diff --git a/.docker/docker-entrypoint.sh b/.docker/docker-entrypoint.sh
index df71b4b99..21e5e0e3e 100755
--- a/.docker/docker-entrypoint.sh
+++ b/.docker/docker-entrypoint.sh
@@ -414,9 +414,18 @@ if [ ! -f "$bin_path" ]; then
 fi
 
 if [ "$DEBUG_FLAG" = "1" ]; then
+    # Verify that /usr/local/bin/dlv is a real Delve binary, not the production stub
+    # (production images ship a shell stub that exits 1 to satisfy the COPY instruction
+    # without embedding the vulnerable golang.org/x/sys < v0.27.0 — GO-2026-5024).
+    # Real Delve exits 0 on `dlv version`; the stub exits 1.
+    if ! /usr/local/bin/dlv version >/dev/null 2>&1; then
+        echo "Note: Delve not available in this image (production build, GO-2026-5024 mitigation)."
+        echo "   Running Charon directly. To enable remote debugging, rebuild with:"
+        echo "   docker build --build-arg BUILD_DEBUG=1 ..."
+        run_as_charon "$bin_path" &
     # Check if binary has debug symbols (required for Delve)
     # objdump -h lists section headers; .debug_info is present if DWARF symbols exist
-    if command -v objdump >/dev/null 2>&1; then
+    elif command -v objdump >/dev/null 2>&1; then
         if ! objdump -h "$bin_path" 2>/dev/null | grep -q '\.debug_info'; then
             echo "⚠️  WARNING: Binary lacks debug symbols (DWARF info stripped)."
             echo "   Delve debugging will NOT work with this binary."
diff --git a/.github/renovate.json b/.github/renovate.json
index 0c9a6d876..af11eccdc 100644
--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -225,6 +225,19 @@
       "datasourceTemplate": "golang-version",
       "versioningTemplate": "semver"
     },
+    {
+      "customType": "regex",
+      "description": "Track NODE_VERSION in Actions workflows",
+      "managerFilePatterns": [
+        "/^\\.github/workflows/.*\\.yml$/"
+      ],
+      "matchStrings": [
+        "NODE_VERSION: ['\"]?(?<currentValue>[\\d\\.]+)['\"]?"
+      ],
+      "depNameTemplate": "node",
+      "datasourceTemplate": "node-version",
+      "versioningTemplate": "node"
+    },
     {
       "customType": "regex",
       "description": "Track GO_VERSION in Actions workflows",
@@ -414,18 +427,9 @@
       "groupSlug": "go-non-major"
     },
     {
-      "description": "Group Go github-tags fallback updates from Dockerfile custom manager into Go non-major PR",
+      "description": "Group NPM non-major updates into one PR",
       "matchDatasources": [
-        "github-tags"
-      ],
-      "matchManagers": [
-        "custom.regex"
-      ],
-      "matchFileNames": [
-        "Dockerfile"
-      ],
-      "matchPackageNames": [
-        "jackc/pgx"
+        "npm"
       ],
       "matchUpdateTypes": [
         "minor",
@@ -433,13 +437,16 @@
         "pin",
         "digest"
       ],
-      "groupName": "go-non-major",
-      "groupSlug": "go-non-major"
+      "groupName": "npm-non-major",
+      "groupSlug": "npm-non-major"
     },
     {
-      "description": "Group NPM non-major updates into one PR",
-      "matchDatasources": [
-        "npm"
+      "description": "Dockerfile ARG trackers (any datasource) group under Dockerfile, not Go/NPM — placed after the datasource group rules so it wins",
+      "matchManagers": [
+        "custom.regex"
+      ],
+      "matchFileNames": [
+        "Dockerfile"
       ],
       "matchUpdateTypes": [
         "minor",
@@ -447,8 +454,11 @@
         "pin",
         "digest"
       ],
-      "groupName": "npm-non-major",
-      "groupSlug": "npm-non-major"
+      "groupName": "dockerfile-non-major",
+      "groupSlug": "dockerfile-non-major",
+      "addLabels": [
+        "dockerfile"
+      ]
     },
     {
       "description": "Development branch: Auto-merge non-major updates after proven stable",
diff --git a/.github/skills/test-e2e-playwright-coverage-scripts/run.sh b/.github/skills/test-e2e-playwright-coverage-scripts/run.sh
index 1910e7d8b..de9cf814e 100755
--- a/.github/skills/test-e2e-playwright-coverage-scripts/run.sh
+++ b/.github/skills/test-e2e-playwright-coverage-scripts/run.sh
@@ -158,7 +158,7 @@ start_vite() {
     # Ensure dependencies are installed
     if [[ ! -d "node_modules" ]]; then
         log_info "Installing frontend dependencies..."
-        npm ci --silent
+        npm ci --silent --ignore-scripts
     fi
 
     # Start Vite in background with explicit port
diff --git a/.github/workflows/codecov-upload.yml b/.github/workflows/codecov-upload.yml
index 47689dfb5..2c8b1621d 100644
--- a/.github/workflows/codecov-upload.yml
+++ b/.github/workflows/codecov-upload.yml
@@ -174,7 +174,7 @@ jobs:
 
       - name: Install dependencies
         working-directory: frontend
-        run: npm ci
+        run: npm ci --ignore-scripts
 
       - name: Run frontend tests and coverage
         working-directory: ${{ github.workspace }}
diff --git a/.github/workflows/e2e-tests-split.yml b/.github/workflows/e2e-tests-split.yml
index c2c0dbc49..b5c889b3c 100644
--- a/.github/workflows/e2e-tests-split.yml
+++ b/.github/workflows/e2e-tests-split.yml
@@ -82,7 +82,7 @@ on:
   pull_request:
 
 env:
-  NODE_VERSION: '20'
+  NODE_VERSION: '24.12.0'
   GO_VERSION: '1.26.4'
   GOTOOLCHAIN: local
   DOCKERHUB_REGISTRY: docker.io
@@ -166,7 +166,7 @@ jobs:
 
       - name: Install dependencies
         if: steps.resolve-image.outputs.image_source == 'build'
-        run: npm ci
+        run: npm ci --ignore-scripts
 
       - name: Set up Docker Buildx
         if: steps.resolve-image.outputs.image_source == 'build'
@@ -184,6 +184,7 @@ jobs:
           tags: ${{ steps.resolve-image.outputs.image_tag }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
+          no-cache-filters: caddy-builder,crowdsec-builder
 
       - name: Save Docker image
         if: steps.resolve-image.outputs.image_source == 'build'
@@ -303,7 +304,7 @@ jobs:
           exit 1
 
       - name: Install dependencies
-        run: npm ci
+        run: npm ci --ignore-scripts
 
       - name: Install Playwright Chromium
         run: |
@@ -505,7 +506,7 @@ jobs:
           exit 1
 
       - name: Install dependencies
-        run: npm ci
+        run: npm ci --ignore-scripts
 
       - name: Install Playwright Chromium (required by security-tests dependency)
         run: |
@@ -715,7 +716,7 @@ jobs:
           exit 1
 
       - name: Install dependencies
-        run: npm ci
+        run: npm ci --ignore-scripts
 
       - name: Install Playwright Chromium (required by security-tests dependency)
         run: |
@@ -952,7 +953,7 @@ jobs:
           exit 1
 
       - name: Install dependencies
-        run: npm ci
+        run: npm ci --ignore-scripts
 
       - name: Install Playwright Chromium
         run: |
@@ -1190,7 +1191,7 @@ jobs:
           exit 1
 
       - name: Install dependencies
-        run: npm ci
+        run: npm ci --ignore-scripts
 
       - name: Install Playwright Chromium (required by security-tests dependency)
         run: |
@@ -1436,7 +1437,7 @@ jobs:
           exit 1
 
       - name: Install dependencies
-        run: npm ci
+        run: npm ci --ignore-scripts
 
       - name: Install Playwright Chromium (required by security-tests dependency)
         run: |
diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml
index 841e4c529..b972ac98c 100644
--- a/.github/workflows/quality-checks.yml
+++ b/.github/workflows/quality-checks.yml
@@ -310,7 +310,7 @@ jobs:
 
       - name: Install dependencies
         working-directory: frontend
-        run: npm ci
+        run: npm ci --ignore-scripts
 
       - name: Run frontend tests and coverage
         id: frontend-tests
diff --git a/.github/workflows/release-goreleaser.yml b/.github/workflows/release-goreleaser.yml
index beaae3df9..84d1ca367 100644
--- a/.github/workflows/release-goreleaser.yml
+++ b/.github/workflows/release-goreleaser.yml
@@ -62,7 +62,7 @@ jobs:
           # Inject version into frontend build from tag (if present)
           VERSION=${GITHUB_REF#refs/tags/}
           echo "VITE_APP_VERSION=${VERSION}" >> "$GITHUB_ENV"
-          npm ci
+          npm ci --ignore-scripts
           npm run build
 
       - name: Install Cross-Compilation Tools (Zig)
diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
index 7cb09f114..640dfa125 100644
--- a/.github/workflows/renovate.yml
+++ b/.github/workflows/renovate.yml
@@ -33,7 +33,7 @@ jobs:
           go-version-file: backend/go.mod
 
       - name: Run Renovate
-        uses: renovatebot/github-action@693b9ef15eec82123529a37c782242f091365961 # v46.1.14
+        uses: renovatebot/github-action@8217b3fc286df088d7c27f3255fe8414463bc0fd # v46.1.15
         with:
           configurationFile: .github/renovate.json
           token: ${{ secrets.RENOVATE_TOKEN || secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/weekly-nightly-promotion.yml b/.github/workflows/weekly-nightly-promotion.yml
index 8e739f0d7..1b03fcbec 100644
--- a/.github/workflows/weekly-nightly-promotion.yml
+++ b/.github/workflows/weekly-nightly-promotion.yml
@@ -443,11 +443,12 @@ jobs:
             const nightlyHeadSha = nightlyBranch.commit.sha;
             core.info(`Current nightly HEAD for dispatch fallback: ${nightlyHeadSha}`);
 
+            const prNumber = '${{ needs.create-promotion-pr.outputs.pr_number }}';
             const requiredWorkflows = [
               { id: 'e2e-tests-split.yml' },
               { id: 'codeql.yml' },
               { id: 'codecov-upload.yml', inputs: { run_backend: 'true', run_frontend: 'true' } },
-              { id: 'security-pr.yml' },
+              { id: 'security-pr.yml', inputs: { pr_number: prNumber } },
               { id: 'supply-chain-verify.yml' },
             ];
 
diff --git a/Dockerfile b/Dockerfile
index 2446bef89..8dba5104b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -13,7 +13,7 @@ ARG BUILD_DEBUG=0
 ARG GO_VERSION=1.26.4
 
 # renovate: datasource=docker depName=alpine versioning=docker
-ARG ALPINE_IMAGE=alpine:3.23.4@sha256:5b10f432ef3da1b8d4c7eb6c487f2f5a8f096bc91145e68878dd4a5019afde11
+ARG ALPINE_IMAGE=alpine:3.24.0@sha256:a2d49ea686c2adfe3c992e47dc3b5e7fa6e6b5055609400dc2acaeb241c829f4
 
 # ---- Shared CrowdSec Version ----
 # renovate: datasource=github-releases depName=crowdsecurity/crowdsec
@@ -22,14 +22,14 @@ ARG CROWDSEC_VERSION=1.7.8
 ARG CROWDSEC_RELEASE_SHA256=704e37121e7ac215991441cef0d8732e33fa3b1a2b2b88b53a0bfe5e38f863bd
 
 # ---- Shared Go Security Patches ----
-# renovate: datasource=go depName=github.com/expr-lang/expr
+# renovate: datasource=github-tags depName=expr-lang/expr extractVersion=^v(?<version>.+)$
 ARG EXPR_LANG_VERSION=1.17.8
 # renovate: datasource=go depName=golang.org/x/net
-ARG XNET_VERSION=0.55.0
+ARG XNET_VERSION=0.56.0
 # renovate: datasource=go depName=golang.org/x/crypto
-ARG XCRYPTO_VERSION=0.52.0
+ARG XCRYPTO_VERSION=0.53.0
 # renovate: datasource=npm depName=npm
-ARG NPM_VERSION=11.16.0
+ARG NPM_VERSION=11.17.0
 
 # Allow pinning Caddy version - Renovate will update this
 # Build the most recent Caddy 2.x release (keeps major pinned under v3).
@@ -37,7 +37,7 @@ ARG NPM_VERSION=11.16.0
 # avoid accidentally pulling a v3 major release. Renovate can still update
 # this ARG to a specific v2.x tag when desired.
 ## Try to build the requested Caddy v2.x tag (Renovate can update this ARG).
-## If the requested tag isn't available, fall back to a known-good v2.11.3 build.
+## If the requested tag isn't available, fall back to a known-good v2.11.4 build.
 # renovate: datasource=go depName=github.com/caddyserver/caddy/v2
 ARG CADDY_VERSION=2.11.4
 # renovate: datasource=go depName=github.com/caddyserver/caddy/v2
@@ -94,7 +94,7 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
 # ---- Frontend Builder ----
 # Build the frontend using the BUILDPLATFORM to avoid arm64 musl Rollup native issues
 # renovate: datasource=docker depName=node
-FROM --platform=$BUILDPLATFORM node:24.16.0-alpine@sha256:2bdb65ed1dab192432bc31c95f94155ca5ad7fc1392fb7eb7526ab682fa5bf14 AS frontend-builder
+FROM --platform=$BUILDPLATFORM node:24.16.0-alpine3.24@sha256:fb71d01345f11b708a3553c66e7c74074f2d506400ea81973343d915cb64eef0 AS frontend-builder
 WORKDIR /app/frontend
 
 # Copy frontend package files
@@ -118,7 +118,7 @@ RUN apk upgrade --no-cache && \
 # hadolint ignore=DL3059
 RUN npm install -g picomatch@4.0.4 --no-fund --no-audit
 
-RUN npm ci
+RUN npm ci --ignore-scripts
 
 # Copy frontend source and build
 COPY frontend/ ./
@@ -164,18 +164,32 @@ RUN set -eux; \
         test -e "$LOADER"; \
     fi
 
-# Install Delve (cross-compile for target)
-# Note: xx-go install puts binaries in /go/bin/TARGETOS_TARGETARCH/dlv if cross-compiling.
-# We find it and move it to /go/bin/dlv so it's in a consistent location for the next stage.
+# Install Delve (cross-compile for target) — debug builds only.
+# Security: dlv is only installed when BUILD_DEBUG=1.  Production images (BUILD_DEBUG=0,
+# the default) receive a harmless stub so the unconditional COPY below still succeeds,
+# but no Delve binary with golang.org/x/sys < v0.27.0 (GO-2026-5024) is shipped.
+# When dlv IS needed, we build it inside a temporary module that pins
+# golang.org/x/sys to the patched version used by the rest of the project.
 # renovate: datasource=go depName=github.com/go-delve/delve
 ARG DLV_VERSION=1.26.3
 # hadolint ignore=DL3059,DL4006
-RUN CGO_ENABLED=0 xx-go install github.com/go-delve/delve/cmd/dlv@v${DLV_VERSION} && \
-    DLV_PATH=$(find /go/bin -name dlv -type f | head -n 1) && \
-    if [ -n "$DLV_PATH" ] && [ "$DLV_PATH" != "/go/bin/dlv" ]; then \
-        mv "$DLV_PATH" /go/bin/dlv; \
-    fi && \
-    xx-verify /go/bin/dlv
+RUN if [ "$BUILD_DEBUG" = "1" ]; then \
+        echo "DEBUG build: installing Delve v${DLV_VERSION} with patched golang.org/x/sys..."; \
+        mkdir -p /tmp/dlv-install && cd /tmp/dlv-install && \
+        go mod init dlv_install && \
+        go get golang.org/x/sys@v0.46.0 && \
+        CGO_ENABLED=0 GOFLAGS="-mod=mod" xx-go install github.com/go-delve/delve/cmd/dlv@v${DLV_VERSION} && \
+        DLV_PATH=$(find /go/bin -name dlv -type f | head -n 1) && \
+        if [ -n "$DLV_PATH" ] && [ "$DLV_PATH" != "/go/bin/dlv" ]; then \
+            mv "$DLV_PATH" /go/bin/dlv; \
+        fi && \
+        xx-verify /go/bin/dlv && \
+        cd / && rm -rf /tmp/dlv-install; \
+    else \
+        echo "Production build: skipping Delve install (GO-2026-5024 mitigation)"; \
+        printf '#!/bin/sh\necho "Delve not available in production builds. Rebuild with BUILD_DEBUG=1." >&2\nexit 1\n' \
+            > /go/bin/dlv && chmod +x /go/bin/dlv; \
+    fi
 
 # Copy Go module files
 COPY backend/go.mod backend/go.sum ./
@@ -466,7 +480,7 @@ RUN go get github.com/expr-lang/expr@v${EXPR_LANG_VERSION} && \
     # renovate: datasource=go depName=github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream
     go get github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream@v1.7.13 && \
     # renovate: datasource=go depName=github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs
-    go get github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs@v1.75.1 && \
+    go get github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs@v1.75.2 && \
     go get github.com/aws/aws-sdk-go-v2/service/kinesis@v1.43.7 && \
     go get github.com/aws/aws-sdk-go-v2/service/s3@v1.102.1 && \
     # CVE-2026-32952: go-ntlmssp DoS via malicious NTLM challenge response
@@ -477,7 +491,7 @@ RUN go get github.com/expr-lang/expr@v${EXPR_LANG_VERSION} && \
     # Affects /usr/local/bin/crowdsec and /usr/local/bin/cscli (CrowdSec embeds quic-go v0.57.0).
     # Fix available at v0.59.1. Caddy already resolves v0.59.1 through its own graph.
     # renovate: datasource=go depName=github.com/quic-go/quic-go
-    go get github.com/quic-go/quic-go@v0.59.1 && \
+    go get github.com/quic-go/quic-go@v0.60.0 && \
     # buger/jsonparser Delete() panic via negative slice index on malformed JSON.
     # Fix available at v1.2.0.
     # renovate: datasource=go depName=github.com/buger/jsonparser
@@ -579,7 +593,7 @@ SHELL ["/bin/ash", "-o", "pipefail", "-c"]
 # Note: In production, users should provide their own MaxMind license key
 # This uses the publicly available GeoLite2 database
 # In CI, timeout quickly rather than retrying to save build time
-ARG GEOLITE2_COUNTRY_SHA256=abce3a42f4f6bfb2c90cded582341da6764f5e152782ce6c832bc8fa1d873778
+ARG GEOLITE2_COUNTRY_SHA256=11b88595d026953920668d91f6d531057b397f05170237fc98a13a8b051ab861
 RUN mkdir -p /app/data/geoip && \
         if [ "$CI" = "true" ] || [ "$CI" = "1" ]; then \
             echo "⏱️  CI detected - quick download (10s timeout, no retries)"; \
@@ -664,7 +678,11 @@ RUN chmod +x /usr/local/bin/install_hub_items.sh /usr/local/bin/register_bouncer
 # Copy Go binary from backend builder
 COPY --from=backend-builder /app/backend/charon /app/charon
 RUN ln -s /app/charon /app/cpmp || true
-# Copy Delve debugger (xx-go install places it in /go/bin)
+# Copy Delve stub/binary from backend-builder.
+# Security (GO-2026-5024): production builds (BUILD_DEBUG=0) receive a harmless shell
+# stub that prints an error and exits 1 — no vulnerable golang.org/x/sys v0.26.0 binary
+# is present in production images.  Debug builds (BUILD_DEBUG=1) receive the real dlv
+# compiled against golang.org/x/sys v0.46.0 (patched).
 COPY --from=backend-builder /go/bin/dlv /usr/local/bin/dlv
 
 # Copy frontend build from frontend builder
diff --git a/Makefile b/Makefile
index 5ec9bb9e7..bc1f2707f 100644
--- a/Makefile
+++ b/Makefile
@@ -31,7 +31,7 @@ install:
 	@echo "Installing backend dependencies..."
 	cd backend && go mod download
 	@echo "Installing frontend dependencies..."
-	cd frontend && npm install
+	cd frontend && npm install --ignore-scripts
 
 # Install Go development tools
 install-tools:
diff --git a/SECURITY.md b/SECURITY.md
index 1fde07e29..9059c435c 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -241,13 +241,13 @@ Charon users is negligible since the vulnerable code path is not exercised.
 
 ---
 
-### [HIGH] CVE-2026-45135 · Caddy FastCGI Unsafe Unicode Handling in splitPos
+### ✅ [HIGH] CVE-2026-45135 · Caddy FastCGI Unsafe Unicode Handling in splitPos
 
 | Field        | Value |
 |--------------|-------|
 | **ID**       | CVE-2026-45135 |
 | **Severity** | High · 8.1 |
-| **Status**   | Fix deployed — `no-cache-filter: caddy-builder` added to nightly workflow |
+| **Status**   | Fully remediated — `no-cache-filters: caddy-builder,crowdsec-builder` applied to nightly and E2E build workflows |
 
 **What**
 Caddy v2.11.2 contains unsafe Unicode handling in the FastCGI `splitPos` function. A
@@ -280,10 +280,11 @@ prior nightly run despite the ARG value change — a known edge case where GHA c
 loses ARG-scoped metadata, preventing proper cache key invalidation.
 
 **Remediation Applied**
-Added `no-cache-filter: caddy-builder` to the `build-and-push-nightly` job in
-`.github/workflows/nightly-build.yml`. This forces the `caddy-builder` stage to rebuild from
-scratch on every nightly run, bypassing the GHA layer cache for that stage. All other stages
-continue to benefit from the cache.
+Added `no-cache-filters: caddy-builder,crowdsec-builder` to the `build-and-push-nightly` job in
+`.github/workflows/nightly-build.yml` and to the `Build Docker image` step in
+`.github/workflows/e2e-tests-split.yml`. This forces both the `caddy-builder` and
+`crowdsec-builder` stages to rebuild from scratch on every nightly and E2E build run, bypassing
+the GHA layer cache for those stages. All other stages continue to benefit from the cache.
 
 ---
 
diff --git a/agent/go.mod b/agent/go.mod
index e5245f3b5..1f0912053 100644
--- a/agent/go.mod
+++ b/agent/go.mod
@@ -14,7 +14,7 @@ require (
 	github.com/kr/pretty v0.3.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/rogpeppe/go-internal v1.14.1 // indirect
-	golang.org/x/sys v0.45.0 // indirect
+	golang.org/x/sys v0.46.0 // indirect
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/agent/go.sum b/agent/go.sum
index 4a3eb7a2d..474f5c4e9 100644
--- a/agent/go.sum
+++ b/agent/go.sum
@@ -22,8 +22,8 @@ github.com/sirupsen/logrus v1.9.4 h1:TsZE7l11zFCLZnZ+teH4Umoq5BhEIfIzfRDZ1Uzql2w
 github.com/sirupsen/logrus v1.9.4/go.mod h1:ftWc9WdOfJ0a92nsE2jF5u5ZwH8Bv2zdeOC42RjbV2g=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
-golang.org/x/sys v0.45.0 h1:dO4czNzziLiiXplLQgBCEpCvXQ3dnkn0SdaZSYdQ+FY=
-golang.org/x/sys v0.45.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/sys v0.46.0 h1:noSf2Fq6F8DBgS+LysIkx7rIExoNHJsxOAtPp4rthXw=
+golang.org/x/sys v0.46.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
diff --git a/backend/go.mod b/backend/go.mod
index d3d8eac67..880006e37 100644
--- a/backend/go.mod
+++ b/backend/go.mod
@@ -17,15 +17,15 @@ require (
 	github.com/robfig/cron/v3 v3.0.1
 	github.com/sirupsen/logrus v1.9.4
 	github.com/stretchr/testify v1.11.1
-	golang.org/x/crypto v0.52.0
-	golang.org/x/net v0.55.0
-	golang.org/x/text v0.37.0
+	golang.org/x/crypto v0.53.0
+	golang.org/x/net v0.56.0
+	golang.org/x/text v0.38.0
 	golang.org/x/time v0.15.0
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1
 	gopkg.in/yaml.v3 v3.0.1
 	gorm.io/driver/sqlite v1.6.0
 	gorm.io/gorm v1.31.1
-	software.sslmate.com/src/go-pkcs12 v0.7.1
+	software.sslmate.com/src/go-pkcs12 v0.7.2
 )
 
 require (
@@ -43,7 +43,7 @@ require (
 	github.com/docker/go-connections v0.7.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
-	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/felixge/httpsnoop v1.1.0 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.13 // indirect
 	github.com/gin-contrib/sse v1.1.1 // indirect
 	github.com/glebarez/go-sqlite v1.22.0 // indirect
@@ -87,10 +87,10 @@ require (
 	go.opentelemetry.io/otel v1.44.0 // indirect
 	go.opentelemetry.io/otel/metric v1.44.0 // indirect
 	go.opentelemetry.io/otel/trace v1.44.0 // indirect
-	golang.org/x/arch v0.27.0 // indirect
-	golang.org/x/sys v0.45.0 // indirect
+	golang.org/x/arch v0.28.0 // indirect
+	golang.org/x/sys v0.46.0 // indirect
 	google.golang.org/protobuf v1.36.11 // indirect
-	modernc.org/libc v1.72.5 // indirect
+	modernc.org/libc v1.73.3 // indirect
 	modernc.org/mathutil v1.7.1 // indirect
 	modernc.org/memory v1.11.0 // indirect
 	modernc.org/sqlite v1.52.0 // indirect
diff --git a/backend/go.sum b/backend/go.sum
index 9f10c0ee6..ce283e537 100644
--- a/backend/go.sum
+++ b/backend/go.sum
@@ -27,8 +27,8 @@ github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4
 github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
-github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
-github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
+github.com/felixge/httpsnoop v1.1.0 h1:3YtUj32ZZkqZtt3sZZsClsymw/QDuVfpNhoA31zeORc=
+github.com/felixge/httpsnoop v1.1.0/go.mod h1:Zqxgdd+1Rkcz8euOqdr7lqgCRJztwr5hp9vDSi5UZCE=
 github.com/gabriel-vasile/mimetype v1.4.13 h1:46nXokslUBsAJE/wMsp5gtO500a4F3Nkz9Ufpk2AcUM=
 github.com/gabriel-vasile/mimetype v1.4.13/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s=
 github.com/gin-contrib/gzip v1.2.6 h1:OtN8DplD5DNZCSLAnQ5HxRkD2qZ5VU+JhOrcfJrcRvg=
@@ -183,24 +183,24 @@ go.uber.org/mock v0.6.0 h1:hyF9dfmbgIX5EfOdasqLsWD6xqpNZlXblLB/Dbnwv3Y=
 go.uber.org/mock v0.6.0/go.mod h1:KiVJ4BqZJaMj4svdfmHM0AUx4NJYO8ZNpPnZn1Z+BBU=
 go.yaml.in/yaml/v2 v2.4.4 h1:tuyd0P+2Ont/d6e2rl3be67goVK4R6deVxCUX5vyPaQ=
 go.yaml.in/yaml/v2 v2.4.4/go.mod h1:gMZqIpDtDqOfM0uNfy0SkpRhvUryYH0Z6wdMYcacYXQ=
-golang.org/x/arch v0.27.0 h1:0WNVcR8u9yFz8j5FvdHpgwNp3FS5U4guYdzHwEiGjoU=
-golang.org/x/arch v0.27.0/go.mod h1:0X+GdSIP+kL5wPmpK7sdkEVTt2XoYP0cSjQSbZBwOi8=
-golang.org/x/crypto v0.52.0 h1:RMs7fP2rXdep0CftQlK8Uf+kibLm7qkCcradZWYz988=
-golang.org/x/crypto v0.52.0/go.mod h1:1QgfPxDqh0T2M/elOJtp9RvuR95kVjir0e6/BvEmGbc=
-golang.org/x/mod v0.35.0 h1:Ww1D637e6Pg+Zb2KrWfHQUnH2dQRLBQyAtpr/haaJeM=
-golang.org/x/mod v0.35.0/go.mod h1:+GwiRhIInF8wPm+4AoT6L0FA1QWAad3OMdTRx4tFYlU=
-golang.org/x/net v0.55.0 h1:bcvxaJn3e1U6InsFWt1JUq1aSjnRxLzT2rtD2KfkDF8=
-golang.org/x/net v0.55.0/go.mod h1:L5U2KuzuOe1lY7Z+aWVIKK6qEeJXnXV9yzGA+WCHJww=
-golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
-golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
-golang.org/x/sys v0.45.0 h1:dO4czNzziLiiXplLQgBCEpCvXQ3dnkn0SdaZSYdQ+FY=
-golang.org/x/sys v0.45.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
-golang.org/x/text v0.37.0 h1:Cqjiwd9eSg8e0QAkyCaQTNHFIIzWtidPahFWR83rTrc=
-golang.org/x/text v0.37.0/go.mod h1:a5sjxXGs9hsn/AJVwuElvCAo9v8QYLzvavO5z2PiM38=
+golang.org/x/arch v0.28.0 h1:wVwVdqsTuUbJvhYVCspQYwZXHNYeLSoZnmHD+ggddpQ=
+golang.org/x/arch v0.28.0/go.mod h1:0X+GdSIP+kL5wPmpK7sdkEVTt2XoYP0cSjQSbZBwOi8=
+golang.org/x/crypto v0.53.0 h1:QZ4Muo8THX6CizN2vPPd5fBGHyogrdK9fG4wLPFUsto=
+golang.org/x/crypto v0.53.0/go.mod h1:DNLU434OwVakk9PzuwV8w62mAJpRJL3vsgcfp4Qnsio=
+golang.org/x/mod v0.36.0 h1:JJjpVx6myfUsUdAzZuOSTTmRE0PfZeNWzzvKrP7amb4=
+golang.org/x/mod v0.36.0/go.mod h1:moc6ELqsWcOw5Ef3xVprK5ul/MvtVvkIXLziUOICjUQ=
+golang.org/x/net v0.56.0 h1:Rw8j/hFzGvJUZwNBXnAtf5sVDVt+65SK2C7IxCxZt5o=
+golang.org/x/net v0.56.0/go.mod h1:D3Ku6r+V6JROoZK144D2XfMHFcMq/0zSfLelVTCFKec=
+golang.org/x/sync v0.21.0 h1:HLII4xRRTtCRkxYp4HNFF0Js/Og6q2i++KXbg0gHCwM=
+golang.org/x/sync v0.21.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
+golang.org/x/sys v0.46.0 h1:noSf2Fq6F8DBgS+LysIkx7rIExoNHJsxOAtPp4rthXw=
+golang.org/x/sys v0.46.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/text v0.38.0 h1:sXmwo9DwP3OK9EZ7PqAdaooSGozfl/3a6/xJcbzPRhE=
+golang.org/x/text v0.38.0/go.mod h1:YXZt3QhHUKYT53r2lLKFIVi6Ao1jdzrTR/KQ09qyxF4=
 golang.org/x/time v0.15.0 h1:bbrp8t3bGUeFOx08pvsMYRTCVSMk89u4tKbNOZbp88U=
 golang.org/x/time v0.15.0/go.mod h1:Y4YMaQmXwGQZoFaVFk4YpCt4FLQMYKZe9oeV/f4MSno=
-golang.org/x/tools v0.44.0 h1:UP4ajHPIcuMjT1GqzDWRlalUEoY+uzoZKnhOjbIPD2c=
-golang.org/x/tools v0.44.0/go.mod h1:KA0AfVErSdxRZIsOVipbv3rQhVXTnlU6UhKxHd1seDI=
+golang.org/x/tools v0.45.0 h1:18qN3FAooORvApf5XjCXgsuayZOEtXf6JK18I3+ONa8=
+golang.org/x/tools v0.45.0/go.mod h1:LuUGqqaXcXMEFEruIVJVm5mgDD8vww/z/SR1gQ4uE/0=
 google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
 google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -217,10 +217,10 @@ gorm.io/gorm v1.31.1 h1:7CA8FTFz/gRfgqgpeKIBcervUn3xSyPUmr6B2WXJ7kg=
 gorm.io/gorm v1.31.1/go.mod h1:XyQVbO2k6YkOis7C2437jSit3SsDK72s7n7rsSHd+Gs=
 gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q=
 gotest.tools/v3 v3.5.2/go.mod h1:LtdLGcnqToBH83WByAAi/wiwSFCArdFIUV/xxN4pcjA=
-modernc.org/cc/v4 v4.28.2 h1:3tQ0lf2ADtoby2EtSP+J7IE2SHwEJdP8ioR59wx7XpY=
-modernc.org/cc/v4 v4.28.2/go.mod h1:OnovgIhbbMXMu1aISnJ0wvVD1KnW+cAUJkIrAWh+kVI=
-modernc.org/ccgo/v4 v4.34.2 h1:mxsy2FdrB6+qG3NfXefz1AmWv0ehOSDO4jxgxd7h9yo=
-modernc.org/ccgo/v4 v4.34.2/go.mod h1:1L7us56+kAKu04p25EATpmBBvhbcqqZ85ibqWVwVgog=
+modernc.org/cc/v4 v4.28.4 h1:Hd/4Es+MBj+/7hSdZaisNyu6bv3V0Dp2MdllyfqaH+c=
+modernc.org/cc/v4 v4.28.4/go.mod h1:OnovgIhbbMXMu1aISnJ0wvVD1KnW+cAUJkIrAWh+kVI=
+modernc.org/ccgo/v4 v4.34.4 h1:OVnSOWQjVKOYkFxoHYB+qQmSHK5gqMqARM+K9DpR/Ws=
+modernc.org/ccgo/v4 v4.34.4/go.mod h1:qdKqE8FNIYyysougB1RX9MxCzp5oJOcQXSobANJ4TuE=
 modernc.org/fileutil v1.4.0 h1:j6ZzNTftVS054gi281TyLjHPp6CPHr2KCxEXjEbD6SM=
 modernc.org/fileutil v1.4.0/go.mod h1:EqdKFDxiByqxLk8ozOxObDSfcVOv/54xDs/DUHdvCUU=
 modernc.org/gc/v2 v2.6.5 h1:nyqdV8q46KvTpZlsw66kWqwXRHdjIlJOhG6kxiV/9xI=
@@ -229,8 +229,8 @@ modernc.org/gc/v3 v3.1.3 h1:6QAplYyVO+KdPW3pGnqmJDUxtkec8ooEWvks/hhU3lc=
 modernc.org/gc/v3 v3.1.3/go.mod h1:HFK/6AGESC7Ex+EZJhJ2Gni6cTaYpSMmU/cT9RmlfYY=
 modernc.org/goabi0 v0.2.0 h1:HvEowk7LxcPd0eq6mVOAEMai46V+i7Jrj13t4AzuNks=
 modernc.org/goabi0 v0.2.0/go.mod h1:CEFRnnJhKvWT1c1JTI3Avm+tgOWbkOu5oPA8eH8LnMI=
-modernc.org/libc v1.72.5 h1:m2OGx9Ser1VvTS4Z9ZJlWs+CBMxutLaTiAWkNz+NB9U=
-modernc.org/libc v1.72.5/go.mod h1:np0N7KDJ7eUtMZmOqVZNldrZyG+DHLl2B5pg8Hbar3U=
+modernc.org/libc v1.73.3 h1:enGE2dD5ZIzW3uf2K/ln6IYb/cAuW24c9gG4RFp8BO0=
+modernc.org/libc v1.73.3/go.mod h1:DXZ3eO8qMCNn2SnmTNCiC71nJ9Rcq3PsnpU6Vc4rWK8=
 modernc.org/mathutil v1.7.1 h1:GCZVGXdaN8gTqB1Mf/usp1Y/hSqgI2vAGGP4jZMCxOU=
 modernc.org/mathutil v1.7.1/go.mod h1:4p5IwJITfppl0G4sUEDtCr4DthTaT47/N3aT6MhfgJg=
 modernc.org/memory v1.11.0 h1:o4QC8aMQzmcwCK3t3Ux/ZHmwFPzE6hf2Y5LbkRs+hbI=
@@ -247,5 +247,5 @@ modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y=
 modernc.org/token v1.1.0/go.mod h1:UGzOrNV1mAFSEB63lOFHIpNRUVMvYTc6yu1SMY/XTDM=
 pgregory.net/rapid v1.2.0 h1:keKAYRcjm+e1F0oAuU5F5+YPAWcyxNNRK2wud503Gnk=
 pgregory.net/rapid v1.2.0/go.mod h1:PY5XlDGj0+V1FCq0o192FdRhpKHGTRIWBgqjDBTrq04=
-software.sslmate.com/src/go-pkcs12 v0.7.1 h1:bxkUPRsvTPNRBZa4M/aSX4PyMOEbq3V8I6hbkG4F4Q8=
-software.sslmate.com/src/go-pkcs12 v0.7.1/go.mod h1:Qiz0EyvDRJjjxGyUQa2cCNZn/wMyzrRJ/qcDXOQazLI=
+software.sslmate.com/src/go-pkcs12 v0.7.2 h1:Rh9FoMaI5k7Oo6EOS+2/BnoZ+JFIS+XHjM0VGkSPXLM=
+software.sslmate.com/src/go-pkcs12 v0.7.2/go.mod h1:Qiz0EyvDRJjjxGyUQa2cCNZn/wMyzrRJ/qcDXOQazLI=
diff --git a/docs/plans/current_spec.md b/docs/plans/current_spec.md
index 00b34fdbc..eeee56b87 100644
--- a/docs/plans/current_spec.md
+++ b/docs/plans/current_spec.md
@@ -1,546 +1,107 @@
-# Fix: Flash of Unstyled Content (FOUC) / Forced Layout Warning
-
-**Status:** Draft
-**Date:** 2026-06-05
-**Target Files:** `frontend/index.html`, `frontend/src/context/ThemeContext.tsx`, `frontend/src/i18n.ts`, `frontend/src/main.tsx`, `frontend/src/index.css`
-
----
-
-## 1. Introduction
-
-### Overview
-
-Charon's frontend exhibits a classic Flash of Unstyled Content (FOUC) during initial page load. The browser console surfaces it as:
-
-> *"Layout was forced before the page was fully loaded. If stylesheets are not yet loaded this may cause a flash of unstyled content."*
-
-Users experience a visible dark-to-light (or light-to-dark) colour flicker on every hard reload or cold navigation. For light-mode users this is especially severe — the entire page flashes a dark slate background before switching to light colours. The page also experiences a blank white frame while i18n initialises.
-
-### Objectives
-
-1. Eliminate the theme class FOUC so `<html>` carries the correct `.dark` / `.light` class **before** the first browser paint.
-2. Eliminate the blank-page delay caused by async i18n initialisation.
-3. Remove the forced-layout warning triggered by React's post-paint `useEffect` applying theme classes while CSS is still resolving.
-4. Establish Playwright regression tests that prevent future regressions.
-
----
-
-## 2. Research Findings
-
-### 2.1 File Inventory
-
-| File | Lines | Role |
-|---|---|---|
-| `frontend/index.html` | 13 | HTML shell served by Vite / Go backend |
-| `frontend/src/main.tsx` | 46 | React application entry point |
-| `frontend/src/context/ThemeContext.tsx` | 27 | Dark/light mode state and DOM application |
-| `frontend/src/context/LanguageContext.tsx` | 34 | Language state provider |
-| `frontend/src/i18n.ts` | 38 | i18next initialisation with bundled JSON resources |
-| `frontend/src/index.css` | 300 | Global stylesheet: Tailwind v4, CSS custom properties, light-mode overrides |
-| `frontend/src/App.tsx` | ~180 | Root component; all 28 pages are React.lazy() |
-| `frontend/tailwind.config.js` | ~80 | darkMode: 'class' |
-| `frontend/vite.config.ts` | 43 | Vite with rolldown, vendor chunk splitting |
-
-### 2.2 Critical Code Paths
-
-**`frontend/index.html`** (full file):
-
-```html
-<!doctype html>
-<html lang="en">
-  <head>
-    <meta charset="UTF-8" />
-    <link rel="icon" type="image/png" href="/favicon.png" />
-    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <title>Charon</title>
-  </head>
-  <body>
-    <div id="root"></div>
-    <script type="module" src="/src/main.tsx"></script>
-  </body>
-</html>
-```
-
-Observations:
-- No inline `<script>` in `<head>` to pre-apply the theme class.
-- No `<link rel="preload">` for CSS or fonts.
-- CSS enters exclusively through the JS module graph (`main.tsx → import './index.css'`).
-
-**`frontend/src/context/ThemeContext.tsx`** lines 11–16:
-
-```tsx
-useEffect(() => {
-  const root = window.document.documentElement
-  root.classList.remove('light', 'dark')
-  root.classList.add(theme)
-  localStorage.setItem('theme', theme)
-}, [theme])
-```
-
-Observations:
-- `useEffect` fires **after** the browser has committed and painted the first frame.
-- The `<html>` element carries no `dark` or `light` class between navigation start and this effect executing — typically 50–300 ms on first load.
-- `useState` lazy initialiser correctly reads `localStorage.getItem('theme')` (lines 6–9), but the DOM class is not applied until the effect runs.
-
-**`frontend/src/index.css`** lines 216–228 (`:root` block):
-
-```css
-:root {
-  /* … custom properties (dark mode as default) … */
-  color-scheme: dark;
-  color: rgba(255, 255, 255, 0.87);
-  background-color: #0f172a;  /* slate-900 */
-}
-.light {
-  /* All surface/text/border variables overridden for light mode */
-  --color-bg-base: 248 250 252;  /* slate-50 */
-  /* … */
-}
-```
-
-Observations:
-- `:root` hardcodes `background-color: #0f172a` (dark slate) as the document default.
-- Light-mode overrides live under `.light {}`, requiring the `.light` class on `<html>`.
-- Without the class, every user — regardless of preference — renders the dark background on first paint.
-
-**`frontend/src/main.tsx`** lines 41–46:
-
-```tsx
-if (i18n.isInitialized) {
-  renderApp()
-} else {
-  i18n.on('initialized', renderApp)
-}
-```
-
-**`frontend/src/i18n.ts`** — `init()` options:
-
-```ts
-i18n.use(LanguageDetector).use(initReactI18next).init({
-  resources,         // Five bundled JSON files (no network fetch)
-  fallbackLng: 'en',
-  debug: false,
-  interpolation: { escapeValue: false },
-  detection: {
-    order: ['localStorage', 'navigator'],
-    caches: ['localStorage'],
-    lookupLocalStorage: 'charon-language',
-  },
-})
-```
-
-Observations:
-- All five translation JSONs are statically imported — no network fetch required.
-- i18next's default `initImmediate` is `true`, which defers `init()` resolution to the next microtask tick even when everything is synchronous.
-- Result: `i18n.isInitialized` is `false` when `main.tsx` first evaluates, so `renderApp()` is always pushed to the next event loop tick.
-- The DOM shows an empty `<div id="root">` with the dark `:root` background for one tick — visible as a brief blank flash.
-
-**`frontend/tailwind.config.js`**:
-
-```js
-export default {
-  darkMode: 'class',
-  // …
-}
-```
-
-Confirms: all Tailwind `dark:` utilities require the `.dark` class on `<html>`.
-
-**`frontend/vite.config.ts`** — `rolldownOptions`:
-
-```ts
-manualChunks(id) {
-  if (id.includes('node_modules/i18next') || id.includes('node_modules/react-i18next'))
-    return 'vendor-i18n'
-  // …
-}
-```
-
-Observations:
-- `vendor-i18n` is a separate chunk; its load must complete before `i18n.init()` can run.
-- Combined with async `initImmediate`, this adds an additional render-blocking step.
-
-### 2.3 Layout-Reading Code (Forced Layout Audit)
-
-Grep for `offsetWidth`, `offsetHeight`, `getBoundingClientRect`, `scrollHeight`, `clientHeight`, `scrollTop` across `frontend/src/**`:
-
-| File | Lines | Context |
-|---|---|---|
-| `frontend/src/components/hecate/TunnelLogViewer.tsx` | 69–70 | Scroll position check inside a scroll-event handler (post-mount) |
-| `frontend/src/components/LiveLogViewer.tsx` | 262, 269–271 | Auto-scroll logic inside `useEffect` (post-mount) |
-
-Neither reads layout properties during the initial render phase. Both execute inside already-mounted event handlers and are **not** the source of the forced-layout warning.
-
-The actual forced-layout trigger is `classList.add(theme)` in `ThemeContext.tsx`'s `useEffect`, which forces a style recalculation while the browser may not have finished resolving the CSS cascade from the JS-imported stylesheet.
-
-### 2.4 Font Loading Audit
-
-`frontend/src/index.css` references:
-
-```css
-font-family: Inter, system-ui, Avenir, Helvetica, Arial, sans-serif;
-```
-
-There are **no** `@font-face` declarations, no `@fontsource` imports, and no Google Fonts `<link>` in `index.html`. `Inter` falls through to `system-ui` on most systems. No FOIT/FOUT from web font loading is present. Font loading is not a contributing factor.
-
-### 2.5 External Dependency Summary
-
-| Library | FOUC Relevance |
-|---|---|
-| `react` 19+ | CSR only — no SSR hydration concerns |
-| `i18next` | Async init default (fixed by `initImmediate: false`) |
-| `tailwindcss` v4 | `darkMode: 'class'` requires class on `<html>` |
-| `@vitejs/plugin-react` | CSS extracted to separate file in prod build automatically |
-| `recharts` / `d3-*` | Vendor-split; loaded lazily — no initial FOUC |
-
----
-
-## 3. Root Cause Analysis
-
-### RC-1 — ThemeContext `useEffect` Applies Theme After First Paint
-
-**File:** `frontend/src/context/ThemeContext.tsx` lines 11–16
-**Severity:** Critical
-**Affected users:** All users
-
-`useEffect` is scheduled **after** React commits the DOM and the browser paints. During the window between page-start and effect execution (typically 50–300 ms on a cold load):
-
-- `<html>` has no `dark` or `light` class.
-- All Tailwind `dark:` utilities produce no styles (class-based dark mode requires the class on `<html>`).
-- `:root` background is `#0f172a` (dark slate), but component-level `dark:` variant styles are absent.
-- Light-mode users see the dark `:root` background; dark-mode users see components without `dark:` utility styles.
-
-### RC-2 — No Anti-FOUC Inline Script in `index.html`
-
-**File:** `frontend/index.html`
-**Severity:** Critical (root of RC-1)
-
-The standard pattern for preventing theme FOUC is a small synchronous `<script>` in `<head>` that reads the persisted theme from `localStorage` and applies the class to `<html>` before any rendering occurs. Without it, there is no mechanism to apply the theme class before React loads and its first `useEffect` runs.
-
-This script must be:
-- Inline (not a module import — avoids network round-trip and async execution).
-- Located in `<head>`, before `<body>` renders.
-- Wrapped in a try/catch IIFE (`localStorage` can throw in restricted contexts).
-
-### RC-3 — i18next Async Init Delays React Render
-
-**File:** `frontend/src/main.tsx` lines 41–46; `frontend/src/i18n.ts`
-**Severity:** Major
-**Result:** Blank page for one event-loop tick before `renderApp()` is called
-
-i18next's default `initImmediate: true` defers `init()` resolution to the next microtask, even when all resources are bundled synchronously. Because `i18n.isInitialized` is `false` when `main.tsx` first evaluates, `renderApp()` is always deferred. The DOM shows an empty `<div id="root">` with the `:root` styles for one tick — visible as a brief blank flash before the first React render.
-
-Setting `initImmediate: false` makes `init()` synchronous when no async plugins are involved. `i18n.isInitialized` is then `true` immediately, and `renderApp()` is called inline without waiting for the event loop.
-
-### RC-4 — `:root` Defaults to Dark; Light Mode Requires a Class
-
-**File:** `frontend/src/index.css` lines 216–228
-**Severity:** Moderate (amplifies RC-1 for light-mode users)
-
-The `:root` block includes `background-color: #0f172a` and `color: rgba(255,255,255,0.87)`. Light-mode CSS custom property overrides live under `.light {}`. Without the `.light` class, the page is visually dark regardless of user preference. This creates a dark flash for light-mode users that persists until the theme class is applied.
-
-The primary fix (RC-2 inline script) resolves this by applying the class before the first paint. However, the `.light {}` block must also explicitly override `background-color`, `color-scheme`, and `color` — without these overrides, light-mode users still see a dark flash on first paint because `:root` hardcodes dark values that `.light {}` does not currently cancel. See Fix 4.4.
-
-### RC-5 — Vendor Chunk Splitting Delays i18n Chunk Load
-
-**File:** `frontend/vite.config.ts` lines 25–27
-**Severity:** Minor (amplifies RC-3)
-
-`vendor-i18n` is a separate chunk. Its network fetch and parse must complete before `i18n.init()` can run. With RC-3 fixed (`initImmediate: false`), the chunk loading delay still exists — but init completes synchronously once the chunk is available, rather than deferring again to the next tick.
-
----
-
-## 4. Technical Specifications
-
-### 4.1 Fix for RC-1 + RC-2: Anti-FOUC Inline Script
-
-**Target file:** `frontend/index.html`
-**Mechanism:** Synchronous inline script in `<head>` that reads `localStorage` and applies the theme class to `<html>` before any rendering
-
-```html
-<head>
-  <meta charset="UTF-8" />
-  <link rel="icon" type="image/png" href="/favicon.png" />
-  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-  <title>Charon</title>
-  <script>(function(){try{var t=localStorage.getItem('theme');document.documentElement.classList.add(t==='light'?'light':'dark')}catch(_){}})()</script>
-</head>
-```
-
-Constraints:
-- Plain `<script>` (not `type="module"`) — module scripts are deferred and do not execute synchronously.
-- Placed in `<head>` before `<body>` — ensures execution before any layout is calculated.
-- IIFE + try/catch guards against `localStorage` throwing in restricted contexts (private browsing, cross-origin iframes).
-- Defaults to `'dark'` when no preference is stored — matches `ThemeContext.tsx`'s default.
-- Minified to a single line — this script is render-blocking, so minimising its byte size matters.
-
-### 4.2 Fix for RC-3: Synchronous i18n Initialisation
-
-**Target file:** `frontend/src/i18n.ts`
-**Mechanism:** Add `initImmediate: false` to `i18n.init()` options
-
-```ts
-// Add initImmediate: false to the init options
-i18n
-  .use(LanguageDetector)
-  .use(initReactI18next)
-  .init({
-    resources,
-    fallbackLng: 'en',
-    debug: false,
-    initImmediate: false,   // Makes init synchronous for bundled resources
-    interpolation: { escapeValue: false },
-    detection: {
-      order: ['localStorage', 'navigator'],
-      caches: ['localStorage'],
-      lookupLocalStorage: 'charon-language',
-    },
-  })
-```
-
-With all five translation JSONs statically imported (no `HttpBackend`, no network fetch), i18next has no async work. `initImmediate: false` completes init synchronously, making `i18n.isInitialized` true immediately after the `.init()` call returns. No change to `main.tsx` is needed — the existing `if (i18n.isInitialized)` guard handles this correctly.
-
-### 4.3 Fix for RC-4: ThemeContext `useLayoutEffect`
-
-**Target file:** `frontend/src/context/ThemeContext.tsx`
-**Mechanism:** Replace `useEffect` with `useLayoutEffect`
-
-```tsx
-// Replace useEffect with useLayoutEffect for synchronous class application
-useLayoutEffect(() => {
-  const root = window.document.documentElement
-  root.classList.remove('light', 'dark')
-  root.classList.add(theme)
-  localStorage.setItem('theme', theme)
-}, [theme])
-```
-
-`useLayoutEffect` fires synchronously after React commits DOM mutations but **before** the browser paints. After the inline script (Fix 4.1) handles the initial load, `useLayoutEffect` becomes the mechanism for theme-toggle transitions — ensuring they are seamless with no visible flash.
-
-`useLayoutEffect` is safe here because Charon is CSR-only (no SSR). If SSR is ever introduced, a `typeof window !== 'undefined'` guard must be added.
-
-The `useEffect` import may become unused if `ThemeContext.tsx` uses only `useLayoutEffect` and `useState`. Remove unused imports when making this change.
-
-### 4.4 Fix for CSS-1: Light-Mode Property Overrides in `index.css`
-
-**Target file:** `frontend/src/index.css`
-**Mechanism:** Add explicit `background-color`, `color-scheme`, and `color` overrides to the `.light {}` block
-
-The current `.light {}` block overrides CSS custom properties (e.g., `--color-bg-base`) but does not override the physical properties set on `:root` — `background-color: #0f172a`, `color-scheme: dark`, and `color: rgba(255, 255, 255, 0.87)`. Because these physical properties are not CSS variables, they are not overridden by variable redefinition.
-
-**Change:**
-
-```css
-.light {
-  background-color: #f0f4f8;   /* matches Layout.tsx root div; cancels :root dark default */
-  color-scheme: light;
-  color: rgba(0, 0, 0, 0.87);
-  /* … existing variable overrides unchanged … */
-}
-```
-
-`#f0f4f8` is used (not `#f8fafc`) to match the colour applied by `Layout.tsx`'s root `<div>`. This ensures that even in the instant between the inline script applying `.light` to `<html>` and React mounting, the page renders with a light background rather than the dark `:root` default.
-
----
-
-### 4.5 Data Flow Diagram (After All Fixes)
-
-```
-Browser parses HTML
-  ↓
-<head> inline script executes synchronously (render-blocking, ~0.1ms)
-  → reads localStorage.getItem('theme')
-  → document.documentElement.classList.add('dark' | 'light')
-  ↓
-CSS parsed (Tailwind .dark: / .light: classes now resolve correctly)
-  ↓
-vendor-i18n chunk loads
-  ↓
-main.tsx module evaluates
-  → i18n.init() called
-  → initImmediate: false → completes synchronously
-  → i18n.isInitialized === true
-  → renderApp() called immediately (no next-tick deferral)
-  ↓
-React renders
-  → ThemeContext reads localStorage — same value as the class already on <html>
-  → useLayoutEffect fires synchronously (class already present → no-op)
-  ↓
-First browser paint: correct theme applied, no flash, no forced-layout warning
-```
-
-### 4.6 Edge Cases
-
-| Scenario | Expected Behaviour |
-|---|---|
-| `localStorage` unavailable (private mode, restricted iframe) | try/catch in inline script falls back silently to dark (`:root` default). FOUC not eliminated but gracefully degraded. |
-| User clears `localStorage` between visits | Inline script falls back to dark. Matches `ThemeContext` default. |
-| First-ever visit (no `theme` key) | `localStorage.getItem('theme')` returns `null`; `null === 'light'` is `false`; `dark` applied. Correct. |
-| Theme toggled mid-session | `useLayoutEffect` fires synchronously before browser paint — no visible transition flash. |
-| `initImmediate: false` + future async i18n plugin | If `HttpBackend` is added, synchronous init completes before async ops. Missing translations fall back to `fallbackLng: 'en'` until async load finishes — acceptable. |
-| User navigates with `?theme=light` query param | Not currently a feature; not in scope. |
-
----
-
-## 5. Implementation Plan
-
-### Phase 1 — Playwright Tests (Red State)
-
-Write failing tests that document expected post-fix behaviour. Tests must fail against the current codebase; their passage confirms the fix is complete.
-
-**New file:** `tests/core/theme-fouc.spec.ts`
-
-Test cases:
-
-| ID | Description | How Verified |
-|---|---|---|
-| T1 | Default (no stored preference): `<html>` carries `.dark` at `DOMContentLoaded`, before React runs | `addInitScript`: register a `DOMContentLoaded` listener that captures `document.documentElement.className` into `window.__domContentClasses`; assert it contains `dark` |
-| T2 | Stored light preference: `<html>` carries `.light` at `DOMContentLoaded` | `addInitScript`: set `localStorage.theme='light'` and register `DOMContentLoaded` capture into `window.__domContentClasses`; assert it contains `light` |
-| T3 | Stored dark preference: `<html>` carries `.dark` and not `.light` at `DOMContentLoaded` | `addInitScript`: set `localStorage.theme='dark'` and register `DOMContentLoaded` capture; assert `window.__domContentClasses` contains `dark` but not `light` |
-| T4 | Light-mode background is not dark slate *(depends on CSS-1: Fix 4.4)* | Set light preference, goto, assert computed `background-color` of `<html>` is not `#0f172a`; requires `.light {}` `background-color` override to be present |
-| T5 | No dual-class false positive: only `.light` on `<html>` when light theme stored | `addInitScript`: set `localStorage.theme='light'` and register `DOMContentLoaded` capture; assert `window.__domContentClasses` does not contain `dark` |
-| T6 | Theme toggle applies `.light` synchronously | Login, navigate to settings, click toggle, evaluate classList before next animation frame |
-
-Playwright approach for T1–T3 and T5 uses `page.addInitScript()` for two purposes: (1) setting `localStorage` to simulate a returning user's stored preference, and (2) registering a `DOMContentLoaded` listener that captures `document.documentElement.className` into `window.__domContentClasses`. Tests then assert on `window.__domContentClasses` rather than the final DOM state. This is critical: asserting only on final state would pass even if the inline script were removed from `index.html`, because React's `useLayoutEffect` would still apply the correct class before the assertion evaluates. Capturing at `DOMContentLoaded` — before React has executed — ensures the test detects that regression.
-
-### Phase 2 — No Backend Changes
-
-All fixes are frontend-only. Backend, database, and Go code are not affected.
-
-### Phase 3 — Fix RC-1 + RC-2: `frontend/index.html`
-
-Single-line change: add the minified anti-FOUC `<script>` to `<head>`.
-
-- **Effort:** ~5 minutes
-- **Risk:** Very low — defensive script, no breaking changes
-
-### Phase 4 — Fix RC-3: `frontend/src/i18n.ts`
-
-Single-line change: add `initImmediate: false` to `init()` options.
-
-- **Effort:** ~5 minutes
-- **Risk:** Low — safe with bundled resources; regression covered by T6 and existing auth tests
-
-### Phase 5 — Fix CSS-1: `frontend/src/index.css`
-
-Three-line addition inside the existing `.light {}` block: `background-color: #f0f4f8`, `color-scheme: light`, `color: rgba(0, 0, 0, 0.87)`.
-
-- **Effort:** ~5 minutes
-- **Risk:** Very low — additive CSS change with no structural impact
-
-### Phase 6 — Fix RC-4: `frontend/src/context/ThemeContext.tsx`
-
-Single-line change: `useEffect` → `useLayoutEffect`. Potentially remove unused `useEffect` import.
-
-- **Effort:** ~5 minutes
-- **Risk:** Low for CSR; document SSR caveat in comment or PR description
-
-### Phase 7 — Validate
-
-1. Run `tests/core/theme-fouc.spec.ts` — all T1–T6 must pass (Firefox).
-2. Run full non-security Playwright suite — no regressions.
-3. Manual browser check:
-   - Set `localStorage.theme = 'light'`, hard-reload, confirm no dark flash.
-   - Open Chrome DevTools Performance tab, record page load, confirm no "Layout was forced" warning.
-4. `tsc --noEmit` — no new TypeScript errors.
-
----
-
-## 6. Commit Slicing Strategy
-
-**Decision:** Single PR with three ordered logical commits.
-
-All changes are:
-- Frontend-only (no cross-domain risk)
-- Independently small (≤ 3 lines each)
-- Closely related (all address the same user-visible bug)
-
-A single PR keeps the context and test evidence together for reviewers.
-
----
-
-### Commit 1 — `test(fouc): add regression tests for theme FOUC and blank page delay`
-
-**Scope:** `tests/core/theme-fouc.spec.ts` (new file)
-**Files:** `tests/core/theme-fouc.spec.ts`
-**Dependencies:** None
-**Validation gate:** Tests run; T1–T6 fail on current codebase (expected red state)
-
-Tests document expected behaviour and serve as the acceptance signal for Commits 2 and 3.
-
----
-
-### Commit 2 — `fix(ui): eliminate FOUC with anti-FOUC script, synchronous i18n init, and light-mode CSS overrides`
-
-**Scope:**
-- `frontend/index.html` — add inline `<script>` to `<head>`
-- `frontend/src/i18n.ts` — add `initImmediate: false`
-- `frontend/src/index.css` — add `background-color`, `color-scheme`, `color` overrides to `.light {}`
-
-**Files:** `frontend/index.html`, `frontend/src/i18n.ts`, `frontend/src/index.css`
-**Dependencies:** Commit 1
-**Validation gate:** T1–T5 now pass; no blank-page delay observable in browser; light-mode background resolves to `#f0f4f8` not `#0f172a`
-
-This commit resolves the two highest-severity root causes (RC-1, RC-2, RC-3) and applies the CSS-1 light-mode property fix. Theme class is applied synchronously before paint; React renders on the same tick as i18n init; light-mode users see the correct background immediately.
-
----
-
-### Commit 3 — `fix(theme): use useLayoutEffect to apply theme class before browser paint`
-
-**Scope:**
-- `frontend/src/context/ThemeContext.tsx` — `useEffect` → `useLayoutEffect`
-
-**Files:** `frontend/src/context/ThemeContext.tsx`
-**Dependencies:** Commit 2
-**Validation gate:** T6 passes; DevTools Performance tab clean; full Playwright suite green
-
-Eliminates the forced-layout warning for theme-toggle transitions and makes the initial class application synchronous with React's commit phase.
-
----
-
-### Rollback Notes
-
-All three commits are independently safe to revert:
-- Commit 1: delete `tests/core/theme-fouc.spec.ts`.
-- Commit 2: remove the `<script>` from `index.html`; remove `initImmediate: false` from `i18n.ts`; remove the three property overrides from `.light {}` in `index.css`.
-- Commit 3: revert `useLayoutEffect` to `useEffect`; restore `useEffect` import.
-
-No migrations, API changes, or infrastructure changes are involved.
-
 ---
-
-## 7. Acceptance Criteria (Definition of Done)
-
-### Functional
-- [ ] Hard-reloading with `localStorage.theme = 'dark'` shows no flash of light content.
-- [ ] Hard-reloading with `localStorage.theme = 'light'` shows no dark background flash.
-- [ ] Hard-reloading with no `theme` key defaults to dark mode with no flash.
-- [ ] Theme toggle in Settings applies the new theme with no visible flicker.
-- [ ] Browser DevTools Performance tab shows no "Layout was forced before the page was fully loaded" warning.
-
-### Testing
-- [ ] `tests/core/theme-fouc.spec.ts` — all T1–T6 pass in Firefox.
-- [ ] T4 passes (depends on CSS-1: `.light {}` overrides `background-color`, `color-scheme`, and `color`).
-- [ ] Full non-security Playwright suite is green.
-- [ ] No new console errors or warnings from `localStorage`, `classList`, or `useLayoutEffect`.
-
-### Code Quality
-- [ ] Inline script in `index.html` is a single minified line.
-- [ ] Unused `useEffect` import removed from `ThemeContext.tsx` if no longer needed.
-- [ ] `tsc --noEmit` clean — no TypeScript errors introduced.
-
-### Performance
-- [ ] CSS and JS chunks load in the same order as before (waterfall unchanged).
-- [ ] No observable FCP regression (no Lighthouse gate — no pre-fix baseline is defined).
-
+goal: Issue #579 — [Frontend] Add Auth Guard on Page Reload (root-cause verification + regression hardening)
+version: 1.0
+date_created: 2026-06-09
+status: 'Approved'
+tags: [fix, frontend, auth, security]
 ---
 
-## 8. Out of Scope
-
-The following were identified during research and confirmed as non-contributing or separate concerns:
-
-- **Font loading** — `Inter` and `JetBrains Mono` fall back to `system-ui`. No `@font-face` or external CDN. No FOIT/FOUT. Separate font-bundling work would be its own feature.
-- **CSS preload hints** — Vite automatically injects `<link rel="stylesheet">` and `<link rel="modulepreload">` in production builds. The dev-server gap is acceptable.
-- **Log viewer layout reads** — `TunnelLogViewer.tsx` and `LiveLogViewer.tsx` read scroll properties inside post-mount event handlers, not during initial render. These are benign.
-- **Vendor chunk splitting** — The `vendor-i18n` chunk incurs a network round-trip on cold load. This is a performance concern separate from FOUC and belongs in a performance audit.
-- **SSR / hydration** — Charon is CSR-only. No hydration concerns exist.
+# Issue #579 — Auth Guard on Page Reload
+
+Branch: `fix/authprovider` (no worktrees, per CLAUDE.md)
+Scope: Frontend only. No backend/model changes (GORM scan not required).
+
+## Root Cause Analysis (verified 2026-06-09)
+
+Traced the full flow per the Context First rule:
+
+1. **Entry point**: page reload on a protected route (`/`).
+2. **Transformation**: `frontend/src/context/AuthContext.tsx` `checkAuth()` runs on
+   mount. When `localStorage` has no `charon_auth_token` it clears auth state and
+   returns early (commit `901e824f`); when a token exists it validates it via
+   `fetchSessionUser()` (`GET /api/v1/auth/me`) and clears state on failure.
+3. **Persistence**: token lives only in `localStorage` (`charon_auth_token`);
+   the axios Authorization header is mirrored via `setAuthToken()` in
+   `frontend/src/api/client.ts`.
+4. **Exit point**: `frontend/src/components/RequireAuth.tsx` redirects to `/login`
+   when `isLoading` is false and either context state or the localStorage token is
+   missing. A global 401 interceptor in `client.ts` invokes the handler registered
+   by `AuthContext` via `setAuthErrorHandler()` (excluding `/auth/*` endpoints).
+
+**Finding**: the guard described in issue #579 is already implemented on
+`development` (route-guard fix merged 2026-01-30 plus commits `901e824f`,
+`6777f6e8`). The acceptance test
+`tests/core/authentication.spec.ts › should redirect to login when session expires`
+**passes** against a container rebuilt from current source, as do all 16 tests in
+`tests/core/authentication.spec.ts` (firefox). The issue is stale with respect to
+the redirect behavior itself.
+
+**Remaining defects/gaps (the actual work):**
+
+1. **Stale auth-error handler (correctness gap)**: `setAuthErrorHandler` in
+   `frontend/src/api/client.ts` only accepts `() => void`, and the registration
+   `useEffect` in `AuthContext` has no cleanup, so after `AuthProvider` unmounts
+   the axios interceptor keeps invoking a closure over dead state (calls
+   `setUser` on an unmounted component; relevant for remounts, tests, HMR).
+   Long-term fix: accept `(() => void) | null` and unregister on unmount.
+2. **Zero unit-test regression coverage** for the guard behavior the issue is
+   about: there are no Vitest tests for `AuthContext` (reload paths) or
+   `RequireAuth` (redirect decision). The issue's own checklist requires
+   "Add unit tests for auth error handling". Without them the behavior can
+   silently regress again, which is how this issue arose.
+
+## Phases
+
+### Phase 1 — Harden auth-error handler lifecycle
+
+- `frontend/src/api/client.ts`: change `setAuthErrorHandler(handler: () => void)`
+  to `setAuthErrorHandler(handler: (() => void) | null)` (doc comment updated).
+- `frontend/src/context/AuthContext.tsx`: in the registration `useEffect`, add
+  cleanup `return () => setAuthErrorHandler(null);`.
+- No behavioral change for the running app; eliminates the stale-closure hazard.
+
+### Phase 2 — Regression unit tests (Vitest, jsdom)
+
+- **New** `frontend/src/components/__tests__/RequireAuth.test.tsx`
+  (render via `MemoryRouter` with `AuthContext.Provider`):
+  - shows `LoadingOverlay` while `isLoading` is true (no premature redirect);
+  - redirects to `/login` when `isAuthenticated` is false;
+  - redirects to `/login` when context says authenticated but
+    `localStorage.charon_auth_token` is absent (defense in depth);
+  - renders children when authenticated and token present.
+- **New** `frontend/src/context/__tests__/AuthContext.test.tsx`
+  (mock `fetch` and the axios client module):
+  - reload with no stored token → no `/auth/me` call, `user=null`,
+    `isLoading=false`, `isAuthenticated=false`;
+  - reload with stored token + `/auth/me` 401 → auth token cleared,
+    `user=null`, `isAuthenticated=false`;
+  - reload with stored token + `/auth/me` 200 → user populated;
+  - registered auth-error handler clears `charon_auth_token` from localStorage
+    and resets user state; handler is unregistered (set to null) on unmount.
+- **Update** `frontend/src/api/__tests__/client.test.ts`: add case asserting that
+  `setAuthErrorHandler(null)` unregisters (401 no longer invokes old handler).
+
+### Phase 3 — Validation (Definition of Done, frontend-only)
+
+1. E2E: `npx playwright test --project=firefox tests/core/authentication.spec.ts`
+   against rebuilt `charon-e2e` container — all pass.
+2. Unit tests + coverage: `scripts/frontend-test-coverage.sh` (≥85%).
+3. `cd frontend && npm run type-check`.
+4. `cd frontend && npm run build`.
+5. `lefthook run pre-commit`.
+
+## Commit Slicing Strategy (single PR `fix/authprovider` → `development`)
+
+| # | Commit | Scope | Files | Gate |
+|---|--------|-------|-------|------|
+| 1 | `fix(auth): unregister auth error handler on AuthProvider unmount and add reload guard regression tests` | Phase 1 + Phase 2 | `client.ts`, `AuthContext.tsx`, new/updated test files, this plan | full DoD above |
+
+One logical commit suffices: the production change is small and the new tests
+validate it; splitting tests from the signature change would leave the first
+commit without its validation gate.
+
+## Ignore-file review
+
+`.gitignore`, `.dockerignore`, `codecov.yml`: no new top-level paths introduced
+(tests live in existing `__tests__` directories) — no changes required.
+`Dockerfile`: unaffected.
diff --git a/frontend/eslint.config.js b/frontend/eslint.config.js
index 0f8656a39..38b8b0a19 100644
--- a/frontend/eslint.config.js
+++ b/frontend/eslint.config.js
@@ -10,7 +10,6 @@ import unicorn from 'eslint-plugin-unicorn';
 import sonarjs from 'eslint-plugin-sonarjs';
 import security from 'eslint-plugin-security';
 import noUnsanitized from 'eslint-plugin-no-unsanitized';
-import reactCompiler from 'eslint-plugin-react-compiler';
 import testingLibrary from 'eslint-plugin-testing-library';
 import vitest from '@vitest/eslint-plugin';
 import css from '@eslint/css';
@@ -41,7 +40,6 @@ export default tseslint.config(
       sonarjs,
       security,
       'no-unsanitized': noUnsanitized,
-      'react-compiler': reactCompiler,
     },
     settings: {
       'import-x/resolver': {
@@ -52,9 +50,16 @@ export default tseslint.config(
     rules: {
       // ── React ──
       'react-refresh/only-export-components': 'warn',
+      // React Compiler diagnostics now ship with eslint-plugin-react-hooks
+      // (the standalone eslint-plugin-react-compiler is deprecated); keep
+      // them at 'warn' to match the old react-compiler/react-compiler rule.
+      ...Object.fromEntries(
+        Object.keys(reactHooks.configs['recommended-latest'].rules).map(
+          name => [name, 'warn']
+        )
+      ),
       'react-hooks/rules-of-hooks': 'error',
       'react-hooks/exhaustive-deps': 'warn',
-      'react-compiler/react-compiler': 'warn',
 
       // ── TypeScript ──
       '@typescript-eslint/no-explicit-any': 'warn',
diff --git a/frontend/package-lock.json b/frontend/package-lock.json
index 442cc35b8..a94d40700 100644
--- a/frontend/package-lock.json
+++ b/frontend/package-lock.json
@@ -23,10 +23,10 @@
         "date-fns": "^4.4.0",
         "i18next": "^26.3.1",
         "i18next-browser-languagedetector": "^8.2.1",
-        "lucide-react": "^1.17.0",
+        "lucide-react": "^1.18.0",
         "react": "^19.2.7",
         "react-dom": "^19.2.7",
-        "react-hook-form": "^7.78.0",
+        "react-hook-form": "^7.79.0",
         "react-hot-toast": "^2.6.0",
         "react-i18next": "^17.0.8",
         "react-router-dom": "^7.17.0",
@@ -40,44 +40,43 @@
         "@eslint/json": "^2.0.0",
         "@eslint/markdown": "^8.0.2",
         "@playwright/test": "^1.60.0",
-        "@tailwindcss/postcss": "^4.3.0",
+        "@tailwindcss/postcss": "^4.3.1",
         "@testing-library/jest-dom": "^6.9.1",
         "@testing-library/react": "^16.3.2",
         "@testing-library/user-event": "^14.6.1",
         "@types/eslint-plugin-jsx-a11y": "^6.10.1",
-        "@types/node": "^25.9.2",
+        "@types/node": "^25.9.3",
         "@types/react": "^19.2.17",
         "@types/react-dom": "^19.2.3",
-        "@typescript-eslint/eslint-plugin": "^8.60.1",
-        "@typescript-eslint/parser": "^8.60.1",
-        "@typescript-eslint/utils": "^8.60.1",
+        "@typescript-eslint/eslint-plugin": "^8.61.0",
+        "@typescript-eslint/parser": "^8.61.0",
+        "@typescript-eslint/utils": "^8.61.0",
         "@vitejs/plugin-react": "^6.0.2",
         "@vitest/coverage-istanbul": "^4.1.8",
         "@vitest/coverage-v8": "^4.1.8",
-        "@vitest/eslint-plugin": "^1.6.19",
+        "@vitest/eslint-plugin": "^1.6.20",
         "@vitest/ui": "^4.1.8",
         "autoprefixer": "^10.5.0",
-        "eslint": "^10.4.1",
+        "eslint": "^10.5.0",
         "eslint-formatter-compact": "^9.0.1",
         "eslint-import-resolver-typescript": "^4.4.5",
         "eslint-plugin-import-x": "^4.16.2",
         "eslint-plugin-jsx-a11y": "^6.10.2",
         "eslint-plugin-no-unsanitized": "^4.1.5",
         "eslint-plugin-promise": "^7.3.0",
-        "eslint-plugin-react-compiler": "^19.1.0-rc.2",
         "eslint-plugin-react-hooks": "^7.1.1",
-        "eslint-plugin-react-refresh": "^0.5.2",
-        "eslint-plugin-security": "^4.0.0",
+        "eslint-plugin-react-refresh": "^0.5.3",
+        "eslint-plugin-security": "^4.0.1",
         "eslint-plugin-sonarjs": "^4.0.3",
         "eslint-plugin-testing-library": "^7.16.2",
-        "eslint-plugin-unicorn": "^65.0.0",
+        "eslint-plugin-unicorn": "^66.0.0",
         "eslint-plugin-unused-imports": "^4.4.1",
         "jsdom": "29.1.1",
         "knip": "^6.16.1",
         "postcss": "^8.5.15",
-        "tailwindcss": "^4.3.0",
+        "tailwindcss": "^4.3.1",
         "typescript": "^6.0.3",
-        "typescript-eslint": "^8.60.1",
+        "typescript-eslint": "^8.61.0",
         "vite": "^8.0.16",
         "vitest": "^4.1.8",
         "zod-validation-error": "^5.0.0"
@@ -237,19 +236,6 @@
         "node": ">=6.9.0"
       }
     },
-    "node_modules/@babel/helper-annotate-as-pure": {
-      "version": "7.29.7",
-      "resolved": "https://registry.npmjs.org/@babel/helper-annotate-as-pure/-/helper-annotate-as-pure-7.29.7.tgz",
-      "integrity": "sha512-OoK6239jHPuSQOoS0kfTVKn0b/rVTk0seKq4Gd2UMLtmOVLjDC0ki3e+c90Trqv2gMfvJFqkiljrr568+qddiw==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "@babel/types": "^7.29.7"
-      },
-      "engines": {
-        "node": ">=6.9.0"
-      }
-    },
     "node_modules/@babel/helper-compilation-targets": {
       "version": "7.29.7",
       "resolved": "https://registry.npmjs.org/@babel/helper-compilation-targets/-/helper-compilation-targets-7.29.7.tgz",
@@ -277,38 +263,6 @@
         "semver": "bin/semver.js"
       }
     },
-    "node_modules/@babel/helper-create-class-features-plugin": {
-      "version": "7.29.7",
-      "resolved": "https://registry.npmjs.org/@babel/helper-create-class-features-plugin/-/helper-create-class-features-plugin-7.29.7.tgz",
-      "integrity": "sha512-IY3ZD9Tmooqr3TUhc3DUWxiuo8xx1DWLhd5M7hQ+ZWJamqM2BbalrBJb2MisSLoYorOj75U03qULCxQTY9r3hg==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "@babel/helper-annotate-as-pure": "^7.29.7",
-        "@babel/helper-member-expression-to-functions": "^7.29.7",
-        "@babel/helper-optimise-call-expression": "^7.29.7",
-        "@babel/helper-replace-supers": "^7.29.7",
-        "@babel/helper-skip-transparent-expression-wrappers": "^7.29.7",
-        "@babel/traverse": "^7.29.7",
-        "semver": "^6.3.1"
-      },
-      "engines": {
-        "node": ">=6.9.0"
-      },
-      "peerDependencies": {
-        "@babel/core": "^7.0.0"
-      }
-    },
-    "node_modules/@babel/helper-create-class-features-plugin/node_modules/semver": {
-      "version": "6.3.1",
-      "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.1.tgz",
-      "integrity": "sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA==",
-      "dev": true,
-      "license": "ISC",
-      "bin": {
-        "semver": "bin/semver.js"
-      }
-    },
     "node_modules/@babel/helper-globals": {
       "version": "7.29.7",
       "resolved": "https://registry.npmjs.org/@babel/helper-globals/-/helper-globals-7.29.7.tgz",
@@ -319,20 +273,6 @@
         "node": ">=6.9.0"
       }
     },
-    "node_modules/@babel/helper-member-expression-to-functions": {
-      "version": "7.29.7",
-      "resolved": "https://registry.npmjs.org/@babel/helper-member-expression-to-functions/-/helper-member-expression-to-functions-7.29.7.tgz",
-      "integrity": "sha512-j+7JYmk1JYDtACIGj0QJqqWZjoUpMoEikQGADMaHgCMCSDqd2+P32rfcibUNrGOMWrlzK1WJBdxrB3JJQZwWtg==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "@babel/traverse": "^7.29.7",
-        "@babel/types": "^7.29.7"
-      },
-      "engines": {
-        "node": ">=6.9.0"
-      }
-    },
     "node_modules/@babel/helper-module-imports": {
       "version": "7.29.7",
       "resolved": "https://registry.npmjs.org/@babel/helper-module-imports/-/helper-module-imports-7.29.7.tgz",
@@ -365,61 +305,6 @@
         "@babel/core": "^7.0.0"
       }
     },
-    "node_modules/@babel/helper-optimise-call-expression": {
-      "version": "7.29.7",
-      "resolved": "https://registry.npmjs.org/@babel/helper-optimise-call-expression/-/helper-optimise-call-expression-7.29.7.tgz",
-      "integrity": "sha512-+kmGVjcT9RGYzoDwdwEqEvGgKe3BYq+O1iGzjFubaNgZHwYHP6lsF2Yghf4kEuv9BV7tYDZ913aBW9am6YKong==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "@babel/types": "^7.29.7"
-      },
-      "engines": {
-        "node": ">=6.9.0"
-      }
-    },
-    "node_modules/@babel/helper-plugin-utils": {
-      "version": "7.29.7",
-      "resolved": "https://registry.npmjs.org/@babel/helper-plugin-utils/-/helper-plugin-utils-7.29.7.tgz",
-      "integrity": "sha512-G7sHYigPY17oO5SYWnfD/0MTBwVR781S/JI643e/JhUYgVgWE/61SoW3NH9KWUKyKq5LVh3npif99Wkt6j86Jw==",
-      "dev": true,
-      "license": "MIT",
-      "engines": {
-        "node": ">=6.9.0"
-      }
-    },
-    "node_modules/@babel/helper-replace-supers": {
-      "version": "7.29.7",
-      "resolved": "https://registry.npmjs.org/@babel/helper-replace-supers/-/helper-replace-supers-7.29.7.tgz",
-      "integrity": "sha512-atfGXWSeCiF4DnKZIfmJfQRkSw9b9gNNXR1kqKjbhG4pGYCOnkp8OcTB8E3NXjBu8NpheSnOeNKz8KT7UNFTmQ==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "@babel/helper-member-expression-to-functions": "^7.29.7",
-        "@babel/helper-optimise-call-expression": "^7.29.7",
-        "@babel/traverse": "^7.29.7"
-      },
-      "engines": {
-        "node": ">=6.9.0"
-      },
-      "peerDependencies": {
-        "@babel/core": "^7.0.0"
-      }
-    },
-    "node_modules/@babel/helper-skip-transparent-expression-wrappers": {
-      "version": "7.29.7",
-      "resolved": "https://registry.npmjs.org/@babel/helper-skip-transparent-expression-wrappers/-/helper-skip-transparent-expression-wrappers-7.29.7.tgz",
-      "integrity": "sha512-brcMGQaVzIeUb+6/bs1Av0f8YuNNjKY2JyvfRCsFuFsdKccEQ5Ges2y74D74NZ1Rz8lKJ9ksJkfqwQFJ/iNEyQ==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "@babel/traverse": "^7.29.7",
-        "@babel/types": "^7.29.7"
-      },
-      "engines": {
-        "node": ">=6.9.0"
-      }
-    },
     "node_modules/@babel/helper-string-parser": {
       "version": "7.29.7",
       "resolved": "https://registry.npmjs.org/@babel/helper-string-parser/-/helper-string-parser-7.29.7.tgz",
@@ -480,24 +365,6 @@
         "node": ">=6.0.0"
       }
     },
-    "node_modules/@babel/plugin-proposal-private-methods": {
-      "version": "7.18.6",
-      "resolved": "https://registry.npmjs.org/@babel/plugin-proposal-private-methods/-/plugin-proposal-private-methods-7.18.6.tgz",
-      "integrity": "sha512-nutsvktDItsNn4rpGItSNV2sz1XwS+nfU0Rg8aCx3W3NOKVzdMjJRu0O5OkgDp3ZGICSTbgRpxZoWsxoKRvbeA==",
-      "deprecated": "This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-private-methods instead.",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "@babel/helper-create-class-features-plugin": "^7.18.6",
-        "@babel/helper-plugin-utils": "^7.18.6"
-      },
-      "engines": {
-        "node": ">=6.9.0"
-      },
-      "peerDependencies": {
-        "@babel/core": "^7.0.0-0"
-      }
-    },
     "node_modules/@babel/runtime": {
       "version": "7.29.7",
       "resolved": "https://registry.npmjs.org/@babel/runtime/-/runtime-7.29.7.tgz",
@@ -623,9 +490,9 @@
       }
     },
     "node_modules/@csstools/css-color-parser": {
-      "version": "4.1.1",
-      "resolved": "https://registry.npmjs.org/@csstools/css-color-parser/-/css-color-parser-4.1.1.tgz",
-      "integrity": "sha512-eZ5XOtyhK+mggRafYUWzA0tvaYOFgdY8AkgQiCJF9qNAePnUo/zmsqqYubBBb3sQ8uNUaSKTY9s9klfRaAXL0g==",
+      "version": "4.1.7",
+      "resolved": "https://registry.npmjs.org/@csstools/css-color-parser/-/css-color-parser-4.1.7.tgz",
+      "integrity": "sha512-CmjJFQTFQx/U/xNJhSjCQ0ilpesPmNQ8+eOUeM/+kDOVW33qsIjeOXc27vrQDdWVkf83ZSWwtg7kXSUvKDJ8cQ==",
       "dev": true,
       "funding": [
         {
@@ -674,9 +541,9 @@
       }
     },
     "node_modules/@csstools/css-syntax-patches-for-csstree": {
-      "version": "1.1.4",
-      "resolved": "https://registry.npmjs.org/@csstools/css-syntax-patches-for-csstree/-/css-syntax-patches-for-csstree-1.1.4.tgz",
-      "integrity": "sha512-wgsqt92b7C7tQhIdPNxj0n9zuUbQlvAuI1exyzeNrOKOi62SD7ren8zqszmpVREjAOqg8cD2FqYhQfAuKjk4sw==",
+      "version": "1.1.5",
+      "resolved": "https://registry.npmjs.org/@csstools/css-syntax-patches-for-csstree/-/css-syntax-patches-for-csstree-1.1.5.tgz",
+      "integrity": "sha512-oNjBvzLq2GPZtJphCjLqXow/cHySHSgtxvKZb7OqSZ/xHgw6NWNhfad+6AB9cLeVm6eA9d/qMll3JdEHjy6M+A==",
       "dev": true,
       "funding": [
         {
@@ -1292,14 +1159,14 @@
       }
     },
     "node_modules/@napi-rs/wasm-runtime": {
-      "version": "1.1.4",
-      "resolved": "https://registry.npmjs.org/@napi-rs/wasm-runtime/-/wasm-runtime-1.1.4.tgz",
-      "integrity": "sha512-3NQNNgA1YSlJb/kMH1ildASP9HW7/7kYnRI2szWJaofaS1hWmbGI4H+d3+22aGzXXN9IJ+n+GiFVcGipJP18ow==",
+      "version": "1.1.5",
+      "resolved": "https://registry.npmjs.org/@napi-rs/wasm-runtime/-/wasm-runtime-1.1.5.tgz",
+      "integrity": "sha512-AWPoBRJ9tsnVhor4sjO7rkni+7p+2IAEFj6cx06UgP10jkQHqay/36uRV/bFkgrh18D9vb4cr8Q0Pthskgzy+Q==",
       "dev": true,
       "license": "MIT",
       "optional": true,
       "dependencies": {
-        "@tybys/wasm-util": "^0.10.1"
+        "@tybys/wasm-util": "^0.10.2"
       },
       "funding": {
         "type": "github",
@@ -3047,49 +2914,49 @@
       "license": "MIT"
     },
     "node_modules/@tailwindcss/node": {
-      "version": "4.3.0",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/node/-/node-4.3.0.tgz",
-      "integrity": "sha512-aFb4gUhFOgdh9AXo4IzBEOzBkkAxm9VigwDJnMIYv3lcfXCJVesNfbEaBl4BNgVRyid92AmdviqwBUBRKSeY3g==",
+      "version": "4.3.1",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/node/-/node-4.3.1.tgz",
+      "integrity": "sha512-6NDaqRoAMSXD1mr/RXu0HBvNE9a2n5tHPsxu9XHLws8o4Twes5rBM2205SUUiJ9goAtadrN6xTGX0UDEwp/N4A==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "@jridgewell/remapping": "^2.3.5",
-        "enhanced-resolve": "^5.21.0",
-        "jiti": "^2.6.1",
+        "enhanced-resolve": "5.21.6",
+        "jiti": "^2.7.0",
         "lightningcss": "1.32.0",
         "magic-string": "^0.30.21",
         "source-map-js": "^1.2.1",
-        "tailwindcss": "4.3.0"
+        "tailwindcss": "4.3.1"
       }
     },
     "node_modules/@tailwindcss/oxide": {
-      "version": "4.3.0",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide/-/oxide-4.3.0.tgz",
-      "integrity": "sha512-F7HZGBeN9I0/AuuJS5PwcD8xayx5ri5GhjYUDBEVYUkexyA/giwbDNjRVrxSezE3T250OU2K/wp/ltWx3UOefg==",
+      "version": "4.3.1",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide/-/oxide-4.3.1.tgz",
+      "integrity": "sha512-yVPyo8RNkabVr3O2EhHEE0Rewu7YKzc1DhIqfL46LKveFrmu9XbDazNOJY7/GRuvw1h6u3utWnR29H/p5JPlgA==",
       "dev": true,
       "license": "MIT",
       "engines": {
         "node": ">= 20"
       },
       "optionalDependencies": {
-        "@tailwindcss/oxide-android-arm64": "4.3.0",
-        "@tailwindcss/oxide-darwin-arm64": "4.3.0",
-        "@tailwindcss/oxide-darwin-x64": "4.3.0",
-        "@tailwindcss/oxide-freebsd-x64": "4.3.0",
-        "@tailwindcss/oxide-linux-arm-gnueabihf": "4.3.0",
-        "@tailwindcss/oxide-linux-arm64-gnu": "4.3.0",
-        "@tailwindcss/oxide-linux-arm64-musl": "4.3.0",
-        "@tailwindcss/oxide-linux-x64-gnu": "4.3.0",
-        "@tailwindcss/oxide-linux-x64-musl": "4.3.0",
-        "@tailwindcss/oxide-wasm32-wasi": "4.3.0",
-        "@tailwindcss/oxide-win32-arm64-msvc": "4.3.0",
-        "@tailwindcss/oxide-win32-x64-msvc": "4.3.0"
+        "@tailwindcss/oxide-android-arm64": "4.3.1",
+        "@tailwindcss/oxide-darwin-arm64": "4.3.1",
+        "@tailwindcss/oxide-darwin-x64": "4.3.1",
+        "@tailwindcss/oxide-freebsd-x64": "4.3.1",
+        "@tailwindcss/oxide-linux-arm-gnueabihf": "4.3.1",
+        "@tailwindcss/oxide-linux-arm64-gnu": "4.3.1",
+        "@tailwindcss/oxide-linux-arm64-musl": "4.3.1",
+        "@tailwindcss/oxide-linux-x64-gnu": "4.3.1",
+        "@tailwindcss/oxide-linux-x64-musl": "4.3.1",
+        "@tailwindcss/oxide-wasm32-wasi": "4.3.1",
+        "@tailwindcss/oxide-win32-arm64-msvc": "4.3.1",
+        "@tailwindcss/oxide-win32-x64-msvc": "4.3.1"
       }
     },
     "node_modules/@tailwindcss/oxide-android-arm64": {
-      "version": "4.3.0",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-android-arm64/-/oxide-android-arm64-4.3.0.tgz",
-      "integrity": "sha512-TJPiq67tKlLuObP6RkwvVGDoxCMBVtDgKkLfa/uyj7/FyxvQwHS+UOnVrXXgbEsfUaMgiVvC4KbJnRr26ho4Ng==",
+      "version": "4.3.1",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-android-arm64/-/oxide-android-arm64-4.3.1.tgz",
+      "integrity": "sha512-SVlyf61g374l5cHyg8x9kf5xmLcOaxvOTsbsqDnSsDJaKOEFZ7GCvi84VAVGpxojYOs1+3K6M0UjXfqPU8vmOQ==",
       "cpu": [
         "arm64"
       ],
@@ -3104,9 +2971,9 @@
       }
     },
     "node_modules/@tailwindcss/oxide-darwin-arm64": {
-      "version": "4.3.0",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-darwin-arm64/-/oxide-darwin-arm64-4.3.0.tgz",
-      "integrity": "sha512-oMN/WZRb+SO37BmUElEgeEWuU8E/HXRkiODxJxLe1UTHVXLrdVSgfaJV7pSlhRGMSOiXLuxTIjfsF3wYvz8cgQ==",
+      "version": "4.3.1",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-darwin-arm64/-/oxide-darwin-arm64-4.3.1.tgz",
+      "integrity": "sha512-hVnWLwv+e/l7c4WKyVtHVrIPvYdqWHjRB3MDIqARynzFtnQg85kmQEFCbV9Ja0VVx4xXTIiDWY60Y7iz/iNoDA==",
       "cpu": [
         "arm64"
       ],
@@ -3121,9 +2988,9 @@
       }
     },
     "node_modules/@tailwindcss/oxide-darwin-x64": {
-      "version": "4.3.0",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-darwin-x64/-/oxide-darwin-x64-4.3.0.tgz",
-      "integrity": "sha512-N6CUmu4a6bKVADfw77p+iw6Yd9Q3OBhe0veaDX+QazfuVYlQsHfDgxBrsjQ/IW+zywL8mTrNd0SdJT/zgtvMdA==",
+      "version": "4.3.1",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-darwin-x64/-/oxide-darwin-x64-4.3.1.tgz",
+      "integrity": "sha512-Cf7abu0WVgbhU7ANgPUnSAvm7nCvMweusHb8FnaHlLfv/Caq4GYaEZg7ZImzzmjx4lIAfuS8q+eLIS7A7IzxIg==",
       "cpu": [
         "x64"
       ],
@@ -3138,9 +3005,9 @@
       }
     },
     "node_modules/@tailwindcss/oxide-freebsd-x64": {
-      "version": "4.3.0",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-freebsd-x64/-/oxide-freebsd-x64-4.3.0.tgz",
-      "integrity": "sha512-zDL5hBkQdH5C6MpqbK3gQAgP80tsMwSI26vjOzjJtNCMUo0lFgOItzHKBIupOZNQxt3ouPH7RPhvNhiTfCe5CQ==",
+      "version": "4.3.1",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-freebsd-x64/-/oxide-freebsd-x64-4.3.1.tgz",
+      "integrity": "sha512-ZZqzX2Y+GXtXXfqSfpJhDm60OoZfvLHLCgm+J7NVqgHHJjG/m9ugZI77RwTsVd4fnBJuCFP6Ae6kTJb71UdS8g==",
       "cpu": [
         "x64"
       ],
@@ -3155,9 +3022,9 @@
       }
     },
     "node_modules/@tailwindcss/oxide-linux-arm-gnueabihf": {
-      "version": "4.3.0",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-arm-gnueabihf/-/oxide-linux-arm-gnueabihf-4.3.0.tgz",
-      "integrity": "sha512-R06HdNi7A7OEoMsf6d4tjZ71RCWnZQPHj2mnotSFURjNLdBC+cIgXQ7l81CqeoiQftjf6OOblxXMInMgN2VzMA==",
+      "version": "4.3.1",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-arm-gnueabihf/-/oxide-linux-arm-gnueabihf-4.3.1.tgz",
+      "integrity": "sha512-/Ah/xik0LaMYfv9DZ0S/t4pBlBNYOcqtRwusjgovHkvT8ixueWCLyJjsaF5kQIckjb4IT8Q6K6p/iPmZMixYgg==",
       "cpu": [
         "arm"
       ],
@@ -3172,9 +3039,9 @@
       }
     },
     "node_modules/@tailwindcss/oxide-linux-arm64-gnu": {
-      "version": "4.3.0",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-arm64-gnu/-/oxide-linux-arm64-gnu-4.3.0.tgz",
-      "integrity": "sha512-qTJHELX8jetjhRQHCLilkVLmybpzNQAtaI/gaoVoidn/ufbNDbAo8KlK2J+yPoc8wQxvDxCmh/5lr8nC1+lTbg==",
+      "version": "4.3.1",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-arm64-gnu/-/oxide-linux-arm64-gnu-4.3.1.tgz",
+      "integrity": "sha512-gqdFoVJlw444GvpnheZLHmvTzSxI/cOUUh2KSNejQjTcYkW062SVD+En0rUgD+QV91bz1XGIGtt1HJd48xUGbQ==",
       "cpu": [
         "arm64"
       ],
@@ -3192,9 +3059,9 @@
       }
     },
     "node_modules/@tailwindcss/oxide-linux-arm64-musl": {
-      "version": "4.3.0",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-arm64-musl/-/oxide-linux-arm64-musl-4.3.0.tgz",
-      "integrity": "sha512-Z6sukiQsngnWO+l39X4pPbiWT81IC+PLKF+PHxIlyZbGNb9MODfYlXEVlFvej5BOZInWX01kVyzeLvHsXhfczQ==",
+      "version": "4.3.1",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-arm64-musl/-/oxide-linux-arm64-musl-4.3.1.tgz",
+      "integrity": "sha512-Bwv9KwOvE0VKa86xPFif9b9c3Y1NxOV1P0gLti/IYaWEsQYZXDlxfGEtA8mdDZ7SG3wyNXAWYT5SIn3giL57oA==",
       "cpu": [
         "arm64"
       ],
@@ -3212,9 +3079,9 @@
       }
     },
     "node_modules/@tailwindcss/oxide-linux-x64-gnu": {
-      "version": "4.3.0",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-x64-gnu/-/oxide-linux-x64-gnu-4.3.0.tgz",
-      "integrity": "sha512-DRNdQRpSGzRGfARVuVkxvM8Q12nh19l4BF/G7zGA1oe+9wcC6saFBHTISrpIcKzhiXtSrlSrluCfvMuledoCTQ==",
+      "version": "4.3.1",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-x64-gnu/-/oxide-linux-x64-gnu-4.3.1.tgz",
+      "integrity": "sha512-Ymi8O8T15HYQdOUWUtTI6ldN0neHP85FC+Qz32xTcZ7iJXtem/x8ITev0o1e9e5rkqj4lONZfTRLvkmin1+tKg==",
       "cpu": [
         "x64"
       ],
@@ -3232,9 +3099,9 @@
       }
     },
     "node_modules/@tailwindcss/oxide-linux-x64-musl": {
-      "version": "4.3.0",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-x64-musl/-/oxide-linux-x64-musl-4.3.0.tgz",
-      "integrity": "sha512-Z0IADbDo8bh6I7h2IQMx601AdXBLfFpEdUotft86evd/8ZPflZe9COPO8Q1vw+pfLWIUo9zN/JGZvwuAJqduqg==",
+      "version": "4.3.1",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-x64-musl/-/oxide-linux-x64-musl-4.3.1.tgz",
+      "integrity": "sha512-M+P/91qJ6uILLw4k2G93GMDRAXj61SMvFQYt39AqvUqYgExXpLL5aepfns7sj4HiAQeolirQF9E0lzRvdf4zPQ==",
       "cpu": [
         "x64"
       ],
@@ -3252,9 +3119,9 @@
       }
     },
     "node_modules/@tailwindcss/oxide-wasm32-wasi": {
-      "version": "4.3.0",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-wasm32-wasi/-/oxide-wasm32-wasi-4.3.0.tgz",
-      "integrity": "sha512-HNZGOUxEmElksYR7S6sC5jTeNGpobAsy9u7Gu0AskJ8/20FR9GqebUyB+HBcU/ax6BHuiuJi+Oda4B+YX6H1yA==",
+      "version": "4.3.1",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-wasm32-wasi/-/oxide-wasm32-wasi-4.3.1.tgz",
+      "integrity": "sha512-zsM8uOeqvVGHsAXsJxsT28ttosFahLJKCLOTUBqRAtKnVgGSRitds9T432QiT8b77Yga7JIBkulIRRlJPtYhRA==",
       "bundleDependencies": [
         "@napi-rs/wasm-runtime",
         "@emnapi/core",
@@ -3274,7 +3141,7 @@
         "@emnapi/runtime": "^1.10.0",
         "@emnapi/wasi-threads": "^1.2.1",
         "@napi-rs/wasm-runtime": "^1.1.4",
-        "@tybys/wasm-util": "^0.10.1",
+        "@tybys/wasm-util": "^0.10.2",
         "tslib": "^2.8.1"
       },
       "engines": {
@@ -3282,9 +3149,9 @@
       }
     },
     "node_modules/@tailwindcss/oxide-win32-arm64-msvc": {
-      "version": "4.3.0",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-win32-arm64-msvc/-/oxide-win32-arm64-msvc-4.3.0.tgz",
-      "integrity": "sha512-Pe+RPVTi1T+qymuuRpcdvwSVZjnll/f7n8gBxMMh3xLTctMDKqpdfGimbMyioqtLhUYZxdJ9wGNhV7MKHvgZsQ==",
+      "version": "4.3.1",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-win32-arm64-msvc/-/oxide-win32-arm64-msvc-4.3.1.tgz",
+      "integrity": "sha512-aiNvSq9BsVk8V513lDKlrCFAgf8qBMPZTpgEhInL+NwQqs97mYmupVMrPrgBBSL8Pv/0zXu9MrMF9rMun1ZeNg==",
       "cpu": [
         "arm64"
       ],
@@ -3299,9 +3166,9 @@
       }
     },
     "node_modules/@tailwindcss/oxide-win32-x64-msvc": {
-      "version": "4.3.0",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-win32-x64-msvc/-/oxide-win32-x64-msvc-4.3.0.tgz",
-      "integrity": "sha512-Mvrf2kXW/yeW/OTezZlCGOirXRcUuLIBx/5Y12BaPM7wJoryG6dfS/NJL8aBPqtTEx/Vm4T4vKzFUcKDT+TKUA==",
+      "version": "4.3.1",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-win32-x64-msvc/-/oxide-win32-x64-msvc-4.3.1.tgz",
+      "integrity": "sha512-xDEyu1rg290472FEGaKHnzyDyh5QH+AlWvsU5hMoMtPpzmKlRI0jaYKCgSHDYtaQWZOYbMaduSyCwFwY4n1HmA==",
       "cpu": [
         "x64"
       ],
@@ -3316,17 +3183,17 @@
       }
     },
     "node_modules/@tailwindcss/postcss": {
-      "version": "4.3.0",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/postcss/-/postcss-4.3.0.tgz",
-      "integrity": "sha512-Jm05Tjx+9yCLGv5qw1c+84Psds8MnyrEQYCB+FFk2lgGiUjlRqdxke4mVTuYrj2xnVZqKim2Apr5ySuQRYAw/w==",
+      "version": "4.3.1",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/postcss/-/postcss-4.3.1.tgz",
+      "integrity": "sha512-dNJuNbdEJT/SWRuXTYP1WSamelsz3ztkUsdtWQPjrexysrTpaEPM40P/71knXiXLYEojqPOEGitVLLpPMS5T6A==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "@alloc/quick-lru": "^5.2.0",
-        "@tailwindcss/node": "4.3.0",
-        "@tailwindcss/oxide": "4.3.0",
-        "postcss": "^8.5.10",
-        "tailwindcss": "4.3.0"
+        "@tailwindcss/node": "4.3.1",
+        "@tailwindcss/oxide": "4.3.1",
+        "postcss": "8.5.15",
+        "tailwindcss": "4.3.1"
       }
     },
     "node_modules/@tanstack/query-core": {
@@ -3848,9 +3715,9 @@
       "license": "MIT"
     },
     "node_modules/@types/node": {
-      "version": "25.9.2",
-      "resolved": "https://registry.npmjs.org/@types/node/-/node-25.9.2.tgz",
-      "integrity": "sha512-G05zqtJhcDLb8uslf5EjCxXg9G1KQxiV8OS0R26IC//Eoyitzqe8z37I7cqvnZlrlSfgocQRfSn/AHBZJJFyGw==",
+      "version": "25.9.3",
+      "resolved": "https://registry.npmjs.org/@types/node/-/node-25.9.3.tgz",
+      "integrity": "sha512-603BddQMv3pUcr4U2dhujk83N2tTDVr/34wII2B6bJy6g+8WD6yUb11jszNs0gdi4PesVWl7ABt8nYMVpnLUcg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -3891,17 +3758,17 @@
       "license": "MIT"
     },
     "node_modules/@typescript-eslint/eslint-plugin": {
-      "version": "8.60.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.60.1.tgz",
-      "integrity": "sha512-JQ4S5GB0tfjO8BuJ4fcX+HodkzJjYBV+7OJ+wLygaX7OGQ7FudyHL4NSCA6ob+w3Yn+5MkKIozOwQhXeM7opVg==",
+      "version": "8.61.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.61.0.tgz",
+      "integrity": "sha512-bFNvl9ZczlVb+wR2Akszf3gHfKVj/8WanXaGJ3UstTA7brNKg0cNdk6X1Psu5V7MZ2oQtzZKOEzIUehaoxbDGw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "@eslint-community/regexpp": "^4.12.2",
-        "@typescript-eslint/scope-manager": "8.60.1",
-        "@typescript-eslint/type-utils": "8.60.1",
-        "@typescript-eslint/utils": "8.60.1",
-        "@typescript-eslint/visitor-keys": "8.60.1",
+        "@typescript-eslint/scope-manager": "8.61.0",
+        "@typescript-eslint/type-utils": "8.61.0",
+        "@typescript-eslint/utils": "8.61.0",
+        "@typescript-eslint/visitor-keys": "8.61.0",
         "ignore": "^7.0.5",
         "natural-compare": "^1.4.0",
         "ts-api-utils": "^2.5.0"
@@ -3914,22 +3781,22 @@
         "url": "https://opencollective.com/typescript-eslint"
       },
       "peerDependencies": {
-        "@typescript-eslint/parser": "^8.60.1",
+        "@typescript-eslint/parser": "^8.61.0",
         "eslint": "^8.57.0 || ^9.0.0 || ^10.0.0",
         "typescript": ">=4.8.4 <6.1.0"
       }
     },
     "node_modules/@typescript-eslint/parser": {
-      "version": "8.60.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.60.1.tgz",
-      "integrity": "sha512-A0M6ua6H252bVjPvvtSgl2QA4+ET9S5Mtkb2GDyTxIhH/C4qDItT7RQNO5PhMC6NXGYXOR9dIalcDDgBKT7oFA==",
+      "version": "8.61.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.61.0.tgz",
+      "integrity": "sha512-5B7PfA2e1NQGCnDHd/0lW7W3gvp3d59Ryw54FYO8Uswxo9f6ikw3AZV+Xj/TvpImmpsiYyUqAfhC6kJID1jF6w==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/scope-manager": "8.60.1",
-        "@typescript-eslint/types": "8.60.1",
-        "@typescript-eslint/typescript-estree": "8.60.1",
-        "@typescript-eslint/visitor-keys": "8.60.1",
+        "@typescript-eslint/scope-manager": "8.61.0",
+        "@typescript-eslint/types": "8.61.0",
+        "@typescript-eslint/typescript-estree": "8.61.0",
+        "@typescript-eslint/visitor-keys": "8.61.0",
         "debug": "^4.4.3"
       },
       "engines": {
@@ -3945,14 +3812,14 @@
       }
     },
     "node_modules/@typescript-eslint/project-service": {
-      "version": "8.60.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.60.1.tgz",
-      "integrity": "sha512-eXkTH2bxmXlqD1RnOPmLZ9ZM9D3VwSx04JOwBnP9RQ+yUA5a2Mu7SfW8uaV2Aon53NJzZlZYuX7tn91Izf+xaw==",
+      "version": "8.61.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.61.0.tgz",
+      "integrity": "sha512-DV42F7MLJO6Rax7SK1yg43tcnEfGUrurSpSxKuVX+a3RCTzBlH3fuxprrOJXKCJGAaw82xXocikJ0uQaqwXgGA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/tsconfig-utils": "^8.60.1",
-        "@typescript-eslint/types": "^8.60.1",
+        "@typescript-eslint/tsconfig-utils": "^8.61.0",
+        "@typescript-eslint/types": "^8.61.0",
         "debug": "^4.4.3"
       },
       "engines": {
@@ -3967,14 +3834,14 @@
       }
     },
     "node_modules/@typescript-eslint/scope-manager": {
-      "version": "8.60.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.60.1.tgz",
-      "integrity": "sha512-gvI5OQoptnxQnchOirukCuQ55svJSTuD/4k5+pC267xyBtYry748R9/c3tYUzb/iE6RZfllRz2lVulLCHkTm4w==",
+      "version": "8.61.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.61.0.tgz",
+      "integrity": "sha512-IWdXFHFSb6mlC3HPc7QsLDm5zYEbUla6trDEHf32D3/dnuUyXd87plScSNXSbm0/RxMvObpI17sv/EDTGrGZkA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/types": "8.60.1",
-        "@typescript-eslint/visitor-keys": "8.60.1"
+        "@typescript-eslint/types": "8.61.0",
+        "@typescript-eslint/visitor-keys": "8.61.0"
       },
       "engines": {
         "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -3985,9 +3852,9 @@
       }
     },
     "node_modules/@typescript-eslint/tsconfig-utils": {
-      "version": "8.60.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.60.1.tgz",
-      "integrity": "sha512-nh8w4qAteiKuZu3pSSzG/yGKpw0OlkrKnzFmbVRenKaD4qc+7i1GrmZaLVkr8rk4uipiPGMOW4YsM6WmKZ5CvA==",
+      "version": "8.61.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.61.0.tgz",
+      "integrity": "sha512-O5Amvdv9ztMpxpf+vmFULGG78IE6Qwdr3bCGvqwG4nwc9H2qXkOYJJnRbRHyMkQTjv1d03olqwwwzHLMqpFePQ==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -4002,15 +3869,15 @@
       }
     },
     "node_modules/@typescript-eslint/type-utils": {
-      "version": "8.60.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.60.1.tgz",
-      "integrity": "sha512-sdwTrpjosW7ANQYJ39ZBF1ZyEMEGVB2UsikrserVM/30a/F1dTLnu9bGxEdosugyu5caigjLrR2qiD11asjI1A==",
+      "version": "8.61.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.61.0.tgz",
+      "integrity": "sha512-TuBiQYIkd97yBfInHCTKVYMbX4kvEmpOEuixIuzCU9p8BGT1SfyyO0d0IfDMbPIHcjn/hWnusUX5e8v5Xg+X8A==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/types": "8.60.1",
-        "@typescript-eslint/typescript-estree": "8.60.1",
-        "@typescript-eslint/utils": "8.60.1",
+        "@typescript-eslint/types": "8.61.0",
+        "@typescript-eslint/typescript-estree": "8.61.0",
+        "@typescript-eslint/utils": "8.61.0",
         "debug": "^4.4.3",
         "ts-api-utils": "^2.5.0"
       },
@@ -4027,9 +3894,9 @@
       }
     },
     "node_modules/@typescript-eslint/types": {
-      "version": "8.60.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.60.1.tgz",
-      "integrity": "sha512-4h0tY8ppCkdCzcrl2YM5M3my0xsE1Tf8om3owEu5oPWmXwkKRmk0j0LGDzYBGUcAlesEbxBhazqu/K4cu3Ug7w==",
+      "version": "8.61.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.61.0.tgz",
+      "integrity": "sha512-9QTQpZ5Iin4CdIodfbDQFSeiSJKidgYJYug1P9CC2xWgUTvlmixViqDZNciMjwLBZyJnG4tGmPl97rVAFb1AJg==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -4041,16 +3908,16 @@
       }
     },
     "node_modules/@typescript-eslint/typescript-estree": {
-      "version": "8.60.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.60.1.tgz",
-      "integrity": "sha512-alpRkfG8hlVE5kdJW2GkfgDgXxold3e8e4l6EnmhRmRLbekgAPCCGDVD++sABy9FcgPFroq+uFcCSM1vR57Cew==",
+      "version": "8.61.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.61.0.tgz",
+      "integrity": "sha512-42zatd5qSvvcV1JdDBCLxYRznvP4eIHpPoZXdkPFnAmanA4FuZ5dibSnCBggY8hQnqajPpoGjXFdZ7fIJKQnlA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/project-service": "8.60.1",
-        "@typescript-eslint/tsconfig-utils": "8.60.1",
-        "@typescript-eslint/types": "8.60.1",
-        "@typescript-eslint/visitor-keys": "8.60.1",
+        "@typescript-eslint/project-service": "8.61.0",
+        "@typescript-eslint/tsconfig-utils": "8.61.0",
+        "@typescript-eslint/types": "8.61.0",
+        "@typescript-eslint/visitor-keys": "8.61.0",
         "debug": "^4.4.3",
         "minimatch": "^10.2.2",
         "semver": "^7.7.3",
@@ -4069,16 +3936,16 @@
       }
     },
     "node_modules/@typescript-eslint/utils": {
-      "version": "8.60.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.60.1.tgz",
-      "integrity": "sha512-h2MPBLoNtjc3qZWfY3Tl51yPorQ2McHn8pJfcMNTcIvrrZrr90Ykffit0yjrPFWQcRcUxzH20+6OcVdW4yHtUg==",
+      "version": "8.61.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.61.0.tgz",
+      "integrity": "sha512-3bzFt7ImFMW/jVYwJamDoe/dMOdFLSC6pom6rRjdh4SZJEYupyMzem8e7vKZLclLfpHjlwSAXOUxtKxGXUiLqA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "@eslint-community/eslint-utils": "^4.9.1",
-        "@typescript-eslint/scope-manager": "8.60.1",
-        "@typescript-eslint/types": "8.60.1",
-        "@typescript-eslint/typescript-estree": "8.60.1"
+        "@typescript-eslint/scope-manager": "8.61.0",
+        "@typescript-eslint/types": "8.61.0",
+        "@typescript-eslint/typescript-estree": "8.61.0"
       },
       "engines": {
         "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -4093,13 +3960,13 @@
       }
     },
     "node_modules/@typescript-eslint/visitor-keys": {
-      "version": "8.60.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.60.1.tgz",
-      "integrity": "sha512-EbGRQg4FhrmwLodl+t3JNAnXHWVr9Vp+Zl1QBZVPY4ByfkzIT8cX3K6QWODHtkIZqqJVEWvhHSx3v5PDHsaQag==",
+      "version": "8.61.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.61.0.tgz",
+      "integrity": "sha512-QVLZu3ZPQEE+HICQyAMZ2yLQhxf0meY/wx6Hx14YcTNj13JB3qHlX3lJ02L3fLGHgERRH71kvYDwiXIguT3AjQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/types": "8.60.1",
+        "@typescript-eslint/types": "8.61.0",
         "eslint-visitor-keys": "^5.0.0"
       },
       "engines": {
@@ -4549,9 +4416,9 @@
       }
     },
     "node_modules/@vitest/eslint-plugin": {
-      "version": "1.6.19",
-      "resolved": "https://registry.npmjs.org/@vitest/eslint-plugin/-/eslint-plugin-1.6.19.tgz",
-      "integrity": "sha512-zodmXRsVKFsuHxHJILuTFaaKsrsxm0YsiOX65clk+LpCW9JrVXaf6ERXr0caDs+NEk0S62Jyk0K7XYQ7gWXheA==",
+      "version": "1.6.20",
+      "resolved": "https://registry.npmjs.org/@vitest/eslint-plugin/-/eslint-plugin-1.6.20.tgz",
+      "integrity": "sha512-xRwWHFG0Utp6hXtbGiWk4VdKXCGdExD8kbWrrmFEiG5dk8anOJ+vbWbeOa8EbkocKQRTsx7JAWETccZiBgFp/Q==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -4715,9 +4582,9 @@
       }
     },
     "node_modules/acorn": {
-      "version": "8.16.0",
-      "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.16.0.tgz",
-      "integrity": "sha512-UVJyE9MttOsBQIDKw1skb9nAwQuR5wuGD3+82K6JgJlm/Y+KI92oNsMNGZCYdDsVtRHSak0pcV5Dno5+4jh9sw==",
+      "version": "8.17.0",
+      "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.17.0.tgz",
+      "integrity": "sha512-xRQbDb9BnwDafYNn6Vwl839DYVjqXYb1XVGtWAZ1kcDc6iwAL4hg3B1dZlRiuENFeO2H53gFG3in621AdERVAg==",
       "dev": true,
       "license": "MIT",
       "bin": {
@@ -4938,9 +4805,9 @@
       "license": "MIT"
     },
     "node_modules/ast-v8-to-istanbul": {
-      "version": "1.0.3",
-      "resolved": "https://registry.npmjs.org/ast-v8-to-istanbul/-/ast-v8-to-istanbul-1.0.3.tgz",
-      "integrity": "sha512-jCMQ6ZylLPudp0CDfBmQBZUsrh1/8psbmu9ibeVWKuHWD0YrH9YABwlKu5kVEFoT0GCQQW9Z/SxfuEbbkGQCRg==",
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/ast-v8-to-istanbul/-/ast-v8-to-istanbul-1.0.4.tgz",
+      "integrity": "sha512-0bC0/4bTSrnwdhU3IsZDwEdojvuPrSg59OYZfKsLRtJZ0u8VBx9DebfqqG8bRdCC0I7vjgxmPi41P0lpkhJHtA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -5026,9 +4893,9 @@
       }
     },
     "node_modules/axe-core": {
-      "version": "4.12.0",
-      "resolved": "https://registry.npmjs.org/axe-core/-/axe-core-4.12.0.tgz",
-      "integrity": "sha512-FTavr/7Ba0IptwGOPxnQvdyW2tAsdLBMTBXz7rKH6xJ2skpyxpBxyHkDdBs4lf69yRqYpkqCdfhnwS8YULGOmg==",
+      "version": "4.12.1",
+      "resolved": "https://registry.npmjs.org/axe-core/-/axe-core-4.12.1.tgz",
+      "integrity": "sha512-s7iGf5GaVMxEG0ENN9x+xTr7GFZCb1ZP/1uATUpCEK2X78nDB3RwbtFCo9pGAf9ru+VwoQ464DkaLEeRM08wJA==",
       "dev": true,
       "license": "MPL-2.0",
       "engines": {
@@ -5068,9 +4935,9 @@
       }
     },
     "node_modules/baseline-browser-mapping": {
-      "version": "2.10.33",
-      "resolved": "https://registry.npmjs.org/baseline-browser-mapping/-/baseline-browser-mapping-2.10.33.tgz",
-      "integrity": "sha512-bA6+tcSLpz2tIEdDXZPpPTIuxBcC4+w6SieaYyfigIa4h8GlFxbA17v22Vx3JUtuZQj9SgOsnbK+aTBzyDyEuw==",
+      "version": "2.10.37",
+      "resolved": "https://registry.npmjs.org/baseline-browser-mapping/-/baseline-browser-mapping-2.10.37.tgz",
+      "integrity": "sha512-girxaJ7WZssDOFhzCGZTDKoTa1gk6A1TbflaYTpykLJ4UU9Fz9kx1aREM8JCuoVHbL8X8T/mJg7w2oYSq72Oig==",
       "dev": true,
       "license": "Apache-2.0",
       "bin": {
@@ -5220,9 +5087,9 @@
       }
     },
     "node_modules/caniuse-lite": {
-      "version": "1.0.30001793",
-      "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001793.tgz",
-      "integrity": "sha512-iwSsYWaCOoh26cV8NwNRViHlrfUvYsHDfRVcbtmw0Kg6PJIZZXwMkj1442FYLBGkeUf1juAsU3DTfxW579mrPA==",
+      "version": "1.0.30001799",
+      "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001799.tgz",
+      "integrity": "sha512-hG1bReV+OUU+MOqK4t/ZWI0tZOyz3rqS9XuhOUz1cIcbwBKjOyJEJuw9ER5JuNyqxNk8u/JUVbGibBOL1yrjFw==",
       "dev": true,
       "funding": [
         {
@@ -5869,9 +5736,9 @@
       }
     },
     "node_modules/electron-to-chromium": {
-      "version": "1.5.364",
-      "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.364.tgz",
-      "integrity": "sha512-G/dYE3+AYhyHwzTwg8UbnXf7zqMERYh7l2jJ3QujhFsH8agSYwtnGAR2aZ7f0AakIKJXd5En/Hre4igIUrdlYw==",
+      "version": "1.5.372",
+      "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.372.tgz",
+      "integrity": "sha512-M3yhbAlilnwqC8D21t28UCDGHyitShTmmLRU/H+b74P6Ski16Nb9HONYEaVpMj/pwC7BEo5B95FpjODLCWbtfA==",
       "dev": true,
       "license": "ISC"
     },
@@ -5883,9 +5750,9 @@
       "license": "MIT"
     },
     "node_modules/enhanced-resolve": {
-      "version": "5.22.1",
-      "resolved": "https://registry.npmjs.org/enhanced-resolve/-/enhanced-resolve-5.22.1.tgz",
-      "integrity": "sha512-6QEuw3zoX1SJQc7b87aBXke/no+mG2bTBgw29gWMQonLmpEkWoCAVkl+M49e48AZlWzxiDzDZzYdp6kobcyLww==",
+      "version": "5.21.6",
+      "resolved": "https://registry.npmjs.org/enhanced-resolve/-/enhanced-resolve-5.21.6.tgz",
+      "integrity": "sha512-aNnGCvbJ/RIyWo1IuhNdVjnNF+EjH9wpzpNHt+ci/m9He9LJvUN8wrCcXjp9cWsGNAuvSpVFTx/vraAFQ8qGjQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -6062,9 +5929,9 @@
       }
     },
     "node_modules/es-toolkit": {
-      "version": "1.47.0",
-      "resolved": "https://registry.npmjs.org/es-toolkit/-/es-toolkit-1.47.0.tgz",
-      "integrity": "sha512-n1GuoD0WEQZMBk5tttoZSqwgyLx01oqa5XsBmCHwPyNe1S9jPBEmtR2pSgp2kJuWE3ciFZ6yRHmY4pM4C3OOkw==",
+      "version": "1.47.1",
+      "resolved": "https://registry.npmjs.org/es-toolkit/-/es-toolkit-1.47.1.tgz",
+      "integrity": "sha512-5RAqEwf4P4E17p+W75KLOWw/nOvKZzSQpxM32IpI2KZLaVonjTrZ0Ai5ghMaVI9eKC2p8eoQgcBdkEDgzFk6+Q==",
       "license": "MIT",
       "workspaces": [
         "docs",
@@ -6095,11 +5962,14 @@
       }
     },
     "node_modules/eslint": {
-      "version": "10.4.1",
-      "resolved": "https://registry.npmjs.org/eslint/-/eslint-10.4.1.tgz",
-      "integrity": "sha512-AyIKhnOBuOAdueD7RB3xB+YeAWScb9jHsJBgH2Hcde8InP5JYhqrRR6iTMHyTEwgENK54Cp44e4v8BwNhsuHuw==",
+      "version": "10.5.0",
+      "resolved": "https://registry.npmjs.org/eslint/-/eslint-10.5.0.tgz",
+      "integrity": "sha512-1y+7C+vi12bUK1IpZeaV3gsH9fHLBmPvYmPx42pvT/E9yG0IC8g3PUZZgp0+JLJl7ZDK0flc2gc+Aw9dpCvIsQ==",
       "dev": true,
       "license": "MIT",
+      "workspaces": [
+        "packages/*"
+      ],
       "dependencies": {
         "@eslint-community/eslint-utils": "^4.8.0",
         "@eslint-community/regexpp": "^4.12.2",
@@ -6358,50 +6228,6 @@
         "eslint": "^7.0.0 || ^8.0.0 || ^9.0.0 || ^10.0.0"
       }
     },
-    "node_modules/eslint-plugin-react-compiler": {
-      "version": "19.1.0-rc.2",
-      "resolved": "https://registry.npmjs.org/eslint-plugin-react-compiler/-/eslint-plugin-react-compiler-19.1.0-rc.2.tgz",
-      "integrity": "sha512-oKalwDGcD+RX9mf3NEO4zOoUMeLvjSvcbbEOpquzmzqEEM2MQdp7/FY/Hx9NzmUwFzH1W9SKTz5fihfMldpEYw==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "@babel/core": "^7.24.4",
-        "@babel/parser": "^7.24.4",
-        "@babel/plugin-proposal-private-methods": "^7.18.6",
-        "hermes-parser": "^0.25.1",
-        "zod": "^3.22.4",
-        "zod-validation-error": "^3.0.3"
-      },
-      "engines": {
-        "node": "^14.17.0 || ^16.0.0 || >= 18.0.0"
-      },
-      "peerDependencies": {
-        "eslint": ">=7"
-      }
-    },
-    "node_modules/eslint-plugin-react-compiler/node_modules/zod": {
-      "version": "3.25.76",
-      "resolved": "https://registry.npmjs.org/zod/-/zod-3.25.76.tgz",
-      "integrity": "sha512-gzUt/qt81nXsFGKIFcC3YnfEAx5NkunCfnDlvuBSSFS02bcXu4Lmea0AFIUwbLWxWPx3d9p8S5QoaujKcNQxcQ==",
-      "dev": true,
-      "license": "MIT",
-      "funding": {
-        "url": "https://github.com/sponsors/colinhacks"
-      }
-    },
-    "node_modules/eslint-plugin-react-compiler/node_modules/zod-validation-error": {
-      "version": "3.5.4",
-      "resolved": "https://registry.npmjs.org/zod-validation-error/-/zod-validation-error-3.5.4.tgz",
-      "integrity": "sha512-+hEiRIiPobgyuFlEojnqjJnhFvg4r/i3cqgcm67eehZf/WBaK3g6cD02YU9mtdVxZjv8CzCA9n/Rhrs3yAAvAw==",
-      "dev": true,
-      "license": "MIT",
-      "engines": {
-        "node": ">=18.0.0"
-      },
-      "peerDependencies": {
-        "zod": "^3.24.4"
-      }
-    },
     "node_modules/eslint-plugin-react-hooks": {
       "version": "7.1.1",
       "resolved": "https://registry.npmjs.org/eslint-plugin-react-hooks/-/eslint-plugin-react-hooks-7.1.1.tgz",
@@ -6436,9 +6262,9 @@
       }
     },
     "node_modules/eslint-plugin-react-refresh": {
-      "version": "0.5.2",
-      "resolved": "https://registry.npmjs.org/eslint-plugin-react-refresh/-/eslint-plugin-react-refresh-0.5.2.tgz",
-      "integrity": "sha512-hmgTH57GfzoTFjVN0yBwTggnsVUF2tcqi7RJZHqi9lIezSs4eFyAMktA68YD4r5kNw1mxyY4dmkyoFDb3FIqrA==",
+      "version": "0.5.3",
+      "resolved": "https://registry.npmjs.org/eslint-plugin-react-refresh/-/eslint-plugin-react-refresh-0.5.3.tgz",
+      "integrity": "sha512-5EMmLCV98Pi4o/f/3DP/v/tNqLHMIc9I8LKClNDWhZ9JTho89/kQcitCXQBMG7sAfVRK0Ie3T2EDOzp1YXYiVA==",
       "dev": true,
       "license": "MIT",
       "peerDependencies": {
@@ -6446,9 +6272,9 @@
       }
     },
     "node_modules/eslint-plugin-security": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/eslint-plugin-security/-/eslint-plugin-security-4.0.0.tgz",
-      "integrity": "sha512-tfuQT8K/Li1ZxhFzyD8wPIKtlzZxqBcPr9q0jFMQ77wWAbKBVEhaMPVQRTMTvCMUDhwBe5vPVqQPwAGk/ASfxQ==",
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/eslint-plugin-security/-/eslint-plugin-security-4.0.1.tgz",
+      "integrity": "sha512-/lZCkOxPOWaf1jXAqgICrS8St3BMBccIPvhOSUYuV6VCr1o5nFVG998FnTLt6w2Nxb8Uo0nM8fzmnhp+GY/aEg==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
@@ -6503,36 +6329,37 @@
       }
     },
     "node_modules/eslint-plugin-unicorn": {
-      "version": "65.0.0",
-      "resolved": "https://registry.npmjs.org/eslint-plugin-unicorn/-/eslint-plugin-unicorn-65.0.0.tgz",
-      "integrity": "sha512-wE75x2QqMuPgZXcoc8LgTz7+gk5+SZK93Cxe6jkfouKp6+FwYwjMGrbYQTMRH8HK8X6jeTBhPPI2Cun923EMLQ==",
+      "version": "66.0.0",
+      "resolved": "https://registry.npmjs.org/eslint-plugin-unicorn/-/eslint-plugin-unicorn-66.0.0.tgz",
+      "integrity": "sha512-+ywdy8T3foyZ2t3nRBujGa3vfOVMobHIi5iLB0L+fogdVO3EiUJ4BAyIacogWytnweLw3hgT70LQL9KoKTY/kA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@babel/helper-validator-identifier": "^7.28.5",
+        "@babel/helper-validator-identifier": "^7.29.7",
         "@eslint-community/eslint-utils": "^4.9.1",
+        "browserslist": "^4.28.2",
         "change-case": "^5.4.4",
         "ci-info": "^4.4.0",
         "core-js-compat": "^3.49.0",
         "detect-indent": "^7.0.2",
         "find-up-simple": "^1.0.1",
-        "globals": "^17.4.0",
+        "globals": "^17.6.0",
         "indent-string": "^5.0.0",
         "is-builtin-module": "^5.0.0",
         "jsesc": "^3.1.0",
         "pluralize": "^8.0.0",
-        "regjsparser": "^0.13.0",
-        "semver": "^7.7.4",
+        "regjsparser": "^0.13.1",
+        "semver": "^7.8.4",
         "strip-indent": "^4.1.1"
       },
       "engines": {
-        "node": "^20.10.0 || >=21.0.0"
+        "node": ">=22"
       },
       "funding": {
         "url": "https://github.com/sindresorhus/eslint-plugin-unicorn?sponsor=1"
       },
       "peerDependencies": {
-        "eslint": ">=9.38.0"
+        "eslint": ">=10.4"
       }
     },
     "node_modules/eslint-plugin-unused-imports": {
@@ -6880,16 +6707,16 @@
       }
     },
     "node_modules/form-data": {
-      "version": "4.0.5",
-      "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.5.tgz",
-      "integrity": "sha512-8RipRLol37bNs2bhoV67fiTEvdTrbMUYcFTiy3+wuuOnUog2QBHCZWXDRijWQfAkhBj2Uf5UnVaiWwA5vdd82w==",
+      "version": "4.0.6",
+      "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.6.tgz",
+      "integrity": "sha512-vKatAh4SlVfgbv+YtmhiRjhEMJsYpsG1Y2rMQtR+SVSbytsSD1YGzDIcrAJmdFec88u/+VoGmxnl+80gL1tRCQ==",
       "license": "MIT",
       "dependencies": {
         "asynckit": "^0.4.0",
         "combined-stream": "^1.0.8",
         "es-set-tostringtag": "^2.1.0",
-        "hasown": "^2.0.2",
-        "mime-types": "^2.1.12"
+        "hasown": "^2.0.4",
+        "mime-types": "^2.1.35"
       },
       "engines": {
         "node": ">= 6"
@@ -6959,18 +6786,21 @@
       }
     },
     "node_modules/function.prototype.name": {
-      "version": "1.1.8",
-      "resolved": "https://registry.npmjs.org/function.prototype.name/-/function.prototype.name-1.1.8.tgz",
-      "integrity": "sha512-e5iwyodOHhbMr/yNrc7fDYG4qlbIvI5gajyzPnb5TCwyhjApznQh1BMFou9b30SevY43gCJKXycoCBjMbsuW0Q==",
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/function.prototype.name/-/function.prototype.name-1.2.0.tgz",
+      "integrity": "sha512-jObKIik1P2QjPHP5nz5BaOtUlfgS0fWo8IUByNXkM+o+02sJOi94em77GwJKQSJ3gfPHdgzLNrHc1uokV4P/ew==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "call-bind": "^1.0.8",
-        "call-bound": "^1.0.3",
-        "define-properties": "^1.2.1",
+        "call-bind": "^1.0.9",
+        "call-bound": "^1.0.4",
+        "es-define-property": "^1.0.1",
+        "es-errors": "^1.3.0",
         "functions-have-names": "^1.2.3",
-        "hasown": "^2.0.2",
-        "is-callable": "^1.2.7"
+        "has-property-descriptors": "^1.0.2",
+        "hasown": "^2.0.4",
+        "is-callable": "^1.2.7",
+        "is-document.all": "^1.0.0"
       },
       "engines": {
         "node": ">= 0.4"
@@ -7600,6 +7430,22 @@
         "url": "https://github.com/sponsors/ljharb"
       }
     },
+    "node_modules/is-document.all": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/is-document.all/-/is-document.all-1.0.0.tgz",
+      "integrity": "sha512-+XSoyS05OdBbhFuELhgTCpFNHkpBOJqtsZfUFFpe5QTw+9Sjbh8zitxhQkYAo6wV7e1Vb8cAPvpCk9jGam/82g==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "call-bound": "^1.0.4"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
     "node_modules/is-extglob": {
       "version": "2.1.1",
       "resolved": "https://registry.npmjs.org/is-extglob/-/is-extglob-2.1.1.tgz",
@@ -8489,9 +8335,9 @@
       }
     },
     "node_modules/lucide-react": {
-      "version": "1.17.0",
-      "resolved": "https://registry.npmjs.org/lucide-react/-/lucide-react-1.17.0.tgz",
-      "integrity": "sha512-9FA9evdox/JQL5PT57fdA1x/yg8T7knJ98+zjTL3UfKza6pflQUUh3XtaQIHKvnsJw1lmsEyHVlt5jchYxOQ5w==",
+      "version": "1.18.0",
+      "resolved": "https://registry.npmjs.org/lucide-react/-/lucide-react-1.18.0.tgz",
+      "integrity": "sha512-LZDb7H/0YfM+RJncD0hDQRCAu+vSGODqpe35TuVI8EuXaRjkczbsx7p8dY4J87F/MUSj6bpYqeI8nw8qXaAdmA==",
       "license": "ISC",
       "peerDependencies": {
         "react": "^16.5.1 || ^17.0.0 || ^18.0.0 || ^19.0.0"
@@ -9572,9 +9418,9 @@
       "license": "MIT"
     },
     "node_modules/node-releases": {
-      "version": "2.0.46",
-      "resolved": "https://registry.npmjs.org/node-releases/-/node-releases-2.0.46.tgz",
-      "integrity": "sha512-GYVXHE2KnrzAfsAjl4uP++evGFCrAU1jta4ubEjIG7YWt/64Gqv66a30yKwWczVjA6j3bM4nBwH7Pk1JmDHaxQ==",
+      "version": "2.0.47",
+      "resolved": "https://registry.npmjs.org/node-releases/-/node-releases-2.0.47.tgz",
+      "integrity": "sha512-Uzmd6LXpouKo8EUK68IjH4+E01w/hXyV3R3g/geCJo+rXLNfh1xucB+LOzYEOQPSiUK3h/xZf0cQGcSsmyL2Og==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -9664,15 +9510,18 @@
       }
     },
     "node_modules/obug": {
-      "version": "2.1.1",
-      "resolved": "https://registry.npmjs.org/obug/-/obug-2.1.1.tgz",
-      "integrity": "sha512-uTqF9MuPraAQ+IsnPf366RG4cP9RtUi7MLO1N3KEc+wb0a6yKpeL0lmk2IB1jY5KHPAlTc6T/JRdC/YqxHNwkQ==",
+      "version": "2.1.3",
+      "resolved": "https://registry.npmjs.org/obug/-/obug-2.1.3.tgz",
+      "integrity": "sha512-9miFgM2OFba7hB+pRgvtV84pYTBaoTHohvmIgiRt6dRIzbwEOIaNaP+dIlGs2fNFoB0SeISs0Jz5WFVRid6Xyg==",
       "dev": true,
       "funding": [
         "https://github.com/sponsors/sxzz",
         "https://opencollective.com/debug"
       ],
-      "license": "MIT"
+      "license": "MIT",
+      "engines": {
+        "node": ">=12.20.0"
+      }
     },
     "node_modules/optionator": {
       "version": "0.9.4",
@@ -10039,9 +9888,9 @@
       }
     },
     "node_modules/react-hook-form": {
-      "version": "7.78.0",
-      "resolved": "https://registry.npmjs.org/react-hook-form/-/react-hook-form-7.78.0.tgz",
-      "integrity": "sha512-EEZqc+N23moyzTlz61Pj+JvcXo76ICkpfOZo8JZw+sM4+wLQGh6nI2Ms+PdMOYNluFu0ghlM7B8mCzhRYtJCnA==",
+      "version": "7.79.0",
+      "resolved": "https://registry.npmjs.org/react-hook-form/-/react-hook-form-7.79.0.tgz",
+      "integrity": "sha512-mhYp/MTmXvzYX6AJcJVko0rktoIhhmRnEouObj4wF5i/tCttgJvnp1+9wRkpITZjDTqpo4IOSJqu0dBlPlV/Lw==",
       "license": "MIT",
       "engines": {
         "node": ">=18.0.0"
@@ -10399,9 +10248,9 @@
       }
     },
     "node_modules/regjsparser": {
-      "version": "0.13.1",
-      "resolved": "https://registry.npmjs.org/regjsparser/-/regjsparser-0.13.1.tgz",
-      "integrity": "sha512-dLsljMd9sqwRkby8zhO1gSg3PnJIBFid8f4CQj/sXx+7cKx+E7u0PKhZ+U4wmhx7EfmtvnA318oVaIkAB1lRJw==",
+      "version": "0.13.2",
+      "resolved": "https://registry.npmjs.org/regjsparser/-/regjsparser-0.13.2.tgz",
+      "integrity": "sha512-NgRBy2Nx/bE+9F27nVHnqcN5HjyLmecqsqx2PJHu3/IEtADD4WuxuXIVExD5PoSDFVrl78dOonfcOe5O+5nbzQ==",
       "dev": true,
       "license": "BSD-2-Clause",
       "dependencies": {
@@ -10581,9 +10430,9 @@
       }
     },
     "node_modules/semver": {
-      "version": "7.8.2",
-      "resolved": "https://registry.npmjs.org/semver/-/semver-7.8.2.tgz",
-      "integrity": "sha512-c8jsqUZm3omBOI66G90z1Dyw5z622G8oLG+omfsHBJf3CWQTlOcwOjvOG6wtiNfW6anKm/eA39LMwMtMez2TiQ==",
+      "version": "7.8.4",
+      "resolved": "https://registry.npmjs.org/semver/-/semver-7.8.4.tgz",
+      "integrity": "sha512-rUCObTnP32Q08R2uuIrt7r9PlEonuTmtuXYcW6s5kjdlj3xbnwe+21yXptAUYcMAABLkYYTtnmzb3w3EDZfueA==",
       "dev": true,
       "license": "ISC",
       "bin": {
@@ -10672,15 +10521,15 @@
       }
     },
     "node_modules/side-channel": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/side-channel/-/side-channel-1.1.0.tgz",
-      "integrity": "sha512-ZX99e6tRweoUXqR+VBrslhda51Nh5MTQwou5tnUDgbtyM0dBgmhEDtWGP/xbKn6hqfPRHujUNwz5fy/wbbhnpw==",
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/side-channel/-/side-channel-1.1.1.tgz",
+      "integrity": "sha512-6x6dK6zJdpTzF4sQeNYxwtvBzf6Eg4GtlesS94HOvTudUeyK2WXAaIfmDgsyslYrRBeFIlsi54AYsFGUuhmvrQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "es-errors": "^1.3.0",
-        "object-inspect": "^1.13.3",
-        "side-channel-list": "^1.0.0",
+        "object-inspect": "^1.13.4",
+        "side-channel-list": "^1.0.1",
         "side-channel-map": "^1.0.1",
         "side-channel-weakmap": "^1.0.2"
       },
@@ -10846,19 +10695,20 @@
       }
     },
     "node_modules/string.prototype.trim": {
-      "version": "1.2.10",
-      "resolved": "https://registry.npmjs.org/string.prototype.trim/-/string.prototype.trim-1.2.10.tgz",
-      "integrity": "sha512-Rs66F0P/1kedk5lyYyH9uBzuiI/kNRmwJAR9quK6VOtIpZ2G+hMZd+HQbbv25MgCA6gEffoMZYxlTod4WcdrKA==",
+      "version": "1.2.11",
+      "resolved": "https://registry.npmjs.org/string.prototype.trim/-/string.prototype.trim-1.2.11.tgz",
+      "integrity": "sha512-PwvK7BU+CMTJGYQCTZb5RWXIML92lftJLhQz1tBzgKiqGxJaMlBAa48POXaNAC2s4y8jr3EFqrkF9+44neS46w==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "call-bind": "^1.0.8",
-        "call-bound": "^1.0.2",
+        "call-bind": "^1.0.9",
+        "call-bound": "^1.0.4",
         "define-data-property": "^1.1.4",
         "define-properties": "^1.2.1",
-        "es-abstract": "^1.23.5",
-        "es-object-atoms": "^1.0.0",
-        "has-property-descriptors": "^1.0.2"
+        "es-abstract": "^1.24.2",
+        "es-object-atoms": "^1.1.2",
+        "has-property-descriptors": "^1.0.2",
+        "safe-regex-test": "^1.1.0"
       },
       "engines": {
         "node": ">= 0.4"
@@ -10868,16 +10718,16 @@
       }
     },
     "node_modules/string.prototype.trimend": {
-      "version": "1.0.9",
-      "resolved": "https://registry.npmjs.org/string.prototype.trimend/-/string.prototype.trimend-1.0.9.tgz",
-      "integrity": "sha512-G7Ok5C6E/j4SGfyLCloXTrngQIQU3PWtXGst3yM7Bea9FRURf1S42ZHlZZtsNque2FN2PoUhfZXYLNWwEr4dLQ==",
+      "version": "1.0.10",
+      "resolved": "https://registry.npmjs.org/string.prototype.trimend/-/string.prototype.trimend-1.0.10.tgz",
+      "integrity": "sha512-2+3aDAOmPTmuFwjDnmJG2ctEkQKVki7vOSqaxkv42Mowj1V6PnvuwFCRrR5lChUux1TBskPjfkeTOhqczDMxTw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "call-bind": "^1.0.8",
-        "call-bound": "^1.0.2",
+        "call-bind": "^1.0.9",
+        "call-bound": "^1.0.4",
         "define-properties": "^1.2.1",
-        "es-object-atoms": "^1.0.0"
+        "es-object-atoms": "^1.1.2"
       },
       "engines": {
         "node": ">= 0.4"
@@ -10961,9 +10811,9 @@
       }
     },
     "node_modules/tailwindcss": {
-      "version": "4.3.0",
-      "resolved": "https://registry.npmjs.org/tailwindcss/-/tailwindcss-4.3.0.tgz",
-      "integrity": "sha512-y6nxMGB1nMW9R6k96e5gdIFzcfL/gTJRNaqGes1YvkLnPVXzWgbqFF2yLC0T8G774n24cx3Pe8XrKoniCOAH+Q==",
+      "version": "4.3.1",
+      "resolved": "https://registry.npmjs.org/tailwindcss/-/tailwindcss-4.3.1.tgz",
+      "integrity": "sha512-hk+TB1m+K8CYNrP6rjQaq/Y+4Zylwpa87mLYBKCunwnnQ9p+fHb7kmSfGqyEJoxF/O6CDyABWVFEafNSYKll+Q==",
       "dev": true,
       "license": "MIT"
     },
@@ -11210,16 +11060,16 @@
       }
     },
     "node_modules/typescript-eslint": {
-      "version": "8.60.1",
-      "resolved": "https://registry.npmjs.org/typescript-eslint/-/typescript-eslint-8.60.1.tgz",
-      "integrity": "sha512-6m5hkkRAp8lKvhVpcprAIn5KkehQEh+47oHH2VGnExEh7dhNxXlg6GPAOIu6TxbVQxhebrJDvjl3020ooiWCMA==",
+      "version": "8.61.0",
+      "resolved": "https://registry.npmjs.org/typescript-eslint/-/typescript-eslint-8.61.0.tgz",
+      "integrity": "sha512-8y31Rd0eGTrDKqhy6vT0HtzhN+YLjQizwX3aA3hPXP/ynSfnrBXcQY5IzsP9/DM7+klX4IUncZZjkchP0z+rUw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/eslint-plugin": "8.60.1",
-        "@typescript-eslint/parser": "8.60.1",
-        "@typescript-eslint/typescript-estree": "8.60.1",
-        "@typescript-eslint/utils": "8.60.1"
+        "@typescript-eslint/eslint-plugin": "8.61.0",
+        "@typescript-eslint/parser": "8.61.0",
+        "@typescript-eslint/typescript-estree": "8.61.0",
+        "@typescript-eslint/utils": "8.61.0"
       },
       "engines": {
         "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -11263,9 +11113,9 @@
       }
     },
     "node_modules/undici": {
-      "version": "7.27.0",
-      "resolved": "https://registry.npmjs.org/undici/-/undici-7.27.0.tgz",
-      "integrity": "sha512-+t2Z/GwkZQDtu00813aP66ygViGtPHKhhoFZpQKpKrE+9jIgES+Zw+mFNaDWOVRKiuJjuqKHzD3B1sfGg8+ZOQ==",
+      "version": "7.27.2",
+      "resolved": "https://registry.npmjs.org/undici/-/undici-7.27.2.tgz",
+      "integrity": "sha512-uZsKNuzQxDMUY6M3pIMvy5tvlGmtq8XJ2oLAkfRKGNu+1VQAIvLy2xIVG5ATZl5wDXl/tddByAWCizRbOme+TA==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -11840,9 +11690,9 @@
       }
     },
     "node_modules/which-typed-array": {
-      "version": "1.1.21",
-      "resolved": "https://registry.npmjs.org/which-typed-array/-/which-typed-array-1.1.21.tgz",
-      "integrity": "sha512-zbRA8cVm6io/d5W8uIe2hblzN76/Wm3v/yiythQvr+dpBWeqhPSWIDNj4zOyHi4zKbMK6DN34Xsr9jPHJERAEw==",
+      "version": "1.1.22",
+      "resolved": "https://registry.npmjs.org/which-typed-array/-/which-typed-array-1.1.22.tgz",
+      "integrity": "sha512-fvO4ExWMFsqyhG3AiPAObMuY1lxaqgYcxbc49CNdWDDECOJNgQyvsOWVwbZc+qf3rzRtxojBK+CMEv0Ld5CYpw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
diff --git a/frontend/package.json b/frontend/package.json
index b7743082c..79991032c 100644
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -10,7 +10,7 @@
   "scripts": {
     "dev": "vite",
     "build": "tsc -p tsconfig.build.json && vite build",
-    "pretype-check": "npm ci --silent",
+    "pretype-check": "npm ci --silent --ignore-scripts",
     "type-check": "tsc --noEmit",
     "lint": "eslint . --report-unused-disable-directives",
     "preview": "vite preview",
@@ -18,7 +18,7 @@
     "test:ci": "NODE_OPTIONS=--max-old-space-size=4096 vitest run",
     "test:ui": "vitest --ui",
     "check-coverage": "bash ../scripts/frontend-test-coverage.sh",
-    "pretest:coverage": "npm ci --silent && node -e \"require('fs').mkdirSync('coverage/.tmp', { recursive: true })\"",
+    "pretest:coverage": "npm ci --silent --ignore-scripts && node -e \"require('fs').mkdirSync('coverage/.tmp', { recursive: true })\"",
     "test:coverage": "NODE_OPTIONS=--max-old-space-size=4096 vitest run --coverage",
     "e2e:install": "npx playwright install --with-deps",
     "e2e:test": "playwright test",
@@ -42,10 +42,10 @@
     "date-fns": "^4.4.0",
     "i18next": "^26.3.1",
     "i18next-browser-languagedetector": "^8.2.1",
-    "lucide-react": "^1.17.0",
+    "lucide-react": "^1.18.0",
     "react": "^19.2.7",
     "react-dom": "^19.2.7",
-    "react-hook-form": "^7.78.0",
+    "react-hook-form": "^7.79.0",
     "react-hot-toast": "^2.6.0",
     "react-i18next": "^17.0.8",
     "react-router-dom": "^7.17.0",
@@ -59,44 +59,43 @@
     "@eslint/json": "^2.0.0",
     "@eslint/markdown": "^8.0.2",
     "@playwright/test": "^1.60.0",
-    "@tailwindcss/postcss": "^4.3.0",
+    "@tailwindcss/postcss": "^4.3.1",
     "@testing-library/jest-dom": "^6.9.1",
     "@testing-library/react": "^16.3.2",
     "@testing-library/user-event": "^14.6.1",
     "@types/eslint-plugin-jsx-a11y": "^6.10.1",
-    "@types/node": "^25.9.2",
+    "@types/node": "^25.9.3",
     "@types/react": "^19.2.17",
     "@types/react-dom": "^19.2.3",
-    "@typescript-eslint/eslint-plugin": "^8.60.1",
-    "@typescript-eslint/parser": "^8.60.1",
-    "@typescript-eslint/utils": "^8.60.1",
+    "@typescript-eslint/eslint-plugin": "^8.61.0",
+    "@typescript-eslint/parser": "^8.61.0",
+    "@typescript-eslint/utils": "^8.61.0",
     "@vitejs/plugin-react": "^6.0.2",
     "@vitest/coverage-istanbul": "^4.1.8",
     "@vitest/coverage-v8": "^4.1.8",
-    "@vitest/eslint-plugin": "^1.6.19",
+    "@vitest/eslint-plugin": "^1.6.20",
     "@vitest/ui": "^4.1.8",
     "autoprefixer": "^10.5.0",
-    "eslint": "^10.4.1",
+    "eslint": "^10.5.0",
     "eslint-formatter-compact": "^9.0.1",
     "eslint-import-resolver-typescript": "^4.4.5",
     "eslint-plugin-import-x": "^4.16.2",
     "eslint-plugin-jsx-a11y": "^6.10.2",
     "eslint-plugin-no-unsanitized": "^4.1.5",
     "eslint-plugin-promise": "^7.3.0",
-    "eslint-plugin-react-compiler": "^19.1.0-rc.2",
     "eslint-plugin-react-hooks": "^7.1.1",
-    "eslint-plugin-react-refresh": "^0.5.2",
-    "eslint-plugin-security": "^4.0.0",
+    "eslint-plugin-react-refresh": "^0.5.3",
+    "eslint-plugin-security": "^4.0.1",
     "eslint-plugin-sonarjs": "^4.0.3",
     "eslint-plugin-testing-library": "^7.16.2",
-    "eslint-plugin-unicorn": "^65.0.0",
+    "eslint-plugin-unicorn": "^66.0.0",
     "eslint-plugin-unused-imports": "^4.4.1",
     "jsdom": "29.1.1",
     "knip": "^6.16.1",
     "postcss": "^8.5.15",
-    "tailwindcss": "^4.3.0",
+    "tailwindcss": "^4.3.1",
     "typescript": "^6.0.3",
-    "typescript-eslint": "^8.60.1",
+    "typescript-eslint": "^8.61.0",
     "vite": "^8.0.16",
     "vitest": "^4.1.8",
     "zod-validation-error": "^5.0.0"
@@ -104,16 +103,19 @@
   "overrides": {
     "typescript": "^6.0.3",
     "eslint-plugin-react-hooks": {
-      "eslint": "^10.4.1"
+      "eslint": "^10.5.0"
     },
     "eslint-plugin-jsx-a11y": {
-      "eslint": "^10.4.1"
+      "eslint": "^10.5.0"
     },
     "eslint-plugin-promise": {
-      "eslint": "^10.4.1"
+      "eslint": "^10.5.0"
     },
     "@vitejs/plugin-react": {
       "vite": "^8.0.16"
     }
+  },
+  "allowScripts": {
+    "unrs-resolver": false
   }
 }
diff --git a/frontend/src/api/__tests__/client.test.ts b/frontend/src/api/__tests__/client.test.ts
index 6d031bb4e..135919e9e 100644
--- a/frontend/src/api/__tests__/client.test.ts
+++ b/frontend/src/api/__tests__/client.test.ts
@@ -169,6 +169,30 @@ describe('api client', () => {
     warnSpy.mockRestore()
   })
 
+  it('stops invoking a handler after it is unregistered with null', async () => {
+    const onAuthError = vi.fn()
+    const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {})
+
+    setAuthErrorHandler(onAuthError)
+    setAuthErrorHandler(null)
+
+    const error: ResponseError = {
+      response: { status: 401, data: { message: 'Unauthorized' } },
+      config: { url: '/proxy-hosts' },
+      message: 'Original',
+    }
+
+    const handler = capturedHandlers.onRejected
+    expect(handler).toBeDefined()
+
+    const resultPromise = handler ? handler(error) : Promise.reject(new Error('handler missing'))
+
+    await expect(resultPromise).rejects.toBe(error)
+    expect(onAuthError).not.toHaveBeenCalled()
+
+    warnSpy.mockRestore()
+  })
+
   it('does not invoke auth error handler when status is not 401', async () => {
     const onAuthError = vi.fn()
     const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {})
diff --git a/frontend/src/api/client.ts b/frontend/src/api/client.ts
index 801556a47..723863ff5 100644
--- a/frontend/src/api/client.ts
+++ b/frontend/src/api/client.ts
@@ -30,9 +30,11 @@ let onAuthError: (() => void) | null = null;
 
 /**
  * Registers a callback to handle authentication errors (401 responses).
- * @param handler - Function to call when authentication fails
+ * Pass null to unregister (e.g., when the AuthProvider unmounts) so the
+ * interceptor never invokes a stale handler over dead component state.
+ * @param handler - Function to call when authentication fails, or null to clear
  */
-export const setAuthErrorHandler = (handler: () => void) => {
+export const setAuthErrorHandler = (handler: (() => void) | null) => {
   onAuthError = handler;
 };
 
diff --git a/frontend/src/components/RemoteServerForm.tsx b/frontend/src/components/RemoteServerForm.tsx
index 41f23675d..9093ae70d 100644
--- a/frontend/src/components/RemoteServerForm.tsx
+++ b/frontend/src/components/RemoteServerForm.tsx
@@ -69,7 +69,6 @@ export default function RemoteServerForm({ server, onSubmit, onCancel }: Props)
       device_id: '',
       resolved_address: '',
     })
-  // eslint-disable-next-line react-compiler/react-compiler
   // eslint-disable-next-line react-hooks/exhaustive-deps
   }, [server])
 
diff --git a/frontend/src/components/__tests__/RequireAuth.test.tsx b/frontend/src/components/__tests__/RequireAuth.test.tsx
new file mode 100644
index 000000000..d10431592
--- /dev/null
+++ b/frontend/src/components/__tests__/RequireAuth.test.tsx
@@ -0,0 +1,77 @@
+import { render, screen } from '@testing-library/react'
+import { MemoryRouter, Route, Routes } from 'react-router-dom'
+import { describe, it, expect, beforeEach, vi } from 'vitest'
+
+import RequireAuth from '../RequireAuth'
+import { AuthContext, type AuthContextType, type User } from '../../context/AuthContextValue'
+
+const TOKEN_KEY = 'charon_auth_token'
+
+const testUser: User = { user_id: 1, role: 'admin', name: 'Test', email: 't@example.com' }
+
+const buildAuthValue = (overrides: Partial<AuthContextType> = {}): AuthContextType => ({
+  user: testUser,
+  login: vi.fn(),
+  logout: vi.fn(),
+  changePassword: vi.fn(),
+  isAuthenticated: true,
+  isLoading: false,
+  ...overrides,
+})
+
+const renderGuard = (authValue: AuthContextType) =>
+  render(
+    <AuthContext.Provider value={authValue}>
+      <MemoryRouter initialEntries={['/']}>
+        <Routes>
+          <Route
+            path="/"
+            element={
+              <RequireAuth>
+                <div>protected content</div>
+              </RequireAuth>
+            }
+          />
+          <Route path="/login" element={<div>login page</div>} />
+        </Routes>
+      </MemoryRouter>
+    </AuthContext.Provider>
+  )
+
+describe('<RequireAuth />', () => {
+  beforeEach(() => {
+    localStorage.clear()
+  })
+
+  it('shows the loading overlay while auth state is resolving (no premature redirect)', () => {
+    localStorage.setItem(TOKEN_KEY, 'token')
+    renderGuard(buildAuthValue({ user: null, isAuthenticated: false, isLoading: true }))
+
+    expect(screen.getByText(/authenticating/i)).toBeInTheDocument()
+    expect(screen.queryByText('protected content')).not.toBeInTheDocument()
+    expect(screen.queryByText('login page')).not.toBeInTheDocument()
+  })
+
+  it('redirects to /login when the user is not authenticated', () => {
+    renderGuard(buildAuthValue({ user: null, isAuthenticated: false }))
+
+    expect(screen.getByText('login page')).toBeInTheDocument()
+    expect(screen.queryByText('protected content')).not.toBeInTheDocument()
+  })
+
+  it('redirects to /login when context is authenticated but the localStorage token is missing', () => {
+    // Simulates session expiry where storage was cleared (issue #579 scenario)
+    renderGuard(buildAuthValue())
+
+    expect(screen.getByText('login page')).toBeInTheDocument()
+    expect(screen.queryByText('protected content')).not.toBeInTheDocument()
+  })
+
+  it('renders protected children when authenticated with a stored token', () => {
+    localStorage.setItem(TOKEN_KEY, 'token')
+    renderGuard(buildAuthValue())
+
+    expect(screen.getByText('protected content')).toBeInTheDocument()
+    expect(screen.queryByText('login page')).not.toBeInTheDocument()
+  })
+})
diff --git a/frontend/src/context/AuthContext.tsx b/frontend/src/context/AuthContext.tsx
index 56b8f5125..5e3c0f7d9 100644
--- a/frontend/src/context/AuthContext.tsx
+++ b/frontend/src/context/AuthContext.tsx
@@ -42,9 +42,11 @@ export const AuthProvider: FC<{ children: ReactNode }> = ({ children }) => {
     setIsLoading(false);
   }, [invalidateAuthRequests]);
 
-  // Register auth error handler on mount
+  // Register auth error handler on mount; unregister on unmount so the axios
+  // interceptor never calls a stale handler after the provider is gone
   useEffect(() => {
     setAuthErrorHandler(handleAuthError);
+    return () => setAuthErrorHandler(null);
   }, [handleAuthError]);
 
   useEffect(() => {
diff --git a/frontend/src/context/__tests__/AuthContext.test.tsx b/frontend/src/context/__tests__/AuthContext.test.tsx
new file mode 100644
index 000000000..781aa9698
--- /dev/null
+++ b/frontend/src/context/__tests__/AuthContext.test.tsx
@@ -0,0 +1,114 @@
+import { act, render, screen, waitFor } from '@testing-library/react'
+import { describe, it, expect, beforeEach, afterEach, vi } from 'vitest'
+
+import { AuthProvider } from '../AuthContext'
+import { setAuthToken, setAuthErrorHandler } from '../../api/client'
+import { useAuth } from '../../hooks/useAuth'
+
+const TOKEN_KEY = 'charon_auth_token'
+
+vi.mock('../../api/client', () => ({
+  default: { post: vi.fn().mockResolvedValue({}) },
+  setAuthToken: vi.fn(),
+  setAuthErrorHandler: vi.fn(),
+}))
+
+const mockSetAuthToken = vi.mocked(setAuthToken)
+const mockSetAuthErrorHandler = vi.mocked(setAuthErrorHandler)
+
+const fetchMock = vi.fn()
+
+const AuthStateProbe = () => {
+  const { user, isAuthenticated, isLoading } = useAuth()
+  return (
+    <div>
+      <span data-testid="loading">{String(isLoading)}</span>
+      <span data-testid="authenticated">{String(isAuthenticated)}</span>
+      <span data-testid="user">{user?.email ?? 'none'}</span>
+    </div>
+  )
+}
+
+const renderProvider = () =>
+  render(
+    <AuthProvider>
+      <AuthStateProbe />
+    </AuthProvider>
+  )
+
+const sessionUser = { user_id: 1, role: 'admin', name: 'Test', email: 't@example.com' }
+
+describe('<AuthProvider /> session validation on mount (page reload)', () => {
+  beforeEach(() => {
+    localStorage.clear()
+    vi.clearAllMocks()
+    vi.stubGlobal('fetch', fetchMock)
+  })
+
+  afterEach(() => {
+    vi.unstubAllGlobals()
+  })
+
+  it('clears auth state without calling /auth/me when no token is stored', async () => {
+    renderProvider()
+
+    await waitFor(() => expect(screen.getByTestId('loading').textContent).toBe('false'))
+
+    expect(fetchMock).not.toHaveBeenCalled()
+    expect(screen.getByTestId('authenticated').textContent).toBe('false')
+    expect(screen.getByTestId('user').textContent).toBe('none')
+    expect(mockSetAuthToken).toHaveBeenCalledWith(null)
+  })
+
+  it('clears auth state when the stored token fails /auth/me validation (expired session)', async () => {
+    localStorage.setItem(TOKEN_KEY, 'expired-token')
+    fetchMock.mockResolvedValue({ ok: false, status: 401 })
+
+    renderProvider()
+
+    await waitFor(() => expect(screen.getByTestId('loading').textContent).toBe('false'))
+
+    expect(fetchMock).toHaveBeenCalledWith(
+      '/api/v1/auth/me',
+      expect.objectContaining({ credentials: 'include' })
+    )
+    expect(screen.getByTestId('authenticated').textContent).toBe('false')
+    expect(mockSetAuthToken).toHaveBeenLastCalledWith(null)
+  })
+
+  it('restores the session when the stored token passes /auth/me validation', async () => {
+    localStorage.setItem(TOKEN_KEY, 'valid-token')
+    fetchMock.mockResolvedValue({ ok: true, json: () => Promise.resolve(sessionUser) })
+
+    renderProvider()
+
+    await waitFor(() => expect(screen.getByTestId('loading').textContent).toBe('false'))
+
+    expect(screen.getByTestId('authenticated').textContent).toBe('true')
+    expect(screen.getByTestId('user').textContent).toBe('t@example.com')
+    expect(mockSetAuthToken).toHaveBeenCalledWith('valid-token')
+  })
+
+  it('registers an auth-error handler that clears the session, and unregisters it on unmount', async () => {
+    localStorage.setItem(TOKEN_KEY, 'valid-token')
+    fetchMock.mockResolvedValue({ ok: true, json: () => Promise.resolve(sessionUser) })
+    const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {})
+
+    const { unmount } = renderProvider()
+    await waitFor(() => expect(screen.getByTestId('authenticated').textContent).toBe('true'))
+
+    const registered = mockSetAuthErrorHandler.mock.calls.at(-1)?.[0]
+    expect(registered).toBeTypeOf('function')
+
+    act(() => registered?.())
+
+    await waitFor(() => expect(screen.getByTestId('authenticated').textContent).toBe('false'))
+    expect(localStorage.getItem(TOKEN_KEY)).toBeNull()
+    expect(mockSetAuthToken).toHaveBeenLastCalledWith(null)
+
+    unmount()
+    expect(mockSetAuthErrorHandler).toHaveBeenLastCalledWith(null)
+
+    warnSpy.mockRestore()
+  })
+})
diff --git a/go.work.sum b/go.work.sum
index 19616e32f..7f2436282 100644
--- a/go.work.sum
+++ b/go.work.sum
@@ -123,6 +123,7 @@ golang.org/x/term v0.40.0/go.mod h1:w2P8uVp06p2iyKKuvXIm7N/y0UCRt3UfJTfZ7oOpglM=
 golang.org/x/term v0.41.0/go.mod h1:3pfBgksrReYfZ5lvYM0kSO0LIkAl4Yl2bXOkKP7Ec2A=
 golang.org/x/term v0.42.0/go.mod h1:Dq/D+snpsbazcBG5+F9Q1n2rXV8Ma+71xEjTRufARgY=
 golang.org/x/term v0.43.0/go.mod h1:lrhlHNdQJHO+1qVYiHfFKVuVioJIheAc3fBSMFYEIsk=
+golang.org/x/term v0.44.0/go.mod h1:7ze4MdzUzLXpSAoFP1H0bOI9aXDqveSvatT5vKcFh2Y=
 golang.org/x/text v0.28.0/go.mod h1:U8nCwOR8jO/marOQ0QbDiOngZVEBB7MAiitBuMjXiNU=
 golang.org/x/tools v0.22.0/go.mod h1:aCwcsjqvq7Yqt6TNyX7QMU2enbQ/Gt0bo6krSeEri+c=
 golang.org/x/tools v0.37.0/go.mod h1:MBN5QPQtLMHVdvsbtarmTNukZDdgwdwlO5qGacAzF0w=
diff --git a/install-scout.sh b/install-scout.sh
new file mode 100644
index 000000000..cd689510c
--- /dev/null
+++ b/install-scout.sh
@@ -0,0 +1,713 @@
+#!/bin/sh
+
+# note: we require errors to propagate (don't set -e)
+
+# Copyright © 2023 Docker, Inc.
+
+set -u
+
+PROJECT_NAME="docker-scout"
+OWNER=docker
+REPO="scout-cli"
+GITHUB_DOWNLOAD_PREFIX=https://github.com/${OWNER}/${REPO}/releases/download
+INSTALL_SH_BASE_URL=https://raw.githubusercontent.com/${OWNER}/${REPO}
+BINARY="docker-scout"
+DOCKER_HOME=${DOCKER_HOME:-~/.docker}
+DEFAULT_INSTALL_DIR=${DOCKER_HOME}/cli-plugins
+PROGRAM_ARGS=$@
+
+# do not change the name of this parameter (this must always be backwards compatible)
+DOWNLOAD_TAG_INSTALL_SCRIPT=${DOWNLOAD_TAG_INSTALL_SCRIPT:-true}
+
+#
+# usage [script-name]
+#
+usage() (
+  this="$1"
+  cat <<EOF
+$this: download go binaries for ${OWNER}/${REPO}
+
+Usage: $this [-b] dir [-d] [tag]
+  -b  the installation directory (defaults to ${DEFAULT_INSTALL_DIR})
+  -d  turns on debug logging
+  -dd turns on trace logging
+  [tag] the specific release to use (if missing, then the latest will be used)
+EOF
+  exit 2
+)
+
+
+# ------------------------------------------------------------------------
+# https://github.com/client9/shlib - portable posix shell functions
+# Public domain - http://unlicense.org
+# https://github.com/client9/shlib/blob/master/LICENSE.md
+# but credit (and pull requests) appreciated.
+# ------------------------------------------------------------------------
+
+is_command() (
+  command -v "$1" >/dev/null
+)
+
+echo_stderr() (
+  echo "$@" 1>&2
+)
+
+_logp=2
+log_set_priority() {
+  _logp="$1"
+}
+
+log_priority() (
+  if test -z "$1"; then
+    echo "$_logp"
+    return
+  fi
+  [ "$1" -le "$_logp" ]
+)
+
+init_colors() {
+  RED=''
+  BLUE=''
+  PURPLE=''
+  BOLD=''
+  RESET=''
+  # check if stdout is a terminal
+  if test -t 1 && is_command tput; then
+      # see if it supports colors
+      ncolors=$(tput colors)
+      if test -n "$ncolors" && test "$ncolors" -ge 8; then
+        RED='\033[0;31m'
+        BLUE='\033[0;34m'
+        PURPLE='\033[0;35m'
+        BOLD='\033[1m'
+        RESET='\033[0m'
+      fi
+  fi
+}
+
+init_colors
+
+log_tag() (
+  case "$1" in
+    0) echo "${RED}${BOLD}[error]${RESET}" ;;
+    1) echo "${RED}[warn]${RESET}" ;;
+    2) echo "[info]${RESET}" ;;
+    3) echo "${BLUE}[debug]${RESET}" ;;
+    4) echo "${PURPLE}[trace]${RESET}" ;;
+    *) echo "[$1]" ;;
+  esac
+)
+
+
+log_trace_priority=4
+log_trace() (
+  priority=$log_trace_priority
+  log_priority "$priority" || return 0
+  echo_stderr "$(log_tag $priority)" "${@}" "$RESET"
+)
+
+log_debug_priority=3
+log_debug() (
+  priority=$log_debug_priority
+  log_priority "$priority" || return 0
+  echo_stderr "$(log_tag $priority)" "${@}" "$RESET"
+)
+
+log_info_priority=2
+log_info() (
+  priority=$log_info_priority
+  log_priority "$priority" || return 0
+  echo_stderr "$(log_tag $priority)" "${@}" "$RESET"
+)
+
+log_warn_priority=1
+log_warn() (
+  priority=$log_warn_priority
+  log_priority "$priority" || return 0
+  echo_stderr "$(log_tag $priority)" "${@}" "$RESET"
+)
+
+log_err_priority=0
+log_err() (
+  priority=$log_err_priority
+  log_priority "$priority" || return 0
+  echo_stderr "$(log_tag $priority)" "${@}" "$RESET"
+)
+
+uname_os_check() (
+  os="$1"
+  case "$os" in
+    darwin) return 0 ;;
+    dragonfly) return 0 ;;
+    freebsd) return 0 ;;
+    linux) return 0 ;;
+    android) return 0 ;;
+    nacl) return 0 ;;
+    netbsd) return 0 ;;
+    openbsd) return 0 ;;
+    plan9) return 0 ;;
+    solaris) return 0 ;;
+    windows) return 0 ;;
+  esac
+  log_err "uname_os_check '$(uname -s)' got converted to '$os' which is not a GOOS value. Please file bug at https://github.com/client9/shlib"
+  return 1
+)
+
+uname_arch_check() (
+  arch="$1"
+  case "$arch" in
+    386) return 0 ;;
+    amd64) return 0 ;;
+    arm64) return 0 ;;
+    armv5) return 0 ;;
+    armv6) return 0 ;;
+    armv7) return 0 ;;
+    ppc64) return 0 ;;
+    ppc64le) return 0 ;;
+    mips) return 0 ;;
+    mipsle) return 0 ;;
+    mips64) return 0 ;;
+    mips64le) return 0 ;;
+    s390x) return 0 ;;
+    amd64p32) return 0 ;;
+  esac
+  log_err "uname_arch_check '$(uname -m)' got converted to '$arch' which is not a GOARCH value.  Please file bug report at https://github.com/client9/shlib"
+  return 1
+)
+
+unpack() (
+  archive="$1"
+
+  log_trace "unpack(archive=${archive})"
+
+  case "$archive" in
+    *.tar.gz | *.tgz) tar --no-same-owner -xzf "$archive" ;;
+    *.tar) tar --no-same-owner -xf "$archive" ;;
+    *.zip) unzip -q "$archive" ;;
+    *.dmg) extract_from_dmg "$archive" ;;
+    *)
+      log_err "unpack unknown archive format for ${archive}"
+      return 1
+      ;;
+  esac
+)
+
+extract_from_dmg() (
+  dmg_file="$1"
+
+  mount_point="/Volumes/tmp-dmg"
+  hdiutil attach -quiet -nobrowse -mountpoint "$mount_point" "$dmg_file"
+  cp -fR "${mount_point}/." ./
+  hdiutil detach -quiet -force "$mount_point"
+)
+
+http_download_curl() (
+  local_file="$1"
+  source_url="$2"
+  header="$3"
+
+  log_trace "http_download_curl(local_file=$local_file, source_url=$source_url, header=$header)"
+
+  if [ -z "$header" ]; then
+    code=$(curl -w '%{http_code}' -sL -o "$local_file" "$source_url")
+  else
+    code=$(curl -w '%{http_code}' -sL -H "$header" -o "$local_file" "$source_url")
+  fi
+
+  if [ "$code" != "200" ]; then
+    log_err "received HTTP status=$code for url='$source_url'"
+    return 1
+  fi
+  return 0
+)
+
+http_download_wget() (
+  local_file="$1"
+  source_url="$2"
+  header="$3"
+
+  log_trace "http_download_wget(local_file=$local_file, source_url=$source_url, header=$header)"
+
+  if [ -z "$header" ]; then
+    wget -q -O "$local_file" "$source_url"
+  else
+    wget -q --header "$header" -O "$local_file" "$source_url"
+  fi
+)
+
+http_download() (
+  log_debug "http_download(url=$2)"
+  if is_command curl; then
+    http_download_curl "$@"
+    return
+  elif is_command wget; then
+    http_download_wget "$@"
+    return
+  fi
+  log_err "http_download unable to find wget or curl"
+  return 1
+)
+
+http_copy() (
+  tmp=$(mktemp)
+  http_download "$tmp" "$1" "$2" || return 1
+  body=$(cat "$tmp")
+  rm -f "$tmp"
+  echo "$body"
+)
+
+hash_sha256() (
+  TARGET=${1:-/dev/stdin}
+  if is_command gsha256sum; then
+    hash=$(gsha256sum "$TARGET") || return 1
+    echo "$hash" | cut -d ' ' -f 1
+  elif is_command sha256sum; then
+    hash=$(sha256sum "$TARGET") || return 1
+    echo "$hash" | cut -d ' ' -f 1
+  elif is_command shasum; then
+    hash=$(shasum -a 256 "$TARGET" 2>/dev/null) || return 1
+    echo "$hash" | cut -d ' ' -f 1
+  elif is_command openssl; then
+    hash=$(openssl -dst openssl dgst -sha256 "$TARGET") || return 1
+    echo "$hash" | cut -d ' ' -f a
+  else
+    log_err "hash_sha256 unable to find command to compute sha-256 hash"
+    return 1
+  fi
+)
+
+hash_sha256_verify() (
+  TARGET="$1"
+  checksums="$2"
+  if [ -z "$checksums" ]; then
+    log_err "hash_sha256_verify checksum file not specified in arg2"
+    return 1
+  fi
+  BASENAME=${TARGET##*/}
+  want=$(grep "$BASENAME" "$checksums" 2>/dev/null | tr '\t' ' ' | cut -d ' ' -f 1)
+  if [ -z "$want" ]; then
+    log_err "hash_sha256_verify unable to find checksum for '${TARGET}' in '${checksums}'"
+    return 1
+  fi
+  got=$(hash_sha256 "$TARGET")
+  if [ "$want" != "$got" ]; then
+    log_err "hash_sha256_verify checksum for '$TARGET' did not verify ${want} vs $got"
+    return 1
+  fi
+)
+
+# ------------------------------------------------------------------------
+# End of functions from https://github.com/client9/shlib
+# ------------------------------------------------------------------------
+
+# asset_file_exists [path]
+#
+# returns 1 if the given file does not exist
+#
+asset_file_exists() (
+  path="$1"
+  if [ ! -f "$path" ]; then
+      return 1
+  fi
+)
+
+
+# github_release_json [owner] [repo] [version]
+#
+# outputs release json string
+#
+github_release_json() (
+  owner="$1"
+  repo="$2"
+  version="$3"
+  test -z "$version" && version="latest"
+  giturl="https://github.com/${owner}/${repo}/releases/${version}"
+  json=$(http_copy "$giturl" "Accept:application/json")
+
+  log_trace "github_release_json(owner=${owner}, repo=${repo}, version=${version}) returned '${json}'"
+
+  test -z "$json" && return 1
+  echo "$json"
+)
+
+# extract_value [key-value-pair]
+#
+# outputs value from a colon delimited key-value pair
+#
+extract_value() (
+  key_value="$1"
+  IFS=':' read -r _ value << EOF
+${key_value}
+EOF
+  echo "$value"
+)
+
+# extract_json_value [json] [key]
+#
+# outputs value of the key from the given json string
+#
+extract_json_value() (
+  json="$1"
+  key="$2"
+  key_value=$(echo "$json" | grep  -o "\"$key\":[^,]*[,}]" | tr -d '",}')
+
+  extract_value "$key_value"
+)
+
+# github_release_tag [release-json]
+#
+# outputs release tag string
+#
+github_release_tag() (
+  json="$1"
+  tag=$(extract_json_value "$json" "tag_name")
+  test -z "$tag" && return 1
+  echo "$tag"
+)
+
+# download_github_release_checksums [release-url-prefix] [name] [version] [output-dir]
+#
+# outputs path to the downloaded checksums file
+#
+download_github_release_checksums() (
+  download_url="$1"
+  name="$2"
+  version="$3"
+  output_dir="$4"
+
+  log_trace "download_github_release_checksums(url=${download_url}, name=${name}, version=${version}, output_dir=${output_dir})"
+
+  checksum_filename=${name}_${version}_checksums.txt
+  checksum_url=${download_url}/${checksum_filename}
+  output_path="${output_dir}/${checksum_filename}"
+
+  http_download "$output_path" "$checksum_url" ""
+  asset_file_exists "$output_path"
+
+  log_trace "download_github_release_checksums() returned '${output_path}'"
+
+  echo "$output_path"
+)
+
+# search_for_asset [checksums-file-path] [name] [os] [arch] [format]
+#
+# outputs name of the asset to download
+#
+search_for_asset() (
+  checksum_path="$1"
+  name="$2"
+  os="$3"
+  arch="$4"
+  format="$5"
+
+  log_trace "search_for_asset(checksum-path=${checksum_path}, name=${name}, os=${os}, arch=${arch}, format=${format})"
+
+  asset_glob="${name}_.*_${os}_${arch}.${format}"
+  output_path=$(grep -o "$asset_glob" "$checksum_path" || true)
+
+  log_trace "search_for_asset() returned '${output_path}'"
+
+  echo "$output_path"
+)
+
+# uname_os
+#
+# outputs an adjusted os value
+#
+uname_os() (
+  os=$(uname -s | tr '[:upper:]' '[:lower:]')
+  case "$os" in
+    cygwin_nt*) os="windows" ;;
+    mingw*) os="windows" ;;
+    msys_nt*) os="windows" ;;
+  esac
+
+  uname_os_check "$os"
+
+  log_trace "uname_os() returned '${os}'"
+
+  echo "$os"
+)
+
+# uname_arch
+#
+# outputs an adjusted architecture value
+#
+uname_arch() (
+  arch=$(uname -m)
+  case "$arch" in
+    x86_64) arch="amd64" ;;
+    x86) arch="386" ;;
+    i686) arch="386" ;;
+    i386) arch="386" ;;
+    aarch64) arch="arm64" ;;
+    armv5*) arch="armv5" ;;
+    armv6*) arch="armv6" ;;
+    armv7*) arch="armv7" ;;
+  esac
+
+  uname_arch_check "$arch"
+
+  log_trace "uname_arch() returned '${arch}'"
+
+  echo "$arch"
+)
+
+# get_release_tag [owner] [repo] [tag]
+#
+# outputs tag string
+#
+get_release_tag() (
+  owner="$1"
+  repo="$2"
+  tag="$3"
+
+  log_trace "get_release_tag(owner=${owner}, repo=${repo}, tag=${tag})"
+
+  json=$(github_release_json "$owner" "$repo" "$tag")
+  real_tag=$(github_release_tag "$json")
+  if test -z "$real_tag"; then
+    return 1
+  fi
+
+  log_trace "get_release_tag() returned '${real_tag}'"
+
+  echo "$real_tag"
+)
+
+# tag_to_version [tag]
+#
+# outputs version string
+#
+tag_to_version() (
+  tag="$1"
+  value="${tag#v}"
+
+  log_trace "tag_to_version(tag=${tag}) returned '${value}'"
+
+  echo "$value"
+)
+
+# get_binary_name [os] [arch] [default-name]
+#
+# outputs a the binary string name
+#
+get_binary_name() (
+  os="$1"
+  arch="$2"
+  binary="$3"
+  original_binary="$binary"
+
+  case "$os" in
+    windows) binary="${binary}.exe" ;;
+  esac
+
+  log_trace "get_binary_name(os=${os}, arch=${arch}, binary=${original_binary}) returned '${binary}'"
+
+  echo "$binary"
+)
+
+
+# get_format_name [os] [arch] [default-format]
+#
+# outputs an adjusted file format
+#
+get_format_name() (
+  os="$1"
+  arch="$2"
+  format="$3"
+  original_format="$format"
+
+  case "$os" in
+    windows) format=zip ;;
+  esac
+
+  log_trace "get_format_name(os=${os}, arch=${arch}, format=${original_format}) returned '${format}'"
+
+  echo "$format"
+)
+
+# download_and_install_asset [release-url-prefix] [download-path] [install-path] [name] [os] [arch] [version] [format] [binary]
+#
+# attempts to download the archive and install it to the given path.
+#
+download_and_install_asset() (
+  download_url="$1"
+  download_path="$2"
+  install_path="$3"
+  name="$4"
+  os="$5"
+  arch="$6"
+  version="$7"
+  format="$8"
+  binary="$9"
+
+  asset_filepath=$(download_asset "$download_url" "$download_path" "$name" "$os" "$arch" "$version" "$format")
+
+  # don't continue if we couldn't download an asset
+  if [ -z "$asset_filepath" ]; then
+      log_err "could not find release asset for os='${os}' arch='${arch}' format='${format}' "
+      return 1
+  fi
+
+  install_asset "$asset_filepath" "$install_path" "$binary"
+)
+
+# download_asset [release-url-prefix] [download-path] [name] [os] [arch] [version] [format] [binary]
+#
+# outputs the path to the downloaded asset asset_filepath
+#
+download_asset() (
+  download_url="$1"
+  destination="$2"
+  name="$3"
+  os="$4"
+  arch="$5"
+  version="$6"
+  format="$7"
+
+  log_trace "download_asset(url=${download_url}, destination=${destination}, name=${name}, os=${os}, arch=${arch}, version=${version}, format=${format})"
+
+  checksums_filepath=$(download_github_release_checksums "$download_url" "$name" "$version" "$destination")
+
+  log_trace "checksums content:\n$(cat ${checksums_filepath})"
+
+  asset_filename=$(search_for_asset "$checksums_filepath" "$name" "$os" "$arch" "$format")
+
+  # don't continue if we couldn't find a matching asset from the checksums file
+  if [ -z "$asset_filename" ]; then
+      return 1
+  fi
+
+  asset_url="${download_url}/${asset_filename}"
+  asset_filepath="${destination}/${asset_filename}"
+  http_download "$asset_filepath" "$asset_url" ""
+
+  hash_sha256_verify "$asset_filepath" "$checksums_filepath"
+
+  log_trace "download_asset_by_checksums_file() returned '${asset_filepath}'"
+
+  echo "$asset_filepath"
+)
+
+# install_asset [asset-path] [destination-path] [binary]
+#
+install_asset() (
+  asset_filepath="$1"
+  destination="$2"
+  binary="$3"
+
+  log_trace "install_asset(asset=${asset_filepath}, destination=${destination}, binary=${binary})"
+
+  # don't continue if we don't have anything to install
+  if [ -z "$asset_filepath" ]; then
+      return
+  fi
+
+  archive_dir=$(dirname "$asset_filepath")
+
+  # unarchive the downloaded archive to the temp dir
+  (cd "$archive_dir" && unpack "$asset_filepath")
+
+  # create the destination dir
+  test ! -d "$destination" && install -d "$destination"
+
+  # install the binary to the destination dir
+  install "${archive_dir}/${binary}" "${destination}/"
+)
+
+main() (
+  # parse arguments
+
+  # note: never change default install directory (this must always be backwards compatible)
+  install_dir=${install_dir:-${DEFAULT_INSTALL_DIR}}
+
+  # note: never change the program flags or arguments (this must always be backwards compatible)
+  while getopts "b:dh?x" arg; do
+    case "$arg" in
+      b) install_dir="$OPTARG" ;;
+      d)
+        if [ "$_logp" = "$log_info_priority" ]; then
+          # -d == debug
+          log_set_priority $log_debug_priority
+        else
+          # -dd (or -ddd...) == trace
+          log_set_priority $log_trace_priority
+        fi
+        ;;
+      h | \?) usage "$0" ;;
+      x) set -x ;;
+    esac
+  done
+  shift $((OPTIND - 1))
+  set +u
+  tag="$1"
+
+  if [ "$install_dir" = "$DEFAULT_INSTALL_DIR" ]; then
+    if [ ! -d "$DOCKER_HOME" ]; then
+      log_err "docker is not installed; refusing to install to '${install_dir}'"
+      exit 1
+    fi
+  fi
+
+  if [ -z "$tag" ]; then
+    log_debug "checking github for the current release tag"
+    tag=""
+  else
+    log_debug "checking github for release tag='${tag}'"
+  fi
+  set -u
+
+  tag=$(get_release_tag "$OWNER" "$REPO" "$tag")
+
+  if [ "$?" != "0" ]; then
+      log_err "unable to find tag='${tag}'"
+      log_err "do not specify a version or select a valid version from https://github.com/${OWNER}/${REPO}/releases"
+      return 1
+  fi
+
+  # run the application
+
+  version=$(tag_to_version "$tag")
+  os=$(uname_os)
+  arch=$(uname_arch)
+  format=$(get_format_name "$os" "$arch" "tar.gz")
+  binary=$(get_binary_name "$os" "$arch" "$BINARY")
+  download_url="${GITHUB_DOWNLOAD_PREFIX}/${tag}"
+
+  # we always use the install.sh script that is associated with the tagged release. Why? the latest install.sh is not
+  # guaranteed to be able to install every version of the application. We use the DOWNLOAD_TAG_INSTALL_SCRIPT env var
+  # to indicate if we should continue processing with the existing script or to download the script from the given tag.
+  if [ "$DOWNLOAD_TAG_INSTALL_SCRIPT" = "true" ]; then
+      export DOWNLOAD_TAG_INSTALL_SCRIPT=false
+      log_info "fetching release script for tag='${tag}'"
+      http_copy "${INSTALL_SH_BASE_URL}/${tag}/install.sh" "" | sh -s -- ${PROGRAM_ARGS}
+      exit "$?"
+  fi
+
+  log_info "using release tag='${tag}' version='${version}' os='${os}' arch='${arch}'"
+
+  download_dir=$(mktemp -d)
+  trap 'rm -rf -- "$download_dir"' EXIT
+
+  log_debug "downloading files into ${download_dir}"
+
+  download_and_install_asset "$download_url" "$download_dir" "$install_dir" "$PROJECT_NAME" "$os" "$arch" "$version" "$format" "$binary"
+
+  # don't continue if we couldn't install the asset
+  if [ "$?" != "0" ]; then
+      log_err "failed to install ${BINARY}"
+      return 1
+  fi
+
+  log_info "installed ${install_dir}/${binary}"
+)
+
+# entrypoint
+
+set +u
+if [ -z "$TEST_INSTALL_SH" ]; then
+  set -u
+  main "$@"
+fi
+set -u
diff --git a/package-lock.json b/package-lock.json
index c351a59ab..6a4cdafa9 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -15,10 +15,10 @@
         "@bgotink/playwright-coverage": "^0.3.2",
         "@playwright/test": "^1.60.0",
         "@types/eslint-plugin-jsx-a11y": "^6.10.1",
-        "@types/node": "^25.9.2",
+        "@types/node": "^25.9.3",
         "dotenv": "^17.4.2",
         "markdownlint-cli2": "^0.22.1",
-        "prettier": "^3.8.3",
+        "prettier": "^3.8.4",
         "prettier-plugin-tailwindcss": "^0.8.0",
         "tar": "^7.5.16",
         "typescript": "^6.0.3",
@@ -353,14 +353,14 @@
       }
     },
     "node_modules/@napi-rs/wasm-runtime": {
-      "version": "1.1.4",
-      "resolved": "https://registry.npmjs.org/@napi-rs/wasm-runtime/-/wasm-runtime-1.1.4.tgz",
-      "integrity": "sha512-3NQNNgA1YSlJb/kMH1ildASP9HW7/7kYnRI2szWJaofaS1hWmbGI4H+d3+22aGzXXN9IJ+n+GiFVcGipJP18ow==",
+      "version": "1.1.5",
+      "resolved": "https://registry.npmjs.org/@napi-rs/wasm-runtime/-/wasm-runtime-1.1.5.tgz",
+      "integrity": "sha512-AWPoBRJ9tsnVhor4sjO7rkni+7p+2IAEFj6cx06UgP10jkQHqay/36uRV/bFkgrh18D9vb4cr8Q0Pthskgzy+Q==",
       "dev": true,
       "license": "MIT",
       "optional": true,
       "dependencies": {
-        "@tybys/wasm-util": "^0.10.1"
+        "@tybys/wasm-util": "^0.10.2"
       },
       "funding": {
         "type": "github",
@@ -822,9 +822,9 @@
       "license": "MIT"
     },
     "node_modules/@types/node": {
-      "version": "25.9.2",
-      "resolved": "https://registry.npmjs.org/@types/node/-/node-25.9.2.tgz",
-      "integrity": "sha512-G05zqtJhcDLb8uslf5EjCxXg9G1KQxiV8OS0R26IC//Eoyitzqe8z37I7cqvnZlrlSfgocQRfSn/AHBZJJFyGw==",
+      "version": "25.9.3",
+      "resolved": "https://registry.npmjs.org/@types/node/-/node-25.9.3.tgz",
+      "integrity": "sha512-603BddQMv3pUcr4U2dhujk83N2tTDVr/34wII2B6bJy6g+8WD6yUb11jszNs0gdi4PesVWl7ABt8nYMVpnLUcg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -973,9 +973,9 @@
       }
     },
     "node_modules/acorn": {
-      "version": "8.16.0",
-      "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.16.0.tgz",
-      "integrity": "sha512-UVJyE9MttOsBQIDKw1skb9nAwQuR5wuGD3+82K6JgJlm/Y+KI92oNsMNGZCYdDsVtRHSak0pcV5Dno5+4jh9sw==",
+      "version": "8.17.0",
+      "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.17.0.tgz",
+      "integrity": "sha512-xRQbDb9BnwDafYNn6Vwl839DYVjqXYb1XVGtWAZ1kcDc6iwAL4hg3B1dZlRiuENFeO2H53gFG3in621AdERVAg==",
       "dev": true,
       "license": "MIT",
       "bin": {
@@ -3295,15 +3295,18 @@
       }
     },
     "node_modules/obug": {
-      "version": "2.1.1",
-      "resolved": "https://registry.npmjs.org/obug/-/obug-2.1.1.tgz",
-      "integrity": "sha512-uTqF9MuPraAQ+IsnPf366RG4cP9RtUi7MLO1N3KEc+wb0a6yKpeL0lmk2IB1jY5KHPAlTc6T/JRdC/YqxHNwkQ==",
+      "version": "2.1.3",
+      "resolved": "https://registry.npmjs.org/obug/-/obug-2.1.3.tgz",
+      "integrity": "sha512-9miFgM2OFba7hB+pRgvtV84pYTBaoTHohvmIgiRt6dRIzbwEOIaNaP+dIlGs2fNFoB0SeISs0Jz5WFVRid6Xyg==",
       "dev": true,
       "funding": [
         "https://github.com/sponsors/sxzz",
         "https://opencollective.com/debug"
       ],
-      "license": "MIT"
+      "license": "MIT",
+      "engines": {
+        "node": ">=12.20.0"
+      }
     },
     "node_modules/optionator": {
       "version": "0.9.4",
@@ -3505,9 +3508,9 @@
       }
     },
     "node_modules/prettier": {
-      "version": "3.8.3",
-      "resolved": "https://registry.npmjs.org/prettier/-/prettier-3.8.3.tgz",
-      "integrity": "sha512-7igPTM53cGHMW8xWuVTydi2KO233VFiTNyF5hLJqpilHfmn8C8gPf+PS7dUT64YcXFbiMGZxS9pCSxL/Dxm/Jw==",
+      "version": "3.8.4",
+      "resolved": "https://registry.npmjs.org/prettier/-/prettier-3.8.4.tgz",
+      "integrity": "sha512-N2MylSdi48+5N/6S5j+maeHbUSIzzZ5uOcX5Hm4QpV8Dkb1HFjfAKTKX6yNPJQD9AhcT3ifHNB66tWTTJDi11Q==",
       "dev": true,
       "license": "MIT",
       "bin": {
@@ -3763,9 +3766,9 @@
       "license": "MIT"
     },
     "node_modules/semver": {
-      "version": "7.8.1",
-      "resolved": "https://registry.npmjs.org/semver/-/semver-7.8.1.tgz",
-      "integrity": "sha512-rkVq3IXh+4FDGch+KwzX3aV9W3kO54GyEgpvBzSyctDA6Xtd7RJQV1xmXbeQp5v7+VzLOfVqiutSE6GICgPFvg==",
+      "version": "7.8.4",
+      "resolved": "https://registry.npmjs.org/semver/-/semver-7.8.4.tgz",
+      "integrity": "sha512-rUCObTnP32Q08R2uuIrt7r9PlEonuTmtuXYcW6s5kjdlj3xbnwe+21yXptAUYcMAABLkYYTtnmzb3w3EDZfueA==",
       "dev": true,
       "license": "ISC",
       "bin": {
@@ -3965,9 +3968,9 @@
       "license": "MIT"
     },
     "node_modules/tinyexec": {
-      "version": "1.2.3",
-      "resolved": "https://registry.npmjs.org/tinyexec/-/tinyexec-1.2.3.tgz",
-      "integrity": "sha512-g62dB+w1/OEFnPvmX0yd/HnetYITOL+1nJW7kitOycOeAvmbWC/nu0fwmmQ/kupNojqExzyC/T++pST/jRJ2mQ==",
+      "version": "1.2.4",
+      "resolved": "https://registry.npmjs.org/tinyexec/-/tinyexec-1.2.4.tgz",
+      "integrity": "sha512-SHf/r48b7vOrjve9PxJo3MN5v5yuyjHvdUcrQffT3WXMUfnGmHDVbC4k3sHJaJTgZCwpUplIaAo5ANtMyp3YHg==",
       "dev": true,
       "license": "MIT",
       "engines": {
diff --git a/package.json b/package.json
index 2053d06b6..1de5e7861 100644
--- a/package.json
+++ b/package.json
@@ -22,10 +22,10 @@
     "@bgotink/playwright-coverage": "^0.3.2",
     "@playwright/test": "^1.60.0",
     "@types/eslint-plugin-jsx-a11y": "^6.10.1",
-    "@types/node": "^25.9.2",
+    "@types/node": "^25.9.3",
     "dotenv": "^17.4.2",
     "markdownlint-cli2": "^0.22.1",
-    "prettier": "^3.8.3",
+    "prettier": "^3.8.4",
     "prettier-plugin-tailwindcss": "^0.8.0",
     "tar": "^7.5.16",
     "typescript": "^6.0.3",
diff --git a/scripts/frontend-test-coverage.sh b/scripts/frontend-test-coverage.sh
index 7c8008e13..d63ba8471 100755
--- a/scripts/frontend-test-coverage.sh
+++ b/scripts/frontend-test-coverage.sh
@@ -19,7 +19,7 @@ RUN_COVERAGE_DIR="coverage/.run-${PPID}-$$-$(date +%s)"
 cd "$FRONTEND_DIR"
 
 # Ensure dependencies are installed for CI runs
-npm ci --silent
+npm ci --silent --ignore-scripts
 
 # Ensure coverage output directories exist
 mkdir -p "$CANONICAL_COVERAGE_DIR"
diff --git a/scripts/go_update.sh b/scripts/go_update.sh
index fe1b64676..32ccd470b 100755
--- a/scripts/go_update.sh
+++ b/scripts/go_update.sh
@@ -4,6 +4,10 @@
 
 set -euo pipefail
 
+GOPATH_BIN="$(go env GOPATH)/bin"
+export PATH="$GOPATH_BIN:$PATH"
+command -v govulncheck >/dev/null || go install golang.org/x/vuln/cmd/govulncheck@latest
+
 MODULES=(
     "/projects/Charon/backend"
     "/projects/Charon/agent"
@@ -16,12 +20,16 @@ for MODULE in "${MODULES[@]}"; do
 
     cd "$MODULE" || exit 1
 
-    go get -u ./...
+    # Update go/toolchain directives so Renovate's golang updates have nothing to do
+    go get go@latest toolchain@latest
+    # -t includes test-only dependencies, which Renovate also tracks
+    go get -u -t ./...
     go mod tidy
     go mod verify
     go vet ./...
-    go list -m -u all
     go build ./...
+    go test ./... > /dev/null
+    govulncheck ./...
 
     echo "Done: $MODULE"
 done
diff --git a/scripts/npm_update.sh b/scripts/npm_update.sh
index a3a88788d..87c5342a5 100644
--- a/scripts/npm_update.sh
+++ b/scripts/npm_update.sh
@@ -19,10 +19,10 @@ for MODULE in "${MODULES[@]}"; do
     cd "$MODULE" || exit 1
 
     npx npm-check-updates -u
-    npm install
+    rm -rf node_modules package-lock.json
+    npm install --ignore-scripts
     npm dedupe
     npm run --if-present build
-    npm run --if-present lint
     npm audit --audit-level=high
     npm audit fix
     npm outdated
diff --git a/scripts/setup-e2e-env.sh b/scripts/setup-e2e-env.sh
index d1a715db2..17acb82b6 100755
--- a/scripts/setup-e2e-env.sh
+++ b/scripts/setup-e2e-env.sh
@@ -126,7 +126,7 @@ echo ""
 
 # Step 2: Install npm dependencies
 echo -e "${BLUE}📦 Step 2: Installing npm dependencies...${NC}"
-npm ci --silent
+npm ci --silent --ignore-scripts
 echo -e "${GREEN}✅ Dependencies installed${NC}"
 echo ""