docs(decisions): record plan-tier taxonomy centralization decision (Option B)

Captures the 2026-05-29 decision to derive admin plan dropdown + validation from the plan_limits table rather than hand-duplicating the allow-list across 6+ sites. Triggered by the prod "AI sessions down" report that traced to the admin dropdown still offering the dead 'team' slug. Adds the matching backlog entry to TODO.md with duplication sites enumerated. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
docs(plan): L1 AI decision-tree builder — Phase 2A implementation plan
2026-05-29 11:25:28 -04:00 · 2026-05-29 03:16:10 -04:00 · 2026-05-29 03:04:49 -04:00 · 2026-05-29 01:22:37 -04:00 · 2026-05-29 05:18:47 +00:00 · 2026-05-29 01:06:02 -04:00
365 changed files with 49687 additions and 2921 deletions
--- a/.ai/CURRENT_TASK.md
+++ b/.ai/CURRENT_TASK.md
@@ -1,45 +1,34 @@
 # CURRENT_TASK.md

-**Task:** Add a fourth, non-terminal outcome to the suggested-fix banner — **Awaiting verification** (`applied_pending`). Today the verifying banner forces a synchronous verdict (worked / didn't / partial), but a lot of real fixes are async — engineer ran the script but is waiting on the client to power-cycle, AD replication, an O365 license sync. Without a fourth state the banner sits stale or the engineer guesses wrong.
+**Active task:** Phase O cutover for self-serve signup. All code blockers are now closed on `main`. Only user-side manual ops remain: apex DNS fix at Namecheap, Stripe Dashboard live-mode config (with the new `/contact` and `/policies` URLs surfaced in the business profile), Railway prod env vars, internal validation pass, public flag flip. See `.ai/HANDOFF.md` for the resume point.

-**Status:** ✅ **Engineering complete; PR #156 open.** Backend tests, prompt guardrail, frontend tsc/build clean; Alembic migration applies. Pending browser QA.
+## Recently shipped

-**Branch:** `feat/fix-pending-verification` (off `main` after the Escalation Mode merge).
-
-**PR:** https://gitea.resolutionflow.com/chihlasm/resolutionflow/pulls/156
-
-## What ships
-
-| Layer | Change |
-|---|---|
-| Schema | New `FixStatus="applied_pending"` + new `pending_reason` Text column on `session_suggested_fixes`. |
-| Migration | `c0f3a4b7e91d` — adds `pending_reason`, extends status CHECK constraint. |
-| API | `PATCH /suggested-fixes/{id}/outcome` accepts `applied_pending`, requires `notes`, stamps `applied_at` only (NOT `verified_at`). Pending in/out transitions allowed (parked, like partial). |
-| Generators | `resolution_note_generator` and `escalation_package_generator` system prompts handle the new status without real-looking examples; resolution note frames the fix as provisional; escalation package surfaces pending verification as the leading hypothesis with reference to what's being waited on. |
-| Frontend | New `BannerMode='pending'` + `PendingBanner` component (info-tone, mirrors `PartialBanner`) with worked / didn't / update reason / dismiss actions; "Waiting to verify…" overflow option in `VerifyingBanner`; nudge "Still checking" now records pending with a reason instead of just silencing; `AssistantChatPage` banner-mode derivation maps `applied_pending → 'pending'`; page-level Resolve/Escalate now handle pending honestly. |
-| Tests | 4 new integration tests in `test_fix_outcome_endpoint.py`: pending-requires-notes, pending stores reason + applied_at-not-verified_at, pending→success transition, pending_reason update on re-PATCH. 21/21 pass. Prompt anti-parrot guardrail passes. Frontend `tsc -b` and Vite build pass via Docker. |
-
-## Out of scope (intentionally)
-
- Cross-session "Follow-ups" dashboard rollup. The chat-anchored `PendingBanner` is the per-session reminder. Add the dashboard surface only if engineers report losing track across multiple pending sessions.
- Optional follow-up timer ("remind me in 30m"). Nice but not the wedge.
-
-## Resume point — DO THIS NEXT
-
-**Browser QA:** verify the new flow end-to-end in dev:
-1. Trigger a suggested fix, click Apply, then open the verifying banner overflow → "Waiting to verify…" → enter a reason → confirm `PendingBanner` renders with the reason.
-2. From `PendingBanner`, click "It worked" → confirm transition to terminal success and banner dismissal.
-3. From `PendingBanner`, click "Update reason" → confirm reason updates server-side.
-4. From `PendingBanner`, click "Dismiss" → confirm banner dismissal and no terminal timestamps.
-5. Trigger the nudge state (3+ post-apply messages) → click "Still checking" → enter a reason → confirm pending state takes over.
-6. From a pending fix, use page-level Resolve → confirm the fix is patched to `applied_success` before the resolution note.
-7. From a pending fix, use page-level Escalate → confirm the outcome intercept appears before the conclude modal.
-
-After QA passes, commit/push the local review fixes and merge PR #156.
-
-## Just-shipped (2026-04-30)
-
-**PR #155 — Escalation Mode wedge** merged into main as `ac42f97`. The wedge for ResolutionFlow's GTM (first paying-customer push). Senior tech sees structured handoff context in seconds via the magic-moment screen. Plan: [`docs/plans/2026-04-27-escalation-mode-wedge-design.md`](../docs/plans/2026-04-27-escalation-mode-wedge-design.md).
+- **2026-05-14 — PR #168** Session expiration policy + dashboard onboarding-CTA fix + welcome step-2 PSA CTA reshape. Merge-committed into main as `3a35121`. Three threads bundled on one branch (`feat/session-expiration-policy`):
+  - **Session expiration policy** (original branch scope): 3d idle / 14d absolute, per-account override, bulk revoke. New `AccountSecuritySettingsPage`, `RevokeSessionsModal`, `SessionExpiryToast`, `useAuthSessionExpiry` hook; backend dependencies in `accountSecurity.ts`.
+  - **Dashboard onboarding CTA fix** (`8d79dd9`): The "Start a session" CTAs on `NextStepCard` and `SetupChecklist` used to `<Link to="/">` while themselves rendered on `/`, so clicks were silent no-ops. Replaced with a `FOCUS_START_SESSION_EVENT` window event that `StartSessionInput` listens for — scrolls itself into view (top of viewport), focuses the textarea, pulses a blue ring 900ms. `NextStepCard` hides itself locally on click so the prompt doesn't linger while the user types.
+  - **Welcome step-2 PSA CTA reshape** (`dc88797`): Selecting a real PSA now swaps `[Continue] [Skip]` for `[Connect <PSA> now] [Connect later] [Skip this step]`. Primary blue button saves `primary_psa` and routes to `/account/integrations`; "Connect later" saves and continues to step 3. **Pre-existing bug fixed**: the old subtle "Connect now →" link never persisted `primary_psa` before navigating. Now it does. "No PSA yet" / no-selection states still show the original single Continue.
+- **2026-05-14 — PR #166** Docs/handoff doc updates carrying forward PR #164/#165 state and EIN blocker. Squash-merged into main as `fe0e692`.
+- **2026-05-12 — PR #167** `backend/scripts/create_site_admin.py` site-wide super-admin bootstrap script. Squash-merged into main as `e50a215`. Idempotent CLI, three modes (`--send-reset`, `--print-reset`, `--promote-only`). Uses `ADMIN_DATABASE_URL` (BYPASSRLS). User confirmed end-to-end success against prod via `railway ssh` 2026-05-12 evening.
+- **2026-05-12 — PR #165** Legal/contact pages for Stripe site review. Squash-merged into main as `ba45cfe`. Three new SPA pages: `/policies` (consolidated Customer Policies — refunds, cancellation, U.S. legal/export restrictions, promotional terms; anchor IDs per subsection), `/contact` (phone (470) 949-4131, support/sales/billing/security inboxes, response-time SLAs), `/promotions` (stub satisfying Policies §6.2). New `MarketingFooter` component (`components/common/MarketingFooter.tsx`) extracted from inline landing footer; mounted on `/landing`, `/pricing`, `/contact-sales` so all four legal links (Privacy/Terms/Policies/Contact) are reachable from every marketing surface. Component reuses existing `landing-footer*` CSS — must be inside a `.landing-page` wrapper (documented in JSX comment). Privacy and Terms closing sections updated to point at `/contact` + `/policies` with correct per-area inboxes; stale `hello@` mailto removed everywhere. Mailing address left as TODO comments in both `ContactPage.tsx` and `PoliciesPage.tsx`, rendered publicly as "available on request" until P.O. Box is purchased. tsc + eslint clean.
+- **2026-05-08 — PR #164** Plan taxonomy reconciliation + `INTERNAL_TESTER_EMAILS` allowlist + Stripe sync script + page-title fix + frontend taxonomy followups + doc refresh. 5 commits on `feat/billing-plan-taxonomy` from main (`dad5e1f`); HEAD `2c9f5e9`. Migration `4ce3e594cb87` renames `plan_limits.plan='team'` → `'enterprise'` and adds `starter` row (caps interpolated between free and pro: `max_trees=10`, `sessions=75`, `ai=15/mo`). Resource visibility (`Tree.visibility='team'`, `StepLibrary.visibility='team'`) is a separate domain and intentionally untouched. New `backend/scripts/sync_stripe_plan_ids.py` upserts `plan_billing` rows from Stripe products by exact name match — annual fields stay NULL by design (user explicitly skipping annual pricing for exit flexibility). `Settings.is_internal_tester` + `is_self_serve_active_for` centralize the allowlist + global-flag check; new `get_current_user_optional` dep; `/config/public` honors allowlist for authenticated callers; `/auth/register` allows allowlisted emails without invite code. LandingPage page-title bug — `—` inside JSX attribute strings was rendering as 6 literal characters in browser tabs; replaced with literal em dash. PageMeta default tagline updated from "Decision Tree Platform" to "AI-Powered Troubleshooting for MSPs". 86/86 passing across subscription/billing/plan/invite/admin sweep; tsc + lint clean. See `.ai/DECISIONS.md` for the two architectural entries (taxonomy reconciliation, allowlist).
+- **2026-05-06 — PR #163** Seed test users marked email-verified. Squash-merged into main as `dad5e1f`.
+- **2026-05-06 — PR #162** Self-serve signup Phase 2 (frontend cutover). 18 commits across Tasks 27–44 of the plan. Backend remainders + frontend billing foundation + auth surfaces (OAuth + accept-invite + verify-email) + welcome wizard + dashboard redesign (TrialPill, NextStepCard, unified checklist) + public surfaces (`/pricing`, `/contact-sales`) + beta-signup deprecation. Squash-merged into main as `f1be3ab`. Single alembic head was `c6cbfc534fad` (no new migrations in Phase 2; PR #164 adds `4ce3e594cb87`).
+- **2026-05-02 — PR #159** In-product User Guides rewrite. Merged into `main`. Replaced 15 feature-dump guides with 43 problem-oriented Diátaxis how-tos grouped under 10 categories. Dropped Maintenance Flows / AI Assistant / Flow Assist Sparkles (UI no longer exists). Renamed Step Library → Solutions Library. Authored 14 net-new how-tos for FlowPilot-era surfaces (tasklane keyboard flow, what-we-know, resolve, escalate, record-fix-outcome, post-docs-to-ticket, share-update, pause-and-leave, build-script-from-scratch, open-suggested-flow, pin-a-flow, invite-teammate, etc.). Schema additions: `category`, optional `relatedSlugs`; hub renders category sections; detail page renders related-guides footer. Fixed rendering bug where `**bold**` in `step.tip` rendered literally. Killed misleading "N sections" subtitle on guide cards. Browser-verified against engineer + owner login (sidebar labels, account sub-pages, pilot-screen header buttons, Tasks panel, integration form). Two unverified items intentionally deferred: change-teammate-role (requires non-owner test member to inspect role-change control) and detailed Resolve / Escalate modal contents (Resolve gated by 6 pending tasks in test data). tsc and Vite build clean.
+- **2026-05-01 — PR #158** Session-screen UX impeccable pass + tasklane keyboard flow. Merged into `main` as `5e10005`.
+  - **Impeccable pass** (5 sub-passes — distill / quieter / layout / typeset / polish): score 24/40 → 33/40. Removed the duplicate "Suggested checks" chip strip; added an inline `Next steps · N pending in Tasks` cue above the latest action-bearing AI bubble; consolidated the desktop session header to Resolve + Escalate + ⋯ kebab (Context / New Ticket / Update Ticket / Pause now under the kebab, mobile kebab gained Context + New Ticket parity); centered the messages column to `max-w-3xl` to match the composer; bubbles dropped to `rounded-xl`. Decoration sweep: dropped 3px side stripes (TaskLane done states, all 6 ProposalBanner modes, WhatWeKnowItem rows), gradient backgrounds (WhatWeKnow + every banner), accent borderTop on TaskLane header, backdrop-blur on handoff overlay, animate-pulse-amber ring in VerifyingBanner, bordered avatar boxes in banners. Type sweep: 14 distinct sizes → 5-step scale (10/11/12/13/14px). Icon disambiguation: `MessageCircleQuestion` split into `Pencil` (Answer CTA) + `HelpCircle` (per-check explainer). Dead `font-sans` audit (12 sites) and double `text-xs` cleanups.
+  - **TaskLane keyboard-first flow** (real feature): Enter submits + auto-advances to next pending task, Shift+Enter newline, Esc cancels, focus jumps to Send Responses after the last submission. Mouse path also auto-advances. Subtle hint row teaches the shortcut.
+  - **Banner ↔ script panel linked**: collapsing or dismissing the ProposalBanner now also hides the InlineNoTemplateDialog / TemplateMatchPanel; recording any outcome closes both surfaces.
+  - **WhatWeKnow collapsible**: per-session preference in `sessionStorage` (`rf-whatweknow-collapsed:{sessionId}`); auto-collapses on first render at ≥5 facts.
+  - **Side fix**: `ParameterizationPreview.tokenize()` word-boundary guard prevents over-eager highlighting of short values like `"D"` (no longer lights up every capital D in `Get-ADUser`).
+  - Validation: tsc clean, ESLint clean, Vite build clean. Type-check + lint passed at every commit boundary.
+- **2026-05-01 — PR #156** Suggested-fix `applied_pending` non-terminal outcome. Merged into `main` as `3ba4532`. Adds:
+  - Schema/API: `FixStatus="applied_pending"`, `pending_reason` Text column, migration `c0f3a4b7e91d`. `PATCH /suggested-fixes/{id}/outcome` accepts pending, requires notes, stamps `applied_at` only.
+  - UI: `PendingBanner` (info-tone, worked / didn't / update reason / dismiss). "Waiting to verify…" overflow option in `VerifyingBanner`. Nudge "Still checking" records pending with a reason. Page-level Resolve auto-patches pending → success before resolution flow; page-level Escalate intercepts pending the same way verifying/partial does.
+  - Generators: `resolution_note_generator` and `escalation_package_generator` system prompts handle the new status without real-looking examples.
+  - Tests: 4 new in `test_fix_outcome_endpoint.py` (21/21 suite green); prompt anti-parrot guardrail green; tsc + Vite build clean.
+  - QA report: `.gstack/qa-reports/qa-report-pending-verification-2026-04-30.md` (5/7 scripted checks PASS with concrete evidence; 2 entry-path checks deferred — same handlers verified via tested transitions).
+- **2026-04-30 — PR #155** Escalation Mode wedge merged as `ac42f97`. Senior-tech magic-moment screen. Plan: [`docs/plans/2026-04-27-escalation-mode-wedge-design.md`](../docs/plans/2026-04-27-escalation-mode-wedge-design.md).

 ## Two-metric framing (Escalation Mode — read before quoting numbers)

@@ -48,3 +37,10 @@ The in-product `GET /analytics/flowpilot/escalations` endpoint measures *post-cl
 ## Kill-switch (Escalation Mode)

 Week 8: if 0 of 3 pilots produce a verifiable hours-saved-per-week number above 1.0, revisit the wedge.
+
+## Notes for next session
+
+- Drive checks 1 (VerifyingBanner overflow → "Waiting to verify…") and 5 (nudge "Still checking" with 3+ post-apply messages) in real pilot usage to close the QA gap left by `/qa` (the tested handlers cover the same mutations, but the entry-path UI rendering wasn't exercised end-to-end).
+- Consider monitoring how often pending fixes get parked vs resolved — if engineers report losing track across sessions, revisit the cross-session "Follow-ups" dashboard rollup that was scoped out.
+- After PR #158 lands in real ticket flow, eyeball the keyboard-hint contrast and the WhatWeKnow auto-collapse-at-5 threshold — both were judgment calls (5 was a guess; the contrast bump from `/70` to full muted-foreground was based on my read, not real screen testing). Adjust if the 5-fact threshold feels too aggressive or too lenient mid-session.
+- Two follow-ups logged in `.ai/TODO.md` from the impeccable pass: `ConcludeSessionModal` paused/escalated step should allow multi-select (Ticket Notes + Client Update + Email Draft simultaneously) — real feature work; `bg-card-hover` Tailwind class doesn't resolve in `CommandPalette` — two-line fix.
--- a/.ai/DECISIONS.md
+++ b/.ai/DECISIONS.md
@@ -13,6 +13,130 @@

 ---

+## 2026-05-29 — Single source of truth for plan-tier taxonomy (derive admin UI + validation from `plan_limits`)
+
+**Context:** A prod report ("AI sessions aren't working") traced to the owner account having no paid plan (AI is plan-gated), compounded by a real bug: the admin "Change Plan" dropdown ([`AccountDetailPage.tsx:443-445`](../frontend/src/pages/admin/AccountDetailPage.tsx)) still offered the dead `team` slug (renamed to `enterprise` in migration `4ce3e594cb87`, 2026-05-07) and omitted `starter`/`enterprise`. Selecting "Team" 400s against the hardcoded allow-list in [`admin.py:994`](../backend/app/api/endpoints/admin.py#L994). The dropdown was missed during the 2026-05-07 taxonomy reconciliation because the allowed-plan list is hand-duplicated across ≥6 backend + frontend sites. Second taxonomy-drift incident.
+
+**Decision:** Option B — make `plan_limits` the single source of truth: admin dropdown + pricing/checkout derive plan options from a plans endpoint (filter `is_public`, order by `sort_order`, label from `display_name`), and backend validation checks against actual `plan_limits` rows rather than a hardcoded tuple. Implementation deferred (active work is on another branch); fully specced in [TODO.md](TODO.md). A trivial dropdown-options fix may land first to unblock the admin tool.
+
+**Rejected:** Option A (patch only the `AccountDetailPage` dropdown). Fixes the symptom but leaves the duplication that has now caused two drift incidents — and there is no outage forcing a minimal diff (bug is admin-only and was already worked around via direct Pro assignment). Conflicts with the repo principle "prefer correct architecture over minimal diff."
+
+**Consequences:** New plan tiers become a data change (a `plan_limits` row) instead of a multi-file code edit; UI and validation can no longer drift from the catalog. Requires a public-plans read endpoint (or extending billing state) consumed by the admin UI + pricing page. The `'team'` visibility string (`Tree.visibility` / `StepLibrary.visibility`) is a separate domain and is explicitly out of scope.
+
+---
+
+## 2026-05-28 — Scope Anthropic structured outputs to flat-array JSON only
+
+**Context:** Optimizing the existing Claude API usage (no model change). The Anthropic path in `generate_json` (`ai_provider.py`) had no equivalent to the Gemini path's `response_mime_type="application/json"` — it prompted for JSON and relied on downstream defenses: `_strip_markdown_fences` (ai_fix), `parse_llm_json` (knowledge_flywheel), and `_try_repair_json` (kb_conversion, which balances unclosed braces on truncated output). Anthropic structured outputs (`output_config.format` with a JSON schema) guarantee valid, parseable JSON and would eliminate those band-aids. The question was which of the four `generate_json` call sites can adopt it.
+
+Structured outputs has hard schema limits: **no recursive schemas**, and **every object must set `additionalProperties: false`** (so the schema must enumerate exactly the fields the model emits — a superset is impossible, an omission makes a field unproducible). Tracing the call sites against those limits:
+
+- **kb_conversion** → output is `{title, description, nodes: [...]}` / `{...steps[], intake_form[]}` — **flat arrays**, references by `next_node_id`/id, no nesting. Expressible.
+- **ai_fix** → returns a fixed *node that is itself a subtree*; `_find_node_by_id` recurses `node["children"]` and the prompt requires decision nodes to have ≥2 children. **Recursive, arbitrary depth.**
+- **knowledge_flywheel flow-gen** → emits `tree_structure`, a decision-tree root with nested `children`/`options`, persisted as an opaque blob.
+- **knowledge_flywheel enhancement** → flat `new_nodes[] + modified_options[]`; expressible but low-frequency and only fence-stripped.
+
+**Decision:** Apply structured outputs to **flat-array outputs only** — i.e. `kb_conversion`. Wired via an optional `schema=` param on `AIProvider.generate_json` (`None` = legacy prompt-only behavior; Anthropic maps it to `output_config.format`, Gemini ignores it), with the two KB schemas + `_schema_for_target_type()` in `kb_conversion_service.py`, gated behind `settings.AI_KB_CONVERT_STRUCTURED_OUTPUT` (default **False**) pending a live constrained-decoding smoke-test in staging. The robustness fixes that motivated the work — `_extract_text_from_response` (skip non-text blocks, log `max_tokens`/`refusal`, raise on no-text) — live in the shared provider, so **all four** callers already benefit regardless of schema adoption.
+
+**Rejected:**
+- **Forcing schemas on ai_fix / flow-gen.** Their outputs are recursive/nested decision trees; a bounded-depth schema would reject valid deeper trees and break generation. Wrong architecture for marginal/zero benefit (flow-gen's tree is stored as a blob, never schema-validated downstream).
+- **Wiring the flywheel enhancement site.** Flat and technically expressible, but low call frequency and only fence-stripping today — marginal benefit against the risk of a blind (un-live-tested) `additionalProperties: false` schema.
+- **Deleting the fence-strip / repair helpers now.** `_strip_markdown_fences` / `parse_llm_json` must stay — they protect the recursive paths that can't use schemas. Only `_try_repair_json` (kb-only) becomes removable, and only *after* the flag is validated in staging.
+
+**Consequences:**
+- Structured outputs is the tool for flat JSON; recursive decision-tree outputs are excluded by design. New flat-JSON `generate_json` callers can opt in via `schema=`; recursive ones should not.
+- `AI_KB_CONVERT_STRUCTURED_OUTPUT` must be smoke-tested against the live model (both target types) before production enablement. Open risk: whether Anthropic accepts optional (non-`required`) fields — if not, the schemas need every field in `required` with nullable types. The flag makes this fully reversible.
+- Deferred cleanup: once the flag is validated, remove only `_try_repair_json` from the kb_conversion Anthropic path; leave the fence-strippers.
+- Work lives on branch `feat/ai-structured-outputs` (commits `84a02a5`, `1388357`), based on `design/l1-workspace`.
+
+---
+
+## 2026-05-13 — Session expiration policy: 3d idle / 14d absolute defaults + per-account override
+
+**Context:** User report: "I login to ResolutionFlow and never have to log back in." Investigation found refresh tokens at `REFRESH_TOKEN_EXPIRE_DAYS=7` with JTI rotation (`security.py:36`) — every `/auth/refresh` minted a fresh 7-day window. Net effect: a sliding 7-day session with no absolute cap. Visit once a week, logged in forever. Acceptable for pilot but not for MSP buyers whose SOC2 / cyber-insurance auditors require enforced session timeouts. Required for the same Phase O launch readiness as the other gates already in flight.
+
+**Decision:** Two-window model snapshotted into the refresh JWT at login. Defaults to Strict (3-day idle, 14-day absolute), bounded by env-var system min/max. Per-account override via two new `accounts` columns (NULL = use system default). Owner-only `GET/PATCH /accounts/me/security` endpoint with effective-value validation (partial-override case caught at the app layer because the DB CHECK can't see Settings). Sibling `POST /accounts/me/security/revoke-sessions` for `all|others`-scoped bulk revocation. Frontend: Strict/Standard/Custom presets, active-users list (name + email + last-login-ago), differentiated SessionExpiryToast (idle = warning amber with "Stay signed in" → `/auth/refresh`; absolute = info cyan, informational only), cyan info-tone banner on `/login?reason=session_expired`, auto-redirect after scope=all bulk-revoke. Error-detail taxonomy on the wire: `session_expired_idle`, `session_expired_absolute`, `invalid_refresh_token`. Grandfather path: legacy refresh tokens (no `auth_time` claim) get one free rotation under the new policy. Atomic-revoke-then-check on `/auth/refresh` so absolute-expired tokens can't be replayed.
+
+8 commits on `feat/session-expiration-policy` branch (`92fa3bc` → `c7cd711`), ~1300 LoC backend + frontend including 28 backend tests. Plan + design review at `docs/plans/2026-05-13-session-expiration-policy.md` (initial design score 4/10 → final 9/10 via `/plan-design-review`; 7 design decisions locked).
+
+**Rejected:**
+- **Idle-only or absolute-only enforcement.** Idle without absolute is the current broken state (sliding forever). Absolute without idle is too strict — kicks users out daily.
+- **Hard cutover on deploy (SECRET_KEY rotation).** Forces every pilot to log in again immediately; high support cost. Grandfather path is friendlier and adds ~50 lines of code.
+- **Distinguish `session_revoked_by_admin` from `invalid_refresh_token` on the wire** for users whose sessions were killed via bulk-revoke. Requires tracking revocation reason per `refresh_tokens` row. Not worth the complexity for v1 — affected users see they're logged out, same as any other revoke.
+- **Per-user device list with per-device revoke.** Refresh tokens don't carry device/user-agent metadata today. Account-wide bulk revoke covers the breach-response use case; per-device is a follow-up if pilots ask.
+- **"Loose" preset (90d).** Strict default suggests we shouldn't ship a one-click loose option. Owners who want a loose policy can use Custom and own the choice explicitly.
+- **Always-required `idle_minutes`+`absolute_minutes` (XOR-NULL invariant).** Forces owners who only want to override idle to also re-declare the absolute window, leaking the system default into account data. Partial overrides allowed; validated at the app layer against current defaults.
+- **Reveal-on-Custom UI for the minute inputs.** Hidden-by-default-reveal-on-radio shifts page layout when Custom is selected. Always-visible-but-disabled is more stable and previews the Custom interaction.
+- **Modal-stays-open-success-state for scope=all bulk-revoke.** User preferred auto-redirect-with-toast (more standard SaaS pattern); the toast acts as the success acknowledgment before /login loads.
+
+**Consequences:**
+- "Logged in forever" is fixed. Every user sees a hard 14-day re-auth at minimum (3-day idle in practice for typical usage).
+- Account owners get a complete self-service surface for policy + bulk session control. New `/account/security` route, owner-gated.
+- Audit-log entries on both mutations: `account.session_policy_update` and `account.sessions_revoked_bulk`. SOC2-ready.
+- Frontend `idle_expires_at` + `absolute_expires_at` flow through the entire auth surface (`Token`, `OAuthCallbackResponse`, `authStore`, persistence). `useAuthSessionExpiry` hook is the single source for "is the session about to end."
+- Future improvements (filed as follow-ups in plan §9): per-user device list (requires `refresh_tokens.last_used_at` column), super-admin global ceiling UI, per-user policy. None block current shipping.
+- Cyan info-tone banner on `/login` is the first of its kind in the app; sets precedent for future neutral system messages.
+
+---
+
+## 2026-05-07 — Per-email allowlist (`INTERNAL_TESTER_EMAILS`) for self-serve soft cutover
+
+**Context:** Phase O Task 46 ("internal validation pass") needed a way to exercise the full self-serve flow against the prod backend before flipping `SELF_SERVE_ENABLED=true` for everyone. The plan doc described the mechanism but the backend support was never built — flagged in `SESSION_LOG.md` as a code blocker. Stripe live-mode setup is also gated on having a working internal-tester path in prod test mode.
+
+**Decision:** Comma-separated allowlist `INTERNAL_TESTER_EMAILS` parsed by a Pydantic field_validator into a normalized lowercase list. Two helpers on `Settings`: `is_internal_tester(email)` (case-insensitive membership check) and `is_self_serve_active_for(email)` (returns `SELF_SERVE_ENABLED OR is_internal_tester(email)`). Both endpoints that gate on the global flag now call the helper:
+- `/config/public` accepts optional auth via new `get_current_user_optional` dep; returns `self_serve_enabled=true` for allowlisted authenticated callers; anonymous calls always see the global flag.
+- `/auth/register` allows allowlisted emails to register without an invite code.
+
+**Rejected:**
+- **Custom header `X-Internal-Tester-Email` for anonymous flows.** Spoofable. The auth/register-payload checks are sufficient because the user has to OWN the email to register or log in.
+- **Separate allowlists per surface (`INTERNAL_PRICING_TESTERS`, `INTERNAL_OAUTH_TESTERS`).** Premature splitting. The Phase O use case is "this small set of people can see the new flow"; one variable handles it. If finer granularity emerges, split then.
+- **Database table for the allowlist.** Env var matches the spec from the plan doc and fits the soft-cutover lifecycle — list is small, changes infrequently, lives alongside other deployment-time config.
+
+**Consequences:**
+- Stripe internal validation can run end-to-end in prod test mode without flipping the global flag.
+- Anonymous callers always see the global flag — the allowlist never leaks via unauthenticated request content. Three regression tests in `test_config_public.py` enforce this.
+- `INTERNAL_TESTER_EMAILS` plumbed through `docker-compose.dev.yml` and documented in `backend/.env.example`. Railway prod env will need the same var set during Phase O cutover.
+
+---
+
+## 2026-05-07 — Reconcile plan tier taxonomy (rename `team` → `enterprise`, add `starter`)
+
+**Context:** PR #162 left a real architectural gap. Marketing surface (PricingPage, Stripe products) was wired for `Starter / Pro / Enterprise` while backend was on `free / pro / team`. `plan_billing.plan` FK referenced `plan_limits.plan` so the `BillingPlan` schema's `Literal["pro", "starter", "team", "enterprise"]` could accept values that violated the FK. `plan_billing` was unseeded in dev, so no checkout could complete. `Subscription.plan.in_(["pro", "team"])` paid-plan checks wouldn't recognize `enterprise`. Self-serve cutover was blocked at the data layer.
+
+**Decision:** Reconcile to a single taxonomy — backend slugs become `free / pro / starter / enterprise`, matching the marketing surface and Stripe products. Migration `4ce3e594cb87`:
+1. Defensive `UPDATE subscriptions SET plan='enterprise' WHERE plan='team'` (dev had zero such rows; safety for any prod stragglers).
+2. Rename the `plan_limits.plan='team'` row to `'enterprise'`.
+3. Insert a `starter` row with caps interpolated between free and pro: `max_trees=10`, `max_sessions=75`, `max_users=1`, `max_ai_builds_per_month=15`, no KB Accelerator, no custom branding, no priority support.
+
+Code rename across schemas, `Subscription` paid-plan/`has_pro_entitlement` checks, admin endpoints, frontend `useSubscription.isPaidPlan`. Resource visibility (`Tree.visibility='team'`, `StepLibrary.visibility='team'`) is a separate domain and intentionally untouched — that string means "shared with my account" and has nothing to do with the subscription tier.
+
+New `backend/scripts/sync_stripe_plan_ids.py` — idempotent upsert of `plan_billing` rows from Stripe products by exact name match (`ResolutionFlow Starter / Pro / Enterprise`). Picks the active monthly recurring price for tiers that have one. Annual fields stay NULL by design — annual pricing is intentionally out of scope for the soft cutover ("want to be able to exit if necessary without breaching any terms").
+
+**Rejected:**
+- **Map marketing names to existing slugs (Option A from the discussion).** Smallest diff but means PricingPage cards have to translate `enterprise` → `team` at render time, and "Starter" can't exist as a real backend tier — it'd have to be hidden or dropped. Kicks the can.
+- **Add `starter` only, keep `team` slug as cosmetic enterprise (Option C).** Mixed taxonomy across layers — slug-vs-display-name divergence guarantees confusion in 6 months. Compromise that's worse than either pure choice.
+- **Annual pricing in this iteration.** User's explicit constraint: skip annual to keep exit-flexibility. Schema columns (`annual_price_cents`, `stripe_annual_price_id`) preserved as nullable for future re-enable.
+- **Auto-archive the existing Enterprise `$500/mo` test-mode price.** Done manually via Stripe MCP after un-setting the product's `default_price` first. Spec says Enterprise is sales-led with no catalog price.
+
+**Consequences:**
+- `plan_billing` table is now seedable and seeded. Test-mode `plan_billing` populated for all 3 tiers via `sync_stripe_plan_ids.py`. Live mode runs the same script after manual Dashboard setup of products + prices.
+- New consumers of `Subscription.plan` literal must use `("free", "pro", "starter", "enterprise")`. Three call sites already updated. Backend-wide grep is the safety net for new ones.
+- `Subscription.is_paid` and `has_pro_entitlement` now include `starter` — Starter is a paid tier with a real $19.99/mo price.
+- 86/86 passing across the subscription/billing/plan/invite/admin sweep after the rename.
+- Test fixtures: `conftest.py` plan_limits seed updated to the new taxonomy. `_seed_plan_limits` helper in `test_plans_public.py` is now a true upsert so tests can override `max_users` even when conftest seeded the canonical value.
+
+---
+
+## 2026-05-07 — Standardize backend Python on 3.12
+
+**Context:** Runtime facts had drifted from docs. The backend Dockerfiles and running dev container were already on Python 3.12, GitHub CI had just been updated to 3.12, but project docs still said Python 3.11 and Gitea CI relied on the runner's ambient Python.
+
+**Decision:** Treat Python 3.12 as the backend standard. Pin local pyenv via `.python-version` to 3.12.13, matching the current `python:3.12-slim` container patch level. Add explicit Python 3.12 setup to Gitea CI and keep GitHub CI on Python 3.12.
+
+**Rejected:** Moving Docker/runtime back to Python 3.11. The application was already building and running on 3.12, so reverting the runtime would add churn without a product or dependency reason.
+
+**Consequences:** Native backend work should use `backend/venv` created from Python 3.12.13. Future docs/CI/runtime changes should preserve Python 3.12 unless a deliberate upgrade decision is recorded.
+
 ## 2026-04-30 — Add `applied_pending` non-terminal status to suggested fixes

 **Context:** The verifying banner forces a synchronous verdict — worked / didn't / partial — but a lot of real MSP fixes are async. Engineer ran the script but is waiting on the client to power-cycle, AD replication, an O365 license sync. With only the existing outcomes, the engineer either leaves the banner stale (eroding the verifying signal) or guesses wrong (corrupting outcome data). User flagged the gap directly. Today's `NudgeBanner` "Still checking" button just silences the nudge — it doesn't tell the system anything.
--- a/.ai/HANDOFF.md
+++ b/.ai/HANDOFF.md
@@ -2,51 +2,67 @@

 # HANDOFF.md

-**Last updated:** 2026-05-01 (session 5 — PR #156 review fixes applied)
+**Last updated:** 2026-05-14

-**Active task:** Suggested-fix `applied_pending` outcome. Branch: `feat/fix-pending-verification`. PR #156 open; review fixes applied locally and ready for browser QA, then commit/merge.
+**Active task:** Phase O cutover for self-serve signup. All code blockers remain closed on `main`. **Still blocked on Stripe live-mode activation — root cause is EIN, not code.** User does not yet have an EIN for ResolutionFlow, LLC; Stripe requires a tax ID for live-mode activation. EIN application via IRS.gov was scheduled for 2026-05-13 — confirm status at next session start. Mailing-address decision (carried forward from 2026-05-12): user enters home address into Stripe's **private** business profile temporarily so live-mode isn't blocked on the P.O. Box; public `ContactPage`/`PoliciesPage` mailing-address TODOs stay "available on request" until the P.O. Box is purchased. Stripe accepts an address update later without re-verification. Apex DNS at Namecheap is still missing (separate user-side issue, only matters once Stripe runs site-verification). Nothing on the code side blocks live-mode flip.

-**Just-merged:** PR #155 (Escalation Mode wedge) merged into main as `ac42f97`.
+**Bug-pending-capture item (2026-05-12) — likely resolved:** Prior session noted "user reported finding a bug, will send screenshot next session." This session surfaced two concrete UX bugs that were fixed and merged (PR #168): the dashboard "Start a session" CTA was a dead link, and welcome step-2's PSA setup had a near-invisible "Connect now →" link that didn't even persist `primary_psa`. **Confirm with user at next session start whether the screenshot bug was one of these or something else still pending.**

 ## Where this session ended

-PR #156 was reviewed for missed bugs and three fixes were applied:
+Two PRs merged into main:

-1. Page-level **Resolve** now treats `applied_pending` as a verifying state and patches the fix to `applied_success` before opening the resolution flow, avoiding provisional notes on a resolved session.
-2. Page-level **Escalate** intercept now catches `applied_pending` as well as verifying/partial, so a pending fix cannot bypass outcome capture before handoff. Intercept copy was generalized from "Verifying state" to "still needs an outcome."
-3. `PendingBanner` now includes a **Dismiss** action, matching the PR body and backend's allowed pending → dismissed transition.
-4. Real-looking pending examples were removed from `resolution_note_generator` and `escalation_package_generator` system prompts to stay aligned with the prompt anti-parrot guardrail.
+- **PR #166** (`fe0e692`) — docs/handoff doc updates from prior session. Squash-merged 2026-05-14.
+- **PR #168** (`3a35121`) — session expiration policy + dashboard NextStep CTA fix + welcome step-2 PSA CTA reshape. Merge-committed 2026-05-14. Three notable additions:
+  - `feat(dashboard)` `8d79dd9` — The "Start a session" CTAs on NextStepCard and SetupChecklist used to `Link`-navigate to `/`, leaving the user on the same page (the StartSessionInput lives on the dashboard) with no visible response. Replaced with a `FOCUS_START_SESSION_EVENT` window event the StartSessionInput listens for: scrolls input to viewport top (`scrollIntoView({block:'start'})`), focuses the textarea (with `preventScroll:true` so it doesn't fight the smooth scroll), pulses a `rgba(96,165,250,…)` ring for 900ms. NextStepCard hides itself via local `locallyHidden` state on click so the user isn't double-prompted while typing. SetupChecklist gets the same event-dispatch treatment for its `ran_session` row.
+  - `feat(welcome)` `dc88797` — Welcome step-2 PSA CTA reshaped. Selecting a real PSA now swaps the single Continue + tiny "Connect now →" link for an explicit two-button choice: `Connect <PSA> now` (primary, blue — saves `primary_psa` then routes to `/account/integrations`) and `Connect later` (secondary outlined — saves `primary_psa` then continues to step 3). **Important pre-existing bug fixed**: the old subtle Link never actually persisted `primary_psa` before navigating away. Both new buttons do. "No PSA yet" and no-selection states still show the original single Continue. Skip-this-step and Skip-the-rest unchanged. Existing tests pass without edits (testids `welcome-step-2-connect-now` and `welcome-step-2-continue` reused).
+  - `docs:` `e5b2624` — added `docs/plans/2026-05-13-public-landing-routing-refactor.md`, `docs/architecture/` reports (god-node map + report 2026-05-06, workflows.json/html, workflows-analysis.html), `docs/tutorials/build-a-page.md`, and `abc-feat-self-serve-signup-phase-2-design-20260507-112020.md` at repo root.

-**Validation on PR #156:**
+`tsc --project tsconfig.app.json --noEmit` clean across all changes. Local vitest blocked by root-owned `node_modules/.vite-temp` (same env issue noted in prior handoffs); CI ran the suite green.

- `docker exec resolutionflow_backend pytest --override-ini="addopts=" tests/test_prompt_anti_parrot.py -q` ✅ 2/2 pass.
- `docker exec resolutionflow_backend pytest --override-ini="addopts=" tests/test_fix_outcome_endpoint.py -q` ✅ 21/21 pass.
- `docker exec -w /app resolutionflow_frontend npx tsc -b` ✅ exit 0.
- `docker exec -w /app resolutionflow_frontend npm run build` ✅ exit 0; only existing Vite large-chunk warning.
- `git diff --check` ✅ clean.
- Previous session also verified `alembic upgrade heads` applied migration `c0f3a4b7e91d` cleanly.
+**Two issues filed for session leftovers:**

-## Resume point — DO THIS NEXT
+- **Issue #171** — Test coverage for the new welcome step-2 "Connect now" path (existing tests still pass but don't exercise the new button's save + redirect-to-integrations behavior).
+- **Issue #172** — Repo hygiene: gitignore `core.[0-9]*` + `**/.remember/`, and delete the existing 20MB core dumps (`core.144926`, `core.145678`, `docs/architecture/core.1392564`) and `docs/architecture/.remember/`. Carried forward across multiple sessions.

-**Browser QA on PR #156** (see CURRENT_TASK.md "Resume point" for the checklist). Include the new review-fix paths: PendingBanner Dismiss, page-level Resolve from pending, and Escalate from pending. Then commit local fixes, push, and merge when QA is green.
+Working tree clean except those persistent untracked items (intentionally left for issue #172).

-## Key files for PR #156
+Single alembic head: `4ce3e594cb87` (no schema changes this session).

- `backend/app/models/session_suggested_fix.py` — CHECK constraint extended; `pending_reason` Text column.
- `backend/app/schemas/session_suggested_fix.py` — `applied_pending` added to both `FixStatus` and `FixOutcome` literals; `pending_reason` on response model; updated docstring on `SessionSuggestedFixOutcomeRequest`.
- `backend/alembic/versions/71efd2102f49_add_pending_status_to_suggested_fixes.py` — new migration (rev `c0f3a4b7e91d`, down `71efd2102f49`).
- `backend/app/api/endpoints/session_suggested_fixes.py` — `patch_outcome` accepts pending, requires notes, stamps applied_at only.
- `backend/app/services/{resolution_note,escalation_package}_generator.py` — system-prompt handling for the new status; `pending_reason` line in input bundle; real-looking examples removed.
- `backend/tests/test_fix_outcome_endpoint.py` — 4 new tests.
- `frontend/src/api/sessionSuggestedFixes.ts` — types updated; `pending_reason` on `SessionSuggestedFix`.
- `frontend/src/components/pilot/ProposalBanner.tsx` — `'pending'` `BannerMode`; `PendingBanner` component + Dismiss; "Waiting to verify…" overflow option; nudge "Still checking" wired to record pending.
- `frontend/src/components/pilot/EscalateInterceptDialog.tsx` — copy generalized for pending/partial/verifying outcome capture.
- `frontend/src/pages/AssistantChatPage.tsx` — banner-mode derivation maps `applied_pending → 'pending'`; Resolve/Escalate paths now handle pending.
+## Resume point

-## Watch-outs
+**First thing next session:**

- Dev stack: backend `:8000`, frontend `:5173`, postgres `:5433` (docker-compose). HMR works. On this host use `docker exec` for Python/npm commands; see `.ai/PROJECT_CONTEXT.md`.
- Test users (Acme MSP, password `TestPass123!`): `engineer@resolutionflow.example.com`, `teamadmin@resolutionflow.example.com`.
- Multi-head alembic state on main is pre-existing (heads `070`, `c0f3a4b7e91d`, `024`); not introduced by this work but worth knowing if `alembic upgrade head` complains — use `upgrade heads` (plural).
- `pending_reason` is preserved as audit trail when an engineer advances pending → success/failed/dismissed; it is not auto-cleared. Intentional.
- Working tree also has documentation edits in `.ai/PROJECT_CONTEXT.md` and `AGENTS.md` describing Docker exec commands. Those were not part of the feature fix but should be preserved.
+1. Confirm with user whether the "bug-pending-capture" screenshot bug from 2026-05-12 was one of the two PR #168 fixes or something else still pending.
+2. Check EIN application status (filed 2026-05-13 via IRS.gov). If granted, unblocks the Phase O Stripe live-mode setup chain.
+
+After that — **Phase O manual ops, all user-side, all gated on EIN landing first:**
+
+1. **EIN application status check** (user, applied 2026-05-13).
+2. **Stripe Dashboard live-mode** (once EIN is in hand):
+   - 3 Products (Starter, Pro, Enterprise). Monthly Prices for Starter ($19.99) + Pro ($29.99). No Prices on Enterprise (sales-led).
+   - Customer Portal with plan-switching disabled.
+   - Webhook at `https://api.resolutionflow.com/api/v1/webhooks/stripe` with 5 events. Save live signing secret.
+   - **Business profile fields**: Customer service URL `https://resolutionflow.com/contact`. Refund/cancellation policy URL `https://resolutionflow.com/policies`. Terms `https://resolutionflow.com/terms`. Privacy `https://resolutionflow.com/privacy`. Phone `(470) 949-4131`. Mailing address = user's home address temporarily (private Stripe field; swap to P.O. Box later without re-verification). EIN = the newly-issued tax ID.
+3. **Apex DNS fix at Namecheap** (re-add `@` ALIAS → `c9g7uku8.up.railway.app`, or re-add apex as a Railway custom domain). Becomes the next blocker once Stripe runs site-verification.
+4. **Railway prod env**: `STRIPE_SECRET_KEY=sk_live_...`, `STRIPE_WEBHOOK_SECRET`, `STRIPE_PUBLISHABLE_KEY` + `VITE_STRIPE_PUBLISHABLE_KEY` (frontend redeploy required — Vite bake-at-build, Lesson 60), `OAUTH_REDIRECT_BASE=https://resolutionflow.com`, `SELF_SERVE_ENABLED=false` (still false at this point), `INTERNAL_TESTER_EMAILS=<allowlist>`, prod Google + Microsoft OAuth credentials.
+5. **Bootstrap prod super-admin** via `create_site_admin.py` (PR #167) — already done end-to-end on prod per 2026-05-12 user confirmation. Re-runnable if needed.
+6. **Sync Stripe → DB**: `railway run python -m scripts.sync_stripe_plan_ids` (or via `railway ssh`). Verify `plan_billing` rows have `sk_live_*` price IDs.
+7. **Internal validation (Phase O Task 46)**: 9 scenarios with internal testers whose emails match `INTERNAL_TESTER_EMAILS`.
+8. **Flag flip (Task 47)**: email pilots, set `SELF_SERVE_ENABLED=true` + `VITE_SELF_SERVE_ENABLED=true` (frontend redeploy). PostHog signup-funnel dashboard + Sentry alert at >1/hour Stripe webhook errors.
+
+## Open issues from prior session (non-code, user-side)
+
+- **Apex DNS missing.** `resolutionflow.com` (apex) returns no A/CNAME at the authoritative DNS (Namecheap). When `www` was reconfigured in Railway, the apex record got dropped from the zone. `www` works (cert provisioned 2026-05-08 01:40 UTC). User to re-add apex record at Namecheap (ALIAS `@` → `c9g7uku8.up.railway.app`) or re-add the apex as a Railway custom domain. Railway path is more durable.
+- **Edge HSTS sticky state on user's machine.** Browser remembers the earlier broken-cert visit. Fix: `edge://net-internals/#hsts` (delete `resolutionflow.com` and `www.resolutionflow.com`) + `#dns` clear host cache + `#sockets` flush.
+
+## Carry-forward
+
+- Annual pricing intentionally NOT implemented — user wants exit flexibility. Schema columns preserved as nullable. `sync_stripe_plan_ids.py` leaves annual fields NULL.
+- `INTERNAL_TESTER_EMAILS` parsed comma-separated → normalized lowercase list. Anonymous callers always see the global flag — allowlist never leaks via unauthenticated request content (regression test enforces).
+- Office-hours design doc now at `docs/` root (`abc-feat-self-serve-signup-phase-2-design-20260507-112020.md`) as of this session. NOT yet adopted as roadmap — gated on 3 cold calls with external Directors of Onboarding.
+- Mailing address fill-in: search for `TODO: replace with full mailing address` in `frontend/src/pages/ContactPage.tsx` and `frontend/src/pages/PoliciesPage.tsx` (one each) once P.O. Box is purchased.
+- `backend/scripts/create_site_admin.py` is the durable site-admin bootstrap tool — idempotent. Three modes: `--send-reset`, `--print-reset`, `--promote-only`. Run from inside the deployed backend container via `railway ssh`.
+- Bot-crawlability of legal pages: still SPA-rendered. Stripe didn't enforce content scraping last time (issue was DNS). If a future vendor review flags it, pre-render with `vite-plugin-prerender-spa` (~half day).
+- Frontend env additions for cutover: `VITE_SELF_SERVE_ENABLED`, `VITE_GOOGLE_CLIENT_ID`, `VITE_MS_CLIENT_ID`, `VITE_OAUTH_REDIRECT_BASE`, `VITE_CALENDLY_URL`, `VITE_STRIPE_PUBLISHABLE_KEY`.
+- **Branch hygiene note (process learning):** PR #168 ended up bundling unrelated work — session expiration policy (the original scope of `feat/session-expiration-policy`) plus dashboard CTA fixes plus welcome step-2 reshape. The mixed scope was deliberate (user wanted it on the same PR), but worth flagging for future PRs: if onboarding-UX work continues, branch it separately from auth/session work.
--- a/.ai/PROJECT_CONTEXT.md
+++ b/.ai/PROJECT_CONTEXT.md
@@ -26,7 +26,7 @@ Go-to-Market Validation (pre-PMF). Backend feature-complete (55+ endpoints, 100+

 ## Tech stack

- **Backend:** Python 3.11 + FastAPI, SQLAlchemy 2.0 async (asyncpg), Alembic, Pydantic v2, JWT (python-jose + bcrypt, JTI refresh rotation), APScheduler (in-process with FastAPI lifespan).
+- **Backend:** Python 3.12 + FastAPI, SQLAlchemy 2.0 async (asyncpg), Alembic, Pydantic v2, JWT (python-jose + bcrypt, JTI refresh rotation), APScheduler (in-process with FastAPI lifespan).
 - **Frontend:** React 19 + Vite + TypeScript, Tailwind v4 (CSS-only config in `index.css`), Zustand (immer + zundo), React Router v7, Axios (token-refresh interceptor), Lucide.
 - **DB:** PostgreSQL 16 (RLS enabled Phase 4, pgvector).

--- a/.ai/SESSION_LOG.md
+++ b/.ai/SESSION_LOG.md
@@ -12,6 +12,223 @@

 ---

+## 2026-05-14 ~04:00 UTC — Claude — PR #166 + #168 merged; dashboard CTA bug fixed; welcome step-2 PSA CTA reshaped
+
+**Accomplished:**
+
+- User reported the "Start a session" CTA on the dashboard onboarding card doing nothing after completing the welcome wizard. Root cause: `NextStepCard.tsx:80-82` had `ctaPath: '/'` and the card itself only renders on the dashboard at `/`. Clicking `<Link to="/">` while already on `/` is a react-router no-op. Same dead-link in `SetupChecklist.tsx` for the `ran_session` row.
+- Designed and built the fix collaboratively (user wanted scroll-to-input + visual pulse rather than auto-navigate to `/pilot` or just hiding the card):
+  - Added `FOCUS_START_SESSION_EVENT = 'rf:focus-start-session'` window event exported from `StartSessionInput.tsx`. The component listens via `useEffect`, on dispatch calls `wrapperRef.current?.scrollIntoView({behavior:'smooth', block:'start'})`, focuses the textarea with `preventScroll:true` (so it doesn't fight the smooth scroll), and sets a 900ms `nudge` state that swaps the inner wrapper's `focus-within:` ring classes for a louder `ring-2 ring-[rgba(96,165,250,0.35)] shadow-[0_0_0_6px_rgba(96,165,250,0.12)]`. Added `scroll-mt-6` to the outer ref'd div so the input doesn't hug the very top edge.
+  - `NextStepCard.tsx` — branched on `next.key === 'ran_session'`. Render a `<button>` that dispatches the event AND sets a new `locallyHidden` useState so the card disappears immediately on click (without calling the persisting `dismissOnboarding` API — that would kill all future onboarding nudges). All other CTAs keep the original `Link` element. Tests pass without changes (assertions only check text + testid).
+  - `SetupChecklist.tsx` — same `ran_session` branch (the checklist had the same dead-link bug if the user expanded "Show all setup steps").
+- User then asked about the welcome wizard PSA flow — "is it supposed to take me to set up ConnectWise if I keep clicking next after picking it?" Read `WelcomeStep2.tsx`: the spec was intentionally "just pick what you use, we'll wire it up later" with a `text-xs text-muted-foreground` "Connect now →" link as the only credential-setup entry. The link was visually near-invisible AND had a bug: it was a `<Link to="/account/integrations">` that navigated WITHOUT calling `onboardingApi.updateStep`, so `primary_psa` was never persisted if the user clicked it.
+- Proposed three fix options; user picked option 2 (explicit two-button branch). Implemented in `WelcomeStep2.tsx`:
+  - New `handleConnectNow` handler that calls `onboardingApi.updateStep({step:2, action:'complete', data:{primary_psa}})` then `navigate('/account/integrations')`. New `submitting === 'connect-now'` state value.
+  - When `showConnectNow` (real PSA selected): action row renders `[Connect <PSA> now (primary)] [Connect later (secondary)] [Skip this step (tertiary)]`. Reused the old `welcome-step-2-connect-now` testid on the new primary button. "Connect later" reuses the `welcome-step-2-continue` testid + handleContinue. PSA label derived dynamically from `PSA_OPTIONS`.
+  - When 'none' or no selection: original `[Continue] [Skip this step]` preserved.
+  - Removed the import of `Link` from `react-router-dom` and the entire `showConnectNow && <Link>` block.
+- All existing tests pass unchanged (`tsc --noEmit` clean, locally; vitest blocked by root-owned `node_modules/.vite-temp` — same env issue noted previously; CI ran the suite green on the PR).
+- Committed in two logical commits onto current branch (`feat/session-expiration-policy`): `feat(welcome): two-button PSA CTA in step-2` (`dc88797`) and `docs: add architecture reports, public-landing routing plan, build-a-page tutorial, self-serve signup phase-2 design` (`e5b2624`). Pushed. PR #168 CI ran green across `CI/backend`, `CI/frontend`, `CI/e2e`. PR #166 merged first (HTTP 200), then PR #168 once CI cleared (HTTP 200). `main` now at `3a35121`.
+- Filed two issues for session leftovers:
+  - **#171** — Test coverage for the new `welcome-step-2-connect-now` path (existing tests still pass but don't exercise the new save + redirect behavior).
+  - **#172** — Repo hygiene: add `core.[0-9]*` and `**/.remember/` to `.gitignore`, delete the three 20MB core dumps + `docs/architecture/.remember/`.
+
+**Left for next session:**
+
+- Confirm with user whether the "bug-pending-capture" item from 2026-05-12 HANDOFF was one of the two fixes above (dashboard CTA dead-click, welcome step-2 ConnectWise confusion) or a third bug still pending. Likely covered, but worth asking.
+- Phase O cutover remains gated on EIN — check status of 2026-05-13 IRS.gov application.
+- Issues #171 and #172 sitting in the backlog when there's time.
+
+**Files touched (all merged to main via PR #168 `3a35121` and PR #166 `fe0e692`):**
+
+- `frontend/src/components/dashboard/StartSessionInput.tsx` (event listener, scroll/focus/nudge ring)
+- `frontend/src/components/dashboard/NextStepCard.tsx` (event-dispatch button branch, `locallyHidden` state)
+- `frontend/src/components/dashboard/SetupChecklist.tsx` (event-dispatch button branch for `ran_session` row)
+- `frontend/src/pages/welcome/WelcomeStep2.tsx` (two-button PSA CTA + `handleConnectNow`)
+- `docs/plans/2026-05-13-public-landing-routing-refactor.md` (new, untouched by Claude this session — user-authored)
+- `docs/architecture/{god-node-map-2026-05-06.canvas, god-node-report-2026-05-06.md, workflows-analysis.html, workflows.html, workflows.json}` (new, generated reports)
+- `docs/tutorials/build-a-page.md` (new, user-authored)
+- `abc-feat-self-serve-signup-phase-2-design-20260507-112020.md` (root, office-hours design doc — committed as-is from prior local state)
+- `.ai/HANDOFF.md`, `.ai/CURRENT_TASK.md`, `.ai/SESSION_LOG.md` (this update)
+
+---
+
+## 2026-05-12 ~06:30 UTC — Claude — PR #167 (site-admin bootstrap script) merged; bug pending capture
+
+**Accomplished:**
+
+- User reported being unable to log into prod with `admin@resolutionflow.example.com` — that's the dev seed email (`.example.com` is a documentation TLD), only present in dev. Prod has no admin user at all because `seed_test_users.py` doesn't run in prod, self-serve is still gated, and even when it flips on signup creates `owner` roles not `super_admin`.
+- Designed and built `backend/scripts/create_site_admin.py` — idempotent CLI script for creating or promoting a site-wide super-admin on any environment. Three modes: `--send-reset` (mails reset link), `--print-reset` (stdout reset link), `--promote-only` (promote existing user without creating). Creates an `Account` first, then a `User` with `is_super_admin=true`, `account_role='owner'`, `email_verified_at` stamped at creation, `password_hash=NULL` (forces the reset flow on first login). Uses `ADMIN_DATABASE_URL` (BYPASSRLS) — required because `users` is RLS-enabled and the script has no tenant context at bootstrap. Reset token mints via existing `create_password_reset_token` helper, hashes JTI into `password_reset_tokens` row matching the `/auth/password/forgot` shape.
+- Smoke-tested all three paths in the dev container before pushing: fresh create on a new email (Account + User + reset URL emitted), idempotent re-run on same email (SKIP message + new reset URL), `--promote-only` on a user with `password_hash=NULL` (promotes + issues reset). Cleaned up the dev test row + account afterwards.
+- Initial bug: had `used: false` in the `password_reset_tokens` INSERT — actual column is `used_at` (nullable timestamp, NULL means "not used"). Fixed before pushing.
+- PR #167 opened, CI green, squash-merged into main as `e50a215`. Remote branch `feat/site-admin-script` auto-deleted.
+- User confirmed end-to-end success on prod via `railway ssh --service=<backend>` then `python -m scripts.create_site_admin ...` ("we're good now"). Specific service name not captured. First prod super-admin row now exists in the prod DB.
+- Stripe live-mode activation block traced to EIN, not code (user does not yet have an EIN for ResolutionFlow, LLC). Applying via IRS.gov 2026-05-13. Mailing-address decision: home address into Stripe's **private** business profile temporarily so live-mode isn't blocked on the P.O. Box; public `ContactPage`/`PoliciesPage` stays "available on request". Stripe accepts address update later without re-verification.
+- PR #166 (docs handoff for PR #164/#165 merges + EIN decision) still open from earlier in this same session — was never merged. This entry rebases the docs branch onto current main (which now includes PR #167) and adds the PR #167 narrative + bug-pending state so a fresh session has the full picture in one merge.
+- User reported finding a bug in a UI surface but did not provide details — planning to send a screenshot via the VS Code extension GUI in the next session (CLI is unreliable for them). Next session: ask for the screenshot at session start, then triage.
+
+**Left for next session:**
+
+- Get the bug screenshot from the user, triage, fix or scope.
+- Otherwise everything that was on the prior entry's left-for-next-session still stands: EIN application Tuesday 2026-05-13, then Stripe live-mode setup, apex DNS at Namecheap, Railway prod env vars, internal validation, flag flip.
+
+**Files touched (all merged to main via PR #167 squash `e50a215`):** `backend/scripts/create_site_admin.py` (new, ~270 lines including docstring). Plus `.ai/HANDOFF.md`, `.ai/SESSION_LOG.md` on `docs/handoff-pr-165-merge` (PR #166, awaiting merge).
+
+---
+
+## 2026-05-12 05:30 UTC — Claude — PR #164 + #165 merged; Stripe activation reported blocked
+
+**Accomplished:**
+
+- Resumed from compacted context. Confirmed PR #164 (`feat/billing-plan-taxonomy`, head `2c9f5e9`) was already CI-green at session start and squash-merged into main as `3f04911` earlier in the session (occurred pre-compaction; reflected in the prior HANDOFF revision). Branch auto-deleted on remote.
+- User raised the legal/contact pages question in conversation. Verified existing state of `frontend/src/pages/{PrivacyPage,TermsPage}.tsx` — both already contain real, dated content (last updated 2026-03-21) but are SPA-rendered. Discussed Stripe's site-review needs with the user and agreed to build a consolidated Customer Policies page plus a Contact page (now that the user has a business phone number) plus a Promotions stub to satisfy Policies §6.2 cross-reference. User authorized the work.
+- Built PR #165 (`feat/stripe-legal-pages`, head `545b2ad`):
+  - **`/policies` — `frontend/src/pages/PoliciesPage.tsx`** (new). Consolidated Customer Policies doc, 8 sections with anchor IDs per subsection so Stripe (or a support email) can deep-link: customer service contact (with phone (470) 949-4131), return policy (n/a — SaaS), refund / dispute policy, cancellation policy, U.S. legal and export restrictions (Georgia governing law, OFAC / BIS compliance, sanctioned-jurisdiction exclusion), promotional terms (general + cross-ref to `/promotions`), changes-to-policies, relationship-to-other-agreements. Mailing address left as in-source `TODO` comment, rendered publicly as "available on request — email support@" until P.O. Box is purchased.
+  - **`/contact` — `frontend/src/pages/ContactPage.tsx`** (new). Phone **(470) 949-4131**, all four inboxes (`support@`, `sales@`, `billing@`, `security@`), response-time SLAs, mailing-address placeholder, link to `/contact-sales` for the lead-gen Calendly flow (distinct surface — kept both routes intentionally).
+  - **`/promotions` — `frontend/src/pages/PromotionsPage.tsx`** (new). One-paragraph stub stating no promotions currently active. Will be appended to when offers run; satisfies Policies §6.2's cross-reference.
+  - Routes wired in `frontend/src/router.tsx` as 3 new public lazy-loaded routes alongside existing `/privacy`, `/terms`, `/pricing`, `/contact-sales`.
+  - **`MarketingFooter` — `frontend/src/components/common/MarketingFooter.tsx`** (new, second commit). Extracted from the inline landing footer (26 lines → 1 line at the call site). Mounted on `/landing`, `/pricing`, `/contact-sales` so all four legal links (Privacy / Terms / Policies / Contact) are reachable from every marketing surface — including the page Stripe's reviewer spends the most time on (`/pricing`). Reuses existing `landing-footer*` CSS in `frontend/src/styles/landing.css` — must be rendered inside a `.landing-page` wrapper because `--lp-*` vars are scoped there (documented in a JSX comment). All three current call sites already wrap in `.landing-page`, so landing renders pixel-identically and the two new mount sites match.
+  - **Privacy and Terms closing sections** updated to point at `/contact` + `/policies` with correct per-area inboxes (`security@` for Privacy, `support@` for Terms). Stale `hello@resolutionflow.com` mailto removed everywhere.
+- `tsc --project tsconfig.app.json --noEmit` clean, `eslint` clean. Local `vite build` and `tsc -b` blocked by root-owned `node_modules/.tmp` and `node_modules/.vite-temp` cache directories — CI rebuilds from a clean env and was green.
+- PR #165 opened at `gitea.resolutionflow.com/chihlasm/resolutionflow/pulls/165`, CI passed, squash-merged into main as `ba45cfe`. Remote branch `feat/stripe-legal-pages` auto-deleted.
+- User reports continued trouble activating Stripe live mode. After follow-up: the real blocker is the EIN — ResolutionFlow, LLC does not have one yet, and Stripe requires a tax ID before it will activate live mode. User is applying via IRS.gov on 2026-05-13. Updated HANDOFF.md to remove the earlier speculation list and record EIN as the named blocker, with the P.O. Box / mailing address called out as the likely-next blocker (Stripe live-mode also requires a business mailing address). Apex DNS at Namecheap is still pending but only matters after the business profile is accepted (site verification is a downstream step).
+- Mailing-address decision: user is going with the home-address-temporarily approach for Stripe so live-mode isn't blocked on the P.O. Box. Home address goes into Stripe's **private** business profile only — the **public** `TODO: replace with full mailing address` in `ContactPage.tsx` and `PoliciesPage.tsx` stays as "available on request" until the P.O. Box is purchased. Stripe accepts updating the address later without re-verification, so swapping in the P.O. Box when it arrives is non-disruptive.
+
+**Left for next session:**
+
+- Check in on whether the EIN application went through and whether the P.O. Box / mailing address is sorted. Both are pure user-side ops; no code work to do until Stripe accepts the business profile.
+- Once Stripe is activated: Stripe Dashboard live-mode product/price/webhook setup, Railway prod env vars, `railway run python -m scripts.sync_stripe_plan_ids` against prod, 9-scenario internal validation, flag flip.
+- Apex DNS at Namecheap (still missing; only matters once Stripe runs its site-verification step).
+- Mailing address TODO in `ContactPage.tsx` and `PoliciesPage.tsx` (one each) — fill in when P.O. Box is purchased.
+
+**Files touched (all merged to main via PR #165 squash `ba45cfe`):** `frontend/src/pages/ContactPage.tsx` (new), `frontend/src/pages/PoliciesPage.tsx` (new), `frontend/src/pages/PromotionsPage.tsx` (new), `frontend/src/components/common/MarketingFooter.tsx` (new), `frontend/src/router.tsx`, `frontend/src/pages/LandingPage.tsx`, `frontend/src/pages/PricingPage.tsx`, `frontend/src/pages/ContactSalesPage.tsx`, `frontend/src/pages/PrivacyPage.tsx`, `frontend/src/pages/TermsPage.tsx`. Plus `.ai/HANDOFF.md`, `.ai/CURRENT_TASK.md`, `.ai/SESSION_LOG.md` on the `docs/handoff-pr-165-merge` branch (this entry).
+
+---
+
+## 2026-05-08 03:30 UTC — Claude — PR #164 self-serve cutover code blockers, doc refresh, page-title bug, DNS triage
+
+**Accomplished:**
+
+- Merged PR #162 (self-serve Phase 2 frontend) and PR #163 (seed users email-verified) into main via Gitea API squash merge. Created branch `feat/billing-plan-taxonomy` off the new main; pushed 5 commits closing the last code blockers for Phase O cutover. PR #164 opened at gitea pulls/164.
+- Plan taxonomy reconciliation. Discovered the marketing surface (PricingPage, Stripe products) was wired for `Starter / Pro / Enterprise` while backend was on `free / pro / team`; `BillingPlan` schema's `Literal["pro","starter","team","enterprise"]` could accept FK-violating values; `plan_billing` was unseeded. Migration `4ce3e594cb87` renames `plan_limits.plan='team'` → `'enterprise'` (defensive update of any subscriptions on the old slug; dev had zero), adds `starter` row with caps interpolated between free and pro (`max_trees=10`, `sessions=75`, `users=1`, `ai=15/mo`, no KB Accelerator, no custom branding, no priority support). Code rename across schemas (`invite_code`, `billing`, `admin`, `subscription`), `Subscription` paid-plan/`has_pro_entitlement` checks, `admin_dashboard.py`, `admin.py`, frontend `useSubscription.isPaidPlan`. Resource visibility (`Tree.visibility='team'`, `StepLibrary.visibility='team'`) is a separate domain (means "shared with my account") and intentionally untouched. 86/86 passing across subscription/billing/plan/invite/admin sweep after the rename. Conftest plan_limits seed + `_seed_plan_limits` helper made a true upsert.
+- New `backend/scripts/sync_stripe_plan_ids.py` — idempotent upsert from Stripe products by exact name match (`ResolutionFlow Starter / Pro / Enterprise`), picks active monthly recurring price, leaves annual fields NULL by design. Works against test or live keys via `STRIPE_SECRET_KEY`. Run against test mode populated `plan_billing` for all 3 tiers in dev DB. Annual pricing intentionally skipped per user's exit-flexibility constraint.
+- Stripe MCP work (test mode, `livemode=false`): archived leftover Enterprise `$500/mo` test price (had to clear the product's `default_price` first — Stripe blocks archive otherwise). Verified test-mode product set: Starter $19.99/mo, Pro $29.99/mo, Enterprise no price (sales-led).
+- `INTERNAL_TESTER_EMAILS` allowlist. Phase O Task 46 needed it as a code blocker (flagged in prior SESSION_LOG as "backend support is NOT yet built"). `Settings.is_internal_tester` (case-insensitive membership) + `is_self_serve_active_for(email)` (returns global flag OR allowlist hit) centralize the check. New `get_current_user_optional` dep — best-effort auth that returns `None` instead of 401, used by `/config/public` so the same endpoint serves anonymous and authed. `/config/public` returns `self_serve_enabled=true` for authenticated allowlist members; `/auth/register` allows allowlisted emails without invite code. 5 regression tests including "anonymous callers always see the global flag" (prevents leak via unauthenticated request content).
+- Stripe env passthrough: `docker-compose.dev.yml` now wires `STRIPE_*` + `SELF_SERVE_ENABLED` + `INTERNAL_TESTER_EMAILS` into the backend container. New repo-root `.env.example`. `backend/.env.example` updated with the self-serve cutover vars.
+- Page-title bug fix on `LandingPage.tsx`. Two JSX attribute strings (`title="..."`, `description="..."`) had `—` (six literal characters) — JSX attribute strings don't process JS escape sequences, so the browser tab and OG description rendered the literal text instead of an em dash. Replaced with the literal em dash character. Verified by grep — every other `\u...` in the codebase is inside a real JS string (`'...'` literal or `{...}` JSX expression) where escapes resolve at compile time. PageMeta default tagline updated from stale "Decision Tree Platform" to "AI-Powered Troubleshooting for MSPs" (matches index.html and brand positioning).
+- Frontend taxonomy followups (caught by tsc -b after rebuild). The earlier taxonomy commit didn't propagate through frontend types: `types/account.ts`, `types/admin.ts`, `types/billing.ts`, `admin/AccountsPage.tsx` (state type, select onChange cast, `<option value="team">` rendered UI), `admin/InviteCodesPage.tsx` (PLAN_OPTIONS array, state type, onChange cast), `AccountSettingsPage.tsx` (`plan !== 'team'` check + CheckoutButton prop), `subscription/CheckoutButton.tsx` (prop type + planLabels). All updated to `'free' | 'pro' | 'starter' | 'enterprise'`. tsc clean. Lint clean (3 warnings only in auto-generated `coverage/`).
+- Doc refresh commit (`docs: refresh CURRENT-STATE, ROADMAP, README, DECISIONS for self-serve cutover`). CURRENT-STATE bumped to 2026-05-07; added entries for PR #159–164; refreshed What's In Progress / What's Next around Phase O. ROADMAP got a "Status as of 2026-05-07" preamble (months-stale historical content kept underneath as record); In Progress and What's Next sections updated. README fixed legacy `patherly_postgres` Docker command, project-tree path, `UI-DESIGN-SYSTEM.md` reference; added `AGENTS.md`, `PROJECT_CONTEXT.md`, `PRODUCT.md` to docs table. DECISIONS appended two entries (taxonomy reconciliation, allowlist).
+- Office-hours session ran via `/office-hours` skill earlier in this session. Design doc saved at `~/.gstack/projects/chihlasm-resolutionflow/abc-feat-self-serve-signup-phase-2-design-20260507-112020.md`. Captured the "documentation builder" thesis — cut branching Flows from pilot UI, focus product around FlowPilot + Day 1 onboarding checklist as navigational frame + 3 deep-capture procedures (M365 tenant build, Windows server build, credential vault) + Hudu/IT Glue/ConnectWise output. Founder is a Director-of-Onboarding at his own MSP (Andrea Henry); pre-build assignment is 3 cold calls with external Directors of Onboarding before scoping. NOT yet adopted as roadmap.
+- DNS / cert triage: `www.resolutionflow.com` was unreachable (Railway "train hasn't arrived" page) — user added it as a custom domain in Railway, cert provisioned at 2026-05-08 01:40 UTC, `www` now serves 200 with valid Let's Encrypt SAN. Apex `resolutionflow.com` separately discovered to have NO A/CNAME at authoritative DNS (Namecheap per SOA `dns1.registrar-servers.com.`). When user reconfigured `www`, the apex record dropped from the zone. From Railway-edge IP both names work fine when DNS is forced (proven by `curl --resolve` returning 200 OK from user's box) — so the apex cert is also valid; the failure mode is purely DNS-level absence. User asked for HSTS clearance steps in Edge — provided `edge://net-internals/#hsts`, `#dns`, `#sockets` walkthrough plus Linux DNS flush options.
+
+**Left for next session:**
+
+- Verify PR #164 CI green, then squash-merge.
+- Phase O manual ops sequence (Stripe Dashboard live-mode setup, Railway prod env vars including `INTERNAL_TESTER_EMAILS`, run `sync_stripe_plan_ids.py` against prod, internal validation Task 46, flag flip Task 47, PostHog dashboards, Sentry alert).
+- User-side: re-add apex DNS record at Namecheap (ALIAS `@` → `c9g7uku8.up.railway.app`, or re-add apex in Railway), clear Edge HSTS state.
+
+**Files touched (all on `feat/billing-plan-taxonomy`, all pushed):** `backend/alembic/versions/4ce3e594cb87_add_starter_rename_team_to_enterprise.py` (new), `backend/scripts/sync_stripe_plan_ids.py` (new), `backend/app/{schemas/{billing,invite_code,admin,subscription}.py, models/subscription.py, api/{deps.py, endpoints/{auth.py, admin.py, admin_dashboard.py, config.py}}, core/config.py}`, `frontend/src/{components/{common/PageMeta.tsx, subscription/CheckoutButton.tsx}, hooks/useSubscription.ts, pages/{LandingPage.tsx, AccountSettingsPage.tsx, admin/{AccountsPage.tsx, InviteCodesPage.tsx}}, types/{account.ts, admin.ts, billing.ts}}`, `backend/tests/{conftest.py, test_admin_plan_limits.py, test_invite_plan.py, test_plans_public.py, test_config_public.py}`, `docker-compose.dev.yml`, `.env.example` (new), `backend/.env.example`, `CURRENT-STATE.md`, `03-DEVELOPMENT-ROADMAP.md`, `README.md`, `.ai/{DECISIONS.md, HANDOFF.md, CURRENT_TASK.md, SESSION_LOG.md}`.
+
+---
+
+## 2026-05-07 11:45 EDT — Codex — Push PR #162 CI runner setup fixes
+
+- Inspected Gitea PR #162 via public API. PR head was `380fcf7` and all CI jobs failed quickly; pushed local commits through `4a37a47`, including Python 3.12 setup for Gitea backend/e2e jobs.
+- New run on `4a37a47` showed frontend still failed quickly while backend/e2e remained pending. Root cause likely same class of runner drift: Gitea frontend/e2e jobs used `npm` without setting up Node.
+- Added explicit `actions/setup-node@v4` with Node 20 to Gitea frontend and e2e jobs. This keeps CI from relying on runner ambient Node/npm.
+- Files touched: `.gitea/workflows/ci.yml`, `.ai/HANDOFF.md`, `.ai/SESSION_LOG.md`.
+
+## 2026-05-07 11:30 EDT — Codex — Standardize backend Python on 3.12
+
+- Standardized repo declarations around Python 3.12: added `.python-version` pinned to 3.12.13, updated stale Python 3.11 docs, and added explicit Python 3.12 setup steps to Gitea CI. GitHub CI was already updated to Python 3.12 by the user.
+- Installed pyenv Python 3.12.13 and created `backend/venv` from that interpreter. Installed `backend/requirements-dev.txt` into the venv.
+- Verified native `python --version` and venv `python --version` both report 3.12.13. Verified native `pytest 8.4.2` and `alembic 1.18.3` with explicit safe test env vars; plain pytest import still depends on local `.env` values being valid.
+- Rebuilt and restarted the dev backend container with `docker compose -f docker-compose.dev.yml build backend` and `up -d backend`; confirmed `docker exec resolutionflow_backend python --version` reports 3.12.13.
+- Files touched: `.python-version`, `.gitea/workflows/ci.yml`, `.github/workflows/ci.yml`, `README.md`, `DEV-ENV.md`, `.ai/PROJECT_CONTEXT.md`, `.ai/DECISIONS.md`, `.ai/HANDOFF.md`, `.ai/SESSION_LOG.md`.
+
+## 2026-05-07 11:14 EDT — Codex — Recheck native Python availability
+
+- Re-ran the startup ritual and checked the host Python state after the user reported fixing the missing native Python issue.
+- Verified `python` and `python3` resolve to `/config/.pyenv/shims/*` and run Python 3.12.10. `pip` and `pip3` are available as pip 25.0.1 under the same pyenv install.
+- Confirmed there is no native `python3.11`, pyenv currently lists only `3.12.10`, no repo virtualenv exists under `backend/venv`, `backend/.venv`, or root `.venv`, and `python -m pytest --version` from `backend/` fails with `No module named pytest`.
+- Conclusion: native Python is present, but it is not yet a ready backend dev/test environment for ResolutionFlow. Docker remains the reliable path for pytest/alembic until a Python 3.11 virtualenv with `backend/requirements*.txt` is installed.
+- Files touched: `.ai/HANDOFF.md`, `.ai/SESSION_LOG.md`.
+
+## 2026-05-06 — Claude — Self-serve signup Phase 2 (frontend + cutover code) shipped on `feat/self-serve-signup-phase-2`
+
+- Executed Tasks 27–44 of `docs/superpowers/plans/2026-05-06-self-serve-signup-phase-2-frontend-cutover.md` via `superpowers:subagent-driven-development`. 18 commits on `feat/self-serve-signup-phase-2` (off `main` `f918b76`); HEAD `c75ce0c`. Each task: dispatched implementer subagent with full task text + curated context, then spec-compliance + code-quality review subagents; review issues either fixed in-flight via `git commit --amend` or noted as deferred scope.
+- Backend (Phase I, Tasks 27–31): `BillingService.open_customer_portal` + `GET /billing/portal-session`; `PATCH /users/me/onboarding-step` + dismiss-rest sibling; public `POST /sales-leads` (5/hr/IP); `/admin/plan-limits` GET/PUT round-trips `plan_billing` in one transaction with NOT-NULL guards on `display_name|is_public|is_archived|sort_order`; `BillingService.invalidate_billing_cache` no-op stub; `GET /config/public` (`{self_serve_enabled, oauth_providers}`); `auth/register` invite-code gate now `REQUIRE_INVITE_CODE and not SELF_SERVE_ENABLED and not invite_code`. Also (T36): `GET /accounts/invites/{code}/lookup` (public, joinedload account+inviter); OAuth callback honors `account_invite_code+invited_email`, rejects existing-email user with `email_already_registered_use_login`. Also (T42, T44): `GET /plans/public`; `POST /beta-signup` returns 307 to `${FRONTEND_URL}/register?from=beta`. `OnboardingStatus` extended with `email_verified`+`shop_setup_done`; `UserResponse` exposes `onboarding_step_completed`+`onboarding_dismissed`.
+- Frontend (Phases J–N, Tasks 32–44): `useBillingStore` Zustand store + `useBillingPoll` mounted in `AppLayout`; `useFeature` / `useFeatureLimit` (60s module cache, lazy `/usage/{field}` fetch with silent fallback — endpoint deferred) / `useTrialBanner` (fractional-day boundary so 24h = warning); `FeatureGate` / `UpgradePrompt` (inline `FEATURE_CATALOG`) / `EmailVerificationGate` (mounted in AppLayout around `<ViewTransitionOutlet />`). `RegisterPage` redesign with OAuth buttons + invite-code conditional; `OAuthCallbackPage` with CSRF state validation + UTF-8-safe base64url state encoding (factored into `lib/oauthState.ts`); `useAppConfig` hook. `AcceptInvitePage` at `/accept-invite` with locked email; `EmailVerificationBanner` refactored to design-system tokens; `EmailVerificationWall` polished; `VerifyEmailPage` at `/verify-email` with single-fire ref guard; `WelcomeRouter` + `WelcomeStep1/2/3` at `/welcome*`; `TrialPill` in topbar (8 stages); `NextStepCard` + `SetupChecklist` (replace orphaned `OnboardingChecklist`); `PricingPage` at `/pricing`; `ContactSalesPage` at `/contact-sales`; `LandingPage` got "See pricing" CTA + replaced beta-signup form with `<Link>`.
+- Final cross-cutting review caught one real bug — relative `/beta-signup` 307 target landing on API origin instead of frontend — fixed via amend (HEAD `c75ce0c`).
+- Tests: ~165+ new tests across backend pytest + frontend vitest. Sweep at end-of-branch all-green; tsc -b clean.
+- Phase O (Tasks 45–47) is explicit manual operations: Stripe live-mode setup, internal validation via `INTERNAL_TESTER_EMAILS` per-email allowlist (backend support for that allowlist is NOT yet built), feature-flag flip + week-1 monitoring. Surfaced as the resume point in HANDOFF.md.
+- Working tree was dirty before this session (`.ai/HANDOFF.md`, `.env.example`s, `core.*` core dumps, `docs/architecture/`, `docs/tutorials/`); intentionally not staged into Phase 2 commits. Files touched: see `git log --oneline f918b76..HEAD` on `feat/self-serve-signup-phase-2`.
+
+---
+
+## 2026-05-02 ~01:00 UTC — Claude — In-product User Guides Diátaxis rewrite shipped (PR #159)
+
+- Audited the in-product `/guides` collection against live UI via `/browse` (engineer + owner test users). Existing 15 guides predated the FlowPilot pivot — every "click X in the sidebar" reference was wrong (Dashboard → Home, All Flows → Flows, Sessions → History, Exports gone, etc.). Three guides described surfaces that no longer exist: Maintenance Flows, AI Assistant page, Flow Assist Sparkles button. Findings written to `/tmp/guides-audit.md`.
+- Rebuilt `frontend/src/data/guides.ts` from scratch as 43 problem-oriented Diátaxis how-tos under 10 categories. Single-outcome each, terse imperative steps, real UI labels (Create New, Sign in, Manage, Build New Script, Send Invite, Save Settings, Create Category, etc.). Added `category: CategoryId` and optional `relatedSlugs?: string[]` to the `Guide` interface; new `Category` type and `categories` const drive the hub layout. `GuidesHubPage` now renders category sections (auto-hides empty); `GuideDetailPage` renders a Related guides footer; `GuideCard` lost its misleading "N sections" subtitle.
+- Fixed `GuideSection.tsx`: `step.tip` was rendered as plain text so `**bold**` markdown in tips rendered literally. Applied the same regex replacement used on `step.instruction`. Verified against `/guides/start-a-session` tip block.
+- Authored 14 net-new how-tos for FlowPilot-era surfaces with no prior coverage: tasklane-keyboard-flow, view-what-we-know, ask-ai-mid-session, pause-and-leave-session, resolve-a-session, record-suggested-fix-outcome, escalate-a-session, post-docs-to-ticket, send-client-update, build-script-from-scratch, open-suggested-flow, pin-a-flow, invite-teammate. Dropped change-teammate-role from scope — couldn't verify the role-change UI control without a non-owner test member.
+- Verified owner-only surfaces with `pro@resolutionflow.example.com`: Membership inline form on `/account` (not a separate `/team-members` route), `/account/categories` real button is **Create Category** (not Add), `/account/chat-retention` real fields are **Retention Period (days)** + **Max Conversations** + **Save Settings**, `/account/integrations` form fields confirmed. Three guides corrected post-audit.
+- Smoke-tested all 43 detail pages — every slug renders, no "Guide Not Found" fallthroughs.
+- Added `100.64.78.44 docker-01` entry to `/etc/hosts` (user ran `sudo tee` from a normal terminal because the LXC `!` shell prefix can't drive interactive sudo). Should now persist across `/browse` sessions on this LXC.
+- `docker exec -w /app resolutionflow_frontend npx tsc -b` clean.
+- Files touched: `frontend/src/data/guides.ts`, `frontend/src/pages/GuidesHubPage.tsx`, `frontend/src/pages/GuideDetailPage.tsx`, `frontend/src/components/guides/GuideCard.tsx`, `frontend/src/components/guides/GuideSection.tsx`, `CHANGELOG.md`, `.ai/CURRENT_TASK.md`, `.ai/HANDOFF.md`, `.ai/SESSION_LOG.md`. Working tree dirty — user not yet asked to commit.
+
+---
+
+## 2026-05-01 21:55 UTC — Claude — Session-screen impeccable pass + tasklane keyboard flow shipped (PR #158)
+
+- Ran the `/impeccable` skill against the assistant chat session screen (chat history / chat bar / TaskLane). Initial design-health score: 24/40 with explicit DESIGN-SYSTEM violations (gradient surfaces in WhatWeKnow + ProposalBanner, side stripes in TaskLane done states + every banner mode, accent borderTop on lane header, backdrop blur on handoff overlay).
+- Walked through all 5 impeccable sub-passes (distill, quieter, layout, typeset, polish). Score after pass: 33/40 (+9). Biggest gains in Aesthetic & Minimalist (1→3), Consistency & Standards (1→3), Recognition Rather Than Recall (2→4).
+- Inline iterations on top of the impeccable steps: linked banner ↔ script-panel lifecycle (collapse hides both, dismiss closes both, any outcome closes both); collapsible WhatWeKnow with `sessionStorage` memory + auto-collapse-at-5-facts; full keyboard flow on TaskLane (Enter submits + auto-advances, Shift+Enter newline, Esc cancels, focus jumps to Send Responses after the last task).
+- Side fix: `ParameterizationPreview` was over-highlighting short parameter values (a `"D"` lit up every capital D in `Get-ADUser`/`Add-Type`/etc.). Added a word-boundary guard, conditional on whether the value itself starts/ends with a word character so values with leading punctuation (`"D:\\Folder"`) still match cleanly.
+- Followups logged in `.ai/TODO.md`: `ConcludeSessionModal` multi-select for paused/escalated outcomes (real feature work — engineers often need ≥2 of Ticket Notes / Client Update / Email Draft), and `bg-card-hover` Tailwind drift in `CommandPalette` (silently broken classes — two-line fix).
+- Branched as `feat/session-distill-quieter`, 4 commits (impeccable pass, parameterize fix, TODO followups, hint contrast + font-sans audit). PR #158 created via Gitea API (`$GITEA_TOKEN` env, no `gh` on this LXC). Merged into `main` as `5e10005`. Local branch deleted.
+- Validation at every commit boundary: `docker exec -w /app resolutionflow_frontend npx tsc -b`, `npm run lint`, and `npm run build` all clean.
+- Files touched: 14 frontend files (TaskLane, AssistantChatPage, ChatMessage, ProposalBanner, WhatWeKnow, WhatWeKnowItem, SuggestedFlowCard, ChatSidebar, ConcludeSessionModal, ChatTabStrip, ActionCardGroup, AddNoteButton, ParameterizationPreview), `.ai/TODO.md`, `.ai/CURRENT_TASK.md`, `.ai/HANDOFF.md`, `.ai/SESSION_LOG.md`, `CHANGELOG.md`, `CURRENT-STATE.md`.
+
+## 2026-05-01 07:20 UTC — Codex — Start issue cleanup plan sections 1 and 2
+
+- Started `docs/plans/2026-05-01-issue-cleanup-plan.md` sections 1 and 2.
+- Cleaned frontend lint to zero warnings by removing stale lint disables, tightening hook dependencies, and adding justified comments where effects are intentionally keyed to route or owner identity.
+- Added e2e selectors for session history controls and the FlowPilot command-palette entry.
+- Added `AssistantChatPage` observability for unexpected `currentChatRef` stale async discards.
+- Added `TaskLane` diagnostic help affordances for common command categories and documented #128 as "keep the existing responsive side-panel/bottom-drawer behavior until pilot feedback says otherwise."
+- Verified `npm run lint`, `npx tsc -b`, and `npm run build` in `resolutionflow_frontend`; build only reported the existing Vite large-chunk warning.
+- Files touched: frontend lint-cleanup files, `frontend/src/components/assistant/TaskLane.tsx`, `frontend/src/pages/AssistantChatPage.tsx`, `frontend/src/pages/SessionHistoryPage.tsx`, `frontend/src/components/layout/CommandPalette.tsx`, `docs/plans/2026-05-01-issue-cleanup-plan.md`, `.ai/HANDOFF.md`, `.ai/SESSION_LOG.md`.
+
+## 2026-05-01 06:05 UTC — Codex — Clean stale TODOs and add issue cleanup plan
+
+- Removed the resolved pytest-xdist item from `.ai/TODO.md` and reset "Up next" to no selected task.
+- Removed the resolved "Add role gate to handoff claim endpoint" backlog item from `.ai/TODO.md`.
+- Updated the frontend lint cleanup TODO from 23 warnings to the current `npm run lint` result: 24 warnings, 0 errors.
+- Tried to close Gitea #127 through the API, but this environment has no Gitea token; API returned `401 token is required`.
+- Added `docs/plans/2026-05-01-issue-cleanup-plan.md` with safe tracker actions and a recommended order for clearing remaining issues.
+- Files touched: `.ai/TODO.md`, `.ai/HANDOFF.md`, `.ai/SESSION_LOG.md`, `docs/plans/2026-05-01-issue-cleanup-plan.md`.
+
+## 2026-05-01 05:40 UTC — Codex — Audit TODO backlog and Gitea issue validity
+
+- Compared `.ai/TODO.md`, inline code TODOs, and open Gitea issues against current `main`.
+- Verified pytest-xdist is already shipped (`backend/requirements-dev.txt`, `backend/tests/conftest.py`, `.gitea/workflows/ci.yml`) so the `.ai/TODO.md` xdist item is stale. Ran frontend lint in Docker; current state is `0 errors, 24 warnings`, so the lint cleanup item remains valid but its count is stale.
+- Verified Gitea issue status: #58, #60, #128, #129, #130 remain valid; #66 is partially resolved by current `.rfflow` import/export and should be narrowed to template packs/marketplace; #127 is mostly resolved by current UI copy and prompt boundaries unless an always-visible scope badge is still wanted. Open PR #124 is stale/unmergeable against current `main`.
+- Verified inline TODOs still valid: post-session contextual feedback prompt, FlowPilot analytics domain/time-entry placeholders, prompt-cache verification note unless live telemetry has confirmed it, proposal `modify` flow editor wiring, and procedural ghost-step accept/dismiss buttons.
+- Files touched: `.ai/HANDOFF.md`, `.ai/SESSION_LOG.md`.
+
+## 2026-05-01 03:45 UTC — Claude Opus 4.7 — QA, merge, and ship PR #156 pending-verification
+
+- Committed two logical units of pending work on `feat/fix-pending-verification`: prior session's local review fixes as `5bee264` (Codex-attributed, 5 source files + 3 `.ai/` notes) and this session's docker-exec docs as `15042af` (Claude-attributed, `.ai/PROJECT_CONTEXT.md` + `AGENTS.md`). Cleaned up a 20MB `core.22120` Chromium dump left behind by an earlier sandbox crash.
+- Resolved a tooling gap surfaced by Codex's prior session ("npm/python/python3 are not on the host path") by documenting that this code-server LXC uses bun + docker for the toolchain. The `docker exec resolutionflow_{backend,frontend}` form is now the canonical command pattern in `.ai/PROJECT_CONTEXT.md`.
+- Got `$B`/Playwright Chromium running in the code-server LXC. After the user's restart cleared the AppArmor unprivileged-userns block, Chromium still aborted at the deeper `sandbox/linux/services/credentials.cc` layer because of the LXC namespace constraint. Workaround: launch browse with `CONTAINER=1` so it auto-adds `--no-sandbox`. Also added `100.64.78.44 docker-01` to code-server's `/etc/hosts` (via `docker exec -u 0`) so the headless browser could resolve the bake-in `VITE_API_URL`.
+- Drove `/qa` against the dev stack at `http://100.64.78.44:5173`. No naturally-occurring `applied_pending` fix existed in the DB, so seeded session `4a558056-bcbd-4b51-925b-248d70eb318d` and fix `cd4ff2fd-751a-4bcb-8cfa-3c77b4864fb2` into the test state (un-resolved session, swapped supersession on the two fixes). Saved a restore script first; verified DB matches pre-test state after teardown.
+- QA result: 5/7 scripted checks PASS with concrete DB + UI evidence. Banner renders correctly ("Awaiting verification" header, "Parked" tag, fix title + pending_reason, 4 actions). "Update reason" updates server-side. "It worked" → `applied_success` with `verified_at` stamped. "Dismiss" → `dismissed` with no terminal timestamp. Page-level Resolve auto-patches `applied_pending` → `applied_success` before the resolution flow opens. Page-level Escalate fires `EscalateInterceptDialog` with the generalized "still needs an outcome" copy. 2 entry-path checks (VerifyingBanner overflow, nudge "Still checking") deferred because they require live AI-generated chat state to drive; the mutating handlers behind those entry paths are verified via the tested transitions. Report at `.gstack/qa-reports/qa-report-pending-verification-2026-04-30.md`.
+- Pushed `feat/fix-pending-verification`. Polled Gitea actions runs 161; required `CI / frontend` and `CI / backend` plus `CI / e2e` all green. Merged via Gitea API as a merge commit (`3ba4532`).
+- Post-merge cleanup: fast-forwarded local `main`, deleted `feat/fix-pending-verification` locally and on the remote. Wrote handoff updates on `chore/post-156-handoff` matching the prior `chore/post-153-handoff` pattern.
+- Files touched (this session): `.ai/CURRENT_TASK.md`, `.ai/HANDOFF.md`, `.ai/PROJECT_CONTEXT.md`, `.ai/SESSION_LOG.md`, `AGENTS.md`, `.gstack/qa-reports/qa-report-pending-verification-2026-04-30.md`, `.gstack/qa-reports/screenshots/01-08*.png`. Plus the two prior-session-authored commits committed by this session (5 source + 3 `.ai/` notes).
+
 ## 2026-05-01 02:24 UTC — Codex — Review-fix PR #156 pending-verification flow

 - Reviewed PR #156 for bugs and found three actionable gaps: pending fixes could be resolved from the page-level Resolve path without updating the fix outcome, the PendingBanner lacked the dismiss action described in the PR body, and new system-prompt examples used real-looking pending reasons contrary to the prompt anti-parrot lesson.
@@ -238,3 +455,13 @@
 - Files touched: `.ai/*.md` (created), `CLAUDE.md` (rewritten), `AGENTS.md` (created), `SESSION-HANDOFF.md` (deleted).
 - Follow-up (same day): Codex review pass flagged stale SaaS-role claim and incomplete file-listings carried over from the pre-migration CLAUDE.md. Verified against `backend/app/core/permissions.py`, `frontend/src/hooks/usePermissions.ts`, `backend/app/api/deps.py`, `backend/app/api/router.py`, and `backend/app/services/psa/`. Corrected PROJECT_CONTEXT.md role hierarchy (`super_admin > owner > engineer > viewer`, not `team_admin`), added `require_account_owner` / `require_team_admin` to deps list, replaced stale endpoint comment with a summary pointing at `api/router.py`, added `exceptions.py` + `ticket_context.py` to the PSA file list. Also replaced seed-example content in `CURRENT_TASK.md` and `TODO.md` with clearer empty-state sentinels.
 - Branch cleanup (same day): committed pending test-isolation work as `b14a16a chore(tests): gate RLS tests behind RUN_RLS_TESTS flag`, new Phase 9 review doc as `b3506b5 docs(pilot): phase 9 review issues`, and `.remember/` gitignore entry as `b3be1e0 chore: ignore .remember/ skill runtime state`. Deleted `docs/landing-handoff/` (prepared for external design work, not meant to live in the repo). Working tree clean; 3 cleanup commits unpushed.
+
+## 2026-05-07 UTC — Codex — Resolve PR #162 CI failures
+
+- Investigated Gitea PR #162 failing checks for `feat/self-serve-signup-phase-2`. Public status metadata was available, but job logs required Gitea login and no token was present.
+- Standardized backend development/CI Python on 3.12.13 to match the Docker image: added `.python-version`, updated Gitea CI Python setup, rebuilt the local backend virtualenv, and verified native `pytest` / `alembic` command availability with explicit local env.
+- Added explicit Node 20 setup to Gitea frontend and e2e jobs so CI no longer depends on the runner's ambient Node installation.
+- Reproduced the remaining frontend failure locally. Lint failed on Phase 2 React code because the current eslint stack flags exported pure helpers, render-time `Date.now()`, and effect-driven state synchronization.
+- Patched the affected frontend surfaces narrowly: dashboard helper exports, app-config cache handling, feature-limit cache/fetch state, trial-banner time capture, invite/OAuth route error state, pricing loading state, and OAuth authorize URL helper export.
+- Verified sequential frontend CI locally in Docker: `npm run lint` passed, `npm run test:coverage` passed (`198` tests), and `npm run build` passed with only Vite chunk-size warnings.
+- Files touched: `.python-version`, `.gitea/workflows/ci.yml`, `.github/workflows/ci.yml`, `.ai/*`, `README.md`, `DEV-ENV.md`, and the frontend lint-fix files under `frontend/src/components/dashboard`, `frontend/src/hooks`, and `frontend/src/pages`.
--- a/.ai/TODO.md
+++ b/.ai/TODO.md
@@ -5,11 +5,11 @@

 ## Up next

- [ ] **Parallelize backend pytest with pytest-xdist.** ✅ landing as PR #151. Verified locally: backend suite 22 min → 4m 28s with `-n auto` on the 8-core homelab runner. Per-worker DB isolation via `PYTEST_XDIST_WORKER` in conftest.py.
+None selected. Pick from the backlog below or `03-DEVELOPMENT-ROADMAP.md`.

 ## Backlog

- [ ] **Frontend lint warnings cleanup.** 23 `react-hooks/exhaustive-deps` warnings remain after PR #149 (mostly missing-deps in useEffect). Either fix them or audit them for known-safe ones and add eslint-disable comments. Not blocking CI today.
+- [ ] **Frontend lint warnings cleanup.** `npm run lint` currently reports 24 warnings (0 errors): mostly `react-hooks/exhaustive-deps` plus a few unused eslint-disable directives. Either fix them or audit known-safe ones and add/remove eslint-disable comments intentionally. Not blocking CI today.
 - [ ] **Audit `filterwarnings` ignores added in `wip(handoff): restore backend suite to green`.** Codex added narrow `ResourceWarning` filters for unclosed socket/transport/event-loop noise from pytest-asyncio teardown. Worth periodically reviewing whether those are still needed (e.g. when bumping pytest-asyncio) — if a real warning appears in those forms it would be silenced.
 - [ ] **Add `data-testid` attributes to e2e-critical interactive elements.** PR #152 fixed five Playwright tests by chasing UI-text changes (`Sessions` → `Session History`, `Account Settings` → `Account Management`, `/assistant` → `/pilot`, "Flow Sessions" tab, Resume button on session cards). Each was a one-line selector update, but every UI churn re-breaks them. Adding stable `data-testid` attributes on the targeted elements (page heading wrappers, tab nav, primary action buttons) and switching tests to `getByTestId` would make these immune to copy/route renames. Scope it small — start with `SessionHistoryPage` heading, the AI/Flow Sessions tab buttons, the per-session `Resume` button, and the command-palette FlowPilot option.
 - [ ] **Per-test transactional rollback in `test_db` fixture.** Bigger engineering than xdist (which we already shipped). Instead of `DROP SCHEMA public CASCADE` per test, wrap each test in a savepoint and rollback at teardown. ~30-40% additional speedup on top of xdist for test-DB-heavy tests. Real refactor; only worth it if the suite gets significantly larger or runs more frequently.
@@ -20,4 +20,8 @@

 - [ ] **Mobile/responsive design for EscalationQueue + handoff-context screen.** Pre-PMF wedge demo targets desktop only — MSP techs work on laptops/desktops in shop environments. Once 3+ paying customers exist and a tech requests mobile (likely on-call use case), spec the responsive behavior: stacked card layout below `sm:` breakpoint, full-bleed handoff-context overlay on mobile, swipe-to-claim gesture instead of Pick Up button. Surfaced from /plan-design-review on the Escalation-Mode wedge plan.

- [ ] **(MOVED IN-SCOPE for Escalation Mode v1, 2026-04-27)** ~~Add role gate to handoff claim endpoint.~~ Codex review correctly flagged this as wedge-relevant (the race-condition story depends on auth gating). Now part of the Escalation Mode v1 build, not a deferred TODO.
+- [ ] **`bg-card-hover` Tailwind class doesn't resolve.** [`frontend/src/components/layout/CommandPalette.tsx:450-451`](../frontend/src/components/layout/CommandPalette.tsx) uses `bg-card-hover` as a Tailwind utility, but Tailwind v4 generates `bg-{token}` from `--color-{token}` — and the token in [`frontend/src/index.css:15`](../frontend/src/index.css) is `--color-bg-card-hover`, which generates `bg-bg-card-hover`, not `bg-card-hover`. So those classes silently produce nothing. Other call sites (KnowledgeBaseCards, TeamSummary, ProposalBanner) use the explicit `hover:bg-[var(--color-bg-card-hover)]` form which works. Fix: change the CommandPalette classes to the explicit-var form, OR add a `--color-card-hover` semantic mapping in index.css alongside `--color-card`. Surfaced 2026-05-01 during impeccable polish sweep.
+
+- [ ] **`ConcludeSessionModal` paused/escalated step forces single-artifact choice — should allow multi-select.** [`frontend/src/components/assistant/ConcludeSessionModal.tsx`](../frontend/src/components/assistant/ConcludeSessionModal.tsx) ~lines 430-474 ("Paused/Escalated: status update options"). Today the engineer clicks ONE of Ticket Notes / Client Update / Email Draft, the buttons disappear, and the result replaces them. Real MSP escalations almost always need at least two: technical notes for the next engineer's PSA AND a non-technical client update. Same for pause (client update + ticket notes for context when resuming). Recommended shape: multi-select with smart defaults — three checkboxes (`☑ Ticket Notes  ☑ Client Update  ☐ Email Draft`); for `escalated` pre-check Ticket Notes + Client Update; for `paused` pre-check Client Update only. One "Generate" button fires all selected in parallel via existing `aiSessionsApi.generateStatusUpdate(...)` (already supports the three `audience` values: `ticket_notes`, `client_update`, `email_draft`). Each result renders in its own card with its own Copy / Post-to-PSA / Send-Email action. Surfaced 2026-05-01. Feature work, not polish — touches streaming wiring for parallel calls.
+
+- [ ] **Centralize plan-tier taxonomy — derive admin plan dropdown (and validation) from `plan_limits`, not hardcoded lists.** Chose **Option B** over a one-line patch (see [DECISIONS.md](DECISIONS.md) 2026-05-29). *Surfaced by a prod bug (2026-05-28):* the admin "Change Plan" dropdown at [`AccountDetailPage.tsx:443-445`](../frontend/src/pages/admin/AccountDetailPage.tsx) still offered `free / pro / team` — the dead `team` slug (renamed to `enterprise` in migration `4ce3e594cb87`, 2026-05-07) and missing `starter`/`enterprise`. Selecting "Team" sends `{plan:"team"}` to `PUT /admin/accounts/{id}/subscription/plan`, which 400s on `if data.plan not in ("free","pro","starter","enterprise")` ([admin.py:994](../backend/app/api/endpoints/admin.py#L994), duplicated at [:975](../backend/app/api/endpoints/admin.py#L975)). The 400 detail was swallowed by a generic `toast.error('Failed to update plan')` ([AccountDetailPage.tsx:196](../frontend/src/pages/admin/AccountDetailPage.tsx)), so it presented as "AI sessions are down" (real cause: owner account had no paid plan; AI is plan-gated). **Root cause of the root cause:** the allowed-plan list is hand-duplicated across ≥6 sites and drifted (2nd such incident). **Duplication sites to consolidate:** backend [`admin.py:975`](../backend/app/api/endpoints/admin.py#L975) + [`:994`](../backend/app/api/endpoints/admin.py#L994) (tuple, twice), [`schemas/admin.py:128`](../backend/app/schemas/admin.py) (`AdminAccountCreate.plan` Literal), frontend `AccountDetailPage.tsx` dropdown, `AccountsPage.tsx` create-account dropdown, `types/admin.ts` + `types/account.ts` + `types/billing.ts`, `hooks/useSubscription.ts` (`isPaidPlan`), `components/subscription/CheckoutButton.tsx` (`planLabels`). **Source of truth:** the `plan_limits` table (rows: free/starter/pro/enterprise) — `PlanLimitWithBillingResponse` already exposes `is_public` + `sort_order` + `display_name` for ordering/labels. **End state (B):** admin dropdown + pricing/checkout derive options from a plans endpoint backed by `plan_limits` (filter `is_public`, order by `sort_order`, label from `display_name`); backend validation checks against actual `plan_limits` rows instead of a hardcoded tuple. **Trivial first commit (land anytime to unblock the admin tool):** fix the `AccountDetailPage` dropdown to `Free / Starter / Pro / Enterprise` and surface the backend error detail in the toast. ⚠️ The `'team'` string in `Tree.visibility` / `StepLibrary.visibility` is a *separate domain* (shared-with-account) — do NOT touch it.
--- a/.env.example
+++ b/.env.example
@@ -0,0 +1,12 @@
+REPO_ROOT=/opt/docker/code-server/workspace/resolutionflow
+POSTGRES_PORT=5433
+SECRET_KEY=
+ANTHROPIC_API_KEY=
+GOOGLE_AI_API_KEY=
+
+STRIPE_SECRET_KEY=sk_test_
+STRIPE_PUBLISHABLE_KEY=pk_test_
+STRIPE_WEBHOOK_SECRET=whsec_
+VITE_STRIPE_PUBLISHABLE_KEY=pk_test_
+
+INTERNAL_TESTER_EMAILS=internaltest@resolutionflow.com
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -46,6 +46,11 @@ jobs:
    steps:
      - uses: actions/checkout@v4

+      - name: Set up Python 3.12
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
      - name: Cache pip
        uses: actions/cache@v3
        with:
@@ -105,6 +110,11 @@ jobs:
    steps:
      - uses: actions/checkout@v4

+      - name: Set up Node.js 20
+        uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+
      - name: Cache npm
        uses: actions/cache@v3
        with:
@@ -171,6 +181,16 @@ jobs:
    steps:
      - uses: actions/checkout@v4

+      - name: Set up Python 3.12
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Set up Node.js 20
+        uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+
      - name: Cache pip
        uses: actions/cache@v3
        with:
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -37,10 +37,10 @@ jobs:
    steps:
      - uses: actions/checkout@v5

-      - name: Set up Python 3.11
+      - name: Set up Python 3.12
        uses: actions/setup-python@v5
        with:
-          python-version: "3.11"
+          python-version: "3.12"
          cache: pip
          cache-dependency-path: |
            backend/requirements.txt
@@ -143,10 +143,10 @@ jobs:
    steps:
      - uses: actions/checkout@v5

-      - name: Set up Python 3.11
+      - name: Set up Python 3.12
        uses: actions/setup-python@v5
        with:
-          python-version: "3.11"
+          python-version: "3.12"
          cache: pip
          cache-dependency-path: |
            backend/requirements.txt
--- a/.gitignore
+++ b/.gitignore
@@ -237,6 +237,10 @@ package.json
 package-lock.json
 .worktrees/
 .gstack/
+
+# Core dumps from crashed processes (e.g. core.12345)
+core.[0-9]*
+**/core.[0-9]*
 .gitnexus

 # graphify knowledge graph outputs
--- a/.python-version
+++ b/.python-version
@@ -0,0 +1 @@
+3.12.13
--- a/03-DEVELOPMENT-ROADMAP.md
+++ b/03-DEVELOPMENT-ROADMAP.md
@@ -1,11 +1,25 @@
 # Development Roadmap

-> **Last Updated:** March 18, 2026
-> **Product:** ResolutionFlow (repo: patherly)
+> **Last Updated:** May 7, 2026
+> **Product:** ResolutionFlow (repo path: `resolutionflow/`; `patherly` is the legacy internal name)
 > **Target Market:** MSP companies — IT service providers managing infrastructure and support for multiple clients

 ---

+## Status as of 2026-05-07
+
+The historical phase content below (Phase 1 through Phase 5) is preserved as a factual record. **This section is the live status overlay — read it first.**
+
+**Where we are:** Pre-PMF, Go-to-Market Validation. Backend feature-complete (50+ endpoints, 100+ tests). FlowPilot session UX is the daily-driver surface and recently went through PR #155 (escalation wedge), #156 (`applied_pending` non-terminal status), #158 (impeccable pass + tasklane keyboard flow), #159 (Diátaxis User Guides), #160 (sidebar IA + account redesign).
+
+**Currently in flight:** Self-serve signup cutover. Phase 1 backend (#161) and Phase 2 frontend (#162) merged. PR #164 (open) closes the last code blockers — plan taxonomy reconciliation (`team` → `enterprise`, add `starter`) and `INTERNAL_TESTER_EMAILS` allowlist for the soft cutover. After merge, remaining work is **manual operations only**: Stripe Dashboard live-mode setup, Railway prod env vars, internal validation pass, public flag flip. See `docs/superpowers/plans/2026-05-06-self-serve-signup-phase-2-frontend-cutover.md` Phase O for the checklist.
+
+**Product thesis being tested:** "We're not a documentation app. We are the documentation builders." Captured in `~/.gstack/projects/chihlasm-resolutionflow/abc-feat-self-serve-signup-phase-2-design-20260507-112020.md` (office-hours design doc). Pre-build assignment: 3 calls with external Directors of Onboarding (cold, no friendly contacts) to validate the framing before adopting it as the public positioning.
+
+**What's not yet decided:** Whether to formally cut branching Flows from the pilot UI surface in favor of a Project (linear procedure) + FlowPilot + Documentation-Builder positioning. Discussed in /office-hours but no implementation work scheduled — gated on the 3 external validation calls.
+
+---
+
 ## Completed Work

 ### Phase 1: MVP
@@ -72,13 +86,26 @@

 | Task | Status | Notes |
 |------|--------|-------|
-| ConnectWise PSA Integration (Advanced) | In Progress | Core done — ticket linking, note posting, member mapping. Remaining: callback webhooks, deeper ticket context in sessions |
-| PR #114 Merge | In Progress | Empty states, onboarding, PDF exports, branding, supporting data — ready for review |
+| Self-serve signup cutover (Phase O) | In Progress | PR #164 merge → Stripe live-mode Dashboard setup → Railway prod env vars → internal validation → public flag flip. Code blockers cleared by #164 (taxonomy + `INTERNAL_TESTER_EMAILS` allowlist). |
+| External validation of documentation-builder thesis | Not started | 3 calls with external Directors of Onboarding (cold). Decision gate before scoping a "Day 1 onboarding checklist" build. |
+| ConnectWise PSA Integration (Advanced) | Deferred | Core complete — ticket linking, note posting, member mapping, ticket context retrieval. Callback webhooks deferred until pilot signal demands them. |

 ---

 ## What's Next

+### Phase O Cutover (Weeks 0-1)
+
+| Step | Status |
+|---|---|
+| Merge PR #164 (taxonomy reconciliation + allowlist) | Open, CI green |
+| Stripe Dashboard live-mode setup (Products + Prices for Starter/Pro, no Prices on Enterprise, Customer Portal config, webhook endpoint with 5 events) | Manual op |
+| Railway prod env vars (`sk_live_*`, `whsec_*`, `INTERNAL_TESTER_EMAILS`, prod Google + Microsoft OAuth credentials, `OAUTH_REDIRECT_BASE`, `STRIPE_PUBLISHABLE_KEY`, `VITE_STRIPE_PUBLISHABLE_KEY` for frontend redeploy) | Manual op |
+| Run `python -m scripts.sync_stripe_plan_ids` against prod backend; verify `plan_billing` has `sk_live_*` price IDs | Manual op |
+| Internal validation pass (9 scenarios from Phase O Task 46) | Manual op |
+| Email pilots about complimentary status, flip `SELF_SERVE_ENABLED=true` (frontend redeploy required for `VITE_SELF_SERVE_ENABLED`) | Manual op |
+| PostHog signup-funnel dashboard + Sentry alert at >1/hour Stripe webhook errors | Manual op |
+
 ### Near-Term Priorities (from Stack Priorities Plan)

 | Feature | Status | Description |
@@ -86,7 +113,7 @@
 | Coverage gates in CI | ✅ Complete | Backend enforced at 80%, frontend coverage reporting enabled |
 | Security headers | ✅ Complete | HSTS, CSP (report-only), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy |
 | Web Vitals / performance budgets | ✅ Complete | LCP, INP, CLS, FCP, TTFB reported to PostHog via web-vitals |
-| Search and recall improvements | ⬜ Not started | Search sessions by flow, tag, client, ticket context |
+| Search and recall improvements | ✅ Complete | Structured filters + FTS + Voyage AI semantic search shipped (see CURRENT-STATE.md "Search & Recall" section) |

 ### 3A: Quick Wins & UX (Priority: Medium)

--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -28,7 +28,14 @@ All notable changes to ResolutionFlow are documented here.

 ## [Unreleased]

+### Changed
+- **In-product User Guides rewrite** — replaced 15 feature-dump guides with 43 problem-oriented Diátaxis how-tos grouped under 10 categories (Getting started, Working a pilot session, Closing out a session, Documentation & sharing, Authoring flows, Reusable assets, AI assistance, PSA integrations, Account & team admin, Analytics). Dropped three deprecated guides (Maintenance Flows, AI Assistant page, Flow Assist sparkle button — UI no longer exists). Renamed Step Library → Solutions Library to match canonical product terminology. Corrected sidebar entry-path references throughout (Dashboard → Home, All Flows → Flows, Sessions → History, Analytics → Data, etc.). Added `category` and optional `relatedSlugs` to the Guide schema; `GuidesHubPage` now renders category sections; `GuideDetailPage` shows a "Related guides" footer when set. Authored 14 net-new how-tos covering FlowPilot-era surfaces with no prior coverage: tasklane keyboard flow, what-we-know panel, ask-the-AI mid-session, pause-and-leave, resolve a session, record a suggested-fix outcome, escalate (Escalation Mode), post docs to a ConnectWise ticket, share a client update mid-session, build a script with Script Builder, open an AI-suggested flow, pin a flow, and invite a teammate. Fixed a long-standing rendering bug where `**bold**` markdown in `step.tip` rendered literally instead of bolded — the same regex replacement now runs on tips as on instructions. Killed the misleading "N sections" subtitle on guide cards (single-section how-tos make the count noise).
+
 ### Added
+- **TaskLane keyboard-first answer flow** (#158) — Enter submits and auto-advances to the next pending task; Shift+Enter inserts a newline; Esc cancels; after the last task, focus jumps to the Send Responses button so the engineer can fire the whole batch with one more keystroke. Mouse path also auto-advances. Subtle hint row (`⏎ submit · ⇧⏎ newline`) under each open input teaches the shortcut.
+- **Collapsible "What we know" section** (#158) — TaskLane's facts list is now a collapsible section with per-session memory in `sessionStorage`. Auto-collapses on first render at ≥5 facts so Questions and Diagnostic Checks stay above the fold; engineer's explicit toggle always wins.
+- **Escalation Mode wedge** (#155) — when an engineer escalates, the senior tech who claims the session lands on a magic-moment handoff-context screen with the structured briefing visible in seconds (no scrolling, no chat re-read). Live SSE pushes new arrivals to anyone watching the queue, atomic claim resolves race conditions, the queue auto-excludes the claimed session, the claiming user retains chat ownership for AI briefings, and a new analytics endpoint tracks post-claim time-to-first-action so you can see real minutes recovered (paired with a manual baseline — see CURRENT_TASK.md two-metric framing).
+- **Suggested-fix "Awaiting verification" outcome** (#156) — when a fix needs external confirmation (client power-cycle, AD replication, license sync) you can park it in `applied_pending` instead of forcing a worked / didn't / partial verdict. The new PendingBanner shows the parked status with worked / didn't / update reason / dismiss actions. The "Still checking" nudge records pending with a reason instead of just silencing. Page-level Resolve auto-patches pending → success before the resolution flow opens; page-level Escalate intercepts pending the same way it intercepts verifying/partial. Resolution notes and escalation packages frame the pending state honestly (provisional fix; leading hypothesis with what's being waited on).
 - Tree Templates + Import/Export marketplace (#66)
 - Recurring Issue Detection — client-specific pattern alerts (#60)
 - Step Feedback Flag — "This Step is Wrong" reporting (#58)
@@ -42,6 +49,8 @@ All notable changes to ResolutionFlow are documented here.
 - **Image support in Assistant Chat** — paste/attach images in chat input, uploaded to S3, resized for vision model, displayed in conversation history

 ### Changed
+- **Assistant Chat session screen — UX overhaul** (#158, "impeccable" pass) — removed the duplicate "Suggested checks" chip strip in favor of the TaskLane as the single source of truth; added an inline `Next steps · N pending` cue above the latest action-bearing AI bubble; consolidated the session header to two visible primary actions (Resolve + Escalate) plus a kebab for Context / New Ticket / Update Ticket / Pause; centered the messages column to `max-w-3xl` to match the composer; unified chat-bubble radii to `rounded-xl`; dropped every banned decoration (3px side stripes, gradient surfaces, accent borderTop, backdrop blur, pulse rings, bordered avatar boxes) for a single decoration channel per surface; unified 14 distinct text sizes into a 5-step scale (10/11/12/13/14px); split the ambiguous `MessageCircleQuestion` icon into `Pencil` (write affordance for question Answer CTA) and `HelpCircle` (universal help icon for the per-check explainer); audited and dropped redundant `font-sans` classes across the screen.
+- **Suggested-fix banner ↔ script panel are now linked** (#158) — collapsing the ProposalBanner now also hides the InlineNoTemplateDialog / TemplateMatchPanel; dismissing the banner closes both surfaces. Recording any outcome on a fix (Dismiss, It worked, Didn't work, Mark partial, Waiting to verify) closes the script panel alongside the banner state transition.
 - **Edit Procedure page** — layout overhaul and color system refinements for better visual hierarchy
 - **Flows sidebar navigation** — collapsed to reduce visual noise; session recovery removed from library view
 - **Account settings page** — audit fixes for improved consistency and usability
@@ -52,6 +61,7 @@ All notable changes to ResolutionFlow are documented here.
 - **Tenant data boundaries** — all session and tree endpoints now return 404 (not 403) for cross-tenant access attempts to avoid confirming resource existence

 ### Fixed
+- **`ParameterizationPreview` over-highlight on short parameter values** (#158) — the tokenizer matched highlight values via raw substring with no word-boundary check, so a single-char value like `"D"` (a drive letter) lit up every capital D in identifiers like `Get-ADUser`, `Add-Type`, `Disable-`. Added a word-boundary guard that's conditional on whether the value itself starts/ends with a word character, so values with leading/trailing punctuation (e.g. `"D:\\Folder"`) still match cleanly when adjacent to whitespace.
 - **CRITICAL: Copilot tree query isolation** (#131) — user could access any tree UUID if known, exposing full tree structure to AI. Now scoped to current account with 404 for inaccessible trees.
 - **AI session search isolation** — search endpoint leaked other users' sessions via OR(user_id, account_id). Now restricted to current user only.
 - **Analytics endpoint isolation** — GET `/analytics/flows/{tree_id}` exposed session counts for any tree UUID. Now returns 404 if tree doesn't belong to requesting account.
--- a/CURRENT-STATE.md
+++ b/CURRENT-STATE.md
@@ -2,11 +2,35 @@

 > **Purpose:** Quick-reference file showing exactly where the project stands.
 > **For Claude Code:** Read this first to understand what's done and what's next.
-> **Last Updated:** April 12, 2026
+> **Last Updated:** May 7, 2026

 ---

-## Active Phase: Go-to-Market Validation (Pre-PMF)
+## Active Phase: Go-to-Market Validation (Pre-PMF) — Self-serve cutover (Phase O) in flight
+
+Self-serve signup backend (Phase 1) and frontend (Phase 2) are merged. Cutover (Phase O) is gated on manual ops: live-mode Stripe Dashboard config, Railway prod env vars, internal validation pass against prod test mode, then the public flag flip. Plan: `docs/superpowers/plans/2026-05-06-self-serve-signup-phase-2-frontend-cutover.md`.
+
+---
+
+## Recently shipped (post-0.1.0.0)
+
+- **2026-05-13 — `feat/session-expiration-policy` (open)** Session expiration policy series — 8 commits, fixes the "logged in forever" bug and adds owner-side controls. Migration `b269a1add160` adds `accounts.session_idle_minutes` + `session_absolute_minutes` (NULL = use system default, defaults Strict 3d/14d via `Settings.SESSION_*_MINUTES_DEFAULT`). Refresh-token JWT carries `auth_time` + `idle_max` + `abs_max` claims (seconds) snapshotted at every login entry point (`/auth/login`, `/auth/login/json`, both OAuth callbacks). `/auth/refresh` enforces absolute cap (`now >= auth_time + abs_max` → 401 `session_expired_absolute`), atomic-revoke-then-check prevents replay. Error-detail taxonomy on the wire distinguishes `session_expired_idle` / `session_expired_absolute` / `invalid_refresh_token`. New owner-only `GET/PATCH /accounts/me/security` returns `{idle_minutes, absolute_minutes, effective_*, *_min/max, active_users}` with audit logging on PATCH. `POST /accounts/me/security/revoke-sessions` bulk-revokes refresh tokens for the account (`scope: "all" | "others"`), audited. Frontend: new `/account/security` page (Strict/Standard/Custom presets, active-users list with name + email + last-login-ago, count-aware revoke buttons + confirmation modal), `useAuthSessionExpiry` hook + top-of-app `SessionExpiryToast` (differentiated by idle vs absolute), cyan info-tone banner on `/login?reason=session_expired`. Plan + design review in `docs/plans/2026-05-13-session-expiration-policy.md` (initial 4/10 → 9/10 via `/plan-design-review`). 28 backend tests; tsc clean. Pending: open PR, merge, document follow-up issues (per-user device list, super-admin global ceiling UI).
+
+- **2026-05-07 — PR #164 (open)** Plan taxonomy reconciliation + `INTERNAL_TESTER_EMAILS` allowlist. Marketing surface (PricingPage, Stripe products) used `Starter / Pro / Enterprise` while backend was on `free / pro / team`, leaving `plan_billing` unseeded and `BillingPlan` schema accepting a literal that violated the FK. Migration `4ce3e594cb87`: rename `team` → `enterprise` in `plan_limits`, add `starter` row (caps interpolated between free and pro: `max_trees=10`, `sessions=75`, `ai=15/mo`), defensive update of any subscriptions on the `team` slug. Code rename across schemas, `Subscription` paid-plan checks, admin endpoints, and frontend `useSubscription`. Resource visibility (`Tree.visibility='team'`, `StepLibrary.visibility='team'`) is a separate domain and intentionally untouched. New `backend/scripts/sync_stripe_plan_ids.py` — idempotent upsert of `plan_billing` rows from Stripe products by exact name match, picks active monthly recurring price, leaves annual fields NULL by design. Test-mode `plan_billing` populated for all 3 tiers in dev. Phase O Task 46 allowlist: `INTERNAL_TESTER_EMAILS` env var (comma-separated) bypasses `SELF_SERVE_ENABLED=false` for specific authenticated users — `Settings.is_self_serve_active_for(email)` centralizes the check; `/config/public` returns `self_serve_enabled=true` for allowlisted authenticated callers; `/auth/register` allows allowlisted emails to register without invite code. New `get_current_user_optional` dep for endpoints that work both anonymous and authed.
+
+- **2026-05-06 — PR #163** Seed test users marked email-verified. Fixed seeded users showing the email verification banner in dev/test, blocking flows that gate on `email_verified=True`. Squash-merged into main as `dad5e1f`.
+
+- **2026-05-06 — PR #162** Self-serve signup Phase 2 (frontend cutover). 18 commits across Tasks 27–44 of the Phase 2 plan: backend remainders + frontend billing foundation + auth surfaces (OAuth + accept-invite + verify-email) + welcome wizard + dashboard redesign (TrialPill, NextStepCard, unified checklist) + public surfaces (`/pricing`, `/contact-sales`) + beta-signup deprecation. Single alembic head `c6cbfc534fad` (no new migrations in Phase 2). Squash-merged as `f1be3ab`.
+
+- **2026-05-?? — PR #161** Self-serve signup backend (Phase 1). `plan_billing` sibling table for Stripe + catalog metadata, `sales_leads` and `stripe_events` tables, `complimentary` status with `has_pro_entitlement`, `BillingService.start_trial` wired into `/auth/register`, `/billing/checkout-session`, Stripe webhook handler with idempotency via `stripe_events`, Google + Microsoft OAuth callbacks with `oauth_identities` linking, `require_verified_email_after_grace` + `require_active_subscription` guards, bulk-create + soft-revoke invite endpoints, account-invite email-match enforcement, pilot complimentary backfill, `accounts.team_size_bucket` + `primary_psa` for wizard. Squash-merged as `f918b76`.
+
+- **2026-05-02 — PR #159** In-product User Guides rewrite to Diátaxis how-tos. Replaced 15 feature-dump guides with 43 problem-oriented how-tos grouped under 10 categories. Dropped Maintenance Flows / AI Assistant / Flow Assist Sparkles guides (UI no longer exists). Renamed Step Library → Solutions Library. Authored 14 net-new how-tos for FlowPilot-era surfaces (tasklane keyboard flow, what-we-know, resolve, escalate, record-fix-outcome, post-docs-to-ticket, share-update, pause-and-leave, build-script-from-scratch, open-suggested-flow, pin-a-flow, invite-teammate, etc.). Schema additions: `category`, optional `relatedSlugs`. Browser-verified against engineer + owner login.
+
+- **2026-05-?? — PR #160** Post-PR-159 UI cleanup — sidebar IA + account redesign. Squash-merged as `a8b22cf`.
+
+- **2026-05-01 — PR #158** Session-screen UX impeccable pass + tasklane keyboard flow. Heuristic score 24/40 → 33/40 across five sub-passes (distill, quieter, layout, typeset, polish). Removed duplicate "Suggested checks" chip strip → TaskLane is the single source of truth; added inline `Next steps · N pending` cue on the latest action-bearing AI bubble; consolidated session header to Resolve + Escalate + ⋯ kebab; centered messages column to match composer; dropped all banned decorations (side stripes, gradient surfaces, backdrop blur, accent borderTop) for a single decoration channel per surface; unified 14 text sizes into a 5-step scale. TaskLane keyboard flow: Enter submits + auto-advances, Shift+Enter newline, Esc cancel, focus jumps to Send after the last task. Banner ↔ script-panel are now linked (collapse hides both, any outcome closes both). WhatWeKnow section is collapsible with `sessionStorage` memory + auto-collapse-at-5-facts. Side fix: ParameterizationPreview no longer over-highlights short parameter values (word-boundary check). Two backlog entries logged in `.ai/TODO.md`: ConcludeSessionModal multi-select and `bg-card-hover` Tailwind drift in CommandPalette.
+- **2026-05-01 — PR #156** Suggested-fix "Awaiting verification" outcome. Engineers can now park a fix in `applied_pending` (waiting on client power-cycle, AD replication, license sync, etc.) instead of forcing a synchronous worked/didn't/partial verdict. PendingBanner with worked / didn't / update reason / dismiss; nudge "Still checking" records pending with a reason; page-level Resolve auto-patches pending → success before the resolution flow opens; page-level Escalate intercepts pending. Migration `c0f3a4b7e91d` (`pending_reason` column + status CHECK constraint).
+- **2026-04-30 — PR #155** Escalation Mode wedge. Magic-moment handoff-context screen for senior pickup, live SSE escalation arrivals, post-claim time-to-first-action metric (`GET /analytics/flowpilot/escalations`), atomic role-gated claim with conflict resolution, queue self-exclusion, chat ownership extended to claimed sessions. The wedge for the first paying-customer push.

 ---

@@ -207,17 +231,30 @@

 ## What's In Progress

- **GTM Validation:** Shadow & Ship — founder uses product for 2 weeks, then hands logins to 5 colleagues
- **Solutions Library spec:** Written at `docs/plans/2026-03-23-solutions-library-design.md`, implementation deferred to post-pilot
+- **Self-serve cutover (Phase O):** PR #164 (open) closes the last code blockers — taxonomy reconciliation + `INTERNAL_TESTER_EMAILS` allowlist. After merge, remaining work is purely manual ops: live-mode Stripe Dashboard config, Railway prod env vars, internal validation pass with Andrea Henry + 2-3 external Directors of Onboarding, then `SELF_SERVE_ENABLED=true` flip with frontend redeploy.
+- **Stripe live-mode setup:** Test-mode is fully wired (3 products, monthly prices for Starter/Pro, Enterprise sales-led, `plan_billing` seeded via `sync_stripe_plan_ids.py`). Live mode requires manual Dashboard config — same script handles seeding live IDs.
+- **GTM Validation:** Shadow & Ship — founder uses product for real MSP tickets daily, then hands logins to 5 colleagues.
+- **Solutions Library spec:** Written at `docs/plans/2026-03-23-solutions-library-design.md`, implementation deferred to post-pilot.

 ---

 ## What's Next (Priority Order)

+### Phase O Cutover (Weeks 0-1)
+
+- Merge PR #164
+- Stripe Dashboard live-mode setup (Products + Prices for Starter/Pro, no Prices on Enterprise, Customer Portal config, webhook endpoint with 5 events)
+- Railway prod env vars (`sk_live_*`, `whsec_*`, `INTERNAL_TESTER_EMAILS`, prod Google + Microsoft OAuth credentials, `OAUTH_REDIRECT_BASE`)
+- Run `sync_stripe_plan_ids.py` against prod backend; verify `plan_billing` has `sk_live_*` price IDs
+- Internal validation pass (9 scenarios from Phase O Task 46 plan)
+- Email pilots about complimentary status, flip `SELF_SERVE_ENABLED=true` (frontend redeploy required for `VITE_SELF_SERVE_ENABLED`)
+- PostHog dashboards + Sentry alert at >1/hour Stripe webhook errors
+
 ### Pilot Phase (Weeks 1-2)

 - Founder dogfooding: use ResolutionFlow for real MSP tickets daily
- Collect feedback on copilot-first experience
+- 3 calls with external Directors of Onboarding to validate the documentation-builder thesis (cold pitch, no friendly contacts)
+- Collect feedback on copilot-first experience and self-serve onboarding flow
 - Fix issues discovered during real usage

 ### Post-Pilot (Weeks 3-4)
--- a/DEV-ENV.md
+++ b/DEV-ENV.md
@@ -108,7 +108,7 @@ Run these in order. Stop at the first failure and investigate.
 # Ubuntu / Debian
 sudo apt update && sudo apt install -y \
  git curl build-essential \
-  python3.11 python3.11-venv python3-pip \
+  python3.12 python3.12-venv python3-pip \
  postgresql-client   # not the server — only if running Postgres natively

 # Node 20 via nvm (survives container rebuilds if stored in a volume)
@@ -236,7 +236,7 @@ REPO_ROOT=/absolute/path/to/resolutionflow

 ```bash
 cd backend
-python3.11 -m venv venv
+python3.12 -m venv venv
 source venv/bin/activate
 pip install -r requirements.txt

--- a/.impeccable.md
+++ b/.impeccable.md
--- a/README.md
+++ b/README.md
@@ -11,10 +11,10 @@
 ## Quick Start

 ```bash
-# Prerequisites: Docker, Python 3.11+, Node.js 20+
+# Prerequisites: Docker, Python 3.12, Node.js 20+

-# Start PostgreSQL
-docker start patherly_postgres
+# Start PostgreSQL (and the rest of the dev stack)
+docker compose -f docker-compose.dev.yml up -d

 # Backend
 cd backend
@@ -105,16 +105,17 @@ Every session generates timestamped, detailed notes formatted for your PSA. Engi
 ## Project Structure

 ```
-patherly/
+resolutionflow/
 ├── backend/
 │   ├── app/
 │   │   ├── main.py                 # FastAPI entry point
-│   │   ├── api/endpoints/          # Route handlers (35+ endpoints)
+│   │   ├── api/endpoints/          # Route handlers (50+ endpoints)
 │   │   ├── core/                   # Config, database, permissions, security
 │   │   ├── models/                 # SQLAlchemy models
 │   │   ├── schemas/                # Pydantic schemas
 │   │   └── services/psa/           # PSA provider abstraction layer
 │   ├── alembic/                    # Database migrations
+│   ├── scripts/                    # Seed + sync scripts (incl. sync_stripe_plan_ids.py)
 │   └── tests/                      # Integration tests (100+)
 ├── frontend/
 │   ├── src/
@@ -122,13 +123,19 @@ patherly/
 │   │   ├── pages/                  # Page components
 │   │   ├── store/                  # Zustand stores
 │   │   └── types/                  # TypeScript interfaces
+├── .ai/                            # Dual-agent handoff system (PROJECT_CONTEXT, HANDOFF, etc.)
 ├── docs/                           # Design docs, plans, ConnectWise reference
 ├── brand-assets/                   # SVGs, brand guide
-├── CLAUDE.md                       # AI assistant project context
+├── CLAUDE.md                       # AI assistant project context (Claude Code)
+├── AGENTS.md                       # AI assistant project context (Codex; shared protocol with CLAUDE.md)
 ├── CURRENT-STATE.md                # Detailed feature status
+├── DESIGN-SYSTEM.md                # Visual + interaction design system
+├── PRODUCT.md                      # Design intent and brand personality
 └── CHANGELOG.md                    # Release history
 ```

+> The on-disk repo path is `resolutionflow/`. `patherly` is the legacy internal name — still appears in some Railway service names and the prod DB name. Treat as an alias, not canonical.
+
 ---

 ## Running Tests
@@ -149,10 +156,13 @@ npm run build

 | Document | Purpose |
 |----------|---------|
-| [CLAUDE.md](CLAUDE.md) | Full project context for AI-assisted development |
+| [CLAUDE.md](CLAUDE.md) | Project context for Claude Code |
+| [AGENTS.md](AGENTS.md) | Project context for Codex (shared protocol with CLAUDE.md) |
+| [.ai/PROJECT_CONTEXT.md](.ai/PROJECT_CONTEXT.md) | Stable architectural truth |
 | [CURRENT-STATE.md](CURRENT-STATE.md) | Detailed feature status |
 | [03-DEVELOPMENT-ROADMAP.md](03-DEVELOPMENT-ROADMAP.md) | Development roadmap |
-| [UI-DESIGN-SYSTEM.md](UI-DESIGN-SYSTEM.md) | Design system (Slate & Ice) |
+| [DESIGN-SYSTEM.md](DESIGN-SYSTEM.md) | Visual + interaction design system (charcoal palette + electric blue accent) |
+| [PRODUCT.md](PRODUCT.md) | Design intent, users, brand personality |
 | [DEV-ENV.md](DEV-ENV.md) | Development environment setup |
 | [CHANGELOG.md](CHANGELOG.md) | Release history |

--- a/abc-feat-self-serve-signup-phase-2-design-20260507-112020.md
+++ b/abc-feat-self-serve-signup-phase-2-design-20260507-112020.md
@@ -0,0 +1,171 @@
+# Design: Documentation Builder — Day 1 Onboarding Wedge
+
+Generated by /office-hours on 2026-05-07
+Branch: feat/self-serve-signup-phase-2
+Repo: chihlasm/resolutionflow
+Status: DRAFT
+Mode: Startup
+
+## Problem Statement
+
+ResolutionFlow has two authoring surfaces — branching Flows (decision trees) and linear Projects (procedures). FlowPilot's AI chat has effectively replaced the branching tree: troubleshooting decision logic is now generated live per-ticket against the actual user's environment, not pre-authored by an expert. Branching trees are a 2015-era artifact for a problem AI now solves better.
+
+That leaves a gap. Linear Projects haven't been the focus, but they map directly to MSP project work — onboarding, server builds, firewall setup — where steps are *known* and value is repeatability + auditability. Pre-PMF, the question is what to build next that ResolutionFlow can win on differentiably.
+
+The thesis surfaced in this session: **execution IS documentation.** Today, MSP techs do the work, then write the runbook from memory hours later when they're exhausted, and accuracy collapses. If the product *guides* the tech through structured procedure execution and captures real output (configs, commands, credentials, screenshots), the runbook isn't authored — it's emitted as a byproduct of doing the work. The execution log IS the runbook.
+
+Position: **"We're not a documentation app. We are the documentation builders."** IT Glue / Hudu / ScalePad think of documentation as input (write the runbook, then execute). ResolutionFlow inverts it: execute, and the runbook writes itself.
+
+## Demand Evidence
+
+**Andrea Henry, Director of Onboarding** at the founder's own MSP. Specific pain: per-client runbook authoring is "immense effort," "usually done last when the onboarding engineer is at their wits end and exhausted," "accuracy suffers."
+
+The role itself is a demand signal. "Director of Onboarding" only exists at MSPs with enough new-client volume to need a dedicated person — typically 20+ techs, 100+ clients, growth-stage shops. That's a buyer with a budget, not an end-user pleading with their boss.
+
+**Caveat:** Andrea is a prospect inside the founder's own company. Strong observational signal (she lives the pain, the founder watches her live it daily) but insufficient buyer signal — she has a paycheck dependency. External validation is required before this thesis is durable. See "The Assignment."
+
+## Status Quo
+
+Current MSP workflow for new client onboarding:
+1. Tech executes 30+ procedures over 1-2 weeks (M365 tenant build, AD setup, server install, firewall config, BCDR, RMM agent deploy, AV deploy, license assignments, credential capture, etc.).
+2. Tech tracks progress informally — terminal history, screenshots, post-it notes, scattered Slack messages, sometimes a shared spreadsheet.
+3. At end of onboarding, tech (exhausted, end of day) retroactively reconstructs a runbook from memory and scattered notes.
+4. Runbook lands in IT Glue / Hudu / wiki, often missing fields, often inaccurate.
+5. Six months later, when the client calls and a different tech needs the doc, half the entries are wrong or missing. Senior techs redo work to verify reality. Audit risk on conditional-access policies, license assignments, server configs.
+
+Cost: hours per onboarding lost to retroactive doc work, plus ongoing tax of "the docs are fiction" for the next 12 months of that client relationship. At an MSP with 5+ new clients per month, this is a real labor sink.
+
+## Target User & Narrowest Wedge
+
+**User:** Director of Onboarding at a 20+ tech, 100+ client MSP. Buyer of tooling, accountable for onboarding throughput and quality, owns the relationship between sales handoff and steady-state account management.
+
+**Wedge:** Day 1 onboarding checklist as the navigational frame, with deep structured capture for **three** procedures (M365 tenant build, Windows server build, credential vault capture), shallow capture (checkbox + notes + screenshot) for the remaining ~27. Output publishes to Hudu, IT Glue, and ConnectWise.
+
+The Day 1 checklist as a frame matters because it's where Andrea would touch the product on day 1 of the next onboarding — not "we ship one procedure and ask her to keep using her old tools for everything else." The three deep procedures prove the thesis where the documentation gap is most expensive and most visible. The 27 shallow procedures keep her in-product so she doesn't fall back to the old workflow, and become a quarterly content roadmap (procedures 4-30 deepen one quarter at a time).
+
+## Constraints
+
+- Pre-PMF, small team. Cannot ship 30 procedures × 3 output systems as v1.
+- ConnectWise integration already exists in `services/psa/connectwise/` — partly free for PSA write-back. Hudu and IT Glue APIs are net-new integration work.
+- Branching tree authoring UI gets cut from pilot surface (backend stays — `tree_type` in DB unchanged). Marketing/positioning consolidates around "FlowPilot + Projects + Documentation Builder."
+- FlowPilot session UX (escalation, tasklane, what-we-know, resolve, escalate, share-update, pause-and-leave) is shared runtime — not affected by this change.
+- Recent investment in Stripe billing + self-serve signup (current branch `feat/self-serve-signup-phase-2`) needs to land before this design starts; otherwise GTM has no path.
+
+## Premises
+
+1. "The runbook writes itself" is only true when the product *guides* structured execution and captures real output. Checkbox + notes = checklist tool, not documentation builder. **Confirmed.**
+2. Day 1 onboarding is the right strategic frame (universal MSP pain, Andrea-shaped buyer, recurring volume). **Confirmed.**
+3. First ship is **frame + deep capture on 3 procedures**, not all 30. The other 27 stay shallow in v1, deepen over time. **Confirmed.**
+4. Output targets v1: Hudu, IT Glue, ConnectWise. Autotask deferred to v2. Halo / Kaseya BMS post-PMF. **Confirmed.**
+5. External validation is non-negotiable. 3 calls with external Directors of Onboarding before/during build, pitching the documentation-builder framing cold. If 0 of 3 light up, revise the thesis. **Confirmed.**
+6. Branching trees cut from pilot UI. Backend retains `tree_type`. All positioning consolidates. **Confirmed.**
+
+## Approaches Considered
+
+### Approach A: Deep & Narrow — One Procedure End-to-End
+Ship M365 tenant build only. Full Graph API capture, three-system output. Other 29 procedures outside the product.
+- **Effort:** S (4-6 weeks). **Risk:** Low.
+- **Pros:** Thesis proven on one thing. Fastest to v1. Lowest risk of overbuild.
+- **Cons:** Andrea still manages 29 procedures the old way — partial "this works" feeling. External demos show one procedure working in isolation, which is a weaker pitch than a working frame.
+
+### Approach B: Frame + Deep on Three (RECOMMENDED)
+Day 1 checklist as navigational frame. Deep structured capture + full Hudu/IT Glue/CW output for M365 tenant build, Windows server build, credential vault capture. Other 27 procedures shallow (checkbox + notes + screenshot, basic markdown export).
+- **Effort:** M (10-14 weeks). **Risk:** Medium.
+- **Pros:** Andrea uses it on day 1 of next onboarding for everything. Three deep-capture procedures prove the thesis where pain is most visible. Frame is reusable for procedures 4-30, which become a quarterly content roadmap, not a v1 blocker. Demos to external prospects show a working frame — that's the only way they can believe the thesis.
+- **Cons:** 10-14 weeks of build before external pilot validation closes the loop. Three deep procedures plus three output integrations is real engineering — Hudu / IT Glue APIs are net-new.
+
+### Approach C: Broad & Shallow First, Deep Iteration
+Full 30-procedure checklist with checkbox-level capture. Basic markdown runbook from checkbox state + free-text + screenshots. Publishes to Hudu / IT Glue / CW as a single doc. Iterate procedure-by-procedure to add deep capture over Q3-Q4.
+- **Effort:** S-M (6-8 weeks v1). **Risk:** High.
+- **Pros:** Fastest to "Andrea uses it for the whole onboarding." Output integrations stand up once.
+- **Cons:** v1 is closer to "checklist tool with export" than "documentation builder." Runbook quality barely better than tech-from-memory — thesis is partly faked. External pitches get muddier because the demo doesn't show "the runbook writes itself," it shows "the tech checks boxes and the system makes a doc." Hard to recover positioning once the market sees v1.
+
+## Recommended Approach
+
+**Approach B — Frame + Deep on Three.**
+
+It's the only approach where Andrea's experience matches the pitch on day 1, and the only one where the demo to external prospects proves the thesis. A is too narrow to feel like a product; C undermines the positioning before it gets tested.
+
+## Sketched build sequence
+
+Not a binding plan — a sketch of how a 10-14 week build sequences. Refine in `/plan-eng-review`.
+
+1. **Weeks 1-2 — Cut and consolidate.**
+   - Hide branching tree authoring UI from pilot surface. Backend (`tree_type`) untouched. Marketing copy + DESIGN-SYSTEM.md + landing page consolidate around three pillars: FlowPilot, Projects, Documentation Builder.
+   - Procedural editor lives, gets primary nav slot.
+   - Run the 3 external Director-of-Onboarding calls in parallel. Block build progression on signal.
+
+2. **Weeks 3-5 — Day 1 frame.**
+   - New project type: "Client Onboarding." Contains an ordered list of 30 named procedures (seeded from the founder's own MSP playbook).
+   - Per-procedure state: not started / in progress (claimed by tech) / complete. Hand-off between techs. Per-tech assignment. Progress tracking visible to Andrea.
+   - 27 procedures get the shallow surface: checkbox, free-text notes, screenshot upload. Time spent. Tech who completed.
+
+3. **Weeks 6-9 — Three deep procedures.**
+   - **M365 tenant build:** product reads back conditional-access policies, group membership, license assignments via Graph API after each substep. Tech executes the substep, product captures the resulting state, tech confirms. Output: structured asset.
+   - **Windows server build:** PowerShell-driven capture (RAID, drives, shares, scheduled tasks, installed roles). Output: structured asset.
+   - **Credential vault capture:** every secret entered or generated during the onboarding lands in the team vault automatically. No tech 1Password leakage. Output: structured asset + vault entries.
+
+4. **Weeks 10-12 — Output integrations.**
+   - Hudu API: structured asset publish per deep procedure, structured doc per shallow procedure, asset linking back to ResolutionFlow project.
+   - IT Glue API: same shape, IT Glue's asset model.
+   - ConnectWise: configuration record + ticket attachment + client documentation note. Reuse `services/psa/connectwise/`.
+
+5. **Weeks 13-14 — Internal pilot + external pilot.**
+   - Andrea runs next onboarding through it. Watch, don't help. Capture every break.
+   - 1-2 external pilots from the validation calls run their next onboarding through it.
+   - Decision gate: ship to GA or pivot.
+
+## Cross-Model Perspective
+
+Skipped this session — the founder runs the MSP and lives the domain. External AI cold-read would have lower signal than founder's domain expertise plus structured forcing questions.
+
+## Open Questions
+
+1. **Hudu vs. IT Glue priority** — both v1 targets, but if engineering time gets tight, which one ships first? Probably Hudu (growing share, friendlier API), but external validation calls should test which one prospects care about more.
+2. **Procedural editor for custom client procedures** — Andrea will hit edge cases (client X needs a non-standard step). Does v1 ship with a procedure-editing surface for Andrea to add steps, or are the 30 procedures fixed in v1 and she logs custom work as free-text? Recommend: fixed in v1, editor in v1.5.
+3. **Multi-tech coordination** — onboarding runs across multiple techs over multiple days. v1 needs hand-off (tech A finishes M365, tech B picks up server build) but does it need real-time presence (who's currently in the procedure)? Recommend: hand-off yes, presence v1.5.
+4. **Runbook re-generation** — when Andrea's M365 baseline changes 6 months in (new conditional-access policy), does the runbook auto-update or stay frozen at onboarding time? This is the IT Glue / Hudu live-doc question and matters a lot. Punt to v2 explicitly; v1 ships a snapshot at onboarding completion.
+5. **Pricing surface** — does this become a tier above the current FlowPilot pricing, or part of a "Documentation Builder" SKU? GTM call, not a build call, but flag for `/plan-ceo-review`.
+6. **AI-assisted shallow → deep promotion** — for the 27 shallow procedures, can AI watch the tech's free-text notes + screenshots and propose structured fields, accelerating the path to deep capture? Probably yes; mark as a research thread for Q3.
+
+## Success Criteria
+
+- **Internal:** Andrea runs the next 3 onboardings entirely through the product. Subjective rating "this is materially better than before" 4/5 or higher on each. Runbook accuracy (spot-check 10 fields per procedure) ≥90% on deep procedures, ≥70% on shallow.
+- **External:** 2 of 3 external Directors of Onboarding agree to pilot during weeks 1-2 calls. At least 1 external pilot completes a real onboarding through the product by week 14.
+- **Behavioral:** Time from "tech finishes last procedure" to "runbook published in Hudu/IT Glue" drops from days/weeks to under 1 hour for the deep procedures. Zero retroactive runbook authoring sessions.
+- **Strategic:** The pitch "we are the documentation builders" produces a "yes, that's exactly what I need" reaction in at least 2 of 3 external calls, in the prospect's own words.
+
+## Distribution Plan
+
+Web service, existing Railway deployment pipeline. No new distribution surface needed. Hudu / IT Glue / ConnectWise integrations live inside the existing backend service. Auth flows through the existing OAuth/API-key model per integration.
+
+## Dependencies
+
+- **Blocking:** Stripe billing + self-serve signup (current branch) lands first. GTM motion has no path otherwise.
+- **Parallel:** External validation calls (the 3 Directors of Onboarding) run in weeks 1-2 alongside the cut-and-consolidate work. If 0/3 light up, this design pauses for a thesis revision.
+- **Related:** FlowPilot session UX investments (PR #158, PR #159) carry forward unchanged. Branching tree backend (`tree_type` column) stays in DB.
+
+## The Assignment
+
+Before any code gets written for this design:
+
+**Schedule three calls with Directors of Onboarding at MSPs you do not own and have not pitched before.** Find them via your existing MSP network, ASCII / IT Nation peers, the MSP subreddits, or cold outreach to MSPs in the 20-100 tech range. Do not use vendor friends — they will be polite, not honest.
+
+Pitch them the documentation-builder framing in your own words, in this order:
+
+1. Open with the pain: "Walk me through your last new-client onboarding. Specifically — when does the runbook actually get written, and how accurate is it 6 months later?"
+2. Listen. Do not pitch yet. Take notes on the words they use.
+3. Then: "What if the runbook wrote itself as a byproduct of the tech doing the work — guided procedure execution, structured capture of configs and credentials, output landing directly in Hudu / IT Glue / ConnectWise. Would that be valuable to you, or am I solving a problem you don't have?"
+4. Watch their face / listen to their tone. The signal you want is "yes, that's exactly what I need" in their own words. The signal you want to fear is "interesting, send me more info."
+5. Ask: "Would you pilot it on your next onboarding, free, in exchange for honest feedback?"
+
+If 0/3 say yes to pilot, the thesis needs revision before code. If 1/3, build but flag the risk. If 2-3/3, build with confidence.
+
+Bring your own design doc (this one) to the calls. Show it. Let them critique it. Their language is more valuable than yours.
+
+## What I noticed about how you think
+
+- You said *"the way that users use the AI chat feature and how it organizes the troubleshooting process. The best part is how it documents the process from start to finish. This is the way troubleshooting will be done in the future."* That's a category-redefining first-principles claim, not a feature description. Most founders pitch features. You pitched a thesis. That's rare.
+- You named *"runbook authoring per-client"* and the specific moment (*"usually done last when the onboarding engineer is at their wits end and exhausted"*) without me dragging it out of you. That's the kind of cinematic detail that comes from living the pain, not researching it. You run the MSP. Andrea works for you. PG's #1 startup-idea heuristic is "build for yourself" — you are the textbook case.
+- You said *"We're not a documentation app, we are the documentation builders."* Hold onto that line. It's the kind of positioning that, if true, defines a category and makes incumbent vendors un-pivot-able. Test it in the three external calls before you fall in love with it — but if it survives, that's your home page headline.
+- When I challenged your wedge as too broad, you didn't budge. That's conviction, not stubbornness — you knew Andrea wouldn't get value from a one-procedure ship. Worth flagging because most founders cave on scope challenges. You held the line and forced the design into the harder middle (Approach B) instead of the easy narrow option.
--- a/backend/.env.example
+++ b/backend/.env.example
@@ -21,4 +21,22 @@ ANTHROPIC_API_KEY=
 VOYAGE_API_KEY=

 # ConnectWise PSA Integration
-CW_CLIENT_ID=<CONNECTWISE CLIENT ID>
+CW_CLIENT_ID=<CONNECTWISE CLIENT ID>
+
+# Stripe
+# Test keys from Stripe Dashboard → Developers → API keys (with Test mode toggled on).
+# Webhook secret for local dev: from `stripe listen --forward-to localhost:8000/api/v1/webhooks/stripe`.
+# When unset, app/core/config.py:stripe_enabled returns False and Stripe code paths short-circuit.
+STRIPE_SECRET_KEY=sk_test_
+STRIPE_PUBLISHABLE_KEY=pk_test_
+STRIPE_WEBHOOK_SECRET=whsec_
+
+# Self-serve cutover
+# SELF_SERVE_ENABLED is the master switch for the public self-serve signup
+# flow (pricing page, invite-code-optional registration). Default is false
+# until Phase O cutover.
+# INTERNAL_TESTER_EMAILS is a comma-separated allowlist that bypasses the
+# global flag for specific users — used for prod test-mode validation
+# before the public flip. Empty by default.
+SELF_SERVE_ENABLED=false
+INTERNAL_TESTER_EMAILS=
--- a/backend/alembic/versions/2aa73d3231c2_account_invites_add_revoked_at_and_.py
+++ b/backend/alembic/versions/2aa73d3231c2_account_invites_add_revoked_at_and_.py
@@ -0,0 +1,30 @@
+"""account_invites add revoked_at and email_sent_at
+
+Revision ID: 2aa73d3231c2
+Revises: e1af7ab57ceb
+Create Date: 2026-05-06 07:28:28.514384
+
+"""
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision: str = '2aa73d3231c2'
+down_revision: Union[str, None] = 'e1af7ab57ceb'
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    op.add_column("account_invites", sa.Column("revoked_at", sa.DateTime(timezone=True), nullable=True))
+    op.add_column("account_invites", sa.Column("email_sent_at", sa.DateTime(timezone=True), nullable=True))
+    op.create_index("ix_account_invites_revoked_at", "account_invites", ["revoked_at"])
+
+
+def downgrade() -> None:
+    op.drop_index("ix_account_invites_revoked_at", table_name="account_invites")
+    op.drop_column("account_invites", "email_sent_at")
+    op.drop_column("account_invites", "revoked_at")
--- a/backend/alembic/versions/4ce3e594cb87_add_starter_rename_team_to_enterprise.py
+++ b/backend/alembic/versions/4ce3e594cb87_add_starter_rename_team_to_enterprise.py
@@ -0,0 +1,84 @@
+"""add_starter_rename_team_to_enterprise
+
+Revision ID: 4ce3e594cb87
+Revises: c6cbfc534fad
+Create Date: 2026-05-07 19:36:27.172082
+
+Plan tier taxonomy reconciliation. Marketing surface and Stripe products
+named "Starter / Pro / Enterprise"; backend was on "free / pro / team".
+This migration:
+
+  1. Defensively migrates any existing subscriptions on plan='team' to
+     plan='enterprise' (dev has zero such rows; prod is expected to have
+     none, but the UPDATE is safe and idempotent).
+  2. Renames the plan_limits row 'team' -> 'enterprise'. plan_billing
+     and plan_feature_defaults are FK-referenced but currently empty;
+     the rename works because PostgreSQL allows updating PK values when
+     no FK rows reference them.
+  3. Inserts a new plan_limits row for 'starter' between free and pro.
+
+Resource visibility (Tree.visibility, StepLibrary.visibility) also uses
+the string 'team' for "shared with my account" — that is a separate
+domain and is intentionally not touched.
+"""
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+
+
+revision: str = '4ce3e594cb87'
+down_revision: Union[str, None] = 'c6cbfc534fad'
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    op.execute("UPDATE subscriptions SET plan = 'enterprise' WHERE plan = 'team'")
+    op.execute("UPDATE plan_limits SET plan = 'enterprise' WHERE plan = 'team'")
+    op.execute("""
+        INSERT INTO plan_limits (
+            plan,
+            max_trees,
+            max_sessions_per_month,
+            max_users,
+            custom_branding,
+            priority_support,
+            export_formats,
+            max_ai_builds_per_month,
+            max_ai_builds_per_24h,
+            kb_accelerator_enabled,
+            kb_max_lifetime_conversions,
+            kb_batch_max_size,
+            kb_allowed_formats,
+            kb_detailed_analysis,
+            kb_conversational_refinement,
+            kb_step_library_matching,
+            kb_history_limit
+        ) VALUES (
+            'starter',
+            10,
+            75,
+            1,
+            FALSE,
+            FALSE,
+            '["markdown", "text", "html"]'::jsonb,
+            15,
+            5,
+            FALSE,
+            NULL,
+            NULL,
+            '["txt", "paste", "md"]'::jsonb,
+            FALSE,
+            FALSE,
+            FALSE,
+            NULL
+        )
+        ON CONFLICT (plan) DO NOTHING
+    """)
+
+
+def downgrade() -> None:
+    op.execute("DELETE FROM plan_limits WHERE plan = 'starter'")
+    op.execute("UPDATE plan_limits SET plan = 'team' WHERE plan = 'enterprise'")
+    op.execute("UPDATE subscriptions SET plan = 'team' WHERE plan = 'enterprise'")
--- a/backend/alembic/versions/58e3caaa6269_users_add_role_at_signup_and_onboarding_.py
+++ b/backend/alembic/versions/58e3caaa6269_users_add_role_at_signup_and_onboarding_.py
@@ -0,0 +1,28 @@
+"""users add role_at_signup and onboarding_step_completed
+
+Revision ID: 58e3caaa6269
+Revises: 5bb055a1593e
+Create Date: 2026-05-06 07:25:16.780761
+
+"""
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision: str = '58e3caaa6269'
+down_revision: Union[str, None] = '5bb055a1593e'
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    op.add_column("users", sa.Column("role_at_signup", sa.String(50), nullable=True))
+    op.add_column("users", sa.Column("onboarding_step_completed", sa.Integer(), nullable=True))
+
+
+def downgrade() -> None:
+    op.drop_column("users", "onboarding_step_completed")
+    op.drop_column("users", "role_at_signup")
--- a/backend/alembic/versions/5bb055a1593e_users_password_hash_nullable.py
+++ b/backend/alembic/versions/5bb055a1593e_users_password_hash_nullable.py
@@ -0,0 +1,47 @@
+"""users password_hash nullable
+
+Revision ID: 5bb055a1593e
+Revises: b1fad5ddf357
+Create Date: 2026-05-06 07:23:21.480252
+
+"""
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision: str = '5bb055a1593e'
+down_revision: Union[str, None] = 'b1fad5ddf357'
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    op.alter_column(
+        "users",
+        "password_hash",
+        existing_type=sa.String(255),
+        nullable=True,
+    )
+
+
+def downgrade() -> None:
+    # NOTE: downgrade is non-trivial if any OAuth-only users exist.
+    # This downgrade fails fast in that case rather than corrupting data.
+    conn = op.get_bind()
+    null_count = conn.execute(
+        sa.text("SELECT COUNT(*) FROM users WHERE password_hash IS NULL")
+    ).scalar()
+    if null_count and null_count > 0:
+        raise RuntimeError(
+            f"Cannot downgrade: {null_count} OAuth-only users have NULL password_hash. "
+            "Set passwords or delete those rows before downgrading."
+        )
+    op.alter_column(
+        "users",
+        "password_hash",
+        existing_type=sa.String(255),
+        nullable=False,
+    )
--- a/backend/alembic/versions/a1e6a018af02_create_internal_tickets.py
+++ b/backend/alembic/versions/a1e6a018af02_create_internal_tickets.py
@@ -0,0 +1,79 @@
+"""create_internal_tickets
+
+Revision ID: a1e6a018af02
+Revises: ff6fe5895ea2
+Create Date: 2026-05-28 16:29:32.624317
+
+"""
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+from sqlalchemy.dialects import postgresql
+
+
+# revision identifiers, used by Alembic.
+revision: str = 'a1e6a018af02'
+down_revision: Union[str, None] = 'ff6fe5895ea2'
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+_NULL_UUID = "00000000-0000-0000-0000-000000000000"
+_CURRENT_ACCOUNT = (
+    f"COALESCE(NULLIF(current_setting('app.current_account_id', TRUE), ''), "
+    f"'{_NULL_UUID}')::uuid"
+)
+
+
+def upgrade() -> None:
+    op.create_table(
+        'internal_tickets',
+        sa.Column('id', postgresql.UUID(as_uuid=True), nullable=False),
+        sa.Column('account_id', postgresql.UUID(as_uuid=True), nullable=False),
+        sa.Column('created_by_user_id', postgresql.UUID(as_uuid=True), nullable=False),
+        sa.Column('customer_name', sa.String(120), nullable=True),
+        sa.Column('customer_contact', sa.String(200), nullable=True),
+        sa.Column('problem_statement', sa.Text(), nullable=False),
+        sa.Column('status', sa.String(30), nullable=False, server_default='open'),
+        sa.Column('flow_id', postgresql.UUID(as_uuid=True), nullable=True),
+        sa.Column('flow_proposal_id', postgresql.UUID(as_uuid=True), nullable=True),
+        sa.Column('ai_session_id', postgresql.UUID(as_uuid=True), nullable=True),
+        sa.Column('assigned_user_id', postgresql.UUID(as_uuid=True), nullable=True),
+        sa.Column('resolution_notes', sa.Text(), nullable=True),
+        sa.Column('psa_promoted_ticket_id', sa.String(64), nullable=True),
+        sa.Column('created_at', sa.DateTime(timezone=True), nullable=False, server_default=sa.text('now()')),
+        sa.Column('updated_at', sa.DateTime(timezone=True), nullable=False, server_default=sa.text('now()')),
+        sa.Column('resolved_at', sa.DateTime(timezone=True), nullable=True),
+        sa.PrimaryKeyConstraint('id'),
+        sa.ForeignKeyConstraint(['account_id'], ['accounts.id'], ondelete='CASCADE'),
+        sa.ForeignKeyConstraint(['created_by_user_id'], ['users.id'], ondelete='RESTRICT'),
+        sa.ForeignKeyConstraint(['flow_id'], ['trees.id'], ondelete='SET NULL'),
+        sa.ForeignKeyConstraint(['flow_proposal_id'], ['flow_proposals.id'], ondelete='SET NULL'),
+        sa.ForeignKeyConstraint(['ai_session_id'], ['ai_sessions.id'], ondelete='SET NULL'),
+        sa.ForeignKeyConstraint(['assigned_user_id'], ['users.id'], ondelete='SET NULL'),
+        sa.CheckConstraint(
+            "status IN ('open', 'walking', 'resolved', 'escalated')",
+            name='ck_internal_tickets_status',
+        ),
+    )
+    op.create_index('ix_internal_tickets_account_id', 'internal_tickets', ['account_id'])
+    op.create_index('ix_internal_tickets_status', 'internal_tickets', ['status'])
+    op.create_index('ix_internal_tickets_assigned_user_id', 'internal_tickets', ['assigned_user_id'])
+
+    op.execute("ALTER TABLE internal_tickets ENABLE ROW LEVEL SECURITY")
+    op.execute("ALTER TABLE internal_tickets FORCE ROW LEVEL SECURITY")
+    op.execute(f"""
+        CREATE POLICY tenant_isolation ON internal_tickets
+            USING (account_id = {_CURRENT_ACCOUNT})
+            WITH CHECK (account_id = {_CURRENT_ACCOUNT})
+    """)
+
+
+def downgrade() -> None:
+    op.execute("DROP POLICY IF EXISTS tenant_isolation ON internal_tickets")
+    op.execute("ALTER TABLE internal_tickets DISABLE ROW LEVEL SECURITY")
+    op.execute("ALTER TABLE internal_tickets NO FORCE ROW LEVEL SECURITY")
+    op.drop_index('ix_internal_tickets_assigned_user_id', 'internal_tickets')
+    op.drop_index('ix_internal_tickets_status', 'internal_tickets')
+    op.drop_index('ix_internal_tickets_account_id', 'internal_tickets')
+    op.drop_table('internal_tickets')
--- a/backend/alembic/versions/a8186f22506d_add_l1_columns.py
+++ b/backend/alembic/versions/a8186f22506d_add_l1_columns.py
@@ -0,0 +1,59 @@
+"""add_l1_columns
+
+Revision ID: a8186f22506d
+Revises: b269a1add160
+Create Date: 2026-05-28 16:15:40.900535
+
+"""
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision: str = 'a8186f22506d'
+down_revision: Union[str, None] = 'b269a1add160'
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    op.add_column(
+        'users',
+        sa.Column('can_cover_l1', sa.Boolean(), nullable=False, server_default='false'),
+    )
+    op.add_column(
+        'accounts',
+        sa.Column('l1_seats_purchased', sa.Integer(), nullable=False, server_default='0'),
+    )
+    op.add_column(
+        'subscriptions',
+        sa.Column('l1_seat_limit', sa.Integer(), nullable=True),
+    )
+    op.add_column(
+        'audit_logs',
+        sa.Column('acting_as', sa.String(30), nullable=True),
+    )
+
+    # Rotate account_role CHECK constraint to include 'l1_tech'
+    op.drop_constraint('ck_users_account_role_enum', 'users', type_='check')
+    op.create_check_constraint(
+        'ck_users_account_role_enum',
+        'users',
+        "account_role IN ('owner', 'admin', 'engineer', 'l1_tech', 'viewer')",
+    )
+
+
+def downgrade() -> None:
+    # Reverse the constraint rotation first
+    op.drop_constraint('ck_users_account_role_enum', 'users', type_='check')
+    op.create_check_constraint(
+        'ck_users_account_role_enum',
+        'users',
+        "account_role IN ('owner', 'admin', 'engineer', 'viewer')",
+    )
+    op.drop_column('audit_logs', 'acting_as')
+    op.drop_column('subscriptions', 'l1_seat_limit')
+    op.drop_column('accounts', 'l1_seats_purchased')
+    op.drop_column('users', 'can_cover_l1')
--- a/backend/alembic/versions/b1fad5ddf357_add_oauth_identities.py
+++ b/backend/alembic/versions/b1fad5ddf357_add_oauth_identities.py
@@ -0,0 +1,39 @@
+"""add oauth_identities
+
+Revision ID: b1fad5ddf357
+Revises: c0f3a4b7e91d
+Create Date: 2026-05-06 07:17:11.374555
+
+"""
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+from sqlalchemy.dialects.postgresql import UUID
+
+
+# revision identifiers, used by Alembic.
+revision: str = 'b1fad5ddf357'
+down_revision: Union[str, None] = 'c0f3a4b7e91d'
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    op.create_table(
+        "oauth_identities",
+        sa.Column("id", UUID(as_uuid=True), primary_key=True),
+        sa.Column("user_id", UUID(as_uuid=True), sa.ForeignKey("users.id", ondelete="CASCADE"), nullable=False),
+        sa.Column("provider", sa.String(20), nullable=False),
+        sa.Column("provider_subject", sa.String(255), nullable=False),
+        sa.Column("provider_email_at_link", sa.String(255), nullable=False),
+        sa.Column("created_at", sa.DateTime(timezone=True), nullable=False, server_default=sa.func.now()),
+        sa.Column("updated_at", sa.DateTime(timezone=True), nullable=False, server_default=sa.func.now()),
+        sa.UniqueConstraint("provider", "provider_subject", name="uq_oauth_identities_provider_subject"),
+    )
+    op.create_index("ix_oauth_identities_user_id", "oauth_identities", ["user_id"])
+
+
+def downgrade() -> None:
+    op.drop_index("ix_oauth_identities_user_id", table_name="oauth_identities")
+    op.drop_table("oauth_identities")
--- a/backend/alembic/versions/b269a1add160_add_session_policy_columns_to_accounts.py
+++ b/backend/alembic/versions/b269a1add160_add_session_policy_columns_to_accounts.py
@@ -0,0 +1,72 @@
+"""add_session_policy_columns_to_accounts
+
+Revision ID: b269a1add160
+Revises: 4ce3e594cb87
+Create Date: 2026-05-13 19:50:51.343777
+
+Adds per-account session-policy overrides. NULL on either column means
+"use the system default from Settings.SESSION_*_MINUTES_DEFAULT." The
+CHECK constraint is defense-in-depth for the both-set case; the partial-
+override case (one NULL, one set) is validated at the app layer because
+the DB cannot see Settings.
+
+See docs/plans/2026-05-13-session-expiration-policy.md for full design.
+"""
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+
+
+revision: str = 'b269a1add160'
+down_revision: Union[str, None] = '4ce3e594cb87'
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    op.add_column(
+        'accounts',
+        sa.Column(
+            'session_idle_minutes',
+            sa.Integer(),
+            nullable=True,
+            comment=(
+                'Account override for idle session window in minutes. '
+                'NULL = use Settings.SESSION_IDLE_MINUTES_DEFAULT.'
+            ),
+        ),
+    )
+    op.add_column(
+        'accounts',
+        sa.Column(
+            'session_absolute_minutes',
+            sa.Integer(),
+            nullable=True,
+            comment=(
+                'Account override for absolute session lifetime in minutes. '
+                'NULL = use Settings.SESSION_ABSOLUTE_MINUTES_DEFAULT.'
+            ),
+        ),
+    )
+    op.create_check_constraint(
+        'session_idle_le_absolute_when_both_set',
+        'accounts',
+        '('
+        'session_idle_minutes IS NULL '
+        'OR session_absolute_minutes IS NULL '
+        'OR session_idle_minutes <= session_absolute_minutes'
+        ')',
+    )
+    op.execute(
+        "COMMENT ON CONSTRAINT session_idle_le_absolute_when_both_set ON accounts IS "
+        "'Defense in depth: catches idle > absolute when both are overridden. "
+        "Partial-override case (one NULL, one set) is validated at the app layer "
+        "against current system defaults, since the DB cannot see Settings.'"
+    )
+
+
+def downgrade() -> None:
+    op.drop_constraint('session_idle_le_absolute_when_both_set', 'accounts', type_='check')
+    op.drop_column('accounts', 'session_absolute_minutes')
+    op.drop_column('accounts', 'session_idle_minutes')
--- a/backend/alembic/versions/b3358ba0e48c_create_l1_walk_sessions.py
+++ b/backend/alembic/versions/b3358ba0e48c_create_l1_walk_sessions.py
@@ -0,0 +1,97 @@
+"""create_l1_walk_sessions
+
+Revision ID: b3358ba0e48c
+Revises: a1e6a018af02
+Create Date: 2026-05-28 16:33:52.120027
+
+"""
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+from sqlalchemy.dialects import postgresql
+
+
+# revision identifiers, used by Alembic.
+revision: str = 'b3358ba0e48c'
+down_revision: Union[str, None] = 'a1e6a018af02'
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+_NULL_UUID = "00000000-0000-0000-0000-000000000000"
+_CURRENT_ACCOUNT = (
+    f"COALESCE(NULLIF(current_setting('app.current_account_id', TRUE), ''), "
+    f"'{_NULL_UUID}')::uuid"
+)
+
+
+def upgrade() -> None:
+    op.create_table(
+        'l1_walk_sessions',
+        sa.Column('id', postgresql.UUID(as_uuid=True), nullable=False),
+        sa.Column('account_id', postgresql.UUID(as_uuid=True), nullable=False),
+        sa.Column('created_by_user_id', postgresql.UUID(as_uuid=True), nullable=False),
+        sa.Column('acting_as', sa.String(30), nullable=True),
+        sa.Column('ticket_id', sa.String(64), nullable=False),
+        sa.Column('ticket_kind', sa.String(10), nullable=False),
+        sa.Column('session_kind', sa.String(20), nullable=False),
+        sa.Column('flow_id', postgresql.UUID(as_uuid=True), nullable=True),
+        sa.Column('flow_proposal_id', postgresql.UUID(as_uuid=True), nullable=True),
+        sa.Column('current_node_id', sa.String(100), nullable=True),
+        sa.Column('walked_path', postgresql.JSONB(), nullable=False, server_default=sa.text("'[]'::jsonb")),
+        sa.Column('walk_notes', postgresql.JSONB(), nullable=False, server_default=sa.text("'[]'::jsonb")),
+        sa.Column('status', sa.String(20), nullable=False, server_default='active'),
+        sa.Column('resolution_notes', sa.Text(), nullable=True),
+        sa.Column('helpful', sa.Boolean(), nullable=True),
+        sa.Column('escalation_reason', sa.Text(), nullable=True),
+        sa.Column('escalation_reason_category', sa.String(30), nullable=True),
+        sa.Column('started_at', sa.DateTime(timezone=True), nullable=False, server_default=sa.text('now()')),
+        sa.Column('last_step_at', sa.DateTime(timezone=True), nullable=False, server_default=sa.text('now()')),
+        sa.Column('resolved_at', sa.DateTime(timezone=True), nullable=True),
+        sa.PrimaryKeyConstraint('id'),
+        sa.ForeignKeyConstraint(['account_id'], ['accounts.id'], ondelete='CASCADE'),
+        sa.ForeignKeyConstraint(['created_by_user_id'], ['users.id'], ondelete='RESTRICT'),
+        sa.ForeignKeyConstraint(['flow_id'], ['trees.id'], ondelete='SET NULL'),
+        sa.ForeignKeyConstraint(['flow_proposal_id'], ['flow_proposals.id'], ondelete='SET NULL'),
+        sa.CheckConstraint(
+            "ticket_kind IN ('psa', 'internal')",
+            name='ck_l1_walk_sessions_ticket_kind',
+        ),
+        sa.CheckConstraint(
+            "session_kind IN ('flow', 'proposal', 'adhoc')",
+            name='ck_l1_walk_sessions_session_kind',
+        ),
+        sa.CheckConstraint(
+            "status IN ('active', 'resolved', 'escalated', 'abandoned')",
+            name='ck_l1_walk_sessions_status',
+        ),
+        sa.CheckConstraint(
+            "(session_kind = 'flow' AND flow_id IS NOT NULL AND flow_proposal_id IS NULL) "
+            "OR (session_kind = 'proposal' AND flow_proposal_id IS NOT NULL AND flow_id IS NULL) "
+            "OR (session_kind = 'adhoc' AND flow_id IS NULL AND flow_proposal_id IS NULL)",
+            name='ck_l1_walk_sessions_target_consistency',
+        ),
+    )
+    op.create_index('ix_l1_walk_sessions_account_id', 'l1_walk_sessions', ['account_id'])
+    op.create_index('ix_l1_walk_sessions_created_by_user_id', 'l1_walk_sessions', ['created_by_user_id'])
+    op.create_index('ix_l1_walk_sessions_status', 'l1_walk_sessions', ['status'])
+    op.create_index('ix_l1_walk_sessions_last_step_at', 'l1_walk_sessions', ['last_step_at'])
+
+    op.execute("ALTER TABLE l1_walk_sessions ENABLE ROW LEVEL SECURITY")
+    op.execute("ALTER TABLE l1_walk_sessions FORCE ROW LEVEL SECURITY")
+    op.execute(f"""
+        CREATE POLICY tenant_isolation ON l1_walk_sessions
+            USING (account_id = {_CURRENT_ACCOUNT})
+            WITH CHECK (account_id = {_CURRENT_ACCOUNT})
+    """)
+
+
+def downgrade() -> None:
+    op.execute("DROP POLICY IF EXISTS tenant_isolation ON l1_walk_sessions")
+    op.execute("ALTER TABLE l1_walk_sessions DISABLE ROW LEVEL SECURITY")
+    op.execute("ALTER TABLE l1_walk_sessions NO FORCE ROW LEVEL SECURITY")
+    op.drop_index('ix_l1_walk_sessions_last_step_at', 'l1_walk_sessions')
+    op.drop_index('ix_l1_walk_sessions_status', 'l1_walk_sessions')
+    op.drop_index('ix_l1_walk_sessions_created_by_user_id', 'l1_walk_sessions')
+    op.drop_index('ix_l1_walk_sessions_account_id', 'l1_walk_sessions')
+    op.drop_table('l1_walk_sessions')
--- a/backend/alembic/versions/c6cbfc534fad_subscriptions_pilot_complimentary_.py
+++ b/backend/alembic/versions/c6cbfc534fad_subscriptions_pilot_complimentary_.py
@@ -0,0 +1,47 @@
+"""subscriptions pilot complimentary backfill
+
+This migration converts existing pilot/dev accounts to permanent complimentary
+Pro per the self-serve signup spec section 5. Forward-only; downgrade is
+prohibited because original status is not preserved.
+"""
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+
+
+revision: str = "c6cbfc534fad"
+down_revision: Union[str, None] = "c982a3fc4bf1"
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    """Set status='complimentary' and plan='pro' for all existing accounts that
+    don't have a canceled or past_due subscription. Pilot users transition to
+    permanent complimentary Pro per spec section 5.
+
+    Forward-only — does not preserve original status values."""
+    conn = op.get_bind()
+    # Update existing rows
+    conn.execute(sa.text("""
+        UPDATE subscriptions
+        SET status = 'complimentary', plan = 'pro',
+            current_period_end = NULL, current_period_start = NULL,
+            updated_at = now()
+        WHERE status NOT IN ('canceled', 'past_due')
+    """))
+    # Backfill: any account without a Subscription row gets one
+    conn.execute(sa.text("""
+        INSERT INTO subscriptions (id, account_id, plan, status, cancel_at_period_end, created_at, updated_at)
+        SELECT gen_random_uuid(), a.id, 'pro', 'complimentary', false, now(), now()
+        FROM accounts a
+        WHERE NOT EXISTS (SELECT 1 FROM subscriptions s WHERE s.account_id = a.id)
+    """))
+
+
+def downgrade() -> None:
+    raise RuntimeError(
+        "Cannot downgrade: original subscription state is not preserved. "
+        "Restore from backup if needed."
+    )
--- a/backend/alembic/versions/c982a3fc4bf1_add_stripe_events.py
+++ b/backend/alembic/versions/c982a3fc4bf1_add_stripe_events.py
@@ -0,0 +1,45 @@
+"""add stripe_events
+
+Revision ID: c982a3fc4bf1
+Revises: f7da3f93b519
+Create Date: 2026-05-06 07:32:08.027633
+
+"""
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+from sqlalchemy.dialects.postgresql import JSONB
+
+
+# revision identifiers, used by Alembic.
+revision: str = 'c982a3fc4bf1'
+down_revision: Union[str, None] = 'f7da3f93b519'
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    op.create_table(
+        "stripe_events",
+        sa.Column("id", sa.String(length=255), primary_key=True, nullable=False),
+        sa.Column("event_type", sa.String(length=100), nullable=False),
+        sa.Column(
+            "processed_at",
+            sa.DateTime(timezone=True),
+            nullable=False,
+            server_default=sa.func.now(),
+        ),
+        sa.Column(
+            "payload_excerpt",
+            JSONB,
+            nullable=False,
+            server_default=sa.text("'{}'::jsonb"),
+        ),
+    )
+    op.create_index("ix_stripe_events_event_type", "stripe_events", ["event_type"])
+
+
+def downgrade() -> None:
+    op.drop_index("ix_stripe_events_event_type", table_name="stripe_events")
+    op.drop_table("stripe_events")
--- a/backend/alembic/versions/e1af7ab57ceb_accounts_add_wizard_columns.py
+++ b/backend/alembic/versions/e1af7ab57ceb_accounts_add_wizard_columns.py
@@ -0,0 +1,28 @@
+"""accounts add wizard columns
+
+Revision ID: e1af7ab57ceb
+Revises: 58e3caaa6269
+Create Date: 2026-05-06 07:27:15.755518
+
+"""
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision: str = 'e1af7ab57ceb'
+down_revision: Union[str, None] = '58e3caaa6269'
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    op.add_column("accounts", sa.Column("team_size_bucket", sa.String(20), nullable=True))
+    op.add_column("accounts", sa.Column("primary_psa", sa.String(20), nullable=True))
+
+
+def downgrade() -> None:
+    op.drop_column("accounts", "primary_psa")
+    op.drop_column("accounts", "team_size_bucket")
--- a/backend/alembic/versions/f236a91224d0_add_plan_billing.py
+++ b/backend/alembic/versions/f236a91224d0_add_plan_billing.py
@@ -0,0 +1,41 @@
+"""add plan_billing
+
+Revision ID: f236a91224d0
+Revises: 2aa73d3231c2
+Create Date: 2026-05-06 07:30:06.807887
+
+"""
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision: str = 'f236a91224d0'
+down_revision: Union[str, None] = '2aa73d3231c2'
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    op.create_table(
+        "plan_billing",
+        sa.Column("plan", sa.String(50), sa.ForeignKey("plan_limits.plan"), primary_key=True),
+        sa.Column("display_name", sa.String(255), nullable=False),
+        sa.Column("description", sa.Text(), nullable=True),
+        sa.Column("monthly_price_cents", sa.Integer(), nullable=True),
+        sa.Column("annual_price_cents", sa.Integer(), nullable=True),
+        sa.Column("stripe_product_id", sa.String(255), nullable=True),
+        sa.Column("stripe_monthly_price_id", sa.String(255), nullable=True),
+        sa.Column("stripe_annual_price_id", sa.String(255), nullable=True),
+        sa.Column("is_public", sa.Boolean(), nullable=False, server_default=sa.text("true")),
+        sa.Column("is_archived", sa.Boolean(), nullable=False, server_default=sa.text("false")),
+        sa.Column("sort_order", sa.Integer(), nullable=False, server_default=sa.text("0")),
+        sa.Column("created_at", sa.DateTime(timezone=True), nullable=False, server_default=sa.func.now()),
+        sa.Column("updated_at", sa.DateTime(timezone=True), nullable=False, server_default=sa.func.now()),
+    )
+
+
+def downgrade() -> None:
+    op.drop_table("plan_billing")
--- a/backend/alembic/versions/f7da3f93b519_add_sales_leads.py
+++ b/backend/alembic/versions/f7da3f93b519_add_sales_leads.py
@@ -0,0 +1,57 @@
+"""add sales_leads
+
+Revision ID: f7da3f93b519
+Revises: f236a91224d0
+Create Date: 2026-05-06 07:31:39.533305
+
+"""
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+from sqlalchemy.dialects.postgresql import UUID
+
+
+# revision identifiers, used by Alembic.
+revision: str = 'f7da3f93b519'
+down_revision: Union[str, None] = 'f236a91224d0'
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    op.create_table(
+        "sales_leads",
+        sa.Column("id", UUID(as_uuid=True), primary_key=True, nullable=False),
+        sa.Column("email", sa.String(length=255), nullable=False),
+        sa.Column("name", sa.String(length=255), nullable=False),
+        sa.Column("company", sa.String(length=255), nullable=False),
+        sa.Column("team_size", sa.String(length=20), nullable=True),
+        sa.Column("message", sa.Text(), nullable=True),
+        sa.Column("source", sa.String(length=50), nullable=False),
+        sa.Column("posthog_distinct_id", sa.String(length=255), nullable=True),
+        sa.Column(
+            "status",
+            sa.String(length=20),
+            nullable=False,
+            server_default=sa.text("'new'"),
+        ),
+        sa.Column(
+            "created_at",
+            sa.DateTime(timezone=True),
+            nullable=False,
+            server_default=sa.func.now(),
+        ),
+        sa.Column(
+            "updated_at",
+            sa.DateTime(timezone=True),
+            nullable=False,
+            server_default=sa.func.now(),
+        ),
+    )
+    op.create_index("ix_sales_leads_email", "sales_leads", ["email"])
+
+
+def downgrade() -> None:
+    op.drop_index("ix_sales_leads_email", table_name="sales_leads")
+    op.drop_table("sales_leads")
--- a/backend/alembic/versions/ff6fe5895ea2_extend_flow_proposals_l1.py
+++ b/backend/alembic/versions/ff6fe5895ea2_extend_flow_proposals_l1.py
@@ -0,0 +1,52 @@
+"""extend_flow_proposals_l1
+
+Revision ID: ff6fe5895ea2
+Revises: a8186f22506d
+Create Date: 2026-05-28 16:26:06.932886
+
+"""
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision: str = 'ff6fe5895ea2'
+down_revision: Union[str, None] = 'a8186f22506d'
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    op.add_column('flow_proposals', sa.Column('source', sa.String(30), nullable=True))
+    op.add_column('flow_proposals', sa.Column('linked_ticket_id', sa.String(64), nullable=True))
+    op.add_column('flow_proposals', sa.Column('linked_ticket_kind', sa.String(10), nullable=True))
+    op.add_column(
+        'flow_proposals',
+        sa.Column('validated_by_outcome', sa.Boolean(), nullable=False, server_default='false'),
+    )
+
+    # Backfill existing rows then enforce NOT NULL on source
+    op.execute("UPDATE flow_proposals SET source = 'manual_draft' WHERE source IS NULL")
+    op.alter_column('flow_proposals', 'source', nullable=False)
+
+    op.create_check_constraint(
+        'ck_flow_proposals_source',
+        'flow_proposals',
+        "source IN ('ai_realtime_l1', 'kb_accelerator', 'manual_draft', 'ai_promoted')",
+    )
+    op.create_check_constraint(
+        'ck_flow_proposals_linked_ticket_kind',
+        'flow_proposals',
+        "linked_ticket_kind IS NULL OR linked_ticket_kind IN ('psa', 'internal')",
+    )
+
+
+def downgrade() -> None:
+    op.drop_constraint('ck_flow_proposals_linked_ticket_kind', 'flow_proposals', type_='check')
+    op.drop_constraint('ck_flow_proposals_source', 'flow_proposals', type_='check')
+    op.drop_column('flow_proposals', 'validated_by_outcome')
+    op.drop_column('flow_proposals', 'linked_ticket_kind')
+    op.drop_column('flow_proposals', 'linked_ticket_id')
+    op.drop_column('flow_proposals', 'source')
--- a/backend/app/api/deps.py
+++ b/backend/app/api/deps.py
@@ -7,7 +7,13 @@ from sqlalchemy import select
 import sentry_sdk

 from app.core.database import get_db
-from app.core.security import decode_token
+from jose import JWTError
+
+from app.core.security import (
+    IdleTokenExpired,
+    decode_refresh_token_strict,
+    decode_token,
+)
 from app.models.user import User
 from app.models.plan_limits import PlanLimits
 from app.core.tenant_context import set_current_account_id, clear_current_account_id
@@ -64,15 +70,72 @@ async def get_current_user(
    return user


+async def get_current_user_optional(
+    request: Request,
+    db: Annotated[AsyncSession, Depends(get_admin_db)],
+) -> Optional[User]:
+    """Best-effort current user for endpoints that work both anonymous and authed.
+
+    Returns None on missing/invalid/expired token instead of raising. Used by
+    surfaces like /config/public that anonymous clients can hit but where an
+    authenticated user gets a tailored response (e.g. INTERNAL_TESTER_EMAILS
+    allowlist override).
+    """
+    auth_header = request.headers.get("Authorization") or request.headers.get("authorization")
+    if not auth_header or not auth_header.lower().startswith("bearer "):
+        return None
+    token = auth_header.split(None, 1)[1].strip()
+    if not token:
+        return None
+
+    payload = decode_token(token)
+    if payload is None or payload.get("type") != "access":
+        return None
+
+    user_id = payload.get("sub")
+    if user_id is None:
+        return None
+    try:
+        user_uuid = UUID(user_id)
+    except ValueError:
+        return None
+
+    result = await db.execute(select(User).where(User.id == user_uuid))
+    return result.scalar_one_or_none()
+
+
 async def get_refresh_token_payload(
    token: Annotated[str, Depends(oauth2_scheme)]
 ) -> dict:
-    """Extract and validate a refresh token from the Authorization header."""
-    payload = decode_token(token)
-    if payload is None or payload.get("type") != "refresh":
+    """Extract and validate a refresh token from the Authorization header.
+
+    Returns one of three outcomes via HTTP 401 `detail`:
+    - `session_expired_idle` — JWT signature valid but `exp` past
+    - `invalid_refresh_token` — any other decode failure, or `type != "refresh"`
+    - (200 path) — returns the decoded payload
+
+    The frontend uses these to choose between the "your session ended for
+    security" banner and a plain logout redirect. See
+    docs/plans/2026-05-13-session-expiration-policy.md §4.10.
+    """
+    try:
+        payload = decode_refresh_token_strict(token)
+    except IdleTokenExpired:
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
-            detail="Invalid refresh token",
+            detail="session_expired_idle",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+    except JWTError:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="invalid_refresh_token",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+    if payload.get("type") != "refresh":
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="invalid_refresh_token",
            headers={"WWW-Authenticate": "Bearer"},
        )
    return payload
@@ -83,11 +146,12 @@ async def get_current_active_user(
    current_user: Annotated[User, Depends(get_current_user)],
    db: Annotated[AsyncSession, Depends(get_admin_db)],
 ) -> User:
-    """Ensure user is active (not disabled). Auto-downgrades expired trials.
-    Enforces must_change_password — blocks all routes except allowlist.
+    """Ensure user is active (not disabled). Enforces must_change_password —
+    blocks all routes except allowlist.

-    Uses get_admin_db: runs before require_tenant_context sets the ContextVar,
-    so tenant-scoped tables (subscriptions) would return 0 rows via app role.
+    Trial expiry enforcement now happens via require_active_subscription in
+    individual routers, NOT here. This dep no longer mutates Subscription
+    state.
    """
    if not current_user.is_active:
        raise HTTPException(
@@ -106,26 +170,6 @@ async def get_current_active_user(
    # Set Sentry user context for error attribution
    sentry_sdk.set_user({"id": str(current_user.id), "email": current_user.email})

-    # Lightweight trial expiry check
-    if current_user.account_id:
-        from app.models.subscription import Subscription
-        from datetime import datetime, timezone
-        result = await db.execute(
-            select(Subscription).where(Subscription.account_id == current_user.account_id)
-        )
-        subscription = result.scalar_one_or_none()
-        if (
-            subscription
-            and subscription.status == "trialing"
-            and subscription.current_period_end
-            and subscription.current_period_end < datetime.now(timezone.utc)
-        ):
-            subscription.plan = "free"
-            subscription.status = "active"
-            subscription.current_period_end = None
-            subscription.current_period_start = None
-            await db.commit()
-
    return current_user


@@ -155,6 +199,53 @@ async def require_engineer_or_admin(
    )


+async def require_l1(
+    current_user: Annotated[User, Depends(get_current_active_user)]
+) -> User:
+    """L1 tech exact-match (with super_admin bypass for support)."""
+    if current_user.is_super_admin:
+        return current_user
+    if current_user.account_role != "l1_tech":
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="L1 tech role required",
+        )
+    return current_user
+
+
+async def require_l1_or_coverage(
+    current_user: Annotated[User, Depends(get_current_active_user)]
+) -> User:
+    """L1 endpoints: l1_tech, owners, super_admin, or engineers with can_cover_l1=True."""
+    if current_user.is_super_admin:
+        return current_user
+    role = current_user.account_role
+    if role == "l1_tech":
+        return current_user
+    if role == "owner":
+        return current_user
+    if role == "engineer" and current_user.can_cover_l1:
+        return current_user
+    raise HTTPException(
+        status_code=status.HTTP_403_FORBIDDEN,
+        detail="L1 access requires l1_tech role or engineer coverage flag",
+    )
+
+
+async def require_l1_or_above(
+    current_user: Annotated[User, Depends(get_current_active_user)]
+) -> User:
+    """Any tier from l1_tech upward (l1_tech, engineer, owner, super_admin)."""
+    if current_user.is_super_admin:
+        return current_user
+    if current_user.account_role in ("l1_tech", "engineer", "owner"):
+        return current_user
+    raise HTTPException(
+        status_code=status.HTTP_403_FORBIDDEN,
+        detail="L1 or above required",
+    )
+
+
 async def require_team_admin(
    current_user: Annotated[User, Depends(get_current_active_user)]
 ) -> User:
@@ -241,3 +332,117 @@ async def require_admin_db(
    the user object is needed in the handler.
    """
    return db
+
+
+_SUBSCRIPTION_GUARD_ALLOWLIST = {
+    "/api/v1/auth/me",
+    "/api/v1/auth/logout",
+    "/api/v1/auth/password/change",
+    "/api/v1/auth/email/send-verification",
+    "/api/v1/auth/email/verify",
+    "/api/v1/billing/state",
+    "/api/v1/billing/checkout-session",
+    "/api/v1/billing/portal-session",
+    "/api/v1/users/me",
+    "/api/v1/users/me/onboarding-step",
+    "/api/v1/users/me/onboarding-dismiss-rest",
+}
+
+
+async def require_active_subscription(
+    request: Request,
+    current_user: Annotated[User, Depends(get_current_active_user)],
+    db: Annotated[AsyncSession, Depends(get_admin_db)],
+):
+    """Returns the Subscription row when the account has access; raises 402
+    when locked. Mounted on routers requiring Pro entitlement.
+
+    'Locked' = (trialing AND current_period_end < now()) OR
+              (canceled OR incomplete OR no subscription).
+    Active states: active, complimentary, trialing-with-time-remaining, past_due.
+    """
+    if request.url.path in _SUBSCRIPTION_GUARD_ALLOWLIST:
+        return None
+
+    from app.models.subscription import Subscription
+    from datetime import datetime, timezone
+
+    result = await db.execute(
+        select(Subscription).where(Subscription.account_id == current_user.account_id)
+    )
+    sub = result.scalar_one_or_none()
+
+    if sub is None:
+        raise HTTPException(
+            status_code=402,
+            detail={"error": "no_subscription", "upgrade_url": "/account/billing/select-plan"},
+        )
+
+    now = datetime.now(timezone.utc)
+    is_live = (
+        sub.status in ("active", "complimentary", "past_due")
+        or (
+            sub.status == "trialing"
+            and sub.current_period_end is not None
+            and sub.current_period_end > now
+        )
+    )
+    if not is_live:
+        raise HTTPException(
+            status_code=402,
+            detail={
+                "error": "subscription_inactive",
+                "status": sub.status,
+                "plan": sub.plan,
+                "current_period_end": sub.current_period_end.isoformat() if sub.current_period_end else None,
+                "upgrade_url": "/account/billing/select-plan",
+            },
+        )
+
+    return sub
+
+
+_EMAIL_VERIFICATION_ALLOWLIST = {
+    "/api/v1/auth/me",
+    "/api/v1/auth/logout",
+    "/api/v1/auth/email/send-verification",
+    "/api/v1/auth/email/verify",
+    "/api/v1/auth/password/change",
+    "/api/v1/users/me",
+    "/api/v1/users/me/onboarding-step",
+    "/api/v1/users/me/onboarding-dismiss-rest",
+    "/api/v1/billing/state",
+    "/api/v1/billing/checkout-session",
+    "/api/v1/billing/portal-session",
+}
+
+VERIFICATION_GRACE_DAYS = 7
+
+
+async def require_verified_email_after_grace(
+    request: Request,
+    current_user: Annotated[User, Depends(get_current_active_user)],
+):
+    """Enforces 'this user has verified email OR is still in 7-day grace.'
+    OAuth signups bypass cleanly because /auth/{google,microsoft}/callback
+    sets users.email_verified_at = now() (provider-attested)."""
+    from datetime import datetime, timezone, timedelta
+
+    if request.url.path in _EMAIL_VERIFICATION_ALLOWLIST:
+        return
+
+    if current_user.email_verified_at is not None:
+        return
+
+    grace_ends = current_user.created_at + timedelta(days=VERIFICATION_GRACE_DAYS)
+    if datetime.now(timezone.utc) < grace_ends:
+        return
+
+    raise HTTPException(
+        status_code=403,
+        detail={
+            "error": "email_not_verified",
+            "grace_ended_at": grace_ends.isoformat(),
+            "resend_url": "/api/v1/auth/email/send-verification",
+        },
+    )
--- a/backend/app/api/endpoints/account_invite_lookup.py
+++ b/backend/app/api/endpoints/account_invite_lookup.py
@@ -0,0 +1,54 @@
+"""Public endpoint for resolving an account invite code into display info.
+
+Mounted as a public route (no tenant context, no auth) — used by the
+/accept-invite page on the frontend so an invitee can see what account they
+are about to join before they sign up. Uses the BYPASSRLS admin session
+factory because account_invites is account-scoped under Phase 4 RLS but the
+caller has no tenant identity yet.
+"""
+
+from typing import Annotated
+
+from fastapi import APIRouter, Depends, HTTPException
+from sqlalchemy import select
+from sqlalchemy.ext.asyncio import AsyncSession
+from sqlalchemy.orm import joinedload
+
+from app.core.admin_database import get_admin_db
+from app.models.account_invite import AccountInvite
+from app.schemas.oauth import InviteLookupResponse
+
+router = APIRouter(prefix="/accounts", tags=["account-invite-lookup"])
+
+
+@router.get("/invites/{code}/lookup", response_model=InviteLookupResponse)
+async def lookup_invite(
+    code: str,
+    db: Annotated[AsyncSession, Depends(get_admin_db)],
+) -> InviteLookupResponse:
+    """Return minimal display data for a valid (unused, unexpired, not revoked)
+    invite. Returns 404 with `invite_invalid_or_expired_or_revoked` for any
+    invalid state — the AcceptInvitePage shows a single "ask the inviter to
+    resend" message regardless of which condition failed (anti-enumeration)."""
+    result = await db.execute(
+        select(AccountInvite)
+        .where(AccountInvite.code == code)
+        .options(
+            joinedload(AccountInvite.account),
+            joinedload(AccountInvite.invited_by),
+        )
+    )
+    invite = result.scalar_one_or_none()
+
+    if invite is None or not invite.is_valid:
+        raise HTTPException(
+            status_code=404,
+            detail={"error": "invite_invalid_or_expired_or_revoked"},
+        )
+
+    return InviteLookupResponse(
+        account_name=invite.account.name,
+        inviter_name=invite.invited_by.name,
+        invited_email=invite.email,
+        role=invite.role,
+    )
--- a/backend/app/api/endpoints/account_security.py
+++ b/backend/app/api/endpoints/account_security.py
@@ -0,0 +1,214 @@
+"""Account session-policy endpoints — owner-only.
+
+GET /accounts/me/security  — read the policy + system bounds.
+PATCH /accounts/me/security — set or clear the per-account override.
+
+POST /accounts/me/security/revoke-sessions lands in the next commit.
+
+See docs/plans/2026-05-13-session-expiration-policy.md §4.7 / §4.11.
+"""
+from datetime import datetime, timezone
+from typing import Annotated
+
+from fastapi import APIRouter, Depends, HTTPException, status
+from sqlalchemy import select, update as sa_update
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from app.api.deps import require_account_owner
+from app.core.admin_database import get_admin_db
+from app.core.audit import log_audit
+from app.core.config import settings
+from app.core.security import resolve_session_policy
+from app.models.account import Account
+from app.models.refresh_token import RefreshToken
+from app.models.user import User
+from app.schemas.account_security import (
+    ActiveUser,
+    RevokeSessionsRequest,
+    RevokeSessionsResponse,
+    SessionPolicyResponse,
+    SessionPolicyUpdateRequest,
+)
+
+router = APIRouter(prefix="/accounts/me/security", tags=["account-security"])
+
+
+def _policy_response(
+    account: Account, active_users: list[ActiveUser]
+) -> SessionPolicyResponse:
+    eff_idle, eff_abs = resolve_session_policy(account)
+    return SessionPolicyResponse(
+        idle_minutes=account.session_idle_minutes,
+        absolute_minutes=account.session_absolute_minutes,
+        effective_idle_minutes=eff_idle,
+        effective_absolute_minutes=eff_abs,
+        idle_minutes_min=settings.SESSION_IDLE_MINUTES_MIN,
+        idle_minutes_max=settings.SESSION_IDLE_MINUTES_MAX,
+        absolute_minutes_min=settings.SESSION_ABSOLUTE_MINUTES_MIN,
+        absolute_minutes_max=settings.SESSION_ABSOLUTE_MINUTES_MAX,
+        active_users=active_users,
+    )
+
+
+async def _load_account(db: AsyncSession, account_id) -> Account:
+    return (
+        await db.execute(select(Account).where(Account.id == account_id))
+    ).scalar_one()
+
+
+async def _load_active_users(db: AsyncSession, account_id) -> list[ActiveUser]:
+    """Return distinct users in this account who currently hold an
+    un-revoked refresh token. See plan §4.7."""
+    from app.models.refresh_token import RefreshToken
+
+    stmt = (
+        select(User.id, User.name, User.email, User.last_login)
+        .join(RefreshToken, RefreshToken.user_id == User.id)
+        .where(User.account_id == account_id, RefreshToken.revoked_at.is_(None))
+        .distinct()
+        .order_by(User.last_login.desc().nulls_last())
+    )
+    rows = (await db.execute(stmt)).all()
+    return [
+        ActiveUser(user_id=row.id, name=row.name, email=row.email, last_login_at=row.last_login)
+        for row in rows
+    ]
+
+
+@router.get("", response_model=SessionPolicyResponse)
+async def get_session_policy(
+    current_user: Annotated[User, Depends(require_account_owner)],
+    db: Annotated[AsyncSession, Depends(get_admin_db)],
+):
+    account = await _load_account(db, current_user.account_id)
+    active_users = await _load_active_users(db, current_user.account_id)
+    return _policy_response(account, active_users)
+
+
+@router.patch("", response_model=SessionPolicyResponse)
+async def update_session_policy(
+    body: SessionPolicyUpdateRequest,
+    current_user: Annotated[User, Depends(require_account_owner)],
+    db: Annotated[AsyncSession, Depends(get_admin_db)],
+):
+    account = await _load_account(db, current_user.account_id)
+
+    # Snapshot effective values BEFORE change, for audit.
+    old_idle = account.session_idle_minutes
+    old_abs = account.session_absolute_minutes
+    effective_old_idle, effective_old_abs = resolve_session_policy(account)
+
+    new_idle = body.idle_minutes
+    new_abs = body.absolute_minutes
+
+    # Per-field bound checks. NULL clears the override and is always valid.
+    if new_idle is not None and not (
+        settings.SESSION_IDLE_MINUTES_MIN <= new_idle <= settings.SESSION_IDLE_MINUTES_MAX
+    ):
+        raise HTTPException(
+            status_code=status.HTTP_422_UNPROCESSABLE_ENTITY,
+            detail=(
+                f"idle_minutes must be between {settings.SESSION_IDLE_MINUTES_MIN} "
+                f"and {settings.SESSION_IDLE_MINUTES_MAX}"
+            ),
+        )
+    if new_abs is not None and not (
+        settings.SESSION_ABSOLUTE_MINUTES_MIN <= new_abs <= settings.SESSION_ABSOLUTE_MINUTES_MAX
+    ):
+        raise HTTPException(
+            status_code=status.HTTP_422_UNPROCESSABLE_ENTITY,
+            detail=(
+                f"absolute_minutes must be between {settings.SESSION_ABSOLUTE_MINUTES_MIN} "
+                f"and {settings.SESSION_ABSOLUTE_MINUTES_MAX}"
+            ),
+        )
+
+    # Effective-value invariant: idle must not exceed absolute after defaults.
+    # The DB CHECK only catches the both-set case; this catches the partial-
+    # override case where (e.g.) idle=43200 with absolute=NULL would yield an
+    # effective idle larger than the system default absolute.
+    effective_new_idle = new_idle if new_idle is not None else settings.SESSION_IDLE_MINUTES_DEFAULT
+    effective_new_abs = new_abs if new_abs is not None else settings.SESSION_ABSOLUTE_MINUTES_DEFAULT
+    if effective_new_idle > effective_new_abs:
+        raise HTTPException(
+            status_code=status.HTTP_422_UNPROCESSABLE_ENTITY,
+            detail=(
+                f"Effective idle ({effective_new_idle}min) cannot exceed effective "
+                f"absolute ({effective_new_abs}min)"
+            ),
+        )
+
+    account.session_idle_minutes = new_idle
+    account.session_absolute_minutes = new_abs
+
+    await log_audit(
+        db,
+        user_id=current_user.id,
+        account_id=account.id,
+        action="account.session_policy_update",
+        resource_type="account",
+        resource_id=account.id,
+        details={
+            "old": {"idle_minutes": old_idle, "absolute_minutes": old_abs},
+            "new": {"idle_minutes": new_idle, "absolute_minutes": new_abs},
+            "effective_old": {
+                "idle_minutes": effective_old_idle,
+                "absolute_minutes": effective_old_abs,
+            },
+            "effective_new": {
+                "idle_minutes": effective_new_idle,
+                "absolute_minutes": effective_new_abs,
+            },
+        },
+    )
+    await db.commit()
+    await db.refresh(account)
+    active_users = await _load_active_users(db, account.id)
+    return _policy_response(account, active_users)
+
+
+@router.post("/revoke-sessions", response_model=RevokeSessionsResponse)
+async def revoke_sessions(
+    body: RevokeSessionsRequest,
+    current_user: Annotated[User, Depends(require_account_owner)],
+    db: Annotated[AsyncSession, Depends(get_admin_db)],
+):
+    """Bulk-revoke refresh tokens for users in the caller's account.
+
+    `scope="all"` revokes every active session in the account, including
+    the caller's own. `scope="others"` preserves the caller's sessions.
+    The caller's access token is NOT revoked (we don't track access JTIs);
+    it dies on its 5-minute timer. For `scope="all"`, the frontend is
+    expected to log the caller out locally after the response.
+
+    See docs/plans/2026-05-13-session-expiration-policy.md §4.11.
+    """
+    # Subquery: refresh-token rows belonging to users in this account.
+    user_ids_subq = select(User.id).where(User.account_id == current_user.account_id)
+
+    stmt = (
+        sa_update(RefreshToken)
+        .where(
+            RefreshToken.user_id.in_(user_ids_subq),
+            RefreshToken.revoked_at.is_(None),
+        )
+        .values(revoked_at=datetime.now(timezone.utc))
+        .returning(RefreshToken.id)
+    )
+    if body.scope == "others":
+        stmt = stmt.where(RefreshToken.user_id != current_user.id)
+
+    result = await db.execute(stmt)
+    revoked_count = len(result.all())
+
+    await log_audit(
+        db,
+        user_id=current_user.id,
+        account_id=current_user.account_id,
+        action="account.sessions_revoked_bulk",
+        resource_type="account",
+        resource_id=current_user.account_id,
+        details={"scope": body.scope, "revoked_count": revoked_count},
+    )
+    await db.commit()
+    return RevokeSessionsResponse(revoked_count=revoked_count)
--- a/backend/app/api/endpoints/accounts.py
+++ b/backend/app/api/endpoints/accounts.py
@@ -19,15 +19,56 @@ from app.models.account_invite import AccountInvite
 from app.models.account_settings import AccountSettings
 from app.models.subscription import Subscription
 from app.models.user import User
-from app.schemas.account import AccountResponse, AccountUpdate, AccountInviteCreate, AccountInviteResponse, TransferOwnershipRequest
+from app.schemas.account import AccountResponse, AccountUpdate, AccountInviteCreate, AccountInviteResponse, AccountInviteBulkCreate, AccountInviteBulkResponse, TransferOwnershipRequest
 from app.schemas.subscription import SubscriptionResponse, PlanLimitsResponse, UsageResponse, SubscriptionDetails
-from app.schemas.user import UserResponse, AccountRoleUpdate
+from app.schemas.user import UserResponse, AccountRoleUpdate, CoverageUpdate
 from app.core.security import verify_password
-from app.api.deps import get_current_active_user, require_account_owner
+from app.api.deps import get_current_active_user, require_account_owner, require_engineer_or_admin
+from app.services.seat_enforcement import check_seat_available, get_seat_usage
+from app.schemas.seat_enforcement import SeatUsage
+
+_SEAT_CHECKED_ROLES = frozenset({"engineer", "l1_tech"})

 router = APIRouter(prefix="/accounts", tags=["accounts"])


+async def _load_account(db: AsyncSession, account_id: UUID) -> Account:
+    """Load an Account by id; raises 404 if missing."""
+    result = await db.execute(select(Account).where(Account.id == account_id))
+    account = result.scalar_one_or_none()
+    if account is None:
+        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Account not found")
+    return account
+
+
+async def _enforce_seat_limit(db: AsyncSession, account_id: UUID, role: str) -> None:
+    """Raise HTTP 402 if the account has no capacity for the given role.
+
+    Only fires for seat-counted roles (engineer, l1_tech).
+    Accounts without a subscription (free / pre-billing) are not blocked.
+    Grandfathering: if current > limit, existing users keep access; this
+    helper only blocks new additions.
+    """
+    if role not in _SEAT_CHECKED_ROLES:
+        return
+    sub = await get_account_subscription(account_id, db)
+    if sub is None:
+        return  # no subscription → no enforcement
+    account = await _load_account(db, account_id)
+    seat_result = await check_seat_available(account, sub, role, db)
+    if not seat_result.available:
+        raise HTTPException(
+            status_code=status.HTTP_402_PAYMENT_REQUIRED,
+            detail={
+                "code": "seat_limit_exceeded",
+                "role": seat_result.role,
+                "current": seat_result.current,
+                "limit": seat_result.limit,
+                "upgrade_url": "/account/billing",
+            },
+        )
+
+
@router.get("/me", response_model=AccountResponse)
 async def get_my_account(
    db: Annotated[AsyncSession, Depends(get_db)],
@@ -88,6 +129,41 @@ async def get_my_members(
    return result.scalars().all()


+@router.get("/me/seats", response_model=SeatUsage)
+async def get_my_account_seat_usage(
+    db: Annotated[AsyncSession, Depends(get_db)],
+    current_user: Annotated[User, Depends(require_engineer_or_admin)],
+):
+    """Returns engineer + l1_tech seat-usage counts. Accessible to engineer+.
+
+    Powers the SeatCounterWidget on admin/users and account/users surfaces.
+    """
+    account = await _load_account(db, current_user.account_id)
+    sub = await get_account_subscription(current_user.account_id, db)
+    if sub is None:
+        # No subscription → treat as unlimited; return live counts with no limit
+        from sqlalchemy import func
+        engineer_count = (await db.execute(
+            select(func.count(User.id))
+            .where(User.account_id == account.id)
+            .where(User.account_role == "engineer")
+            .where(User.is_active.is_(True))
+        )).scalar_one()
+        l1_count = (await db.execute(
+            select(func.count(User.id))
+            .where(User.account_id == account.id)
+            .where(User.account_role == "l1_tech")
+            .where(User.is_active.is_(True))
+        )).scalar_one()
+        from app.schemas.seat_enforcement import SeatCheckResult
+        return SeatUsage(
+            engineer=SeatCheckResult(available=True, current=engineer_count, limit=None, role="engineer"),
+            l1_tech=SeatCheckResult(available=True, current=l1_count, limit=None, role="l1_tech"),
+        )
+    engineer, l1_tech = await get_seat_usage(account, sub, db)
+    return SeatUsage(engineer=engineer, l1_tech=l1_tech)
+
+
@router.patch("/me", response_model=AccountResponse)
 async def update_my_account(
    data: AccountUpdate,
@@ -141,12 +217,54 @@ async def update_member_role(
            detail="Cannot change your own role"
        )

+    # Seat enforcement: check capacity before promoting to a seat-counted role.
+    # Demotions (engineer/l1_tech → viewer) and lateral moves skip the check.
+    if data.account_role != user.account_role:
+        await _enforce_seat_limit(db, current_user.account_id, data.account_role)
+
    user.account_role = data.account_role
    await db.commit()
    await db.refresh(user)
    return user


+@router.patch("/me/members/{user_id}/coverage", response_model=UserResponse)
+async def update_member_coverage(
+    user_id: UUID,
+    data: CoverageUpdate,
+    db: Annotated[AsyncSession, Depends(get_db)],
+    current_user: Annotated[User, Depends(require_account_owner)],
+):
+    """Toggle the `can_cover_l1` flag on an engineer in your account.
+
+    Owner-only. Returns 404 if target user not in your account. Returns 422
+    if target user's role is not 'engineer' (coverage flag only applies to
+    engineers — owners/super_admins already see L1 surface; viewers/l1_techs
+    don't need this flag).
+    """
+    result = await db.execute(
+        select(User).where(
+            User.id == user_id,
+            User.account_id == current_user.account_id,
+        )
+    )
+    target = result.scalar_one_or_none()
+    if target is None:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="User not found in your account",
+        )
+    if target.account_role != "engineer":
+        raise HTTPException(
+            status_code=status.HTTP_422_UNPROCESSABLE_ENTITY,
+            detail="can_cover_l1 only applies to engineers",
+        )
+    target.can_cover_l1 = data.can_cover_l1
+    await db.commit()
+    await db.refresh(target)
+    return target
+
+
@router.post("/me/transfer-ownership", response_model=AccountResponse)
 async def transfer_ownership(
    data: TransferOwnershipRequest,
@@ -260,7 +378,10 @@ async def create_invite(
    db: Annotated[AsyncSession, Depends(get_db)],
    current_user: Annotated[User, Depends(require_account_owner)]
 ):
-    """Create an invite to join this account (owner only)."""
+    """Create an invite to join this account (owner only). Sends invite email."""
+    # Seat enforcement: block invite if the target role is at capacity.
+    await _enforce_seat_limit(db, current_user.account_id, data.role)
+
    code = secrets.token_urlsafe(16)

    expires_at = None
@@ -276,11 +397,115 @@ async def create_invite(
        expires_at=expires_at,
    )
    db.add(invite)
+    await db.flush()
+
+    # Lookup account name for email
+    account_result = await db.execute(
+        select(Account).where(Account.id == current_user.account_id)
+    )
+    account = account_result.scalar_one()
+
+    # Send invite email — non-blocking on failure (function returns False on error)
+    email_sent = await EmailService.send_account_invite_email(
+        to_email=invite.email,
+        code=code,
+        account_name=account.name,
+        role=invite.role,
+    )
+    if email_sent:
+        invite.email_sent_at = datetime.now(timezone.utc)
+
    await db.commit()
    await db.refresh(invite)
    return invite


+@router.post("/me/invites/bulk", response_model=AccountInviteBulkResponse, status_code=status.HTTP_201_CREATED)
+async def create_invites_bulk(
+    payload: AccountInviteBulkCreate,
+    db: Annotated[AsyncSession, Depends(get_db)],
+    current_user: Annotated[User, Depends(require_account_owner)]
+):
+    """Create multiple invites in one call (wizard step 3 supports up to N).
+    Per-row failures are returned in `failed`; successes in `created`."""
+    # Lookup account once for email rendering
+    account_result = await db.execute(
+        select(Account).where(Account.id == current_user.account_id)
+    )
+    account = account_result.scalar_one()
+
+    created: list[AccountInvite] = []
+    failed: list[dict] = []
+    for invite_data in payload.invites:
+        try:
+            # Seat enforcement per invite row — 402 bubbles as an HTTPException
+            # which is caught below and recorded in `failed`.
+            await _enforce_seat_limit(db, current_user.account_id, invite_data.role)
+
+            code = secrets.token_urlsafe(16)
+            expires_at = None
+            if invite_data.expires_in_days:
+                expires_at = datetime.now(timezone.utc) + timedelta(days=invite_data.expires_in_days)
+
+            invite = AccountInvite(
+                account_id=current_user.account_id,
+                invited_by_id=current_user.id,
+                email=invite_data.email,
+                code=code,
+                role=invite_data.role,
+                expires_at=expires_at,
+            )
+            db.add(invite)
+            await db.flush()
+
+            email_sent = await EmailService.send_account_invite_email(
+                to_email=invite.email,
+                code=code,
+                account_name=account.name,
+                role=invite.role,
+            )
+            if email_sent:
+                invite.email_sent_at = datetime.now(timezone.utc)
+
+            created.append(invite)
+        except HTTPException as exc:
+            failed.append({"email": invite_data.email, "error": exc.detail})
+        except Exception as e:
+            failed.append({"email": invite_data.email, "error": str(e)})
+
+    await db.commit()
+    for inv in created:
+        await db.refresh(inv)
+
+    return AccountInviteBulkResponse(created=created, failed=failed)
+
+
+@router.delete("/me/invites/{invite_id}", status_code=status.HTTP_204_NO_CONTENT)
+async def revoke_invite(
+    invite_id: UUID,
+    db: Annotated[AsyncSession, Depends(get_db)],
+    current_user: Annotated[User, Depends(require_account_owner)]
+):
+    """Soft-revoke an invitation by setting revoked_at. Idempotent on already-
+    revoked invites; rejects already-accepted invites."""
+    result = await db.execute(
+        select(AccountInvite).where(
+            AccountInvite.id == invite_id,
+            AccountInvite.account_id == current_user.account_id,
+        )
+    )
+    invite = result.scalar_one_or_none()
+    if not invite:
+        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Invite not found")
+    if invite.is_revoked:
+        return None  # idempotent
+    if invite.is_used:
+        raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="Cannot revoke an accepted invite")
+    invite.revoked_at = datetime.now(timezone.utc)
+    await db.commit()
+    return None
+
+
@router.post("/me/invites/{invite_id}/resend", response_model=AccountInviteResponse)
 async def resend_invite(
    invite_id: UUID,
--- a/backend/app/api/endpoints/admin.py
+++ b/backend/app/api/endpoints/admin.py
@@ -972,7 +972,7 @@ async def update_user_plan(
    current_user: Annotated[User, Depends(require_admin)],
 ):
    """Change a user's subscription plan (super admin only)."""
-    if data.plan not in ("free", "pro", "team"):
+    if data.plan not in ("free", "pro", "starter", "enterprise"):
        raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="Invalid plan")
    user, subscription = await _get_user_subscription(user_id, db)
    old_plan = subscription.plan
@@ -991,7 +991,7 @@ async def update_account_plan(
    current_user: Annotated[User, Depends(require_admin)],
 ):
    """Change an account subscription plan (super admin only)."""
-    if data.plan not in ("free", "pro", "team"):
+    if data.plan not in ("free", "pro", "starter", "enterprise"):
        raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="Invalid plan")
    account, subscription = await _get_account_subscription(account_id, db)
    old_plan = subscription.plan
--- a/backend/app/api/endpoints/admin_dashboard.py
+++ b/backend/app/api/endpoints/admin_dashboard.py
@@ -28,7 +28,7 @@ async def get_dashboard_metrics(
    ) or 0
    paid_accounts = await db.scalar(
        select(func.count()).select_from(Subscription).where(
-            Subscription.plan.in_(["pro", "team"])
+            Subscription.plan.in_(["pro", "starter", "enterprise"])
        )
    ) or 0
    total_trees = await db.scalar(
--- a/backend/app/api/endpoints/admin_plan_limits.py
+++ b/backend/app/api/endpoints/admin_plan_limits.py
@@ -8,34 +8,101 @@ from app.core.database import get_db
 from app.core.audit import log_audit
 from app.models.user import User
 from app.models.plan_limits import PlanLimits
+from app.models.plan_billing import PlanBilling
 from app.models.account import Account
 from app.models.account_limit_override import AccountLimitOverride
+from app.models.subscription import Subscription
 from app.schemas.admin import (
-    PlanLimitResponse, PlanLimitUpdate,
+    PlanLimitResponse, PlanLimitUpdate, PlanLimitWithBillingResponse,
    AccountOverrideCreate, AccountOverrideUpdate, AccountOverrideResponse,
 )
 from app.api.deps import require_admin
+from app.services.billing import BillingService

 router = APIRouter(prefix="/admin", tags=["admin-plan-limits"])


-@router.get("/plan-limits", response_model=list[PlanLimitResponse])
+# Fields on PlanLimitUpdate that map to plan_billing (not plan_limits).
+_PLAN_BILLING_FIELDS = (
+    "display_name",
+    "description",
+    "monthly_price_cents",
+    "annual_price_cents",
+    "stripe_product_id",
+    "stripe_monthly_price_id",
+    "stripe_annual_price_id",
+    "is_public",
+    "is_archived",
+    "sort_order",
+)
+
+# Subset of _PLAN_BILLING_FIELDS that are NOT NULL on the PlanBilling model.
+# These are Optional[...] on PlanLimitUpdate, so a caller sending an explicit
+# null for any of them would otherwise trigger a NOT NULL violation at commit.
+_PLAN_BILLING_NOT_NULL_FIELDS = frozenset({
+    "display_name",
+    "is_public",
+    "is_archived",
+    "sort_order",
+})
+
+
+def _merge_plan_with_billing(
+    plan: PlanLimits, billing: PlanBilling | None
+) -> PlanLimitWithBillingResponse:
+    """Build a merged response. Billing fields are None when no plan_billing row
+    exists for the plan."""
+    payload = {
+        "plan": plan.plan,
+        "max_trees": plan.max_trees,
+        "max_sessions_per_month": plan.max_sessions_per_month,
+        "max_users": plan.max_users,
+        "custom_branding": plan.custom_branding,
+        "priority_support": plan.priority_support,
+        "export_formats": plan.export_formats or [],
+    }
+    if billing is not None:
+        payload.update({
+            "display_name": billing.display_name,
+            "description": billing.description,
+            "monthly_price_cents": billing.monthly_price_cents,
+            "annual_price_cents": billing.annual_price_cents,
+            "stripe_product_id": billing.stripe_product_id,
+            "stripe_monthly_price_id": billing.stripe_monthly_price_id,
+            "stripe_annual_price_id": billing.stripe_annual_price_id,
+            "is_public": billing.is_public,
+            "is_archived": billing.is_archived,
+            "sort_order": billing.sort_order,
+        })
+    return PlanLimitWithBillingResponse(**payload)
+
+
+@router.get("/plan-limits", response_model=list[PlanLimitWithBillingResponse])
 async def list_plan_limits(
    db: Annotated[AsyncSession, Depends(get_db)],
    current_user: Annotated[User, Depends(require_admin)],
 ):
-    """List all plan limit configurations."""
-    result = await db.execute(select(PlanLimits))
-    return result.scalars().all()
+    """List all plan limit configurations, merged with plan_billing fields
+    where present. Plans without a plan_billing row return None for the
+    billing fields."""
+    rows = (await db.execute(
+        select(PlanLimits, PlanBilling)
+        .outerjoin(PlanBilling, PlanLimits.plan == PlanBilling.plan)
+    )).all()
+    return [_merge_plan_with_billing(pl, pb) for pl, pb in rows]


-@router.put("/plan-limits", response_model=PlanLimitResponse)
+@router.put("/plan-limits", response_model=PlanLimitWithBillingResponse)
 async def update_plan_limits(
    data: PlanLimitUpdate,
    db: Annotated[AsyncSession, Depends(get_db)],
    current_user: Annotated[User, Depends(require_admin)],
 ):
-    """Update a plan's limits."""
+    """Update a plan's limits and (if any plan_billing field is included)
+    upsert the matching plan_billing row in the same transaction. After
+    commit, invalidates the in-process billing cache for accounts on this
+    plan (currently a no-op — see BillingService.invalidate_billing_cache).
+    """
    result = await db.execute(select(PlanLimits).where(PlanLimits.plan == data.plan))
    plan = result.scalar_one_or_none()
    if not plan:
@@ -48,10 +115,50 @@ async def update_plan_limits(
    plan.priority_support = data.priority_support
    plan.export_formats = data.export_formats

-    await log_audit(db, current_user.id, "plan_limits.update", "plan_limits", details={"plan": data.plan})
+    # Did the request include any plan_billing field? (Pydantic gives us
+    # `model_fields_set` to distinguish "user passed null" from "field omitted".)
+    billing_fields_set = data.model_fields_set & set(_PLAN_BILLING_FIELDS)
+    billing: PlanBilling | None = None
+    if billing_fields_set:
+        billing = (await db.execute(
+            select(PlanBilling).where(PlanBilling.plan == data.plan)
+        )).scalar_one_or_none()
+
+        if billing is None:
+            # Create. display_name is required on the model — derive from the
+            # plan name when the caller didn't supply one (e.g. "pro" → "Pro").
+            display_name = data.display_name or data.plan.capitalize()
+            billing = PlanBilling(plan=data.plan, display_name=display_name)
+            db.add(billing)
+
+        # Apply only the fields the caller actually included. Allows partial
+        # updates without clobbering existing values.
+        for field in billing_fields_set:
+            value = getattr(data, field)
+            if value is None and field in _PLAN_BILLING_NOT_NULL_FIELDS:
+                # Don't NULL out a NOT NULL column on update.
+                continue
+            setattr(billing, field, value)
+
+    await log_audit(
+        db, current_user.id, "plan_limits.update", "plan_limits",
+        details={"plan": data.plan, "updated_billing": bool(billing_fields_set)},
+    )
    await db.commit()
    await db.refresh(plan)
-    return plan
+    if billing is not None:
+        await db.refresh(billing)
+
+    # Invalidate any in-process billing cache for accounts on this plan.
+    # TODO: invalidate app.state.billing_cache when added.
+    account_ids = [
+        row[0] for row in (await db.execute(
+            select(Subscription.account_id).where(Subscription.plan == data.plan)
+        )).all()
+    ]
+    await BillingService.invalidate_billing_cache(account_ids)
+
+    return _merge_plan_with_billing(plan, billing)


@router.get("/account-overrides", response_model=list[AccountOverrideResponse])
--- a/backend/app/api/endpoints/auth.py
+++ b/backend/app/api/endpoints/auth.py
@@ -1,3 +1,4 @@
+import logging
 import secrets
 import string
 from datetime import datetime, timezone, timedelta
@@ -19,6 +20,7 @@ from app.core.security import (
    create_email_verification_token,
    decode_token,
    hash_token,
+    resolve_session_policy,
 )
 from app.models.user import User
 from app.models.invite_code import InviteCode
@@ -41,11 +43,21 @@ from app.core.email import EmailService
 from app.api.deps import get_current_active_user, get_refresh_token_payload
 from app.core.audit import log_audit

+logger = logging.getLogger(__name__)
+
 router = APIRouter(prefix="/auth", tags=["authentication"])


-async def _store_refresh_token(db: AsyncSession, refresh_token_str: str, user_id) -> None:
-    """Decode a refresh token JWT and store its hash in the database."""
+async def store_refresh_token(db: AsyncSession, refresh_token_str: str, user_id) -> None:
+    """Decode a refresh token JWT and store its hash in the database.
+
+    Module-public so OAuth callback endpoints (and any future token-issuing
+    surface) can register the JTI in the ``refresh_tokens`` table the same
+    way ``/auth/login`` does. Without this the first ``/auth/refresh`` call
+    will reject the token as "revoked" because no row exists.
+
+    Caller is responsible for committing the session.
+    """
    payload = decode_token(refresh_token_str)
    if payload and payload.get("jti"):
        token_record = RefreshToken(
@@ -56,12 +68,130 @@ async def _store_refresh_token(db: AsyncSession, refresh_token_str: str, user_id
        db.add(token_record)


+async def _mint_session_tokens(user: User, db: AsyncSession) -> Token:
+    """Mint a fresh refresh+access pair for a new login.
+
+    Snapshots the account's current session policy into the refresh JWT
+    (auth_time/idle_max/abs_max) and registers the JTI in refresh_tokens.
+    Caller is responsible for committing the session. Use this for every
+    NEW login (password, OAuth, etc.) — for /auth/refresh use
+    _refresh_session_tokens instead, which carries claims forward.
+
+    See docs/plans/2026-05-13-session-expiration-policy.md §4.6.
+    """
+    account = (
+        await db.execute(select(Account).where(Account.id == user.account_id))
+    ).scalar_one()
+    idle_minutes, abs_minutes = resolve_session_policy(account)
+    idle_max_seconds = idle_minutes * 60
+    abs_max_seconds = abs_minutes * 60
+
+    now = datetime.now(timezone.utc)
+    auth_time_unix = int(now.timestamp())
+
+    refresh_token_str = create_refresh_token(
+        user_id=str(user.id),
+        auth_time=auth_time_unix,
+        idle_max_seconds=idle_max_seconds,
+        abs_max_seconds=abs_max_seconds,
+    )
+    access_token = create_access_token(data={"sub": str(user.id)})
+    await store_refresh_token(db, refresh_token_str, user.id)
+
+    return Token(
+        access_token=access_token,
+        refresh_token=refresh_token_str,
+        token_type="bearer",
+        must_change_password=user.must_change_password,
+        idle_expires_at=now + timedelta(seconds=idle_max_seconds),
+        absolute_expires_at=datetime.fromtimestamp(
+            auth_time_unix + abs_max_seconds, tz=timezone.utc
+        ),
+    )
+
+
+async def _resolve_refresh_claims(
+    payload: dict, user: User, db: AsyncSession
+) -> tuple[int, int, int]:
+    """Return (auth_time, idle_max_seconds, abs_max_seconds) for a refresh.
+
+    Grandfathers legacy tokens issued before the session-policy PR: tokens
+    missing any of auth_time/idle_max/abs_max get treated as if just minted
+    under the account's current policy. One free rotation under the new
+    rules — see plan §5.1. Callers that have the claims use them as-is.
+    """
+    auth_time = payload.get("auth_time")
+    idle_max_seconds = payload.get("idle_max")
+    abs_max_seconds = payload.get("abs_max")
+
+    if auth_time is None or idle_max_seconds is None or abs_max_seconds is None:
+        account = (
+            await db.execute(select(Account).where(Account.id == user.account_id))
+        ).scalar_one()
+        idle_minutes, abs_minutes = resolve_session_policy(account)
+        auth_time = int(datetime.now(timezone.utc).timestamp())
+        idle_max_seconds = idle_minutes * 60
+        abs_max_seconds = abs_minutes * 60
+
+    return auth_time, idle_max_seconds, abs_max_seconds
+
+
+async def _mint_with_claims(
+    user: User,
+    auth_time: int,
+    idle_max_seconds: int,
+    abs_max_seconds: int,
+    db: AsyncSession,
+) -> Token:
+    """Mint a refresh+access pair carrying explicit session-policy claims.
+
+    Used by /auth/refresh after the grandfather + absolute-cap checks
+    have already produced the effective claim values. Caller commits.
+    """
+    now = datetime.now(timezone.utc)
+    refresh_token_str = create_refresh_token(
+        user_id=str(user.id),
+        auth_time=auth_time,
+        idle_max_seconds=idle_max_seconds,
+        abs_max_seconds=abs_max_seconds,
+    )
+    access_token = create_access_token(data={"sub": str(user.id)})
+    await store_refresh_token(db, refresh_token_str, user.id)
+
+    return Token(
+        access_token=access_token,
+        refresh_token=refresh_token_str,
+        token_type="bearer",
+        must_change_password=user.must_change_password,
+        idle_expires_at=now + timedelta(seconds=idle_max_seconds),
+        absolute_expires_at=datetime.fromtimestamp(
+            auth_time + abs_max_seconds, tz=timezone.utc
+        ),
+    )
+
+
 def _generate_display_code() -> str:
    """Generate a random 8-character alphanumeric display code."""
    chars = string.ascii_uppercase + string.digits
    return ''.join(secrets.choice(chars) for _ in range(8))


+async def _reject_if_oauth_only(db: AsyncSession, user) -> None:
+    """If the user has no password_hash, raise 400 with a list of linked
+    providers so the client can redirect them to the right OAuth flow."""
+    if user is None or user.password_hash is not None:
+        return
+    from app.models.oauth_identity import OAuthIdentity
+    result = await db.execute(
+        select(OAuthIdentity.provider).where(OAuthIdentity.user_id == user.id)
+    )
+    providers = [row for row in result.scalars().all()]
+    raise HTTPException(
+        status_code=400,
+        detail={"error": "use_oauth_provider", "providers": providers},
+    )
+
+
@router.post("/register", response_model=UserResponse, status_code=status.HTTP_201_CREATED)
@limiter.limit("3/minute")
 async def register(
@@ -108,10 +238,24 @@ async def register(
                detail="Account invite code has expired"
            )

+        if account_invite_record.email.lower() != user_data.email.lower():
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail={"error": "invite_email_mismatch"},
+            )
+
    # Validate platform invite code (skip if account invite was provided)
    invite_code_record = None
    if not account_invite_record:
-        if settings.REQUIRE_INVITE_CODE and not user_data.invite_code:
+        # When SELF_SERVE_ENABLED is on, the platform invite gate is bypassed
+        # entirely — public self-serve signup is the whole point. The
+        # invite_code field stays in the schema for backward compatibility
+        # and so paid/trial-bearing codes still apply when supplied.
+        if (
+            settings.REQUIRE_INVITE_CODE
+            and not settings.is_self_serve_active_for(user_data.email)
+            and not user_data.invite_code
+        ):
            raise HTTPException(
                status_code=status.HTTP_400_BAD_REQUEST,
                detail="Invite code is required"
@@ -145,6 +289,33 @@ async def register(
                    detail="Invite code has expired"
                )

+    # Seat enforcement: re-check at accept time (race-condition guard).
+    # Fires only when an account invite is being accepted and the target role
+    # is seat-counted (engineer, l1_tech). Accounts without a subscription
+    # (free / pre-billing) are not blocked.
+    if account_invite_record and account_invite_record.role in ("engineer", "l1_tech"):
+        from app.core.subscriptions import get_account_subscription
+        from app.services.seat_enforcement import check_seat_available
+        from app.models.account import Account as _Account
+        sub = await get_account_subscription(account_invite_record.account_id, db)
+        if sub is not None:
+            acct_result = await db.execute(
+                select(_Account).where(_Account.id == account_invite_record.account_id)
+            )
+            acct = acct_result.scalar_one()
+            seat_result = await check_seat_available(acct, sub, account_invite_record.role, db)
+            if not seat_result.available:
+                raise HTTPException(
+                    status_code=status.HTTP_402_PAYMENT_REQUIRED,
+                    detail={
+                        "code": "seat_limit_exceeded",
+                        "role": seat_result.role,
+                        "current": seat_result.current,
+                        "limit": seat_result.limit,
+                        "upgrade_url": "/account/billing",
+                    },
+                )
+
    # Check if email already exists
    result = await db.execute(select(User).where(User.email == user_data.email))
    existing_user = result.scalar_one_or_none()
@@ -195,26 +366,30 @@ async def register(
        # Now set account owner and create subscription
        new_account.owner_id = new_user.id

-        # Apply plan/trial from invite code if present
-        sub_plan = "free"
-        sub_status = "active"
-        period_start = None
-        period_end = None
        if invite_code_record and invite_code_record.assigned_plan:
+            # Plan/trial driven by platform invite code (existing pilot flow)
            sub_plan = invite_code_record.assigned_plan
+            sub_status = "active"
+            period_start = None
+            period_end = None
            if invite_code_record.trial_duration_days:
                sub_status = "trialing"
                period_start = datetime.now(timezone.utc)
                period_end = period_start + timedelta(days=invite_code_record.trial_duration_days)
-
-        new_subscription = Subscription(
-            account_id=new_account.id,
-            plan=sub_plan,
-            status=sub_status,
-            current_period_start=period_start,
-            current_period_end=period_end,
-        )
-        db.add(new_subscription)
+            db.add(Subscription(
+                account_id=new_account.id,
+                plan=sub_plan,
+                status=sub_status,
+                current_period_start=period_start,
+                current_period_end=period_end,
+            ))
+        else:
+            # New self-serve shop — start the standard Pro trial.
+            # start_trial commits internally; flush our pending User/Account changes
+            # first so the FK is satisfied.
+            await db.flush()
+            from app.services.billing import BillingService
+            await BillingService.start_trial(db, new_account.id)

    # Mark platform invite code as used
    if invite_code_record:
@@ -224,6 +399,34 @@ async def register(
    await db.commit()
    await db.refresh(new_user)

+    # Auto-send verification email for newly-registered users.
+    # Skip silently if verification already done (shouldn't happen for fresh
+    # users, but defensive).
+    if new_user.email_verified_at is None:
+        verification_enabled = await SettingsManager.get(
+            "email_verification_enabled", db, default=True
+        )
+        if verification_enabled:
+            try:
+                raw_token = create_email_verification_token(str(new_user.id))
+                payload = decode_token(raw_token)
+                if payload and payload.get("jti"):
+                    token_record = EmailVerificationToken(
+                        token_hash=hash_token(payload["jti"]),
+                        user_id=new_user.id,
+                        expires_at=datetime.fromtimestamp(payload["exp"], tz=timezone.utc),
+                    )
+                    db.add(token_record)
+                    await db.commit()
+
+                    verification_url = f"{settings.FRONTEND_URL}/verify-email?token={raw_token}"
+                    await EmailService.send_email_verification_email(
+                        to_email=new_user.email,
+                        verification_url=verification_url,
+                    )
+            except Exception as e:
+                logger.warning("verification email send failed for %s: %s", new_user.email, e)
+
    return new_user


@@ -239,6 +442,7 @@ async def login(
    result = await db.execute(select(User).where(User.email == form_data.username))
    user = result.scalar_one_or_none()

+    await _reject_if_oauth_only(db, user)
    if not user or not verify_password(form_data.password, user.password_hash):
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
@@ -249,20 +453,9 @@ async def login(
    # Update last login
    user.last_login = datetime.now(timezone.utc)

-    # Create tokens
-    access_token = create_access_token(data={"sub": str(user.id)})
-    refresh_token_str = create_refresh_token(data={"sub": str(user.id)})
-
-    # Store refresh token hash in DB
-    await _store_refresh_token(db, refresh_token_str, user.id)
+    token = await _mint_session_tokens(user, db)
    await db.commit()
-
-    return Token(
-        access_token=access_token,
-        refresh_token=refresh_token_str,
-        token_type="bearer",
-        must_change_password=user.must_change_password,
-    )
+    return token


@router.post("/login/json", response_model=Token)
@@ -276,6 +469,7 @@ async def login_json(
    result = await db.execute(select(User).where(User.email == credentials.email))
    user = result.scalar_one_or_none()

+    await _reject_if_oauth_only(db, user)
    if not user or not verify_password(credentials.password, user.password_hash):
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
@@ -284,19 +478,9 @@ async def login_json(

    user.last_login = datetime.now(timezone.utc)

-    access_token = create_access_token(data={"sub": str(user.id)})
-    refresh_token_str = create_refresh_token(data={"sub": str(user.id)})
-
-    # Store refresh token hash in DB
-    await _store_refresh_token(db, refresh_token_str, user.id)
+    token = await _mint_session_tokens(user, db)
    await db.commit()
-
-    return Token(
-        access_token=access_token,
-        refresh_token=refresh_token_str,
-        token_type="bearer",
-        must_change_password=user.must_change_password,
-    )
+    return token


@router.post("/refresh", response_model=Token)
@@ -306,13 +490,39 @@ async def refresh_token(
    payload: Annotated[dict, Depends(get_refresh_token_payload)],
    db: Annotated[AsyncSession, Depends(get_admin_db)]
 ):
-    """Refresh access token using refresh token (rotation: old token is revoked)."""
+    """Refresh access token, enforcing both idle and absolute session windows.
+
+    Algorithm (see plan §4.5):
+
+    1. Decode refresh JWT (the dep already rejects idle-expired tokens with
+       session_expired_idle).
+    2. Load the user. If missing or inactive, 401 invalid_refresh_token.
+    3. Resolve effective auth_time/idle_max/abs_max (grandfather legacy
+       tokens that pre-date this PR).
+    4. Atomically revoke the JTI regardless of outcome — so an absolute-
+       expired token cannot be replayed; the second attempt finds it
+       already revoked and gets invalid_refresh_token instead.
+    5. If the atomic UPDATE matched zero rows, 401 invalid_refresh_token.
+    6. If now >= auth_time + abs_max, 401 session_expired_absolute.
+    7. Otherwise mint new tokens carrying the claims forward.
+    """
    user_id = payload.get("sub")
    jti = payload.get("jti")

-    # Atomically revoke the old refresh token (token rotation).
-    # Using a conditional UPDATE prevents the race where two concurrent
-    # refresh requests both read revoked_at=NULL and both succeed.
+    user = (await db.execute(select(User).where(User.id == user_id))).scalar_one_or_none()
+    if not user or not user.is_active:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="invalid_refresh_token",
+        )
+
+    auth_time, idle_max_seconds, abs_max_seconds = await _resolve_refresh_claims(
+        payload, user, db
+    )
+
+    # Atomically revoke the old refresh token first — this consumes the
+    # token regardless of whether the absolute check passes, so an absolute-
+    # expired token cannot be replayed.
    if jti:
        token_hash = hash_token(jti)
        result = await db.execute(
@@ -325,35 +535,31 @@ async def refresh_token(
            .returning(RefreshToken.id, RefreshToken.user_id)
        )
        revoked_row = result.fetchone()
-
        if not revoked_row:
-            # Either the token doesn't exist or was already revoked/used
            raise HTTPException(
                status_code=status.HTTP_401_UNAUTHORIZED,
-                detail="Refresh token has been revoked"
+                detail="invalid_refresh_token",
            )

-    result = await db.execute(select(User).where(User.id == user_id))
-    user = result.scalar_one_or_none()
-
-    if not user:
+    # Absolute-window check. Boundary is `>=`, not `>` — a deadline equal to
+    # now is expired. The token row has already been revoked above, so the
+    # client cannot retry this token even though we're raising after the
+    # consume.
+    now_unix = int(datetime.now(timezone.utc).timestamp())
+    if now_unix >= auth_time + abs_max_seconds:
+        # Commit the revoke so the consumed-on-failure invariant survives
+        # any subsequent rollback in the request lifecycle.
+        await db.commit()
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
-            detail="User not found"
+            detail="session_expired_absolute",
        )

-    access_token = create_access_token(data={"sub": str(user.id)})
-    new_refresh_token_str = create_refresh_token(data={"sub": str(user.id)})
-
-    # Store new refresh token
-    await _store_refresh_token(db, new_refresh_token_str, user.id)
-    await db.commit()
-
-    return Token(
-        access_token=access_token,
-        refresh_token=new_refresh_token_str,
-        token_type="bearer"
+    token = await _mint_with_claims(
+        user, auth_time, idle_max_seconds, abs_max_seconds, db
    )
+    await db.commit()
+    return token


@router.get("/me", response_model=UserResponse)
@@ -441,6 +647,7 @@ async def change_password(
    db: Annotated[AsyncSession, Depends(get_admin_db)]
 ):
    """Change the current user's password."""
+    await _reject_if_oauth_only(db, current_user)
    if not verify_password(data.current_password, current_user.password_hash):
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
@@ -484,7 +691,7 @@ async def forgot_password(
    result = await db.execute(select(User).where(User.email == data.email))
    user = result.scalar_one_or_none()

-    if user:
+    if user and user.password_hash is not None:
        # Create reset token JWT
        raw_token = create_password_reset_token(str(user.id))
        payload = decode_token(raw_token)
--- a/backend/app/api/endpoints/beta_signup.py
+++ b/backend/app/api/endpoints/beta_signup.py
@@ -1,31 +1,44 @@
-"""Public beta signup endpoint — no auth required."""
+"""Legacy beta signup endpoint — redirects to /register?from=beta.
+
+Phase 2 (self-serve signup) makes the public register flow the canonical
+front door. The old `/api/v1/beta-signup` POST endpoint is kept mounted to
+preserve any external links that still hit it, but now responds with a
+307 Temporary Redirect to `/register?from=beta` so the user lands in the
+real signup flow. The `?from=beta` marker lets the frontend tag the
+signup origin for analytics.
+
+Note: there is no `beta_signup` database table — the original endpoint
+only fired a notification email. There is therefore no waitlist to email
+and no migration to run when retiring the endpoint.
+"""

 import logging
-from fastapi import APIRouter, HTTPException
-from pydantic import BaseModel, EmailStr
-from app.core.email import EmailService
+
+from fastapi import APIRouter
+from fastapi.responses import RedirectResponse
+
+from app.core.config import settings

 logger = logging.getLogger(__name__)

 router = APIRouter(prefix="/beta-signup", tags=["beta"])

-
-class BetaSignupRequest(BaseModel):
-    email: EmailStr
+# Local-dev fallback when FRONTEND_URL isn't configured. The redirect must
+# be absolute — a relative URL would resolve against the API origin
+# (api.resolutionflow.com), which has no /register page.
+_DEFAULT_FRONTEND_URL = "http://localhost:5173"


-class BetaSignupResponse(BaseModel):
-    success: bool
-    message: str
+@router.post("", include_in_schema=False)
+async def beta_signup_redirect() -> RedirectResponse:
+    """Redirect legacy beta-signup POST to the public register page.

-
-@router.post("", response_model=BetaSignupResponse)
-async def beta_signup(data: BetaSignupRequest):
-    """Collect beta interest — sends notification to beta@resolutionflow.com."""
-    sent = await EmailService.send_beta_signup_notification(data.email)
-    if not sent:
-        logger.warning("Beta signup recorded (email delivery skipped): %s", data.email)
-    return BetaSignupResponse(
-        success=True,
-        message="Thanks! We'll be in touch with beta access details.",
+    Returns 307 so any client following the redirect preserves the HTTP
+    method; the frontend treats `/register?from=beta` as the canonical
+    entry point and reads the `from` query param for analytics.
+    """
+    frontend_url = settings.FRONTEND_URL or _DEFAULT_FRONTEND_URL
+    return RedirectResponse(
+        url=f"{frontend_url}/register?from=beta",
+        status_code=307,
    )
--- a/backend/app/api/endpoints/billing.py
+++ b/backend/app/api/endpoints/billing.py
@@ -0,0 +1,76 @@
+from typing import Annotated
+
+from fastapi import APIRouter, Depends, HTTPException
+from sqlalchemy import select
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from app.api.deps import get_current_active_user
+from app.core.admin_database import get_admin_db
+from app.core.config import settings
+from app.models.account import Account
+from app.models.user import User
+from app.schemas.billing import (
+    BillingPortalSessionResponse,
+    BillingStateResponse,
+    CheckoutSessionCreate,
+    CheckoutSessionResponse,
+)
+from app.services.billing import BillingService
+
+router = APIRouter(prefix="/billing", tags=["billing"])
+
+
+@router.post("/checkout-session", response_model=CheckoutSessionResponse)
+async def create_checkout_session(
+    payload: CheckoutSessionCreate,
+    current_user: Annotated[User, Depends(get_current_active_user)],
+    db: Annotated[AsyncSession, Depends(get_admin_db)],
+) -> CheckoutSessionResponse:
+    account = (await db.execute(
+        select(Account).where(Account.id == current_user.account_id)
+    )).scalar_one()
+    url = await BillingService.create_checkout_session(
+        db=db,
+        account=account,
+        plan=payload.plan,
+        seats=payload.seats,
+        billing_interval=payload.billing_interval,
+        success_url=f"{settings.FRONTEND_URL}/account/billing?success=1",
+        cancel_url=f"{settings.FRONTEND_URL}/account/billing/select-plan",
+    )
+    return CheckoutSessionResponse(url=url)
+
+
+@router.get("/state", response_model=BillingStateResponse)
+async def get_billing_state(
+    current_user: Annotated[User, Depends(get_current_active_user)],
+    db: Annotated[AsyncSession, Depends(get_admin_db)],
+) -> BillingStateResponse:
+    account = (await db.execute(
+        select(Account).where(Account.id == current_user.account_id)
+    )).scalar_one()
+    state = await BillingService.get_billing_state(db, account)
+    return BillingStateResponse(**state)
+
+
+@router.get("/portal-session", response_model=BillingPortalSessionResponse)
+async def get_billing_portal_session(
+    current_user: Annotated[User, Depends(get_current_active_user)],
+    db: Annotated[AsyncSession, Depends(get_admin_db)],
+) -> BillingPortalSessionResponse:
+    """Return a Stripe-hosted Customer Portal URL for the account so the user
+    can update card / cancel. Allowlisted from the subscription + email-verify
+    guards (a canceled or unverified-past-grace user must still be able to
+    update billing)."""
+    if not settings.stripe_enabled:
+        raise HTTPException(status_code=503, detail={"error": "stripe_not_configured"})
+
+    account = (await db.execute(
+        select(Account).where(Account.id == current_user.account_id)
+    )).scalar_one()
+
+    try:
+        url = await BillingService.open_customer_portal(account)
+    except ValueError:
+        raise HTTPException(status_code=400, detail={"error": "no_stripe_customer"})
+    return BillingPortalSessionResponse(url=url)
--- a/backend/app/api/endpoints/config.py
+++ b/backend/app/api/endpoints/config.py
@@ -0,0 +1,50 @@
+"""Public runtime configuration endpoint.
+
+GET /api/v1/config/public
+  Returns the small set of runtime flags the frontend needs at app load
+  to decide whether to render the self-serve signup flow and which OAuth
+  buttons to show. No authentication required.
+
+The response model lives in `app.schemas.config` so it can be reused by
+frontend codegen and other call sites if needed.
+"""
+
+from __future__ import annotations
+
+from typing import Annotated, Optional
+
+from fastapi import APIRouter, Depends
+
+from app.api.deps import get_current_user_optional
+from app.core.config import settings
+from app.models.user import User
+from app.schemas.config import PublicConfigResponse
+
+router = APIRouter(prefix="/config", tags=["config"])
+
+
+@router.get("/public", response_model=PublicConfigResponse)
+async def get_public_config(
+    current_user: Annotated[Optional[User], Depends(get_current_user_optional)],
+) -> PublicConfigResponse:
+    """Return public-safe runtime config.
+
+    `oauth_providers` reflects which OAuth client IDs are configured server
+    side; the frontend uses it to render only buttons that will actually
+    succeed. `self_serve_enabled` is the master switch for the new public
+    self-serve signup flow; an authenticated caller whose email is on the
+    INTERNAL_TESTER_EMAILS allowlist sees `True` even when the global flag
+    is off, so internal validation in prod test mode can exercise the full
+    surface before the public flip.
+    """
+    providers: list[str] = []
+    if settings.GOOGLE_CLIENT_ID:
+        providers.append("google")
+    if settings.MS_CLIENT_ID:
+        providers.append("microsoft")
+
+    user_email = current_user.email if current_user else None
+    return PublicConfigResponse(
+        self_serve_enabled=settings.is_self_serve_active_for(user_email),
+        oauth_providers=providers,
+    )
--- a/backend/app/api/endpoints/l1.py
+++ b/backend/app/api/endpoints/l1.py
@@ -0,0 +1,277 @@
+"""L1 Workspace endpoints (Phase 1).
+
+PSA-merge queue support + AI build path are deferred to Phase 2.
+"""
+from typing import Annotated, Optional
+from uuid import UUID
+
+from fastapi import APIRouter, Depends, HTTPException, status as http_status
+from sqlalchemy import select
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from app.api.deps import get_db, require_l1_or_coverage
+from app.models.l1_walk_session import L1WalkSession
+from app.models.user import User
+from app.schemas.l1 import (
+    EscalateRequest,
+    EscalateWithoutWalkRequest,
+    IntakeRequest,
+    IntakeResponse,
+    NotesRequest,
+    QueueRow,
+    ResolveRequest,
+    StepRequest,
+    WalkSessionResponse,
+)
+from app.services import internal_ticket_service, l1_session_service
+
+
+router = APIRouter(prefix="/l1", tags=["l1"])
+
+
+def _to_response(session: L1WalkSession) -> WalkSessionResponse:
+    return WalkSessionResponse(
+        id=session.id,
+        session_kind=session.session_kind,
+        flow_id=session.flow_id,
+        flow_proposal_id=session.flow_proposal_id,
+        current_node_id=session.current_node_id,
+        walked_path=session.walked_path or [],
+        walk_notes=session.walk_notes or [],
+        status=session.status,
+        started_at=session.started_at,
+        last_step_at=session.last_step_at,
+        resolved_at=session.resolved_at,
+    )
+
+
+async def _get_session_or_404(
+    db: AsyncSession, session_id: UUID, user: User
+) -> L1WalkSession:
+    """Fetch a session by id, scoped to the caller's account.
+
+    Phase 1 policy (per spec §7.9): sessions are account-scoped, not
+    user-scoped. Any L1 or coverage engineer in the same account can
+    step/note/resolve/escalate any session — supports team coverage
+    (e.g., L1 hands off mid-shift; coverage engineer takes over a call).
+    For a stricter "creator-only" policy, add
+    ``created_by_user_id == user.id`` here.
+    """
+    session = await db.get(L1WalkSession, session_id)
+    if session is None or session.account_id != user.account_id:
+        raise HTTPException(
+            status_code=http_status.HTTP_404_NOT_FOUND,
+            detail="Session not found",
+        )
+    return session
+
+
+@router.post("/intake", response_model=IntakeResponse)
+async def intake(
+    payload: IntakeRequest,
+    db: Annotated[AsyncSession, Depends(get_db)],
+    user: Annotated[User, Depends(require_l1_or_coverage)],
+):
+    """L1 intake: creates an internal ticket and starts a walk session.
+
+    Phase 1: internal-ticket only (PSA support follows in Phase 2 escalation polish).
+    If `flow_id` is provided, starts a flow session; otherwise an adhoc session.
+    """
+    ticket = await internal_ticket_service.create_ticket(
+        db,
+        account_id=user.account_id,
+        created_by_user_id=user.id,
+        problem_statement=payload.problem_statement,
+        customer_name=payload.customer_name,
+        customer_contact=payload.customer_contact,
+    )
+    if payload.flow_id is not None:
+        session = await l1_session_service.start_flow_session(
+            db,
+            account_id=user.account_id,
+            user=user,
+            flow_id=payload.flow_id,
+            ticket_id=str(ticket.id),
+            ticket_kind="internal",
+        )
+    else:
+        session = await l1_session_service.start_adhoc_session(
+            db,
+            account_id=user.account_id,
+            user=user,
+            ticket_id=str(ticket.id),
+            ticket_kind="internal",
+        )
+    await db.commit()
+    return IntakeResponse(
+        session_id=session.id,
+        session_kind=session.session_kind,
+        ticket_id=str(ticket.id),
+        ticket_kind="internal",
+    )
+
+
+@router.get("/queue", response_model=list[QueueRow])
+async def queue(
+    db: Annotated[AsyncSession, Depends(get_db)],
+    user: Annotated[User, Depends(require_l1_or_coverage)],
+    status_filter: Optional[str] = None,
+    limit: int = 50,
+):
+    """Phase 1 queue: internal tickets only. PSA-fed rows in Phase 2."""
+    tickets = await internal_ticket_service.list_tickets_for_account(
+        db,
+        account_id=user.account_id,
+        status=status_filter,
+        limit=limit,
+    )
+    return [
+        QueueRow(
+            ticket_id=str(t.id),
+            ticket_kind="internal",
+            problem_statement=t.problem_statement,
+            customer_name=t.customer_name,
+            status=t.status,
+            created_at=t.created_at,
+        )
+        for t in tickets
+    ]
+
+
+@router.get("/sessions/active", response_model=list[WalkSessionResponse])
+async def list_active_sessions(
+    db: Annotated[AsyncSession, Depends(get_db)],
+    user: Annotated[User, Depends(require_l1_or_coverage)],
+):
+    """The caller's currently-active sessions (for the dashboard 'Resume in progress' widget)."""
+    stmt = (
+        select(L1WalkSession)
+        .where(L1WalkSession.created_by_user_id == user.id)
+        .where(L1WalkSession.status == "active")
+        .order_by(L1WalkSession.last_step_at.desc())
+        .limit(20)
+    )
+    result = await db.execute(stmt)
+    return [_to_response(s) for s in result.scalars()]
+
+
+@router.get("/sessions/{session_id}", response_model=WalkSessionResponse)
+async def get_session(
+    session_id: UUID,
+    db: Annotated[AsyncSession, Depends(get_db)],
+    user: Annotated[User, Depends(require_l1_or_coverage)],
+):
+    session = await _get_session_or_404(db, session_id, user)
+    return _to_response(session)
+
+
+@router.post("/sessions/{session_id}/step", response_model=WalkSessionResponse)
+async def post_step(
+    session_id: UUID,
+    payload: StepRequest,
+    db: Annotated[AsyncSession, Depends(get_db)],
+    user: Annotated[User, Depends(require_l1_or_coverage)],
+):
+    await _get_session_or_404(db, session_id, user)
+    try:
+        updated = await l1_session_service.record_step(
+            db,
+            session_id=session_id,
+            node_id=payload.node_id,
+            question=payload.question,
+            answer=payload.answer,
+            note=payload.note,
+        )
+    except ValueError as exc:
+        raise HTTPException(status_code=http_status.HTTP_400_BAD_REQUEST, detail=str(exc))
+    await db.commit()
+    return _to_response(updated)
+
+
+@router.post("/sessions/{session_id}/notes", response_model=WalkSessionResponse)
+async def post_notes(
+    session_id: UUID,
+    payload: NotesRequest,
+    db: Annotated[AsyncSession, Depends(get_db)],
+    user: Annotated[User, Depends(require_l1_or_coverage)],
+):
+    await _get_session_or_404(db, session_id, user)
+    try:
+        updated = await l1_session_service.update_notes(
+            db,
+            session_id=session_id,
+            notes=payload.notes,
+        )
+    except ValueError as exc:
+        raise HTTPException(status_code=http_status.HTTP_400_BAD_REQUEST, detail=str(exc))
+    await db.commit()
+    return _to_response(updated)
+
+
+@router.post("/sessions/{session_id}/resolve", response_model=WalkSessionResponse)
+async def post_resolve(
+    session_id: UUID,
+    payload: ResolveRequest,
+    db: Annotated[AsyncSession, Depends(get_db)],
+    user: Annotated[User, Depends(require_l1_or_coverage)],
+):
+    await _get_session_or_404(db, session_id, user)
+    try:
+        updated = await l1_session_service.resolve(
+            db,
+            session_id=session_id,
+            helpful=payload.helpful,
+            resolution_notes=payload.resolution_notes,
+        )
+    except ValueError as exc:
+        raise HTTPException(status_code=http_status.HTTP_400_BAD_REQUEST, detail=str(exc))
+    await db.commit()
+    return _to_response(updated)
+
+
+@router.post("/sessions/{session_id}/escalate", response_model=WalkSessionResponse)
+async def post_escalate(
+    session_id: UUID,
+    payload: EscalateRequest,
+    db: Annotated[AsyncSession, Depends(get_db)],
+    user: Annotated[User, Depends(require_l1_or_coverage)],
+):
+    await _get_session_or_404(db, session_id, user)
+    try:
+        updated = await l1_session_service.escalate(
+            db,
+            session_id=session_id,
+            reason=payload.reason or "",
+            reason_category=payload.reason_category,
+        )
+    except ValueError as exc:
+        raise HTTPException(status_code=http_status.HTTP_400_BAD_REQUEST, detail=str(exc))
+    await db.commit()
+    return _to_response(updated)
+
+
+@router.post("/escalate-without-walk", response_model=WalkSessionResponse)
+async def post_escalate_without_walk(
+    payload: EscalateWithoutWalkRequest,
+    db: Annotated[AsyncSession, Depends(get_db)],
+    user: Annotated[User, Depends(require_l1_or_coverage)],
+):
+    ticket = await internal_ticket_service.create_ticket(
+        db,
+        account_id=user.account_id,
+        created_by_user_id=user.id,
+        problem_statement=payload.problem_statement,
+        customer_name=payload.customer_name,
+        customer_contact=payload.customer_contact,
+    )
+    session = await l1_session_service.escalate_without_walk(
+        db,
+        account_id=user.account_id,
+        user=user,
+        ticket_id=str(ticket.id),
+        ticket_kind="internal",
+        reason_category=payload.reason_category,
+        reason=payload.reason,
+    )
+    await db.commit()
+    return _to_response(session)
--- a/backend/app/api/endpoints/oauth.py
+++ b/backend/app/api/endpoints/oauth.py
@@ -0,0 +1,247 @@
+import secrets
+import string
+from datetime import datetime, timezone
+from typing import Annotated
+
+from fastapi import APIRouter, Depends, HTTPException, status
+from sqlalchemy import select
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from app.api.endpoints.auth import _mint_session_tokens
+from app.core.admin_database import get_admin_db
+from app.core.config import settings
+from app.models.account import Account
+from app.models.account_invite import AccountInvite
+from app.models.oauth_identity import OAuthIdentity
+from app.models.user import User
+from app.schemas.oauth import OAuthCallbackPayload, OAuthCallbackResponse
+from app.services.billing import BillingService
+from app.services.oauth_providers import (
+    google_exchange_code,
+    microsoft_exchange_code,
+    OAuthProfile,
+)
+
+router = APIRouter(prefix="/auth", tags=["auth-oauth"])
+
+
+def _generate_display_code(length: int = 8) -> str:
+    """Match the helper used by /auth/register — A-Z + 0-9, length 8."""
+    alphabet = string.ascii_uppercase + string.digits
+    return "".join(secrets.choice(alphabet) for _ in range(length))
+
+
+async def _sign_in_or_register(
+    db: AsyncSession,
+    provider: str,
+    profile: OAuthProfile,
+    *,
+    account_invite_code: str | None = None,
+    invited_email: str | None = None,
+) -> tuple[User, bool]:
+    """Returns (user, is_new_user). Idempotent on (provider, provider_subject).
+
+    When ``account_invite_code`` is supplied (from the /accept-invite flow),
+    a brand-new user is created inside the invited account instead of getting
+    a personal account + Pro trial. Mismatch between the OAuth profile email
+    and ``invited_email`` raises ``invite_email_mismatch`` per the spec
+    contract that mirrors the email+password register path.
+    """
+    identity = (
+        await db.execute(
+            select(OAuthIdentity).where(
+                OAuthIdentity.provider == provider,
+                OAuthIdentity.provider_subject == profile.provider_subject,
+            )
+        )
+    ).scalar_one_or_none()
+
+    if identity:
+        user = (
+            await db.execute(select(User).where(User.id == identity.user_id))
+        ).scalar_one()
+        return user, False
+
+    user = (
+        await db.execute(select(User).where(User.email == profile.email))
+    ).scalar_one_or_none()
+    is_new_user = user is None
+
+    # If the user arrived via an invite link but already has a ResolutionFlow
+    # account (e.g., previously signed up with email+password), silently
+    # linking the OAuth identity to that existing account would bypass the
+    # invite — they'd stay in their personal account and the invite would
+    # never be consumed. Fail loud instead so they can sign in and accept the
+    # invite from the dashboard. The "invited user wants to transfer accounts"
+    # case is a v2 concern.
+    if account_invite_code and not is_new_user:
+        raise HTTPException(
+            status_code=400,
+            detail={
+                "error": "email_already_registered_use_login",
+                "message": (
+                    "An account already exists for this email. Please sign in "
+                    "instead, then accept the invite from your dashboard."
+                ),
+            },
+        )
+
+    invite_record: AccountInvite | None = None
+    if is_new_user and account_invite_code:
+        # SELECT FOR UPDATE so two concurrent OAuth callbacks can't both
+        # consume the same invite code.
+        invite_record = (
+            await db.execute(
+                select(AccountInvite)
+                .where(AccountInvite.code == account_invite_code)
+                .with_for_update()
+            )
+        ).scalar_one_or_none()
+        if invite_record is None or not invite_record.is_valid:
+            raise HTTPException(
+                status_code=400,
+                detail={"error": "invite_invalid_or_expired_or_revoked"},
+            )
+        # Verify the OAuth profile email matches what was invited. We compare
+        # against the invite row directly (source of truth), but also accept
+        # the client-supplied invited_email as a defensive equality check.
+        if invite_record.email.lower() != profile.email.lower():
+            raise HTTPException(
+                status_code=400,
+                detail={"error": "invite_email_mismatch"},
+            )
+        if invited_email and invited_email.lower() != invite_record.email.lower():
+            raise HTTPException(
+                status_code=400,
+                detail={"error": "invite_email_mismatch"},
+            )
+
+    if is_new_user:
+        if invite_record is not None:
+            # Seat enforcement: re-check at OAuth accept time (race-condition guard).
+            if invite_record.role in ("engineer", "l1_tech"):
+                from app.core.subscriptions import get_account_subscription
+                from app.services.seat_enforcement import check_seat_available
+                sub = await get_account_subscription(invite_record.account_id, db)
+                if sub is not None:
+                    acct_result = await db.execute(
+                        select(Account).where(Account.id == invite_record.account_id)
+                    )
+                    acct = acct_result.scalar_one()
+                    seat_result = await check_seat_available(acct, sub, invite_record.role, db)
+                    if not seat_result.available:
+                        raise HTTPException(
+                            status_code=status.HTTP_402_PAYMENT_REQUIRED,
+                            detail={
+                                "code": "seat_limit_exceeded",
+                                "role": seat_result.role,
+                                "current": seat_result.current,
+                                "limit": seat_result.limit,
+                                "upgrade_url": "/account/billing",
+                            },
+                        )
+
+            # Join the invited account directly — no personal account, no
+            # trial creation.
+            user = User(
+                email=profile.email,
+                name=profile.name,
+                password_hash=None,
+                account_id=invite_record.account_id,
+                account_role=invite_record.role,
+                role="engineer",
+                email_verified_at=datetime.now(timezone.utc),
+            )
+            db.add(user)
+            await db.flush()
+            invite_record.accepted_by_id = user.id
+            invite_record.used_at = datetime.now(timezone.utc)
+            await db.flush()
+        else:
+            account = Account(
+                name=f"{profile.name}'s Account",
+                display_code=_generate_display_code(),
+            )
+            db.add(account)
+            await db.flush()
+            user = User(
+                email=profile.email,
+                name=profile.name,
+                password_hash=None,
+                account_id=account.id,
+                account_role="owner",
+                role="engineer",
+                email_verified_at=datetime.now(timezone.utc),
+            )
+            db.add(user)
+            await db.flush()
+            account.owner_id = user.id
+            await db.flush()
+            # start_trial commits internally; flushed account/user above.
+            await BillingService.start_trial(db, account.id)
+
+    db.add(
+        OAuthIdentity(
+            user_id=user.id,
+            provider=provider,
+            provider_subject=profile.provider_subject,
+            provider_email_at_link=profile.email,
+        )
+    )
+    await db.commit()
+    await db.refresh(user)
+    return user, is_new_user
+
+
+@router.post("/google/callback", response_model=OAuthCallbackResponse)
+async def google_callback(
+    payload: OAuthCallbackPayload,
+    db: Annotated[AsyncSession, Depends(get_admin_db)],
+) -> OAuthCallbackResponse:
+    if not settings.GOOGLE_CLIENT_ID:
+        raise HTTPException(status_code=503, detail="Google sign-in not configured")
+    redirect_uri = f"{settings.OAUTH_REDIRECT_BASE}/auth/google/callback"
+    profile = await google_exchange_code(payload.code, redirect_uri)
+    user, is_new = await _sign_in_or_register(
+        db,
+        "google",
+        profile,
+        account_invite_code=payload.account_invite_code,
+        invited_email=payload.invited_email,
+    )
+    token = await _mint_session_tokens(user, db)
+    await db.commit()
+    return OAuthCallbackResponse(
+        access_token=token.access_token,
+        refresh_token=token.refresh_token,
+        is_new_user=is_new,
+        idle_expires_at=token.idle_expires_at,
+        absolute_expires_at=token.absolute_expires_at,
+    )
+
+
+@router.post("/microsoft/callback", response_model=OAuthCallbackResponse)
+async def microsoft_callback(
+    payload: OAuthCallbackPayload,
+    db: Annotated[AsyncSession, Depends(get_admin_db)],
+) -> OAuthCallbackResponse:
+    if not settings.MS_CLIENT_ID:
+        raise HTTPException(status_code=503, detail="Microsoft sign-in not configured")
+    redirect_uri = f"{settings.OAUTH_REDIRECT_BASE}/auth/microsoft/callback"
+    profile = await microsoft_exchange_code(payload.code, redirect_uri)
+    user, is_new = await _sign_in_or_register(
+        db,
+        "microsoft",
+        profile,
+        account_invite_code=payload.account_invite_code,
+        invited_email=payload.invited_email,
+    )
+    token = await _mint_session_tokens(user, db)
+    await db.commit()
+    return OAuthCallbackResponse(
+        access_token=token.access_token,
+        refresh_token=token.refresh_token,
+        is_new_user=is_new,
+        idle_expires_at=token.idle_expires_at,
+        absolute_expires_at=token.absolute_expires_at,
+    )
--- a/backend/app/api/endpoints/onboarding.py
+++ b/backend/app/api/endpoints/onboarding.py
@@ -2,19 +2,24 @@

 from typing import Annotated

-from fastapi import APIRouter, Depends
+from fastapi import APIRouter, Depends, HTTPException, status
 from sqlalchemy import func, select
 from sqlalchemy.ext.asyncio import AsyncSession

 from app.api.deps import get_current_active_user
 from app.core.database import get_db
 from app.core.admin_database import get_admin_db
+from app.models.account import Account
 from app.models.assistant_chat import AssistantChat
 from app.models.psa_connection import PsaConnection
 from app.models.session import Session
 from app.models.tree import Tree
 from app.models.user import User
-from app.schemas.onboarding import OnboardingStatus
+from app.schemas.onboarding import (
+    OnboardingStatus,
+    OnboardingStepRequest,
+    OnboardingStepResponse,
+)

 router = APIRouter(prefix="/users", tags=["onboarding"])

@@ -85,6 +90,10 @@ async def get_onboarding_status(
            )
            connected_psa = (psa_q.scalar() or 0) > 0

+    # New (Phase 2 — Task 41)
+    email_verified = current_user.email_verified_at is not None
+    shop_setup_done = (current_user.onboarding_step_completed or 0) >= 1
+
    return OnboardingStatus(
        created_flow=created_flow,
        ran_session=ran_session,
@@ -94,6 +103,8 @@ async def get_onboarding_status(
        connected_psa=connected_psa,
        is_team_user=is_team_user,
        dismissed=current_user.onboarding_dismissed,
+        email_verified=email_verified,
+        shop_setup_done=shop_setup_done,
    )


@@ -109,3 +120,98 @@ async def dismiss_onboarding(

    # Return updated status (reuse the GET logic)
    return await get_onboarding_status(db=db, current_user=current_user)
+
+
+# ---------------------------------------------------------------------------
+# Welcome wizard endpoints (Phase 2)
+#
+# These persist Step 1/2/3 progress for the post-signup welcome wizard.
+# Mounted on /users/me/* (the parent router prefix is /users) so the wizard
+# can run before email verification and during trial.
+# ---------------------------------------------------------------------------
+
+
+@router.patch("/me/onboarding-step", response_model=OnboardingStepResponse)
+async def patch_onboarding_step(
+    body: OnboardingStepRequest,
+    db: Annotated[AsyncSession, Depends(get_admin_db)],
+    current_user: Annotated[User, Depends(get_current_active_user)],
+) -> OnboardingStepResponse:
+    """Persist welcome-wizard progress for the current user.
+
+    Contract:
+    - step=1 + complete writes accounts.name, accounts.team_size_bucket,
+      users.role_at_signup, then sets users.onboarding_step_completed=1.
+    - step=2 + complete writes accounts.primary_psa, then sets
+      users.onboarding_step_completed=2.
+    - step=3 + complete just sets users.onboarding_step_completed=3
+      (invites are POSTed separately).
+    - action="skip" ignores `data` entirely and only advances the step.
+    - The new step must be >= current onboarding_step_completed (None=>0);
+      otherwise 400. Idempotent re-PATCH of the same step succeeds.
+    """
+    current_step = current_user.onboarding_step_completed or 0
+    if body.step < current_step:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail={
+                "error": "step_cannot_decrease",
+                "current_step": current_step,
+                "requested_step": body.step,
+            },
+        )
+
+    if body.action == "complete" and body.data is not None and body.step in (1, 2):
+        # Load the user's account for field writes. Step 3 has no data writes.
+        account_result = await db.execute(
+            select(Account).where(Account.id == current_user.account_id)
+        )
+        account = account_result.scalar_one_or_none()
+        if account is None:
+            # Should never happen — user is required to have an account_id.
+            raise HTTPException(
+                status_code=status.HTTP_404_NOT_FOUND,
+                detail="account_not_found",
+            )
+
+        if body.step == 1:
+            data = body.data
+            if data.company_name is not None:
+                account.name = data.company_name
+            if data.team_size_bucket is not None:
+                account.team_size_bucket = data.team_size_bucket
+            if data.role_at_signup is not None:
+                current_user.role_at_signup = data.role_at_signup
+        elif body.step == 2:
+            data = body.data
+            if data.primary_psa is not None:
+                account.primary_psa = data.primary_psa
+
+    current_user.onboarding_step_completed = body.step
+    await db.commit()
+    await db.refresh(current_user)
+
+    return OnboardingStepResponse(
+        onboarding_step_completed=current_user.onboarding_step_completed,
+        onboarding_dismissed=current_user.onboarding_dismissed,
+    )
+
+
+@router.post("/me/onboarding-dismiss-rest", response_model=OnboardingStepResponse)
+async def dismiss_onboarding_rest(
+    db: Annotated[AsyncSession, Depends(get_admin_db)],
+    current_user: Annotated[User, Depends(get_current_active_user)],
+) -> OnboardingStepResponse:
+    """Set users.onboarding_dismissed=TRUE — backs the wizard's "Skip the rest" button.
+
+    Returns the same shape as the step PATCH so the frontend can update its
+    local store from a single response.
+    """
+    current_user.onboarding_dismissed = True
+    await db.commit()
+    await db.refresh(current_user)
+
+    return OnboardingStepResponse(
+        onboarding_step_completed=current_user.onboarding_step_completed,
+        onboarding_dismissed=current_user.onboarding_dismissed,
+    )
--- a/backend/app/api/endpoints/plans_public.py
+++ b/backend/app/api/endpoints/plans_public.py
@@ -0,0 +1,58 @@
+"""Public plans endpoint — no auth required.
+
+GET /api/v1/plans/public
+  Returns the public-safe view of `plan_billing` joined with
+  `plan_limits.max_users` (exposed as `max_seats`), filtered to
+  `is_public=True AND is_archived=False`, ordered by sort_order ASC, plan ASC.
+
+Distinct from `/admin/plan-limits` (admin-only, returns ALL plans including
+archived/internal). This endpoint exists to power the marketing /pricing page
+without exposing the rest of the admin-only billing surface.
+"""
+
+from __future__ import annotations
+
+from typing import Annotated
+
+from fastapi import APIRouter, Depends
+from sqlalchemy import select
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from app.core.admin_database import get_admin_db
+from app.models.plan_billing import PlanBilling
+from app.models.plan_limits import PlanLimits
+from app.schemas.billing import PublicPlanResponse
+
+router = APIRouter(prefix="/plans", tags=["plans"])
+
+
+@router.get("/public", response_model=list[PublicPlanResponse])
+async def list_public_plans(
+    db: Annotated[AsyncSession, Depends(get_admin_db)],
+) -> list[PublicPlanResponse]:
+    """List public, non-archived plans for the marketing /pricing page.
+
+    Public — no auth. Uses `get_admin_db` because this is a cross-tenant read
+    of the global plan catalog (same pattern as `/config/public`).
+    """
+    stmt = (
+        select(PlanBilling, PlanLimits.max_users)
+        .outerjoin(PlanLimits, PlanBilling.plan == PlanLimits.plan)
+        .where(PlanBilling.is_public.is_(True))
+        .where(PlanBilling.is_archived.is_(False))
+        .order_by(PlanBilling.sort_order.asc(), PlanBilling.plan.asc())
+    )
+    rows = (await db.execute(stmt)).all()
+    return [
+        PublicPlanResponse(
+            plan=billing.plan,
+            display_name=billing.display_name,
+            description=billing.description,
+            monthly_price_cents=billing.monthly_price_cents,
+            annual_price_cents=billing.annual_price_cents,
+            max_seats=max_users,
+            sort_order=billing.sort_order,
+            is_public=billing.is_public,
+        )
+        for billing, max_users in rows
+    ]
--- a/backend/app/api/endpoints/sales_leads.py
+++ b/backend/app/api/endpoints/sales_leads.py
@@ -0,0 +1,114 @@
+"""Public Talk-to-Sales endpoint — no auth required.
+
+POST /api/v1/sales-leads
+  - Inserts a sales_leads row.
+  - Fires (best-effort) a notification email to settings.SALES_LEAD_RECIPIENT_EMAIL.
+  - Emits a server-side PostHog event (best-effort).
+  - Rate-limited per IP (5/hour).
+"""
+
+from __future__ import annotations
+
+import asyncio
+import logging
+from typing import Annotated
+
+from fastapi import APIRouter, Depends, Request
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from app.core.admin_database import get_admin_db
+from app.core.config import settings
+from app.core.email import EmailService
+from app.core.rate_limit import limiter
+from app.models.sales_lead import SalesLead
+from app.schemas.sales_lead import SalesLeadCreate, SalesLeadCreateResponse
+
+logger = logging.getLogger(__name__)
+
+router = APIRouter(prefix="/sales-leads", tags=["sales"])
+
+
+async def _send_notification_email(lead: SalesLead) -> None:
+    """Fire-and-forget wrapper. EmailService methods never raise, but we
+    still wrap in a try/except to defend against future regressions."""
+    try:
+        await EmailService.send_sales_lead_notification(
+            to_email=settings.SALES_LEAD_RECIPIENT_EMAIL,
+            lead=lead,
+        )
+    except Exception:
+        logger.warning(
+            "Sales lead notification email failed for lead %s",
+            lead.id,
+            exc_info=True,
+        )
+
+
+def _capture_posthog_event(lead: SalesLead) -> None:
+    """Emit `talk_to_sales_form_submitted` server-side. Best-effort.
+
+    Backend PostHog SDK isn't initialized in the project today; this function
+    is the single instrumentation point so wiring it up later is a one-line
+    change. The call is wrapped so any future failure can never fail the
+    request.
+    """
+    try:
+        # Lazy import — keeps the dependency optional. When the backend
+        # PostHog client is wired in (likely as `app.core.analytics.posthog`),
+        # swap the import path here and the event will fire automatically.
+        try:
+            from app.core.analytics import posthog  # type: ignore[attr-defined]
+        except ImportError:
+            logger.debug(
+                "PostHog server-side capture skipped — client not configured"
+            )
+            return
+
+        distinct_id = lead.posthog_distinct_id or f"sales_lead:{lead.id}"
+        posthog.capture(
+            distinct_id=distinct_id,
+            event="talk_to_sales_form_submitted",
+            properties={
+                "source": lead.source,
+                "company": lead.company,
+                "team_size": lead.team_size,
+            },
+        )
+    except Exception:
+        logger.warning(
+            "PostHog capture failed for sales lead %s",
+            lead.id,
+            exc_info=True,
+        )
+
+
+@router.post("", response_model=SalesLeadCreateResponse, status_code=201)
+@limiter.limit("5/hour")
+async def create_sales_lead(
+    request: Request,
+    data: SalesLeadCreate,
+    db: Annotated[AsyncSession, Depends(get_admin_db)],
+) -> SalesLeadCreateResponse:
+    """Public Talk-to-Sales submission.
+
+    Creates a sales_leads row, fires (best-effort) a notification email and a
+    server-side PostHog event. Rate-limited per IP at 5/hour.
+    """
+    lead = SalesLead(
+        email=str(data.email).lower(),
+        name=data.name,
+        company=data.company,
+        team_size=data.team_size,
+        message=data.message,
+        source=data.source,
+        posthog_distinct_id=data.posthog_distinct_id,
+    )
+    db.add(lead)
+    await db.commit()
+    await db.refresh(lead)
+
+    # Fire-and-forget: email + analytics. Failures must not fail the request.
+    asyncio.create_task(_send_notification_email(lead))
+    _capture_posthog_event(lead)
+
+    return SalesLeadCreateResponse(id=lead.id, status="received")
--- a/backend/app/api/endpoints/webhooks.py
+++ b/backend/app/api/endpoints/webhooks.py
@@ -1,10 +1,10 @@
 import logging
-from fastapi import APIRouter, Request, HTTPException, status, Depends
+from fastapi import APIRouter, Request, HTTPException, Depends
 from sqlalchemy.ext.asyncio import AsyncSession

-from app.core.database import get_db
+from app.core.admin_database import get_admin_db
 from app.core.config import settings
-from app.core.stripe_handlers import WEBHOOK_HANDLERS
+from app.services.billing import BillingService

 logger = logging.getLogger(__name__)

@@ -14,49 +14,36 @@ router = APIRouter(prefix="/webhooks", tags=["webhooks"])
@router.post("/stripe")
 async def stripe_webhook(
    request: Request,
-    db: AsyncSession = Depends(get_db),
+    db: AsyncSession = Depends(get_admin_db),
 ):
-    """Handle Stripe webhook events.
+    """Stripe webhook handler. Public endpoint; signature verification is the
+    only gate. Idempotency via stripe_events table.

-    Returns 200 for all events to prevent Stripe retries.
-    Actual processing happens only when Stripe is configured.
+    Returns 200 even when Stripe is not configured — keeps the receiver
+    permissive for local dev.
    """
-    if not settings.stripe_enabled:
+    if not settings.stripe_enabled or not settings.STRIPE_WEBHOOK_SECRET:
        return {"status": "ok", "message": "Stripe not configured, event ignored"}

    payload = await request.body()
    sig_header = request.headers.get("stripe-signature")
-
    if not sig_header:
-        raise HTTPException(
-            status_code=status.HTTP_400_BAD_REQUEST,
-            detail="Missing stripe-signature header"
-        )
+        raise HTTPException(status_code=400, detail="Missing stripe-signature header")

-    # Verify webhook signature
    try:
        import stripe
        stripe.api_key = settings.STRIPE_SECRET_KEY
        event = stripe.Webhook.construct_event(
            payload, sig_header, settings.STRIPE_WEBHOOK_SECRET
        )
-    except ImportError:
-        logger.warning("stripe package not installed, cannot verify webhook")
-        return {"status": "ok", "message": "stripe package not installed"}
    except Exception as e:
-        logger.error("Stripe webhook signature verification failed: %s", e)
-        raise HTTPException(
-            status_code=status.HTTP_400_BAD_REQUEST,
-            detail="Invalid signature"
-        )
+        logger.warning("stripe webhook bad signature: %s", e)
+        raise HTTPException(status_code=400, detail="Invalid signature")

-    event_type = event.get("type", "")
-    handler = WEBHOOK_HANDLERS.get(event_type)
-
-    if handler:
-        try:
-            await handler(event, db)
-        except Exception:
-            logger.exception("Error handling Stripe event %s", event_type)
-
-    return {"status": "ok"}
+    applied = await BillingService.apply_subscription_event(
+        db,
+        event_id=event["id"],
+        event_type=event["type"],
+        payload={"data": event["data"]},
+    )
+    return {"status": "ok", "applied": applied}
--- a/backend/app/api/router.py
+++ b/backend/app/api/router.py
@@ -1,9 +1,14 @@
 from fastapi import APIRouter, Depends

-from app.api.deps import require_tenant_context
+from app.api.deps import (
+    require_tenant_context,
+    require_active_subscription,
+    require_verified_email_after_grace,
+)
 from app.api.endpoints import (
    admin,
    admin_audit,
+    l1,
    admin_categories,
    admin_dashboard,
    admin_feature_flags,
@@ -19,10 +24,13 @@ from app.api.endpoints import (
    analytics,
    assistant_chat,
    auth,
+    billing,
    beta_feedback,
    beta_signup,
+    sales_leads,
    branding,
    categories,
+    config as config_endpoints,
    copilot,
    device_types,
    draft_templates,
@@ -36,7 +44,9 @@ from app.api.endpoints import (
    maintenance_schedules,
    network_diagrams,
    notifications,
+    oauth as oauth_endpoints,
    onboarding,
+    plans_public,
    public_templates,
    ratings,
    scripts,
@@ -62,6 +72,8 @@ from app.api.endpoints import (
    uploads,
    webhooks,
    accounts,
+    account_invite_lookup,
+    account_security,
 )

 api_router = APIRouter()
@@ -77,12 +89,18 @@ api_router = APIRouter()
 # in Phase 1. This will need revisiting in Phase 2 when `users` gets RLS.
 # ---------------------------------------------------------------------------
 api_router.include_router(auth.router)
+api_router.include_router(oauth_endpoints.router)
+api_router.include_router(billing.router)     # Reachable when subscription locked
 api_router.include_router(shared.router)       # Public share links (no auth)
 api_router.include_router(shares.public_router)  # Public session share links (optional auth)
 api_router.include_router(beta_signup.router)
+api_router.include_router(sales_leads.router)  # Talk-to-Sales (no auth, rate-limited)
 api_router.include_router(webhooks.router)     # Stripe webhook receiver
 api_router.include_router(public_templates.router)  # Public gallery (no auth, rate-limited)
 api_router.include_router(survey.router)       # Public survey flow (no auth, rate-limited)
+api_router.include_router(config_endpoints.router)  # Public runtime feature flags
+api_router.include_router(account_invite_lookup.router)  # Public invite-code lookup for /accept-invite
+api_router.include_router(plans_public.router)  # Public plan catalog for /pricing page

 # ---------------------------------------------------------------------------
 # Admin endpoints — super_admin only
@@ -102,23 +120,37 @@ api_router.include_router(admin_survey.router)
 api_router.include_router(admin_gallery.router)
 # ---------------------------------------------------------------------------
 # User-facing endpoints — tenant context required
+#
+# _tenant_deps:  routers that only require an authenticated user inside a
+#                tenant (auth/account/admin/non-Pro feature surfaces).
+# _pro_deps:     routers gated behind an active Pro subscription. Adds
+#                require_active_subscription which raises 402 unless the
+#                account's Subscription is active/complimentary/past_due or
+#                trialing-with-time-remaining. Allowlisted paths in deps.py
+#                bypass the gate for billing/account admin/auth flows.
 # ---------------------------------------------------------------------------
 _tenant_deps = [Depends(require_tenant_context)]
+_pro_deps = [
+    Depends(require_tenant_context),
+    Depends(require_active_subscription),
+    Depends(require_verified_email_after_grace),
+]

-api_router.include_router(trees.router, dependencies=_tenant_deps)
+api_router.include_router(trees.router, dependencies=_pro_deps)
 api_router.include_router(sidebar.router, dependencies=_tenant_deps)
-api_router.include_router(sessions.router, dependencies=_tenant_deps)
+api_router.include_router(sessions.router, dependencies=_pro_deps)
 api_router.include_router(invite.router, dependencies=_tenant_deps)
 api_router.include_router(categories.router, dependencies=_tenant_deps)
 api_router.include_router(tags.router, dependencies=_tenant_deps)
 api_router.include_router(folders.router, dependencies=_tenant_deps)
-api_router.include_router(step_categories.router, dependencies=_tenant_deps)
-api_router.include_router(steps.router, dependencies=_tenant_deps)
+api_router.include_router(step_categories.router, dependencies=_pro_deps)
+api_router.include_router(steps.router, dependencies=_pro_deps)
 api_router.include_router(accounts.router, dependencies=_tenant_deps)
+api_router.include_router(account_security.router, dependencies=_tenant_deps)
 api_router.include_router(shares.router, dependencies=_tenant_deps)
 api_router.include_router(tree_markdown.router, dependencies=_tenant_deps)
 api_router.include_router(ratings.router, dependencies=_tenant_deps)
-api_router.include_router(analytics.router, dependencies=_tenant_deps)
+api_router.include_router(analytics.router, dependencies=_pro_deps)
 api_router.include_router(target_lists.router, dependencies=_tenant_deps)
 api_router.include_router(maintenance_schedules.router, dependencies=_tenant_deps)
 api_router.include_router(feedback.router, dependencies=_tenant_deps)
@@ -126,31 +158,34 @@ api_router.include_router(ai_builder.router, dependencies=_tenant_deps)
 api_router.include_router(ai_fix.router, dependencies=_tenant_deps)
 api_router.include_router(ai_chat.router, dependencies=_tenant_deps)
 api_router.include_router(copilot.router, dependencies=_tenant_deps)
-api_router.include_router(assistant_chat.router, dependencies=_tenant_deps)
+api_router.include_router(assistant_chat.router, dependencies=_pro_deps)
 api_router.include_router(tree_transfer.router, dependencies=_tenant_deps)
 api_router.include_router(ai_suggestions.router, dependencies=_tenant_deps)
 api_router.include_router(kb_accelerator.router, dependencies=_tenant_deps)
-api_router.include_router(scripts.router, dependencies=_tenant_deps)
-api_router.include_router(integrations.router, dependencies=_tenant_deps)
+api_router.include_router(scripts.router, dependencies=_pro_deps)
+api_router.include_router(integrations.router, dependencies=_pro_deps)
 api_router.include_router(onboarding.router, dependencies=_tenant_deps)
 api_router.include_router(branding.router, dependencies=_tenant_deps)
 api_router.include_router(supporting_data.router, dependencies=_tenant_deps)
 api_router.include_router(network_diagrams.router, dependencies=_tenant_deps)
 # session_handoffs queue router must come before ai_sessions to avoid conflict
-api_router.include_router(session_handoffs.queue_router, dependencies=_tenant_deps)
-api_router.include_router(session_resolutions.router, dependencies=_tenant_deps)
+api_router.include_router(session_handoffs.queue_router, dependencies=_pro_deps)
+api_router.include_router(session_resolutions.router, dependencies=_pro_deps)
 # session_facts mounts under /ai-sessions/{id}/facts — register before ai_sessions
 # so the {session_id}/facts subpaths take precedence over any future generic catchalls.
-api_router.include_router(session_facts.router, dependencies=_tenant_deps)
-api_router.include_router(session_suggested_fixes.router, dependencies=_tenant_deps)
+api_router.include_router(session_facts.router, dependencies=_pro_deps)
+api_router.include_router(session_suggested_fixes.router, dependencies=_pro_deps)
 api_router.include_router(draft_templates.router, dependencies=_tenant_deps)
-api_router.include_router(ai_sessions.router, dependencies=_tenant_deps)
-api_router.include_router(flow_proposals.router, dependencies=_tenant_deps)
-api_router.include_router(flowpilot_analytics.router, dependencies=_tenant_deps)
+api_router.include_router(ai_sessions.router, dependencies=_pro_deps)
+api_router.include_router(flow_proposals.router, dependencies=_pro_deps)
+api_router.include_router(flowpilot_analytics.router, dependencies=_pro_deps)
 api_router.include_router(notifications.router, dependencies=_tenant_deps)
 api_router.include_router(uploads.router, dependencies=_tenant_deps)
-api_router.include_router(script_builder.router, dependencies=_tenant_deps)
+api_router.include_router(script_builder.router, dependencies=_pro_deps)
 api_router.include_router(beta_feedback.router, dependencies=_tenant_deps)
-api_router.include_router(session_branches.router, dependencies=_tenant_deps)
-api_router.include_router(session_handoffs.router, dependencies=_tenant_deps)
+api_router.include_router(session_branches.router, dependencies=_pro_deps)
+api_router.include_router(session_handoffs.router, dependencies=_pro_deps)
 api_router.include_router(device_types.router, dependencies=_tenant_deps)
+# L1 is a separate seat-counted SKU; subscription gating is enforced by
+# seat_enforcement (engineer + l1_seat_limit), not require_active_subscription.
+api_router.include_router(l1.router, dependencies=_tenant_deps)
--- a/backend/app/core/ai_provider.py
+++ b/backend/app/core/ai_provider.py
@@ -147,6 +147,40 @@ def build_anthropic_chat_messages(
    return messages


+def _extract_text_from_response(response: Any, model: str) -> str:
+    """Return the first text block's text from an Anthropic message response.
+
+    Robustness over the naive ``response.content[0].text``:
+    - Skips non-text leading blocks (e.g. ``thinking``) and returns the first
+      block whose ``type == "text"``. Indexing ``content[0]`` blindly throws or
+      returns garbage the moment a non-text block leads the response.
+    - Surfaces truncation/refusal: when ``stop_reason`` is ``max_tokens`` or
+      ``refusal``, emits a structured warning so silent output corruption
+      (truncated JSON, empty refusals) is observable rather than handed
+      downstream to be guessed at.
+    - Raises ``ValueError`` when no text block is present (e.g. a bare refusal)
+      instead of returning a non-text block's attributes.
+    """
+    stop_reason = getattr(response, "stop_reason", None)
+    if stop_reason in ("max_tokens", "refusal"):
+        logger.warning(
+            "anthropic.stop_reason",
+            extra={
+                "event": "anthropic.stop_reason",
+                "model": model,
+                "stop_reason": stop_reason,
+            },
+        )
+
+    for block in response.content:
+        if getattr(block, "type", None) == "text":
+            return block.text
+
+    raise ValueError(
+        f"Anthropic response contained no text block (stop_reason={stop_reason!r})"
+    )
+
+
 def _log_anthropic_cache_usage(usage: Any, model: str) -> None:
    """Emit a structured log line capturing cache_read / cache_creation tokens."""
    cache_read = getattr(usage, "cache_read_input_tokens", 0) or 0
@@ -176,6 +210,7 @@ class AIProvider(ABC):
        system_prompt: str | list[SystemBlock],
        messages: list[dict[str, Any]],
        max_tokens: int = 4096,
+        schema: dict[str, Any] | None = None,
    ) -> tuple[str, int, int]:
        """Generate a JSON response from the AI model.

@@ -185,6 +220,15 @@ class AIProvider(ABC):
                Anthropic prompt caching per module-docstring policy.
            messages: List of message dicts with "role" and "content" keys.
            max_tokens: Maximum output tokens.
+            schema: Optional JSON Schema constraining the response shape.
+                When provided, the Anthropic backend uses structured outputs
+                (`output_config.format`) to guarantee valid, parseable JSON —
+                no markdown fences, no truncated-brace repair. Must satisfy the
+                structured-output schema limits (every object needs
+                `additionalProperties: false`; no recursion; numeric/string
+                constraints are stripped). `None` preserves the legacy
+                prompt-only behavior. The Gemini backend currently ignores this
+                argument (it already requests `application/json`).

        Returns:
            Tuple of (response_text, input_tokens, output_tokens).
@@ -231,7 +275,11 @@ class GeminiProvider(AIProvider):
        system_prompt: str | list[SystemBlock],
        messages: list[dict[str, Any]],
        max_tokens: int = 4096,
+        schema: dict[str, Any] | None = None,
    ) -> tuple[str, int, int]:
+        # `schema` is accepted for interface parity but ignored: Gemini already
+        # constrains output via response_mime_type="application/json" below.
+        # Mapping JSON Schema -> Gemini response_schema is deferred.
        from google import genai
        from google.genai import types as genai_types

@@ -362,18 +410,28 @@ class AnthropicProvider(AIProvider):
        system_prompt: str | list[SystemBlock],
        messages: list[dict[str, Any]],
        max_tokens: int = 4096,
+        schema: dict[str, Any] | None = None,
    ) -> tuple[str, int, int]:
        client = _get_anthropic_client(self._api_key, self._timeout)
        normalized_system = _normalize_system_for_anthropic(system_prompt)

-        response = await client.messages.create(
-            model=self._model,
-            max_tokens=max_tokens,
-            system=normalized_system,
-            messages=messages,
-        )
+        create_kwargs: dict[str, Any] = {
+            "model": self._model,
+            "max_tokens": max_tokens,
+            "system": normalized_system,
+            "messages": messages,
+        }
+        if schema is not None:
+            # Structured outputs: constrain the response to valid JSON matching
+            # the schema (Sonnet 4.6 / Haiku 4.5). Removes the need for
+            # markdown-fence stripping and truncated-JSON repair downstream.
+            create_kwargs["output_config"] = {
+                "format": {"type": "json_schema", "schema": schema}
+            }

-        text = response.content[0].text
+        response = await client.messages.create(**create_kwargs)
+
+        text = _extract_text_from_response(response, self._model)
        input_tokens = response.usage.input_tokens
        output_tokens = response.usage.output_tokens

--- a/backend/app/core/audit.py
+++ b/backend/app/core/audit.py
@@ -13,13 +13,20 @@ async def log_audit(
    resource_id: Optional[UUID] = None,
    details: Optional[dict] = None,
    account_id: Optional[UUID] = None,
+    acting_as: Optional[str] = None,
 ) -> None:
-    """Record an audit log entry. Does not commit — piggybacks on the caller's commit."""
+    """Record an audit log entry. Does not commit — caller's commit picks it up.
+
+    acting_as: optional tag from the session (e.g. 'l1_coverage' for engineers
+    on the L1 surface, None for native l1_tech users).
+    """
    if account_id is None:
        # Derive from the acting user's account as a fallback (one extra query).
        from sqlalchemy import select
        from app.models.user import User
-        result = await db.execute(select(User.account_id).where(User.id == user_id))
+        result = await db.execute(
+            select(User.account_id).where(User.id == user_id)
+        )
        account_id = result.scalar_one()

    entry = AuditLog(
@@ -29,5 +36,6 @@ async def log_audit(
        resource_type=resource_type,
        resource_id=resource_id,
        details=details,
+        acting_as=acting_as,
    )
    db.add(entry)
--- a/backend/app/core/config.py
+++ b/backend/app/core/config.py
@@ -69,6 +69,19 @@ class Settings(BaseSettings):
    ACCESS_TOKEN_EXPIRE_MINUTES: int = 5
    REFRESH_TOKEN_EXPIRE_DAYS: int = 7

+    # Session policy — see docs/plans/2026-05-13-session-expiration-policy.md
+    # Refresh tokens enforce two windows: idle (between rotations) and absolute
+    # (from original login). Defaults can be overridden per-account, bounded by
+    # the MIN/MAX values below. Values are minutes everywhere except inside the
+    # refresh JWT, where idle_max/abs_max are stored as seconds for direct
+    # Unix-time math.
+    SESSION_IDLE_MINUTES_DEFAULT: int = 4320      # 3 days
+    SESSION_ABSOLUTE_MINUTES_DEFAULT: int = 20160  # 14 days
+    SESSION_IDLE_MINUTES_MIN: int = 15
+    SESSION_IDLE_MINUTES_MAX: int = 43200          # 30 days
+    SESSION_ABSOLUTE_MINUTES_MIN: int = 60         # 1 hour
+    SESSION_ABSOLUTE_MINUTES_MAX: int = 129600     # 90 days
+
    # Security
    BCRYPT_ROUNDS: int = 12

@@ -84,6 +97,7 @@ class Settings(BaseSettings):
    RESEND_API_KEY: Optional[str] = None
    FROM_EMAIL: str = "ResolutionFlow <invites@resolutionflow.com>"
    FEEDBACK_EMAIL: Optional[str] = None
+    SALES_LEAD_RECIPIENT_EMAIL: str = "sales@resolutionflow.com"

    @property
    def email_enabled(self) -> bool:
@@ -94,11 +108,46 @@ class Settings(BaseSettings):
    STRIPE_SECRET_KEY: Optional[str] = None
    STRIPE_PUBLISHABLE_KEY: Optional[str] = None
    STRIPE_WEBHOOK_SECRET: Optional[str] = None
+    SELF_SERVE_ENABLED: bool = False
+
+    # Internal tester allowlist for soft cutover. Comma-separated emails;
+    # when SELF_SERVE_ENABLED is False, listed users still see the self-serve
+    # surfaces (pricing page, invite-code-optional registration, etc.) so the
+    # full flow can be exercised in prod test mode before public flip.
+    INTERNAL_TESTER_EMAILS: list[str] = []
+
+    @field_validator("INTERNAL_TESTER_EMAILS", mode="before")
+    @classmethod
+    def split_internal_tester_emails(cls, v) -> list[str]:
+        """Parse a comma-separated string into a normalized lowercase list."""
+        if v is None or v == "":
+            return []
+        if isinstance(v, list):
+            return [e.strip().lower() for e in v if e and e.strip()]
+        if isinstance(v, str):
+            return [e.strip().lower() for e in v.split(",") if e.strip()]
+        return []
+
+    def is_internal_tester(self, email: Optional[str]) -> bool:
+        """Case-insensitive allowlist check. None/empty email is never a tester."""
+        if not email:
+            return False
+        return email.lower() in self.INTERNAL_TESTER_EMAILS
+
+    def is_self_serve_active_for(self, email: Optional[str]) -> bool:
+        """True if self-serve surfaces should render for this user.
+
+        Either the global flag is on, or the user is on the internal-tester
+        allowlist. Anonymous calls (email is None) only see the global flag.
+        """
+        if self.SELF_SERVE_ENABLED:
+            return True
+        return self.is_internal_tester(email)

    @property
    def stripe_enabled(self) -> bool:
        """Check if Stripe is configured."""
-        return self.STRIPE_SECRET_KEY is not None and self.STRIPE_WEBHOOK_SECRET is not None
+        return bool(self.STRIPE_SECRET_KEY)

    # AI Flow Builder
    ANTHROPIC_API_KEY: Optional[str] = None
@@ -106,6 +155,12 @@ class Settings(BaseSettings):
    AI_CONVERSATION_TTL_HOURS: int = 24
    AI_MAX_CALLS_PER_FLOW: int = 10
    AI_REQUEST_TIMEOUT_SECONDS: int = 120
+    # When True, KB conversion constrains the Anthropic response with a JSON
+    # schema (structured outputs) instead of relying on prompt-only JSON +
+    # downstream fence-stripping / brace-repair. Default OFF: enable in staging
+    # and smoke-test constrained decoding against the live model before turning
+    # it on in production. Only affects the Anthropic backend.
+    AI_KB_CONVERT_STRUCTURED_OUTPUT: bool = False
    # AI Provider selection
    AI_PROVIDER: str = "anthropic"  # "gemini" or "anthropic"
    GOOGLE_AI_API_KEY: Optional[str] = None
@@ -193,6 +248,13 @@ class Settings(BaseSettings):
        """Check if ConnectWise integration is configured."""
        return self.CW_CLIENT_ID is not None

+    # OAuth providers (self-serve signup)
+    GOOGLE_CLIENT_ID: Optional[str] = None
+    GOOGLE_CLIENT_SECRET: Optional[str] = None
+    MS_CLIENT_ID: Optional[str] = None
+    MS_CLIENT_SECRET: Optional[str] = None
+    OAUTH_REDIRECT_BASE: str = "http://localhost:5173"
+
    # Monitoring
    SENTRY_DSN: Optional[str] = None

--- a/backend/app/core/email.py
+++ b/backend/app/core/email.py
@@ -1,6 +1,11 @@
 import logging
+from typing import TYPE_CHECKING
+
 from app.core.config import settings

+if TYPE_CHECKING:
+    from app.models.sales_lead import SalesLead
+
 logger = logging.getLogger(__name__)


@@ -484,6 +489,99 @@ class EmailService:
            logger.exception("Failed to send beta signup notification for %s", signup_email)
            return False

+    @staticmethod
+    async def send_sales_lead_notification(
+        to_email: str,
+        lead: "SalesLead",
+    ) -> bool:
+        """Notify the sales recipient about a new Talk-to-Sales submission.
+
+        Fire-and-forget. Returns False (and logs) on any failure; never raises.
+        """
+        if not settings.email_enabled:
+            logger.warning(
+                "Sales lead email not sent — RESEND_API_KEY not configured (lead %s)",
+                lead.id,
+            )
+            return False
+
+        try:
+            import resend
+            import html as html_mod
+            from datetime import datetime, timezone
+
+            resend.api_key = settings.RESEND_API_KEY
+
+            date_str = datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M UTC")
+            safe_email = html_mod.escape(lead.email)
+            safe_name = html_mod.escape(lead.name)
+            safe_company = html_mod.escape(lead.company)
+            safe_team_size = html_mod.escape(lead.team_size or "—")
+            safe_source = html_mod.escape(lead.source)
+            safe_message = html_mod.escape(lead.message or "(no message)")
+            subject = f"[ResolutionFlow Sales] New lead — {safe_company} ({safe_email})"
+
+            email_html = f"""<!DOCTYPE html>
+<html><head><meta charset="utf-8"><meta name="viewport" content="width=device-width"></head>
+<body style="margin:0;padding:0;background:#101114;font-family:'Inter',Helvetica,Arial,sans-serif;">
+<table width="100%" cellpadding="0" cellspacing="0" style="background:#101114;padding:40px 0;">
+<tr><td align="center">
+<table width="560" cellpadding="0" cellspacing="0" style="background:#14161a;border:1px solid rgba(255,255,255,0.06);border-radius:16px;">
+  <tr><td style="padding:40px 40px 24px;text-align:center;">
+    <h1 style="margin:0;color:#f8fafc;font-size:24px;font-weight:600;">Resolution<span style="color:#06b6d4;">Flow</span></h1>
+    <p style="margin:8px 0 0;color:#5a6170;font-size:14px;">New Sales Lead</p>
+  </td></tr>
+  <tr><td style="padding:0 40px 16px;">
+    <p style="margin:0;color:#8891a0;font-size:16px;line-height:1.6;">
+      Source: <strong style="color:#f8fafc;">{safe_source}</strong>
+    </p>
+  </td></tr>
+  <tr><td style="padding:0 40px 16px;">
+    <table width="100%" cellpadding="0" cellspacing="0" style="background:rgba(0,0,0,0.3);border:1px solid rgba(255,255,255,0.06);border-radius:12px;">
+      <tr><td style="padding:16px;">
+        <p style="margin:0 0 4px;color:#5a6170;font-size:12px;text-transform:uppercase;letter-spacing:1px;">Name</p>
+        <p style="margin:0 0 12px;color:#f8fafc;font-size:16px;font-weight:600;">{safe_name}</p>
+        <p style="margin:0 0 4px;color:#5a6170;font-size:12px;text-transform:uppercase;letter-spacing:1px;">Email</p>
+        <p style="margin:0 0 12px;color:#22d3ee;font-size:16px;font-weight:600;">{safe_email}</p>
+        <p style="margin:0 0 4px;color:#5a6170;font-size:12px;text-transform:uppercase;letter-spacing:1px;">Company</p>
+        <p style="margin:0 0 12px;color:#f8fafc;font-size:16px;font-weight:600;">{safe_company}</p>
+        <p style="margin:0 0 4px;color:#5a6170;font-size:12px;text-transform:uppercase;letter-spacing:1px;">Team Size</p>
+        <p style="margin:0;color:#f8fafc;font-size:16px;font-weight:600;">{safe_team_size}</p>
+      </td></tr>
+    </table>
+  </td></tr>
+  <tr><td style="padding:0 40px 16px;">
+    <p style="margin:0 0 4px;color:#5a6170;font-size:12px;text-transform:uppercase;letter-spacing:1px;">Message</p>
+    <p style="margin:0;color:#8891a0;font-size:14px;line-height:1.6;white-space:pre-wrap;">{safe_message}</p>
+  </td></tr>
+  <tr><td style="padding:0 40px 32px;">
+    <p style="margin:0;color:#5a6170;font-size:12px;text-align:center;">
+      Submitted at {date_str} · Lead ID: {lead.id}
+    </p>
+  </td></tr>
+</table>
+</td></tr>
+</table>
+</body></html>"""
+
+            resend.Emails.send({
+                "from": settings.FROM_EMAIL,
+                "to": [to_email],
+                "reply_to": lead.email,
+                "subject": subject,
+                "html": email_html,
+            })
+            logger.info("Sales lead notification sent for %s (lead %s)", lead.email, lead.id)
+            return True
+
+        except Exception:
+            logger.exception(
+                "Failed to send sales lead notification for %s (lead %s)",
+                lead.email,
+                lead.id,
+            )
+            return False
+
    @staticmethod
    async def send_notification_email(
        to_email: str,
--- a/backend/app/core/kb_conversion_service.py
+++ b/backend/app/core/kb_conversion_service.py
@@ -202,6 +202,115 @@ the engineer attached, NOT from this schema):
 9. Return ONLY valid JSON — no markdown fences, no explanation text."""


+# ── Structured-output schemas ──
+#
+# These constrain the model's JSON via Anthropic structured outputs
+# (output_config.format) so the response is guaranteed valid and parseable —
+# no markdown fences, no truncated-brace repair. They must be a SUPERSET of
+# every field the corresponding system prompt instructs the model to emit:
+# additionalProperties is False everywhere, so any field the prompt asks for
+# but the schema omits would be impossible to produce.
+#
+# `type`/`field_type` are intentionally left as plain strings (no enum): the
+# downstream parser already normalizes/tolerates the type values, and an enum
+# risks constraining the model away from a value the prompt would yield.
+
+_TROUBLESHOOTING_OPTION_SCHEMA: dict[str, Any] = {
+    "type": "object",
+    "properties": {
+        "label": {"type": "string"},
+        "next_node_id": {"type": "string"},
+    },
+    "required": ["label", "next_node_id"],
+    "additionalProperties": False,
+}
+
+_TROUBLESHOOTING_NODE_SCHEMA: dict[str, Any] = {
+    "type": "object",
+    "properties": {
+        "id": {"type": "string"},
+        "type": {"type": "string"},
+        "question": {"type": "string"},
+        "options": {"type": "array", "items": _TROUBLESHOOTING_OPTION_SCHEMA},
+        "next_node_id": {"type": "string"},
+        "confidence": {"type": "number"},
+        "source_excerpt": {"type": "string"},
+    },
+    # Only the universal fields are required. `question`/`options`/`next_node_id`
+    # vary by node type and stay optional so a resolution node need not carry
+    # options and an action node need not carry a question.
+    "required": ["id", "type", "confidence", "source_excerpt"],
+    "additionalProperties": False,
+}
+
+TROUBLESHOOTING_SCHEMA: dict[str, Any] = {
+    "type": "object",
+    "properties": {
+        "title": {"type": "string"},
+        "description": {"type": "string"},
+        "nodes": {"type": "array", "items": _TROUBLESHOOTING_NODE_SCHEMA},
+    },
+    "required": ["title", "description", "nodes"],
+    "additionalProperties": False,
+}
+
+_PROCEDURAL_STEP_SCHEMA: dict[str, Any] = {
+    "type": "object",
+    "properties": {
+        "id": {"type": "string"},
+        "type": {"type": "string"},
+        "content": {"type": "string"},
+        "confidence": {"type": "number"},
+        "source_excerpt": {"type": "string"},
+    },
+    "required": ["id", "type", "content", "confidence", "source_excerpt"],
+    "additionalProperties": False,
+}
+
+_PROCEDURAL_INTAKE_SCHEMA: dict[str, Any] = {
+    "type": "object",
+    "properties": {
+        "variable_name": {"type": "string"},
+        "label": {"type": "string"},
+        "field_type": {"type": "string"},
+        "required": {"type": "boolean"},
+        "display_order": {"type": "integer"},
+    },
+    "required": [
+        "variable_name",
+        "label",
+        "field_type",
+        "required",
+        "display_order",
+    ],
+    "additionalProperties": False,
+}
+
+PROCEDURAL_SCHEMA: dict[str, Any] = {
+    "type": "object",
+    "properties": {
+        "title": {"type": "string"},
+        "description": {"type": "string"},
+        "steps": {"type": "array", "items": _PROCEDURAL_STEP_SCHEMA},
+        "intake_form": {"type": "array", "items": _PROCEDURAL_INTAKE_SCHEMA},
+    },
+    "required": ["title", "description", "steps", "intake_form"],
+    "additionalProperties": False,
+}
+
+
+def _schema_for_target_type(target_type: str) -> dict[str, Any]:
+    """Return the structured-output schema for a KB conversion target type.
+
+    Mirrors the prompt selection in ``convert_document``: only
+    ``"troubleshooting"`` uses the decision-tree schema; everything else is
+    treated as a procedural flow.
+    """
+    if target_type == "troubleshooting":
+        return TROUBLESHOOTING_SCHEMA
+    return PROCEDURAL_SCHEMA
+
+
 def _build_user_message(
    source_text: str,
    source_metadata: dict[str, Any] | None,
@@ -404,6 +513,16 @@ async def convert_document(
    model = settings.get_model_for_action("kb_convert")
    provider = get_ai_provider(model=model)

+    # Structured outputs (flagged): constrain the response to a JSON schema so
+    # the model can't emit fences or truncated JSON. Falls back to prompt-only
+    # JSON (schema=None) when disabled; the parse path below stays intact either
+    # way as a belt-and-suspenders fallback.
+    schema = (
+        _schema_for_target_type(kb_import.target_type)
+        if settings.AI_KB_CONVERT_STRUCTURED_OUTPUT
+        else None
+    )
+
    try:
        raw_text, input_tokens, output_tokens = await provider.generate_json(
            system_prompt=[
@@ -414,6 +533,7 @@ async def convert_document(
            ],
            messages=[{"role": "user", "content": user_message}],
            max_tokens=16384,
+            schema=schema,
        )
    except Exception as e:
        logger.error("AI conversion failed for kb_import=%s: %s", kb_import.id, e)
--- a/backend/app/core/permissions.py
+++ b/backend/app/core/permissions.py
@@ -1,11 +1,12 @@
 """
 Centralized permission checks for ResolutionFlow.

-Role hierarchy: super_admin > owner > engineer > viewer
+Role hierarchy: super_admin > owner > engineer > l1_tech > viewer

 - super_admin: is_super_admin=True, full system access
 - owner:       account_role='owner', manage account resources
 - engineer:    account_role='engineer' (default), CRUD own trees/steps
+- l1_tech:     account_role='l1_tech', use /l1/* surface only — walk flows, resolve/escalate
 - viewer:      account_role='viewer', read-only (can browse, run sessions, rate steps)
 """
 from __future__ import annotations
@@ -23,7 +24,8 @@ ROLE_HIERARCHY = {
    "super_admin": 4,
    "owner": 3,
    "engineer": 2,
-    "viewer": 1,
+    "l1_tech": 1,
+    "viewer": 0,
 }


--- a/backend/app/core/security.py
+++ b/backend/app/core/security.py
@@ -5,9 +5,18 @@ import uuid
 from datetime import datetime, timedelta, timezone
 from typing import Optional
 from jose import JWTError, jwt
+from jose.exceptions import ExpiredSignatureError
 from passlib.context import CryptContext
 from .config import settings

+
+class IdleTokenExpired(Exception):
+    """Raised by decode_refresh_token_strict when a refresh JWT is past its `exp`.
+
+    Distinct from JWTError so callers can map idle expiry to `session_expired_idle`
+    on the wire while all other decode failures map to `invalid_refresh_token`.
+    """
+
 pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")


@@ -33,14 +42,54 @@ def create_access_token(data: dict, expires_delta: Optional[timedelta] = None) -
    return encoded_jwt


-def create_refresh_token(data: dict) -> str:
-    """Create a JWT refresh token with a unique jti for revocation tracking."""
-    to_encode = data.copy()
-    expire = datetime.now(timezone.utc) + timedelta(days=settings.REFRESH_TOKEN_EXPIRE_DAYS)
+def create_refresh_token(
+    user_id: str,
+    *,
+    auth_time: int,
+    idle_max_seconds: int,
+    abs_max_seconds: int,
+) -> str:
+    """Create a JWT refresh token with session-policy claims embedded.
+
+    The JWT carries five claims beyond the standard `sub`/`type`/`jti`:
+
+    - `auth_time`: Unix-seconds timestamp of the original login; never reset
+      on rotation. Used by `/auth/refresh` to enforce the absolute cap.
+    - `idle_max`: idle window in seconds, snapshotted from the account's
+      policy at login. Carried forward across rotations unchanged.
+    - `abs_max`: absolute lifetime in seconds, snapshotted at login.
+    - `exp`: current idle deadline (`now + idle_max`). Standard JWT expiry.
+
+    See docs/plans/2026-05-13-session-expiration-policy.md §4.2 for the unit
+    convention (everything outside the JWT is minutes; inside the JWT it's
+    seconds so `auth_time + abs_max` is direct Unix math).
+    """
+    now = datetime.now(timezone.utc)
+    expire = now + timedelta(seconds=idle_max_seconds)
    jti = str(uuid.uuid4())
-    to_encode.update({"exp": expire, "type": "refresh", "jti": jti})
-    encoded_jwt = jwt.encode(to_encode, settings.SECRET_KEY, algorithm=settings.ALGORITHM)
-    return encoded_jwt
+    to_encode = {
+        "sub": user_id,
+        "type": "refresh",
+        "jti": jti,
+        "exp": expire,
+        "auth_time": auth_time,
+        "idle_max": idle_max_seconds,
+        "abs_max": abs_max_seconds,
+    }
+    return jwt.encode(to_encode, settings.SECRET_KEY, algorithm=settings.ALGORITHM)
+
+
+def resolve_session_policy(account) -> tuple[int, int]:
+    """Return (idle_minutes, absolute_minutes) for an account.
+
+    NULL overrides fall back to the system defaults from Settings. Partial
+    overrides (one column NULL, one set) are intentionally allowed at this
+    layer; the PATCH /accounts/me/security endpoint validates the resolved
+    effective values to enforce idle <= absolute. See plan §4.3.
+    """
+    idle = account.session_idle_minutes or settings.SESSION_IDLE_MINUTES_DEFAULT
+    absolute = account.session_absolute_minutes or settings.SESSION_ABSOLUTE_MINUTES_DEFAULT
+    return idle, absolute


 def hash_token(jti: str) -> str:
@@ -49,7 +98,14 @@ def hash_token(jti: str) -> str:


 def decode_token(token: str) -> Optional[dict]:
-    """Decode and validate a JWT token."""
+    """Decode and validate a JWT token.
+
+    Collapses all jose errors (including expiry) into None — preserved for
+    access tokens, password-reset tokens, and email-verification tokens where
+    the caller does not need to distinguish expiry from invalid. Refresh tokens
+    use decode_refresh_token_strict instead so they can map idle expiry to
+    `session_expired_idle` distinctly.
+    """
    try:
        payload = jwt.decode(token, settings.SECRET_KEY, algorithms=[settings.ALGORITHM])
        return payload
@@ -57,6 +113,24 @@ def decode_token(token: str) -> Optional[dict]:
        return None


+def decode_refresh_token_strict(token: str) -> dict:
+    """Decode a refresh token, distinguishing idle expiry from invalid.
+
+    Raises:
+        IdleTokenExpired: token signature is valid but `exp` is past — i.e. the
+            idle window has elapsed.
+        JWTError: any other decode failure (bad signature, malformed, wrong
+            algorithm).
+
+    Type discrimination (`type == "refresh"`) is the caller's responsibility —
+    this function only inspects the JWT itself.
+    """
+    try:
+        return jwt.decode(token, settings.SECRET_KEY, algorithms=[settings.ALGORITHM])
+    except ExpiredSignatureError as e:
+        raise IdleTokenExpired() from e
+
+
 def create_password_reset_token(user_id: str) -> str:
    """Create a JWT password reset token (30-minute expiry, unique JTI)."""
    jti = str(uuid.uuid4())
--- a/backend/app/main.py
+++ b/backend/app/main.py
@@ -221,6 +221,18 @@ async def lifespan(app: FastAPI):
        max_instances=1,
    )

+    # L1 walk session cleanup: flip stale active sessions to 'abandoned' (hourly)
+    from app.services.l1_session_cleanup import run_cleanup_job as l1_cleanup_run
+    scheduler.add_job(
+        l1_cleanup_run,
+        trigger="interval",
+        hours=1,
+        id="l1_session_cleanup",
+        replace_existing=True,
+        max_instances=1,
+        args=[async_session_maker],
+    )
+
    # Auto-seed trees in background on PR environments
    seed_task = None
    if settings.SEED_ON_DEPLOY:
--- a/backend/app/models/init.py
+++ b/backend/app/models/init.py
@@ -62,6 +62,12 @@ from .session_fact import SessionFact
 from .session_suggested_fix import SessionSuggestedFix
 from .draft_template import DraftTemplate
 from .account_settings import AccountSettings
+from .oauth_identity import OAuthIdentity  # noqa: F401
+from .plan_billing import PlanBilling  # noqa: F401
+from .sales_lead import SalesLead  # noqa: F401
+from .stripe_event import StripeEvent  # noqa: F401
+from .internal_ticket import InternalTicket  # noqa: F401
+from .l1_walk_session import L1WalkSession  # noqa: F401

 __all__ = [
    "User",
@@ -138,4 +144,10 @@ __all__ = [
    "SessionSuggestedFix",
    "DraftTemplate",
    "AccountSettings",
+    "OAuthIdentity",
+    "PlanBilling",
+    "SalesLead",
+    "StripeEvent",
+    "InternalTicket",
+    "L1WalkSession",
 ]
--- a/backend/app/models/account.py
+++ b/backend/app/models/account.py
@@ -44,10 +44,23 @@ class Account(Base):
        Integer, nullable=True, default=100, server_default="100"
    )

+    # Session policy override (NULL = use Settings.SESSION_*_MINUTES_DEFAULT).
+    # Validated at the app layer because the DB cannot see Settings; a DB
+    # CHECK constraint covers the both-set case only.
+    session_idle_minutes: Mapped[Optional[int]] = mapped_column(Integer, nullable=True)
+    session_absolute_minutes: Mapped[Optional[int]] = mapped_column(Integer, nullable=True)
+
    # Custom branding (Task 9)
    branding_logo_url: Mapped[Optional[str]] = mapped_column(String(500), nullable=True)
    branding_primary_color: Mapped[Optional[str]] = mapped_column(String(7), nullable=True)  # hex like #06b6d4
    branding_company_name: Mapped[Optional[str]] = mapped_column(String(200), nullable=True)
+    team_size_bucket: Mapped[Optional[str]] = mapped_column(String(20), nullable=True)
+    primary_psa: Mapped[Optional[str]] = mapped_column(String(20), nullable=True)
+
+    # L1 workspace seats
+    l1_seats_purchased: Mapped[int] = mapped_column(
+        Integer, nullable=False, server_default="0"
+    )

    # SSO / SAML groundwork (Task 11)
    sso_enabled: Mapped[bool] = mapped_column(Boolean, default=False, server_default="false")
--- a/backend/app/models/account_invite.py
+++ b/backend/app/models/account_invite.py
@@ -27,6 +27,8 @@ class AccountInvite(Base):
    expires_at: Mapped[Optional[datetime]] = mapped_column(DateTime(timezone=True), nullable=True)
    created_at: Mapped[datetime] = mapped_column(DateTime(timezone=True), default=lambda: datetime.now(timezone.utc))
    used_at: Mapped[Optional[datetime]] = mapped_column(DateTime(timezone=True), nullable=True)
+    revoked_at: Mapped[Optional[datetime]] = mapped_column(DateTime(timezone=True), nullable=True)
+    email_sent_at: Mapped[Optional[datetime]] = mapped_column(DateTime(timezone=True), nullable=True)

    # Relationships
    account: Mapped["Account"] = relationship("Account")
@@ -37,6 +39,10 @@ class AccountInvite(Base):
    def is_used(self) -> bool:
        return self.accepted_by_id is not None

+    @property
+    def is_revoked(self) -> bool:
+        return self.revoked_at is not None
+
    @property
    def is_expired(self) -> bool:
        if self.expires_at is None:
@@ -45,4 +51,4 @@ class AccountInvite(Base):

    @property
    def is_valid(self) -> bool:
-        return not self.is_used and not self.is_expired
+        return not self.is_used and not self.is_expired and not self.is_revoked
--- a/backend/app/models/audit_log.py
+++ b/backend/app/models/audit_log.py
@@ -35,6 +35,7 @@ class AuditLog(Base):
    )
    details: Mapped[Optional[dict]] = mapped_column(JSONB, nullable=True)
    ip_address: Mapped[Optional[str]] = mapped_column(String(45), nullable=True)
+    acting_as: Mapped[Optional[str]] = mapped_column(String(30), nullable=True)
    created_at: Mapped[datetime] = mapped_column(
        DateTime(timezone=True),
        default=lambda: datetime.now(timezone.utc)
--- a/backend/app/models/flow_proposal.py
+++ b/backend/app/models/flow_proposal.py
@@ -7,7 +7,7 @@ import uuid
 from datetime import datetime, timezone
 from typing import Optional, Any, TYPE_CHECKING

-from sqlalchemy import String, Text, DateTime, ForeignKey, Integer, Float, CheckConstraint
+from sqlalchemy import String, Text, DateTime, ForeignKey, Integer, Float, Boolean, CheckConstraint, text as sa_text
 from sqlalchemy.orm import Mapped, mapped_column, relationship
 from sqlalchemy.dialects.postgresql import UUID, JSONB

@@ -48,6 +48,14 @@ class FlowProposal(Base):
            "status IN ('pending', 'approved', 'modified', 'rejected', 'dismissed', 'auto_reinforced')",
            name="ck_flow_proposals_status",
        ),
+        CheckConstraint(
+            "source IN ('ai_realtime_l1', 'kb_accelerator', 'manual_draft', 'ai_promoted')",
+            name="ck_flow_proposals_source",
+        ),
+        CheckConstraint(
+            "linked_ticket_kind IS NULL OR linked_ticket_kind IN ('psa', 'internal')",
+            name="ck_flow_proposals_linked_ticket_kind",
+        ),
    )

    id: Mapped[uuid.UUID] = mapped_column(
@@ -135,6 +143,16 @@ class FlowProposal(Base):
        comment="The flow that was created/updated when this proposal was approved",
    )

+    # ── L1 workspace ──
+    source: Mapped[str] = mapped_column(
+        String(30), nullable=False, server_default=sa_text("'manual_draft'"),
+    )
+    linked_ticket_id: Mapped[Optional[str]] = mapped_column(String(64), nullable=True)
+    linked_ticket_kind: Mapped[Optional[str]] = mapped_column(String(10), nullable=True)
+    validated_by_outcome: Mapped[bool] = mapped_column(
+        Boolean(), nullable=False, server_default=sa_text('false'),
+    )
+
    # ── Timestamps ──
    created_at: Mapped[datetime] = mapped_column(
        DateTime(timezone=True), default=lambda: datetime.now(timezone.utc)
--- a/backend/app/models/internal_ticket.py
+++ b/backend/app/models/internal_ticket.py
@@ -0,0 +1,117 @@
+"""Internal ticket model.
+
+Fallback ticket table for L1 intake when the account has no PSA integration.
+Tracks the customer-facing problem, resolution lifecycle, and optional links
+to a flow, flow proposal, AI session, and assigned engineer.
+"""
+import uuid
+from datetime import datetime, timezone
+from typing import Optional, TYPE_CHECKING
+
+from sqlalchemy import String, Text, DateTime, ForeignKey, CheckConstraint
+from sqlalchemy import text as sa_text
+from sqlalchemy.orm import Mapped, mapped_column, relationship
+from sqlalchemy.dialects.postgresql import UUID
+
+from app.core.database import Base
+
+if TYPE_CHECKING:
+    from app.models.account import Account
+    from app.models.user import User
+    from app.models.tree import Tree
+    from app.models.flow_proposal import FlowProposal
+    from app.models.ai_session import AISession
+
+
+class InternalTicket(Base):
+    """A fallback support ticket for accounts without a PSA integration.
+
+    status lifecycle:
+    - open: Submitted, not yet picked up.
+    - walking: L1 technician is actively walking the flow.
+    - resolved: Issue resolved; resolution_notes captured.
+    - escalated: Could not resolve; requires higher-tier intervention.
+    """
+    __tablename__ = "internal_tickets"
+    __table_args__ = (
+        CheckConstraint(
+            "status IN ('open', 'walking', 'resolved', 'escalated')",
+            name="ck_internal_tickets_status",
+        ),
+    )
+
+    id: Mapped[uuid.UUID] = mapped_column(
+        UUID(as_uuid=True), primary_key=True, default=uuid.uuid4
+    )
+    account_id: Mapped[uuid.UUID] = mapped_column(
+        UUID(as_uuid=True),
+        ForeignKey("accounts.id", ondelete="CASCADE"),
+        nullable=False,
+        index=True,
+    )
+    created_by_user_id: Mapped[uuid.UUID] = mapped_column(
+        UUID(as_uuid=True),
+        ForeignKey("users.id", ondelete="RESTRICT"),
+        nullable=False,
+    )
+
+    # ── Customer info ──
+    customer_name: Mapped[Optional[str]] = mapped_column(String(120), nullable=True)
+    customer_contact: Mapped[Optional[str]] = mapped_column(String(200), nullable=True)
+    problem_statement: Mapped[str] = mapped_column(Text(), nullable=False)
+
+    # ── Lifecycle ──
+    status: Mapped[str] = mapped_column(
+        String(30), nullable=False, server_default=sa_text("'open'"), index=True,
+    )
+
+    # ── Optional links ──
+    flow_id: Mapped[Optional[uuid.UUID]] = mapped_column(
+        UUID(as_uuid=True),
+        ForeignKey("trees.id", ondelete="SET NULL"),
+        nullable=True,
+    )
+    flow_proposal_id: Mapped[Optional[uuid.UUID]] = mapped_column(
+        UUID(as_uuid=True),
+        ForeignKey("flow_proposals.id", ondelete="SET NULL"),
+        nullable=True,
+    )
+    ai_session_id: Mapped[Optional[uuid.UUID]] = mapped_column(
+        UUID(as_uuid=True),
+        ForeignKey("ai_sessions.id", ondelete="SET NULL"),
+        nullable=True,
+    )
+    assigned_user_id: Mapped[Optional[uuid.UUID]] = mapped_column(
+        UUID(as_uuid=True),
+        ForeignKey("users.id", ondelete="SET NULL"),
+        nullable=True,
+        index=True,
+    )
+
+    # ── Resolution ──
+    resolution_notes: Mapped[Optional[str]] = mapped_column(Text(), nullable=True)
+    psa_promoted_ticket_id: Mapped[Optional[str]] = mapped_column(
+        String(64), nullable=True,
+        comment="External PSA ticket ID when this ticket is promoted to a PSA system",
+    )
+
+    # ── Timestamps ──
+    created_at: Mapped[datetime] = mapped_column(
+        DateTime(timezone=True), default=lambda: datetime.now(timezone.utc)
+    )
+    updated_at: Mapped[datetime] = mapped_column(
+        DateTime(timezone=True),
+        default=lambda: datetime.now(timezone.utc),
+        onupdate=lambda: datetime.now(timezone.utc),
+    )
+    resolved_at: Mapped[Optional[datetime]] = mapped_column(
+        DateTime(timezone=True), nullable=True,
+    )
+
+    # ── Relationships ──
+    account: Mapped["Account"] = relationship("Account")
+    created_by: Mapped["User"] = relationship("User", foreign_keys=[created_by_user_id])
+    assigned_user: Mapped[Optional["User"]] = relationship("User", foreign_keys=[assigned_user_id])
+    flow: Mapped[Optional["Tree"]] = relationship("Tree")
+    flow_proposal: Mapped[Optional["FlowProposal"]] = relationship("FlowProposal")
+    ai_session: Mapped[Optional["AISession"]] = relationship("AISession")
--- a/backend/app/models/l1_walk_session.py
+++ b/backend/app/models/l1_walk_session.py
@@ -0,0 +1,141 @@
+"""L1 walk session model.
+
+Per-session state for an L1 technician walking a ticket through a flow,
+flow proposal, or ad-hoc investigation. Tracks the walked path, notes
+captured at each step, and terminal resolution / escalation metadata.
+"""
+import uuid
+from datetime import datetime, timezone
+from typing import Any, Optional, TYPE_CHECKING
+
+import sqlalchemy as sa
+from sqlalchemy import String, Text, DateTime, Boolean, ForeignKey, CheckConstraint
+from sqlalchemy import text as sa_text
+from sqlalchemy.orm import Mapped, mapped_column, relationship
+from sqlalchemy.dialects.postgresql import UUID, JSONB
+
+from app.core.database import Base
+
+if TYPE_CHECKING:
+    from app.models.account import Account
+    from app.models.user import User
+    from app.models.tree import Tree
+    from app.models.flow_proposal import FlowProposal
+
+
+class L1WalkSession(Base):
+    """A single L1 technician session walking a ticket.
+
+    session_kind values:
+    - flow: Walking a published flow (flow_id required, flow_proposal_id null).
+    - proposal: Walking a draft flow proposal (flow_proposal_id required, flow_id null).
+    - adhoc: Free-form investigation (both flow_id and flow_proposal_id null).
+
+    status lifecycle:
+    - active: Session is in progress.
+    - resolved: Issue resolved; resolution_notes captured.
+    - escalated: Could not resolve; escalation_reason captured.
+    - abandoned: Session exited without resolution or explicit escalation.
+    """
+
+    __tablename__ = "l1_walk_sessions"
+    __table_args__ = (
+        CheckConstraint(
+            "ticket_kind IN ('psa', 'internal')",
+            name="ck_l1_walk_sessions_ticket_kind",
+        ),
+        CheckConstraint(
+            "session_kind IN ('flow', 'proposal', 'adhoc')",
+            name="ck_l1_walk_sessions_session_kind",
+        ),
+        CheckConstraint(
+            "status IN ('active', 'resolved', 'escalated', 'abandoned')",
+            name="ck_l1_walk_sessions_status",
+        ),
+        CheckConstraint(
+            "(session_kind = 'flow' AND flow_id IS NOT NULL AND flow_proposal_id IS NULL) "
+            "OR (session_kind = 'proposal' AND flow_proposal_id IS NOT NULL AND flow_id IS NULL) "
+            "OR (session_kind = 'adhoc' AND flow_id IS NULL AND flow_proposal_id IS NULL)",
+            name="ck_l1_walk_sessions_target_consistency",
+        ),
+    )
+
+    id: Mapped[uuid.UUID] = mapped_column(
+        UUID(as_uuid=True), primary_key=True, default=uuid.uuid4
+    )
+    account_id: Mapped[uuid.UUID] = mapped_column(
+        UUID(as_uuid=True),
+        ForeignKey("accounts.id", ondelete="CASCADE"),
+        nullable=False,
+        index=True,
+    )
+    created_by_user_id: Mapped[uuid.UUID] = mapped_column(
+        UUID(as_uuid=True),
+        ForeignKey("users.id", ondelete="RESTRICT"),
+        nullable=False,
+        index=True,
+    )
+
+    # ── Actor context ──
+    acting_as: Mapped[Optional[str]] = mapped_column(String(30), nullable=True)
+
+    # ── Ticket reference ──
+    ticket_id: Mapped[str] = mapped_column(String(64), nullable=False)
+    ticket_kind: Mapped[str] = mapped_column(String(10), nullable=False)
+
+    # ── Session kind + target ──
+    session_kind: Mapped[str] = mapped_column(String(20), nullable=False)
+    flow_id: Mapped[Optional[uuid.UUID]] = mapped_column(
+        UUID(as_uuid=True),
+        ForeignKey("trees.id", ondelete="SET NULL"),
+        nullable=True,
+    )
+    flow_proposal_id: Mapped[Optional[uuid.UUID]] = mapped_column(
+        UUID(as_uuid=True),
+        ForeignKey("flow_proposals.id", ondelete="SET NULL"),
+        nullable=True,
+    )
+
+    # ── Navigation state ──
+    current_node_id: Mapped[Optional[str]] = mapped_column(String(100), nullable=True)
+    walked_path: Mapped[list[dict[str, Any]]] = mapped_column(
+        JSONB(), nullable=False, server_default=sa_text("'[]'::jsonb"),
+    )
+    walk_notes: Mapped[list[dict[str, Any]]] = mapped_column(
+        JSONB(), nullable=False, server_default=sa_text("'[]'::jsonb"),
+    )
+
+    # ── Lifecycle ──
+    status: Mapped[str] = mapped_column(
+        String(20), nullable=False, server_default=sa_text("'active'"), index=True,
+    )
+
+    # ── Resolution ──
+    resolution_notes: Mapped[Optional[str]] = mapped_column(Text(), nullable=True)
+    helpful: Mapped[Optional[bool]] = mapped_column(Boolean(), nullable=True)
+
+    # ── Escalation ──
+    escalation_reason: Mapped[Optional[str]] = mapped_column(Text(), nullable=True)
+    escalation_reason_category: Mapped[Optional[str]] = mapped_column(
+        String(30), nullable=True,
+    )
+
+    # ── Timestamps ──
+    started_at: Mapped[datetime] = mapped_column(
+        DateTime(timezone=True), default=lambda: datetime.now(timezone.utc)
+    )
+    last_step_at: Mapped[datetime] = mapped_column(
+        DateTime(timezone=True),
+        default=lambda: datetime.now(timezone.utc),
+        onupdate=lambda: datetime.now(timezone.utc),
+        index=True,
+    )
+    resolved_at: Mapped[Optional[datetime]] = mapped_column(
+        DateTime(timezone=True), nullable=True,
+    )
+
+    # ── Relationships ──
+    account: Mapped["Account"] = relationship("Account")
+    created_by: Mapped["User"] = relationship("User", foreign_keys=[created_by_user_id])
+    flow: Mapped[Optional["Tree"]] = relationship("Tree")
+    flow_proposal: Mapped[Optional["FlowProposal"]] = relationship("FlowProposal")
--- a/backend/app/models/oauth_identity.py
+++ b/backend/app/models/oauth_identity.py
@@ -0,0 +1,36 @@
+import uuid
+from datetime import datetime, timezone
+from typing import TYPE_CHECKING
+from sqlalchemy import String, DateTime, ForeignKey, UniqueConstraint, Index
+from sqlalchemy.orm import Mapped, mapped_column, relationship
+from sqlalchemy.dialects.postgresql import UUID
+from app.core.database import Base
+
+if TYPE_CHECKING:
+    from app.models.user import User
+
+
+class OAuthIdentity(Base):
+    __tablename__ = "oauth_identities"
+    __table_args__ = (
+        UniqueConstraint("provider", "provider_subject", name="uq_oauth_identities_provider_subject"),
+        Index("ix_oauth_identities_user_id", "user_id"),
+    )
+
+    id: Mapped[uuid.UUID] = mapped_column(UUID(as_uuid=True), primary_key=True, default=uuid.uuid4)
+    user_id: Mapped[uuid.UUID] = mapped_column(
+        UUID(as_uuid=True), ForeignKey("users.id", ondelete="CASCADE"), nullable=False
+    )
+    provider: Mapped[str] = mapped_column(String(20), nullable=False)
+    provider_subject: Mapped[str] = mapped_column(String(255), nullable=False)
+    provider_email_at_link: Mapped[str] = mapped_column(String(255), nullable=False)
+    created_at: Mapped[datetime] = mapped_column(
+        DateTime(timezone=True), default=lambda: datetime.now(timezone.utc)
+    )
+    updated_at: Mapped[datetime] = mapped_column(
+        DateTime(timezone=True),
+        default=lambda: datetime.now(timezone.utc),
+        onupdate=lambda: datetime.now(timezone.utc),
+    )
+
+    user: Mapped["User"] = relationship("User", backref="oauth_identities")
--- a/backend/app/models/plan_billing.py
+++ b/backend/app/models/plan_billing.py
@@ -0,0 +1,31 @@
+from datetime import datetime, timezone
+from typing import Optional
+from sqlalchemy import String, Integer, Boolean, DateTime, ForeignKey, Text
+from sqlalchemy.orm import Mapped, mapped_column
+from app.core.database import Base
+
+
+class PlanBilling(Base):
+    __tablename__ = "plan_billing"
+
+    plan: Mapped[str] = mapped_column(
+        String(50), ForeignKey("plan_limits.plan"), primary_key=True
+    )
+    display_name: Mapped[str] = mapped_column(String(255), nullable=False)
+    description: Mapped[Optional[str]] = mapped_column(Text, nullable=True)
+    monthly_price_cents: Mapped[Optional[int]] = mapped_column(Integer, nullable=True)
+    annual_price_cents: Mapped[Optional[int]] = mapped_column(Integer, nullable=True)
+    stripe_product_id: Mapped[Optional[str]] = mapped_column(String(255), nullable=True)
+    stripe_monthly_price_id: Mapped[Optional[str]] = mapped_column(String(255), nullable=True)
+    stripe_annual_price_id: Mapped[Optional[str]] = mapped_column(String(255), nullable=True)
+    is_public: Mapped[bool] = mapped_column(Boolean, nullable=False, default=True)
+    is_archived: Mapped[bool] = mapped_column(Boolean, nullable=False, default=False)
+    sort_order: Mapped[int] = mapped_column(Integer, nullable=False, default=0)
+    created_at: Mapped[datetime] = mapped_column(
+        DateTime(timezone=True), default=lambda: datetime.now(timezone.utc)
+    )
+    updated_at: Mapped[datetime] = mapped_column(
+        DateTime(timezone=True),
+        default=lambda: datetime.now(timezone.utc),
+        onupdate=lambda: datetime.now(timezone.utc),
+    )
--- a/backend/app/models/sales_lead.py
+++ b/backend/app/models/sales_lead.py
@@ -0,0 +1,28 @@
+import uuid
+from datetime import datetime, timezone
+from typing import Optional
+from sqlalchemy import String, DateTime, Text, Index
+from sqlalchemy.orm import Mapped, mapped_column
+from sqlalchemy.dialects.postgresql import UUID
+from app.core.database import Base
+
+
+class SalesLead(Base):
+    __tablename__ = "sales_leads"
+    __table_args__ = (Index("ix_sales_leads_email", "email"),)
+
+    id: Mapped[uuid.UUID] = mapped_column(UUID(as_uuid=True), primary_key=True, default=uuid.uuid4)
+    email: Mapped[str] = mapped_column(String(255), nullable=False)
+    name: Mapped[str] = mapped_column(String(255), nullable=False)
+    company: Mapped[str] = mapped_column(String(255), nullable=False)
+    team_size: Mapped[Optional[str]] = mapped_column(String(20), nullable=True)
+    message: Mapped[Optional[str]] = mapped_column(Text, nullable=True)
+    source: Mapped[str] = mapped_column(String(50), nullable=False)
+    posthog_distinct_id: Mapped[Optional[str]] = mapped_column(String(255), nullable=True)
+    status: Mapped[str] = mapped_column(String(20), nullable=False, default="new")
+    created_at: Mapped[datetime] = mapped_column(DateTime(timezone=True), default=lambda: datetime.now(timezone.utc))
+    updated_at: Mapped[datetime] = mapped_column(
+        DateTime(timezone=True),
+        default=lambda: datetime.now(timezone.utc),
+        onupdate=lambda: datetime.now(timezone.utc),
+    )
--- a/backend/app/models/stripe_event.py
+++ b/backend/app/models/stripe_event.py
@@ -0,0 +1,17 @@
+from datetime import datetime, timezone
+from sqlalchemy import String, DateTime, Index
+from sqlalchemy.orm import Mapped, mapped_column
+from sqlalchemy.dialects.postgresql import JSONB
+from app.core.database import Base
+
+
+class StripeEvent(Base):
+    __tablename__ = "stripe_events"
+    __table_args__ = (Index("ix_stripe_events_event_type", "event_type"),)
+
+    id: Mapped[str] = mapped_column(String(255), primary_key=True)  # Stripe event id
+    event_type: Mapped[str] = mapped_column(String(100), nullable=False)
+    processed_at: Mapped[datetime] = mapped_column(
+        DateTime(timezone=True), default=lambda: datetime.now(timezone.utc)
+    )
+    payload_excerpt: Mapped[dict] = mapped_column(JSONB, nullable=False, default=dict)
--- a/backend/app/models/subscription.py
+++ b/backend/app/models/subscription.py
@@ -21,6 +21,7 @@ class Subscription(Base):
    billing_interval: Mapped[Optional[str]] = mapped_column(String(20), nullable=True)
    status: Mapped[str] = mapped_column(String(50), nullable=False, default="active")
    seat_limit: Mapped[Optional[int]] = mapped_column(Integer, nullable=True)
+    l1_seat_limit: Mapped[Optional[int]] = mapped_column(Integer, nullable=True)
    current_period_start: Mapped[Optional[datetime]] = mapped_column(DateTime(timezone=True), nullable=True)
    current_period_end: Mapped[Optional[datetime]] = mapped_column(DateTime(timezone=True), nullable=True)
    cancel_at_period_end: Mapped[bool] = mapped_column(Boolean, nullable=False, default=False)
@@ -32,8 +33,20 @@ class Subscription(Base):

    @property
    def is_active(self) -> bool:
-        return self.status in ("active", "trialing")
+        return self.status in ("active", "trialing", "complimentary")

    @property
    def is_paid(self) -> bool:
-        return self.plan in ("pro", "team")
+        # Excludes complimentary and trialing so MRR/paid-customer metrics aren't inflated.
+        return self.plan in ("pro", "starter", "enterprise") and self.status not in ("complimentary", "trialing")
+
+    @property
+    def has_pro_entitlement(self) -> bool:
+        """True if the account can access Pro features right now."""
+        if self.plan in ("pro", "starter", "enterprise"):
+            if self.status in ("active", "complimentary"):
+                return True
+        if self.status == "trialing" and self.current_period_end is not None:
+            from datetime import datetime, timezone
+            return self.current_period_end > datetime.now(timezone.utc)
+        return False
--- a/backend/app/models/user.py
+++ b/backend/app/models/user.py
@@ -1,7 +1,7 @@
 import uuid
 from datetime import datetime, timezone
 from typing import Optional, TYPE_CHECKING
-from sqlalchemy import String, DateTime, ForeignKey, Boolean, CheckConstraint, Text
+from sqlalchemy import String, DateTime, ForeignKey, Boolean, CheckConstraint, Text, Integer, text
 from sqlalchemy.orm import Mapped, mapped_column, relationship
 from sqlalchemy.dialects.postgresql import UUID
 from app.core.database import Base
@@ -22,7 +22,7 @@ class User(Base):
            name='ck_users_role_enum'
        ),
        CheckConstraint(
-            "account_role IN ('owner', 'admin', 'engineer', 'viewer')",
+            "account_role IN ('owner', 'admin', 'engineer', 'l1_tech', 'viewer')",
            name='ck_users_account_role_enum'
        ),
    )
@@ -33,7 +33,7 @@ class User(Base):
        default=uuid.uuid4
    )
    email: Mapped[str] = mapped_column(String(255), unique=True, nullable=False, index=True)
-    password_hash: Mapped[str] = mapped_column(String(255), nullable=False)
+    password_hash: Mapped[Optional[str]] = mapped_column(String(255), nullable=True)
    name: Mapped[str] = mapped_column(String(255), nullable=False)
    role: Mapped[str] = mapped_column(String(50), nullable=False, default="engineer")
    is_super_admin: Mapped[bool] = mapped_column(Boolean, nullable=False, default=False)
@@ -50,6 +50,9 @@ class User(Base):
        index=True
    )
    account_role: Mapped[str] = mapped_column(String(50), nullable=False, default="engineer")
+    can_cover_l1: Mapped[bool] = mapped_column(
+        Boolean(), nullable=False, server_default=text('false')
+    )

    # Legacy team columns (kept for PR A coexistence)
    team_id: Mapped[Optional[uuid.UUID]] = mapped_column(
@@ -76,6 +79,8 @@ class User(Base):

    # Onboarding
    onboarding_dismissed: Mapped[bool] = mapped_column(Boolean, default=False, nullable=False, server_default="false")
+    role_at_signup: Mapped[Optional[str]] = mapped_column(String(50), nullable=True)
+    onboarding_step_completed: Mapped[Optional[int]] = mapped_column(Integer, nullable=True)

    # Branding (solo pros without a team)
    logo_data: Mapped[Optional[str]] = mapped_column(Text, nullable=True)
--- a/backend/app/schemas/account.py
+++ b/backend/app/schemas/account.py
@@ -27,7 +27,7 @@ class TransferOwnershipRequest(BaseModel):

 class AccountInviteCreate(BaseModel):
    email: str = Field(..., max_length=255)
-    role: str = Field("engineer", pattern="^(engineer|viewer)$")
+    role: str = Field("engineer", pattern="^(engineer|viewer|l1_tech)$")
    expires_in_days: Optional[int] = Field(None, ge=1, le=30)


@@ -42,3 +42,12 @@ class AccountInviteResponse(BaseModel):
    used_at: Optional[datetime] = None

    model_config = {"from_attributes": True}
+
+
+class AccountInviteBulkCreate(BaseModel):
+    invites: list[AccountInviteCreate]
+
+
+class AccountInviteBulkResponse(BaseModel):
+    created: list[AccountInviteResponse]
+    failed: list[dict]  # entries shaped {"email": str, "error": str}
--- a/backend/app/schemas/account_security.py
+++ b/backend/app/schemas/account_security.py
@@ -0,0 +1,77 @@
+"""Schemas for /accounts/me/security — session-policy management.
+
+See docs/plans/2026-05-13-session-expiration-policy.md §4.7 and §4.11.
+"""
+from datetime import datetime
+from typing import Literal, Optional
+from uuid import UUID
+
+from pydantic import BaseModel, Field
+
+
+class ActiveUser(BaseModel):
+    """One row in the active-users list on GET /accounts/me/security.
+
+    Rendered as 'name (email) · logged in 2d ago' on the Account Security
+    page. `last_login_at` reflects the last successful sign-in, not the last
+    refresh-token use — that requires the deferred refresh_tokens.last_used_at
+    follow-up (see plan §9).
+    """
+
+    user_id: UUID
+    name: str
+    email: str
+    last_login_at: Optional[datetime] = None
+
+
+class SessionPolicyResponse(BaseModel):
+    """GET /accounts/me/security — the policy in effect for this account.
+
+    Surfaces both the override (which may be NULL) and the effective value
+    (after defaults applied) so the frontend can show the current state
+    without re-implementing the defaults logic.
+    """
+
+    # Per-account override values, NULL = "use system default."
+    idle_minutes: Optional[int] = Field(
+        default=None,
+        description="Account override; NULL means use the system default.",
+    )
+    absolute_minutes: Optional[int] = Field(default=None)
+
+    # Effective values after defaults applied (always non-NULL).
+    effective_idle_minutes: int
+    effective_absolute_minutes: int
+
+    # System-imposed bounds for the Custom-preset form inputs.
+    idle_minutes_min: int
+    idle_minutes_max: int
+    absolute_minutes_min: int
+    absolute_minutes_max: int
+
+    # Active sessions in this account — users with at least one un-revoked
+    # refresh token. Drives the Active Sessions section in the UI.
+    active_users: list[ActiveUser] = Field(default_factory=list)
+
+
+class SessionPolicyUpdateRequest(BaseModel):
+    """PATCH /accounts/me/security — set or clear the per-account override.
+
+    Pass `null` for either field to clear the override and fall back to the
+    system default. Both bounds checks and the idle <= absolute invariant
+    are validated against the *effective* values at the endpoint, since the
+    DB CHECK constraint only covers the both-set case.
+    """
+
+    idle_minutes: Optional[int] = None
+    absolute_minutes: Optional[int] = None
+
+
+class RevokeSessionsRequest(BaseModel):
+    """POST /accounts/me/security/revoke-sessions — bulk-revoke refresh tokens."""
+
+    scope: Literal["all", "others"] = "all"
+
+
+class RevokeSessionsResponse(BaseModel):
+    revoked_count: int
--- a/backend/app/schemas/admin.py
+++ b/backend/app/schemas/admin.py
@@ -125,7 +125,7 @@ class AdminAccountDetailResponse(AdminAccountListItem):

 class AdminAccountCreate(BaseModel):
    name: str = Field(..., min_length=1, max_length=255)
-    plan: Literal["free", "pro", "team"] = "free"
+    plan: Literal["free", "pro", "starter", "enterprise"] = "free"
    owner_email: Optional[EmailStr] = Field(None, description="Email of an existing user to set as owner")


@@ -172,6 +172,21 @@ class PlanLimitResponse(BaseModel):
        from_attributes = True


+class PlanLimitWithBillingResponse(PlanLimitResponse):
+    """PlanLimits + plan_billing fields merged. Billing fields are None when no
+    plan_billing row exists for the plan yet."""
+    display_name: Optional[str] = None
+    description: Optional[str] = None
+    monthly_price_cents: Optional[int] = None
+    annual_price_cents: Optional[int] = None
+    stripe_product_id: Optional[str] = None
+    stripe_monthly_price_id: Optional[str] = None
+    stripe_annual_price_id: Optional[str] = None
+    is_public: Optional[bool] = None
+    is_archived: Optional[bool] = None
+    sort_order: Optional[int] = None
+
+
 class PlanLimitUpdate(BaseModel):
    plan: str
    max_trees: Optional[int] = None
@@ -180,6 +195,19 @@ class PlanLimitUpdate(BaseModel):
    custom_branding: bool = False
    priority_support: bool = False
    export_formats: list = Field(default_factory=lambda: ["markdown", "text"])
+    # plan_billing fields — all optional, partial-update semantics. If any are
+    # set in the body, the admin endpoint upserts the plan_billing row in the
+    # same transaction.
+    display_name: Optional[str] = None
+    description: Optional[str] = None
+    monthly_price_cents: Optional[int] = None
+    annual_price_cents: Optional[int] = None
+    stripe_product_id: Optional[str] = None
+    stripe_monthly_price_id: Optional[str] = None
+    stripe_annual_price_id: Optional[str] = None
+    is_public: Optional[bool] = None
+    is_archived: Optional[bool] = None
+    sort_order: Optional[int] = None


 class AccountOverrideCreate(BaseModel):
--- a/backend/app/schemas/billing.py
+++ b/backend/app/schemas/billing.py
@@ -0,0 +1,64 @@
+from typing import Literal, Optional, Dict, Any
+from datetime import datetime
+from pydantic import BaseModel
+
+
+class CheckoutSessionCreate(BaseModel):
+    plan: Literal["pro", "starter", "enterprise"]
+    seats: int
+    billing_interval: Literal["monthly", "annual"] = "monthly"
+
+
+class CheckoutSessionResponse(BaseModel):
+    url: str
+
+
+class BillingPortalSessionResponse(BaseModel):
+    url: str
+
+
+class SubscriptionState(BaseModel):
+    status: str
+    plan: str
+    current_period_start: Optional[datetime]
+    current_period_end: Optional[datetime]
+    cancel_at_period_end: bool
+    seat_limit: Optional[int]
+    has_pro_entitlement: bool
+    is_paid: bool
+
+
+class PlanBillingState(BaseModel):
+    display_name: str
+    description: Optional[str] = None
+    monthly_price_cents: Optional[int] = None
+    annual_price_cents: Optional[int] = None
+
+    model_config = {"from_attributes": True}
+
+
+class BillingStateResponse(BaseModel):
+    subscription: SubscriptionState
+    plan_billing: Optional[PlanBillingState]
+    plan_limits: Dict[str, Any]
+    enabled_features: Dict[str, bool]
+
+
+class PublicPlanResponse(BaseModel):
+    """Public-safe view of a billable plan, used by the marketing /pricing page.
+
+    Sourced from `plan_billing` joined with `plan_limits.max_users` (exposed
+    here as `max_seats`). Always filtered server-side to is_public=True and
+    is_archived=False, so `is_public` is a constant True for any row returned
+    here — included for clarity and forward compatibility.
+    """
+    plan: str
+    display_name: str
+    description: Optional[str] = None
+    monthly_price_cents: Optional[int] = None
+    annual_price_cents: Optional[int] = None
+    max_seats: Optional[int] = None
+    sort_order: int
+    is_public: bool = True
+
+    model_config = {"from_attributes": True}
--- a/backend/app/schemas/config.py
+++ b/backend/app/schemas/config.py
@@ -0,0 +1,18 @@
+"""Pydantic schemas for public runtime configuration."""
+
+from __future__ import annotations
+
+from typing import List
+
+from pydantic import BaseModel
+
+
+class PublicConfigResponse(BaseModel):
+    """Runtime feature flags + OAuth provider list exposed to anonymous clients.
+
+    Read once by the frontend at app load to decide whether to render the
+    self-serve signup flow and which OAuth buttons to show.
+    """
+
+    self_serve_enabled: bool
+    oauth_providers: List[str]
--- a/backend/app/schemas/invite_code.py
+++ b/backend/app/schemas/invite_code.py
@@ -9,7 +9,7 @@ class InviteCodeCreate(BaseModel):
    expires_at: Optional[datetime] = Field(None, description="Optional expiration time")
    note: Optional[str] = Field(None, max_length=255, description="Note about who this code is for")
    email: Optional[EmailStr] = Field(None, description="Recipient email for invite delivery")
-    assigned_plan: Literal["free", "pro", "team"] = Field("free", description="Plan to assign on registration")
+    assigned_plan: Literal["free", "pro", "starter", "enterprise"] = Field("free", description="Plan to assign on registration")
    trial_duration_days: Optional[int] = Field(None, ge=1, le=90, description="Trial duration in days (1-90)")

    @model_validator(mode="after")
--- a/backend/app/schemas/l1.py
+++ b/backend/app/schemas/l1.py
@@ -0,0 +1,72 @@
+"""Pydantic schemas for the /l1/* endpoint surface."""
+from datetime import datetime
+from typing import Any, Literal, Optional
+from uuid import UUID
+
+from pydantic import BaseModel, Field
+
+
+class IntakeRequest(BaseModel):
+    problem_statement: str = Field(..., min_length=1)
+    customer_name: Optional[str] = None
+    customer_contact: Optional[str] = None
+    flow_id: Optional[UUID] = None
+
+
+class IntakeResponse(BaseModel):
+    session_id: UUID
+    session_kind: Literal["flow", "proposal", "adhoc"]
+    ticket_id: str
+    ticket_kind: Literal["psa", "internal"]
+
+
+class StepRequest(BaseModel):
+    node_id: str
+    question: str
+    answer: str
+    note: Optional[str] = None
+
+
+class NotesRequest(BaseModel):
+    notes: list[dict[str, Any]]
+
+
+class ResolveRequest(BaseModel):
+    helpful: bool
+    resolution_notes: str
+
+
+class EscalateRequest(BaseModel):
+    reason: Optional[str] = None
+    reason_category: str = Field(..., min_length=1)
+
+
+class EscalateWithoutWalkRequest(BaseModel):
+    problem_statement: str = Field(..., min_length=1)
+    customer_name: Optional[str] = None
+    customer_contact: Optional[str] = None
+    reason_category: str = Field(..., min_length=1)
+    reason: Optional[str] = None
+
+
+class WalkSessionResponse(BaseModel):
+    id: UUID
+    session_kind: str
+    flow_id: Optional[UUID]
+    flow_proposal_id: Optional[UUID]
+    current_node_id: Optional[str]
+    walked_path: list[dict[str, Any]]
+    walk_notes: list[dict[str, Any]]
+    status: str
+    started_at: datetime
+    last_step_at: datetime
+    resolved_at: Optional[datetime]
+
+
+class QueueRow(BaseModel):
+    ticket_id: str
+    ticket_kind: Literal["psa", "internal"]
+    problem_statement: Optional[str] = None
+    customer_name: Optional[str] = None
+    status: str
+    created_at: Optional[datetime] = None
--- a/backend/app/schemas/oauth.py
+++ b/backend/app/schemas/oauth.py
@@ -0,0 +1,39 @@
+from datetime import datetime
+
+from pydantic import BaseModel
+
+
+class OAuthCallbackPayload(BaseModel):
+    code: str
+    state: str | None = None
+    # When the OAuth flow originated from /accept-invite, the frontend round-trips
+    # the invite code + invited email so the backend can link the new user to the
+    # invited account instead of creating a personal one.
+    account_invite_code: str | None = None
+    invited_email: str | None = None
+
+
+class OAuthCallbackResponse(BaseModel):
+    access_token: str
+    refresh_token: str
+    token_type: str = "bearer"
+    is_new_user: bool
+    # Session-policy expiry windows — mirrors Token in token.py so the
+    # frontend can drive expiry-soon toasts identically for password and
+    # OAuth logins.
+    idle_expires_at: datetime | None = None
+    absolute_expires_at: datetime | None = None
+
+
+class InviteLookupResponse(BaseModel):
+    """Public response surface for GET /accounts/invites/{code}/lookup.
+
+    Returns the minimum context needed for the AcceptInvitePage:
+    account name (so we can title the card), inviter name (for the resend
+    fallback message), invited email (locked into the form), and role.
+    """
+
+    account_name: str
+    inviter_name: str
+    invited_email: str
+    role: str
--- a/backend/app/schemas/onboarding.py
+++ b/backend/app/schemas/onboarding.py
@@ -1,12 +1,55 @@
-from pydantic import BaseModel
+from typing import Literal, Optional
+
+from pydantic import BaseModel, Field


 class OnboardingStatus(BaseModel):
    created_flow: bool
    ran_session: bool
    exported_session: bool
+    # Kept for backward-compat during deploy; new code paths should not branch on this.
    tried_ai_assistant: bool
    invited_teammate: bool
    connected_psa: bool
    is_team_user: bool
    dismissed: bool
+    # New (Phase 2 — Task 41) — drive the unified next-step card + checklist.
+    email_verified: bool
+    shop_setup_done: bool
+
+
+# --- Welcome wizard (Phase 2) ----------------------------------------------
+
+
+TeamSizeBucket = Literal["1-2", "3-5", "6-10", "11-25", "26+"]
+RoleAtSignup = Literal["owner", "lead_tech", "tech", "other"]
+PrimaryPsa = Literal["connectwise", "autotask", "halopsa", "none"]
+WizardStep = Literal[1, 2, 3]
+WizardAction = Literal["complete", "skip"]
+
+
+class OnboardingStepData(BaseModel):
+    """Optional payload carried with `action="complete"` for steps 1 and 2.
+
+    Step 1 fields: company_name, team_size_bucket, role_at_signup
+    Step 2 fields: primary_psa
+    Step 3 has no data (invitations posted separately).
+    """
+
+    # Step 1
+    company_name: Optional[str] = Field(default=None, max_length=255)
+    team_size_bucket: Optional[TeamSizeBucket] = None
+    role_at_signup: Optional[RoleAtSignup] = None
+    # Step 2
+    primary_psa: Optional[PrimaryPsa] = None
+
+
+class OnboardingStepRequest(BaseModel):
+    step: WizardStep
+    action: WizardAction
+    data: Optional[OnboardingStepData] = None
+
+
+class OnboardingStepResponse(BaseModel):
+    onboarding_step_completed: Optional[int]
+    onboarding_dismissed: bool
--- a/backend/app/schemas/sales_lead.py
+++ b/backend/app/schemas/sales_lead.py
@@ -0,0 +1,27 @@
+"""Pydantic schemas for Talk-to-Sales submissions."""
+
+from typing import Literal, Optional
+from uuid import UUID
+
+from pydantic import BaseModel, ConfigDict, EmailStr, Field
+
+SalesLeadSource = Literal["pricing_page", "register_footer", "landing_page"]
+
+
+class SalesLeadCreate(BaseModel):
+    """Public Talk-to-Sales form submission."""
+
+    model_config = ConfigDict(str_strip_whitespace=True)
+
+    email: EmailStr
+    name: str = Field(..., min_length=1, max_length=255)
+    company: str = Field(..., min_length=1, max_length=255)
+    team_size: Optional[str] = Field(default=None, max_length=20)
+    message: Optional[str] = Field(default=None, max_length=5000)
+    source: SalesLeadSource
+    posthog_distinct_id: Optional[str] = Field(default=None, max_length=255)
+
+
+class SalesLeadCreateResponse(BaseModel):
+    id: UUID
+    status: Literal["received"] = "received"
--- a/backend/app/schemas/seat_enforcement.py
+++ b/backend/app/schemas/seat_enforcement.py
@@ -0,0 +1,18 @@
+from typing import Literal, Optional
+
+from pydantic import BaseModel
+
+
+Role = Literal['engineer', 'l1_tech']
+
+
+class SeatCheckResult(BaseModel):
+    available: bool
+    current: int
+    limit: Optional[int]   # None = unlimited
+    role: Role
+
+
+class SeatUsage(BaseModel):
+    engineer: SeatCheckResult
+    l1_tech: SeatCheckResult
--- a/backend/app/schemas/subscription.py
+++ b/backend/app/schemas/subscription.py
@@ -41,7 +41,7 @@ class SubscriptionDetails(BaseModel):


 class SubscriptionPlanUpdate(BaseModel):
-    plan: str  # free, pro, team
+    plan: str  # free, pro, starter, enterprise

    model_config = {"json_schema_extra": {"examples": [{"plan": "pro"}]}}

--- a/backend/app/schemas/token.py
+++ b/backend/app/schemas/token.py
@@ -1,3 +1,4 @@
+from datetime import datetime
 from typing import Optional
 from pydantic import BaseModel

@@ -7,6 +8,12 @@ class Token(BaseModel):
    refresh_token: str
    token_type: str = "bearer"
    must_change_password: bool = False
+    # Session-policy expiry windows derived from the refresh JWT. Frontend
+    # uses these to drive the "your session ends soon" toast and to know
+    # when /auth/refresh will reject for absolute expiry. See
+    # docs/plans/2026-05-13-session-expiration-policy.md §4.2.
+    idle_expires_at: Optional[datetime] = None
+    absolute_expires_at: Optional[datetime] = None


 class TokenPayload(BaseModel):
--- a/backend/app/schemas/user.py
+++ b/backend/app/schemas/user.py
@@ -58,6 +58,9 @@ class UserResponse(UserBase):
    timezone: str = "UTC"
    avatar_url: Optional[str] = None
    email_verified_at: Optional[datetime] = None
+    onboarding_step_completed: Optional[int] = None
+    onboarding_dismissed: bool = False
+    can_cover_l1: bool = False

    class Config:
        from_attributes = True
@@ -70,4 +73,8 @@ class RoleUpdate(BaseModel):
 class AccountRoleUpdate(BaseModel):
    # Ownership changes must go through the explicit transfer-ownership flow so
    # account.owner_id stays consistent with user.account_role.
-    account_role: str = Field(..., pattern="^(admin|engineer|viewer)$")
+    account_role: str = Field(..., pattern="^(admin|engineer|viewer|l1_tech)$")
+
+
+class CoverageUpdate(BaseModel):
+    can_cover_l1: bool
--- a/backend/app/services/billing.py
+++ b/backend/app/services/billing.py
@@ -0,0 +1,356 @@
+"""Single billing service module. Stripe is the only impl — no provider
+abstraction. Account row is canonical local state; Stripe is canonical
+remote state; the webhook handler bridges the two."""
+import logging
+from datetime import datetime, timezone, timedelta
+
+import stripe
+from sqlalchemy import select
+from sqlalchemy.exc import IntegrityError
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from app.core.config import settings
+from app.models.account import Account
+from app.models.plan_billing import PlanBilling
+from app.models.stripe_event import StripeEvent
+from app.models.subscription import Subscription
+
+
+TRIAL_DAYS = 14
+
+logger = logging.getLogger(__name__)
+
+
+class BillingService:
+    @staticmethod
+    async def invalidate_billing_cache(account_ids) -> None:
+        """No-op stub for future in-process billing cache invalidation.
+
+        Today there is no `app.state.billing_cache` — `BillingService.get_billing_state`
+        always reads fresh from the DB. Call sites that mutate plan/feature data
+        invoke this hook so that wiring is in place when an in-process cache is
+        added later. Until then, this just logs.
+
+        TODO: when an in-process billing cache (e.g. `app.state.billing_cache`)
+        is introduced, evict entries for the given account_ids here.
+        """
+        try:
+            count = len(list(account_ids))
+        except TypeError:
+            count = -1
+        logger.debug(
+            "BillingService.invalidate_billing_cache called for %d account(s) "
+            "(no-op stub — wire to app.state.billing_cache when added)",
+            count,
+        )
+
+    @staticmethod
+    async def start_trial(db: AsyncSession, account_id) -> Subscription:
+        """Idempotent. Creates a trialing Subscription on Pro for the account if
+        one doesn't exist; otherwise returns the existing row."""
+        result = await db.execute(
+            select(Subscription).where(Subscription.account_id == account_id)
+        )
+        existing = result.scalar_one_or_none()
+        if existing is not None:
+            return existing
+
+        sub = Subscription(
+            account_id=account_id,
+            plan="pro",
+            status="trialing",
+            current_period_start=datetime.now(timezone.utc),
+            current_period_end=datetime.now(timezone.utc) + timedelta(days=TRIAL_DAYS),
+        )
+        db.add(sub)
+        await db.commit()
+        await db.refresh(sub)
+        return sub
+
+    @staticmethod
+    async def create_checkout_session(
+        db: AsyncSession,
+        account: Account,
+        plan: str,
+        seats: int,
+        billing_interval: str,
+        success_url: str,
+        cancel_url: str,
+    ) -> str:
+        """Create a Stripe Checkout Session for subscription purchase. If the
+        account currently has a trialing subscription with time remaining, that
+        trial end is preserved on the new Stripe subscription so the user
+        isn't charged early."""
+        if not settings.stripe_enabled:
+            raise RuntimeError("Stripe not configured")
+        stripe.api_key = settings.STRIPE_SECRET_KEY
+
+        plan_billing = (await db.execute(
+            select(PlanBilling).where(PlanBilling.plan == plan)
+        )).scalar_one_or_none()
+        if plan_billing is None:
+            raise ValueError(f"Unknown plan: {plan}")
+        price_id = (
+            plan_billing.stripe_monthly_price_id if billing_interval == "monthly"
+            else plan_billing.stripe_annual_price_id
+        )
+        if price_id is None:
+            raise RuntimeError(
+                f"Plan '{plan}' has no Stripe price for {billing_interval}"
+            )
+
+        if account.stripe_customer_id is None:
+            customer = stripe.Customer.create(
+                email=None,
+                metadata={"account_id": str(account.id)},
+            )
+            account.stripe_customer_id = customer.id
+            await db.commit()
+
+        sub = (await db.execute(
+            select(Subscription).where(Subscription.account_id == account.id)
+        )).scalar_one_or_none()
+        subscription_data = {}
+        if (
+            sub
+            and sub.status == "trialing"
+            and sub.current_period_end
+            and sub.current_period_end > datetime.now(timezone.utc)
+        ):
+            subscription_data["trial_end"] = int(sub.current_period_end.timestamp())
+
+        session = stripe.checkout.Session.create(
+            customer=account.stripe_customer_id,
+            line_items=[{"price": price_id, "quantity": seats}],
+            mode="subscription",
+            subscription_data=subscription_data or None,
+            success_url=success_url,
+            cancel_url=cancel_url,
+            allow_promotion_codes=False,
+        )
+        return session.url
+
+    @staticmethod
+    async def open_customer_portal(account: Account) -> str:
+        """Create a Stripe-hosted Customer Portal session and return the URL.
+
+        Raises RuntimeError if Stripe isn't configured (endpoint maps to 503).
+        Raises ValueError if the account has no stripe_customer_id yet — the
+        user must complete a checkout first (endpoint maps to 400).
+        """
+        if not settings.stripe_enabled:
+            raise RuntimeError("Stripe not configured")
+        if account.stripe_customer_id is None:
+            raise ValueError("no_stripe_customer")
+        stripe.api_key = settings.STRIPE_SECRET_KEY
+        session = stripe.billing_portal.Session.create(
+            customer=account.stripe_customer_id,
+            return_url=f"{settings.FRONTEND_URL}/account/billing",
+        )
+        return session.url
+
+    @staticmethod
+    async def get_billing_state(db: AsyncSession, account):
+        """Aggregate Subscription + PlanLimits + PlanBilling + resolved feature
+        flags for the account."""
+        from app.models.plan_limits import PlanLimits
+        from app.models.plan_billing import PlanBilling
+        from app.models.feature_flag import (
+            FeatureFlag, PlanFeatureDefault, AccountFeatureOverride,
+        )
+
+        sub = (await db.execute(
+            select(Subscription).where(Subscription.account_id == account.id)
+        )).scalar_one_or_none()
+        if sub is None:
+            from fastapi import HTTPException
+            raise HTTPException(status_code=404, detail="No subscription for account")
+
+        pl = (await db.execute(
+            select(PlanLimits).where(PlanLimits.plan == sub.plan)
+        )).scalar_one_or_none()
+        pb = (await db.execute(
+            select(PlanBilling).where(PlanBilling.plan == sub.plan)
+        )).scalar_one_or_none()
+
+        # Resolved feature flags: plan defaults overridden by account overrides
+        defaults = (await db.execute(
+            select(PlanFeatureDefault, FeatureFlag)
+            .join(FeatureFlag, PlanFeatureDefault.flag_id == FeatureFlag.id)
+            .where(PlanFeatureDefault.plan == sub.plan)
+        )).all()
+        resolved = {flag.flag_key: pfd.enabled for pfd, flag in defaults}
+        overrides = (await db.execute(
+            select(AccountFeatureOverride, FeatureFlag)
+            .join(FeatureFlag, AccountFeatureOverride.flag_id == FeatureFlag.id)
+            .where(AccountFeatureOverride.account_id == account.id)
+        )).all()
+        for ovr, flag in overrides:
+            resolved[flag.flag_key] = ovr.enabled
+
+        return {
+            "subscription": {
+                "status": sub.status,
+                "plan": sub.plan,
+                "current_period_start": sub.current_period_start,
+                "current_period_end": sub.current_period_end,
+                "cancel_at_period_end": sub.cancel_at_period_end,
+                "seat_limit": sub.seat_limit,
+                "has_pro_entitlement": sub.has_pro_entitlement,
+                "is_paid": sub.is_paid,
+            },
+            "plan_billing": pb,
+            "plan_limits": _plan_limits_to_dict(pl) if pl else {},
+            "enabled_features": resolved,
+        }
+
+    @staticmethod
+    async def apply_subscription_event(
+        db: AsyncSession, event_id: str, event_type: str, payload: dict
+    ) -> bool:
+        """Idempotent. Returns True if the event was applied; False if it had
+        already been processed (idempotent ack). The webhook handler returns 200
+        either way.
+
+        Atomic: the StripeEvent idempotency mark and the handler's state
+        mutations are committed in a single transaction. If the handler raises
+        the entire transaction (idempotency mark + partial mutations) is rolled
+        back, so a Stripe retry will re-run the handler. Without this, a
+        handler that fails mid-flight would leave the StripeEvent row persisted
+        and silently desync subscription state from Stripe.
+        """
+        db.add(StripeEvent(
+            id=event_id,
+            event_type=event_type,
+            payload_excerpt=_excerpt(payload),
+        ))
+        try:
+            await db.flush()
+        except IntegrityError:
+            # Duplicate event_id — already processed (or in flight). Ack with False.
+            await db.rollback()
+            return False
+
+        try:
+            if event_type == "checkout.session.completed":
+                await _handle_checkout_completed(db, payload)
+            elif event_type == "customer.subscription.updated":
+                await _handle_subscription_updated(db, payload)
+            elif event_type == "customer.subscription.deleted":
+                await _handle_subscription_deleted(db, payload)
+            elif event_type == "invoice.payment_failed":
+                await _handle_payment_failed(db, payload)
+            elif event_type == "invoice.payment_succeeded":
+                await _handle_payment_succeeded(db, payload)
+            await db.commit()
+        except Exception:
+            # Roll back the StripeEvent insert + any partial handler mutations
+            # so Stripe's retry can re-run cleanly.
+            await db.rollback()
+            raise
+        return True
+
+
+def _plan_limits_to_dict(pl) -> dict:
+    return {c.name: getattr(pl, c.name) for c in pl.__table__.columns}
+
+
+def _excerpt(payload: dict) -> dict:
+    obj = payload.get("data", {}).get("object", {})
+    return {
+        "object_id": obj.get("id"),
+        "customer": obj.get("customer"),
+        "subscription": obj.get("subscription"),
+        "status": obj.get("status"),
+    }
+
+
+async def _handle_checkout_completed(db: AsyncSession, payload: dict):
+    obj = payload["data"]["object"]
+    customer_id = obj["customer"]
+    subscription_id = obj["subscription"]
+
+    account = (await db.execute(
+        select(Account).where(Account.stripe_customer_id == customer_id)
+    )).scalar_one_or_none()
+    if account is None:
+        return
+
+    sub = (await db.execute(
+        select(Subscription).where(Subscription.account_id == account.id)
+    )).scalar_one_or_none()
+    if sub is None:
+        return
+
+    stripe.api_key = settings.STRIPE_SECRET_KEY
+    stripe_sub = stripe.Subscription.retrieve(subscription_id)
+    sub.stripe_subscription_id = subscription_id
+    sub.stripe_price_id = stripe_sub["items"]["data"][0]["price"]["id"]
+    sub.status = "active"
+    sub.current_period_start = datetime.fromtimestamp(stripe_sub["current_period_start"], tz=timezone.utc)
+    sub.current_period_end = datetime.fromtimestamp(stripe_sub["current_period_end"], tz=timezone.utc)
+    sub.seat_limit = stripe_sub["items"]["data"][0]["quantity"]
+    pb = (await db.execute(
+        select(PlanBilling).where(
+            (PlanBilling.stripe_monthly_price_id == sub.stripe_price_id) |
+            (PlanBilling.stripe_annual_price_id == sub.stripe_price_id)
+        )
+    )).scalar_one_or_none()
+    if pb is not None:
+        sub.plan = pb.plan
+    # No commit — apply_subscription_event commits once for the full event.
+
+
+async def _handle_subscription_updated(db: AsyncSession, payload: dict):
+    obj = payload["data"]["object"]
+    sub = (await db.execute(
+        select(Subscription).where(Subscription.stripe_subscription_id == obj["id"])
+    )).scalar_one_or_none()
+    if sub is None:
+        return
+    sub.status = obj["status"]
+    sub.current_period_start = datetime.fromtimestamp(obj["current_period_start"], tz=timezone.utc)
+    sub.current_period_end = datetime.fromtimestamp(obj["current_period_end"], tz=timezone.utc)
+    sub.cancel_at_period_end = obj.get("cancel_at_period_end", False)
+    sub.seat_limit = obj["items"]["data"][0]["quantity"]
+    # No commit — apply_subscription_event commits once for the full event.
+
+
+async def _handle_subscription_deleted(db: AsyncSession, payload: dict):
+    obj = payload["data"]["object"]
+    sub = (await db.execute(
+        select(Subscription).where(Subscription.stripe_subscription_id == obj["id"])
+    )).scalar_one_or_none()
+    if sub is None:
+        return
+    sub.status = "canceled"
+    # No commit — apply_subscription_event commits once for the full event.
+
+
+async def _handle_payment_failed(db: AsyncSession, payload: dict):
+    obj = payload["data"]["object"]
+    subscription_id = obj.get("subscription")
+    if not subscription_id:
+        return
+    sub = (await db.execute(
+        select(Subscription).where(Subscription.stripe_subscription_id == subscription_id)
+    )).scalar_one_or_none()
+    if sub is None:
+        return
+    sub.status = "past_due"
+    # No commit — apply_subscription_event commits once for the full event.
+
+
+async def _handle_payment_succeeded(db: AsyncSession, payload: dict):
+    obj = payload["data"]["object"]
+    subscription_id = obj.get("subscription")
+    if not subscription_id:
+        return
+    sub = (await db.execute(
+        select(Subscription).where(Subscription.stripe_subscription_id == subscription_id)
+    )).scalar_one_or_none()
+    if sub is None:
+        return
+    if sub.status == "past_due":
+        sub.status = "active"
+    # No commit — apply_subscription_event commits once for the full event.
--- a/backend/app/services/internal_ticket_service.py
+++ b/backend/app/services/internal_ticket_service.py
@@ -0,0 +1,90 @@
+"""CRUD + status transitions for internal_tickets (the no-PSA fallback ticket model)."""
+from datetime import datetime, timezone
+from typing import Optional
+from uuid import UUID
+
+from sqlalchemy import select
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from app.models.internal_ticket import InternalTicket
+
+
+async def create_ticket(
+    db: AsyncSession,
+    *,
+    account_id: UUID,
+    created_by_user_id: UUID,
+    problem_statement: str,
+    customer_name: Optional[str] = None,
+    customer_contact: Optional[str] = None,
+) -> InternalTicket:
+    """Create a new internal ticket in 'open' status."""
+    ticket = InternalTicket(
+        account_id=account_id,
+        created_by_user_id=created_by_user_id,
+        problem_statement=problem_statement,
+        customer_name=customer_name,
+        customer_contact=customer_contact,
+    )
+    db.add(ticket)
+    await db.flush()
+    return ticket
+
+
+async def update_status(
+    db: AsyncSession,
+    *,
+    ticket_id: UUID,
+    status: str,
+    resolution_notes: Optional[str] = None,
+    assigned_user_id: Optional[UUID] = None,
+) -> InternalTicket:
+    """Transition a ticket to a new status. Sets resolved_at when status='resolved'."""
+    ticket = await db.get(InternalTicket, ticket_id)
+    if not ticket:
+        raise ValueError(f"InternalTicket {ticket_id} not found")
+    ticket.status = status
+    if status == 'resolved':
+        ticket.resolved_at = datetime.now(timezone.utc)
+        if resolution_notes is not None:
+            ticket.resolution_notes = resolution_notes
+    if assigned_user_id is not None:
+        ticket.assigned_user_id = assigned_user_id
+    await db.flush()
+    return ticket
+
+
+async def get_ticket(db: AsyncSession, *, ticket_id: UUID) -> Optional[InternalTicket]:
+    """Fetch a ticket by ID. Returns None if not found."""
+    return await db.get(InternalTicket, ticket_id)
+
+
+async def list_tickets_for_account(
+    db: AsyncSession,
+    *,
+    account_id: UUID,
+    status: Optional[str] = None,
+    limit: int = 100,
+) -> list[InternalTicket]:
+    """List tickets for an account, optionally filtered by status, newest first."""
+    stmt = select(InternalTicket).where(InternalTicket.account_id == account_id)
+    if status:
+        stmt = stmt.where(InternalTicket.status == status)
+    stmt = stmt.order_by(InternalTicket.created_at.desc()).limit(limit)
+    result = await db.execute(stmt)
+    return list(result.scalars())
+
+
+async def promote_to_psa(
+    db: AsyncSession,
+    *,
+    ticket_id: UUID,
+    psa_ticket_id: str,
+) -> InternalTicket:
+    """Mark an internal ticket as promoted to PSA."""
+    ticket = await db.get(InternalTicket, ticket_id)
+    if not ticket:
+        raise ValueError(f"InternalTicket {ticket_id} not found")
+    ticket.psa_promoted_ticket_id = psa_ticket_id
+    await db.flush()
+    return ticket
--- a/backend/app/services/l1_session_cleanup.py
+++ b/backend/app/services/l1_session_cleanup.py
@@ -0,0 +1,49 @@
+"""Hourly cleanup job: flip stale active L1WalkSessions to 'abandoned'.
+
+Sessions with status='active' and last_step_at older than 24h are considered
+abandoned (L1 closed the browser, customer hung up, etc.). Flipping them
+removes them from the "Resume in progress" widget while preserving the row
+for audit/reporting.
+
+Run via APScheduler interval job, max_instances=1 (Lesson 1).
+"""
+import logging
+from datetime import datetime, timedelta, timezone
+
+from sqlalchemy import update
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from app.models.l1_walk_session import L1WalkSession
+
+
+logger = logging.getLogger(__name__)
+
+
+async def flip_stale_sessions(db: AsyncSession) -> int:
+    """Flip active sessions to 'abandoned' if last_step_at < now - 24h.
+
+    Returns the number of sessions flipped.
+    """
+    cutoff = datetime.now(timezone.utc) - timedelta(hours=24)
+    stmt = (
+        update(L1WalkSession)
+        .where(L1WalkSession.status == "active")
+        .where(L1WalkSession.last_step_at < cutoff)
+        .values(status="abandoned")
+    )
+    result = await db.execute(stmt)
+    await db.commit()
+    return result.rowcount or 0
+
+
+async def run_cleanup_job(session_factory) -> None:
+    """APScheduler entry point. Uses the admin session factory (no RLS context)."""
+    async with session_factory() as db:
+        try:
+            count = await flip_stale_sessions(db)
+            if count > 0:
+                logger.info(
+                    "l1_session_cleanup: flipped %d sessions to abandoned", count
+                )
+        except Exception:
+            logger.exception("l1_session_cleanup: error during run")
--- a/backend/app/services/l1_session_service.py
+++ b/backend/app/services/l1_session_service.py
@@ -0,0 +1,321 @@
+"""L1 session lifecycle: start (flow/proposal/adhoc), step, notes, resolve, escalate.
+
+start_* functions live in T12; step/notes are T13; resolve/escalate are T14.
+"""
+import json
+from datetime import datetime, timezone
+from typing import Optional
+from uuid import UUID
+
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from app.core.audit import log_audit
+from app.models.flow_proposal import FlowProposal
+from app.models.l1_walk_session import L1WalkSession
+from app.models.user import User
+from app.services import internal_ticket_service
+
+
+def _resolve_acting_as(user: User) -> Optional[str]:
+    """An engineer (whether covering or not) gets tagged for audit when using L1 surface.
+
+    Returns 'l1_coverage' for engineers (only engineers WITH the coverage flag should
+    reach this code path — the require_l1_or_coverage dep gates that). For native
+    l1_tech users, returns None (no special tag — they ARE l1).
+    """
+    if user.account_role == "engineer":
+        return "l1_coverage"
+    return None
+
+
+async def start_flow_session(
+    db: AsyncSession,
+    *,
+    account_id: UUID,
+    user: User,
+    flow_id: UUID,
+    ticket_id: str,
+    ticket_kind: str,  # 'psa' | 'internal'
+) -> L1WalkSession:
+    """Start a session walking an authored flow."""
+    session = L1WalkSession(
+        account_id=account_id,
+        created_by_user_id=user.id,
+        acting_as=_resolve_acting_as(user),
+        ticket_id=ticket_id,
+        ticket_kind=ticket_kind,
+        session_kind="flow",
+        flow_id=flow_id,
+    )
+    db.add(session)
+    await db.flush()
+    return session
+
+
+async def start_proposal_session(
+    db: AsyncSession,
+    *,
+    account_id: UUID,
+    user: User,
+    flow_proposal_id: UUID,
+    ticket_id: str,
+    ticket_kind: str,
+) -> L1WalkSession:
+    """Start a session walking an AI-built FlowProposal."""
+    session = L1WalkSession(
+        account_id=account_id,
+        created_by_user_id=user.id,
+        acting_as=_resolve_acting_as(user),
+        ticket_id=ticket_id,
+        ticket_kind=ticket_kind,
+        session_kind="proposal",
+        flow_proposal_id=flow_proposal_id,
+    )
+    db.add(session)
+    await db.flush()
+    return session
+
+
+async def start_adhoc_session(
+    db: AsyncSession,
+    *,
+    account_id: UUID,
+    user: User,
+    ticket_id: str,
+    ticket_kind: str,
+) -> L1WalkSession:
+    """Start an ad-hoc session with no tree (free-form note-taking only)."""
+    session = L1WalkSession(
+        account_id=account_id,
+        created_by_user_id=user.id,
+        acting_as=_resolve_acting_as(user),
+        ticket_id=ticket_id,
+        ticket_kind=ticket_kind,
+        session_kind="adhoc",
+    )
+    db.add(session)
+    await db.flush()
+    return session
+
+
+async def record_step(
+    db: AsyncSession,
+    *,
+    session_id: UUID,
+    node_id: str,
+    question: str,
+    answer: str,
+    note: Optional[str] = None,
+) -> L1WalkSession:
+    """Record an answered step in a tree walk. Appends to walked_path JSONB and
+    advances current_node_id. Raises ValueError on adhoc sessions or inactive
+    sessions. Updates last_step_at."""
+    session = await db.get(L1WalkSession, session_id)
+    if not session:
+        raise ValueError(f"L1WalkSession {session_id} not found")
+    if session.session_kind == "adhoc":
+        raise ValueError("Cannot record step on adhoc session — use update_notes")
+    if session.status != "active":
+        raise ValueError(f"Session {session_id} is not active (status={session.status})")
+    entry = {
+        "node_id": node_id,
+        "question": question,
+        "answer": answer,
+        "l1_note": note,
+    }
+    # JSONB requires assigning a new list — in-place mutation isn't tracked
+    session.walked_path = [*session.walked_path, entry]
+    session.current_node_id = node_id
+    session.last_step_at = datetime.now(timezone.utc)
+    await db.flush()
+    return session
+
+
+async def update_notes(
+    db: AsyncSession,
+    *,
+    session_id: UUID,
+    notes: list[dict],
+) -> L1WalkSession:
+    """Replace walk_notes on an active session. Used by adhoc walks for
+    debounced autosave. Raises ValueError if missing or inactive. Caps notes
+    payload at 256KB to prevent unbounded growth."""
+    session = await db.get(L1WalkSession, session_id)
+    if not session:
+        raise ValueError(f"L1WalkSession {session_id} not found")
+    if session.status != "active":
+        raise ValueError(f"Session {session_id} is not active (status={session.status})")
+    encoded_size = len(json.dumps(notes).encode("utf-8"))
+    if encoded_size > 256 * 1024:
+        raise ValueError("walk_notes exceeds 256KB cap — consider escalating")
+    session.walk_notes = notes
+    session.last_step_at = datetime.now(timezone.utc)
+    await db.flush()
+    return session
+
+
+async def resolve(
+    db: AsyncSession,
+    *,
+    session_id: UUID,
+    helpful: bool,
+    resolution_notes: str,
+) -> L1WalkSession:
+    """Close a session as resolved.
+
+    - Sets status='resolved', helpful, resolution_notes, resolved_at.
+    - On helpful=True AND session_kind='proposal': flips
+      flow_proposal.validated_by_outcome=True (one-bit aggregate signal).
+    - Closes the linked internal ticket (PSA close stubbed for Phase 2).
+    - Raises ValueError on missing or non-active session.
+    """
+    session = await db.get(L1WalkSession, session_id)
+    if not session:
+        raise ValueError(f"L1WalkSession {session_id} not found")
+    if session.status != "active":
+        raise ValueError(f"Session not active (status={session.status})")
+    now = datetime.now(timezone.utc)
+    session.status = "resolved"
+    session.helpful = helpful
+    session.resolution_notes = resolution_notes
+    session.resolved_at = now
+    session.last_step_at = now
+
+    if helpful and session.session_kind == "proposal" and session.flow_proposal_id:
+        proposal = await db.get(FlowProposal, session.flow_proposal_id)
+        if proposal:
+            proposal.validated_by_outcome = True
+
+    if session.ticket_kind == "internal":
+        await internal_ticket_service.update_status(
+            db,
+            ticket_id=UUID(session.ticket_id),
+            status="resolved",
+            resolution_notes=resolution_notes,
+        )
+    # PSA close deferred to Phase 2 — no-op for now
+
+    await log_audit(
+        db,
+        user_id=session.created_by_user_id,
+        action="l1.session.resolve",
+        resource_type="l1_walk_session",
+        resource_id=session.id,
+        details={
+            "session_kind": session.session_kind,
+            "helpful": helpful,
+            "ticket_id": session.ticket_id,
+            "ticket_kind": session.ticket_kind,
+        },
+        account_id=session.account_id,
+        acting_as=session.acting_as,
+    )
+    await db.flush()
+    return session
+
+
+async def escalate(
+    db: AsyncSession,
+    *,
+    session_id: UUID,
+    reason: str,
+    reason_category: str,
+) -> L1WalkSession:
+    """Escalate an active session to engineering.
+
+    - Sets status='escalated', escalation_reason, escalation_reason_category, resolved_at.
+    - Marks the linked internal ticket as escalated (PSA reassign deferred to Phase 2).
+    - Raises ValueError on missing or non-active session.
+    """
+    session = await db.get(L1WalkSession, session_id)
+    if not session:
+        raise ValueError(f"L1WalkSession {session_id} not found")
+    if session.status != "active":
+        raise ValueError(f"Session not active (status={session.status})")
+    now = datetime.now(timezone.utc)
+    session.status = "escalated"
+    session.escalation_reason = reason
+    session.escalation_reason_category = reason_category
+    session.resolved_at = now
+    session.last_step_at = now
+
+    if session.ticket_kind == "internal":
+        await internal_ticket_service.update_status(
+            db,
+            ticket_id=UUID(session.ticket_id),
+            status="escalated",
+        )
+    # PSA reassign deferred to Phase 2
+
+    await log_audit(
+        db,
+        user_id=session.created_by_user_id,
+        action="l1.session.escalate",
+        resource_type="l1_walk_session",
+        resource_id=session.id,
+        details={
+            "session_kind": session.session_kind,
+            "escalation_reason_category": reason_category,
+            "ticket_id": session.ticket_id,
+            "ticket_kind": session.ticket_kind,
+        },
+        account_id=session.account_id,
+        acting_as=session.acting_as,
+    )
+    await db.flush()
+    return session
+
+
+async def escalate_without_walk(
+    db: AsyncSession,
+    *,
+    account_id: UUID,
+    user: User,
+    ticket_id: str,
+    ticket_kind: str,
+    reason_category: str,
+    reason: Optional[str] = None,
+) -> L1WalkSession:
+    """Create an immediately-escalated session with no walked_path.
+
+    Used from the BuildAbortedNoKB screen (no KB content available to walk a
+    tree). Captures the call as an audit record + escalates the ticket without
+    requiring a walker session in between.
+    """
+    now = datetime.now(timezone.utc)
+    session = L1WalkSession(
+        account_id=account_id,
+        created_by_user_id=user.id,
+        acting_as=_resolve_acting_as(user),
+        ticket_id=ticket_id,
+        ticket_kind=ticket_kind,
+        session_kind="adhoc",
+        status="escalated",
+        escalation_reason=reason,
+        escalation_reason_category=reason_category,
+        resolved_at=now,
+        last_step_at=now,
+    )
+    db.add(session)
+    if ticket_kind == "internal":
+        await internal_ticket_service.update_status(
+            db,
+            ticket_id=UUID(ticket_id),
+            status="escalated",
+        )
+    await db.flush()  # flush first so session.id is populated
+    await log_audit(
+        db,
+        user_id=session.created_by_user_id,
+        action="l1.session.escalate_no_walk",
+        resource_type="l1_walk_session",
+        resource_id=session.id,
+        details={
+            "escalation_reason_category": reason_category,
+            "ticket_id": ticket_id,
+            "ticket_kind": ticket_kind,
+        },
+        account_id=session.account_id,
+        acting_as=session.acting_as,
+    )
+    return session
--- a/backend/app/services/oauth_providers.py
+++ b/backend/app/services/oauth_providers.py
@@ -0,0 +1,71 @@
+"""OAuth provider helpers. Each provider exposes:
+- exchange_code(code, redirect_uri) -> OAuthProfile
+"""
+from dataclasses import dataclass
+
+import httpx
+from app.core.config import settings
+
+
+@dataclass
+class OAuthProfile:
+    provider_subject: str
+    email: str
+    name: str
+
+
+async def google_exchange_code(code: str, redirect_uri: str) -> OAuthProfile:
+    async with httpx.AsyncClient(timeout=10) as cli:
+        token_response = await cli.post(
+            "https://oauth2.googleapis.com/token",
+            data={
+                "code": code,
+                "client_id": settings.GOOGLE_CLIENT_ID,
+                "client_secret": settings.GOOGLE_CLIENT_SECRET,
+                "redirect_uri": redirect_uri,
+                "grant_type": "authorization_code",
+            },
+        )
+        token_response.raise_for_status()
+        access_token = token_response.json()["access_token"]
+
+        userinfo = await cli.get(
+            "https://openidconnect.googleapis.com/v1/userinfo",
+            headers={"Authorization": f"Bearer {access_token}"},
+        )
+        userinfo.raise_for_status()
+        data = userinfo.json()
+        return OAuthProfile(
+            provider_subject=data["sub"],
+            email=data["email"],
+            name=data.get("name") or data["email"].split("@")[0],
+        )
+
+
+async def microsoft_exchange_code(code: str, redirect_uri: str) -> OAuthProfile:
+    async with httpx.AsyncClient(timeout=10) as cli:
+        token_response = await cli.post(
+            "https://login.microsoftonline.com/common/oauth2/v2.0/token",
+            data={
+                "code": code,
+                "client_id": settings.MS_CLIENT_ID,
+                "client_secret": settings.MS_CLIENT_SECRET,
+                "redirect_uri": redirect_uri,
+                "grant_type": "authorization_code",
+                "scope": "openid email profile",
+            },
+        )
+        token_response.raise_for_status()
+        access_token = token_response.json()["access_token"]
+
+        userinfo = await cli.get(
+            "https://graph.microsoft.com/v1.0/me",
+            headers={"Authorization": f"Bearer {access_token}"},
+        )
+        userinfo.raise_for_status()
+        data = userinfo.json()
+        return OAuthProfile(
+            provider_subject=data["id"],
+            email=data.get("mail") or data["userPrincipalName"],
+            name=data.get("displayName") or data["userPrincipalName"].split("@")[0],
+        )
--- a/backend/app/services/seat_enforcement.py
+++ b/backend/app/services/seat_enforcement.py
@@ -0,0 +1,63 @@
+from typing import Literal
+
+from sqlalchemy import func, select
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from app.models.account import Account
+from app.models.subscription import Subscription
+from app.models.user import User
+from app.schemas.seat_enforcement import SeatCheckResult
+
+
+Role = Literal['engineer', 'l1_tech']
+
+
+def _limit_for_role(subscription: Subscription, role: Role) -> int | None:
+    if role == 'engineer':
+        return subscription.seat_limit
+    if role == 'l1_tech':
+        return subscription.l1_seat_limit
+    raise ValueError(f"Unknown role: {role}")
+
+
+async def check_seat_available(
+    account: Account,
+    subscription: Subscription,
+    role: Role,
+    db: AsyncSession,
+) -> SeatCheckResult:
+    """
+    Count active users with the given role in the account, compare against
+    the role-specific seat limit on the subscription. Returns availability.
+
+    None limit = unlimited (returns available=True).
+    """
+    limit = _limit_for_role(subscription, role)
+
+    stmt = (
+        select(func.count(User.id))
+        .where(User.account_id == account.id)
+        .where(User.account_role == role)
+        .where(User.is_active.is_(True))
+    )
+    current = (await db.execute(stmt)).scalar_one()
+
+    if limit is None:
+        return SeatCheckResult(available=True, current=current, limit=None, role=role)
+    return SeatCheckResult(
+        available=current < limit,
+        current=current,
+        limit=limit,
+        role=role,
+    )
+
+
+async def get_seat_usage(
+    account: Account,
+    subscription: Subscription,
+    db: AsyncSession,
+) -> tuple[SeatCheckResult, SeatCheckResult]:
+    """Return (engineer, l1_tech) seat-usage tuple for the seat-counter widget."""
+    eng = await check_seat_available(account, subscription, 'engineer', db)
+    l1 = await check_seat_available(account, subscription, 'l1_tech', db)
+    return eng, l1
--- a/backend/scripts/create_site_admin.py
+++ b/backend/scripts/create_site_admin.py
@@ -0,0 +1,274 @@
+#!/usr/bin/env python3
+"""
+Create or promote a site-wide super-admin user on any environment.
+
+Designed for the prod bootstrap case where no admin exists yet and self-serve
+signup is gated, so there is no way to obtain admin access through the UI.
+Also safe to use as a recovery tool: if an admin email exists already, the
+script just promotes them to `is_super_admin=True` instead of duplicating.
+
+Usage:
+
+  # Bootstrap a fresh super-admin and email a password-reset link:
+  python -m scripts.create_site_admin --email michael@resolutionflow.com --send-reset
+
+  # Same but emit the reset URL on stdout instead of sending email (useful
+  # if email infra is not configured yet or if you want to bypass the inbox):
+  python -m scripts.create_site_admin --email michael@resolutionflow.com --print-reset
+
+  # Promote an existing user (no reset needed if they already have a password):
+  python -m scripts.create_site_admin --email michael@resolutionflow.com --promote-only
+
+The script is idempotent. Running it twice on the same email is safe.
+"""
+
+from __future__ import annotations
+
+import argparse
+import asyncio
+import random
+import string
+import sys
+import uuid
+from datetime import datetime, timezone
+from typing import Optional
+
+from sqlalchemy import text
+from sqlalchemy.ext.asyncio import AsyncConnection, create_async_engine
+
+from app.core.config import settings
+from app.core.email import EmailService
+from app.core.security import (
+    create_password_reset_token,
+    decode_token,
+    hash_token,
+)
+
+
+def _display_code() -> str:
+    return "".join(random.choices(string.ascii_uppercase + string.digits, k=8))
+
+
+async def _find_user(conn: AsyncConnection, email: str):
+    result = await conn.execute(
+        text(
+            "SELECT id, account_id, is_super_admin, password_hash "
+            "FROM users WHERE email = :email"
+        ),
+        {"email": email},
+    )
+    return result.first()
+
+
+async def _create_user_and_account(
+    conn: AsyncConnection,
+    email: str,
+    name: str,
+    account_name: str,
+    now: datetime,
+) -> uuid.UUID:
+    """Create a new Account and a new super-admin User as its owner.
+
+    Mirrors the shape used by seed_test_users.py for the super-admin row,
+    minus the shared dev password — this bootstrap user gets no password
+    until the reset flow runs.
+    """
+    account_id = uuid.uuid4()
+    user_id = uuid.uuid4()
+
+    await conn.execute(
+        text(
+            """
+            INSERT INTO accounts (id, name, display_code, created_at, updated_at)
+            VALUES (:id, :name, :code, :now, :now)
+            """
+        ),
+        {"id": account_id, "name": account_name, "code": _display_code(), "now": now},
+    )
+    await conn.execute(
+        text(
+            """
+            INSERT INTO users (
+                id, email, password_hash, name, role, is_super_admin,
+                is_team_admin, is_active, account_id, account_role,
+                created_at, email_verified_at
+            )
+            VALUES (
+                :id, :email, NULL, :name, 'engineer', true,
+                false, true, :account_id, 'owner',
+                :now, :now
+            )
+            """
+        ),
+        {
+            "id": user_id,
+            "email": email,
+            "name": name,
+            "account_id": account_id,
+            "now": now,
+        },
+    )
+    await conn.execute(
+        text("UPDATE accounts SET owner_id = :uid WHERE id = :aid"),
+        {"uid": user_id, "aid": account_id},
+    )
+    return user_id
+
+
+async def _promote_existing(conn: AsyncConnection, user_id: uuid.UUID, now: datetime) -> None:
+    """Promote an existing user to super-admin and backfill verification."""
+    await conn.execute(
+        text(
+            """
+            UPDATE users
+            SET is_super_admin = true,
+                email_verified_at = COALESCE(email_verified_at, :now),
+                is_active = true
+            WHERE id = :uid
+            """
+        ),
+        {"uid": user_id, "now": now},
+    )
+
+
+async def _issue_reset_link(
+    conn: AsyncConnection, user_id: uuid.UUID, send_email: bool, email: str
+) -> Optional[str]:
+    """Generate a password-reset token, persist its hash, and return the URL.
+
+    Mirrors /auth/password/forgot. We commit the token row directly because
+    the script owns its own transaction (not the API request lifecycle).
+    """
+    raw_token = create_password_reset_token(str(user_id))
+    payload = decode_token(raw_token)
+    if not payload or not payload.get("jti"):
+        return None
+
+    await conn.execute(
+        text(
+            """
+            INSERT INTO password_reset_tokens
+                (id, token_hash, user_id, expires_at, created_at)
+            VALUES (:id, :token_hash, :user_id, :expires_at, :created_at)
+            """
+        ),
+        {
+            "id": uuid.uuid4(),
+            "token_hash": hash_token(payload["jti"]),
+            "user_id": user_id,
+            "expires_at": datetime.fromtimestamp(payload["exp"], tz=timezone.utc),
+            "created_at": datetime.now(timezone.utc),
+        },
+    )
+
+    reset_url = f"{settings.FRONTEND_URL}/reset-password?token={raw_token}"
+
+    if send_email:
+        # Best-effort. If email infra is misconfigured, the caller still
+        # has --print-reset as a fallback.
+        try:
+            await EmailService.send_password_reset_email(
+                to_email=email, reset_url=reset_url
+            )
+        except Exception as exc:  # noqa: BLE001
+            print(f"  [WARN]  Email send failed: {exc}")
+            print(f"  [WARN]  Use the printed URL below as a fallback.")
+
+    return reset_url
+
+
+async def main(args: argparse.Namespace) -> int:
+    email = args.email.strip().lower()
+    name = args.name or email.split("@", 1)[0].title()
+    account_name = args.account_name or "ResolutionFlow Admin"
+
+    admin_url = getattr(settings, "ADMIN_DATABASE_URL", None) or settings.DATABASE_URL
+    engine = create_async_engine(admin_url, echo=False)
+    now = datetime.now(timezone.utc)
+
+    try:
+        async with engine.begin() as conn:
+            existing = await _find_user(conn, email)
+
+            if existing is None:
+                if args.promote_only:
+                    print(f"[ERROR] --promote-only set but no user with email {email!r} exists.")
+                    return 1
+                user_id = await _create_user_and_account(
+                    conn, email, name, account_name, now
+                )
+                print(f"  [OK]    Created super-admin user {email} (id={user_id})")
+            else:
+                user_id = existing.id
+                if existing.is_super_admin:
+                    print(f"  [SKIP]  {email} already exists and is super-admin (id={user_id})")
+                else:
+                    await _promote_existing(conn, user_id, now)
+                    print(f"  [OK]    Promoted {email} to super-admin (id={user_id})")
+
+            # Skip reset issuance for --promote-only when the user already
+            # has a password (they can just log in with their existing creds).
+            should_issue_reset = not args.promote_only or (
+                existing is not None and existing.password_hash is None
+            )
+
+            if should_issue_reset:
+                reset_url = await _issue_reset_link(
+                    conn, user_id, send_email=args.send_reset, email=email
+                )
+                if reset_url is None:
+                    print("  [ERROR] Failed to mint password-reset token.")
+                    return 2
+
+                print()
+                if args.send_reset:
+                    print(f"  [OK]    Password-reset email sent to {email}")
+                    print(f"  [INFO]  Reset link (also emailed) — copy if email is delayed:")
+                if args.print_reset or not args.send_reset:
+                    print(f"          {reset_url}")
+                else:
+                    print(f"          {reset_url}")
+                print()
+                print("  This link expires per PASSWORD_RESET_TOKEN_EXPIRE in settings.")
+
+    finally:
+        await engine.dispose()
+
+    return 0
+
+
+def _build_parser() -> argparse.ArgumentParser:
+    p = argparse.ArgumentParser(
+        prog="create_site_admin",
+        description="Create or promote a site-wide super-admin user.",
+    )
+    p.add_argument("--email", required=True, help="Email of the admin (will be normalized to lowercase).")
+    p.add_argument("--name", help="Display name. Defaults to the local part of the email, title-cased.")
+    p.add_argument(
+        "--account-name",
+        help="Account name to create alongside a brand-new user. Ignored if the user already exists. Defaults to 'ResolutionFlow Admin'.",
+    )
+    mode = p.add_mutually_exclusive_group()
+    mode.add_argument(
+        "--send-reset",
+        action="store_true",
+        help="Send a password-reset email to the admin. The reset URL is also printed to stdout as a fallback.",
+    )
+    mode.add_argument(
+        "--print-reset",
+        action="store_true",
+        help="Mint a reset token and print the URL to stdout WITHOUT sending email. Use when email infra is not configured.",
+    )
+    mode.add_argument(
+        "--promote-only",
+        action="store_true",
+        help="Only promote an existing user to super-admin. Will NOT create a new user, and will NOT issue a reset link unless the existing user has no password.",
+    )
+    return p
+
+
+if __name__ == "__main__":
+    print("\n[*] ResolutionFlow — Site Admin Bootstrap")
+    print("=" * 60)
+    args = _build_parser().parse_args()
+    sys.exit(asyncio.run(main(args)))
--- a/backend/scripts/seed_test_users.py
+++ b/backend/scripts/seed_test_users.py
@@ -2,11 +2,13 @@
 """
 Create test user accounts for local development.

-Creates 4 accounts:
-  1. Super Admin    – platform-wide admin (manages everything)
-  2. Pro Solo User  – single user on a "pro" plan
-  3. Team Admin     – admin of a team account ("team" plan)
-  4. Team Engineer  – regular engineer on the same team account
+Creates 6 accounts:
+  1. Super Admin          – platform-wide admin (manages everything)
+  2. Pro Solo User        – single user on a "pro" plan
+  3. Team Admin           – admin of a team account ("team" plan)
+  4. Team Engineer        – regular engineer on the same team account
+  5. L1 Tech              – l1_tech role on the Acme MSP team (E2E: L1 happy path)
+  6. Coverage Engineer    – engineer with can_cover_l1=True (E2E: coverage banner)

 Usage:
  cd backend
@@ -71,6 +73,29 @@ USERS = [
        "account_name": "Acme MSP",  # same shared account
        "account_role": "engineer",
        "plan": None,  # uses the team_admin's account & subscription
+        "can_cover_l1": False,
+    },
+    {
+        "key": "l1_tech",
+        "name": "Lee L1Tech",
+        "email": "l1@resolutionflow.example.com",
+        "is_super_admin": False,
+        "is_team_admin": False,
+        "account_name": "Acme MSP",  # same shared account as team_admin
+        "account_role": "l1_tech",
+        "plan": None,  # uses the team_admin's account & subscription
+        "can_cover_l1": False,
+    },
+    {
+        "key": "coverage_engineer",
+        "name": "Casey Coverage",
+        "email": "engineer-coverage@resolutionflow.example.com",
+        "is_super_admin": False,
+        "is_team_admin": False,
+        "account_name": "Acme MSP",  # same shared account as team_admin
+        "account_role": "engineer",
+        "plan": None,  # uses the team_admin's account & subscription
+        "can_cover_l1": True,
    },
 ]

@@ -97,13 +122,26 @@ async def main() -> None:
            )
            row = result.first()
            if row:
-                print(f"  [SKIP]  {cfg['email']} already exists")
+                # Backfill email_verified_at for existing rows so older test
+                # users created before this script set the field still bypass
+                # the 7-day verification grace.
+                await conn.execute(
+                    text("""
+                        UPDATE users
+                        SET email_verified_at = COALESCE(email_verified_at, :now)
+                        WHERE email = :email
+                    """),
+                    {"email": cfg["email"], "now": now},
+                )
+                print(f"  [SKIP]  {cfg['email']} already exists (email_verified_at backfilled if null)")
                if cfg["key"] == "team_admin":
                    team_account_id = row.account_id
                continue

            # ---- Create or reuse Account ----
-            if cfg["key"] == "team_engineer":
+            # Users that share the Acme MSP account (no own account to create)
+            _acme_members = {"team_engineer", "l1_tech", "coverage_engineer"}
+            if cfg["key"] in _acme_members:
                if team_account_id is None:
                    result = await conn.execute(
                        text("SELECT id FROM accounts WHERE name = :name"),
@@ -130,12 +168,18 @@ async def main() -> None:

            # ---- Create User ----
            user_id = uuid.uuid4()
+            # email_verified_at is stamped at seed time so test users bypass the
+            # 7-day verification grace immediately. Without this, fixtures hit
+            # require_verified_email_after_grace once their created_at ages past
+            # 7 days and get walled out of protected routes.
+            can_cover_l1 = cfg.get("can_cover_l1", False)
            await conn.execute(
                text("""
                    INSERT INTO users (id, email, password_hash, name, role, is_super_admin,
-                                       is_team_admin, is_active, account_id, account_role, created_at)
+                                       is_team_admin, is_active, account_id, account_role,
+                                       can_cover_l1, created_at, email_verified_at)
                    VALUES (:id, :email, :pw, :name, 'engineer', :is_sa, :is_ta, true,
-                            :account_id, :account_role, :now)
+                            :account_id, :account_role, :can_cover_l1, :now, :now)
                """),
                {
                    "id": user_id,
@@ -146,12 +190,13 @@ async def main() -> None:
                    "is_ta": cfg["is_team_admin"],
                    "account_id": account_id,
                    "account_role": cfg["account_role"],
+                    "can_cover_l1": can_cover_l1,
                    "now": now,
                },
            )

-            # Set account owner (skip for team_engineer — they don't own the account)
-            if cfg["key"] != "team_engineer":
+            # Set account owner (skip for shared-account members — they don't own the account)
+            if cfg["key"] not in _acme_members:
                await conn.execute(
                    text("UPDATE accounts SET owner_id = :uid WHERE id = :aid"),
                    {"uid": user_id, "aid": account_id},
@@ -167,7 +212,8 @@ async def main() -> None:
                    {"id": uuid.uuid4(), "aid": account_id, "plan": cfg["plan"], "now": now},
                )

-            print(f"  [OK]    {cfg['email']:40s}  account_role={cfg['account_role']:<10s}  plan={cfg['plan'] or '(shared)'}")
+            cover_flag = " [can_cover_l1]" if can_cover_l1 else ""
+            print(f"  [OK]    {cfg['email']:40s}  account_role={cfg['account_role']:<12s}  plan={cfg['plan'] or '(shared)'}{cover_flag}")

    await engine.dispose()

@@ -178,10 +224,12 @@ async def main() -> None:
    print("=" * 60)
    print()
    print("  Accounts:")
-    print(f"    Super Admin :  admin@resolutionflow.example.com")
-    print(f"    Pro Solo    :  pro@resolutionflow.example.com")
-    print(f"    Team Admin  :  teamadmin@resolutionflow.example.com")
-    print(f"    Team Engineer: engineer@resolutionflow.example.com")
+    print(f"    Super Admin       :  admin@resolutionflow.example.com")
+    print(f"    Pro Solo          :  pro@resolutionflow.example.com")
+    print(f"    Team Admin        :  teamadmin@resolutionflow.example.com")
+    print(f"    Team Engineer     :  engineer@resolutionflow.example.com")
+    print(f"    L1 Tech           :  l1@resolutionflow.example.com")
+    print(f"    Coverage Engineer :  engineer-coverage@resolutionflow.example.com")
    print()


--- a/backend/scripts/sync_stripe_plan_ids.py
+++ b/backend/scripts/sync_stripe_plan_ids.py
@@ -0,0 +1,199 @@
+#!/usr/bin/env python3
+"""Sync plan_billing rows from Stripe products and prices.
+
+Reads the active Stripe environment (test or live, determined by
+STRIPE_SECRET_KEY in env), looks up the canonical ResolutionFlow products
+by exact name match, picks the active monthly recurring price for tiers
+that have one, and upserts plan_billing rows.
+
+Idempotent. Safe to re-run after price changes, after live cutover, or
+after rotating Stripe keys.
+
+Tier mapping (name in Stripe -> plan slug in plan_limits):
+  ResolutionFlow Starter      -> starter   (monthly price required)
+  ResolutionFlow Pro          -> pro       (monthly price required)
+  ResolutionFlow Enterprise   -> enterprise (no price, sales-led)
+
+Annual prices are intentionally not supported in this iteration. The
+plan_billing schema allows annual fields (stripe_annual_price_id,
+annual_price_cents); this script leaves them NULL.
+
+Usage:
+  docker exec -w /app resolutionflow_backend python -m scripts.sync_stripe_plan_ids
+  docker exec -w /app resolutionflow_backend python -m scripts.sync_stripe_plan_ids --dry-run
+"""
+import argparse
+import asyncio
+import logging
+import sys
+from typing import Optional
+
+import stripe
+
+from app.core.config import settings
+from app.core.database import async_session_maker
+from sqlalchemy import text
+
+
+logger = logging.getLogger("sync_stripe_plan_ids")
+logging.basicConfig(
+    level=logging.INFO,
+    format="%(asctime)s %(levelname)s %(message)s",
+)
+
+
+PLAN_NAME_TO_SLUG = {
+    "ResolutionFlow Starter": "starter",
+    "ResolutionFlow Pro": "pro",
+    "ResolutionFlow Enterprise": "enterprise",
+}
+
+PLANS_REQUIRING_PRICE = {"starter", "pro"}
+
+PLAN_DEFAULTS = {
+    "starter": {"sort_order": 10, "is_public": True},
+    "pro": {"sort_order": 20, "is_public": True},
+    "enterprise": {"sort_order": 30, "is_public": True},
+}
+
+
+def find_product_by_name(target: str) -> Optional[stripe.Product]:
+    """Page through active products and return the first exact name match."""
+    for product in stripe.Product.list(active=True, limit=100).auto_paging_iter():
+        if product.name == target:
+            return product
+    return None
+
+
+def find_active_monthly_price(product_id: str) -> Optional[stripe.Price]:
+    """Return the active recurring monthly price for a product, or None."""
+    candidates = [
+        p
+        for p in stripe.Price.list(product=product_id, active=True, limit=100).auto_paging_iter()
+        if p.type == "recurring"
+        and p.recurring is not None
+        and p.recurring.get("interval") == "month"
+        and p.recurring.get("interval_count", 1) == 1
+    ]
+    if not candidates:
+        return None
+    if len(candidates) > 1:
+        logger.warning(
+            "Product %s has %d active monthly recurring prices; picking %s. "
+            "Archive the others to silence this warning.",
+            product_id, len(candidates), candidates[0].id,
+        )
+    return candidates[0]
+
+
+async def upsert_plan_billing(
+    plan: str,
+    display_name: str,
+    description: Optional[str],
+    monthly_price_cents: Optional[int],
+    stripe_product_id: Optional[str],
+    stripe_monthly_price_id: Optional[str],
+    sort_order: int,
+    is_public: bool,
+    dry_run: bool,
+) -> None:
+    """Upsert one plan_billing row. Annual fields stay NULL."""
+    if dry_run:
+        logger.info(
+            "[dry-run] would upsert plan=%s display=%s monthly_cents=%s "
+            "product=%s monthly_price=%s",
+            plan, display_name, monthly_price_cents,
+            stripe_product_id, stripe_monthly_price_id,
+        )
+        return
+
+    sql = text("""
+        INSERT INTO plan_billing (
+            plan, display_name, description,
+            monthly_price_cents, annual_price_cents,
+            stripe_product_id, stripe_monthly_price_id, stripe_annual_price_id,
+            is_public, is_archived, sort_order
+        ) VALUES (
+            :plan, :display_name, :description,
+            :monthly_price_cents, NULL,
+            :stripe_product_id, :stripe_monthly_price_id, NULL,
+            :is_public, FALSE, :sort_order
+        )
+        ON CONFLICT (plan) DO UPDATE SET
+            display_name = EXCLUDED.display_name,
+            description = EXCLUDED.description,
+            monthly_price_cents = EXCLUDED.monthly_price_cents,
+            stripe_product_id = EXCLUDED.stripe_product_id,
+            stripe_monthly_price_id = EXCLUDED.stripe_monthly_price_id,
+            is_public = EXCLUDED.is_public,
+            sort_order = EXCLUDED.sort_order,
+            updated_at = NOW()
+    """)
+    async with async_session_maker() as session:
+        await session.execute(sql, {
+            "plan": plan,
+            "display_name": display_name,
+            "description": description,
+            "monthly_price_cents": monthly_price_cents,
+            "stripe_product_id": stripe_product_id,
+            "stripe_monthly_price_id": stripe_monthly_price_id,
+            "is_public": is_public,
+            "sort_order": sort_order,
+        })
+        await session.commit()
+    logger.info("upserted plan_billing for plan=%s", plan)
+
+
+async def main(dry_run: bool) -> int:
+    if not settings.STRIPE_SECRET_KEY:
+        logger.error("STRIPE_SECRET_KEY is not set. Refusing to run.")
+        return 2
+
+    stripe.api_key = settings.STRIPE_SECRET_KEY
+    mode = "live" if settings.STRIPE_SECRET_KEY.startswith("sk_live_") else "test"
+    logger.info("connected to Stripe in %s mode", mode)
+
+    errors: list[str] = []
+
+    for product_name, plan in PLAN_NAME_TO_SLUG.items():
+        defaults = PLAN_DEFAULTS[plan]
+        product = find_product_by_name(product_name)
+        if product is None:
+            errors.append(f"Stripe product not found: {product_name!r}")
+            continue
+
+        price = None
+        if plan in PLANS_REQUIRING_PRICE:
+            price = find_active_monthly_price(product.id)
+            if price is None:
+                errors.append(
+                    f"No active monthly recurring price for {product_name!r} "
+                    f"(product {product.id})"
+                )
+                continue
+
+        await upsert_plan_billing(
+            plan=plan,
+            display_name=product.name,
+            description=product.description,
+            monthly_price_cents=price.unit_amount if price else None,
+            stripe_product_id=product.id,
+            stripe_monthly_price_id=price.id if price else None,
+            sort_order=defaults["sort_order"],
+            is_public=defaults["is_public"],
+            dry_run=dry_run,
+        )
+
+    if errors:
+        for e in errors:
+            logger.error(e)
+        return 1
+    logger.info("done")
+    return 0
+
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(description=__doc__)
+    parser.add_argument("--dry-run", action="store_true", help="Log actions without writing.")
+    args = parser.parse_args()
+    sys.exit(asyncio.run(main(dry_run=args.dry_run)))
--- a/backend/tests/conftest.py
+++ b/backend/tests/conftest.py
@@ -105,7 +105,7 @@ assert "test" in _test_db_name, (
 )

 _RUN_RLS_TESTS = os.environ.get("RUN_RLS_TESTS") == "1"
-_RLS_ISOLATION_FILE = "test_rls_isolation.py"
+_RLS_TEST_FILES = {"test_rls_isolation.py", "test_l1_rls.py"}


 def pytest_collection_modifyitems(config, items):
@@ -117,7 +117,9 @@ def pytest_collection_modifyitems(config, items):
    deselected = []
    for item in items:
        item_path = getattr(item, "path", None) or getattr(item, "fspath", None)
-        if item_path and str(item_path).endswith(_RLS_ISOLATION_FILE):
+        if item_path and any(
+            str(item_path).endswith(f) for f in _RLS_TEST_FILES
+        ):
            deselected.append(item)
        else:
            selected.append(item)
@@ -172,8 +174,9 @@ async def test_db() -> AsyncGenerator[AsyncSession, None]:
            INSERT INTO plan_limits (plan, max_trees, max_sessions_per_month, max_users, custom_branding, priority_support, export_formats)
            VALUES
                ('free', 3, 20, 1, false, false, '["markdown", "text"]'),
+                ('starter', 10, 75, 1, false, false, '["markdown", "text", "html"]'),
                ('pro', 25, 200, 5, true, false, '["markdown", "text", "html"]'),
-                ('team', NULL, NULL, NULL, true, true, '["markdown", "text", "html"]')
+                ('enterprise', NULL, NULL, NULL, true, true, '["markdown", "text", "html"]')
        """))

        # Seed the platform/system account (PLATFORM_ACCOUNT_ID) needed by
@@ -248,13 +251,23 @@ async def client(test_db: AsyncSession):


@pytest.fixture
-async def test_user(client):
+async def test_user(client, test_db):
    """
    Create a test user and return their credentials.

+    Also seeds a default active Pro Subscription so Pro-guarded routes work
+    in tests. Phase 1 Task 11 added require_active_subscription; without
+    this seed every existing test that hits a Pro router would 402. The
+    register endpoint creates a default `free`/`active` Subscription, so
+    we delete-then-insert to avoid the unique account_id constraint.
+
    Returns:
        dict with email, password, and user_data
    """
+    import uuid
+    from sqlalchemy import delete
+    from app.models.subscription import Subscription
+
    user_data = {
        "email": "test@example.com",
        "password": "TestPassword123!",
@@ -264,6 +277,13 @@ async def test_user(client):
    response = await client.post("/api/v1/auth/register", json=user_data)
    assert response.status_code == 200 or response.status_code == 201

+    account_id = uuid.UUID(response.json()["account_id"])
+    await test_db.execute(
+        delete(Subscription).where(Subscription.account_id == account_id)
+    )
+    test_db.add(Subscription(account_id=account_id, plan="pro", status="active"))
+    await test_db.commit()
+
    return {
        "email": user_data["email"],
        "password": user_data["password"],
@@ -346,11 +366,14 @@ async def test_admin(client, test_db):
    Create a test super-admin user.

    Registers as engineer (the only role available at registration),
-    then promotes to super_admin directly via the DB session.
+    then promotes to super_admin directly via the DB session. Also
+    seeds a default active Pro Subscription (see test_user docstring).
    """
+    import uuid
    from uuid import UUID as PyUUID
-    from sqlalchemy import select
+    from sqlalchemy import select, delete
    from app.models.user import User
+    from app.models.subscription import Subscription

    admin_data = {
        "email": "admin@example.com",
@@ -365,6 +388,12 @@ async def test_admin(client, test_db):
    result = await test_db.execute(select(User).where(User.id == user_id))
    user = result.scalar_one()
    user.is_super_admin = True
+
+    account_id = uuid.UUID(response.json()["account_id"])
+    await test_db.execute(
+        delete(Subscription).where(Subscription.account_id == account_id)
+    )
+    test_db.add(Subscription(account_id=account_id, plan="pro", status="active"))
    await test_db.commit()

    return {
--- a/backend/tests/test_account_invite_extensions.py
+++ b/backend/tests/test_account_invite_extensions.py
@@ -0,0 +1,180 @@
+import pytest
+from unittest.mock import AsyncMock, patch
+from sqlalchemy import select
+from app.models.account_invite import AccountInvite
+
+
+@pytest.mark.asyncio
+async def test_create_invite_sends_email_and_stamps_email_sent_at(
+    client, test_db, test_user, auth_headers
+):
+    """Regression: today's create_invite does NOT send email. After this task, it MUST."""
+    with patch(
+        "app.core.email.EmailService.send_account_invite_email",
+        new_callable=AsyncMock, return_value=True,
+    ) as mock_send:
+        response = await client.post(
+            "/api/v1/accounts/me/invites",
+            json={"email": "teammate@example.com", "role": "engineer"},
+            headers=auth_headers,
+        )
+    assert response.status_code == 201, response.json()
+    mock_send.assert_called_once()
+    kwargs = mock_send.call_args.kwargs
+    assert kwargs["to_email"] == "teammate@example.com"
+    assert kwargs["role"] == "engineer"
+    assert kwargs["code"]
+
+    invite = (await test_db.execute(
+        select(AccountInvite).where(AccountInvite.email == "teammate@example.com")
+    )).scalar_one()
+    assert invite.email_sent_at is not None
+
+
+@pytest.mark.asyncio
+async def test_create_invite_email_failure_still_creates_row(
+    client, test_db, test_user, auth_headers
+):
+    """When EmailService returns False, the invite row is still created but
+    email_sent_at remains NULL."""
+    with patch(
+        "app.core.email.EmailService.send_account_invite_email",
+        new_callable=AsyncMock, return_value=False,
+    ):
+        response = await client.post(
+            "/api/v1/accounts/me/invites",
+            json={"email": "fail-mail@example.com", "role": "engineer"},
+            headers=auth_headers,
+        )
+    assert response.status_code == 201
+
+    invite = (await test_db.execute(
+        select(AccountInvite).where(AccountInvite.email == "fail-mail@example.com")
+    )).scalar_one()
+    assert invite.email_sent_at is None
+
+
+@pytest.mark.asyncio
+async def test_bulk_invite_creates_n_rows_and_sends_n_emails(
+    client, test_db, test_user, auth_headers
+):
+    with patch(
+        "app.core.email.EmailService.send_account_invite_email",
+        new_callable=AsyncMock, return_value=True,
+    ) as mock_send:
+        response = await client.post(
+            "/api/v1/accounts/me/invites/bulk",
+            json={"invites": [
+                {"email": "a@example.com", "role": "engineer"},
+                {"email": "b@example.com", "role": "engineer"},
+                {"email": "c@example.com", "role": "viewer"},
+            ]},
+            headers=auth_headers,
+        )
+    assert response.status_code == 201, response.json()
+    body = response.json()
+    assert len(body["created"]) == 3
+    assert body["failed"] == []
+    assert mock_send.call_count == 3
+
+
+@pytest.mark.asyncio
+async def test_revoke_invite_sets_revoked_at(client, test_db, test_user, auth_headers):
+    import uuid
+    from datetime import datetime, timezone, timedelta
+    from app.models.account_invite import AccountInvite
+
+    invited_by_id = uuid.UUID(test_user["user_data"]["id"])
+    account_id = uuid.UUID(test_user["user_data"]["account_id"])
+
+    invite = AccountInvite(
+        account_id=account_id,
+        invited_by_id=invited_by_id,
+        email="revoked@example.com",
+        code="REVOKEME01",
+        role="engineer",
+        expires_at=datetime.now(timezone.utc) + timedelta(days=7),
+    )
+    test_db.add(invite)
+    await test_db.commit()
+    invite_id = invite.id
+
+    response = await client.delete(
+        f"/api/v1/accounts/me/invites/{invite_id}",
+        headers=auth_headers,
+    )
+    assert response.status_code == 204
+
+    await test_db.refresh(invite)
+    assert invite.revoked_at is not None
+    assert invite.is_valid is False
+
+
+@pytest.mark.asyncio
+async def test_revoke_invite_idempotent(client, test_db, test_user, auth_headers):
+    import uuid
+    from datetime import datetime, timezone, timedelta
+    from app.models.account_invite import AccountInvite
+
+    invited_by_id = uuid.UUID(test_user["user_data"]["id"])
+    account_id = uuid.UUID(test_user["user_data"]["account_id"])
+
+    invite = AccountInvite(
+        account_id=account_id,
+        invited_by_id=invited_by_id,
+        email="revoked2@example.com",
+        code="REVOKEME02",
+        role="engineer",
+        revoked_at=datetime.now(timezone.utc),
+        expires_at=datetime.now(timezone.utc) + timedelta(days=7),
+    )
+    test_db.add(invite)
+    await test_db.commit()
+    invite_id = invite.id
+
+    response = await client.delete(
+        f"/api/v1/accounts/me/invites/{invite_id}",
+        headers=auth_headers,
+    )
+    assert response.status_code == 204
+
+
+@pytest.mark.asyncio
+async def test_revoke_invite_404_when_not_found(client, test_user, auth_headers):
+    import uuid
+    response = await client.delete(
+        f"/api/v1/accounts/me/invites/{uuid.uuid4()}",
+        headers=auth_headers,
+    )
+    assert response.status_code == 404
+
+
+@pytest.mark.asyncio
+async def test_revoke_used_invite_returns_400(
+    client, test_db, test_user, auth_headers
+):
+    import uuid
+    from datetime import datetime, timezone, timedelta
+    from app.models.account_invite import AccountInvite
+
+    invited_by_id = uuid.UUID(test_user["user_data"]["id"])
+    account_id = uuid.UUID(test_user["user_data"]["account_id"])
+
+    invite = AccountInvite(
+        account_id=account_id,
+        invited_by_id=invited_by_id,
+        email="used@example.com",
+        code="USEDCODE01",
+        role="engineer",
+        accepted_by_id=invited_by_id,  # mark as used
+        expires_at=datetime.now(timezone.utc) + timedelta(days=7),
+    )
+    test_db.add(invite)
+    await test_db.commit()
+    invite_id = invite.id
+
+    response = await client.delete(
+        f"/api/v1/accounts/me/invites/{invite_id}",
+        headers=auth_headers,
+    )
+    assert response.status_code == 400
--- a/backend/tests/test_account_invite_lookup.py
+++ b/backend/tests/test_account_invite_lookup.py
@@ -0,0 +1,290 @@
+"""Tests for the public GET /accounts/invites/{code}/lookup endpoint
+(consumed by the /accept-invite page on the frontend)."""
+
+import uuid
+from datetime import datetime, timedelta, timezone
+from unittest.mock import AsyncMock, patch
+
+import pytest
+from sqlalchemy import select
+
+from app.models.account_invite import AccountInvite
+
+
+@pytest.mark.asyncio
+async def test_invite_lookup_returns_account_info_for_valid_code(
+    client, test_db, test_user, auth_headers
+):
+    """A freshly-created, unused, unexpired invite resolves to the inviter's
+    account name + the inviter's display name + the invited email + role."""
+    with patch(
+        "app.core.email.EmailService.send_account_invite_email",
+        new_callable=AsyncMock,
+        return_value=True,
+    ):
+        create_resp = await client.post(
+            "/api/v1/accounts/me/invites",
+            json={"email": "lookup@example.com", "role": "engineer"},
+            headers=auth_headers,
+        )
+    assert create_resp.status_code == 201, create_resp.json()
+    code = create_resp.json()["code"]
+
+    response = await client.get(f"/api/v1/accounts/invites/{code}/lookup")
+    assert response.status_code == 200, response.json()
+    body = response.json()
+
+    assert body["invited_email"] == "lookup@example.com"
+    assert body["role"] == "engineer"
+    assert body["inviter_name"] == test_user["user_data"]["name"]
+    # account_name is whatever the test_user fixture seeded for the account.
+    assert isinstance(body["account_name"], str) and body["account_name"]
+
+
+@pytest.mark.asyncio
+async def test_invite_lookup_returns_404_for_invalid_or_expired_code(
+    client, test_db, test_user
+):
+    """Three failure modes (unknown code, expired, revoked, used) all collapse
+    to the same 404 + invite_invalid_or_expired_or_revoked error code."""
+    invited_by_id = uuid.UUID(test_user["user_data"]["id"])
+    account_id = uuid.UUID(test_user["user_data"]["account_id"])
+
+    # 1) Unknown code
+    unknown = await client.get("/api/v1/accounts/invites/DOESNOTEXIST/lookup")
+    assert unknown.status_code == 404
+    assert unknown.json()["detail"]["error"] == "invite_invalid_or_expired_or_revoked"
+
+    # 2) Expired
+    expired_invite = AccountInvite(
+        account_id=account_id,
+        invited_by_id=invited_by_id,
+        email="expired@example.com",
+        code="EXPIREDLOOKUP01",
+        role="engineer",
+        expires_at=datetime.now(timezone.utc) - timedelta(days=1),
+    )
+    test_db.add(expired_invite)
+    await test_db.commit()
+    expired = await client.get("/api/v1/accounts/invites/EXPIREDLOOKUP01/lookup")
+    assert expired.status_code == 404
+    assert expired.json()["detail"]["error"] == "invite_invalid_or_expired_or_revoked"
+
+    # 3) Revoked
+    revoked_invite = AccountInvite(
+        account_id=account_id,
+        invited_by_id=invited_by_id,
+        email="revoked@example.com",
+        code="REVOKEDLOOKUP01",
+        role="engineer",
+        expires_at=datetime.now(timezone.utc) + timedelta(days=7),
+        revoked_at=datetime.now(timezone.utc),
+    )
+    test_db.add(revoked_invite)
+    await test_db.commit()
+    revoked = await client.get("/api/v1/accounts/invites/REVOKEDLOOKUP01/lookup")
+    assert revoked.status_code == 404
+    assert revoked.json()["detail"]["error"] == "invite_invalid_or_expired_or_revoked"
+
+    # 4) Already used
+    used_invite = AccountInvite(
+        account_id=account_id,
+        invited_by_id=invited_by_id,
+        email="used@example.com",
+        code="USEDLOOKUP01",
+        role="engineer",
+        expires_at=datetime.now(timezone.utc) + timedelta(days=7),
+        accepted_by_id=invited_by_id,
+        used_at=datetime.now(timezone.utc),
+    )
+    test_db.add(used_invite)
+    await test_db.commit()
+    used = await client.get("/api/v1/accounts/invites/USEDLOOKUP01/lookup")
+    assert used.status_code == 404
+    assert used.json()["detail"]["error"] == "invite_invalid_or_expired_or_revoked"
+
+    # Sanity: rows survived (no destructive side effects).
+    persisted = (
+        await test_db.execute(
+            select(AccountInvite).where(
+                AccountInvite.code.in_(
+                    ["EXPIREDLOOKUP01", "REVOKEDLOOKUP01", "USEDLOOKUP01"]
+                )
+            )
+        )
+    ).scalars().all()
+    assert len(persisted) == 3
+
+
+@pytest.mark.asyncio
+async def test_oauth_callback_links_invite_when_account_invite_code_supplied(
+    client, test_db, test_user, auth_headers, monkeypatch
+):
+    """Brand-new OAuth user with account_invite_code joins the invited account
+    instead of getting a personal one. Invite is marked used."""
+    from app.core.config import settings
+    from app.models.user import User
+    from app.services.oauth_providers import OAuthProfile
+
+    monkeypatch.setattr(settings, "GOOGLE_CLIENT_ID", "client_dummy")
+    monkeypatch.setattr(settings, "GOOGLE_CLIENT_SECRET", "secret_dummy")
+
+    with patch(
+        "app.core.email.EmailService.send_account_invite_email",
+        new_callable=AsyncMock,
+        return_value=True,
+    ):
+        create_resp = await client.post(
+            "/api/v1/accounts/me/invites",
+            json={"email": "oauth-invite@example.com", "role": "engineer"},
+            headers=auth_headers,
+        )
+    code = create_resp.json()["code"]
+    inviter_account_id = uuid.UUID(test_user["user_data"]["account_id"])
+
+    profile = OAuthProfile(
+        provider_subject="google_invite_subject_1",
+        email="oauth-invite@example.com",
+        name="OAuth Invitee",
+    )
+    with patch("app.api.endpoints.oauth.google_exchange_code", return_value=profile):
+        response = await client.post(
+            "/api/v1/auth/google/callback",
+            json={
+                "code": "auth_code_xyz",
+                "account_invite_code": code,
+                "invited_email": "oauth-invite@example.com",
+            },
+        )
+    assert response.status_code == 200, response.json()
+    assert response.json()["is_new_user"] is True
+
+    user = (
+        await test_db.execute(
+            select(User).where(User.email == "oauth-invite@example.com")
+        )
+    ).scalar_one()
+    assert user.account_id == inviter_account_id
+    assert user.account_role == "engineer"
+
+    invite = (
+        await test_db.execute(
+            select(AccountInvite).where(AccountInvite.code == code)
+        )
+    ).scalar_one()
+    assert invite.used_at is not None
+    assert invite.accepted_by_id == user.id
+
+
+@pytest.mark.asyncio
+async def test_oauth_callback_existing_email_with_invite_returns_400(
+    client, test_db, test_user, auth_headers, monkeypatch
+):
+    """If a user already exists with the invited email (e.g., previously
+    registered via password), arriving via /accept-invite OAuth must NOT
+    silently link the OAuth identity to their existing account and skip the
+    invite. Surface email_already_registered_use_login so the user signs in
+    and accepts the invite from the dashboard instead."""
+    from app.core.config import settings
+    from app.services.oauth_providers import OAuthProfile
+
+    monkeypatch.setattr(settings, "GOOGLE_CLIENT_ID", "client_dummy")
+    monkeypatch.setattr(settings, "GOOGLE_CLIENT_SECRET", "secret_dummy")
+
+    # 1) Pre-existing user with a password (separate from the inviter).
+    existing_email = "already-here@example.com"
+    register_resp = await client.post(
+        "/api/v1/auth/register",
+        json={
+            "email": existing_email,
+            "password": "PreviousPassword123!",
+            "name": "Already Here",
+        },
+    )
+    assert register_resp.status_code in (200, 201), register_resp.json()
+
+    # 2) Inviter creates an invite for that exact email.
+    with patch(
+        "app.core.email.EmailService.send_account_invite_email",
+        new_callable=AsyncMock,
+        return_value=True,
+    ):
+        create_resp = await client.post(
+            "/api/v1/accounts/me/invites",
+            json={"email": existing_email, "role": "engineer"},
+            headers=auth_headers,
+        )
+    assert create_resp.status_code == 201, create_resp.json()
+    code = create_resp.json()["code"]
+
+    # 3) The existing user does Google OAuth and the callback receives the
+    #    invite code. Backend must reject — not link silently.
+    profile = OAuthProfile(
+        provider_subject="google_existing_subject_1",
+        email=existing_email,
+        name="Already Here",
+    )
+    with patch("app.api.endpoints.oauth.google_exchange_code", return_value=profile):
+        response = await client.post(
+            "/api/v1/auth/google/callback",
+            json={
+                "code": "auth_code_xyz",
+                "account_invite_code": code,
+                "invited_email": existing_email,
+            },
+        )
+    assert response.status_code == 400, response.json()
+    assert (
+        response.json()["detail"]["error"] == "email_already_registered_use_login"
+    )
+
+    # 4) Sanity: the invite was NOT consumed.
+    invite = (
+        await test_db.execute(
+            select(AccountInvite).where(AccountInvite.code == code)
+        )
+    ).scalar_one()
+    assert invite.used_at is None
+    assert invite.accepted_by_id is None
+
+
+@pytest.mark.asyncio
+async def test_oauth_callback_invite_email_mismatch_returns_400(
+    client, test_db, test_user, auth_headers, monkeypatch
+):
+    """If the OAuth profile's email differs from the invite's email, the
+    backend rejects the link with invite_email_mismatch (mirrors register)."""
+    from app.core.config import settings
+    from app.services.oauth_providers import OAuthProfile
+
+    monkeypatch.setattr(settings, "GOOGLE_CLIENT_ID", "client_dummy")
+    monkeypatch.setattr(settings, "GOOGLE_CLIENT_SECRET", "secret_dummy")
+
+    with patch(
+        "app.core.email.EmailService.send_account_invite_email",
+        new_callable=AsyncMock,
+        return_value=True,
+    ):
+        create_resp = await client.post(
+            "/api/v1/accounts/me/invites",
+            json={"email": "expected@example.com", "role": "engineer"},
+            headers=auth_headers,
+        )
+    code = create_resp.json()["code"]
+
+    profile = OAuthProfile(
+        provider_subject="google_invite_subject_2",
+        email="different@example.com",
+        name="Wrong Email",
+    )
+    with patch("app.api.endpoints.oauth.google_exchange_code", return_value=profile):
+        response = await client.post(
+            "/api/v1/auth/google/callback",
+            json={
+                "code": "auth_code_xyz",
+                "account_invite_code": code,
+                "invited_email": "expected@example.com",
+            },
+        )
+    assert response.status_code == 400, response.json()
+    assert response.json()["detail"]["error"] == "invite_email_mismatch"
--- a/backend/tests/test_account_invite_model.py
+++ b/backend/tests/test_account_invite_model.py
@@ -0,0 +1,27 @@
+import pytest
+from datetime import datetime, timezone, timedelta
+from app.models.account_invite import AccountInvite
+
+
+def make_invite(**kwargs):
+    return AccountInvite(
+        account_id=kwargs.get("account_id", "00000000-0000-0000-0000-000000000001"),
+        invited_by_id=kwargs.get("invited_by_id", "00000000-0000-0000-0000-000000000002"),
+        email=kwargs.get("email", "x@y.com"),
+        code=kwargs.get("code", "ABCD1234"),
+        role=kwargs.get("role", "engineer"),
+        accepted_by_id=kwargs.get("accepted_by_id"),
+        expires_at=kwargs.get("expires_at"),
+        revoked_at=kwargs.get("revoked_at"),
+    )
+
+
+def test_invite_revoked_is_invalid():
+    invite = make_invite(revoked_at=datetime.now(timezone.utc))
+    assert invite.is_revoked is True
+    assert invite.is_valid is False
+
+
+def test_invite_unrevoked_unexpired_unused_is_valid():
+    invite = make_invite(expires_at=datetime.now(timezone.utc) + timedelta(days=7))
+    assert invite.is_valid is True
--- a/Show More
+++ b/Show More