diff --git a/ai-hub/app/api/dependencies.py b/ai-hub/app/api/dependencies.py
index 0023ac0..783f8f2 100644
--- a/ai-hub/app/api/dependencies.py
+++ b/ai-hub/app/api/dependencies.py
@@ -37,6 +37,17 @@
     return user
 
 
+async def get_current_admin(
+    current_user: models.User = Depends(get_current_user)
+) -> models.User:
+    if current_user.role != "admin":
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Admin role required"
+        )
+    return current_user
+
+
 class ServiceContainer:
     """
     A flexible container for managing and providing various application services.
diff --git a/ai-hub/app/api/routes/admin.py b/ai-hub/app/api/routes/admin.py
new file mode 100644
index 0000000..1ed915c
--- /dev/null
+++ b/ai-hub/app/api/routes/admin.py
@@ -0,0 +1,120 @@
+from fastapi import APIRouter, Depends, HTTPException
+from app.api import schemas
+from app.api.dependencies import get_current_admin
+from app.config import settings
+
+def create_admin_router() -> APIRouter:
+    router = APIRouter()
+
+    @router.put("/config/oidc", summary="Update OIDC Configuration")
+    async def update_oidc_config(
+        update: schemas.OIDCConfigUpdate,
+        admin = Depends(get_current_admin)
+    ):
+        if update.enabled is not None:
+            settings.OIDC_ENABLED = update.enabled
+        if update.client_id is not None:
+            settings.OIDC_CLIENT_ID = update.client_id
+        if update.client_secret is not None:
+            settings.OIDC_CLIENT_SECRET = update.client_secret
+        if update.server_url is not None:
+            settings.OIDC_SERVER_URL = update.server_url
+        if update.redirect_uri is not None:
+            settings.OIDC_REDIRECT_URI = update.redirect_uri
+        if update.allow_oidc_login is not None:
+            if not update.allow_oidc_login and not settings.ALLOW_PASSWORD_LOGIN:
+                raise HTTPException(status_code=400, detail="Cannot disable OIDC login while password login is also disabled.")
+            settings.ALLOW_OIDC_LOGIN = update.allow_oidc_login
+            
+        settings.save_to_yaml()
+        return {"message": "OIDC configuration updated successfully"}
+
+    @router.put("/config/app", summary="Update Application Configuration")
+    async def update_app_config(
+        update: schemas.AppConfigUpdate,
+        admin = Depends(get_current_admin)
+    ):
+        if update.allow_password_login is not None:
+            if not update.allow_password_login and not settings.ALLOW_OIDC_LOGIN:
+                raise HTTPException(status_code=400, detail="Cannot disable password login while OIDC login is also disabled.")
+            settings.ALLOW_PASSWORD_LOGIN = update.allow_password_login
+            
+        settings.save_to_yaml()
+        return {"message": "Application configuration updated successfully"}
+
+    @router.post("/config/oidc/test", summary="Test OIDC Discovery")
+    async def test_oidc_connection(
+        update: schemas.OIDCConfigUpdate,
+        admin = Depends(get_current_admin)
+    ):
+        if not update.server_url:
+            raise HTTPException(status_code=400, detail="Server URL is required for testing.")
+        
+        import httpx
+        try:
+            discovery_url = update.server_url.rstrip("/") + "/.well-known/openid-configuration"
+            async with httpx.AsyncClient() as client:
+                response = await client.get(discovery_url, timeout=5.0)
+                if response.status_code == 200:
+                    return {"success": True, "message": "OIDC Identity Provider discovered successfully!"}
+                else:
+                    return {"success": False, "message": f"Discovery failed with status {response.status_code}"}
+        except Exception as e:
+            return {"success": False, "message": f"Failed to reach OIDC provider: {str(e)}"}
+
+    @router.post("/config/swarm/test", summary="Test Swarm Connection")
+    async def test_swarm_connection(
+        update: schemas.SwarmConfigUpdate,
+        admin = Depends(get_current_admin)
+    ):
+        if not update.external_endpoint:
+            raise HTTPException(status_code=400, detail="External endpoint is required for testing.")
+        
+        import httpx
+        try:
+            # We try to reach the endpoint. Since it's gRPC, we might just do a TCP check 
+            # or a basic GET if it's behind a proxy that handles health checks.
+            # For simplicity, we'll check if the protocol is valid and we can reach it.
+            async with httpx.AsyncClient() as client:
+                # Most swarm proxies will have a /health or just return 404/405 for GET on root
+                response = await client.get(update.external_endpoint, timeout=5.0)
+                return {"success": True, "message": f"Reached endpoint with status {response.status_code}"}
+        except Exception as e:
+            return {"success": False, "message": f"Failed to connect: {str(e)}"}
+
+    @router.put("/config/swarm", summary="Update Swarm Configuration")
+    async def update_swarm_config(
+        update: schemas.SwarmConfigUpdate,
+        admin = Depends(get_current_admin)
+    ):
+        if update.external_endpoint is not None:
+            settings.GRPC_EXTERNAL_ENDPOINT = update.external_endpoint
+            # Derived TLS enabled from endpoint protocol
+            endpoint = update.external_endpoint.lower()
+            settings.GRPC_TLS_ENABLED = endpoint.startswith("https://") or ":443" in endpoint
+            
+        settings.save_to_yaml()
+        return {"message": "Swarm configuration updated successfully"}
+
+    @router.get("/config", summary="Get Admin Configuration")
+    async def get_admin_config(
+        admin = Depends(get_current_admin)
+    ):
+        return {
+            "app": {
+                "allow_password_login": settings.ALLOW_PASSWORD_LOGIN
+            },
+            "oidc": {
+                "enabled": settings.OIDC_ENABLED,
+                "client_id": settings.OIDC_CLIENT_ID,
+                "client_secret": settings.OIDC_CLIENT_SECRET,
+                "server_url": settings.OIDC_SERVER_URL,
+                "redirect_uri": settings.OIDC_REDIRECT_URI,
+                "allow_oidc_login": settings.ALLOW_OIDC_LOGIN
+            },
+            "swarm": {
+                "external_endpoint": settings.GRPC_EXTERNAL_ENDPOINT
+            }
+        }
+
+    return router
diff --git a/ai-hub/app/api/routes/api.py b/ai-hub/app/api/routes/api.py
index 529e771..3e27520 100644
--- a/ai-hub/app/api/routes/api.py
+++ b/ai-hub/app/api/routes/api.py
@@ -11,6 +11,7 @@
 from .nodes import create_nodes_router
 from .skills import create_skills_router
 from .agent_update import create_agent_update_router
+from .admin import create_admin_router
 
 def create_api_router(services: ServiceContainer) -> APIRouter:
     """
@@ -29,5 +30,6 @@
     router.include_router(create_nodes_router(services))
     router.include_router(create_skills_router(services))
     router.include_router(create_agent_update_router())
+    router.include_router(create_admin_router(), prefix="/admin")
 
     return router
\ No newline at end of file
diff --git a/ai-hub/app/api/routes/general.py b/ai-hub/app/api/routes/general.py
index dd6902d..ece0ba0 100644
--- a/ai-hub/app/api/routes/general.py
+++ b/ai-hub/app/api/routes/general.py
@@ -1,5 +1,6 @@
 from fastapi import APIRouter
 from app.api.dependencies import ServiceContainer
+from app.api.schemas import SystemStatus
 
 def create_general_router(services: ServiceContainer) -> APIRouter:
     router = APIRouter(tags=["General"])
@@ -7,5 +8,16 @@
     @router.get("/", summary="Check Service Status")
     def read_root():
         return {"status": "AI Model Hub is running!"}
+
+    @router.get("/status", response_model=SystemStatus, summary="Get Full System Status")
+    def get_status():
+        settings = services.settings()
+        return SystemStatus(
+            status="running",
+            oidc_enabled=settings.OIDC_ENABLED,
+            tls_enabled=settings.GRPC_TLS_ENABLED,
+            external_endpoint=settings.GRPC_EXTERNAL_ENDPOINT,
+            version=settings.VERSION
+        )
     
     return router
\ No newline at end of file
diff --git a/ai-hub/app/api/routes/nodes.py b/ai-hub/app/api/routes/nodes.py
index 70e081b..479b7a0 100644
--- a/ai-hub/app/api/routes/nodes.py
+++ b/ai-hub/app/api/routes/nodes.py
@@ -251,26 +251,28 @@
         if not user:
             raise HTTPException(status_code=404, detail="User not found.")
 
-        # Both admins and users only see nodes explicitly granted to their group in this user-facing list.
-        # This prevents the 'Personal Preferences' and 'Mesh Explorer' from showing ungranted nodes.
-        
-        # Nodes accessible via user's group (relational)
-        accesses = db.query(models.NodeGroupAccess).filter(
-            models.NodeGroupAccess.group_id == user.group_id
-        ).all()
-        node_ids = set([a.node_id for a in accesses])
-        
-        # Nodes accessible via group policy whitelist
-        if user.group and user.group.policy:
-            policy_nodes = user.group.policy.get("nodes", [])
-            if isinstance(policy_nodes, list):
-                for nid in policy_nodes:
-                    node_ids.add(nid)
+        # Admins see all active nodes for management/configuration purposes.
+        # Regular users only see nodes explicitly granted to their group.
+        if user.role == "admin":
+            nodes = db.query(models.AgentNode).filter(models.AgentNode.is_active == True).all()
+        else:
+            # Nodes accessible via user's group (relational)
+            accesses = db.query(models.NodeGroupAccess).filter(
+                models.NodeGroupAccess.group_id == user.group_id
+            ).all()
+            node_ids = set([a.node_id for a in accesses])
+            
+            # Nodes accessible via group policy whitelist
+            if user.group and user.group.policy:
+                policy_nodes = user.group.policy.get("nodes", [])
+                if isinstance(policy_nodes, list):
+                    for nid in policy_nodes:
+                        node_ids.add(nid)
 
-        nodes = db.query(models.AgentNode).filter(
-            models.AgentNode.node_id.in_(list(node_ids)),
-            models.AgentNode.is_active == True
-        ).all()
+            nodes = db.query(models.AgentNode).filter(
+                models.AgentNode.node_id.in_(list(node_ids)),
+                models.AgentNode.is_active == True
+            ).all()
 
         registry = _registry()
         return [services.mesh_service.node_to_user_view(n, registry) for n in nodes]
@@ -702,19 +704,22 @@
                 logger.warning(f"[📶] User {user_id} not found for global stream.")
                 return
                 
-            # Nodes accessible via user's group
-            accesses = db.query(models.NodeGroupAccess).filter(
-                models.NodeGroupAccess.group_id == user.group_id
-            ).all()
-            accessible_ids = [a.node_id for a in accesses]
-            
-            # Nodes in group policy
-            if user.group and user.group.policy:
-                policy_nodes = user.group.policy.get("nodes", [])
-                if isinstance(policy_nodes, list):
-                    accessible_ids.extend(policy_nodes)
-            
-            accessible_ids = list(set(accessible_ids))
+            if user.role == "admin":
+                accessible_ids = [n.node_id for n in db.query(models.AgentNode).filter(models.AgentNode.is_active == True).all()]
+            else:
+                # Nodes accessible via user's group
+                accesses = db.query(models.NodeGroupAccess).filter(
+                    models.NodeGroupAccess.group_id == user.group_id
+                ).all()
+                accessible_ids = [a.node_id for a in accesses]
+                
+                # Nodes in group policy
+                if user.group and user.group.policy:
+                    policy_nodes = user.group.policy.get("nodes", [])
+                    if isinstance(policy_nodes, list):
+                        accessible_ids.extend(policy_nodes)
+                
+                accessible_ids = list(set(accessible_ids))
 
         try:
             await websocket.accept()
diff --git a/ai-hub/app/api/routes/skills.py b/ai-hub/app/api/routes/skills.py
index a6aa2a6..8020b3e 100644
--- a/ai-hub/app/api/routes/skills.py
+++ b/ai-hub/app/api/routes/skills.py
@@ -17,19 +17,23 @@
         """List all skills accessible to the user."""
         # Start queries
         system_query = db.query(models.Skill).filter(models.Skill.is_system == True)
-        user_query = db.query(models.Skill).filter(
-            models.Skill.owner_id == current_user.id,
-            models.Skill.is_system == False
-        )
+        
+        if current_user.role == 'admin':
+            # Admins see ALL skills (system + user-owned for management)
+            user_query = db.query(models.Skill).filter(models.Skill.is_system == False)
+        else:
+            user_query = db.query(models.Skill).filter(
+                models.Skill.owner_id == current_user.id,
+                models.Skill.is_system == False
+            )
         
         # Policy: Only show enabled skills to non-admins
         if current_user.role != 'admin':
             system_query = system_query.filter(models.Skill.is_enabled == True)
             user_query = user_query.filter(models.Skill.is_enabled == True)
             
-        # Target feature filtering (PostgreSQL JSONB contains or standard JSON)
+        # Target feature filtering
         if feature:
-            # Using standard list comparison as fallback or JSONB contains
             system_skills = [s for s in system_query.all() if feature in (s.features or [])]
             user_skills = [s for s in user_query.all() if feature in (s.features or [])]
         else:
@@ -38,7 +42,7 @@
         
         # Skills shared with the user's group via Group Policy
         group_skills = []
-        if current_user.group and current_user.group.policy:
+        if current_user.role != 'admin' and current_user.group and current_user.group.policy:
             group_skill_names = current_user.group.policy.get("skills", [])
             if group_skill_names:
                 g_query = db.query(models.Skill).filter(
diff --git a/ai-hub/app/api/routes/user.py b/ai-hub/app/api/routes/user.py
index d8c394c..87dd010 100644
--- a/ai-hub/app/api/routes/user.py
+++ b/ai-hub/app/api/routes/user.py
@@ -1,3 +1,4 @@
+from datetime import datetime
 from fastapi import APIRouter, HTTPException, Depends, Header, Query, Request, UploadFile, File
 from fastapi.responses import RedirectResponse as redirect
 from sqlalchemy.orm import Session
@@ -34,7 +35,7 @@
     Retrieves the user ID from the X-User-ID header.
     This simulates an authentication system and is used by the login_required decorator.
     """
-    return x_user_id
+    return x_user_id or "anonymous"
 
 
 def create_users_router(services: ServiceContainer) -> APIRouter:
@@ -63,8 +64,13 @@
         """
         result = await services.auth_service.handle_callback(code, db)
         user_id = result["user_id"]
+        linked = result.get("linked", False)
         
+        # Pass linked flag to frontend for notification
         frontend_redirect_url = f"{state}?user_id={user_id}"
+        if linked:
+            frontend_redirect_url += "&linked=true"
+            
         return redirect(url=frontend_redirect_url)
 
     @router.get("/me", response_model=schemas.UserStatus, summary="Get Current User Status")
@@ -100,6 +106,9 @@
         db: Session = Depends(get_db)
     ):
         """Day 1: Local Username/Password Login."""
+        if not settings.ALLOW_PASSWORD_LOGIN:
+            raise HTTPException(status_code=403, detail="Password-based login is disabled. Please use OIDC/SSO.")
+
         user = db.query(models.User).filter(models.User.email == request.email).first()
         if not user or not user.password_hash:
             raise HTTPException(status_code=401, detail="Invalid email or password")
diff --git a/ai-hub/app/api/schemas.py b/ai-hub/app/api/schemas.py
index 99a9980..d0127ed 100644
--- a/ai-hub/app/api/schemas.py
+++ b/ai-hub/app/api/schemas.py
@@ -21,7 +21,7 @@
 class UserStatus(BaseModel):
     """Schema for the response when checking a user's status."""
     id: str = Field(..., description="The internal user ID.")
-    email: str = Field(..., description="The user's email address.")
+    email: Optional[str] = Field(None, description="The user's email address.")
     is_logged_in: bool = Field(True, description="Indicates if the user is currently authenticated.")
     is_anonymous: bool = Field(False, description="Indicates if the user is an anonymous user.")
     oidc_configured: bool = Field(False, description="Whether OIDC SSO is enabled on the server.")
@@ -84,6 +84,28 @@
     preferences: UserPreferences
     effective: dict = Field(default_factory=dict)
 
+class SystemStatus(BaseModel):
+    """Schema for overall system status, including TLS and OIDC state."""
+    status: str
+    oidc_enabled: bool
+    tls_enabled: bool
+    external_endpoint: Optional[str] = None
+    version: str
+
+class OIDCConfigUpdate(BaseModel):
+    enabled: Optional[bool] = None
+    client_id: Optional[str] = None
+    client_secret: Optional[str] = None
+    server_url: Optional[str] = None
+    redirect_uri: Optional[str] = None
+    allow_oidc_login: Optional[bool] = None
+
+class SwarmConfigUpdate(BaseModel):
+    external_endpoint: Optional[str] = None
+
+class AppConfigUpdate(BaseModel):
+    allow_password_login: Optional[bool] = None
+
 # --- Skill Schemas ---
 class SkillBase(BaseModel):
     name: str
diff --git a/ai-hub/app/app.py b/ai-hub/app/app.py
index 0e6f5fd..3ea1803 100644
--- a/ai-hub/app/app.py
+++ b/ai-hub/app/app.py
@@ -181,6 +181,7 @@
     prompt_service = PromptService()
     # 9. Initialize the Service Container with all initialized services
     services = ServiceContainer()
+    services.with_service("settings", service=lambda: settings)
     services.with_document_service(vector_store=vector_store)
     
     node_registry_service = NodeRegistryService()
diff --git a/ai-hub/app/config.py b/ai-hub/app/config.py
index da2ce5d..04d4216 100644
--- a/ai-hub/app/config.py
+++ b/ai-hub/app/config.py
@@ -15,6 +15,7 @@
     version: str = "1.0.0"
     log_level: str = "INFO"
     super_admins: list[str] = Field(default_factory=list)
+    allow_password_login: bool = True
 
 class OIDCSettings(BaseModel):
     enabled: bool = False
@@ -22,6 +23,7 @@
     client_secret: str = ""
     server_url: str = ""
     redirect_uri: str = ""
+    allow_oidc_login: bool = False
 
 class DatabaseSettings(BaseModel):
     mode: str = "sqlite"
@@ -50,16 +52,23 @@
     index_path: str = "data/faiss_index.bin"
     embedding_dimension: int = 768
 
+class SwarmSettings(BaseModel):
+    external_endpoint: Optional[str] = None
+
 class AppConfig(BaseModel):
     """Top-level Pydantic model for application configuration."""
     application: ApplicationSettings = Field(default_factory=ApplicationSettings)
     database: DatabaseSettings = Field(default_factory=DatabaseSettings)
-    llm_providers: LLMProvidersSettings = Field(default_factory=LLMProvidersSettings)
+    llm_providers: dict[str, dict] = Field(default_factory=dict)
+    active_llm_provider: Optional[str] = None
     vector_store: VectorStoreSettings = Field(default_factory=VectorStoreSettings)
     embedding_provider: EmbeddingProviderSettings = Field(default_factory=EmbeddingProviderSettings)
-    tts_provider: ProviderSettings = Field(default_factory=ProviderSettings)
-    stt_provider: ProviderSettings = Field(default_factory=ProviderSettings)
+    tts_providers: dict[str, dict] = Field(default_factory=dict)
+    active_tts_provider: Optional[str] = None
+    stt_providers: dict[str, dict] = Field(default_factory=dict)
+    active_stt_provider: Optional[str] = None
     oidc: OIDCSettings = Field(default_factory=OIDCSettings)
+    swarm: SwarmSettings = Field(default_factory=SwarmSettings)
 
 
 # --- 2. Create the Final Settings Object ---
@@ -97,11 +106,14 @@
         self.SUPER_ADMINS: list[str] = [x.strip() for x in super_admins_env.split(",")] if super_admins_env else \
                                         get_from_yaml(["application", "super_admins"]) or \
                                         config_from_pydantic.application.super_admins
+        self.ALLOW_PASSWORD_LOGIN: bool = str(os.getenv("ALLOW_PASSWORD_LOGIN") if os.getenv("ALLOW_PASSWORD_LOGIN") is not None else
+                                            get_from_yaml(["application", "allow_password_login"]) if get_from_yaml(["application", "allow_password_login"]) is not None else
+                                            config_from_pydantic.application.allow_password_login).lower() == "true"
 
         # --- OIDC Settings ---
-        self.OIDC_ENABLED: bool = os.getenv("OIDC_ENABLED", "false").lower() == "true" or \
-                                   get_from_yaml(["oidc", "enabled"]) or \
-                                   config_from_pydantic.oidc.enabled
+        self.OIDC_ENABLED: bool = str(os.getenv("OIDC_ENABLED") if os.getenv("OIDC_ENABLED") is not None else
+                                    get_from_yaml(["oidc", "enabled"]) if get_from_yaml(["oidc", "enabled"]) is not None else
+                                    config_from_pydantic.oidc.enabled).lower() == "true"
         self.OIDC_CLIENT_ID: str = os.getenv("OIDC_CLIENT_ID") or \
                                    get_from_yaml(["oidc", "client_id"]) or \
                                    config_from_pydantic.oidc.client_id
@@ -114,6 +126,22 @@
         self.OIDC_REDIRECT_URI: str = os.getenv("OIDC_REDIRECT_URI") or \
                                        get_from_yaml(["oidc", "redirect_uri"]) or \
                                        config_from_pydantic.oidc.redirect_uri
+        self.ALLOW_OIDC_LOGIN: bool = str(os.getenv("ALLOW_OIDC_LOGIN") if os.getenv("ALLOW_OIDC_LOGIN") is not None else
+                                        get_from_yaml(["oidc", "allow_oidc_login"]) if get_from_yaml(["oidc", "allow_oidc_login"]) is not None else
+                                        config_from_pydantic.oidc.allow_oidc_login).lower() == "true"
+        
+        # --- Swarm Settings ---
+        self.GRPC_EXTERNAL_ENDPOINT: Optional[str] = os.getenv("GRPC_EXTERNAL_ENDPOINT") or \
+                                                      get_from_yaml(["swarm", "external_endpoint"]) or \
+                                                      config_from_pydantic.swarm.external_endpoint
+        
+        # Infer TLS from endpoint
+        protocol = self.GRPC_EXTERNAL_ENDPOINT.split("://")[0] if self.GRPC_EXTERNAL_ENDPOINT and "://" in self.GRPC_EXTERNAL_ENDPOINT else "http"
+        self.GRPC_TLS_ENABLED: bool = (protocol == "https")
+        
+        # Legacy paths (no longer in UI, but kept for env var parity if needed)
+        self.GRPC_CERT_PATH: Optional[str] = os.getenv("GRPC_CERT_PATH") or get_from_yaml(["swarm", "cert_path"])
+        self.GRPC_KEY_PATH: Optional[str] = os.getenv("GRPC_KEY_PATH") or get_from_yaml(["swarm", "key_path"])
         
         self.SECRET_KEY: str = os.getenv("SECRET_KEY") or \
                                get_from_yaml(["application", "secret_key"]) or \
@@ -141,8 +169,7 @@
         # We store everything in a flat map for the legacy settings getters, 
         # but also provide a dynamic map.
         
-        # 1. Resolve LLM Providers
-        self.LLM_PROVIDERS = config_from_pydantic.llm_providers.providers or {}
+        self.LLM_PROVIDERS = config_from_pydantic.llm_providers or {}
         # Support legacy environment variables and merge them into the providers map
         for env_key, env_val in os.environ.items():
             if env_key.endswith("_API_KEY") and not any(x in env_key for x in ["TTS", "STT", "EMBEDDING"]):
@@ -186,31 +213,44 @@
                                                  self.GEMINI_API_KEY
 
         # 3. Resolve TTS (Agnostic)
-        self.TTS_PROVIDER: str = os.getenv("TTS_PROVIDER") or \
-                                 get_from_yaml(["tts_provider", "provider"]) or \
-                                 config_from_pydantic.tts_provider.active_provider or "google_gemini"
+        self.TTS_PROVIDERS = config_from_pydantic.tts_providers or {}
+        # Legacy single-provider from YAML/Env
+        legacy_tts_provider = os.getenv("TTS_PROVIDER") or get_from_yaml(["tts_provider", "provider"])
+        if legacy_tts_provider and legacy_tts_provider not in self.TTS_PROVIDERS:
+            self.TTS_PROVIDERS[legacy_tts_provider] = {
+                "provider": legacy_tts_provider,
+                "model_name": os.getenv("TTS_MODEL_NAME") or get_from_yaml(["tts_provider", "model_name"]),
+                "voice_name": os.getenv("TTS_VOICE_NAME") or get_from_yaml(["tts_provider", "voice_name"]),
+                "api_key": os.getenv("TTS_API_KEY") or get_from_yaml(["tts_provider", "api_key"]),
+            }
         
-        # Legacy back-compat fields
-        self.TTS_VOICE_NAME: str = os.getenv("TTS_VOICE_NAME") or \
-                                     get_from_yaml(["tts_provider", "voice_name"]) or \
-                                     config_from_pydantic.tts_provider.voice_name or "Kore"
-        self.TTS_MODEL_NAME: str = os.getenv("TTS_MODEL_NAME") or \
-                                     get_from_yaml(["tts_provider", "model_name"]) or \
-                                     config_from_pydantic.tts_provider.model_name or "gemini-2.5-flash-preview-tts"
-        self.TTS_API_KEY: Optional[str] = os.getenv("TTS_API_KEY") or \
-                                          get_from_yaml(["tts_provider", "api_key"]) or \
-                                          self.GEMINI_API_KEY
+        self.TTS_PROVIDER: str = legacy_tts_provider or \
+                                 config_from_pydantic.active_tts_provider or \
+                                 (list(self.TTS_PROVIDERS.keys())[0] if self.TTS_PROVIDERS else "google_gemini")
+        
+        # Legacy back-compat fields for the active one
+        active_tts = self.TTS_PROVIDERS.get(self.TTS_PROVIDER, {})
+        self.TTS_VOICE_NAME: str = active_tts.get("voice_name") or "Kore"
+        self.TTS_MODEL_NAME: str = active_tts.get("model_name") or "gemini-2.5-flash-preview-tts"
+        self.TTS_API_KEY: Optional[str] = active_tts.get("api_key") or self.GEMINI_API_KEY
 
         # 4. Resolve STT (Agnostic)
-        self.STT_PROVIDER: str = os.getenv("STT_PROVIDER") or \
-                                 get_from_yaml(["stt_provider", "provider"]) or \
-                                 config_from_pydantic.stt_provider.active_provider or "google_gemini"
+        self.STT_PROVIDERS = config_from_pydantic.stt_providers or {}
+        legacy_stt_provider = os.getenv("STT_PROVIDER") or get_from_yaml(["stt_provider", "provider"])
+        if legacy_stt_provider and legacy_stt_provider not in self.STT_PROVIDERS:
+            self.STT_PROVIDERS[legacy_stt_provider] = {
+                "provider": legacy_stt_provider,
+                "model_name": os.getenv("STT_MODEL_NAME") or get_from_yaml(["stt_provider", "model_name"]),
+                "api_key": os.getenv("STT_API_KEY") or get_from_yaml(["stt_provider", "api_key"]),
+            }
+
+        self.STT_PROVIDER: str = legacy_stt_provider or \
+                                 config_from_pydantic.active_stt_provider or \
+                                 (list(self.STT_PROVIDERS.keys())[0] if self.STT_PROVIDERS else "google_gemini")
         
-        self.STT_MODEL_NAME: str = os.getenv("STT_MODEL_NAME") or \
-                                     get_from_yaml(["stt_provider", "model_name"]) or \
-                                     config_from_pydantic.stt_provider.model_name or "gemini-2.5-flash"
-        self.STT_API_KEY: Optional[str] = os.getenv("STT_API_KEY") or \
-                                           get_from_yaml(["stt_provider", "api_key"]) or \
+        active_stt = self.STT_PROVIDERS.get(self.STT_PROVIDER, {})
+        self.STT_MODEL_NAME: str = active_stt.get("model_name") or "gemini-2.5-flash"
+        self.STT_API_KEY: Optional[str] = active_stt.get("api_key") or \
                                            (self.OPENAI_API_KEY if self.STT_PROVIDER == "openai" else self.GEMINI_API_KEY)
         
     def save_to_yaml(self):
@@ -230,7 +270,8 @@
                 "project_name": self.PROJECT_NAME,
                 "version": self.VERSION,
                 "log_level": self.LOG_LEVEL,
-                "super_admins": self.SUPER_ADMINS
+                "super_admins": self.SUPER_ADMINS,
+                "allow_password_login": self.ALLOW_PASSWORD_LOGIN
             },
             "database": {
                 "mode": self.DB_MODE,
@@ -245,21 +286,17 @@
                 "client_id": self.OIDC_CLIENT_ID,
                 "client_secret": self.OIDC_CLIENT_SECRET,
                 "server_url": self.OIDC_SERVER_URL,
-                "redirect_uri": self.OIDC_REDIRECT_URI
+                "redirect_uri": self.OIDC_REDIRECT_URI,
+                "allow_oidc_login": self.ALLOW_OIDC_LOGIN
             },
-            "llm_providers": {
-                "providers": self.LLM_PROVIDERS
-            },
-            "tts_provider": {
-                "provider": self.TTS_PROVIDER,
-                "model_name": self.TTS_MODEL_NAME,
-                "voice_name": self.TTS_VOICE_NAME,
-                "api_key": self.TTS_API_KEY
-            },
-            "stt_provider": {
-                "provider": self.STT_PROVIDER,
-                "model_name": self.STT_MODEL_NAME,
-                "api_key": self.STT_API_KEY
+            "llm_providers": self.LLM_PROVIDERS,
+            "active_llm_provider": getattr(self, "ACTIVE_LLM_PROVIDER", list(self.LLM_PROVIDERS.keys())[0] if self.LLM_PROVIDERS else None),
+            "tts_providers": self.TTS_PROVIDERS,
+            "active_tts_provider": self.TTS_PROVIDER,
+            "stt_providers": self.STT_PROVIDERS,
+            "active_stt_provider": self.STT_PROVIDER,
+            "swarm": {
+                "external_endpoint": self.GRPC_EXTERNAL_ENDPOINT
             }
         }
         
diff --git a/ai-hub/app/core/services/auth.py b/ai-hub/app/core/services/auth.py
index 4657094..9139be7 100644
--- a/ai-hub/app/core/services/auth.py
+++ b/ai-hub/app/core/services/auth.py
@@ -69,10 +69,10 @@
         if not all([oidc_id, email]):
             raise HTTPException(status_code=400, detail="Essential user data missing from ID token (sub and email required).")
 
-        user_id = self.services.user_service.save_user(
+        user_id, linked = self.services.user_service.save_user(
             db=db,
             oidc_id=oidc_id,
             email=email,
             username=username
         )
-        return {"user_id": user_id}
+        return {"user_id": user_id, "linked": linked}
diff --git a/ai-hub/app/core/services/preference.py b/ai-hub/app/core/services/preference.py
index 80dc802..e4e22c4 100644
--- a/ai-hub/app/core/services/preference.py
+++ b/ai-hub/app/core/services/preference.py
@@ -16,11 +16,39 @@
         if len(k) <= 8: return "****"
         return k[:4] + "*" * (len(k)-8) + k[-4:]
 
-    def merge_user_config(self, user, db) -> Dict[str, Any]:
+    def merge_user_config(self, user, db) -> schemas.ConfigResponse:
         prefs_dict = user.preferences or {}
-        llm_prefs = prefs_dict.get("llm", {})
-        tts_prefs = prefs_dict.get("tts", {})
-        stt_prefs = prefs_dict.get("stt", {})
+
+        def normalize_section(section_name, default_active):
+            section = prefs_dict.get(section_name, {})
+            # If already new style, just return a copy
+            if isinstance(section, dict) and "providers" in section:
+                return copy.deepcopy(section)
+            
+            # Legacy transformation
+            providers = {}
+            active = section.get("active_provider") or section.get("provider") or default_active
+            
+            # Known providers to check for legacy transformation
+            legacy_keys = ["openai", "gemini", "deepseek", "gcloud_tts", "azure", "google", "elevenlabs"]
+            for p in legacy_keys:
+                if p in section:
+                    providers[p] = section[p]
+            
+            # If still no providers found but it's not empty, it might be a flat dict of other providers
+            if not providers and section and isinstance(section, dict):
+                for k, v in section.items():
+                    if k not in ["active_provider", "provider", "providers"] and isinstance(v, dict):
+                        providers[k] = v
+
+            return {
+                "active_provider": str(active) if active else default_active,
+                "providers": providers
+            }
+
+        llm_prefs = normalize_section("llm", "deepseek")
+        tts_prefs = normalize_section("tts", settings.TTS_PROVIDER)
+        stt_prefs = normalize_section("stt", settings.STT_PROVIDER)
         
         system_prefs = self.services.user_service.get_system_settings(db)
         system_statuses = system_prefs.get("statuses", {})
@@ -32,93 +60,79 @@
             has_key = p_data and p_data.get("api_key") and p_data.get("api_key") not in ("None", "none", "")
             return is_success or bool(has_key)
 
-        # Build effective providers map
-        # ... simplifying the code from user.py
-        user_providers = llm_prefs.get("providers", {})
-        if not user_providers:
-            system_llm = system_prefs.get("llm", {}).get("providers", {})
-            user_providers = system_llm if system_llm else {
-                "deepseek": {"api_key": settings.DEEPSEEK_API_KEY, "model": settings.DEEPSEEK_MODEL_NAME},
-                "gemini": {"api_key": settings.GEMINI_API_KEY, "model": settings.GEMINI_MODEL_NAME},
-            }
+        # Build effective combined config for processing
+        def get_effective_providers(section_name, user_section_providers, sys_defaults):
+            # Start with system defaults if user has none
+            effective_providers = {}
+            if not user_section_providers:
+                effective_providers = copy.deepcopy(sys_defaults)
+            else:
+                effective_providers = copy.deepcopy(user_section_providers)
+            
+            # Filter by health and mask keys
+            res = {}
+            for p, p_data in effective_providers.items():
+                if p_data and is_provider_healthy(section_name, p, p_data):
+                    masked_data = copy.deepcopy(p_data)
+                    masked_data["api_key"] = self.mask_key(p_data.get("api_key"))
+                    res[p] = masked_data
+            return res
 
-        llm_providers_effective = {
-            p: {"api_key": self.mask_key(p_p.get("api_key")), "model": p_p.get("model")}
-            for p, p_p in user_providers.items() if p_p and is_provider_healthy("llm", p, p_p)
-        }
+        system_llm = system_prefs.get("llm", {}).get("providers", {
+            "deepseek": {"api_key": settings.DEEPSEEK_API_KEY, "model": settings.DEEPSEEK_MODEL_NAME},
+            "gemini": {"api_key": settings.GEMINI_API_KEY, "model": settings.GEMINI_MODEL_NAME},
+        })
+        llm_providers_effective = get_effective_providers("llm", llm_prefs["providers"], system_llm)
 
-        user_tts_providers = tts_prefs.get("providers", {})
-        if not user_tts_providers:
-            system_tts = system_prefs.get("tts", {}).get("providers", {})
-            user_tts_providers = system_tts if system_tts else {
-                settings.TTS_PROVIDER: {
-                    "api_key": settings.TTS_API_KEY,
-                    "model": settings.TTS_MODEL_NAME,
-                    "voice": settings.TTS_VOICE_NAME
-                }
+        system_tts = system_prefs.get("tts", {}).get("providers", {
+            settings.TTS_PROVIDER: {
+                "api_key": settings.TTS_API_KEY,
+                "model": settings.TTS_MODEL_NAME,
+                "voice": settings.TTS_VOICE_NAME
             }
-        
-        tts_providers_effective = {
-            p: {
-                "api_key": self.mask_key(p_p.get("api_key")),
-                "model": p_p.get("model"),
-                "voice": p_p.get("voice")
-            }
-            for p, p_p in user_tts_providers.items() if p_p and is_provider_healthy("tts", p, p_p)
-        }
+        })
+        tts_providers_effective = get_effective_providers("tts", tts_prefs["providers"], system_tts)
 
-        user_stt_providers = stt_prefs.get("stt", {}).get("providers", {}) or stt_prefs.get("providers", {})
-        if not user_stt_providers:
-            system_stt = system_prefs.get("stt", {}).get("providers", {})
-            user_stt_providers = system_stt if system_stt else {
-                settings.STT_PROVIDER: {"api_key": settings.STT_API_KEY, "model": settings.STT_MODEL_NAME}
-            }
-                
-        stt_providers_effective = {
-            p: {"api_key": self.mask_key(p_p.get("api_key")), "model": p_p.get("model")}
-            for p, p_p in user_stt_providers.items() if p_p and is_provider_healthy("stt", p, p_p)
-        }
+        system_stt = system_prefs.get("stt", {}).get("providers", {
+            settings.STT_PROVIDER: {"api_key": settings.STT_API_KEY, "model": settings.STT_MODEL_NAME}
+        })
+        stt_providers_effective = get_effective_providers("stt", stt_prefs["providers"], system_stt)
         
         effective = {
             "llm": {
-                "active_provider": llm_prefs.get("active_provider") or (next(iter(llm_providers_effective), None)) or "deepseek",
+                "active_provider": llm_prefs.get("active_provider") or (next(iter(llm_providers_effective), "deepseek")),
                 "providers": llm_providers_effective
             },
             "tts": {
-                "active_provider": tts_prefs.get("active_provider") or (next(iter(tts_providers_effective), None)) or settings.TTS_PROVIDER,
+                "active_provider": tts_prefs.get("active_provider") or (next(iter(tts_providers_effective), settings.TTS_PROVIDER)),
                 "providers": tts_providers_effective
             },
             "stt": {
-                "active_provider": stt_prefs.get("active_provider") or (next(iter(stt_providers_effective), None)) or settings.STT_PROVIDER,
+                "active_provider": stt_prefs.get("active_provider") or (next(iter(stt_providers_effective), settings.STT_PROVIDER)),
                 "providers": stt_providers_effective
             }
         }
 
         group = user.group or self.services.user_service.get_or_create_default_group(db)
-        if group and user.role != "admin":
+        if group:
             policy = group.policy or {}
-            def apply_policy(section_key, policy_key, p_dict):
+            def apply_policy(section_key, policy_key):
                 allowed = policy.get(policy_key, [])
                 if not allowed:
                     effective[section_key]["providers"] = {}
-                    if p_dict and "providers" in p_dict: p_dict["providers"] = {}
                     effective[section_key]["active_provider"] = ""
-                    return p_dict
+                    return
                 
                 providers = effective[section_key]["providers"]
                 filtered_eff = {k: v for k, v in providers.items() if k in allowed}
                 effective[section_key]["providers"] = filtered_eff
                 
-                if p_dict and "providers" in p_dict:
-                    p_dict["providers"] = {k: v for k, v in p_dict["providers"].items() if k in allowed}
-                
                 if effective[section_key].get("active_provider") not in allowed:
                     effective[section_key]["active_provider"] = next(iter(filtered_eff), None) or ""
-                return p_dict
 
-            llm_prefs = apply_policy("llm", "llm", llm_prefs)
-            tts_prefs = apply_policy("tts", "tts", tts_prefs)
-            stt_prefs = apply_policy("stt", "stt", stt_prefs)
+            apply_policy("llm", "llm")
+            apply_policy("tts", "tts")
+            apply_policy("stt", "stt")
 
         def mask_section_prefs(section_dict):
             if not section_dict: return {}
@@ -139,47 +153,42 @@
             effective=effective
         )
 
+
     def update_user_config(self, user, prefs: schemas.UserPreferences, db) -> schemas.UserPreferences:
         # When saving, if the api_key contains ****, we must retain the old one from the DB
         old_prefs = user.preferences or {}
-        
+
+        def get_old_providers(section_name):
+            section = old_prefs.get(section_name, {})
+            if isinstance(section, dict) and "providers" in section:
+                return section["providers"]
+            
+            # Legacy extraction
+            providers = {}
+            legacy_keys = ["openai", "gemini", "deepseek", "gcloud_tts", "azure", "google", "elevenlabs"]
+            for p in legacy_keys:
+                if p in section:
+                    providers[p] = section[p]
+            
+            if not providers and section and isinstance(section, dict):
+                for k, v in section.items():
+                    if k not in ["active_provider", "provider", "providers"] and isinstance(v, dict):
+                        providers[k] = v
+            return providers
+
         def preserve_masked_keys(section_name, new_section):
             if not new_section or "providers" not in new_section:
                 return
-            old_section = old_prefs.get(section_name, {}).get("providers", {})
+            old_section_providers = get_old_providers(section_name)
             for p_name, p_data in new_section["providers"].items():
-                if p_data.get("api_key") and "***" in p_data["api_key"]:
-                    if p_name in old_section:
-                        p_data["api_key"] = old_section[p_name].get("api_key")
-
-        def resolve_clone_from(section_name, new_section):
-            if not new_section or "providers" not in new_section:
-                return
-            old_section = old_prefs.get(section_name, {}).get("providers", {})
-            system_prefs = self.services.user_service.get_system_settings(db)
-            system_section = system_prefs.get(section_name, {}).get("providers", {})
-
-            for p_name, p_data in new_section["providers"].items():
-                clone_source = p_data.pop("_clone_from", None)
-                if not clone_source:
-                    continue
-                real_key = (
-                    old_section.get(clone_source, {}).get("api_key")
-                    or system_section.get(clone_source, {}).get("api_key")
-                )
-                if real_key and "***" not in str(real_key):
-                    p_data["api_key"] = real_key
-                    logger.info(f"Resolved _clone_from: {p_name} inherited api_key from {clone_source} [{section_name}]")
-                else:
-                    logger.warning(f"Could not resolve _clone_from for {p_name}: source '{clone_source}' key not found or masked.")
+                if p_data.get("api_key") and "***" in str(p_data["api_key"]):
+                    if p_name in old_section_providers:
+                        p_data["api_key"] = old_section_providers[p_name].get("api_key")
 
         if prefs.llm: preserve_masked_keys("llm", prefs.llm)
         if prefs.tts: preserve_masked_keys("tts", prefs.tts)
         if prefs.stt: preserve_masked_keys("stt", prefs.stt)
 
-        if prefs.llm: resolve_clone_from("llm", prefs.llm)
-        if prefs.tts: resolve_clone_from("tts", prefs.tts)
-        if prefs.stt: resolve_clone_from("stt", prefs.stt)
 
         current_prefs = dict(user.preferences or {})
         current_prefs.update({
diff --git a/ai-hub/app/core/services/user.py b/ai-hub/app/core/services/user.py
index e20e51d..beef381 100644
--- a/ai-hub/app/core/services/user.py
+++ b/ai-hub/app/core/services/user.py
@@ -80,53 +80,60 @@
             db.rollback()
             print(f"Failed to bootstrap local admin: {e}")
 
-    def save_user(self, db: Session, oidc_id: str, email: str, username: str) -> str:
+    def save_user(self, db: Session, oidc_id: str, email: str, username: str) -> tuple[str, bool]:
         """
-        Saves or updates a user record based on their OIDC ID.
-        If a user with this OIDC ID exists, it returns their existing ID.
-        Otherwise, it creates a new user record.
-        The first user to register will be granted the 'admin' role.
+        Saves or updates a user record based on their OIDC ID or Email.
+        Returns (user_id, linked_flag)
         """
         try:
-            # Check if a user with this OIDC ID already exists
-            existing_user = db.query(models.User).filter(models.User.oidc_id == oidc_id).first()
+            # 1. Check if a user with this OIDC ID already exists
+            user_by_oidc = db.query(models.User).filter(models.User.oidc_id == oidc_id).first()
 
-            if existing_user:
-                # Update the user's information and login activity
-                existing_user.email = email
-                existing_user.username = username
-                existing_user.last_login_at = datetime.utcnow()
+            if user_by_oidc:
+                user_by_oidc.email = email
+                user_by_oidc.username = username
+                user_by_oidc.last_login_at = datetime.utcnow()
                 
                 # Check if user should be promoted to admin based on config
                 from app.config import settings
-                if email in settings.SUPER_ADMINS and existing_user.role != "admin":
-                    existing_user.role = "admin"
+                if email in settings.SUPER_ADMINS and user_by_oidc.role != "admin":
+                    user_by_oidc.role = "admin"
                 
                 db.commit()
-                return existing_user.id
-            else:
-                # Ensure default group exists
-                default_group = self.get_or_create_default_group(db)
-                
-                # Determine role based on SUPER_ADMINS or fallback to user
-                from app.config import settings
-                role = "admin" if email in settings.SUPER_ADMINS else "user"
+                return user_by_oidc.id, False
 
-                # Create a new user record
-                new_user = models.User(
-                    id=str(uuid.uuid4()),  # Generate a unique ID for the user
-                    oidc_id=oidc_id,
-                    email=email,
-                    username=username,
-                    role=role,
-                    group_id=default_group.id,
-                    created_at=datetime.utcnow(),
-                    last_login_at=datetime.utcnow()
-                )
-                db.add(new_user)
+            # 2. Check if a user with this email already exists (Local -> OIDC Linking)
+            user_by_email = db.query(models.User).filter(models.User.email == email).first()
+            if user_by_email:
+                # Link the OIDC ID to the existing local account
+                user_by_email.oidc_id = oidc_id
+                user_by_email.username = username # Prefer OIDC display name
+                user_by_email.last_login_at = datetime.utcnow()
+                
                 db.commit()
-                db.refresh(new_user)
-                return new_user.id
+                print(f"[Day 2] Linked OIDC identity {oidc_id} to existing account {email}")
+                return user_by_email.id, True
+
+            # 3. Create a new user record
+            default_group = self.get_or_create_default_group(db)
+            from app.config import settings
+            role = "admin" if email in settings.SUPER_ADMINS else "user"
+
+            new_user = models.User(
+                id=str(uuid.uuid4()),
+                oidc_id=oidc_id,
+                email=email,
+                username=username,
+                role=role,
+                group_id=default_group.id,
+                created_at=datetime.utcnow(),
+                last_login_at=datetime.utcnow()
+            )
+            db.add(new_user)
+            db.commit()
+            db.refresh(new_user)
+            return new_user.id, False
+
         except SQLAlchemyError as e:
             db.rollback()
             raise
diff --git a/ai-hub/app/protos/browser_pb2_grpc.py b/ai-hub/app/protos/browser_pb2_grpc.py
index c69dabb..276488e 100644
--- a/ai-hub/app/protos/browser_pb2_grpc.py
+++ b/ai-hub/app/protos/browser_pb2_grpc.py
@@ -2,7 +2,7 @@
 """Client and server classes corresponding to protobuf-defined services."""
 import grpc
 
-from protos import browser_pb2 as protos_dot_browser__pb2
+from app.protos import browser_pb2 as protos_dot_browser__pb2
 
 
 class BrowserServiceStub(object):
diff --git a/docker-compose.yml b/docker-compose.yml
index 838391d..1bfaf84 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,4 +1,3 @@
-version: '3.8'
 
 services:
   # Unified Frontend and Nginx Gateway
@@ -37,6 +36,7 @@
     volumes:
       - ai_hub_data:/app/data:rw
       - ./config.yaml:/app/config.yaml:rw
+      - ./ai-hub/app:/app/app:rw
       - ./agent-node:/app/agent-node-source:ro
       - ./skills:/app/skills:ro
       - browser_shm:/dev/shm:rw
@@ -53,7 +53,7 @@
     container_name: cortex_browser_service
     restart: always
     ports:
-      - "50052:50052"
+      - "50053:50052"
     environment:
       - SHM_PATH=/dev/shm/cortex_browser
     volumes:
diff --git a/docs/auth_tls_todo.md b/docs/auth_tls_todo.md
index fc10662..17581f2 100644
--- a/docs/auth_tls_todo.md
+++ b/docs/auth_tls_todo.md
@@ -14,17 +14,17 @@
 - [x] **Configuration**: Update `Settings` (`app/config.py`) to make OIDC settings optional and add an `oidc_enabled: bool` flag.
 - [x] **Backend Initialization**: If `CORTEX_ADMIN_PASSWORD` is present in the environment for the `SUPER_ADMINS` initialization, hash it and assign it to the admin account.
 - [x] **API Routes**: Create local login endpoints (`POST /api/v1/users/login/local` to issue JWTs) and (`PUT /api/v1/users/password` for password resets).
-- [ ] **Frontend**: Redesign the Auth/Login page to display a Username/Password default form.
+- [x] **Frontend**: Redesign the Auth/Login page to display a Username/Password default form.
 
 ## Phase 3: Day 1 Swarm Control (Insecure/Local Status)
 Support running the mesh over internal loopbacks but strictly warn the end-user.
-- [ ] **Backend Configuration**: Add `GRPC_TLS_ENABLED`, `GRPC_EXTERNAL_ENDPOINT` to `config.py`.
-- [ ] **Backend API**: Expose a `/api/v1/status` or equivalent endpoint providing the current TLS/Hostname state to the frontend.
-- [ ] **Frontend UI**: Add persistent "Insecure Mode" and "Missing External Hostname" warning banners to the Swarm Dashboard frontend when running in Day 1 mode.
+- [x] **Backend Configuration**: Add `GRPC_TLS_ENABLED`, `GRPC_EXTERNAL_ENDPOINT` to `config.py`.
+- [x] **Backend API**: Expose a `/api/v1/status` or equivalent endpoint providing the current TLS/Hostname state to the frontend.
+- [x] **Frontend UI**: Add persistent "Insecure Mode" and "Missing External Hostname" warning banners to the Swarm Dashboard frontend when running in Day 1 mode.
 
 ## Phase 4: Day 2 Single Sign-On (OIDC Linking)
 Allow transition to Enterprise SSO without breaking or duplicate accounting.
-- [ ] **Backend Service**: Update `app/core/services/auth.py` (`handle_callback`) to search for existing local users via `email` and safely link the incoming OIDC `sub` payload.
+- [x] **Backend Service**: Update `app/core/services/auth.py` (`handle_callback`) to search for existing local users via `email` and safely link the incoming OIDC `sub` payload.
 - [ ] **Admin API**: Create `PUT /api/v1/admin/config/oidc` for UI-based toggling and configuration of SSO parameters without restarting.
 - [ ] **Frontend Login**: Dynamically query `/api/v1/auth/config`. If enabled, render the "Log in with SSO" button instead of or alongside local Auth.
 - [ ] **Frontend Settings**: Create an Admin Settings UI panel for OIDC Configuration.
diff --git a/docs/refactor_tracking.md b/docs/refactor_tracking.md
new file mode 100644
index 0000000..c224a39
--- /dev/null
+++ b/docs/refactor_tracking.md
@@ -0,0 +1,18 @@
+# Refactor Tracking: Settings & Persistence
+
+## 1. Open Issues & Future Improvements
+- [x] **UI Modernization (Modals)**: Replaced all native browser pop-outs (`alert()`, `confirm()`, `prompt()`) with custom UI Modals across Nodes, Skills, and Settings features for a persistent premium experience.
+
+## 2. Completed Items (Recent)
+- [x] **Nodes feature Modals Refactor**: Replaced native browser popups with custom Error and Success modals.
+- [x] **Skills feature Modals Refactor**: Replaced native browser popups with custom Error and Confirmation modals.
+- [x] **Settings feature Modals Refactor**: Transitioned group/provider deletion confirmation to custom UI modals.
+- [x] **Chrome Dark Mode Fixes**: Applied comprehensive dark mode visibility fixes to `SwarmControlPage`, `VoiceChatPage`, `ProfilePage`, and all settings cards.
+- [x] **Login Flow Improvement**: Implemented automatic redirect to the home page upon successful local and OIDC login.
+- [x] **User Preference Relocation**: Moved individual user settings (voice chat experience, AI defaults, silences sensitivity) to the Profile page.
+- [x] **Export/Import Relocation**: Moved system-wide Export/Import features to a prominent "System Maintenance & Portability" card in the Settings page.
+- [x] **Swarm Control Structural Fix**: Resolved JSX nesting errors and balanced tags in `SwarmControlPage.js`.
+- [x] **UI Modernization (Modal Triage)**: Replaced several native alerts in core pages with a custom `ErrorModal`.
+- [x] **SettingsPageContent.js Refactoring**: Modularized the settings page into domain-specific cards.
+- [x] **apiService.js Refactoring**: Split monolithic API service into domain-driven modules.
+- [x] **Multi-Provider Refactor**: Successfully transitioned STT and TTS to a multi-provider structure.
diff --git a/frontend/src/features/auth/pages/LoginPage.js b/frontend/src/features/auth/pages/LoginPage.js
index 1e53c14..f8ff809 100644
--- a/frontend/src/features/auth/pages/LoginPage.js
+++ b/frontend/src/features/auth/pages/LoginPage.js
@@ -1,35 +1,53 @@
 import React, { useState, useEffect } from 'react';
-import { login, getUserStatus, logout } from '../../../services/apiService';
+import { login, loginLocal, getUserStatus, logout, getAuthConfig } from '../../../services/apiService';
 
 const LoginPage = () => {
   const [user, setUser] = useState(null);
   const [isLoading, setIsLoading] = useState(false);
   const [error, setError] = useState(null);
+  const [oidcEnabled, setOidcEnabled] = useState(false);
+  
+  // Local login state
+  const [email, setEmail] = useState('');
+  const [password, setPassword] = useState('');
+  const [successMessage, setSuccessMessage] = useState('');
 
   useEffect(() => {
-    // We now look for a 'user_id' in the URL, which is provided by the backend
-    // after a successful OIDC login and callback.
+    // 1. Check if OIDC is enabled
+    const checkConfig = async () => {
+      try {
+        const config = await getAuthConfig();
+        setOidcEnabled(config.oidc_configured);
+      } catch (err) {
+        console.error("Failed to fetch auth config", err);
+      }
+    };
+    checkConfig();
+
+    // 2. Handle OIDC callback or persistent session
     const params = new URLSearchParams(window.location.search);
     const userIdFromUrl = params.get('user_id');
-
-    // First, check localStorage for a saved user ID for persistent login
     const storedUserId = localStorage.getItem('userId');
     const userId = userIdFromUrl || storedUserId;
+    const isLinked = params.get("linked") === "true";
 
     if (userId) {
       setIsLoading(true);
-      // Fetch the full user details using the user ID from the URL.
-      // This is a more secure and robust way to handle the final callback.
       const fetchUserDetails = async () => {
         try {
           const userStatus = await getUserStatus(userId);
           setUser(userStatus);
-          // Store the user ID for future requests (e.g., in localStorage)
           localStorage.setItem('userId', userStatus.id);
-          // Clean up the URL by removing the query parameter
           window.history.replaceState({}, document.title, window.location.pathname);
+          if (isLinked) {
+            setSuccessMessage("Social identity successfully linked to your existing account!");
+          }
+           setTimeout(() => {
+             window.location.href = "/swarm-control";
+           }, 1500);
         } catch (err) {
           setError('Failed to get user status. Please try again.');
+          localStorage.removeItem('userId'); // Clear invalid ID
           console.error(err);
         } finally {
           setIsLoading(false);
@@ -39,12 +57,29 @@
     }
   }, []);
 
-  const handleLogin = () => {
-    // Redirect to the backend's /users/login endpoint
-    // The backend handles the OIDC redirect from there.
+  const handleOidcLogin = () => {
     login();
   };
 
+  const handleLocalLogin = async (e) => {
+    e.preventDefault();
+    setIsLoading(true);
+    setError(null);
+    try {
+      const result = await loginLocal(email, password);
+      setUser({ id: result.user_id, email: result.email });
+      localStorage.setItem('userId', result.user_id);
+      // Redirect to home page after successful local login
+      setTimeout(() => {
+        window.location.href = "/";
+      }, 1000);
+    } catch (err) {
+      setError(err.message || 'Login failed. Please check your credentials.');
+    } finally {
+      setIsLoading(false);
+    }
+  };
+
   const handleLogout = async () => {
     setIsLoading(true);
     try {
@@ -63,60 +98,125 @@
   const renderContent = () => {
     if (isLoading) {
       return (
-        <div className="flex items-center justify-center p-4">
-          <svg className="animate-spin h-5 w-5 mr-3 text-blue-500" viewBox="0 0 24 24">
+        <div className="flex flex-col items-center justify-center p-4">
+          <svg className="animate-spin h-10 w-10 mb-4 text-blue-500" viewBox="0 0 24 24">
             <circle className="opacity-25" cx="12" cy="12" r="10" stroke="currentColor" strokeWidth="4"></circle>
             <path className="opacity-75" fill="currentColor" d="M4 12a8 8 0 018-8V0C5.373 0 0 5.373 0 12h4zm2 5.291A7.962 7.962 0 014 12H0c0 3.042 1.135 5.824 3 7.938l3-2.647z"></path>
           </svg>
-          <span className="text-gray-600 dark:text-gray-400">Processing login...</span>
-        </div>
-      );
-    }
-
-    if (error) {
-      return (
-        <div className="p-4 bg-red-100 dark:bg-red-900 border border-red-400 dark:border-red-600 rounded-lg text-red-700 dark:text-red-300">
-          <p className="font-bold">Error:</p>
-          <p>{error}</p>
+          <span className="text-gray-600 dark:text-gray-400 font-medium">Authenticating...</span>
         </div>
       );
     }
 
     if (user) {
       return (
-        <div className="p-4 text-green-700 dark:text-green-300 bg-green-100 dark:bg-green-900 border border-green-400 dark:border-green-600 rounded-lg">
-          <h3 className="text-xl font-bold mb-2">Login Successful!</h3>
-          <p>Welcome, <span className="font-semibold">{user.email}</span>.</p>
-          <p>User ID: <span className="font-mono text-sm break-all">{user.id}</span></p>
+        <div className="p-4 text-center">
+          <div className="mb-4 inline-flex items-center justify-center w-16 h-16 bg-green-100 dark:bg-green-900 rounded-full">
+            <svg className="w-8 h-8 text-green-600 dark:text-green-400" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+              <path strokeLinecap="round" strokeLinejoin="round" strokeWidth="2" d="M5 13l4 4L19 7"></path>
+            </svg>
+          </div>
+          <h3 className="text-2xl font-bold mb-2 text-gray-900 dark:text-white">Welcome Back!</h3>
+          <p className="text-gray-600 dark:text-gray-400 mb-6">{user.email}</p>
           <button
             onClick={handleLogout}
-            className="mt-4 w-full bg-red-600 hover:bg-red-700 text-white font-bold py-3 px-4 rounded-lg transition-colors duration-200 focus:outline-none focus:ring-2 focus:ring-red-500 focus:ring-opacity-50"
+            className="w-full bg-red-600 hover:bg-red-700 text-white font-bold py-3 px-4 rounded-lg transition-all shadow-md focus:outline-none focus:ring-2 focus:ring-red-500"
           >
-            Log Out
+            Sign Out
           </button>
         </div>
       );
     }
 
     return (
-      <>
-        <h2 className="text-3xl font-bold mb-4">Login</h2>
-        <p className="mb-6 text-gray-600 dark:text-gray-400">
-          Click the button below to log in using OpenID Connect (OIDC).
-        </p>
-        <button
-          onClick={handleLogin}
-          className="w-full bg-blue-600 hover:bg-blue-700 text-white font-bold py-3 px-4 rounded-lg transition-colors duration-200 focus:outline-none focus:ring-2 focus:ring-blue-500 focus:ring-opacity-50"
-        >
-          Login with OIDC
-        </button>
-      </>
+      <div className="w-full">
+        <div className="mb-8">
+          <h2 className="text-3xl font-extrabold text-gray-900 dark:text-white mb-2">Sign In</h2>
+          <p className="text-gray-500 dark:text-gray-400">Access your Cortex Hub dashboard</p>
+        </div>
+
+        {error && (
+          <div className="mb-6 p-4 bg-red-50 dark:bg-red-900/30 border-l-4 border-red-500 text-red-700 dark:text-red-400 text-sm text-left">
+            {error}
+          </div>
+        )}
+
+        {successMessage && (
+          <div className="mb-6 p-4 bg-green-50 dark:bg-green-900/30 border-l-4 border-green-500 text-green-700 dark:text-green-400 text-sm text-left">
+            {successMessage}
+          </div>
+        )}
+
+        <form onSubmit={handleLocalLogin} className="space-y-4 text-left">
+          <div>
+            <label className="block text-sm font-medium text-gray-700 dark:text-gray-300 mb-1">Email Address</label>
+            <input
+              type="email"
+              id="email"
+              name="email"
+              required
+              value={email}
+              onChange={(e) => setEmail(e.target.value)}
+              className="w-full px-4 py-2 bg-gray-50 dark:bg-gray-700 border border-gray-300 dark:border-gray-600 rounded-lg focus:ring-2 focus:ring-blue-500 dark:text-white transition-all"
+              placeholder="admin@example.com"
+              autoComplete="email"
+            />
+          </div>
+          <div>
+            <label className="block text-sm font-medium text-gray-700 dark:text-gray-300 mb-1">Password</label>
+            <input
+              type="password"
+              id="password"
+              name="password"
+              required
+              value={password}
+              onChange={(e) => setPassword(e.target.value)}
+              className="w-full px-4 py-2 bg-gray-50 dark:bg-gray-700 border border-gray-300 dark:border-gray-600 rounded-lg focus:ring-2 focus:ring-blue-500 dark:text-white transition-all"
+              placeholder="••••••••"
+              autoComplete="current-password"
+            />
+          </div>
+          <button
+            type="submit"
+            className="w-full bg-blue-600 hover:bg-blue-700 text-white font-bold py-3 px-4 rounded-lg shadow-lg hover:shadow-xl transition-all transform hover:-translate-y-0.5 active:translate-y-0"
+          >
+            Sign In with Password
+          </button>
+        </form>
+
+        {oidcEnabled && (
+          <div className="mt-8">
+            <div className="relative flex items-center justify-center mb-6">
+              <div className="flex-grow border-t border-gray-300 dark:border-gray-600"></div>
+              <span className="flex-shrink mx-4 text-gray-400 text-sm uppercase font-bold tracking-wider">Or</span>
+              <div className="flex-grow border-t border-gray-300 dark:border-gray-600"></div>
+            </div>
+            <button
+              onClick={handleOidcLogin}
+              className="w-full flex items-center justify-center bg-white dark:bg-gray-800 border border-gray-300 dark:border-gray-600 hover:bg-gray-50 dark:hover:bg-gray-700 text-gray-700 dark:text-white font-semibold py-3 px-4 rounded-lg shadow-sm transition-all"
+            >
+              <svg className="w-5 h-5 mr-3" viewBox="0 0 48 48">
+                <path fill="#FFC107" d="M43.611,20.083H42V20H24v8h11.303c-1.649,4.657-6.08,8-11.303,8c-6.627,0-12-5.373-12-12c0-6.627,5.373-12,12-12c3.059,0,5.842,1.154,7.961,3.039l5.657-5.657C34.046,6.053,29.268,4,24,4C12.955,4,4,12.955,4,24c0,11.045,8.955,20,20,20c11.045,0,20-8.955,20-20C44,22.659,43.862,21.35,43.611,20.083z"></path>
+                <path fill="#FF3D00" d="M6.306,14.691l6.571,4.819C14.655,15.108,18.961,12,24,12c3.059,0,5.842,1.154,7.961,3.039l5.657-5.657C34.046,6.053,29.268,4,24,4C16.318,4,9.656,8.337,6.306,14.691z"></path>
+                <path fill="#4CAF50" d="M24,44c5.166,0,9.86-1.977,13.409-5.192l-6.19-5.238C29.211,35.091,26.715,36,24,36c-5.202,0-9.619-3.317-11.283-7.946l-6.522,5.025C9.505,39.556,16.227,44,24,44z"></path>
+                <path fill="#1976D2" d="M43.611,20.083L43.611,20.083L42,20H24v8h11.303c-0.792,2.237-2.231,4.166-4.087,5.571c0.001-0.001,0.002-0.001,0.003-0.002l6.19,5.238C36.971,39.205,44,34,44,24C44,22.659,43.862,21.35,43.611,20.083z"></path>
+              </svg>
+              Sign in with SSO
+            </button>
+          </div>
+        )}
+      </div>
     );
   };
 
   return (
-    <div className="flex flex-col items-center justify-center h-full min-h-screen bg-gray-100 dark:bg-gray-900 text-gray-900 dark:text-gray-100">
-      <div className="bg-white dark:bg-gray-800 p-8 rounded-lg shadow-xl text-center max-w-sm w-full">
+    <div className="flex flex-col items-center justify-center min-h-screen bg-gradient-to-br from-gray-50 to-gray-100 dark:from-gray-900 dark:to-black p-4">
+      <div className="bg-white dark:bg-gray-800 p-10 rounded-2xl shadow-2xl max-w-md w-full border border-gray-100 dark:border-gray-700">
+        <div className="mb-10 flex justify-center">
+           <div className="w-16 h-16 bg-blue-600 rounded-xl flex items-center justify-center shadow-lg transform -rotate-6">
+              <span className="text-white text-3xl font-black">C</span>
+           </div>
+        </div>
         {renderContent()}
       </div>
     </div>
diff --git a/frontend/src/features/chat/components/ChatWindow.css b/frontend/src/features/chat/components/ChatWindow.css
index 7046008..fd514d6 100644
--- a/frontend/src/features/chat/components/ChatWindow.css
+++ b/frontend/src/features/chat/components/ChatWindow.css
@@ -7,6 +7,47 @@
     --chat-bg: #f1f5f9;
 }
 
+@media (prefers-color-scheme: dark) {
+    :root {
+        --assistant-bubble-bg: #1e293b;
+        --reasoning-bg: rgba(15, 23, 42, 0.3);
+        --border-subtle: rgba(255, 255, 255, 0.05);
+        --chat-bg: #111827;
+    }
+
+    .assistant-message {
+        box-shadow: 0 4px 20px rgba(0, 0, 0, 0.2);
+        color: #f3f4f6 !important;
+    }
+
+    /* Force light text color on all nested elements in dark mode */
+    .assistant-message *,
+    .assistant-message p,
+    .assistant-message li,
+    .assistant-message span,
+    .assistant-message div:not(.thought-panel),
+    .assistant-message .markdown-preview * {
+        color: #f3f4f6 !important;
+    }
+
+    /* Explicitly for headers and bold text to be white */
+    .assistant-message .markdown-preview h1,
+    .assistant-message .markdown-preview h2,
+    .assistant-message .markdown-preview h3,
+    .assistant-message .markdown-preview strong {
+        color: #ffffff !important;
+    }
+
+    .thought-panel blockquote {
+        color: #818cf8 !important;
+        background: rgba(129, 140, 248, 0.05) !important;
+    }
+
+    .thought-panel blockquote strong {
+        color: #a5b4fc;
+    }
+}
+
 .dark {
     --assistant-bubble-bg: #1e293b;
     --reasoning-bg: rgba(15, 23, 42, 0.3);
@@ -29,6 +70,25 @@
 
 .dark .assistant-message {
     box-shadow: 0 4px 20px rgba(0, 0, 0, 0.2);
+    color: #f3f4f6 !important; /* gray-100 */
+}
+
+/* Force light text color on all nested elements in dark mode */
+.dark .assistant-message *,
+.dark .assistant-message p,
+.dark .assistant-message li,
+.dark .assistant-message span,
+.dark .assistant-message div:not(.thought-panel),
+.dark .assistant-message .markdown-preview * {
+    color: #f3f4f6 !important;
+}
+
+/* Explicitly for headers and bold text to be white */
+.dark .assistant-message .markdown-preview h1,
+.dark .assistant-message .markdown-preview h2,
+.dark .assistant-message .markdown-preview h3,
+.dark .assistant-message .markdown-preview strong {
+    color: #ffffff !important;
 }
 
 .user-message-container {
@@ -39,6 +99,14 @@
     overflow-wrap: anywhere;
     word-break: break-word;
     white-space: pre-wrap;
+    color: #ffffff !important;
+}
+
+.user-message-container *,
+.user-message-container p,
+.user-message-container span,
+.user-message-container .markdown-preview * {
+    color: #ffffff !important;
 }
 
 @keyframes slideInUp {
diff --git a/frontend/src/features/chat/components/ChatWindow.js b/frontend/src/features/chat/components/ChatWindow.js
index ff572ca..df9d404 100644
--- a/frontend/src/features/chat/components/ChatWindow.js
+++ b/frontend/src/features/chat/components/ChatWindow.js
@@ -102,7 +102,7 @@
   };
 
   return (
-    <div className={message.isUser ? userMessageClasses : assistantMessageClasses}>
+    <div className={message.isUser ? userMessageClasses : `shadow-sm ${assistantMessageClasses}`}>
       {/* Status indicator moved to top/bottom for better visibility */}
       {(message.reasoning || (message.status === "Thinking")) && (
         <div className="mb-3">
@@ -132,7 +132,7 @@
       )}
 
 
-      <div className="markdown-preview max-w-none text-sm leading-relaxed mb-2">
+      <div className={`markdown-preview max-w-none text-sm leading-relaxed mb-2 ${message.isUser ? 'text-white' : 'text-gray-900 dark:text-gray-100'}`}>
         <ReactMarkdown>{message.text}</ReactMarkdown>
       </div>
 
@@ -141,7 +141,7 @@
           <div className="status-chip text-[10px] sm:text-xs text-indigo-600 dark:text-indigo-300 font-semibold italic flex items-center gap-2">
             <div className="w-2 h-2 bg-indigo-500 rounded-full animate-pulse"></div>
             <span className={
-              message.status &&
+              typeof message.status === 'string' &&
                 !message.status.includes("finished in") &&
                 !message.status.startsWith("Thought for")
                 ? "streaming-dots" : ""
diff --git a/frontend/src/features/nodes/pages/NodesPage.js b/frontend/src/features/nodes/pages/NodesPage.js
index 78fdc45..1f69024 100644
--- a/frontend/src/features/nodes/pages/NodesPage.js
+++ b/frontend/src/features/nodes/pages/NodesPage.js
@@ -19,6 +19,8 @@
     const [expandedNodes, setExpandedNodes] = useState({}); // node_id -> boolean
     const [expandedFiles, setExpandedFiles] = useState({}); // node_id -> boolean
     const [editingNodeId, setEditingNodeId] = useState(null);
+    const [errorMessage, setErrorMessage] = useState(null);
+    const [successMessage, setSuccessMessage] = useState(null);
     const [editForm, setEditForm] = useState({
         display_name: '',
         description: '',
@@ -108,7 +110,7 @@
             setShowCreateModal(false);
             fetchData();
         } catch (err) {
-            alert(err.message);
+            setErrorMessage(err.message);
         }
     };
 
@@ -117,7 +119,7 @@
             await adminUpdateNode(node.node_id, { is_active: !node.is_active });
             fetchData();
         } catch (err) {
-            alert(err.message);
+            setErrorMessage(err.message);
         }
     };
 
@@ -128,7 +130,7 @@
             setNodeToDelete(null);
             fetchData();
         } catch (err) {
-            alert(err.message);
+            setErrorMessage(err.message);
         }
     };
 
@@ -147,7 +149,7 @@
             setEditingNodeId(null);
             fetchData();
         } catch (err) {
-            alert(err.message);
+            setErrorMessage(err.message);
         }
     };
 
@@ -724,7 +726,7 @@
                                                                                 onClick={() => {
                                                                                     const cmd = `curl -sSL '${window.location.origin}/api/v1/nodes/provision/${node.node_id}?token=${node.invite_token}' | python3`;
                                                                                     navigator.clipboard.writeText(cmd);
-                                                                                    alert("Provisioning command copied!");
+                                                                                    setSuccessMessage("Provisioning command copied!");
                                                                                 }}
                                                                                 className="absolute top-2 right-2 p-1.5 bg-gray-800 hover:bg-indigo-600 text-gray-400 hover:text-white rounded-lg transition-all opacity-0 group-hover/cmd:opacity-100"
                                                                                 title="Copy to clipboard"
@@ -887,6 +889,52 @@
                     </div>
                 </div>
             )}
+
+            {/* ERROR MODAL */}
+            {errorMessage && (
+                <div className="fixed inset-0 z-[110] flex items-center justify-center bg-black/60 backdrop-blur-sm p-4 animate-in fade-in duration-200">
+                    <div className="bg-white dark:bg-gray-800 rounded-2xl w-full max-w-sm shadow-2xl overflow-hidden animate-in zoom-in-95 duration-200 border dark:border-gray-700">
+                        <div className="p-6 text-center">
+                            <div className="mx-auto flex items-center justify-center h-12 w-12 rounded-full bg-red-100 dark:bg-red-900/30 mb-4">
+                                <svg className="h-6 w-6 text-red-600 dark:text-red-400" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+                                    <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-3L13.732 4c-.77-1.333-2.694-1.333-3.464 0L3.34 16c-.77 1.333.192 3 1.732 3z" />
+                                </svg>
+                            </div>
+                            <h3 className="text-lg font-bold text-gray-900 dark:text-white mb-2">Operation Failed</h3>
+                            <p className="text-sm text-gray-500 dark:text-gray-400 mb-6">{errorMessage}</p>
+                            <button
+                                onClick={() => setErrorMessage(null)}
+                                className="w-full py-2.5 text-sm font-bold text-white bg-indigo-600 hover:bg-indigo-700 rounded-xl transition-all shadow-lg shadow-indigo-600/20"
+                            >
+                                Dismiss
+                            </button>
+                        </div>
+                    </div>
+                </div>
+            )}
+
+            {/* SUCCESS MODAL */}
+            {successMessage && (
+                <div className="fixed inset-0 z-[110] flex items-center justify-center bg-black/60 backdrop-blur-sm p-4 animate-in fade-in duration-200">
+                    <div className="bg-white dark:bg-gray-800 rounded-2xl w-full max-w-sm shadow-2xl overflow-hidden animate-in zoom-in-95 duration-200 border dark:border-gray-700">
+                        <div className="p-6 text-center">
+                            <div className="mx-auto flex items-center justify-center h-12 w-12 rounded-full bg-green-100 dark:bg-green-900/30 mb-4">
+                                <svg className="h-6 w-6 text-green-600 dark:text-green-400" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+                                    <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M5 13l4 4L19 7" />
+                                </svg>
+                            </div>
+                            <h3 className="text-lg font-bold text-gray-900 dark:text-white mb-2">Success</h3>
+                            <p className="text-sm text-gray-500 dark:text-gray-400 mb-6">{successMessage}</p>
+                            <button
+                                onClick={() => setSuccessMessage(null)}
+                                className="w-full py-2.5 text-sm font-bold text-white bg-indigo-600 hover:bg-indigo-700 rounded-xl transition-all shadow-lg shadow-indigo-600/20"
+                            >
+                                Got it
+                            </button>
+                        </div>
+                    </div>
+                </div>
+            )}
         </div>
     );
 };
diff --git a/frontend/src/features/profile/pages/ProfilePage.js b/frontend/src/features/profile/pages/ProfilePage.js
index 69212d2..00b708d 100644
--- a/frontend/src/features/profile/pages/ProfilePage.js
+++ b/frontend/src/features/profile/pages/ProfilePage.js
@@ -13,6 +13,7 @@
     const [loading, setLoading] = useState(true);
     const [saving, setSaving] = useState(false);
     const [message, setMessage] = useState({ type: '', text: '' });
+    const [providerStatuses, setProviderStatuses] = useState({});
     const [editData, setEditData] = useState({
         full_name: '',
         username: '',
@@ -34,6 +35,7 @@
             ]);
             setProfile(prof);
             setConfig(conf.preferences);
+            setProviderStatuses(conf.preferences?.statuses || {});
             setAccessibleNodes(nodes);
             setNodePrefs(nPrefs);
             setAvailable({
@@ -104,6 +106,22 @@
         handleNodePrefChange({ default_node_ids: next });
     };
 
+    const handleGeneralPreferenceUpdate = async (updates) => {
+        try {
+            const newConfig = {
+                ...config,
+                ...updates
+            };
+            await updateUserConfig(newConfig);
+            setConfig(newConfig);
+            setMessage({ type: 'success', text: 'Preferences updated.' });
+            setTimeout(() => setMessage({ type: '', text: '' }), 3000);
+        } catch (err) {
+            setMessage({ type: 'error', text: 'Failed to update preferences.' });
+        }
+    };
+
+
     if (loading) {
         return (
             <div className="flex h-screen items-center justify-center dark:bg-gray-900">
@@ -116,7 +134,7 @@
     const labelClass = "block text-sm font-bold text-gray-700 dark:text-gray-300 mb-2 ml-1";
 
     return (
-        <div className="min-h-screen bg-gray-50 dark:bg-gray-900 pt-20 px-4 sm:px-6 lg:px-8">
+        <div className="h-full overflow-y-auto bg-gray-50 dark:bg-gray-900 pt-20 px-4 sm:px-6 lg:px-8">
             <div className="max-w-4xl mx-auto space-y-8">
                 <header className="flex flex-col sm:flex-row items-center gap-6 bg-white dark:bg-gray-800 p-8 rounded-3xl shadow-xl border border-gray-100 dark:border-gray-700 backdrop-blur-sm">
                     <div className="relative group">
@@ -240,25 +258,90 @@
                             />
                         </div>
 
+                        {/* Voice Experience Section */}
+                        <div className="mt-10 pt-8 border-t border-gray-100 dark:border-gray-700 space-y-6">
+                            <h3 className="text-lg font-black flex items-center gap-3">
+                                <svg className="w-5 h-5 text-indigo-500" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+                                    <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2.5} d="M19 11a7 7 0 01-7 7m0 0a7 7 0 01-7-7m7 7v4m0 0H8m4 0h4m-4-8a3 3 0 01-3-3V5a3 3 0 116 0v6a3 3 0 01-3 3z" />
+                                </svg>
+                                Voice Chat Experience
+                            </h3>
+                            
+                            <div className="space-y-6">
+                                <div>
+                                    <label className={labelClass}>AI Voice Identity</label>
+                                    <input 
+                                        type="text" 
+                                        value={config?.voice_voice || ""}
+                                        onChange={(e) => setConfig({...config, voice_voice: e.target.value})}
+                                        onBlur={() => handleGeneralPreferenceUpdate({ voice_voice: config.voice_voice })}
+                                        className={inputClass}
+                                        placeholder="e.g. onyx, alloy, shimmer"
+                                    />
+                                    <p className="text-[10px] text-gray-400 dark:text-gray-500 mt-1 italic">The specific voice profile used by your TTS engine.</p>
+                                </div>
+                                
+                                <div className="p-5 bg-gray-50 dark:bg-gray-900/50 rounded-2xl border border-gray-100 dark:border-gray-800">
+                                    <div className="flex items-center justify-between">
+                                        <div>
+                                            <label className="text-sm font-black text-gray-700 dark:text-gray-200">Continuous Auto-Listening</label>
+                                            <p className="text-[10px] text-gray-400 dark:text-gray-500 font-medium leading-relaxed max-w-[200px]">Automatically reactivates microphone after AI finishes speaking.</p>
+                                        </div>
+                                        <button 
+                                            onClick={() => {
+                                                const newVal = !config?.voice_auto_listen;
+                                                setConfig({...config, voice_auto_listen: newVal});
+                                                handleGeneralPreferenceUpdate({ voice_auto_listen: newVal });
+                                            }}
+                                            className={`relative inline-flex h-6 w-11 items-center rounded-full transition-colors focus:outline-none ${config?.voice_auto_listen ? 'bg-indigo-600' : 'bg-gray-200 dark:bg-gray-700'}`}
+                                        >
+                                            <span className={`inline-block h-4 w-4 transform rounded-full bg-white transition-transform ${config?.voice_auto_listen ? 'translate-x-6' : 'translate-x-1'}`} />
+                                        </button>
+                                    </div>
+                                </div>
+
+                                <div>
+                                    <label className={labelClass}>Silence Sensitivity ({Math.round((config?.voice_sensitivity || 0.5) * 100)}%)</label>
+                                    <input 
+                                        type="range" 
+                                        min="0" max="1" step="0.05"
+                                        value={config?.voice_sensitivity || 0.5}
+                                        onChange={(e) => setConfig({...config, voice_sensitivity: parseFloat(e.target.value)})}
+                                        onMouseUp={() => handleGeneralPreferenceUpdate({ voice_sensitivity: config.voice_sensitivity })}
+                                        className="w-full h-2 bg-gray-200 dark:bg-gray-700 rounded-lg appearance-none cursor-pointer accent-indigo-600"
+                                    />
+                                    <div className="flex justify-between text-[10px] text-gray-400 dark:text-gray-500 font-bold uppercase tracking-widest mt-1">
+                                        <span>Aggressive</span>
+                                        <span>Balanced</span>
+                                        <span>Relaxed</span>
+                                    </div>
+                                </div>
+                            </div>
+                        </div>
+
                         {/* Node Defaults Section */}
-                        {accessibleNodes.length > 0 && (
-                            <div className="mt-10 pt-8 border-t border-gray-100 dark:border-gray-700 space-y-6">
-                                <h3 className="text-lg font-black flex items-center gap-3">
-                                    <svg className="w-5 h-5 text-indigo-500" fill="none" viewBox="0 0 24 24" stroke="currentColor"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2.5} d="M5 12h14M5 12a2 2 0 01-2-2V6a2 2 0 012-2h14a2 2 0 012 2v4a2 2 0 01-2 2M5 12a2 2 0 00-2 2v4a2 2 0 002 2h14a2 2 0 002-2v-4a2 2 0 00-2-2m-7 0V4" /></svg>
-                                    Default Node Attachment
-                                </h3>
-                                <div className="space-y-3">
-                                    <label className={labelClass}>Auto-attach these nodes to new sessions:</label>
+                        <div className="mt-10 pt-8 border-t border-gray-100 dark:border-gray-700 space-y-6">
+                            <h3 className="text-lg font-black flex items-center gap-3">
+                                <svg className="w-5 h-5 text-indigo-500" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+                                    <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2.5} d="M5 12h14M5 12a2 2 0 01-2-2V6a2 2 0 012-2h14a2 2 0 012 2v4a2 2 0 01-2 2M5 12a2 2 0 00-2 2v4a2 2 0 002 2h14a2 2 0 002-2v-4a2 2 0 00-2-2m-7 0V4" />
+                                </svg>
+                                Default Node Attachment
+                            </h3>
+
+                            {accessibleNodes.length > 0 ? (
+                                <div className="space-y-4">
+                                    <p className="text-xs text-gray-500 font-bold uppercase tracking-widest mb-2">Auto-attach these nodes to new sessions:</p>
                                     <div className="flex flex-wrap gap-2">
                                         {accessibleNodes.map(node => {
                                             const isActive = (nodePrefs.default_node_ids || []).includes(node.node_id);
                                             return (
                                                 <button
                                                     key={node.node_id}
+                                                    type="button"
                                                     onClick={() => toggleDefaultNode(node.node_id)}
                                                     className={`px-4 py-2 rounded-xl text-[10px] font-black uppercase tracking-widest border-2 transition-all ${isActive
-                                                        ? 'bg-emerald-600 border-emerald-600 text-white shadow-lg'
-                                                        : 'bg-white dark:bg-gray-800 border-gray-200 dark:border-gray-700 text-gray-400 hover:border-emerald-300'
+                                                        ? 'bg-indigo-600 border-indigo-600 text-white shadow-lg shadow-indigo-200 dark:shadow-none translate-y-[-1px]'
+                                                        : 'bg-white dark:bg-gray-800 border-gray-200 dark:border-gray-700 text-gray-400 hover:border-indigo-300'
                                                         }`}
                                                 >
                                                     {node.display_name}
@@ -267,34 +350,39 @@
                                         })}
                                     </div>
                                 </div>
-
-                                <div className="space-y-3 pt-4">
-                                    <label className={labelClass}>Default Sync Workspace Directory</label>
-                                    <div className="flex gap-2">
-                                        <select
-                                            value={nodePrefs.data_source?.source || 'empty'}
-                                            onChange={(e) => handleNodePrefChange({ data_source: { ...nodePrefs.data_source, source: e.target.value } })}
-                                            className="bg-gray-50 dark:bg-gray-900 border border-gray-200 dark:border-gray-700 rounded-xl px-3 py-2 text-xs font-bold text-gray-700 dark:text-gray-300 focus:outline-none focus:ring-2 focus:ring-indigo-500"
-                                        >
-                                            <option value="empty">Empty Workspace</option>
-                                            <option value="node_local">Node Local Path</option>
-                                        </select>
-                                        {nodePrefs.data_source?.source === 'node_local' && (
-                                            <input
-                                                type="text"
-                                                value={nodePrefs.data_source?.path || ''}
-                                                onChange={(e) => handleNodePrefChange({ data_source: { ...nodePrefs.data_source, path: e.target.value } })}
-                                                placeholder="/home/user/workspace"
-                                                className="flex-1 bg-gray-50 dark:bg-gray-900 border border-gray-200 dark:border-gray-700 rounded-xl px-3 py-2 text-xs font-mono text-indigo-600 dark:text-indigo-400 focus:outline-none focus:ring-2 focus:ring-indigo-500"
-                                            />
-                                        )}
-                                    </div>
-                                    <p className="text-[10px] text-gray-400 italic font-medium ml-1">
-                                        Determines where the agent should look for files on the node when starting a chat.
-                                    </p>
+                            ) : (
+                                <div className="p-4 bg-gray-50 dark:bg-gray-900/50 rounded-2xl border border-dashed border-gray-200 dark:border-gray-700">
+                                    <p className="text-xs text-gray-500 italic">No agent nodes are currently assigned to your group.</p>
                                 </div>
+                            )}
+
+                            {/* Workspace Directory (Always visible within the section) */}
+                            <div className="space-y-3 pt-4 border-t border-gray-50 dark:border-gray-800">
+                                <label className={labelClass}>Default Sync Workspace Directory</label>
+                                <div className="flex flex-col sm:flex-row gap-3">
+                                    <select
+                                        value={nodePrefs.data_source?.source || 'empty'}
+                                        onChange={(e) => handleNodePrefChange({ data_source: { ...nodePrefs.data_source, source: e.target.value } })}
+                                        className="bg-white dark:bg-gray-800 border border-gray-200 dark:border-gray-700 rounded-xl px-4 py-3 text-sm font-bold text-gray-700 dark:text-gray-300 focus:outline-none focus:ring-2 focus:ring-indigo-500 shadow-sm"
+                                    >
+                                        <option value="empty">Empty Workspace</option>
+                                        <option value="node_local">Node Local Path</option>
+                                    </select>
+                                    {nodePrefs.data_source?.source === 'node_local' && (
+                                        <input
+                                            type="text"
+                                            value={nodePrefs.data_source?.path || ''}
+                                            onChange={(e) => handleNodePrefChange({ data_source: { ...nodePrefs.data_source, path: e.target.value } })}
+                                            placeholder="/home/user/workspace"
+                                            className="flex-1 bg-white dark:bg-gray-800 border border-gray-200 dark:border-gray-700 rounded-xl px-4 py-3 text-sm font-mono text-indigo-600 dark:text-indigo-400 focus:outline-none focus:ring-2 focus:ring-indigo-500 shadow-sm"
+                                        />
+                                    )}
+                                </div>
+                                <p className="text-[10px] text-gray-400 italic font-medium">
+                                    Determines where the agent should look for files on the node when starting a chat.
+                                </p>
                             </div>
-                        )}
+                        </div>
 
 
                         <div className="mt-8 flex flex-wrap gap-4 items-center p-3 bg-gray-50 dark:bg-gray-800/50 rounded-xl border border-dashed border-gray-200 dark:border-gray-700">
diff --git a/frontend/src/features/settings/components/SettingsPageContent.js b/frontend/src/features/settings/components/SettingsPageContent.js
index 5116b4d..1a8f990 100644
--- a/frontend/src/features/settings/components/SettingsPageContent.js
+++ b/frontend/src/features/settings/components/SettingsPageContent.js
@@ -1,627 +1,125 @@
 import React from 'react';
-import VoicesModal from './components/VoicesModal';
+import AIConfigurationCard from './cards/AIConfigurationCard';
+import IdentityGovernanceCard from './cards/IdentityGovernanceCard';
+import NetworkIdentityCard from './cards/NetworkIdentityCard';
 
 export default function SettingsPageContent({ context }) {
   const {
-    config,
-    effective,
-    loading,
-    saving,
     message,
-    activeConfigTab,
-    setActiveConfigTab,
-    activeAdminTab,
-    setActiveAdminTab,
-    userSearch,
-    setUserSearch,
-    expandedProvider,
-    setExpandedProvider,
-    selectedNewProvider,
-    setSelectedNewProvider,
-    verifying,
-    setVerifying,
-    fetchedModels,
-    setFetchedModels,
-    providerLists,
-    providerStatuses,
-    voiceList,
-    showVoicesModal,
-    setShowVoicesModal,
-    voicesLoading,
-    allUsers,
-    usersLoading,
-    loadUsers,
-    allGroups,
-    groupsLoading,
-    editingGroup,
-    setEditingGroup,
-    addingSection,
-    setAddingSection,
-    addForm,
-    setAddForm,
-    allNodes,
-    nodesLoading,
-    allSkills,
-    skillsLoading,
-    accessibleNodes,
-    nodePrefs,
-    fileInputRef,
-    handleViewVoices,
-    handleRoleToggle,
-    handleGroupChange,
-    handleNodePrefChange,
-    toggleDefaultNode,
-    handleSaveGroup,
-    handleDeleteGroup,
-    handleSave,
-    handleImport,
+    confirmAction,
+    setConfirmAction,
+    executeConfirmAction,
     handleExport,
-    inputClass,
-    labelClass,
-    sectionClass,
-    filteredUsers,
-    sortedGroups,
-    renderProviderSection
+    handleImport,
+    fileInputRef,
+    userProfile
   } = context;
 
   return (
-    <>
-      <div className="h-full overflow-y-auto py-10 px-4 sm:px-6 lg:px-8 font-sans">
+    <div className="h-full overflow-y-auto py-10 px-4 sm:px-6 lg:px-8 font-sans">
       <div className="max-w-3xl mx-auto">
-        <div className="flex justify-between items-end mb-2">
-          <h1 className="text-3xl font-extrabold text-gray-900 dark:text-white tracking-tight">Configuration</h1>
-          <div className="flex gap-2">
-            <input
-              type="file"
-              ref={fileInputRef}
-              style={{ display: 'none' }}
-              accept=".yaml,.yml"
-              onChange={handleImport}
-            />
-            <button
-              type="button"
-              onClick={() => fileInputRef.current?.click()}
-              className="text-sm font-semibold px-4 py-2 border border-gray-300 dark:border-gray-600 rounded-lg hover:bg-gray-100 dark:hover:bg-gray-800 text-gray-700 dark:text-gray-300 transition-colors shadow-sm flex items-center gap-2"
-            >
-              <svg className="w-4 h-4" fill="none" stroke="currentColor" viewBox="0 0 24 24"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth="2" d="M4 16v1a2 2 0 002 2h12a2 2 0 002-2v-1m-4-8l-4-4m0 0L8 8m4-4v12" /></svg>
-              Import
-            </button>
-            <button
-              type="button"
-              onClick={handleExport}
-              className="text-sm font-semibold px-4 py-2 border border-gray-300 dark:border-gray-600 rounded-lg hover:bg-gray-100 dark:hover:bg-gray-800 text-gray-700 dark:text-gray-300 transition-colors shadow-sm flex items-center gap-2"
-            >
-              <svg className="w-4 h-4" fill="none" stroke="currentColor" viewBox="0 0 24 24"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth="2" d="M4 16v1a2 2 0 002 2h12a2 2 0 002-2v-1m-4-4l-4 4m0 0l-4-4m4 4V4" /></svg>
-              Export
-            </button>
-          </div>
-        </div>
-        <p className="text-gray-600 dark:text-gray-400 mb-8">
-          Customize your AI models, backend API tokens, and providers. These settings override system defaults.
-        </p>
-
-        {message.text && (
-          <div className={`p-4 rounded-xl mb-6 shadow-sm border ${message.type === 'error' ? 'bg-red-50 dark:bg-red-900/30 text-red-700 dark:text-red-400 border-red-200 dark:border-red-800' : 'bg-emerald-50 dark:bg-emerald-900/30 text-emerald-700 dark:text-emerald-400 border-emerald-200 dark:border-emerald-800'}`}>
-            {message.text}
-          </div>
-        )}
-
-        <div className="space-y-12 pb-20">
-          {/* Card 1: AI Provider Configuration */}
-          <div className="bg-white dark:bg-gray-800 rounded-3xl shadow-xl overflow-hidden border border-gray-100 dark:border-gray-700 backdrop-blur-sm">
-            <div className="p-6 border-b border-gray-100 dark:border-gray-700 bg-gray-50/30 dark:bg-gray-800/50">
-              <h2 className="text-xl font-black text-gray-900 dark:text-white flex items-center gap-3">
-                <svg className="w-6 h-6 text-indigo-500" fill="none" viewBox="0 0 24 24" stroke="currentColor"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2.5} d="M19.428 15.428a2 2 0 00-1.022-.547l-2.387-.477a2 2 0 00-1.96 1.414l-.503 1.508a10 10 0 01-4.322-4.322l1.508-.503a2 2 0 001.414-1.96l-.477-2.387a2 2 0 00-.547-1.022L7.707 4.707a1 1 0 00-1.414 0l-1.586 1.586a1 1 0 00-.233 1.03 10.001 10.001 0 0011.95 11.95 1 1 0 001.03-.233l1.586-1.586a1 1 0 000-1.414l-1.586-1.586z" /></svg>
-                AI Resource Configuration
-              </h2>
-              <p className="text-xs text-gray-400 mt-1 uppercase font-bold tracking-widest">Manage your providers, models, and API keys</p>
+          <div className="flex flex-col sm:flex-row justify-between items-start sm:items-center mb-8 gap-4">
+            <div className="flex-1">
+              <h1 className="text-3xl font-extrabold text-gray-900 dark:text-white tracking-tight text-transparent bg-clip-text bg-gradient-to-r from-gray-900 via-indigo-900 to-emerald-900 dark:from-white dark:via-indigo-400 dark:to-emerald-400 mb-2">
+                Settings & Governance
+              </h1>
+              <p className="text-gray-600 dark:text-gray-400 font-medium">
+                Manage user roles, AI resources, and system-wide security policies.
+              </p>
             </div>
 
-            {/* Config Tabs */}
-            <div className="flex border-b border-gray-200 dark:border-gray-700 bg-gray-50/50 dark:bg-gray-800/50 overflow-x-auto no-scrollbar">
-              {['llm', 'tts', 'stt'].map((tab) => (
-                <button
-                  key={tab}
-                  type="button"
-                  onClick={() => setActiveConfigTab(tab)}
-                  className={`flex-1 min-w-[100px] py-4 text-[10px] font-black uppercase tracking-widest transition-all duration-200 focus:outline-none ${activeConfigTab === tab
-                    ? 'text-indigo-600 dark:text-indigo-400 border-b-2 border-indigo-600 dark:border-indigo-400 bg-white dark:bg-gray-800'
-                    : 'text-gray-400 dark:text-gray-500 hover:text-gray-600 dark:hover:text-gray-300 hover:bg-gray-100/50 dark:hover:bg-gray-700/30'
-                    }`}
+            {userProfile?.role === 'admin' && (
+              <div className="flex items-center gap-2 pt-2">
+                <button 
+                  onClick={handleExport} 
+                  className="px-4 py-2.5 bg-white dark:bg-gray-800 text-gray-600 dark:text-gray-300 border border-gray-200 dark:border-gray-700 rounded-xl text-[10px] font-black uppercase tracking-widest hover:border-indigo-300 dark:hover:border-indigo-700 hover:text-indigo-600 dark:hover:text-indigo-400 hover:bg-indigo-50 dark:hover:bg-indigo-900/20 transition-all flex items-center gap-2 shadow-sm whitespace-nowrap"
+                  title="Export System YAML"
                 >
-                  {tab === 'llm' ? 'Models' : tab === 'tts' ? 'TTS' : 'STT'}
+                  <svg className="w-4 h-4" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+                    <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2.5} d="M4 16v1a3 3 0 003 3h10a3 3 0 003-3v-1m-4-4l-4 4m0 0l-4-4m4 4V4" />
+                  </svg>
+                  Export
                 </button>
-              ))}
-            </div>
-
-            <form onSubmit={handleSave} className="p-6 sm:p-8 space-y-6">
-              {/* LLM Settings */}
-              {activeConfigTab === 'llm' && (
-                <div className={sectionClass}>
-                  {renderProviderSection('llm', providerLists.llm, false)}
-                </div>
-              )}
-
-              {/* TTS Settings */}
-              {activeConfigTab === 'tts' && (
-                <div className={sectionClass}>
-                  {renderProviderSection('tts', providerLists.tts, true)}
-                </div>
-              )}
-
-              {/* STT Settings */}
-              {activeConfigTab === 'stt' && (
-                <div className={sectionClass}>
-                  {renderProviderSection('stt', providerLists.stt, false)}
-                </div>
-              )}
-
-              <div className="pt-6 mt-6 border-t border-gray-100 dark:border-gray-700 flex items-center justify-end">
-                <button
-                  type="submit"
-                  disabled={saving}
-                  className="px-6 py-3 bg-indigo-600 hover:bg-indigo-700 text-white font-bold rounded-xl shadow-lg shadow-indigo-200 dark:shadow-indigo-900/50 transform transition duration-200 hover:scale-[1.02] focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-indigo-500 disabled:opacity-75 disabled:cursor-not-allowed disabled:transform-none flex items-center gap-2"
+                
+                <button 
+                  onClick={() => fileInputRef.current?.click()} 
+                  className="px-4 py-2.5 bg-white dark:bg-gray-800 text-gray-600 dark:text-gray-300 border border-gray-200 dark:border-gray-700 rounded-xl text-[10px] font-black uppercase tracking-widest hover:border-emerald-300 dark:hover:border-emerald-700 hover:text-emerald-600 dark:hover:text-emerald-400 hover:bg-emerald-50 dark:hover:bg-emerald-900/20 transition-all flex items-center gap-2 shadow-sm whitespace-nowrap"
+                  title="Import System YAML"
                 >
-                  {saving && (
-                    <svg className="animate-spin -ml-1 mr-2 h-5 w-5 text-white" xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24">
-                      <circle className="opacity-25" cx="12" cy="12" r="10" stroke="currentColor" strokeWidth="4"></circle>
-                      <path className="opacity-75" fill="currentColor" d="M4 12a8 8 0 018-8V0C5.373 0 0 5.373 0 12h4zm2 5.291A7.962 7.962 0 014 12H0c0 3.042 1.135 5.824 3 7.938l3-2.647z"></path>
-                    </svg>
-                  )}
-                  <span>Save Configuration</span>
+                  <svg className="w-4 h-4" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+                    <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2.5} d="M4 16v1a3 3 0 003 3h10a3 3 0 003-3v-1m-4-8l-4-4m0 0L8 8m4-4v12" />
+                  </svg>
+                  Import
                 </button>
-              </div>
-            </form>
-          </div>
-
-          {/* Card 2: Team & Access Management */}
-          <div className="bg-white dark:bg-gray-800 rounded-3xl shadow-xl overflow-hidden border border-gray-100 dark:border-gray-700 backdrop-blur-sm">
-            <div className="p-6 border-b border-gray-100 dark:border-gray-700 bg-gray-50/30 dark:bg-gray-800/50">
-              <h2 className="text-xl font-black text-gray-900 dark:text-white flex items-center gap-3">
-                <svg className="w-6 h-6 text-indigo-500" fill="none" viewBox="0 0 24 24" stroke="currentColor"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2.5} d="M12 4.354a4 4 0 110 5.292M15 21H3v-1a6 6 0 0112 0v1zm0 0h6v-1a6 6 0 00-9-5.197M13 7a4 4 0 11-8 0 4 4 0 018 0z" /></svg>
-                Identity & Access Governance
-              </h2>
-              <p className="text-xs text-gray-400 mt-1 uppercase font-bold tracking-widest">Define groups, policies, and manage members</p>
-            </div>
-
-            {/* Admin Tabs */}
-            <div className="flex border-b border-gray-200 dark:border-gray-700 bg-gray-50/50 dark:bg-gray-800/50 overflow-x-auto no-scrollbar">
-              {['groups', 'users', 'personal'].map((tab) => (
-                <button
-                  key={tab}
-                  type="button"
-                  onClick={() => setActiveAdminTab(tab)}
-                  className={`flex-1 min-w-[100px] py-4 text-[10px] font-black uppercase tracking-widest transition-all duration-200 focus:outline-none ${activeAdminTab === tab
-                    ? 'text-indigo-600 dark:text-indigo-400 border-b-2 border-indigo-600 dark:border-indigo-400 bg-white dark:bg-gray-800'
-                    : 'text-gray-400 dark:text-gray-500 hover:text-gray-600 dark:hover:text-gray-300 hover:bg-gray-100/50 dark:hover:bg-gray-700/30'
-                    }`}
-                >
-                  {tab === 'groups' ? 'Groups' : tab === 'users' ? 'Users' : 'My Profile'}
-                </button>
-              ))}
-            </div>
-
-            <div className="p-6 sm:p-8">
-              {/* Groups Management */}
-              {activeAdminTab === 'groups' && (
-                <div className={sectionClass}>
-                  {!editingGroup ? (
-                    <div className="space-y-6">
-                      <div className="flex items-center justify-between">
-                        <h3 className="text-lg font-black flex items-center gap-3 text-gray-900 dark:text-white">
-                          Registered Groups
-                        </h3>
-                        <button
-                          type="button"
-                          onClick={() => setEditingGroup({ id: 'new', name: '', description: '', policy: { llm: [], tts: [], stt: [], nodes: [], skills: [] } })}
-                          className="px-4 py-2 bg-indigo-600 hover:bg-indigo-700 text-white text-[10px] font-black uppercase tracking-widest rounded-lg shadow-md transition-all flex items-center gap-2"
-                        >
-                          <svg className="w-4 h-4" fill="none" viewBox="0 0 24 24" stroke="currentColor"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={3} d="M12 4v16m8-8H4" /></svg>
-                          Add Group
-                        </button>
-                      </div>
-
-                      <div className="grid grid-cols-1 gap-4">
-                        {sortedGroups.map((g) => (
-                          <div key={g.id} className={`p-4 border ${g.id === 'ungrouped' ? 'border-indigo-300 dark:border-indigo-700 bg-indigo-50/30 dark:bg-indigo-900/10' : 'border-gray-100 dark:border-gray-700 bg-gray-50/50 dark:bg-gray-900/30'} rounded-2xl flex justify-between items-center group/card hover:bg-white dark:hover:bg-gray-800 transition-all hover:shadow-md`}>
-                            <div>
-                              <h4 className="font-bold text-gray-900 dark:text-white flex items-center gap-2">
-                                {g.id === 'ungrouped' ? 'Standard / Guest Policy' : g.name}
-                                {g.id === 'ungrouped' && <span className="text-[10px] font-black uppercase tracking-widest text-indigo-600 dark:text-indigo-400 py-0.5 px-2 bg-indigo-100/50 dark:bg-indigo-900/40 rounded-full">Global Fallback</span>}
-                              </h4>
-                              <p className="text-xs text-gray-500 dark:text-gray-400 mt-1">
-                                {g.id === 'ungrouped' ? 'Baseline access for all unassigned members.' : (g.description || 'No description')}
-                              </p>
-                              <div className="flex gap-2 mt-3 overflow-x-auto no-scrollbar pb-1">
-                                {['llm', 'tts', 'stt', 'nodes', 'skills'].map(section => (
-                                  <div key={section} className="flex flex-col items-center">
-                                    <span className="text-[10px] font-black uppercase tracking-tight text-gray-400 mb-1">{section === 'nodes' ? 'Accessible Nodes' : `${section} Access`}</span>
-                                    <div className="flex -space-x-2">
-                                      {g.policy?.[section]?.length > 0 ? (
-                                        g.policy?.[section].slice(0, 3).map(p => (
-                                          <div key={p} className={`w-5 h-5 rounded-full ${section === 'nodes' ? 'bg-emerald-100 dark:bg-emerald-900 text-emerald-600 dark:text-emerald-400' : (section === 'skills' ? 'bg-amber-100 dark:bg-amber-900 text-amber-600 dark:text-amber-400' : 'bg-indigo-100 dark:bg-indigo-900 text-indigo-600 dark:text-indigo-400')} border-2 border-white dark:border-gray-800 flex items-center justify-center text-[8px] font-bold`} title={p}>
-                                            {p[0].toUpperCase()}
-                                          </div>
-                                        ))
-                                      ) : (
-                                        <span className="text-[10px] text-gray-400 italic">None</span>
-                                      )}
-                                      {g.policy?.[section]?.length > 3 && (
-                                        <div className="w-5 h-5 rounded-full bg-gray-100 dark:bg-gray-700 border-2 border-white dark:border-gray-800 flex items-center justify-center text-[8px] font-bold text-gray-500">
-                                          +{g.policy?.[section].length - 3}
-                                        </div>
-                                      )}
-                                    </div>
-                                  </div>
-                                ))}
-                              </div>
-                            </div>
-                            <div className="flex gap-2">
-                              <button
-                                type="button"
-                                onClick={() => setEditingGroup(g)}
-                                className="p-2 text-indigo-600 hover:bg-indigo-50 dark:hover:bg-indigo-900/30 rounded-lg transition-colors"
-                              >
-                                <svg className="w-5 h-5" fill="none" viewBox="0 0 24 24" stroke="currentColor"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M15.232 5.232l3.536 3.536m-2.036-5.036a2.5 2.5 0 113.536 3.536L6.5 21.036H3v-3.572L16.732 3.732z" /></svg>
-                              </button>
-                              {g.id !== 'ungrouped' && (
-                                <button
-                                  type="button"
-                                  onClick={() => handleDeleteGroup(g.id)}
-                                  className="p-2 text-red-500 hover:bg-red-50 dark:hover:bg-red-900/30 rounded-lg transition-colors"
-                                >
-                                  <svg className="w-5 h-5" fill="none" viewBox="0 0 24 24" stroke="currentColor"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M19 7l-.867 12.142A2 2 0 0116.138 21H7.862a2 2 0 01-1.995-1.858L5 7m5 4v6m4-6v6m1-10V4a1 1 0 00-1-1h-4a1 1 0 00-1 1v3M4 7h16" /></svg>
-                                </button>
-                              )}
-                            </div>
-                          </div>
-                        ))}
-                      </div>
-                    </div>
-                  ) : (
-                    <div className="animate-fade-in space-y-6">
-                      {/* (Group editing form - unchanged logic, just cleaner container) */}
-                      <div className="flex items-center gap-4">
-                        <button type="button" onClick={() => setEditingGroup(null)} className="p-2 text-gray-400 hover:text-gray-600 dark:hover:text-gray-200">
-                          <svg className="w-6 h-6" fill="none" viewBox="0 0 24 24" stroke="currentColor"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M10 19l-7-7m0 0l7-7m-7 7h18" /></svg>
-                        </button>
-                        <h3 className="text-xl font-black text-gray-900 dark:text-white">
-                          {editingGroup.id === 'new' ? 'New Group Policy' : `Edit: ${editingGroup.id === 'ungrouped' ? 'Standard / Guest Policy' : editingGroup.name}`}
-                        </h3>
-                        {editingGroup.id === 'ungrouped' && (
-                          <span className="text-[10px] font-black uppercase tracking-widest text-amber-700 dark:text-amber-400 py-1 px-2.5 bg-amber-100/60 dark:bg-amber-900/30 border border-amber-200 dark:border-amber-800 rounded-full flex items-center gap-1">
-                            <svg className="w-3 h-3" fill="currentColor" viewBox="0 0 20 20"><path fillRule="evenodd" d="M5 9V7a5 5 0 0110 0v2a2 2 0 012 2v5a2 2 0 01-2 2H5a2 2 0 01-2-2v-5a2 2 0 012-2zm8-2v2H7V7a3 3 0 016 0z" clipRule="evenodd" /></svg>
-                            System Group
-                          </span>
-                        )}
-                      </div>
-
-                      <div className="bg-gray-50/50 dark:bg-gray-900/30 p-6 rounded-3xl border border-gray-100 dark:border-gray-700 space-y-6">
-                        <div className="grid grid-cols-1 sm:grid-cols-2 gap-6">
-                          <div>
-                            <label className={labelClass}>Group Name</label>
-                            <input
-                              value={editingGroup.id === 'ungrouped' ? 'Ungrouped (System Default)' : editingGroup.name}
-                              onChange={e => editingGroup.id !== 'ungrouped' && setEditingGroup({ ...editingGroup, name: e.target.value })}
-                              readOnly={editingGroup.id === 'ungrouped'}
-                              placeholder="Engineering, Designers, etc."
-                              className={`${inputClass} ${editingGroup.id === 'ungrouped'
-                                ? 'opacity-60 cursor-not-allowed bg-gray-100 dark:bg-gray-700 text-gray-500 dark:text-gray-400'
-                                : (editingGroup.name.trim() &&
-                                  allGroups.some(g => g.id !== editingGroup.id && g.name.toLowerCase() === editingGroup.name.trim().toLowerCase())
-                                  ? '!border-red-400 dark:!border-red-600 !ring-red-300'
-                                  : '')
-                                }`}
-                            />
-                            {editingGroup.id === 'ungrouped' ? (
-                              <p className="mt-1.5 text-xs text-amber-600 dark:text-amber-400 font-medium flex items-center gap-1">
-                                <svg className="w-3.5 h-3.5" fill="currentColor" viewBox="0 0 20 20"><path fillRule="evenodd" d="M5 9V7a5 5 0 0110 0v2a2 2 0 012 2v5a2 2 0 01-2 2H5a2 2 0 01-2-2v-5a2 2 0 012-2zm8-2v2H7V7a3 3 0 016 0z" clipRule="evenodd" /></svg>
-                                System group name is locked. Only the access policy can be changed.
-                              </p>
-                            ) : editingGroup.name.trim() &&
-                              allGroups.some(g => g.id !== editingGroup.id && g.name.toLowerCase() === editingGroup.name.trim().toLowerCase()) && (
-                              <p className="mt-1.5 text-xs font-semibold text-red-500 flex items-center gap-1">
-                                <svg className="w-3.5 h-3.5" fill="currentColor" viewBox="0 0 20 20"><path fillRule="evenodd" d="M18 10a8 8 0 11-16 0 8 8 0 0116 0zm-7 4a1 1 0 11-2 0 1 1 0 012 0zm-1-9a1 1 0 00-1 1v4a1 1 0 102 0V6a1 1 0 00-1-1z" clipRule="evenodd" /></svg>
-                                A group with this name already exists
-                              </p>
-                            )}
-                          </div>
-                          <div>
-                            <label className={labelClass}>Description</label>
-                            <input
-                              value={editingGroup.description || ''}
-                              onChange={e => setEditingGroup({ ...editingGroup, description: e.target.value })}
-                              placeholder="Short description of this group..."
-                              className={inputClass}
-                            />
-                          </div>
-                        </div>
-
-                        <div className="border-t border-gray-200 dark:border-gray-700 pt-6">
-                          <label className="text-sm font-black uppercase tracking-widest text-gray-500 mb-4 block">Provider Access Policy (Whitelists)</label>
-
-                          <div className="grid grid-cols-1 gap-8">
-                            {['llm', 'tts', 'stt', 'nodes', 'skills'].map(section => (
-                              <div key={section} className="space-y-3">
-                                <div className="flex items-center justify-between mb-2">
-                                  <span className="text-[10px] font-black uppercase tracking-widest text-gray-400">{section === 'nodes' ? 'Accessible Nodes' : `${section} Access`}</span>
-                                  <div className="flex gap-2">
-                                    <button type="button" onClick={() => {
-                                      let availableIds = [];
-                                      if (section === 'nodes') {
-                                        availableIds = allNodes.map(n => n.node_id);
-                                      } else if (section === 'skills') {
-                                        availableIds = allSkills.filter(s => !s.is_system).map(s => s.name);
-                                      } else {
-                                        availableIds = effective[section]?.providers ? Object.keys(effective[section].providers) : [];
-                                      }
-                                      setEditingGroup({ ...editingGroup, policy: { ...editingGroup.policy, [section]: availableIds } })
-                                    }} className="text-[10px] font-bold text-indigo-600 dark:text-indigo-400 hover:underline">Select All</button>
-                                    <button type="button" onClick={() => setEditingGroup({ ...editingGroup, policy: { ...editingGroup.policy, [section]: [] } })} className="text-[10px] font-bold text-red-600 dark:text-red-400 hover:underline">Clear</button>
-                                  </div>
-                                </div>
-                                <div className="grid grid-cols-2 sm:grid-cols-3 gap-2">
-                                  {(section === 'nodes' ? allNodes.map(n => ({ id: n.node_id, label: n.display_name })) :
-                                    (section === 'skills' ? allSkills.filter(s => !s.is_system).map(s => ({ id: s.name, label: s.name })) :
-                                      (effective[section]?.providers ? Object.keys(effective[section].providers) : []).map(pId => {
-                                        const baseType = pId.split('_')[0];
-                                        const baseDef = providerLists[section].find(ld => ld.id === baseType || ld.id === pId);
-                                        return { id: pId, label: baseDef ? (pId.includes('_') ? `${baseDef.label} (${pId.split('_').slice(1).join('_')})` : baseDef.label) : pId };
-                                      }))).map(item => {
-                                        const isChecked = (editingGroup.policy?.[section] || []).includes(item.id);
-                                        return (
-                                          <label key={item.id} className={`flex items-center gap-2 px-3 py-2 rounded-xl border cursor-pointer transition-all ${isChecked ? 'bg-indigo-50 dark:bg-indigo-900/30 border-indigo-200 dark:border-indigo-800' : 'border-gray-100 dark:border-gray-700 hover:bg-gray-50 dark:hover:bg-gray-800/50'}`}>
-                                            <input
-                                              type="checkbox"
-                                              checked={isChecked}
-                                              onChange={(e) => {
-                                                const current = editingGroup.policy?.[section] || [];
-                                                const next = e.target.checked ? [...current, item.id] : current.filter(x => x !== item.id);
-                                                setEditingGroup({ ...editingGroup, policy: { ...editingGroup.policy, [section]: next } });
-                                              }}
-                                              className="rounded border-gray-300 dark:border-gray-600 text-indigo-600 focus:ring-indigo-500"
-                                            />
-                                            <span className="text-[11px] font-bold text-gray-700 dark:text-gray-300 truncate" title={item.label}>{item.label}</span>
-                                          </label>
-                                        );
-                                      })}
-                                </div>
-                                {section === 'nodes' && allNodes.length === 0 && (
-                                  <p className="text-[10px] text-gray-400 italic">No agent nodes registered yet.</p>
-                                )}
-                              </div>
-                            ))}
-                          </div>
-
-                          <div className="flex justify-end gap-3 pt-4">
-                            <button type="button" onClick={() => setEditingGroup(null)} className="px-6 py-2 rounded-xl text-sm font-bold text-gray-500 hover:bg-gray-100 dark:hover:bg-gray-800 transition-colors">Cancel</button>
-                            <button type="button" onClick={handleSaveGroup} disabled={saving || !editingGroup.name || allGroups.some(g => g.id !== editingGroup.id && g.name.toLowerCase() === editingGroup.name.trim().toLowerCase())} className="px-8 py-2 bg-indigo-600 text-white rounded-xl text-sm font-black uppercase tracking-widest shadow-lg shadow-indigo-200 dark:shadow-indigo-900/50 hover:bg-indigo-700 disabled:opacity-50 transition-all">
-                              {saving ? 'Saving...' : 'Save Group'}
-                            </button>
-                          </div>
-                        </div>
-                      </div>
-                    </div>
-                  )}
-                </div>
-              )}
-
-              {/* Users Management */}
-              {activeAdminTab === 'users' && (
-                <div className={sectionClass}>
-                  <div className="space-y-6">
-                    <div className="flex flex-col sm:flex-row items-center justify-between gap-4">
-                      <h3 className="text-lg font-black flex items-center gap-3 text-gray-900 dark:text-white">
-                        Active Roster
-                        <span className="text-[10px] py-0.5 px-2 bg-gray-100 dark:bg-gray-700 text-gray-400 rounded-full">{filteredUsers.length}</span>
-                      </h3>
-                      <div className="flex items-center gap-3 w-full sm:w-auto">
-                        <div className="relative flex-1 sm:min-w-[250px]">
-                          <input
-                            type="text"
-                            value={userSearch}
-                            onChange={e => setUserSearch(e.target.value)}
-                            placeholder="Search by name, email..."
-                            className="w-full text-xs p-2.5 pl-9 bg-white dark:bg-gray-800 border border-gray-200 dark:border-gray-700 rounded-xl focus:ring-2 focus:ring-indigo-500 outline-none transition-all"
-                          />
-                          <svg className="w-4 h-4 text-gray-400 absolute left-3 top-1/2 -translate-y-1/2" fill="none" viewBox="0 0 24 24" stroke="currentColor"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2.5} d="M21 21l-6-6m2-5a7 7 0 11-14 0 7 7 0 0114 0z" /></svg>
-                        </div>
-                        <button onClick={loadUsers} className="p-2.5 text-indigo-600 hover:bg-indigo-50 dark:hover:bg-indigo-900/30 border border-gray-200 dark:border-gray-700 bg-white dark:bg-gray-800 rounded-xl transition-colors">
-                          <svg className={`w-4 h-4 ${usersLoading ? 'animate-spin' : ''}`} fill="none" viewBox="0 0 24 24" stroke="currentColor"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M4 4v5h.582m15.356 2A8.001 8.001 0 004.582 9m0 0H9m11 11v-5h-.581m0 0a8.003 8.003 0 01-15.357-2m15.357 2H15" /></svg>
-                        </button>
-                      </div>
-                    </div>
-                    <div className="overflow-hidden border border-gray-100 dark:border-gray-700 rounded-2xl shadow-sm bg-gray-50/50 dark:bg-gray-900/30">
-                      <table className="w-full text-left border-collapse">
-                        <thead className="bg-white dark:bg-gray-800">
-                          <tr>
-                            <th className="px-6 py-4 text-[9px] font-black uppercase tracking-widest text-gray-500">Member</th>
-                            <th className="px-6 py-4 text-[9px] font-black uppercase tracking-widest text-gray-500">Policy Group</th>
-                            <th className="px-6 py-4 text-[9px] font-black uppercase tracking-widest text-gray-500">Activity Auditing</th>
-                            <th className="px-6 py-4 text-[9px] font-black uppercase tracking-widest text-gray-500 text-right">Actions</th>
-                          </tr>
-                        </thead>
-                        <tbody className="divide-y divide-gray-100 dark:divide-gray-800">
-                          {filteredUsers.map((u) => (
-                            <tr key={u.id} className="hover:bg-white dark:hover:bg-gray-800/50 transition-colors">
-                              <td className="px-6 py-4">
-                                <div className="flex items-center gap-3">
-                                  <div className={`w-8 h-8 rounded-full flex items-center justify-center text-[10px] font-black ${u.role === 'admin' ? 'bg-indigo-100 text-indigo-700 dark:bg-indigo-900/40 dark:text-indigo-300' : 'bg-gray-100 text-gray-700 dark:bg-gray-700 dark:text-gray-300'}`}>
-                                    {(u.username || u.email || '?')[0].toUpperCase()}
-                                  </div>
-                                  <div>
-                                    <p className="text-xs font-black text-gray-900 dark:text-white truncate max-w-[150px]">{u.username || u.email}</p>
-                                    <p className="text-[10px] text-gray-400 font-bold uppercase tracking-tight">{u.role}</p>
-                                  </div>
-                                </div>
-                              </td>
-                              <td className="px-6 py-4">
-                                <select
-                                  value={u.group_id || 'ungrouped'}
-                                  onChange={(e) => handleGroupChange(u.id, e.target.value)}
-                                  className="text-xs p-1.5 bg-white dark:bg-gray-800 border border-gray-200 dark:border-gray-700 rounded-lg outline-none focus:ring-1 focus:ring-indigo-500 transition-all font-bold text-gray-600 dark:text-gray-300 min-w-[150px]"
-                                >
-                                  {sortedGroups.map(g => (
-                                    <option key={g.id} value={g.id}>
-                                      {g.id === 'ungrouped' ? 'Standard / Guest' : g.name}
-                                    </option>
-                                  ))}
-                                </select>
-                              </td>
-                              <td className="px-6 py-4">
-                                <div className="space-y-1">
-                                  <div className="flex items-center gap-1.5">
-                                    <span className="text-[9px] font-black uppercase text-gray-400">Join:</span>
-                                    <span className="text-[10px] font-bold text-gray-600 dark:text-gray-300">{new Date(u.created_at).toLocaleDateString()}</span>
-                                  </div>
-                                  <div className="flex items-center gap-1.5">
-                                    <span className="text-[9px] font-black uppercase text-gray-400">Last:</span>
-                                    <span className="text-[10px] font-bold text-indigo-600 dark:text-indigo-400">
-                                      {u.last_login_at ? new Date(u.last_login_at).toLocaleDateString() : 'Never'}
-                                    </span>
-                                  </div>
-                                </div>
-                              </td>
-                              <td className="px-6 py-4 text-right">
-                                <button
-                                  type="button"
-                                  onClick={(e) => { e.preventDefault(); handleRoleToggle(u); }}
-                                  className={`text-[9px] font-black uppercase tracking-widest transition-all ${u.role === 'admin'
-                                    ? 'text-red-600 hover:text-red-700'
-                                    : 'text-indigo-600 hover:text-indigo-700'
-                                    }`}
-                                >
-                                  {u.role === 'admin' ? 'Demote' : 'Promote'}
-                                </button>
-                              </td>
-                            </tr>
-                          ))}
-                        </tbody>
-                      </table>
-                      {allUsers.length === 0 && !usersLoading && (
-                        <div className="p-12 text-center text-gray-400 italic text-sm">No other users found.</div>
-                      )}
-                    </div>
-                  </div>
-                </div>
-              )}
-
-              {/* Personal Settings */}
-              {activeAdminTab === 'personal' && (
-                <div className={sectionClass}>
-                  <div className="space-y-8">
-                    <div className="flex items-center gap-3">
-                      <div className="p-2 bg-indigo-50 dark:bg-indigo-900/30 rounded-lg text-indigo-600 dark:text-indigo-400">
-                        <svg className="w-5 h-5" fill="none" viewBox="0 0 24 24" stroke="currentColor"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2.5} d="M16 7a4 4 0 11-8 0 4 4 0 018 0zM12 14a7 7 0 00-7 7h14a7 7 0 00-7-7z" /></svg>
-                      </div>
-                      <div>
-                        <h3 className="text-lg font-black text-gray-900 dark:text-white uppercase tracking-wider">My Preferences</h3>
-                        <p className="text-[10px] text-gray-500 dark:text-gray-400 font-bold uppercase tracking-widest">Customize your individual experience</p>
-                      </div>
-                    </div>
-
-                    <div className="bg-gray-50/50 dark:bg-gray-900/30 p-6 rounded-3xl border border-gray-100 dark:border-gray-700 space-y-8">
-                      {accessibleNodes.length > 0 ? (
-                        <div className="space-y-4">
-                          <label className="text-sm font-black uppercase tracking-widest text-gray-500 block">Default Node Attachment</label>
-                          <p className="text-xs text-gray-400 mb-4">Auto-attach these nodes to new sessions:</p>
-                          <div className="flex flex-wrap gap-2">
-                            {accessibleNodes.map(node => {
-                              const isActive = (nodePrefs.default_node_ids || []).includes(node.node_id);
-                              return (
-                                <button
-                                  key={node.node_id}
-                                  type="button"
-                                  onClick={() => toggleDefaultNode(node.node_id)}
-                                  className={`px-4 py-2 rounded-xl text-[10px] font-black uppercase tracking-widest border-2 transition-all ${isActive
-                                    ? 'bg-emerald-600 border-emerald-600 text-white shadow-lg shadow-emerald-200 dark:shadow-none translate-y-[-1px]'
-                                    : 'bg-white dark:bg-gray-800 border-gray-200 dark:border-gray-700 text-gray-400 hover:border-emerald-300'
-                                    }`}
-                                >
-                                  {node.display_name}
-                                </button>
-                              );
-                            })}
-                          </div>
-                        </div>
-                      ) : (
-                        <div className="p-4 bg-gray-100/50 dark:bg-gray-800/50 rounded-2xl border border-dashed border-gray-200 dark:border-gray-700">
-                          <p className="text-xs text-gray-500 italic">No agent nodes are currently assigned to your group.</p>
-                        </div>
-                      )}
-
-                      <div className="space-y-4 pt-4 border-t border-gray-100 dark:border-gray-700">
-                        <label className="text-sm font-black uppercase tracking-widest text-gray-500 block">Default Sync Workspace Directory</label>
-                        <div className="flex flex-col sm:flex-row gap-3">
-                          <select
-                            value={nodePrefs.data_source?.source || 'empty'}
-                            onChange={(e) => handleNodePrefChange({ data_source: { ...nodePrefs.data_source, source: e.target.value } })}
-                            className="bg-white dark:bg-gray-800 border border-gray-200 dark:border-gray-700 rounded-xl px-4 py-3 text-xs font-bold text-gray-700 dark:text-gray-300 focus:outline-none focus:ring-2 focus:ring-indigo-500 shadow-sm"
-                          >
-                            <option value="empty">Empty Workspace</option>
-                            <option value="node_local">Node Local Path</option>
-                          </select>
-                          {nodePrefs.data_source?.source === 'node_local' && (
-                            <input
-                              type="text"
-                              value={nodePrefs.data_source?.path || ''}
-                              onChange={(e) => handleNodePrefChange({ data_source: { ...nodePrefs.data_source, path: e.target.value } })}
-                              placeholder="/home/user/workspace"
-                              className="flex-1 bg-white dark:bg-gray-800 border border-gray-200 dark:border-gray-700 rounded-xl px-4 py-3 text-xs font-mono text-indigo-600 dark:text-indigo-400 focus:outline-none focus:ring-2 focus:ring-indigo-500 shadow-sm"
-                            />
-                          )}
-                        </div>
-                        <p className="text-[10px] text-gray-400 italic font-medium">
-                          Determines where the agent should look for files on the node when starting a chat.
-                        </p>
-                      </div>
-                    </div>
-                  </div>
-                </div>
-              )}
-            </div>
-            {showVoicesModal && (
-              <div className="fixed inset-0 z-[100] flex items-center justify-center bg-black/50 p-4 transition-opacity" onClick={() => setShowVoicesModal(false)}>
-                <div className="bg-white dark:bg-gray-800 rounded-xl max-w-lg w-full p-6 shadow-2xl relative max-h-[85vh] flex flex-col" onClick={e => e.stopPropagation()}>
-                  <div className="flex justify-between items-center mb-4 border-b border-gray-100 dark:border-gray-700 pb-3">
-                    <div>
-                      <h3 className="text-xl font-bold text-gray-900 dark:text-gray-100">Available Cloud Voices</h3>
-                      <p className="text-xs text-gray-500 mt-1">Found {voiceList.length} voices to choose from.</p>
-                      <p className="text-xs text-indigo-500 font-medium mt-1">Highlighted voices (Chirp, Journey, Studio) use advanced AI for highest quality.</p>
-                    </div>
-                    <button onClick={() => setShowVoicesModal(false)} className="text-gray-400 hover:text-gray-600 dark:hover:text-gray-300 text-3xl font-bold focus:outline-none">&times;</button>
-                  </div>
-                  <div className="overflow-y-auto flex-1 bg-gray-50 dark:bg-gray-900/50 border border-gray-100 dark:border-gray-700 p-2 rounded-lg">
-                    {voicesLoading ? (
-                      <div className="flex h-32 items-center justify-center">
-                        <div className="animate-spin rounded-full h-8 w-8 border-b-2 border-indigo-600 dark:border-indigo-400"></div>
-                      </div>
-                    ) : voiceList.length > 0 ? (
-                      <ul className="space-y-[2px]">
-                        {voiceList.map((v, i) => {
-                          let highlight = v.toLowerCase().includes('chirp') || v.toLowerCase().includes('journey') || v.toLowerCase().includes('studio');
-                          return (
-                            <li key={i} className={`text-sm cursor-text font-mono select-all p-2 hover:bg-white dark:hover:bg-gray-800 rounded transition-colors border border-transparent hover:border-gray-200 dark:hover:border-gray-600 ${highlight ? 'text-indigo-600 dark:text-indigo-400 font-semibold' : 'text-gray-600 dark:text-gray-400'}`}>
-                              {v}
-                            </li>
-                          );
-                        })}
-                      </ul>
-                    ) : (
-                      <p className="text-center text-gray-500 mt-8">No voices found. Make sure your API key is configured and valid.</p>
-                    )}
-                  </div>
-                  <div className="mt-4 text-xs text-gray-500 dark:text-gray-400 flex justify-between items-center">
-                    <span>Double-click a name to select it, then paste it into the field.</span>
-                    <button onClick={() => setShowVoicesModal(false)} className="px-4 py-2 bg-gray-100 hover:bg-gray-200 dark:bg-gray-700 dark:hover:bg-gray-600 text-gray-700 dark:text-gray-300 rounded-lg transition-colors font-medium">Close</button>
-                  </div>
-                </div>
+                <input 
+                  type="file" 
+                  ref={fileInputRef} 
+                  onChange={handleImport} 
+                  accept=".yaml,.yml" 
+                  className="hidden" 
+                  autoComplete="off"
+                  tabIndex="-1"
+                  aria-hidden="true"
+                />
               </div>
             )}
           </div>
+
+          {message.text && (
+            <div className={`p-4 rounded-xl mb-6 shadow-sm border animate-fade-in ${message.type === 'error' ? 'bg-red-50 dark:bg-red-900/30 text-red-700 dark:text-red-400 border-red-200 dark:border-red-800' : 'bg-emerald-50 dark:bg-emerald-900/30 text-emerald-700 dark:text-emerald-400 border-emerald-200 dark:border-emerald-800'}`}>
+              <div className="flex items-center gap-2">
+                {message.type === 'error' ? (
+                  <svg className="w-5 h-5 flex-shrink-0" fill="none" viewBox="0 0 24 24" stroke="currentColor"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2.5} d="M12 8v4m0 4h.01M21 12a9 9 0 11-18 0 9 9 0 0118 0z" /></svg>
+                ) : (
+                  <svg className="w-5 h-5 flex-shrink-0" fill="none" viewBox="0 0 24 24" stroke="currentColor"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2.5} d="M9 12l2 2 4-4m6 2a9 9 0 11-18 0 9 9 0 0118 0z" /></svg>
+                )}
+                <span className="text-sm font-bold">{message.text}</span>
+              </div>
+            </div>
+          )}
+
+          <div className="space-y-10 pb-20">
+            {/* --- CARD 1: AI RESOURCE MANAGEMENT --- */}
+            <AIConfigurationCard context={context} />
+
+            {/* --- CARD 2: IDENTITY & ACCESS GOVERNANCE --- */}
+            <IdentityGovernanceCard context={context} />
+
+            {/* --- CARD 4: NETWORK ACCESS & EXTERNAL IDENTITY (ADMIN ONLY) --- */}
+            <NetworkIdentityCard context={context} />
           </div>
-        </div>
+
+          {/* GLOBAL CONFIRMATION MODAL */}
+          {confirmAction && (
+            <div className="fixed inset-0 z-[100] flex items-center justify-center bg-black/60 backdrop-blur-sm p-4 animate-in fade-in duration-200">
+                <div className="bg-white dark:bg-gray-800 rounded-[32px] w-full max-w-md shadow-2xl overflow-hidden animate-in zoom-in-95 duration-200 border dark:border-gray-700">
+                    <div className="p-8 text-center">
+                        <div className="w-20 h-20 bg-red-50 dark:bg-red-900/20 rounded-full flex items-center justify-center mx-auto mb-6 text-3xl">
+                            ⚠️
+                        </div>
+                        <h3 className="text-xl font-black text-gray-900 dark:text-white uppercase tracking-tight mb-2">Final Confirmation</h3>
+                        <p className="text-sm text-gray-500 dark:text-gray-400 mb-8 italic">
+                            {confirmAction.label}
+                        </p>
+                        <div className="flex gap-4">
+                            <button
+                                onClick={() => setConfirmAction(null)}
+                                className="flex-1 py-4 text-xs font-black uppercase tracking-widest text-gray-500 hover:text-gray-700 dark:hover:text-white transition-colors"
+                            >
+                                Cancel
+                            </button>
+                            <button
+                                onClick={executeConfirmAction}
+                                className="flex-1 py-4 text-xs font-black uppercase tracking-widest text-white bg-red-600 hover:bg-red-700 rounded-2xl transition-all shadow-xl shadow-red-600/20 active:scale-95"
+                            >
+                                Confirm
+                            </button>
+                        </div>
+                    </div>
+                </div>
+            </div>
+          )}
       </div>
-    </>
+    </div>
   );
 }
diff --git a/frontend/src/features/settings/components/cards/AIConfigurationCard.js b/frontend/src/features/settings/components/cards/AIConfigurationCard.js
new file mode 100644
index 0000000..348fd1d
--- /dev/null
+++ b/frontend/src/features/settings/components/cards/AIConfigurationCard.js
@@ -0,0 +1,220 @@
+import React from 'react';
+import ProviderPanel from '../shared/ProviderPanel';
+
+const AIConfigurationCard = ({ context }) => {
+  const {
+      config,
+      providerLists,
+      providerStatuses,
+      collapsedSections,
+      setCollapsedSections,
+      activeConfigTab,
+      setActiveConfigTab,
+      addingSection,
+      setAddingSection,
+      addForm,
+      setAddForm,
+      handleConfigChange,
+      handleAddInstance,
+      handleSaveConfig,
+      saving,
+      labelClass,
+      inputClass,
+      sectionClass,
+      fetchedModels,
+      expandedProvider,
+      setExpandedProvider,
+      verifying,
+      handleVerifyProvider,
+      handleDeleteProvider
+  } = context;
+
+  const renderConfigSection = (sectionKey, title, description) => {
+    const sectionConfig = config[sectionKey] || {};
+    const providers = sectionConfig.providers || {};
+    const availableTypes = providerLists[sectionKey] || [];
+
+    return (
+      <div className="space-y-6 animate-fade-in">
+        <div className="flex flex-col sm:flex-row sm:items-center justify-between gap-4 border-b border-gray-100 dark:border-gray-700 pb-4">
+          <div>
+            <h3 className="text-xl font-black text-gray-900 dark:text-white uppercase tracking-tight">{title} Resources</h3>
+            <p className="text-xs text-gray-500 font-bold uppercase tracking-widest mt-1">{description}</p>
+          </div>
+        </div>
+
+        <div className="grid grid-cols-1 gap-4">
+          {Object.entries(providers).map(([id, prefs]) => (
+            <ProviderPanel
+              key={id}
+              id={id}
+              prefs={prefs}
+              sectionKey={sectionKey}
+              status={providerStatuses[`${sectionKey}_${id}`]}
+              providers={providers}
+              expandedProvider={expandedProvider}
+              setExpandedProvider={setExpandedProvider}
+              verifying={verifying}
+              handleVerifyProvider={handleVerifyProvider}
+              handleDeleteProvider={handleDeleteProvider}
+              handleConfigChange={handleConfigChange}
+              labelClass={labelClass}
+              inputClass={inputClass}
+              fetchedModels={fetchedModels}
+            />
+          ))}
+
+          {addingSection === sectionKey ? (
+            <div className="p-6 bg-indigo-50/50 dark:bg-indigo-900/20 border-2 border-dashed border-indigo-200 dark:border-indigo-800 rounded-3xl animate-fade-in">
+              <div className="grid grid-cols-1 sm:grid-cols-2 gap-6">
+                <div className="space-y-1.5">
+                  <label className={labelClass}>Provider Type</label>
+                  <select
+                    value={addForm.type}
+                    onChange={e => setAddForm({ ...addForm, type: e.target.value, model: '' })}
+                    className={inputClass}
+                  >
+                    <option value="">Select reaching...</option>
+                    {availableTypes.map(t => <option key={t.id} value={t.id}>{t.label}</option>)}
+                  </select>
+                </div>
+                <div className="space-y-1.5">
+                  <label className={labelClass}>Instance Suffix (Optional)</label>
+                  <input
+                    type="text"
+                    id={`suffix-${sectionKey}`}
+                    name={`suffix-${sectionKey}`}
+                    placeholder="e.g. dev, prod, testing"
+                    value={addForm.suffix}
+                    onChange={e => setAddForm({ ...addForm, suffix: e.target.value })}
+                    className={inputClass}
+                    autoComplete="off"
+                  />
+                </div>
+                {addForm.type && (
+                  <div className="sm:col-span-2 grid grid-cols-1 sm:grid-cols-2 gap-4 animate-fade-in">
+                    <div className="space-y-1.5">
+                      <label className={labelClass}>{sectionKey === 'tts' && addForm.type === 'gcloud_tts' ? 'Voice ID / Language' : 'Primary Model'}</label>
+                    <input
+                      type="text"
+                      id={`model-search-${sectionKey}`}
+                      name={`model-search-${sectionKey}`}
+                      list={`models-${sectionKey}-${addForm.type}`}
+                      value={typeof addForm.model === 'object' ? (addForm.model.model_name || addForm.model.id || '') : (addForm.model || '')}
+                      onChange={e => setAddForm({ ...addForm, model: e.target.value })}
+                      placeholder="Search or enter model..."
+                      className={inputClass}
+                      autoComplete="off"
+                    />
+                    <datalist id={`models-${sectionKey}-${addForm.type}`}>
+                      {(fetchedModels[`${sectionKey}_${addForm.type}`] || []).map(m => (
+                        <option key={typeof m === 'string' ? m : m.model_name} value={typeof m === 'string' ? m : m.model_name} />
+                      ))}
+                    </datalist>
+                    </div>
+                  </div>
+                )}
+              </div>
+              <div className="flex justify-end gap-3 mt-6">
+                <button onClick={() => setAddingSection(null)} className="px-6 py-2 text-sm font-bold text-gray-500 hover:text-gray-700">Cancel</button>
+                <button
+                  onClick={() => handleAddInstance(sectionKey)}
+                  disabled={!addForm.type}
+                  className="px-8 py-2 bg-indigo-600 text-white rounded-xl text-xs font-black uppercase tracking-widest shadow-lg hover:bg-indigo-700 disabled:opacity-50 transition-all"
+                >
+                  Create Instance
+                </button>
+              </div>
+            </div>
+          ) : (
+            <button
+              onClick={() => { setAddingSection(sectionKey); setAddForm({ type: '', suffix: '', model: '' }); }}
+              className="w-full p-6 border-2 border-dashed border-gray-200 dark:border-gray-700 rounded-3xl text-gray-400 hover:text-indigo-500 hover:border-indigo-300 dark:hover:border-indigo-800 transition-all flex flex-col items-center gap-3"
+            >
+              <div className="w-10 h-10 rounded-full bg-gray-50 dark:bg-gray-800 flex items-center justify-center">
+                <svg className="w-6 h-6" fill="none" viewBox="0 0 24 24" stroke="currentColor"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2.5} d="M12 4v16m8-8H4" /></svg>
+              </div>
+              <span className="text-xs font-black uppercase tracking-widest text-gray-500 dark:text-gray-400">Add New {title} Provider</span>
+            </button>
+          )}
+        </div>
+
+        
+      </div>
+    );
+  };
+
+  return (
+    <div className="bg-white dark:bg-gray-800 rounded-3xl shadow-xl overflow-hidden border border-gray-100 dark:border-gray-700 backdrop-blur-sm transition-all duration-300">
+      <div 
+        onClick={() => setCollapsedSections(prev => ({ ...prev, ai: !prev.ai }))}
+        className="p-6 border-b border-gray-100 dark:border-gray-700 bg-gray-50/30 dark:bg-gray-800/50 cursor-pointer hover:bg-gray-100/50 dark:hover:bg-gray-700/50 transition-colors flex items-center justify-between group"
+      >
+          <div className="flex items-center gap-3">
+              <svg className={`w-6 h-6 text-emerald-500 transition-transform duration-300 ${collapsedSections.ai ? '-rotate-90' : 'rotate-0'}`} fill="none" viewBox="0 0 24 24" stroke="currentColor"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2.5} d="M13 10V3L4 14h7v7l9-11h-7z" /></svg>
+              <div>
+                <h2 className="text-xl font-black text-gray-900 dark:text-white flex items-center gap-3 uppercase tracking-tight">
+                    AI Resource Management
+                </h2>
+                <p className="text-[10px] text-gray-400 mt-1 uppercase font-bold tracking-widest leading-none">Global AI providers, model endpoints, and synthesis engines</p>
+              </div>
+          </div>
+          <div className="bg-emerald-50 dark:bg-emerald-950/30 p-2 rounded-xl border border-emerald-100 dark:border-emerald-900/50 group-hover:scale-110 transition-transform duration-300">
+            <svg className={`w-4 h-4 text-emerald-600 dark:text-emerald-400 transition-transform duration-300 ${collapsedSections.ai ? 'rotate-180' : 'rotate-0'}`} fill="none" viewBox="0 0 24 24" stroke="currentColor"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={3} d="M19 9l-7 7-7-7" /></svg>
+          </div>
+      </div>
+      {!collapsedSections.ai && (
+        <div className="animate-fade-in-down">
+          <div className="flex border-b border-gray-200 dark:border-gray-700 bg-gray-100/30 dark:bg-gray-800/80 overflow-x-auto no-scrollbar">
+              {[
+                  { id: 'llm', label: 'Large Models' },
+                  { id: 'tts', label: 'Speech Synthesis' },
+                  { id: 'stt', label: 'Transcription' }
+              ].map((tab) => (
+                  <button
+                      key={tab.id}
+                      type="button"
+                      onClick={() => setActiveConfigTab(tab.id)}
+                      className={`flex-1 min-w-[120px] py-4 text-[10px] font-black uppercase tracking-widest transition-all duration-200 focus:outline-none ${activeConfigTab === tab.id
+                          ? 'text-emerald-600 dark:text-emerald-400 border-b-2 border-emerald-600 dark:border-emerald-400 bg-white dark:bg-gray-800 shadow-sm z-10'
+                          : 'text-gray-400 dark:text-gray-500 hover:text-gray-600 dark:hover:text-gray-300 hover:bg-gray-100/50 dark:hover:bg-gray-700/30'
+                          }`}
+                  >
+                      {tab.label}
+                  </button>
+              ))}
+          </div>
+          <div className="p-6 sm:p-10 bg-gradient-to-br from-white to-gray-50/50 dark:from-gray-800 dark:to-gray-900/50">
+              {activeConfigTab === 'llm' && (
+                  <div className={sectionClass}>
+                      {renderConfigSection('llm', 'Large Language Model', 'Manage global AI providers, specialized models, and API endpoints.')}
+                  </div>
+              )}
+              {activeConfigTab === 'tts' && (
+                  <div className={sectionClass}>
+                      {renderConfigSection('tts', 'Text-to-Speech', 'Configure voice synthesis engines and region-specific endpoints.')}
+                  </div>
+              )}
+              {activeConfigTab === 'stt' && (
+                  <div className={sectionClass}>
+                      {renderConfigSection('stt', 'Speech-to-Text', 'Set up transcription services and language model defaults.')}
+                  </div>
+              )}
+          </div>
+          <div className="px-6 pb-6 flex justify-end">
+            <button
+              onClick={handleSaveConfig}
+              disabled={saving}
+              className="px-8 py-3 bg-emerald-600 hover:bg-emerald-700 text-white rounded-2xl text-xs font-black uppercase tracking-widest shadow-lg shadow-emerald-500/20 active:scale-95 transition-all flex items-center gap-2"
+            >
+              {saving ? 'Saving...' : 'Save AI Configuration'}
+              <svg className="w-4 h-4" fill="none" viewBox="0 0 24 24" stroke="currentColor"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2.5} d="M5 13l4 4L19 7" /></svg>
+            </button>
+          </div>
+        </div>
+      )}
+    </div>
+  );
+};
+
+export default AIConfigurationCard;
diff --git a/frontend/src/features/settings/components/cards/IdentityGovernanceCard.js b/frontend/src/features/settings/components/cards/IdentityGovernanceCard.js
new file mode 100644
index 0000000..18269c6
--- /dev/null
+++ b/frontend/src/features/settings/components/cards/IdentityGovernanceCard.js
@@ -0,0 +1,391 @@
+import React from 'react';
+
+const IdentityGovernanceCard = ({ context }) => {
+  const {
+      collapsedSections,
+      setCollapsedSections,
+      activeAdminTab,
+      setActiveAdminTab,
+      editingGroup,
+      setEditingGroup,
+      sortedGroups,
+      loadGroups,
+      handleDeleteGroup,
+      handleSaveGroup,
+      filteredUsers,
+      userSearch,
+      setUserSearch,
+      loadUsers,
+      usersLoading,
+      handleGroupChange,
+      handleRoleToggle,
+      saving,
+      labelClass,
+      inputClass,
+      sectionClass,
+      allGroups,
+      allNodes,
+      allSkills,
+      allUsers,
+      config,
+      providerLists,
+      userProfile
+  } = context;
+
+  if (userProfile?.role !== 'admin') return null;
+
+  return (
+    <div className="bg-white dark:bg-gray-800 rounded-3xl shadow-xl overflow-hidden border border-gray-100 dark:border-gray-700 backdrop-blur-sm transition-all duration-300">
+      <div 
+        onClick={() => setCollapsedSections(prev => ({ ...prev, identity: !prev.identity }))}
+        className="p-6 border-b border-gray-100 dark:border-gray-700 bg-gray-50/30 dark:bg-gray-800/50 cursor-pointer hover:bg-gray-100/50 dark:hover:bg-gray-700/50 transition-colors flex items-center justify-between group"
+      >
+        <div className="flex items-center gap-3">
+          <svg className={`w-6 h-6 text-indigo-500 transition-transform duration-300 ${collapsedSections.identity ? '-rotate-90' : 'rotate-0'}`} fill="none" viewBox="0 0 24 24" stroke="currentColor"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2.5} d="M12 4.354a4 4 0 110 5.292M15 21H3v-1a6 6 0 0112 0v1zm0 0h6v-1a6 6 0 00-9-5.197M13 7a4 4 0 11-8 0 4 4 0 018 0z" /></svg>
+          <div>
+            <h2 className="text-xl font-black text-gray-900 dark:text-white flex items-center gap-3 uppercase tracking-tight">
+              Identity & Access Governance
+            </h2>
+            <p className="text-[10px] text-gray-400 mt-1 uppercase font-bold tracking-widest leading-none">Manage user groups, resource whitelists, and individual account policies</p>
+          </div>
+        </div>
+        <div className="bg-indigo-50 dark:bg-indigo-950/30 p-2 rounded-xl border border-indigo-100 dark:border-indigo-900/50 group-hover:scale-110 transition-transform duration-300">
+          <svg className={`w-4 h-4 text-indigo-600 dark:text-indigo-400 transition-transform duration-300 ${collapsedSections.identity ? 'rotate-180' : 'rotate-0'}`} fill="none" viewBox="0 0 24 24" stroke="currentColor"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={3} d="M19 9l-7 7-7-7" /></svg>
+        </div>
+      </div>
+      {!collapsedSections.identity && (
+        <div className="animate-fade-in-down">
+          <div className="flex border-b border-gray-200 dark:border-gray-700 bg-gray-100/30 dark:bg-gray-800/80 overflow-x-auto no-scrollbar">
+            {[
+              { id: 'groups', label: 'Security Groups', adminOnly: true },
+              { id: 'users', label: 'User Roster', adminOnly: true }
+            ].filter(t => !t.adminOnly || userProfile?.role === 'admin').map((tab) => (
+              <button
+                key={tab.id}
+                type="button"
+                onClick={() => setActiveAdminTab(tab.id)}
+                className={`flex-1 min-w-[120px] py-4 text-[10px] font-black uppercase tracking-widest transition-all duration-200 focus:outline-none ${activeAdminTab === tab.id
+                  ? 'text-indigo-600 dark:text-indigo-400 border-b-2 border-indigo-600 dark:border-indigo-400 bg-white dark:bg-gray-800 shadow-sm z-10'
+                  : 'text-gray-400 dark:text-gray-500 hover:text-gray-600 dark:hover:text-gray-300 hover:bg-gray-100/50 dark:hover:bg-gray-700/30'
+                  }`}
+              >
+                {tab.label}
+              </button>
+            ))}
+          </div>
+
+          <div className="p-6 sm:p-10 bg-gradient-to-br from-white to-gray-50/50 dark:from-gray-800 dark:to-gray-900/50">
+            {/* Groups Management */}
+            {activeAdminTab === 'groups' && (
+              <div className={sectionClass}>
+                {!editingGroup ? (
+                  <div className="animate-fade-in space-y-6">
+                    <div className="flex flex-col sm:flex-row items-center justify-between gap-4">
+                      <div>
+                        <h3 className="text-lg font-black text-gray-900 dark:text-white uppercase tracking-wider">Governed Policy Groups</h3>
+                        <p className="text-[10px] text-gray-500 font-bold uppercase tracking-widest mt-1">Define resource whitelists for teams and users</p>
+                      </div>
+                      <button
+                        onClick={() => {
+                          const newPolicy = { llm: [], tts: [], stt: [], nodes: [], skills: [] };
+                          setEditingGroup({ id: 'new', name: '', description: '', policy: newPolicy });
+                        }}
+                        className="px-6 py-2.5 bg-indigo-600 text-white rounded-xl text-[10px] font-black uppercase tracking-widest shadow-lg shadow-indigo-200 dark:shadow-none hover:bg-indigo-700 transition-all flex items-center gap-2"
+                      >
+                        <svg className="w-4 h-4" fill="none" viewBox="0 0 24 24" stroke="currentColor"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2.5} d="M12 4v16m8-8H4" /></svg>
+                        Create Group
+                      </button>
+                    </div>
+
+                    <div className="grid grid-cols-1 gap-4">
+                      {sortedGroups.map(g => (
+                        <div key={g.id} className="p-5 border border-gray-100 dark:border-gray-700 rounded-3xl bg-white dark:bg-gray-800/80 hover:border-indigo-200 dark:hover:border-indigo-800 transition-all group flex flex-col sm:flex-row items-center justify-between gap-4 shadow-sm hover:shadow-md">
+                          <div className="flex items-center gap-4 flex-1">
+                            <div className="w-12 h-12 rounded-2xl bg-indigo-50 dark:bg-indigo-900/30 flex items-center justify-center text-indigo-600 dark:text-indigo-400 border border-indigo-100 dark:border-indigo-900/50 font-black text-xl">
+                              {g.name[0].toUpperCase()}
+                            </div>
+                            <div>
+                              <div className="flex items-center gap-2">
+                                <h4 className="text-sm font-black text-gray-900 dark:text-white uppercase tracking-tight">{g.id === 'ungrouped' ? 'Ungrouped (Default)' : g.name}</h4>
+                                {g.id === 'ungrouped' && <span className="text-[8px] font-black uppercase bg-gray-100 dark:bg-gray-700 text-gray-500 px-1.5 py-0.5 rounded-full">System</span>}
+                              </div>
+                              <p className="text-xs text-gray-400 mt-1 line-clamp-1">{g.description || 'No description provided.'}</p>
+                              <div className="flex items-center gap-3 mt-2">
+                                {['llm', 'tts', 'stt', 'nodes', 'skills'].map(section => (
+                                  <div key={section} className="flex -space-x-1.5 overflow-hidden">
+                                    {(g.policy?.[section] || []).length > 0 ? (
+                                      (g.policy?.[section] || []).slice(0, 3).map(p => (
+                                        <div key={p} className={`w-5 h-5 rounded-full ${section === 'nodes' ? 'bg-emerald-100 dark:bg-emerald-900 text-emerald-600 dark:text-emerald-400' : (section === 'skills' ? 'bg-amber-100 dark:bg-amber-900 text-amber-600 dark:text-amber-400' : 'bg-indigo-100 dark:bg-indigo-900 text-indigo-600 dark:text-indigo-400')} border-2 border-white dark:border-gray-800 flex items-center justify-center text-[8px] font-bold`} title={p}>
+                                          {p[0].toUpperCase()}
+                                        </div>
+                                      ))
+                                    ) : (
+                                      <span className="text-[10px] text-gray-400 italic">None</span>
+                                    )}
+                                    {g.policy?.[section]?.length > 3 && (
+                                      <div className="w-5 h-5 rounded-full bg-gray-100 dark:bg-gray-700 border-2 border-white dark:border-gray-800 flex items-center justify-center text-[8px] font-bold text-gray-500">
+                                        +{g.policy?.[section].length - 3}
+                                      </div>
+                                    )}
+                                  </div>
+                                ))}
+                              </div>
+                            </div>
+                          </div>
+                          <div className="flex gap-2">
+                            <button
+                              type="button"
+                              onClick={() => setEditingGroup(g)}
+                              className="p-2 text-indigo-600 hover:bg-indigo-50 dark:hover:bg-indigo-900/30 rounded-lg transition-colors"
+                            >
+                              <svg className="w-5 h-5" fill="none" viewBox="0 0 24 24" stroke="currentColor"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M15.232 5.232l3.536 3.536m-2.036-5.036a2.5 2.5 0 113.536 3.536L6.5 21.036H3v-3.572L16.732 3.732z" /></svg>
+                            </button>
+                            {g.id !== 'ungrouped' && (
+                              <button
+                                type="button"
+                                onClick={() => handleDeleteGroup?.(g.id)}
+                                className="p-2 text-red-500 hover:bg-red-50 dark:hover:bg-red-900/30 rounded-lg transition-colors"
+                              >
+                                <svg className="w-5 h-5" fill="none" viewBox="0 0 24 24" stroke="currentColor"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M19 7l-.867 12.142A2 2 0 0116.138 21H7.862a2 2 0 01-1.995-1.858L5 7m5 4v6m4-6v6m1-10V4a1 1 0 00-1-1h-4a1 1 0 00-1 1v3M4 7h16" /></svg>
+                              </button>
+                            )}
+                          </div>
+                        </div>
+                      ))}
+                    </div>
+                  </div>
+                ) : (
+                  <div className="animate-fade-in space-y-6">
+                    {/* (Group editing form - unchanged logic, just cleaner container) */}
+                    <div className="flex items-center gap-4">
+                      <button type="button" onClick={() => setEditingGroup(null)} className="p-2 text-gray-400 hover:text-gray-600 dark:hover:text-gray-200">
+                        <svg className="w-6 h-6" fill="none" viewBox="0 0 24 24" stroke="currentColor"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M10 19l-7-7m0 0l7-7m-7 7h18" /></svg>
+                      </button>
+                      <h3 className="text-xl font-black text-gray-900 dark:text-white">
+                        {editingGroup.id === 'new' ? 'New Group Policy' : `Edit: ${editingGroup.id === 'ungrouped' ? 'Standard / Guest Policy' : editingGroup.name}`}
+                      </h3>
+                      {editingGroup.id === 'ungrouped' && (
+                        <span className="text-[10px] font-black uppercase tracking-widest text-amber-700 dark:text-amber-400 py-1 px-2.5 bg-amber-100/60 dark:bg-amber-900/30 border border-amber-200 dark:border-amber-800 rounded-full flex items-center gap-1">
+                          <svg className="w-3 x-3" fill="currentColor" viewBox="0 0 20 20"><path fillRule="evenodd" d="M5 9V7a5 5 0 0110 0v2a2 2 0 012 2v5a2 2 0 01-2 2H5a2 2 0 01-2-2v-5a2 2 0 012-2zm8-2v2H7V7a3 3 0 016 0z" clipRule="evenodd" /></svg>
+                          System Group
+                        </span>
+                      )}
+                    </div>
+
+                    <div className="bg-gray-50/50 dark:bg-gray-900/30 p-6 rounded-3xl border border-gray-100 dark:border-gray-700 space-y-6">
+                      <div className="grid grid-cols-1 sm:grid-cols-2 gap-6">
+                        <div>
+                          <label className={labelClass}>Group Name</label>
+                          <input
+                            value={editingGroup.id === 'ungrouped' ? 'Ungrouped (System Default)' : editingGroup.name}
+                            onChange={e => editingGroup.id !== 'ungrouped' && setEditingGroup({ ...editingGroup, name: e.target.value })}
+                            readOnly={editingGroup.id === 'ungrouped'}
+                            placeholder="Engineering, Designers, etc."
+                            className={`${inputClass} ${editingGroup.id === 'ungrouped'
+                              ? 'opacity-60 cursor-not-allowed bg-gray-100 dark:bg-gray-700 text-gray-500 dark:text-gray-400'
+                              : (editingGroup.name.trim() &&
+                                allGroups.some(g => g.id !== editingGroup.id && g.name.toLowerCase() === editingGroup.name.trim().toLowerCase())
+                                ? '!border-red-400 dark:!border-red-600 !ring-red-300'
+                                : '')
+                              }`}
+                          />
+                          {editingGroup.id === 'ungrouped' ? (
+                            <p className="mt-1.5 text-xs text-amber-600 dark:text-amber-400 font-medium flex items-center gap-1">
+                              <svg className="w-3.5 h-3.5" fill="currentColor" viewBox="0 0 20 20"><path fillRule="evenodd" d="M5 9V7a5 5 0 0110 0v2a2 2 0 012 2v5a2 2 0 01-2 2H5a2 2 0 01-2-2v-5a2 2 0 012-2zm8-2v2H7V7a3 3 0 016 0z" clipRule="evenodd" /></svg>
+                            System group name is locked. Only the access policy can be changed.
+                          </p>
+                          ) : editingGroup.name.trim() &&
+                            allGroups.some(g => g.id !== editingGroup.id && g.name.toLowerCase() === editingGroup.name.trim().toLowerCase()) && (
+                            <p className="mt-1.5 text-xs font-semibold text-red-500 flex items-center gap-1">
+                              <svg className="w-3.5 h-3.5" fill="currentColor" viewBox="0 0 20 20"><path fillRule="evenodd" d="M18 10a8 8 0 11-16 0 8 8 0 0116 0zm-7 4a1 1 0 11-2 0 1 1 0 012 0zm-1-9a1 1 0 00-1 1v4a1 1 0 102 0V6a1 1 0 00-1-1z" clipRule="evenodd" /></svg>
+                              A group with this name already exists
+                            </p>
+                          )}
+                        </div>
+                        <div>
+                          <label className={labelClass}>Description</label>
+                          <input
+                            value={editingGroup.description || ''}
+                            onChange={e => setEditingGroup({ ...editingGroup, description: e.target.value })}
+                            placeholder="Short description of this group..."
+                            className={inputClass}
+                          />
+                        </div>
+                      </div>
+
+                      <div className="border-t border-gray-200 dark:border-gray-700 pt-6">
+                        <label className="text-sm font-black uppercase tracking-widest text-gray-500 mb-4 block">Provider Access Policy (Whitelists)</label>
+
+                        <div className="grid grid-cols-1 gap-8">
+                          {['llm', 'tts', 'stt', 'nodes', 'skills'].map(section => (
+                            <div key={section} className="space-y-3">
+                              <div className="flex items-center justify-between mb-2">
+                                <span className="text-[10px] font-black uppercase tracking-widest text-gray-400">{section === 'nodes' ? 'Accessible Nodes' : `${section} Access`}</span>
+                                <div className="flex gap-2">
+                                  <button type="button" onClick={() => {
+                                    let availableIds = [];
+                                    if (section === 'nodes') {
+                                      availableIds = allNodes.map(n => n.node_id);
+                                    } else if (section === 'skills') {
+                                      availableIds = allSkills.filter(s => !s.is_system).map(s => s.name);
+                                    } else {
+                                      availableIds = config[section]?.providers ? Object.keys(config[section].providers) : [];
+                                    }
+                                    setEditingGroup({ ...editingGroup, policy: { ...editingGroup.policy, [section]: availableIds } })
+                                  }} className="text-[10px] font-bold text-indigo-600 dark:text-indigo-400 hover:underline">Select All</button>
+                                  <button type="button" onClick={() => setEditingGroup({ ...editingGroup, policy: { ...editingGroup.policy, [section]: [] } })} className="text-[10px] font-bold text-red-600 dark:text-red-400 hover:underline">Clear</button>
+                                </div>
+                              </div>
+                              <div className="grid grid-cols-2 sm:grid-cols-3 gap-2">
+                                {(section === 'nodes' ? allNodes.map(n => ({ id: n.node_id, label: n.display_name })) :
+                                  (section === 'skills' ? allSkills.filter(s => !s.is_system).map(s => ({ id: s.name, label: s.name })) :
+                                    (config[section]?.providers ? Object.keys(config[section].providers) : []).map(pId => {
+                                      const baseType = pId.split('_')[0];
+                                      const baseDef = providerLists[section].find(ld => ld.id === baseType || ld.id === pId);
+                                      return { id: pId, label: baseDef ? (pId.includes('_') ? `${baseDef.label} (${pId.split('_').slice(1).join('_')})` : baseDef.label) : pId };
+                                    }))).map(item => {
+                                      const isChecked = (editingGroup.policy?.[section] || []).includes(item.id);
+                                      return (
+                                        <label key={item.id} className={`flex items-center gap-2 px-3 py-2 rounded-xl border cursor-pointer transition-all ${isChecked ? 'bg-indigo-50 dark:bg-indigo-900/30 border-indigo-200 dark:border-indigo-800' : 'border-gray-100 dark:border-gray-700 hover:bg-gray-50 dark:hover:bg-gray-800/50'}`}>
+                                          <input
+                                            type="checkbox"
+                                            checked={isChecked}
+                                            onChange={(e) => {
+                                              const current = editingGroup.policy?.[section] || [];
+                                              const next = e.target.checked ? [...current, item.id] : current.filter(x => x !== item.id);
+                                              setEditingGroup({ ...editingGroup, policy: { ...editingGroup.policy, [section]: next } });
+                                            }}
+                                            className="rounded border-gray-300 dark:border-gray-600 text-indigo-600 focus:ring-indigo-500"
+                                          />
+                                          <span className="text-[11px] font-bold text-gray-700 dark:text-gray-300 truncate" title={item.label}>{item.label}</span>
+                                        </label>
+                                      );
+                                    })}
+                              </div>
+                              {section === 'nodes' && allNodes.length === 0 && (
+                                <p className="text-[10px] text-gray-400 italic">No agent nodes registered yet.</p>
+                              )}
+                            </div>
+                          ))}
+                        </div>
+
+                        <div className="flex justify-end gap-3 pt-4">
+                          <button type="button" onClick={() => setEditingGroup(null)} className="px-6 py-2 rounded-xl text-sm font-bold text-gray-500 hover:bg-gray-100 dark:hover:bg-gray-800 transition-colors">Cancel</button>
+                          <button type="button" onClick={handleSaveGroup} disabled={saving || !editingGroup.name || allGroups.some(g => g.id !== editingGroup.id && g.name.toLowerCase() === editingGroup.name.trim().toLowerCase())} className="px-8 py-2 bg-indigo-600 text-white rounded-xl text-sm font-black uppercase tracking-widest shadow-lg shadow-indigo-200 dark:shadow-indigo-900/50 hover:bg-indigo-700 disabled:opacity-50 transition-all">
+                            {saving ? 'Saving...' : 'Save Group'}
+                          </button>
+                        </div>
+                      </div>
+                    </div>
+                  </div>
+                )}
+              </div>
+            )}
+
+            {/* Users Management */}
+            {activeAdminTab === 'users' && (
+              <div className={sectionClass}>
+                <div className="space-y-6">
+                  <div className="flex flex-col sm:flex-row items-center justify-between gap-4">
+                    <h3 className="text-lg font-black flex items-center gap-3 text-gray-900 dark:text-white">
+                      Active Roster
+                      <span className="text-[10px] py-0.5 px-2 bg-gray-100 dark:bg-gray-700 text-gray-400 rounded-full">{filteredUsers.length}</span>
+                    </h3>
+                    <div className="flex items-center gap-3 w-full sm:w-auto">
+                      <div className="relative flex-1 sm:min-w-[250px]">
+                        <input
+                          type="text"
+                          value={userSearch}
+                          onChange={e => setUserSearch(e.target.value)}
+                          placeholder="Search by name, email..."
+                          className="w-full text-xs p-2.5 pl-9 bg-white dark:bg-gray-800 border border-gray-200 dark:border-gray-700 rounded-xl focus:ring-2 focus:ring-indigo-500 outline-none transition-all"
+                        />
+                        <svg className="w-4 h-4 text-gray-400 absolute left-3 top-1/2 -translate-y-1/2" fill="none" viewBox="0 0 24 24" stroke="currentColor"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2.5} d="M21 21l-6-6m2-5a7 7 0 11-14 0 7 7 0 0114 0z" /></svg>
+                      </div>
+                      <button onClick={loadUsers} className="p-2.5 text-indigo-600 hover:bg-indigo-50 dark:hover:bg-indigo-900/30 border border-gray-200 dark:border-gray-700 bg-white dark:bg-gray-800 rounded-xl transition-colors">
+                        <svg className={`w-4 h-4 ${usersLoading ? 'animate-spin' : ''}`} fill="none" viewBox="0 0 24 24" stroke="currentColor"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M4 4v5h.582m15.356 2A8.001 8.001 0 004.582 9m0 0H9m11 11v-5h-.581m0 0a8.003 8.003 0 01-15.357-2m15.357 2H15" /></svg>
+                      </button>
+                    </div>
+                  </div>
+                  <div className="overflow-hidden border border-gray-100 dark:border-gray-700 rounded-2xl shadow-sm bg-gray-50/50 dark:bg-gray-900/30">
+                    <table className="w-full text-left border-collapse">
+                      <thead className="bg-white dark:bg-gray-800">
+                        <tr>
+                          <th className="px-6 py-4 text-[9px] font-black uppercase tracking-widest text-gray-500">Member</th>
+                          <th className="px-6 py-4 text-[9px] font-black uppercase tracking-widest text-gray-500">Policy Group</th>
+                          <th className="px-6 py-4 text-[9px] font-black uppercase tracking-widest text-gray-500">Activity Auditing</th>
+                          <th className="px-6 py-4 text-[9px] font-black uppercase tracking-widest text-gray-500 text-right">Actions</th>
+                        </tr>
+                      </thead>
+                      <tbody className="divide-y divide-gray-100 dark:divide-gray-800">
+                        {filteredUsers.map((u) => (
+                          <tr key={u.id} className="hover:bg-white dark:hover:bg-gray-800/50 transition-colors">
+                            <td className="px-6 py-4">
+                              <div className="flex items-center gap-3">
+                                <div className={`w-8 h-8 rounded-full flex items-center justify-center text-[10px] font-black ${u.role === 'admin' ? 'bg-indigo-100 text-indigo-700 dark:bg-indigo-900/40 dark:text-indigo-300' : 'bg-gray-100 text-gray-700 dark:bg-gray-700 dark:text-gray-300'}`}>
+                                  {(u.username || u.email || '?')[0].toUpperCase()}
+                                </div>
+                                <div>
+                                  <p className="text-xs font-black text-gray-900 dark:text-white truncate max-w-[150px]">{u.username || u.email}</p>
+                                  <p className="text-[10px] text-gray-400 font-bold uppercase tracking-tight">{u.role}</p>
+                                </div>
+                              </div>
+                            </td>
+                            <td className="px-6 py-4">
+                              <select
+                                value={u.group_id || 'ungrouped'}
+                                onChange={(e) => handleGroupChange(u.id, e.target.value)}
+                                className="text-xs p-1.5 bg-white dark:bg-gray-800 border border-gray-200 dark:border-gray-700 rounded-lg outline-none focus:ring-1 focus:ring-indigo-500 transition-all font-bold text-gray-600 dark:text-gray-300 min-w-[150px]"
+                              >
+                                {sortedGroups.map(g => (
+                                  <option key={g.id} value={g.id}>
+                                    {g.id === 'ungrouped' ? 'Standard / Guest' : g.name}
+                                  </option>
+                                ))}
+                              </select>
+                            </td>
+                            <td className="px-6 py-4">
+                              <div className="space-y-1">
+                                <div className="flex items-center gap-1.5">
+                                  <span className="text-[9px] font-black uppercase text-gray-400">Join:</span>
+                                  <span className="text-[10px] font-bold text-gray-600 dark:text-gray-300">{new Date(u.created_at).toLocaleDateString()}</span>
+                                </div>
+                                <div className="flex items-center gap-1.5">
+                                  <span className="text-[9px] font-black uppercase text-gray-400">Last:</span>
+                                  <span className="text-[10px] font-bold text-indigo-600 dark:text-indigo-400">
+                                    {u.last_login_at ? new Date(u.last_login_at).toLocaleDateString() : 'Never'}
+                                  </span>
+                                </div>
+                              </div>
+                            </td>
+                            <td className="px-6 py-4 text-right">
+                              <button
+                                type="button"
+                                onClick={(e) => { e.preventDefault(); handleRoleToggle(u); }}
+                                className={`text-[9px] font-black uppercase tracking-widest transition-all ${u.role === 'admin'
+                                  ? 'text-red-600 hover:text-red-700'
+                                  : 'text-indigo-600 hover:text-indigo-700'
+                                  }`}
+                              >
+                                {u.role === 'admin' ? 'Demote' : 'Promote'}
+                              </button>
+                            </td>
+                          </tr>
+                        ))}
+                      </tbody>
+                    </table>
+                    {allUsers.length === 0 && !usersLoading && (
+                      <div className="p-12 text-center text-gray-400 italic text-sm">No other users found.</div>
+                    )}
+                  </div>
+                </div>
+              </div>
+            )}
+          </div>
+        </div>
+      )}
+    </div>
+  );
+};
+
+export default IdentityGovernanceCard;
diff --git a/frontend/src/features/settings/components/cards/NetworkIdentityCard.js b/frontend/src/features/settings/components/cards/NetworkIdentityCard.js
new file mode 100644
index 0000000..31908cf
--- /dev/null
+++ b/frontend/src/features/settings/components/cards/NetworkIdentityCard.js
@@ -0,0 +1,227 @@
+import React from 'react';
+
+const NetworkIdentityCard = ({ context }) => {
+  const {
+      collapsedSections,
+      setCollapsedSections,
+      adminConfig,
+      setAdminConfig,
+      handleSaveAdminConfig,
+      fileInputRef,
+      handleTestConnection,
+      testingConnection,
+      userProfile,
+      labelClass,
+      inputClass
+  } = context;
+
+  if (userProfile?.role !== 'admin') return null;
+
+  return (
+    <div className="bg-white dark:bg-gray-800 rounded-3xl shadow-xl overflow-hidden border border-gray-100 dark:border-gray-700 backdrop-blur-sm transition-all duration-300">
+      <div 
+        onClick={() => setCollapsedSections(prev => ({ ...prev, infrastructure: !prev.infrastructure }))}
+        className="p-6 border-b border-gray-100 dark:border-gray-700 bg-gray-50/30 dark:bg-gray-800/50 cursor-pointer hover:bg-gray-100/50 dark:hover:bg-gray-700/50 transition-colors flex items-center justify-between group"
+      >
+        <div className="flex items-center gap-3">
+          <svg className={`w-6 h-6 text-amber-500 transition-transform duration-300 ${collapsedSections.infrastructure ? '-rotate-90' : 'rotate-0'}`} fill="none" viewBox="0 0 24 24" stroke="currentColor"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2.5} d="M10.325 4.317c.426-1.756 2.924-1.756 3.35 0a1.724 1.724 0 002.573 1.066c1.543-.94 3.31.826 2.37 2.37a1.724 1.724 0 001.065 2.572c1.756.426 1.756 2.924 0 3.35a1.724 1.724 0 00-1.066 2.573c.94 1.543-.826 3.31-2.37 2.37a1.724 1.724 0 00-2.572 1.065c-.426 1.756-2.924 1.756-3.35 0a1.724 1.724 0 00-2.573-1.1c-1.543.94-3.31-.826-2.37-2.37a1.724 1.724 0 00-1.065-2.572c-1.756-.426-1.756-2.924 0-3.35a1.724 1.724 0 001.066-2.573c-.94-1.543.826-3.31 2.37-2.37.996.608 2.296.07 2.572-1.065z" /><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2.5} d="M15 12a3 3 0 11-6 0 3 3 0 016 0z" /></svg>
+          <div>
+            <h2 className="text-xl font-black text-gray-900 dark:text-white flex items-center gap-3 uppercase tracking-tight">
+              Network Access & External Identity
+            </h2>
+            <p className="text-[10px] text-gray-400 mt-1 uppercase font-bold tracking-widest leading-none">Manage authentication protocols, SSO, and swarm deployment endpoints</p>
+          </div>
+        </div>
+        <div className="bg-amber-50 dark:bg-amber-950/30 p-2 rounded-xl border border-amber-100 dark:border-amber-900/50 group-hover:scale-110 transition-transform duration-300">
+          <svg className={`w-4 h-4 text-amber-600 dark:text-amber-400 transition-transform duration-300 ${collapsedSections.infrastructure ? 'rotate-180' : 'rotate-0'}`} fill="none" viewBox="0 0 24 24" stroke="currentColor"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={3} d="M19 9l-7 7-7-7" /></svg>
+        </div>
+      </div>
+
+      {!collapsedSections.infrastructure && (
+        <div className="animate-fade-in-down">
+          <div className="p-8 sm:p-12 space-y-12">
+            {/* Access Security Model */}
+            <div className="space-y-8">
+              <div className="flex flex-col md:flex-row md:items-center justify-between gap-6 p-6 bg-indigo-50/30 dark:bg-indigo-900/10 rounded-3xl border border-indigo-100/50 dark:border-indigo-900/30">
+                <div className="max-w-2xl">
+                  <h3 className="text-xl font-black text-gray-900 dark:text-white flex items-center gap-3 lowercase italic opacity-80 mb-2">
+                    <svg className="w-5 h-5 text-indigo-500" fill="none" viewBox="0 0 24 24" stroke="currentColor"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2.5} d="M12 15v2m-6 4h12a2 2 0 002-2v-6a2 2 0 00-2-2H6a2 2 0 00-2 2v6a2 2 0 002 2zm10-10V7a4 4 0 00-8 0v4h8z" /></svg>
+                    Access Security Model
+                  </h3>
+                  <p className="text-sm text-gray-400 font-bold uppercase tracking-wider leading-relaxed">
+                    Mutual Exclusivity: Enabling OIDC automatically disables local password login to ensure enterprise SSO compliance.
+                  </p>
+                </div>
+                <div className="flex flex-col gap-3 min-w-[200px]">
+                   <button
+                     type="button"
+                     onClick={() => handleSaveAdminConfig('app', { ...(adminConfig.app || {}), allow_password_login: !adminConfig.app?.allow_password_login })}
+                     className={`w-full px-6 py-3 rounded-2xl text-[10px] font-black uppercase tracking-widest transition-all ${adminConfig.app?.allow_password_login ? 'bg-indigo-600 text-white shadow-lg shadow-indigo-500/20' : 'bg-gray-100 dark:bg-gray-800 text-gray-400 dark:text-gray-500'}`}
+                   >
+                     {adminConfig.app?.allow_password_login ? 'Local Password Enabled' : 'Local Password Prohibited'}
+                   </button>
+                   <button
+                     type="button"
+                     onClick={() => handleSaveAdminConfig('oidc', { ...(adminConfig.oidc || {}), enabled: !adminConfig.oidc?.enabled })}
+                     className={`w-full px-6 py-3 rounded-2xl text-[10px] font-black uppercase tracking-widest transition-all ${adminConfig.oidc?.enabled ? 'bg-emerald-600 text-white shadow-lg shadow-emerald-500/20' : 'bg-gray-100 dark:bg-gray-800 text-gray-400 dark:text-gray-500'}`}
+                   >
+                     {adminConfig.oidc?.enabled ? 'OIDC/SSO Integration Active' : 'OIDC/SSO Disabled'}
+                   </button>
+                </div>
+              </div>
+            </div>
+
+            {/* OIDC Details */}
+            <div className="space-y-6 pt-10 border-t border-gray-100 dark:border-gray-700">
+              <div className="flex items-center justify-between">
+                <div>
+                  <h3 className="text-lg font-black text-gray-900 dark:text-white uppercase tracking-tight">
+                    OIDC Configuration Details
+                  </h3>
+                  <p className="text-[10px] text-gray-400 font-bold uppercase tracking-widest mt-1">Enterprise Social Login & Identity Synchronization</p>
+                </div>
+                <div className="flex items-center gap-4">
+                  <button
+                    type="button"
+                    disabled={testingConnection === 'oidc'}
+                    onClick={() => handleTestConnection('oidc')}
+                    className="px-4 py-2 bg-indigo-50 dark:bg-indigo-900/30 text-indigo-600 dark:text-indigo-400 rounded-xl text-[10px] font-black uppercase tracking-widest hover:bg-indigo-100 dark:hover:bg-indigo-900/50 transition-all border border-indigo-100 dark:border-indigo-800"
+                  >
+                    {testingConnection === 'oidc' ? 'Verifying...' : 'Test Connection'}
+                  </button>
+                </div>
+              </div>
+              
+              {/* Local Connection Feedback */}
+              {testingConnection === 'oidc' && (
+                <div className="text-[10px] font-bold text-indigo-500 animate-pulse uppercase tracking-widest">
+                  Attempting to discover OIDC provider configuration...
+                </div>
+              )}
+
+              <div className="grid grid-cols-1 md:grid-cols-2 gap-6 bg-gray-50/50 dark:bg-gray-900/30 p-6 rounded-3xl border border-gray-100 dark:border-gray-700">
+                <div className="space-y-1.5">
+                  <label className={labelClass}>Client ID</label>
+                  <input
+                    type="text"
+                    id="oidc_client_id"
+                    name="oidc_client_id"
+                    value={adminConfig.oidc?.client_id || ''}
+                    onChange={e => setAdminConfig({...adminConfig, oidc: {...adminConfig.oidc, client_id: e.target.value}})}
+                    className={inputClass}
+                    placeholder="e.g. 123456789.apps.googleusercontent.com"
+                    autoComplete="off"
+                  />
+                </div>
+                <div className="space-y-1.5">
+                  <label className={labelClass}>Client Secret</label>
+                  <input
+                    type="password"
+                    id="oidc_client_secret"
+                    name="oidc_client_secret"
+                    value={adminConfig.oidc?.client_secret || ''}
+                    onChange={e => setAdminConfig({...adminConfig, oidc: {...adminConfig.oidc, client_secret: e.target.value}})}
+                    className={inputClass}
+                    placeholder="••••••••••••••••"
+                    autoComplete="new-password"
+                  />
+                </div>
+                <div className="space-y-1.5">
+                  <label className={labelClass}>Discovery / Server URL</label>
+                  <input
+                    type="text"
+                    id="oidc_server_url"
+                    name="oidc_server_url"
+                    value={adminConfig.oidc?.server_url || ''}
+                    onChange={e => setAdminConfig({...adminConfig, oidc: {...adminConfig.oidc, server_url: e.target.value}})}
+                    className={inputClass}
+                    placeholder="https://accounts.google.com"
+                    autoComplete="off"
+                  />
+                </div>
+                <div className="space-y-1.5">
+                  <label className={labelClass}>Redirect URI</label>
+                  <input
+                    type="text"
+                    id="oidc_redirect_uri"
+                    name="oidc_redirect_uri"
+                    value={adminConfig.oidc?.redirect_uri || ''}
+                    onChange={e => setAdminConfig({...adminConfig, oidc: {...adminConfig.oidc, redirect_uri: e.target.value}})}
+                    className={inputClass}
+                    placeholder="https://ai.example.com/login/callback"
+                    autoComplete="off"
+                  />
+                </div>
+                <div className="md:col-span-2 flex justify-end">
+                  <button
+                    type="button"
+                    onClick={() => handleSaveAdminConfig('oidc', adminConfig.oidc)}
+                    className="px-6 py-2 bg-indigo-600 text-white rounded-xl text-[10px] font-black uppercase tracking-widest shadow-md hover:bg-indigo-700 transition-all font-sans"
+                  >
+                    Save OIDC Settings
+                  </button>
+                </div>
+              </div>
+            </div>
+
+            {/* Swarm Details */}
+            <div className="space-y-6 pt-10 border-t border-gray-100 dark:border-gray-700">
+              <div className="flex items-center justify-between">
+                <div>
+                  <h3 className="text-lg font-black text-gray-900 dark:text-white flex items-center gap-2 uppercase tracking-tight">
+                    Swarm Access Configuration
+                  </h3>
+                  <p className="text-[10px] text-gray-400 font-bold uppercase tracking-widest mt-1">Infrastructure gRPC Connectivity & Discovery</p>
+                </div>
+                <div className="flex items-center gap-2">
+                   <button
+                     type="button"
+                     disabled={testingConnection === 'swarm'}
+                     onClick={() => handleTestConnection('swarm')}
+                     className="px-4 py-2 bg-indigo-50 dark:bg-indigo-900/30 text-indigo-600 dark:text-indigo-400 rounded-xl text-[10px] font-black uppercase tracking-widest hover:bg-indigo-100 dark:hover:bg-indigo-900/50 transition-all border border-indigo-100 dark:border-indigo-800"
+                   >
+                     {testingConnection === 'swarm' ? 'Verifying...' : 'Test Connection'}
+                   </button>
+                </div>
+              </div>
+
+              {testingConnection === 'swarm' && (
+                <div className="text-[10px] font-bold text-indigo-500 animate-pulse uppercase tracking-widest">
+                  Pinging Swarm external endpoint...
+                </div>
+              )}
+
+              <div className="grid grid-cols-1 md:grid-cols-1 gap-6 bg-gray-50/50 dark:bg-gray-900/30 p-6 rounded-3xl border border-gray-100 dark:border-gray-700">
+                <div className="space-y-1.5">
+                  <label className={labelClass}>External Endpoint</label>
+                  <p className="text-[10px] text-gray-400 mb-2 italic font-medium">Protocol (http/https) implicitly determines TLS mode.</p>
+                  <input
+                    type="text"
+                    id="swarm_external_endpoint"
+                    name="swarm_external_endpoint"
+                    value={adminConfig.swarm?.external_endpoint || ''}
+                    onChange={e => setAdminConfig({...adminConfig, swarm: {...adminConfig.swarm, external_endpoint: e.target.value}})}
+                    className={inputClass}
+                    placeholder="https://swarm.example.com:443"
+                    autoComplete="off"
+                  />
+                </div>
+                <div className="flex justify-end pt-2">
+                  <button
+                    type="button"
+                    onClick={() => handleSaveAdminConfig('swarm', adminConfig.swarm)}
+                    className="px-6 py-2 bg-indigo-600 text-white rounded-xl text-[10px] font-black uppercase tracking-widest shadow-md hover:bg-indigo-700 transition-all font-sans"
+                  >
+                    Update Swarm Endpoint
+                  </button>
+                </div>
+              </div>
+            </div>
+          </div>
+        </div>
+      )}
+    </div>
+  );
+};
+
+export default NetworkIdentityCard;
diff --git a/frontend/src/features/settings/components/shared/ProviderPanel.js b/frontend/src/features/settings/components/shared/ProviderPanel.js
new file mode 100644
index 0000000..f8be052
--- /dev/null
+++ b/frontend/src/features/settings/components/shared/ProviderPanel.js
@@ -0,0 +1,112 @@
+import React from 'react';
+
+const ProviderPanel = ({ 
+  id, 
+  prefs, 
+  sectionKey, 
+  status, 
+  providers,
+  expandedProvider,
+  setExpandedProvider,
+  verifying,
+  handleVerifyProvider,
+  handleDeleteProvider,
+  handleConfigChange,
+  labelClass,
+  inputClass,
+  fetchedModels
+}) => {
+  const isExpanded = expandedProvider === `${sectionKey}_${id}`;
+  const providerType = prefs.provider_type || id.split('_')[0];
+  const isVerifying = verifying === `${sectionKey}_${id}`;
+
+  return (
+    <div className={`bg-white dark:bg-gray-800 border ${isExpanded ? 'border-indigo-300 dark:border-indigo-700 ring-4 ring-indigo-50 dark:ring-indigo-900/20' : 'border-gray-100 dark:border-gray-700'} rounded-3xl overflow-hidden shadow-sm transition-all duration-300`}>
+      <div
+        className={`px-6 py-5 flex items-center justify-between cursor-pointer hover:bg-gray-50 dark:hover:bg-gray-700/50 transition-colors ${status === 'error' ? 'bg-red-50/30 dark:bg-red-900/10' : ''}`}
+        onClick={() => setExpandedProvider(isExpanded ? null : `${sectionKey}_${id}`)}
+      >
+        <div className="flex items-center gap-4">
+          <div className={`w-10 h-10 rounded-2xl flex items-center justify-center font-black text-xs ${status === 'success' ? 'bg-emerald-100 text-emerald-700 dark:bg-emerald-900/40 dark:text-emerald-300' : (status === 'error' ? 'bg-red-100 text-red-700 dark:bg-red-900/40 dark:text-red-300' : 'bg-gray-100 text-gray-500 dark:bg-gray-700 dark:text-gray-400')}`}>
+            {id.substring(0, 2).toUpperCase()}
+          </div>
+          <div>
+            <h4 className="font-black text-gray-900 dark:text-white uppercase tracking-tight flex items-center gap-2">
+              {id}
+              {status === 'success' && <svg className="w-4 h-4 text-emerald-500" fill="currentColor" viewBox="0 0 20 20"><path fillRule="evenodd" d="M10 18a8 8 0 100-16 8 8 0 000 16zm3.707-9.293a1 1 0 00-1.414-1.414L9 10.586 7.707 9.293a1 1 0 00-1.414 1.414l2 2a1 1 0 001.414 0l4-4z" clipRule="evenodd" /></svg>}
+              {status === 'error' && <svg className="w-4 h-4 text-red-500" fill="currentColor" viewBox="0 0 20 20"><path fillRule="evenodd" d="M18 10a8 8 0 11-16 0 8 8 0 0116 0zm-7 4a1 1 0 11-2 0 1 1 0 012 0zm-1-9a1 1 0 00-1 1v4a1 1 0 102 0V6a1 1 0 00-1-1z" clipRule="evenodd" /></svg>}
+            </h4>
+            <p className="text-[10px] text-gray-400 font-bold uppercase tracking-widest">{providerType}</p>
+          </div>
+        </div>
+        <div className="flex items-center gap-3">
+          <button
+            onClick={(e) => { e.stopPropagation(); handleVerifyProvider(sectionKey, id, prefs); }}
+            disabled={isVerifying}
+            className={`px-3 py-1.5 rounded-lg text-[9px] font-black uppercase tracking-widest transition-all ${isVerifying ? 'bg-gray-100 text-gray-400 animate-pulse' : 'bg-indigo-50 text-indigo-600 hover:bg-indigo-100 dark:bg-indigo-900/30 dark:text-indigo-400'}`}
+          >
+            {isVerifying ? 'Verifying...' : 'Test Connection'}
+          </button>
+          <button
+            onClick={(e) => { e.stopPropagation(); handleDeleteProvider(sectionKey, id); }}
+            className="p-1 px-2 text-red-400 hover:text-red-600 hover:bg-red-50 dark:hover:bg-red-900/20 rounded-lg transition-colors"
+          >
+            <svg className="w-5 h-5" fill="none" viewBox="0 0 24 24" stroke="currentColor"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M19 7l-.867 12.142A2 2 0 0116.138 21H7.862a2 2 0 01-1.995-1.858L5 7m5 4v6m4-6v6m1-10V4a1 1 0 00-1-1h-4a1 1 0 00-1 1v3M4 7h16" /></svg>
+          </button>
+          <svg className={`w-5 h-5 text-gray-400 transition-transform duration-300 ${isExpanded ? 'rotate-180' : ''}`} fill="none" viewBox="0 0 24 24" stroke="currentColor"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2.5} d="M19 9l-7 7-7-7" /></svg>
+        </div>
+      </div>
+
+      {isExpanded && (
+        <div className="p-6 border-t border-gray-100 dark:border-gray-700 bg-gray-50/50 dark:bg-gray-900/30 space-y-6 animate-slide-down">
+          <div className="grid grid-cols-1 sm:grid-cols-2 gap-6">
+            <div className="space-y-1.5">
+              <label className={labelClass}>API Key / Secret</label>
+              <div className="relative">
+                <input
+                  type="password"
+                  id={`api-key-${sectionKey}-${id}`}
+                  name={`api-key-${sectionKey}-${id}`}
+                  value={prefs.api_key || ''}
+                  onChange={e => handleConfigChange(sectionKey, 'providers', { ...providers, [id]: { ...prefs, api_key: e.target.value } }, id)}
+                  placeholder="••••••••••••••••"
+                  className={inputClass}
+                  autoComplete="new-password"
+                />
+              </div>
+            </div>
+            <div className="space-y-1.5">
+              <label className={labelClass}>{sectionKey === 'tts' && providerType === 'gcloud_tts' ? 'Default Voice' : 'Primary Model'}</label>
+              <input
+                type="text"
+                id={`model-${sectionKey}-${id}`}
+                name={`model-${sectionKey}-${id}`}
+                list={`models-${sectionKey}-${id}`}
+                value={(() => {
+                  const val = (sectionKey === 'tts' && providerType === 'gcloud_tts' ? prefs.voice : prefs.model);
+                  if (!val) return '';
+                  return typeof val === 'object' ? (val.model_name || val.id || val.voice_id || '') : val;
+                })() || ''}
+                onChange={e => handleConfigChange(sectionKey, 'providers', { ...providers, [id]: { ...prefs, [sectionKey === 'tts' && providerType === 'gcloud_tts' ? 'voice' : 'model']: e.target.value } }, id)}
+                placeholder="e.g. gpt-4, whisper-1"
+                className={inputClass}
+                autoComplete="off"
+              />
+              <datalist id={`models-${sectionKey}-${id}`}>
+                {(fetchedModels[`${sectionKey}_${providerType}`] || []).map(m => (
+                  <option key={typeof m === 'string' ? m : m.model_name} value={typeof m === 'string' ? m : m.model_name} />
+                ))}
+              </datalist>
+            </div>
+            <div className="space-y-1.5">
+              <label className={labelClass}>Provider Type (System)</label>
+              <input type="text" value={providerType} readOnly className={`${inputClass} opacity-50 cursor-not-allowed`} />
+            </div>
+          </div>
+        </div>
+      )}
+    </div>
+  );
+};
+
+export default ProviderPanel;
diff --git a/frontend/src/features/settings/pages/SettingsPage.js b/frontend/src/features/settings/pages/SettingsPage.js
index dac691d..b479706 100644
--- a/frontend/src/features/settings/pages/SettingsPage.js
+++ b/frontend/src/features/settings/pages/SettingsPage.js
@@ -1,60 +1,87 @@
-import React, { useState, useEffect, useRef } from 'react';
+import React, { useState, useEffect } from 'react';
 import {
-    getUserConfig, updateUserConfig, exportUserConfig, importUserConfig,
-    verifyProvider, getProviderModels, getAllProviders, getVoices,
-    getAdminUsers, updateUserRole, getAdminGroups, createAdminGroup,
-    updateAdminGroup, deleteAdminGroup, updateUserGroup, getAdminNodes,
-    getSkills, getUserNodePreferences, updateUserNodePreferences,
-    getUserAccessibleNodes
+    getUserConfig,
+    getAdminUsers,
+    getAdminGroups,
+    getAdminNodes,
+    updateUserRole,
+    updateUserGroup,
+    createAdminGroup,
+    updateAdminGroup,
+    deleteAdminGroup,
+    getSkills,
+    getUserProfile,
+    getAdminConfig,
+    updateAdminOIDCConfig,
+    updateAdminSwarmConfig,
+    updateAdminAppConfig,
+    testAdminOIDCConfig,
+    testAdminSwarmConfig,
+    getAllProviders,
+    updateUserConfig,
+    getProviderModels,
+    verifyProvider,
+    exportUserConfig,
+    importUserConfig
 } from '../../../services/apiService';
 import SettingsPageContent from '../components/SettingsPageContent';
 
 const SettingsPage = () => {
     const [config, setConfig] = useState({ llm: {}, tts: {}, stt: {} });
-    const [effective, setEffective] = useState({ llm: {}, tts: {}, stt: {} });
     const [loading, setLoading] = useState(true);
     const [saving, setSaving] = useState(false);
     const [message, setMessage] = useState({ type: '', text: '' });
-    const [activeConfigTab, setActiveConfigTab] = useState('llm');
     const [activeAdminTab, setActiveAdminTab] = useState('groups');
     const [userSearch, setUserSearch] = useState('');
-    const [expandedProvider, setExpandedProvider] = useState(null);
-    const [selectedNewProvider, setSelectedNewProvider] = useState('');
-    const [verifying, setVerifying] = useState(null);
-    const [fetchedModels, setFetchedModels] = useState({});
     const [providerLists, setProviderLists] = useState({ llm: [], tts: [], stt: [] });
-    const [providerStatuses, setProviderStatuses] = useState({});
-    const [voiceList, setVoiceList] = useState([]);
-    const [showVoicesModal, setShowVoicesModal] = useState(false);
-    const [voicesLoading, setVoicesLoading] = useState(false);
     const [allUsers, setAllUsers] = useState([]);
     const [usersLoading, setUsersLoading] = useState(false);
     const [allGroups, setAllGroups] = useState([]);
     const [groupsLoading, setGroupsLoading] = useState(false);
     const [editingGroup, setEditingGroup] = useState(null);
-    const [addingSection, setAddingSection] = useState(null);
-    const [addForm, setAddForm] = useState({ type: '', suffix: '', model: '', cloneFrom: '' });
     const [allNodes, setAllNodes] = useState([]);
     const [nodesLoading, setNodesLoading] = useState(false);
     const [allSkills, setAllSkills] = useState([]);
     const [skillsLoading, setSkillsLoading] = useState(false);
-    const [accessibleNodes, setAccessibleNodes] = useState([]);
-    const [nodePrefs, setNodePrefs] = useState({ default_node_ids: [], data_source: { source: 'empty', path: '' } });
-    const fileInputRef = useRef(null);
+    const [adminConfig, setAdminConfig] = useState({ oidc: {}, swarm: {} });
+    const [adminConfigLoading, setAdminConfigLoading] = useState(false);
+    const [userProfile, setUserProfile] = useState(null);
+    const [activeConfigTab, setActiveConfigTab] = useState('llm');
+    const [expandedProvider, setExpandedProvider] = useState(null);
+    const [addingSection, setAddingSection] = useState(null);
+    const [addForm, setAddForm] = useState({ type: '', suffix: '', model: '' });
+    const [collapsedSections, setCollapsedSections] = useState({ ai: true, identity: true, infrastructure: true });
+    const [verifying, setVerifying] = useState(null);
+    const [testingConnection, setTestingConnection] = useState(null); // 'oidc' or 'swarm'
+    const [fetchedModels, setFetchedModels] = useState({});
+    const [providerStatuses, setProviderStatuses] = useState({});
+    const [confirmAction, setConfirmAction] = useState(null); // { type, id, sectionKey, label }
+    const fileInputRef = React.useRef(null);
 
-    const handleViewVoices = async (providerId, apiKey = null) => {
-        setShowVoicesModal(true);
-        setVoicesLoading(true);
-        setVoiceList([]); // Clear previous list while loading
-        try {
-            const voices = await getVoices(providerId, apiKey);
-            setVoiceList(voices);
-        } catch (e) {
-            console.error(e);
-        } finally {
-            setVoicesLoading(false);
+    useEffect(() => {
+        if (expandedProvider) {
+            const parts = expandedProvider.split('_');
+            const sectionKey = parts[0];
+            const providerId = parts.slice(1).join('_');
+            const fetchKey = `${sectionKey}_${providerId}`;
+            if (!fetchedModels[fetchKey]) {
+                getProviderModels(providerId, sectionKey).then(models => {
+                    setFetchedModels(prev => ({ ...prev, [fetchKey]: models }));
+                }).catch(e => console.warn("Failed fetching models for", providerId));
+            }
         }
-    };
+    }, [expandedProvider, fetchedModels]);
+
+    useEffect(() => {
+        if (addingSection && addForm.type) {
+            const fetchKey = `${addingSection}_${addForm.type}`;
+            if (!fetchedModels[fetchKey]) {
+                getProviderModels(addForm.type, addingSection).then(models => {
+                    setFetchedModels(prev => ({ ...prev, [fetchKey]: models }));
+                }).catch(() => { });
+            }
+        }
+    }, [addingSection, addForm.type, fetchedModels]);
 
     useEffect(() => {
         const fetchProviders = async () => {
@@ -82,19 +109,31 @@
         loadGroups();
         loadNodes();
         loadSkills();
-        loadPersonalNodePrefs();
+        loadUserProfile();
     }, []);
 
-    const loadPersonalNodePrefs = async () => {
+
+    const loadUserProfile = async () => {
         try {
-            const [nodes, prefs] = await Promise.all([
-                getUserAccessibleNodes(),
-                getUserNodePreferences()
-            ]);
-            setAccessibleNodes(nodes);
-            setNodePrefs(prefs);
+            const profile = await getUserProfile();
+            setUserProfile(profile);
+            if (profile.role === 'admin') {
+                loadAdminConfig();
+            }
         } catch (e) {
-            console.error("Failed to load personal node prefs", e);
+            console.error("Failed to load user profile", e);
+        }
+    };
+
+    const loadAdminConfig = async () => {
+        try {
+            setAdminConfigLoading(true);
+            const data = await getAdminConfig();
+            setAdminConfig(data);
+        } catch (e) {
+            console.error("Failed to load admin config", e);
+        } finally {
+            setAdminConfigLoading(false);
         }
     };
 
@@ -169,26 +208,6 @@
         }
     };
 
-    const handleNodePrefChange = async (updates) => {
-        try {
-            const newNodePrefs = { ...nodePrefs, ...updates };
-            await updateUserNodePreferences(newNodePrefs);
-            setNodePrefs(newNodePrefs);
-            setMessage({ type: 'success', text: 'Personal node preferences updated.' });
-            setTimeout(() => setMessage({ type: '', text: '' }), 3000);
-        } catch (err) {
-            setMessage({ type: 'error', text: 'Failed to update node preferences.' });
-        }
-    };
-
-    const toggleDefaultNode = (nodeId) => {
-        const current = nodePrefs.default_node_ids || [];
-        const next = current.includes(nodeId)
-            ? current.filter(id => id !== nodeId)
-            : [...current, nodeId];
-        handleNodePrefChange({ default_node_ids: next });
-    };
-
     const handleSaveGroup = async (e) => {
         e.preventDefault();
         try {
@@ -211,8 +230,15 @@
         }
     };
 
-    const handleDeleteGroup = async (groupId) => {
-        if (!window.confirm("Are you sure? Users in this group will be moved to 'Ungrouped'.")) return;
+    const handleDeleteGroup = (groupId) => {
+        setConfirmAction({
+            type: 'delete-group',
+            id: groupId,
+            label: "Are you sure? Users in this group will be moved to 'Ungrouped'."
+        });
+    };
+
+    const confirmDeleteGroup = async (groupId) => {
         try {
             await deleteAdminGroup(groupId);
             setMessage({ type: 'success', text: 'Group deleted' });
@@ -224,73 +250,75 @@
         }
     };
 
-    const loadConfig = async () => {
+    const handleSaveAdminConfig = async (type, data) => {
         try {
-            setLoading(true);
-            const data = await getUserConfig();
-
-            // Pre-seed config with effective providers if the user's config is empty
-            const seedEffective = (prefSec, effSec) => {
-                if (prefSec && prefSec.providers && Object.keys(prefSec.providers).length > 0) return prefSec;
-                return {
-                    ...prefSec,
-                    providers: { ...(effSec?.providers || {}) },
-                    active_provider: prefSec?.active_provider || effSec?.active_provider
-                };
-            };
-
-            setConfig({
-                llm: seedEffective(data.preferences?.llm, data.effective?.llm),
-                tts: seedEffective(data.preferences?.tts, data.effective?.tts),
-                stt: seedEffective(data.preferences?.stt, data.effective?.stt)
-            });
-            setProviderStatuses(data.preferences?.statuses || {});
-            setEffective(data.effective || { llm: {}, tts: {}, stt: {} });
-
-            setMessage({ type: '', text: '' });
-        } catch (err) {
-            console.error("Error loading config:", err);
-            setMessage({ type: 'error', text: 'Failed to load configuration.' });
+            setSaving(true);
+            if (type === 'oidc') {
+                // Mutual Exclusivity: If OIDC is being enabled, disable password login
+                // Note: 'enabled' is the master switch that controls the login button.
+                if (data.enabled === true && adminConfig.app?.allow_password_login) {
+                    await updateAdminAppConfig({ allow_password_login: false });
+                }
+                
+                // Consolidate 'allow_oidc_login' with 'enabled' to prevent redundancy
+                const updatedData = { ...data };
+                if (data.enabled !== undefined) {
+                    updatedData.allow_oidc_login = data.enabled;
+                }
+                
+                await updateAdminOIDCConfig(updatedData);
+                setMessage({ type: 'success', text: 'OIDC configuration updated successfully' });
+            } else if (type === 'swarm') {
+                await updateAdminSwarmConfig(data);
+                setMessage({ type: 'success', text: 'Swarm configuration updated successfully' });
+            } else if (type === 'app') {
+                // Mutual Exclusivity: If password login is being enabled, disable OIDC
+                if (data.allow_password_login === true && adminConfig.oidc?.enabled) {
+                    await updateAdminOIDCConfig({ enabled: false, allow_oidc_login: false });
+                }
+                await updateAdminAppConfig(data);
+                setMessage({ type: 'success', text: 'Application configuration updated successfully' });
+            }
+            loadAdminConfig();
+            setTimeout(() => setMessage({ type: '', text: '' }), 5000);
+        } catch (e) {
+            setMessage({ type: 'error', text: e.message || 'Failed to update admin config' });
         } finally {
-            setLoading(false);
+            setSaving(false);
         }
     };
 
-    useEffect(() => {
-        if (expandedProvider) {
-            const parts = expandedProvider.split('_');
-            const sectionKey = parts[0];
-            const providerId = parts.slice(1).join('_');
-
-            const fetchKey = `${sectionKey}_${providerId}`;
-            if (!fetchedModels[fetchKey]) {
-                getProviderModels(providerId, sectionKey).then(models => {
-                    setFetchedModels(prev => ({ ...prev, [fetchKey]: models }));
-                }).catch(e => console.warn("Failed fetching models for", providerId, "section", sectionKey));
+    const handleTestConnection = async (type) => {
+        try {
+            setTestingConnection(type);
+            setMessage({ type: '', text: `Testing ${type.toUpperCase()} connection...` });
+            let response;
+            if (type === 'oidc') {
+                response = await testAdminOIDCConfig(adminConfig.oidc);
+            } else if (type === 'swarm') {
+                response = await testAdminSwarmConfig(adminConfig.swarm);
             }
-        }
-    }, [expandedProvider, fetchedModels]);
-
-    // Pre-fetch model list for the selected type in the add-new-instance form
-    useEffect(() => {
-        if (addingSection && addForm.type) {
-            const fetchKey = `${addingSection}_${addForm.type}`;
-            if (!fetchedModels[fetchKey]) {
-                getProviderModels(addForm.type, addingSection).then(models => {
-                    setFetchedModels(prev => ({ ...prev, [fetchKey]: models }));
-                }).catch(() => { });
+            
+            if (response && response.success) {
+                setMessage({ type: 'success', text: response.message });
+            } else {
+                setMessage({ type: 'error', text: (response && response.message) || 'Connection test failed.' });
             }
+        } catch (e) {
+            setMessage({ type: 'error', text: e.message || `Error occurred while testing ${type} connection` });
+        } finally {
+            setTestingConnection(null);
+            setTimeout(() => setMessage({ type: '', text: '' }), 10000);
         }
-    }, [addingSection, addForm.type, fetchedModels]);
+    };
 
-    const handleSave = async (e) => {
-        e.preventDefault();
+
+    const handleSaveConfig = async (e) => {
+        if (e) e.preventDefault();
         try {
             setSaving(true);
             setMessage({ type: '', text: 'Saving and verifying configuration...' });
 
-            // Before saving, let's identify any "active" providers that have been modified 
-            // (i.e. they are grey/have no status) and run a quick verification for them.
             const updatedStatuses = { ...providerStatuses };
             const sections = ['llm', 'tts', 'stt'];
 
@@ -317,15 +345,18 @@
 
             setProviderStatuses(updatedStatuses);
             const payload = { ...config, statuses: updatedStatuses };
-            await updateUserConfig(payload);
-
-            // reload after save to get latest effective config
-            await loadConfig();
+            const data = await updateUserConfig(payload);
+            
+            setConfig({
+                llm: data.llm || {},
+                tts: data.tts || {},
+                stt: data.stt || {}
+            });
             setMessage({ type: 'success', text: 'Settings saved and verified successfully!' });
             setTimeout(() => setMessage({ type: '', text: '' }), 3000);
         } catch (err) {
             console.error("Error saving config:", err);
-            setMessage({ type: 'error', text: 'Failed to save configuration: ' + (err.message || "Unknown error") });
+            setMessage({ type: 'error', text: 'Failed to save configuration.' });
         } finally {
             setSaving(false);
         }
@@ -349,35 +380,11 @@
         }
     };
 
-    const handleGrantToAll = async (section, providerId) => {
-        if (!window.confirm(`Are you sure? This will whitelist ${providerId} for ALL existing groups.`)) return;
-        try {
-            setSaving(true);
-            setMessage({ type: '', text: `Syncing group policies for ${providerId}...` });
-            for (const group of allGroups) {
-                const currentPolicy = group.policy || { llm: [], tts: [], stt: [] };
-                const sectionList = currentPolicy[section] || [];
-                if (!sectionList.includes(providerId)) {
-                    const newPolicy = { ...currentPolicy, [section]: [...sectionList, providerId] };
-                    await updateAdminGroup(group.id, { ...group, policy: newPolicy });
-                }
-            }
-            await loadGroups();
-            setMessage({ type: 'success', text: `Global access granted for ${providerId}!` });
-            setTimeout(() => setMessage({ type: '', text: '' }), 3000);
-        } catch (e) {
-            console.error(e);
-            setMessage({ type: 'error', text: 'Failed to sync group access.' });
-        } finally {
-            setSaving(false);
-        }
-    };
-
     const handleImport = async (e) => {
         const file = e.target.files[0];
         if (!file) return;
         try {
-            setLoading(true);
+            setSaving(true);
             const formData = new FormData();
             formData.append('file', file);
             await importUserConfig(formData);
@@ -388,12 +395,12 @@
             console.error("Import Error: ", error);
             setMessage({ type: 'error', text: 'Failed to import YAML: ' + error.message });
         } finally {
-            setLoading(false);
+            setSaving(false);
             if (fileInputRef.current) fileInputRef.current.value = '';
         }
     };
 
-    const handleChange = (section, field, value, providerId = null) => {
+    const handleConfigChange = (section, field, value, providerId = null) => {
         if (field === 'providers' && providerId) {
             setProviderStatuses(prev => {
                 const updated = { ...prev };
@@ -410,6 +417,112 @@
         }));
     };
 
+    const handleVerifyProvider = async (sectionKey, providerId, providerPrefs) => {
+        try {
+            setVerifying(`${sectionKey}_${providerId}`);
+            setMessage({ type: '', text: '' });
+            const payload = {
+                provider_name: providerId,
+                provider_type: providerPrefs.provider_type,
+                api_key: providerPrefs.api_key,
+                model: providerPrefs.model,
+                voice: providerPrefs.voice
+            };
+            const res = await verifyProvider(sectionKey, payload);
+            if (res.success) {
+                const newStatuses = { ...providerStatuses, [`${sectionKey}_${providerId}`]: 'success' };
+                setProviderStatuses(newStatuses);
+                await updateUserConfig({ ...config, statuses: newStatuses });
+                setMessage({ type: 'success', text: `Verified ${providerId} successfully!` });
+            } else {
+                const newStatuses = { ...providerStatuses, [`${sectionKey}_${providerId}`]: 'error' };
+                setProviderStatuses(newStatuses);
+                await updateUserConfig({ ...config, statuses: newStatuses });
+                setMessage({ type: 'error', text: `Verification failed for ${providerId}: ${res.message}` });
+            }
+        } catch (err) {
+            setMessage({ type: 'error', text: `Error verifying ${providerId}.` });
+        } finally {
+            setVerifying(null);
+            setTimeout(() => setMessage({ type: '', text: '' }), 5000);
+        }
+    };
+
+    const handleDeleteProviderAction = (sectionKey, providerId) => {
+        setConfirmAction({
+            type: 'delete-provider',
+            id: providerId,
+            sectionKey,
+            label: `Permanently delete the "${providerId}" resource instance?`
+        });
+    };
+
+    const confirmDeleteProvider = (sectionKey, providerId) => {
+        const newProviders = { ...((config[sectionKey] && config[sectionKey].providers) || {}) };
+        delete newProviders[providerId];
+        handleConfigChange(sectionKey, 'providers', newProviders, providerId);
+        if (expandedProvider === `${sectionKey}_${providerId}`) setExpandedProvider(null);
+    };
+
+    const executeConfirmAction = () => {
+        if (!confirmAction) return;
+        if (confirmAction.type === 'delete-group') {
+            confirmDeleteGroup(confirmAction.id);
+        } else if (confirmAction.type === 'delete-provider') {
+            confirmDeleteProvider(confirmAction.sectionKey, confirmAction.id);
+        }
+        setConfirmAction(null);
+    };
+
+    const handleAddInstance = (sectionKey) => {
+        if (!addForm.type) return;
+        const newId = addForm.suffix ? `${addForm.type}_${addForm.suffix.toLowerCase().replace(/\s+/g, '_')}` : addForm.type;
+
+        if (config[sectionKey]?.providers?.[newId]) {
+            setMessage({ type: 'error', text: `Instance "${newId}" already exists.` });
+            return;
+        }
+
+        const initData = { provider_type: addForm.type };
+
+        if (addForm.model.trim()) {
+            if (sectionKey === 'tts' && addForm.type === 'gcloud_tts') {
+                initData.voice = addForm.model.trim();
+            } else {
+                initData.model = addForm.model.trim();
+            }
+        }
+
+        const newProviders = { ...(config[sectionKey]?.providers || {}) };
+        newProviders[newId] = initData;
+        handleConfigChange(sectionKey, 'providers', newProviders, newId);
+        setAddingSection(null);
+        setAddForm({ type: '', suffix: '', model: '' });
+        setExpandedProvider(`${sectionKey}_${newId}`);
+    };
+
+
+    const loadConfig = async () => {
+        try {
+            setLoading(true);
+            const data = await getUserConfig();
+            setConfig({
+                llm: data.preferences?.llm || {},
+                tts: data.preferences?.tts || {},
+                stt: data.preferences?.stt || {}
+            });
+            if (data.preferences?.statuses) {
+                setProviderStatuses(data.preferences.statuses);
+            }
+            setMessage({ type: '', text: '' });
+        } catch (err) {
+            console.error("Error loading config:", err);
+            setMessage({ type: 'error', text: 'Failed to load configuration.' });
+        } finally {
+            setLoading(false);
+        }
+    };
+
     if (loading) {
         return (
             <div className="flex h-screen items-center justify-center dark:bg-gray-900">
@@ -418,514 +531,6 @@
         );
     }
 
-    const inputClass = "w-full border border-gray-300 dark:border-gray-600 rounded-lg p-3 bg-white dark:bg-gray-800 text-gray-900 dark:text-gray-100 placeholder-gray-400 dark:placeholder-gray-500 focus:outline-none focus:ring-2 focus:ring-indigo-500 transition-colors duration-200 shadow-sm";
-    const labelClass = "block text-sm font-semibold text-gray-700 dark:text-gray-300 mb-2";
-    const sectionClass = "animate-fade-in";
-
-    const renderProviderSection = (sectionKey, providerDefs, allowVoice = false) => {
-        const activeProviderIds = new Set([
-            ...Object.keys(config[sectionKey]?.providers || {})
-        ]);
-        const activeProviders = Array.from(activeProviderIds).map(id => {
-            const baseP = providerDefs.find(p => p.id === id);
-            if (baseP) return baseP;
-            // Handle suffixed IDs (e.g. gemini_2)
-            const parts = id.split('_');
-            let baseId = parts[0];
-            // Special case for google_gemini
-            if (id.startsWith('google_gemini_')) baseId = 'google_gemini';
-
-            const baseDef = providerDefs.find(p => p.id === baseId);
-            const suffix = id.replace(baseId + '_', '');
-            return {
-                id: id,
-                label: baseDef ? `${baseDef.label} (${suffix})` : id
-            };
-        }).sort((a, b) => a.label.localeCompare(b.label));
-
-
-        const handleAddInstance = () => {
-            if (!addForm.type) return;
-            const newId = addForm.suffix ? `${addForm.type}_${addForm.suffix.toLowerCase().replace(/\s+/g, '_')}` : addForm.type;
-
-            if (activeProviderIds.has(newId)) {
-                setMessage({ type: 'error', text: `Instance "${newId}" already exists.` });
-                return;
-            }
-
-            // Build initial provider data
-            const initData = { provider_type: addForm.type };
-
-            // Store a _clone_from marker — the backend will resolve the real API key
-            // from the source provider. We never have the plaintext key on the frontend.
-            if (addForm.cloneFrom) {
-                initData._clone_from = addForm.cloneFrom;
-            }
-
-            // Pre-set model (or voice for Google Cloud TTS) if specified
-            if (addForm.model.trim()) {
-                if (sectionKey === 'tts' && addForm.type === 'gcloud_tts') {
-                    initData.voice = addForm.model.trim();
-                } else {
-                    initData.model = addForm.model.trim();
-                }
-            }
-
-            const newProviders = { ...(config[sectionKey]?.providers || {}) };
-            newProviders[newId] = initData;
-            handleChange(sectionKey, 'providers', newProviders, newId);
-            setAddingSection(null);
-            setAddForm({ type: '', suffix: '', model: '', cloneFrom: '' });
-            setExpandedProvider(`${sectionKey}_${newId}`);
-        };
-
-        // Existing instances of the same type that have an API key — for cloning
-        const cloneableSources = Array.from(activeProviderIds).filter(id => {
-            const baseType = id.startsWith('google_gemini') ? 'google_gemini' : id.split('_')[0];
-            return baseType === addForm.type && id !== addForm.type + (addForm.suffix ? '_' + addForm.suffix.toLowerCase().replace(/\s+/g, '_') : '');
-        });
-
-        const handleDeleteProvider = (providerId) => {
-            const newProviders = { ...((config[sectionKey] && config[sectionKey].providers) || {}) };
-            delete newProviders[providerId];
-            handleChange(sectionKey, 'providers', newProviders, providerId);
-            if (expandedProvider === `${sectionKey}_${providerId}`) setExpandedProvider(null);
-        };
-
-
-
-        const handleVerifyProvider = async (providerId, providerPrefs) => {
-            try {
-                setVerifying(`${sectionKey}_${providerId}`);
-                setMessage({ type: '', text: '' });
-                const payload = {
-                    provider_name: providerId,
-                    provider_type: providerPrefs.provider_type,
-                    api_key: providerPrefs.api_key,
-                    model: providerPrefs.model,
-                    voice: providerPrefs.voice
-                };
-                const res = await verifyProvider(sectionKey, payload);
-                if (res.success) {
-                    const newStatuses = { ...providerStatuses, [`${sectionKey}_${providerId}`]: 'success' };
-                    setProviderStatuses(newStatuses);
-                    await updateUserConfig({ ...config, statuses: newStatuses });
-                    setMessage({ type: 'success', text: `Verified ${providerId} successfully!` });
-                } else {
-                    const newStatuses = { ...providerStatuses, [`${sectionKey}_${providerId}`]: 'error' };
-                    setProviderStatuses(newStatuses);
-                    await updateUserConfig({ ...config, statuses: newStatuses });
-                    setMessage({ type: 'error', text: `Verification failed for ${providerId}: ${res.message}` });
-                }
-            } catch (err) {
-                setMessage({ type: 'error', text: `Error verifying ${providerId}.` });
-            } finally {
-                setVerifying(null);
-                setTimeout(() => setMessage({ type: '', text: '' }), 5000);
-            }
-        };
-
-        return (
-            <div className="space-y-6">
-                {/* Header & Add Form */}
-                <div className="flex flex-col sm:flex-row sm:items-center justify-between gap-4 border-b border-gray-100 dark:border-gray-700 pb-4">
-                    <div className="flex items-center gap-3">
-                        <div className="p-2 bg-indigo-50 dark:bg-indigo-900/30 rounded-lg text-indigo-600 dark:text-indigo-400">
-                            <svg className="w-5 h-5" fill="none" viewBox="0 0 24 24" stroke="currentColor"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M19 11H5m14 0a2 2 0 012 2v6a2 2 0 01-2 2H5a2 2 0 01-2-2v-6a2 2 0 012-2m14 0V9a2 2 0 00-2-2M5 11V9a2 2 0 012-2m0 0V5a2 2 0 012-2h6a2 2 0 012 2v2M7 7h10" /></svg>
-                        </div>
-                        <div>
-                            <h3 className="text-sm font-black text-gray-900 dark:text-white uppercase tracking-wider">Resource Instances</h3>
-                            <p className="text-[10px] text-gray-500 dark:text-gray-400 font-medium">Configure specific account credentials</p>
-                        </div>
-                    </div>
-
-                    {addingSection !== sectionKey ? (
-                        <button
-                            type="button"
-                            onClick={() => { setAddingSection(sectionKey); setAddForm({ type: '', suffix: '', model: '', cloneFrom: '' }); }}
-                            className="px-4 py-2 bg-indigo-600 hover:bg-indigo-700 text-white text-[10px] font-black uppercase tracking-widest rounded-lg shadow-md transition-all flex items-center gap-2"
-                        >
-                            <svg className="w-4 h-4" fill="none" viewBox="0 0 24 24" stroke="currentColor"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2.5} d="M12 6v6m0 0v6m0-6h6m-6 0H6" /></svg>
-                            Register New Instance
-                        </button>
-                    ) : (
-                        <div className="w-full mt-2 bg-white dark:bg-gray-800 border border-indigo-200 dark:border-indigo-700 rounded-2xl shadow-lg p-4 animate-in fade-in slide-in-from-top-2 duration-200 space-y-3">
-                            <p className="text-[10px] font-black uppercase tracking-widest text-indigo-500 mb-1">New Provider Instance</p>
-
-                            {/* Row 1: Type + Label suffix */}
-                            <div className="flex flex-col sm:flex-row gap-3">
-                                <div className="flex-1">
-                                    <label className="block text-[9px] font-black text-gray-400 uppercase tracking-widest mb-1">Provider Type</label>
-                                    <select
-                                        value={addForm.type}
-                                        onChange={(e) => setAddForm({ type: e.target.value, suffix: '', model: '', cloneFrom: '' })}
-                                        className="w-full border border-gray-200 dark:border-gray-700 rounded-lg px-3 py-2 bg-white dark:bg-gray-900 text-sm font-bold text-gray-800 dark:text-gray-100 focus:ring-2 focus:ring-indigo-500 outline-none"
-                                    >
-                                        <option value="">Select type…</option>
-                                        {providerDefs.map(p => (
-                                            <option key={p.id} value={p.id}>{p.label}</option>
-                                        ))}
-                                    </select>
-                                </div>
-                                <div className="flex-1">
-                                    <label className="block text-[9px] font-black text-gray-400 uppercase tracking-widest mb-1">
-                                        Label Suffix <span className="normal-case font-normal text-gray-400">(e.g. flash25, 3pro)</span>
-                                    </label>
-                                    <input
-                                        placeholder="e.g. flash25"
-                                        value={addForm.suffix}
-                                        onChange={(e) => setAddForm({ ...addForm, suffix: e.target.value })}
-                                        className="w-full border border-gray-200 dark:border-gray-700 rounded-lg px-3 py-2 bg-white dark:bg-gray-900 text-sm text-gray-800 dark:text-gray-100 focus:ring-2 focus:ring-indigo-500 outline-none"
-                                    />
-                                    {addForm.type && addForm.suffix && (
-                                        <p className="mt-1 text-[9px] text-gray-400">
-                                            ID: <span className="font-mono text-indigo-500">{addForm.type}_{addForm.suffix.toLowerCase().replace(/\s+/g, '_')}</span>
-                                        </p>
-                                    )}
-                                </div>
-                            </div>
-
-                            {/* Row 2: Model + Clone-from */}
-                            <div className="flex flex-col sm:flex-row gap-3">
-                                <div className="flex-1">
-                                    <label className="block text-[9px] font-black text-gray-400 uppercase tracking-widest mb-1">
-                                        {sectionKey === 'tts' && addForm.type === 'gcloud_tts' ? 'Pre-set Voice' : 'Pre-set Model'} <span className="normal-case font-normal text-gray-400">(users will see this)</span>
-                                    </label>
-                                    {addForm.type && fetchedModels[`${sectionKey}_${addForm.type}`]?.length > 0 ? (
-                                        <select
-                                            value={addForm.model}
-                                            onChange={(e) => setAddForm({ ...addForm, model: e.target.value })}
-                                            className="w-full border border-gray-200 dark:border-gray-700 rounded-lg px-3 py-2 bg-white dark:bg-gray-900 text-sm text-gray-800 dark:text-gray-100 focus:ring-2 focus:ring-indigo-500 outline-none"
-                                        >
-                                            <option value="">-- Choose {sectionKey === 'tts' && addForm.type === 'gcloud_tts' ? 'voice' : 'model'} --</option>
-                                            {fetchedModels[`${sectionKey}_${addForm.type}`].map(m => (
-                                                <option key={m.model_name} value={m.model_name}>
-                                                    {m.model_name}{m.max_input_tokens ? ` (${Math.round(m.max_input_tokens / 1000)}k ctx)` : ''}
-                                                </option>
-                                            ))}
-                                        </select>
-                                    ) : (
-                                        <input
-                                            placeholder={sectionKey === 'tts' && addForm.type === 'gcloud_tts' ? 'e.g. en-US-Journey-F' : 'e.g. gemini-2.5-flash'}
-                                            value={addForm.model}
-                                            onChange={(e) => setAddForm({ ...addForm, model: e.target.value })}
-                                            className="w-full border border-gray-200 dark:border-gray-700 rounded-lg px-3 py-2 bg-white dark:bg-gray-900 text-sm text-gray-800 dark:text-gray-100 focus:ring-2 focus:ring-indigo-500 outline-none"
-                                        />
-                                    )}
-                                </div>
-                                {cloneableSources.length > 0 && (
-                                    <div className="flex-1">
-                                        <label className="block text-[9px] font-black text-gray-400 uppercase tracking-widest mb-1">
-                                            Inherit API Key From <span className="normal-case font-normal text-gray-400">(reuse existing key)</span>
-                                        </label>
-                                        <select
-                                            value={addForm.cloneFrom}
-                                            onChange={(e) => setAddForm({ ...addForm, cloneFrom: e.target.value })}
-                                            className="w-full border border-gray-200 dark:border-gray-700 rounded-lg px-3 py-2 bg-white dark:bg-gray-900 text-sm text-gray-800 dark:text-gray-100 focus:ring-2 focus:ring-indigo-500 outline-none"
-                                        >
-                                            <option value="">-- Enter key manually --</option>
-                                            {cloneableSources.map(id => (
-                                                <option key={id} value={id}>{id}</option>
-                                            ))}
-                                        </select>
-                                        {addForm.cloneFrom && (
-                                            <p className="mt-1 text-[9px] text-emerald-500 font-bold">✓ API key will be copied from "{addForm.cloneFrom}" on save</p>
-                                        )}
-                                    </div>
-                                )}
-                            </div>
-
-                            {/* Action buttons */}
-                            <div className="flex justify-end gap-2 pt-1">
-                                <button
-                                    type="button"
-                                    onClick={() => { setAddingSection(null); setAddForm({ type: '', suffix: '', model: '', cloneFrom: '' }); }}
-                                    className="px-4 py-2 bg-gray-100 dark:bg-gray-700 text-gray-600 dark:text-gray-300 rounded-lg text-sm font-semibold hover:bg-gray-200 dark:hover:bg-gray-600 transition-colors"
-                                >
-                                    Cancel
-                                </button>
-                                <button
-                                    type="button"
-                                    onClick={handleAddInstance}
-                                    disabled={!addForm.type}
-                                    className="px-4 py-2 bg-indigo-600 hover:bg-indigo-700 disabled:opacity-40 text-white rounded-lg text-sm font-black tracking-wide transition-colors flex items-center gap-2"
-                                >
-                                    <svg className="w-4 h-4" fill="none" viewBox="0 0 24 24" stroke="currentColor"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2.5} d="M5 13l4 4L19 7" /></svg>
-                                    Add Instance
-                                </button>
-                            </div>
-                        </div>
-                    )}
-                </div>
-
-                <div className="flex gap-6 items-center px-4 py-3 bg-gray-50 dark:bg-gray-800/40 rounded-xl border border-dashed border-gray-200 dark:border-gray-700">
-                    <span className="text-[10px] font-black uppercase tracking-widest text-gray-400">Status Legend:</span>
-                    <div className="flex items-center gap-2">
-                        <div className="w-2 h-2 rounded-full bg-emerald-500"></div>
-                        <span className="text-[11px] font-bold text-gray-500 dark:text-gray-400">Verified</span>
-                    </div>
-                    <div className="flex items-center gap-2">
-                        <div className="w-2 h-2 rounded-full bg-red-500"></div>
-                        <span className="text-[11px] font-bold text-gray-500 dark:text-gray-400">Failed</span>
-                    </div>
-                    <div className="flex items-center gap-2">
-                        <div className="w-2 h-2 rounded-full bg-gray-300"></div>
-                        <span className="text-[11px] font-bold text-gray-500 dark:text-gray-400">Not Tested</span>
-                    </div>
-                </div>
-
-                <div className="space-y-4">
-                    {activeProviders.length === 0 && (
-                        <p className="text-gray-500 text-sm text-center py-4">No providers enabled. Add one above.</p>
-                    )}
-                    {activeProviders.map((provider) => {
-                        const isExpanded = expandedProvider === `${sectionKey}_${provider.id}`;
-                        const providerPrefs = config[sectionKey]?.providers?.[provider.id] || {};
-                        const providerEff = effective[sectionKey]?.providers?.[provider.id] || {};
-
-                        let displayMeta = providerPrefs.model || providerEff.model;
-                        if (sectionKey === 'tts' && provider.id.startsWith('gcloud_tts')) {
-                            displayMeta = providerPrefs.voice || providerEff.voice;
-                        }
-
-                        return (
-                            <div key={provider.id} className="border border-gray-200 dark:border-gray-700 rounded-lg overflow-hidden bg-white dark:bg-gray-800 shadow-sm transition-all duration-200">
-                                <div
-                                    onClick={() => setExpandedProvider(isExpanded ? null : `${sectionKey}_${provider.id}`)}
-                                    className="flex justify-between items-center p-4 cursor-pointer hover:bg-gray-50 dark:hover:bg-gray-700/50"
-                                >
-                                    <h3 className="font-bold text-gray-900 dark:text-gray-100 flex items-center gap-2 max-w-[150px] sm:max-w-xs truncate">
-                                        <div className={`w-2 h-2 rounded-full flex-shrink-0 ${providerStatuses[`${sectionKey}_${provider.id}`] === 'success' ? 'bg-emerald-500' : providerStatuses[`${sectionKey}_${provider.id}`] === 'error' ? 'bg-red-500' : 'bg-gray-300'}`}></div>
-                                        <span className="truncate">{provider.label}</span>
-                                    </h3>
-                                    <div className="flex items-center gap-2 sm:gap-4 flex-1 justify-end overflow-hidden">
-                                        <div className="text-[10px] font-black uppercase tracking-widest text-gray-500 hidden sm:block truncate max-w-[160px]">
-                                            {displayMeta ? (
-                                                <span className="font-mono normal-case tracking-normal text-gray-400 truncate">
-                                                    {displayMeta}
-                                                </span>
-                                            ) : null}
-                                        </div>
-
-                                        <button
-                                            type="button"
-                                            onClick={(e) => {
-                                                e.stopPropagation();
-                                                handleDeleteProvider(provider.id);
-                                            }}
-                                            className="text-[10px] font-black uppercase tracking-widest text-red-600 bg-red-50 hover:bg-red-100 dark:bg-red-900/30 dark:hover:bg-red-900/50 dark:text-red-400 px-2 py-1.5 rounded transition-all border border-red-100 dark:border-red-800/50"
-                                        >
-                                            Remove
-                                        </button>
-                                        <button
-                                            type="button"
-                                            disabled={verifying === `${sectionKey}_${provider.id}`}
-                                            onClick={(e) => {
-                                                e.stopPropagation();
-                                                handleVerifyProvider(provider.id, providerPrefs);
-                                            }}
-                                            className="text-xs text-emerald-700 bg-emerald-50 hover:bg-emerald-100 dark:bg-emerald-900/40 dark:hover:bg-emerald-900/60 dark:text-emerald-300 font-semibold px-2 py-1 rounded transition-colors"
-                                        >
-                                            {verifying === `${sectionKey}_${provider.id}` ? 'Testing...' : 'Test'}
-                                        </button>
-                                        <svg className={`w-5 h-5 flex-shrink-0 text-gray-500 transform transition-transform ${isExpanded ? 'rotate-180' : ''}`} fill="none" viewBox="0 0 24 24" stroke="currentColor">
-                                            <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M19 9l-7 7-7-7" />
-                                        </svg>
-                                    </div>
-                                </div>
-                                {isExpanded && (
-                                    <div className="p-4 border-t border-gray-200 dark:border-gray-700 bg-gray-50 dark:bg-gray-800/50">
-                                        <div className="mb-4 flex gap-4">
-                                            <div className="flex-1">
-                                                <div className="flex items-center justify-between mb-2">
-                                                    <label className={labelClass} style={{ margin: 0 }}>API Key</label>
-                                                </div>
-                                                <>
-                                                    <input
-                                                        type={(providerPrefs.api_key || providerPrefs._clone_from)?.includes('***') ? 'text' : 'password'}
-                                                        value={providerPrefs.api_key || (providerPrefs._clone_from ? '***' : '')}
-                                                        onChange={(e) => {
-                                                            const newProviders = { ...(config[sectionKey]?.providers || {}) };
-                                                            const p = { ...providerPrefs, api_key: e.target.value };
-                                                            delete p._clone_from;
-                                                            newProviders[provider.id] = p;
-                                                            handleChange(sectionKey, 'providers', newProviders, provider.id);
-                                                        }}
-                                                        onFocus={(e) => {
-                                                            if (e.target.value.includes('***')) {
-                                                                const newProviders = { ...(config[sectionKey]?.providers || {}) };
-                                                                const p = { ...providerPrefs, api_key: '' };
-                                                                delete p._clone_from;
-                                                                newProviders[provider.id] = p;
-                                                                handleChange(sectionKey, 'providers', newProviders, provider.id);
-                                                            }
-                                                        }}
-                                                        placeholder="sk-..."
-                                                        className={inputClass}
-                                                    />
-                                                    <p className="mt-2 text-xs text-gray-500 dark:text-gray-400">Specify your API key for {provider.label}.</p>
-                                                </>
-                                            </div>
-                                        </div>
-                                        {!(sectionKey === 'tts' && provider.id === 'gcloud_tts') && (
-                                            <div className="mb-4">
-                                                <label className={labelClass}>Model Selection</label>
-                                                {fetchedModels[`${sectionKey}_${provider.id}`] && fetchedModels[`${sectionKey}_${provider.id}`].length > 0 ? (
-                                                    <select
-                                                        value={providerPrefs.model || ''}
-                                                        onChange={(e) => {
-                                                            const newProviders = { ...(config[sectionKey]?.providers || {}) };
-                                                            newProviders[provider.id] = { ...providerPrefs, model: e.target.value };
-                                                            handleChange(sectionKey, 'providers', newProviders, provider.id);
-                                                        }}
-                                                        className={inputClass}
-                                                    >
-                                                        <option value="">-- Let Backend Decide Default --</option>
-                                                        {fetchedModels[`${sectionKey}_${provider.id}`].map(m => (
-                                                            <option key={m.model_name} value={m.model_name}>
-                                                                {m.model_name} {m.max_input_tokens ? `(Context: ${Math.round(m.max_input_tokens / 1000)}k)` : ''}
-                                                            </option>
-                                                        ))}
-                                                    </select>
-                                                ) : (
-                                                    <input
-                                                        type="text"
-                                                        value={providerPrefs.model || ''}
-                                                        onChange={(e) => {
-                                                            const newProviders = { ...(config[sectionKey]?.providers || {}) };
-                                                            newProviders[provider.id] = { ...providerPrefs, model: e.target.value };
-                                                            handleChange(sectionKey, 'providers', newProviders, provider.id);
-                                                        }}
-                                                        placeholder={provider.id === 'general' ? "E.g. vertex_ai/gemini-1.5-flash" : (sectionKey === 'llm' ? "E.g. gpt-4, claude-3-opus" : "E.g. whisper-1, gemini-1.5-flash")}
-                                                        className={inputClass}
-                                                    />
-                                                )}
-                                                <p className="mt-2 text-xs text-gray-500 dark:text-gray-400">
-                                                    Specify exactly which model to pass to the provider API. Active default: <span className="font-mono text-gray-700 dark:text-gray-300">{providerEff.model || 'None'}</span>
-                                                </p>
-                                            </div>
-                                        )}
-
-                                        {allowVoice && (
-                                            <div className="mb-4">
-                                                <div className="flex items-center justify-between mb-2">
-                                                    <label className={labelClass} style={{ margin: 0 }}>Voice Name</label>
-                                                    <button type="button" onClick={() => handleViewVoices(provider.id, providerPrefs.api_key)} className="flex items-center justify-center w-5 h-5 rounded-full bg-blue-100 dark:bg-blue-900/60 text-blue-600 dark:text-blue-400 text-xs font-bold hover:bg-blue-200 dark:hover:bg-blue-800 transition-colors shadow-sm" title="View available voices">?</button>
-                                                </div>
-                                                <input
-                                                    type="text"
-                                                    value={providerPrefs.voice || ''}
-                                                    onChange={(e) => {
-                                                        const newProviders = { ...(config[sectionKey]?.providers || {}) };
-                                                        newProviders[provider.id] = { ...providerPrefs, voice: e.target.value };
-                                                        handleChange(sectionKey, 'providers', newProviders, provider.id);
-                                                    }}
-                                                    placeholder="E.g., Kore, en-US-Journey-F"
-                                                    className={inputClass}
-                                                />
-                                                <p className="mt-2 text-xs text-gray-500 dark:text-gray-400">
-                                                    Active default: <span className="font-mono text-gray-700 dark:text-gray-300">{providerEff.voice || 'None'}</span>
-                                                </p>
-                                            </div>
-                                        )}
-
-                                        {/* Custom Parameters Section */}
-                                        <div className="mt-4 pt-4 border-t border-gray-100 dark:border-gray-700">
-                                            <label className={`${labelClass} flex items-center gap-2`}>
-                                                Custom Parameters
-                                                <span className="text-[10px] font-normal normal-case text-gray-400">(e.g., vertex_project, vertex_location)</span>
-                                            </label>
-
-                                            <div className="space-y-2 mb-3">
-                                                {Object.entries(providerPrefs).map(([key, value]) => {
-                                                    // Filter out standard fields to only show "custom" ones here
-                                                    if (['api_key', 'model', 'voice'].includes(key)) return null;
-                                                    return (
-                                                        <div key={key} className="flex gap-2 items-center animate-in fade-in slide-in-from-left-2 duration-200">
-                                                            <div className="flex-1 bg-gray-50 dark:bg-gray-800/50 p-2 rounded-lg border border-gray-100 dark:border-gray-700 font-mono text-sm flex justify-between items-center group">
-                                                                <span className="text-indigo-600 dark:text-indigo-400 font-bold">{key}:</span>
-                                                                <span className="truncate ml-2 text-gray-600 dark:text-gray-300">{value}</span>
-                                                            </div>
-                                                            <button
-                                                                type="button"
-                                                                onClick={() => {
-                                                                    const { [key]: deleted, ...rest } = providerPrefs;
-                                                                    const newProviders = { ...(config[sectionKey]?.providers || {}) };
-                                                                    newProviders[provider.id] = rest;
-                                                                    handleChange(sectionKey, 'providers', newProviders, provider.id);
-                                                                }}
-                                                                className="p-2 text-red-500 hover:bg-red-50 dark:hover:bg-red-900/20 rounded-lg transition-colors"
-                                                            >
-                                                                <svg className="w-4 h-4" fill="none" stroke="currentColor" viewBox="0 0 24 24"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth="2" d="M19 7l-.867 12.142A2 2 0 0116.138 21H7.862a2 2 0 01-1.995-1.858L5 7m5 4v6m4-6v6m1-10V4a1 1 0 00-1-1h-4a1 1 0 00-1 1v3M4 7h16" /></svg>
-                                                            </button>
-                                                        </div>
-                                                    );
-                                                })}
-                                            </div>
-
-                                            <div className="flex flex-col sm:flex-row gap-3">
-                                                <div className="flex-[2] min-w-0 sm:min-w-[150px]">
-                                                    <input
-                                                        id={`new-key-${sectionKey}-${provider.id}`}
-                                                        placeholder="Key (e.g. project_id)"
-                                                        className={`${inputClass} !py-3 !text-sm w-full`}
-                                                    />
-                                                </div>
-                                                <div className="flex-[3] min-w-0 sm:min-w-[200px]">
-                                                    <input
-                                                        id={`new-val-${sectionKey}-${provider.id}`}
-                                                        placeholder="Value"
-                                                        className={`${inputClass} !py-3 !text-sm w-full`}
-                                                    />
-                                                </div>
-                                                <button
-                                                    type="button"
-                                                    onClick={() => {
-                                                        const k = document.getElementById(`new-key-${sectionKey}-${provider.id}`).value.trim();
-                                                        const v = document.getElementById(`new-val-${sectionKey}-${provider.id}`).value.trim();
-                                                        if (k && v) {
-                                                            const newProviders = { ...(config[sectionKey]?.providers || {}) };
-                                                            newProviders[provider.id] = { ...providerPrefs, [k]: v };
-                                                            handleChange(sectionKey, 'providers', newProviders, provider.id);
-                                                            document.getElementById(`new-key-${sectionKey}-${provider.id}`).value = '';
-                                                            document.getElementById(`new-val-${sectionKey}-${provider.id}`).value = '';
-                                                        }
-                                                    }}
-                                                    className="px-6 py-3 bg-indigo-50 dark:bg-indigo-900/40 text-indigo-700 dark:text-indigo-300 rounded-xl text-sm font-bold hover:bg-indigo-100 dark:hover:bg-indigo-900/60 transition-all shadow-sm border border-indigo-200 dark:border-indigo-800/50 flex-shrink-0"
-                                                >
-                                                    Add Parameter
-                                                </button>
-                                            </div>
-                                        </div>
-
-                                        <div className="mt-6 pt-6 border-t border-gray-100 dark:border-gray-700 flex items-center justify-between">
-                                            <div>
-                                                <h4 className="text-sm font-bold text-gray-900 dark:text-gray-100 mb-1">Access Control</h4>
-                                                <p className="text-xs text-gray-500 dark:text-gray-400">Manage which groups can use this provider.</p>
-                                            </div>
-                                            <button
-                                                type="button"
-                                                disabled={saving}
-                                                onClick={(e) => {
-                                                    e.stopPropagation();
-                                                    handleGrantToAll(sectionKey, provider.id);
-                                                }}
-                                                className="px-4 py-2 bg-indigo-50 dark:bg-indigo-900/40 text-indigo-700 dark:text-indigo-300 rounded-lg text-sm font-bold hover:bg-indigo-100 dark:hover:bg-indigo-900/60 transition-all shadow-sm border border-indigo-200 dark:border-indigo-800/50"
-                                                title="Add this provider to ALL group whitelists"
-                                            >
-                                                Grant All Groups
-                                            </button>
-                                        </div>
-                                    </div>
-                                )}
-                            </div>
-                        );
-                    })}
-                </div>
-            </div>
-        );
-    };
-
     const filteredUsers = allUsers.filter(u =>
         (u.username || '').toLowerCase().includes(userSearch.toLowerCase()) ||
         (u.email || '').toLowerCase().includes(userSearch.toLowerCase()) ||
@@ -938,591 +543,42 @@
         return a.name.localeCompare(b.name);
     });
 
-    return (
-        <div className="h-full overflow-y-auto py-10 px-4 sm:px-6 lg:px-8 font-sans">
-            <div className="max-w-3xl mx-auto">
-                <div className="flex justify-between items-end mb-2">
-                    <h1 className="text-3xl font-extrabold text-gray-900 dark:text-white tracking-tight">Configuration</h1>
-                    <div className="flex gap-2">
-                        <input
-                            type="file"
-                            ref={fileInputRef}
-                            style={{ display: 'none' }}
-                            accept=".yaml,.yml"
-                            onChange={handleImport}
-                        />
-                        <button
-                            type="button"
-                            onClick={() => fileInputRef.current?.click()}
-                            className="text-sm font-semibold px-4 py-2 border border-gray-300 dark:border-gray-600 rounded-lg hover:bg-gray-100 dark:hover:bg-gray-800 text-gray-700 dark:text-gray-300 transition-colors shadow-sm flex items-center gap-2"
-                        >
-                            <svg className="w-4 h-4" fill="none" stroke="currentColor" viewBox="0 0 24 24"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth="2" d="M4 16v1a2 2 0 002 2h12a2 2 0 002-2v-1m-4-8l-4-4m0 0L8 8m4-4v12" /></svg>
-                            Import
-                        </button>
-                        <button
-                            type="button"
-                            onClick={handleExport}
-                            className="text-sm font-semibold px-4 py-2 border border-gray-300 dark:border-gray-600 rounded-lg hover:bg-gray-100 dark:hover:bg-gray-800 text-gray-700 dark:text-gray-300 transition-colors shadow-sm flex items-center gap-2"
-                        >
-                            <svg className="w-4 h-4" fill="none" stroke="currentColor" viewBox="0 0 24 24"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth="2" d="M4 16v1a2 2 0 002 2h12a2 2 0 002-2v-1m-4-4l-4 4m0 0l-4-4m4 4V4" /></svg>
-                            Export
-                        </button>
-                    </div>
-                </div>
-                <p className="text-gray-600 dark:text-gray-400 mb-8">
-                    Customize your AI models, backend API tokens, and providers. These settings override system defaults.
-                </p>
-
-                {message.text && (
-                    <div className={`p-4 rounded-xl mb-6 shadow-sm border ${message.type === 'error' ? 'bg-red-50 dark:bg-red-900/30 text-red-700 dark:text-red-400 border-red-200 dark:border-red-800' : 'bg-emerald-50 dark:bg-emerald-900/30 text-emerald-700 dark:text-emerald-400 border-emerald-200 dark:border-emerald-800'}`}>
-                        {message.text}
-                    </div>
-                )}
-
-                <div className="space-y-12 pb-20">
-                    {/* Card 1: AI Provider Configuration */}
-                    <div className="bg-white dark:bg-gray-800 rounded-3xl shadow-xl overflow-hidden border border-gray-100 dark:border-gray-700 backdrop-blur-sm">
-                        <div className="p-6 border-b border-gray-100 dark:border-gray-700 bg-gray-50/30 dark:bg-gray-800/50">
-                            <h2 className="text-xl font-black text-gray-900 dark:text-white flex items-center gap-3">
-                                <svg className="w-6 h-6 text-indigo-500" fill="none" viewBox="0 0 24 24" stroke="currentColor"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2.5} d="M19.428 15.428a2 2 0 00-1.022-.547l-2.387-.477a2 2 0 00-1.96 1.414l-.503 1.508a10 10 0 01-4.322-4.322l1.508-.503a2 2 0 001.414-1.96l-.477-2.387a2 2 0 00-.547-1.022L7.707 4.707a1 1 0 00-1.414 0l-1.586 1.586a1 1 0 00-.233 1.03 10.001 10.001 0 0011.95 11.95 1 1 0 001.03-.233l1.586-1.586a1 1 0 000-1.414l-1.586-1.586z" /></svg>
-                                AI Resource Configuration
-                            </h2>
-                            <p className="text-xs text-gray-400 mt-1 uppercase font-bold tracking-widest">Manage your providers, models, and API keys</p>
-                        </div>
-
-                        {/* Config Tabs */}
-                        <div className="flex border-b border-gray-200 dark:border-gray-700 bg-gray-50/50 dark:bg-gray-800/50 overflow-x-auto no-scrollbar">
-                            {['llm', 'tts', 'stt'].map((tab) => (
-                                <button
-                                    key={tab}
-                                    type="button"
-                                    onClick={() => setActiveConfigTab(tab)}
-                                    className={`flex-1 min-w-[100px] py-4 text-[10px] font-black uppercase tracking-widest transition-all duration-200 focus:outline-none ${activeConfigTab === tab
-                                        ? 'text-indigo-600 dark:text-indigo-400 border-b-2 border-indigo-600 dark:border-indigo-400 bg-white dark:bg-gray-800'
-                                        : 'text-gray-400 dark:text-gray-500 hover:text-gray-600 dark:hover:text-gray-300 hover:bg-gray-100/50 dark:hover:bg-gray-700/30'
-                                        }`}
-                                >
-                                    {tab === 'llm' ? 'Models' : tab === 'tts' ? 'TTS' : 'STT'}
-                                </button>
-                            ))}
-                        </div>
-
-                        <form onSubmit={handleSave} className="p-6 sm:p-8 space-y-6">
-                            {/* LLM Settings */}
-                            {activeConfigTab === 'llm' && (
-                                <div className={sectionClass}>
-                                    {renderProviderSection('llm', providerLists.llm, false)}
-                                </div>
-                            )}
-
-                            {/* TTS Settings */}
-                            {activeConfigTab === 'tts' && (
-                                <div className={sectionClass}>
-                                    {renderProviderSection('tts', providerLists.tts, true)}
-                                </div>
-                            )}
-
-                            {/* STT Settings */}
-                            {activeConfigTab === 'stt' && (
-                                <div className={sectionClass}>
-                                    {renderProviderSection('stt', providerLists.stt, false)}
-                                </div>
-                            )}
-
-                            <div className="pt-6 mt-6 border-t border-gray-100 dark:border-gray-700 flex items-center justify-end">
-                                <button
-                                    type="submit"
-                                    disabled={saving}
-                                    className="px-6 py-3 bg-indigo-600 hover:bg-indigo-700 text-white font-bold rounded-xl shadow-lg shadow-indigo-200 dark:shadow-indigo-900/50 transform transition duration-200 hover:scale-[1.02] focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-indigo-500 disabled:opacity-75 disabled:cursor-not-allowed disabled:transform-none flex items-center gap-2"
-                                >
-                                    {saving && (
-                                        <svg className="animate-spin -ml-1 mr-2 h-5 w-5 text-white" xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24">
-                                            <circle className="opacity-25" cx="12" cy="12" r="10" stroke="currentColor" strokeWidth="4"></circle>
-                                            <path className="opacity-75" fill="currentColor" d="M4 12a8 8 0 018-8V0C5.373 0 0 5.373 0 12h4zm2 5.291A7.962 7.962 0 014 12H0c0 3.042 1.135 5.824 3 7.938l3-2.647z"></path>
-                                        </svg>
-                                    )}
-                                    <span>Save Configuration</span>
-                                </button>
-                            </div>
-                        </form>
-                    </div>
-
-                    {/* Card 2: Team & Access Management */}
-                    <div className="bg-white dark:bg-gray-800 rounded-3xl shadow-xl overflow-hidden border border-gray-100 dark:border-gray-700 backdrop-blur-sm">
-                        <div className="p-6 border-b border-gray-100 dark:border-gray-700 bg-gray-50/30 dark:bg-gray-800/50">
-                            <h2 className="text-xl font-black text-gray-900 dark:text-white flex items-center gap-3">
-                                <svg className="w-6 h-6 text-indigo-500" fill="none" viewBox="0 0 24 24" stroke="currentColor"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2.5} d="M12 4.354a4 4 0 110 5.292M15 21H3v-1a6 6 0 0112 0v1zm0 0h6v-1a6 6 0 00-9-5.197M13 7a4 4 0 11-8 0 4 4 0 018 0z" /></svg>
-                                Identity & Access Governance
-                            </h2>
-                            <p className="text-xs text-gray-400 mt-1 uppercase font-bold tracking-widest">Define groups, policies, and manage members</p>
-                        </div>
-
-                        {/* Admin Tabs */}
-                        <div className="flex border-b border-gray-200 dark:border-gray-700 bg-gray-50/50 dark:bg-gray-800/50 overflow-x-auto no-scrollbar">
-                            {['groups', 'users', 'personal'].map((tab) => (
-                                <button
-                                    key={tab}
-                                    type="button"
-                                    onClick={() => setActiveAdminTab(tab)}
-                                    className={`flex-1 min-w-[100px] py-4 text-[10px] font-black uppercase tracking-widest transition-all duration-200 focus:outline-none ${activeAdminTab === tab
-                                        ? 'text-indigo-600 dark:text-indigo-400 border-b-2 border-indigo-600 dark:border-indigo-400 bg-white dark:bg-gray-800'
-                                        : 'text-gray-400 dark:text-gray-500 hover:text-gray-600 dark:hover:text-gray-300 hover:bg-gray-100/50 dark:hover:bg-gray-700/30'
-                                        }`}
-                                >
-                                    {tab === 'groups' ? 'Groups' : tab === 'users' ? 'Users' : 'My Profile'}
-                                </button>
-                            ))}
-                        </div>
-
-                        <div className="p-6 sm:p-8">
-                            {/* Groups Management */}
-                            {activeAdminTab === 'groups' && (
-                                <div className={sectionClass}>
-                                    {!editingGroup ? (
-                                        <div className="space-y-6">
-                                            <div className="flex items-center justify-between">
-                                                <h3 className="text-lg font-black flex items-center gap-3 text-gray-900 dark:text-white">
-                                                    Registered Groups
-                                                </h3>
-                                                <button
-                                                    type="button"
-                                                    onClick={() => setEditingGroup({ id: 'new', name: '', description: '', policy: { llm: [], tts: [], stt: [], nodes: [], skills: [] } })}
-                                                    className="px-4 py-2 bg-indigo-600 hover:bg-indigo-700 text-white text-[10px] font-black uppercase tracking-widest rounded-lg shadow-md transition-all flex items-center gap-2"
-                                                >
-                                                    <svg className="w-4 h-4" fill="none" viewBox="0 0 24 24" stroke="currentColor"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={3} d="M12 4v16m8-8H4" /></svg>
-                                                    Add Group
-                                                </button>
-                                            </div>
-
-                                            <div className="grid grid-cols-1 gap-4">
-                                                {sortedGroups.map((g) => (
-                                                    <div key={g.id} className={`p-4 border ${g.id === 'ungrouped' ? 'border-indigo-300 dark:border-indigo-700 bg-indigo-50/30 dark:bg-indigo-900/10' : 'border-gray-100 dark:border-gray-700 bg-gray-50/50 dark:bg-gray-900/30'} rounded-2xl flex justify-between items-center group/card hover:bg-white dark:hover:bg-gray-800 transition-all hover:shadow-md`}>
-                                                        <div>
-                                                            <h4 className="font-bold text-gray-900 dark:text-gray-100 flex items-center gap-2">
-                                                                {g.id === 'ungrouped' ? 'Standard / Guest Policy' : g.name}
-                                                                {g.id === 'ungrouped' && <span className="text-[10px] font-black uppercase tracking-widest text-indigo-600 dark:text-indigo-400 py-0.5 px-2 bg-indigo-100/50 dark:bg-indigo-900/40 rounded-full">Global Fallback</span>}
-                                                            </h4>
-                                                            <p className="text-xs text-gray-500 dark:text-gray-400 mt-1">
-                                                                {g.id === 'ungrouped' ? 'Baseline access for all unassigned members.' : (g.description || 'No description')}
-                                                            </p>
-                                                            <div className="flex gap-2 mt-3 overflow-x-auto no-scrollbar pb-1">
-                                                                {['llm', 'tts', 'stt', 'nodes', 'skills'].map(section => (
-                                                                    <div key={section} className="flex flex-col items-center">
-                                                                        <span className="text-[9px] font-black uppercase tracking-tight text-gray-400 mb-1">{section}</span>
-                                                                        <div className="flex -space-x-2">
-                                                                            {g.policy?.[section]?.length > 0 ? (
-                                                                                g.policy?.[section].slice(0, 3).map(p => (
-                                                                                    <div key={p} className={`w-5 h-5 rounded-full ${section === 'nodes' ? 'bg-emerald-100 dark:bg-emerald-900 text-emerald-600 dark:text-emerald-400' : (section === 'skills' ? 'bg-amber-100 dark:bg-amber-900 text-amber-600 dark:text-amber-400' : 'bg-indigo-100 dark:bg-indigo-900 text-indigo-600 dark:text-indigo-400')} border-2 border-white dark:border-gray-800 flex items-center justify-center text-[8px] font-bold`} title={p}>
-                                                                                        {p[0].toUpperCase()}
-                                                                                    </div>
-                                                                                ))
-                                                                            ) : (
-                                                                                <span className="text-[10px] text-gray-400 italic">None</span>
-                                                                            )}
-                                                                            {g.policy?.[section]?.length > 3 && (
-                                                                                <div className="w-5 h-5 rounded-full bg-gray-100 dark:bg-gray-700 border-2 border-white dark:border-gray-800 flex items-center justify-center text-[8px] font-bold text-gray-500">
-                                                                                    +{g.policy?.[section].length - 3}
-                                                                                </div>
-                                                                            )}
-                                                                        </div>
-                                                                    </div>
-                                                                ))}
-                                                            </div>
-                                                        </div>
-                                                        <div className="flex gap-2">
-                                                            <button
-                                                                type="button"
-                                                                onClick={() => setEditingGroup(g)}
-                                                                className="p-2 text-indigo-600 hover:bg-indigo-50 dark:hover:bg-indigo-900/30 rounded-lg transition-colors"
-                                                            >
-                                                                <svg className="w-5 h-5" fill="none" viewBox="0 0 24 24" stroke="currentColor"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M15.232 5.232l3.536 3.536m-2.036-5.036a2.5 2.5 0 113.536 3.536L6.5 21.036H3v-3.572L16.732 3.732z" /></svg>
-                                                            </button>
-                                                            {g.id !== 'ungrouped' && (
-                                                                <button
-                                                                    type="button"
-                                                                    onClick={() => handleDeleteGroup(g.id)}
-                                                                    className="p-2 text-red-500 hover:bg-red-50 dark:hover:bg-red-900/30 rounded-lg transition-colors"
-                                                                >
-                                                                    <svg className="w-5 h-5" fill="none" viewBox="0 0 24 24" stroke="currentColor"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M19 7l-.867 12.142A2 2 0 0116.138 21H7.862a2 2 0 01-1.995-1.858L5 7m5 4v6m4-6v6m1-10V4a1 1 0 00-1-1h-4a1 1 0 00-1 1v3M4 7h16" /></svg>
-                                                                </button>
-                                                            )}
-                                                        </div>
-                                                    </div>
-                                                ))}
-                                            </div>
-                                        </div>
-                                    ) : (
-                                        <div className="animate-fade-in space-y-6">
-                                            {/* (Group editing form - unchanged logic, just cleaner container) */}
-                                            <div className="flex items-center gap-4">
-                                                <button type="button" onClick={() => setEditingGroup(null)} className="p-2 text-gray-400 hover:text-gray-600 dark:hover:text-gray-200">
-                                                    <svg className="w-6 h-6" fill="none" viewBox="0 0 24 24" stroke="currentColor"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M10 19l-7-7m0 0l7-7m-7 7h18" /></svg>
-                                                </button>
-                                                <h3 className="text-xl font-black text-gray-900 dark:text-white">
-                                                    {editingGroup.id === 'new' ? 'New Group Policy' : `Edit: ${editingGroup.id === 'ungrouped' ? 'Standard / Guest Policy' : editingGroup.name}`}
-                                                </h3>
-                                                {editingGroup.id === 'ungrouped' && (
-                                                    <span className="text-[10px] font-black uppercase tracking-widest text-amber-700 dark:text-amber-400 py-1 px-2.5 bg-amber-100/60 dark:bg-amber-900/30 border border-amber-200 dark:border-amber-800 rounded-full flex items-center gap-1">
-                                                        <svg className="w-3 h-3" fill="currentColor" viewBox="0 0 20 20"><path fillRule="evenodd" d="M5 9V7a5 5 0 0110 0v2a2 2 0 012 2v5a2 2 0 01-2 2H5a2 2 0 01-2-2v-5a2 2 0 012-2zm8-2v2H7V7a3 3 0 016 0z" clipRule="evenodd" /></svg>
-                                                        System Group
-                                                    </span>
-                                                )}
-                                            </div>
-
-                                            <div className="bg-gray-50/50 dark:bg-gray-900/30 p-6 rounded-3xl border border-gray-100 dark:border-gray-700 space-y-6">
-                                                <div className="grid grid-cols-1 sm:grid-cols-2 gap-6">
-                                                    <div>
-                                                        <label className={labelClass}>Group Name</label>
-                                                        <input
-                                                            value={editingGroup.id === 'ungrouped' ? 'Ungrouped (System Default)' : editingGroup.name}
-                                                            onChange={e => editingGroup.id !== 'ungrouped' && setEditingGroup({ ...editingGroup, name: e.target.value })}
-                                                            readOnly={editingGroup.id === 'ungrouped'}
-                                                            placeholder="Engineering, Designers, etc."
-                                                            className={`${inputClass} ${editingGroup.id === 'ungrouped'
-                                                                ? 'opacity-60 cursor-not-allowed bg-gray-100 dark:bg-gray-700 text-gray-500 dark:text-gray-400'
-                                                                : (editingGroup.name.trim() &&
-                                                                    allGroups.some(g => g.id !== editingGroup.id && g.name.toLowerCase() === editingGroup.name.trim().toLowerCase())
-                                                                    ? '!border-red-400 dark:!border-red-600 !ring-red-300'
-                                                                    : '')
-                                                                }`}
-                                                        />
-                                                        {editingGroup.id === 'ungrouped' ? (
-                                                            <p className="mt-1.5 text-xs text-amber-600 dark:text-amber-400 font-medium flex items-center gap-1">
-                                                                <svg className="w-3.5 h-3.5" fill="currentColor" viewBox="0 0 20 20"><path fillRule="evenodd" d="M5 9V7a5 5 0 0110 0v2a2 2 0 012 2v5a2 2 0 01-2 2H5a2 2 0 01-2-2v-5a2 2 0 012-2zm8-2v2H7V7a3 3 0 016 0z" clipRule="evenodd" /></svg>
-                                                                System group name is locked. Only the access policy can be changed.
-                                                            </p>
-                                                        ) : editingGroup.name.trim() &&
-                                                        allGroups.some(g => g.id !== editingGroup.id && g.name.toLowerCase() === editingGroup.name.trim().toLowerCase()) && (
-                                                            <p className="mt-1.5 text-xs font-semibold text-red-500 flex items-center gap-1">
-                                                                <svg className="w-3.5 h-3.5" fill="currentColor" viewBox="0 0 20 20"><path fillRule="evenodd" d="M18 10a8 8 0 11-16 0 8 8 0 0116 0zm-7 4a1 1 0 11-2 0 1 1 0 012 0zm-1-9a1 1 0 00-1 1v4a1 1 0 102 0V6a1 1 0 00-1-1z" clipRule="evenodd" /></svg>
-                                                                A group with this name already exists
-                                                            </p>
-                                                        )}
-                                                    </div>
-                                                    <div>
-                                                        <label className={labelClass}>Description</label>
-                                                        <input
-                                                            value={editingGroup.description || ''}
-                                                            onChange={e => setEditingGroup({ ...editingGroup, description: e.target.value })}
-                                                            placeholder="Short description of this group..."
-                                                            className={inputClass}
-                                                        />
-                                                    </div>
-                                                </div>
-
-                                                <div className="border-t border-gray-200 dark:border-gray-700 pt-6">
-                                                    <label className="text-sm font-black uppercase tracking-widest text-gray-500 mb-4 block">Provider Access Policy (Whitelists)</label>
-
-                                                    <div className="grid grid-cols-1 gap-8">
-                                                        {['llm', 'tts', 'stt', 'nodes', 'skills'].map(section => (
-                                                            <div key={section} className="space-y-3">
-                                                                <div className="flex items-center justify-between mb-2">
-                                                                    <span className="text-[10px] font-black uppercase tracking-widest text-gray-400">{section === 'nodes' ? 'Accessible Nodes' : `${section} Access`}</span>
-                                                                    <div className="flex gap-2">
-                                                                        <button type="button" onClick={() => {
-                                                                            let availableIds = [];
-                                                                            if (section === 'nodes') {
-                                                                                availableIds = allNodes.map(n => n.node_id);
-                                                                            } else if (section === 'skills') {
-                                                                                availableIds = allSkills.map(s => s.name);
-                                                                            } else {
-                                                                                availableIds = effective[section]?.providers ? Object.keys(effective[section].providers) : [];
-                                                                            }
-                                                                            setEditingGroup({ ...editingGroup, policy: { ...editingGroup.policy, [section]: availableIds } })
-                                                                        }} className="text-[10px] font-bold text-indigo-600 dark:text-indigo-400 hover:underline">Select All</button>
-                                                                        <button type="button" onClick={() => setEditingGroup({ ...editingGroup, policy: { ...editingGroup.policy, [section]: [] } })} className="text-[10px] font-bold text-red-600 dark:text-red-400 hover:underline">Clear</button>
-                                                                    </div>
-                                                                </div>
-                                                                <div className="grid grid-cols-2 sm:grid-cols-3 gap-2">
-                                                                    {(section === 'nodes' ? allNodes.map(n => ({ id: n.node_id, label: n.display_name })) :
-                                                                        (section === 'skills' ? allSkills.filter(s => !s.is_system).map(s => ({ id: s.name, label: s.name })) :
-                                                                            (effective[section]?.providers ? Object.keys(effective[section].providers) : []).map(pId => {
-                                                                                const baseType = pId.split('_')[0];
-                                                                                const baseDef = providerLists[section].find(ld => ld.id === baseType || ld.id === pId);
-                                                                                return { id: pId, label: baseDef ? (pId.includes('_') ? `${baseDef.label} (${pId.split('_').slice(1).join('_')})` : baseDef.label) : pId };
-                                                                            }))).map(item => {
-                                                                                const isChecked = (editingGroup.policy?.[section] || []).includes(item.id);
-                                                                                return (
-                                                                                    <label key={item.id} className={`flex items-center gap-2 px-3 py-2 rounded-xl border cursor-pointer transition-all ${isChecked ? 'bg-indigo-50 dark:bg-indigo-900/30 border-indigo-200 dark:border-indigo-800' : 'border-gray-100 dark:border-gray-700 hover:bg-gray-50 dark:hover:bg-gray-800/50'}`}>
-                                                                                        <input
-                                                                                            type="checkbox"
-                                                                                            checked={isChecked}
-                                                                                            onChange={(e) => {
-                                                                                                const current = editingGroup.policy?.[section] || [];
-                                                                                                const next = e.target.checked ? [...current, item.id] : current.filter(x => x !== item.id);
-                                                                                                setEditingGroup({ ...editingGroup, policy: { ...editingGroup.policy, [section]: next } });
-                                                                                            }}
-                                                                                            className="rounded border-gray-300 dark:border-gray-600 text-indigo-600 focus:ring-indigo-500"
-                                                                                        />
-                                                                                        <span className="text-[11px] font-bold text-gray-700 dark:text-gray-300 truncate" title={item.label}>{item.label}</span>
-                                                                                    </label>
-                                                                                );
-                                                                            })}
-                                                                </div>
-                                                                {section === 'nodes' && allNodes.length === 0 && (
-                                                                    <p className="text-[10px] text-gray-400 italic">No agent nodes registered yet.</p>
-                                                                )}
-                                                            </div>
-                                                        ))}
-                                                    </div>
-                                                </div>
-
-                                                <div className="flex justify-end gap-3 pt-4">
-                                                    <button type="button" onClick={() => setEditingGroup(null)} className="px-6 py-2 rounded-xl text-sm font-bold text-gray-500 hover:bg-gray-100 dark:hover:bg-gray-800 transition-colors">Cancel</button>
-                                                    <button type="button" onClick={handleSaveGroup} disabled={saving || !editingGroup.name || allGroups.some(g => g.id !== editingGroup.id && g.name.toLowerCase() === editingGroup.name.trim().toLowerCase())} className="px-8 py-2 bg-indigo-600 text-white rounded-xl text-sm font-black uppercase tracking-widest shadow-lg shadow-indigo-200 dark:shadow-indigo-900/50 hover:bg-indigo-700 disabled:opacity-50 transition-all">
-                                                        {saving ? 'Saving...' : 'Save Group'}
-                                                    </button>
-                                                </div>
-                                            </div>
-                                        </div>
-                                    )}
-                                </div>
-                            )}
-
-                            {/* Users Management */}
-                            {activeAdminTab === 'users' && (
-                                <div className={sectionClass}>
-                                    <div className="space-y-6">
-                                        <div className="flex flex-col sm:flex-row items-center justify-between gap-4">
-                                            <h3 className="text-lg font-black flex items-center gap-3 text-gray-900 dark:text-white">
-                                                Active Roster
-                                                <span className="text-[10px] py-0.5 px-2 bg-gray-100 dark:bg-gray-700 text-gray-400 rounded-full">{filteredUsers.length}</span>
-                                            </h3>
-                                            <div className="flex items-center gap-3 w-full sm:w-auto">
-                                                <div className="relative flex-1 sm:min-w-[250px]">
-                                                    <input
-                                                        type="text"
-                                                        value={userSearch}
-                                                        onChange={e => setUserSearch(e.target.value)}
-                                                        placeholder="Search by name, email..."
-                                                        className="w-full text-xs p-2.5 pl-9 bg-white dark:bg-gray-800 border border-gray-200 dark:border-gray-700 rounded-xl focus:ring-2 focus:ring-indigo-500 outline-none transition-all"
-                                                    />
-                                                    <svg className="w-4 h-4 text-gray-400 absolute left-3 top-1/2 -translate-y-1/2" fill="none" viewBox="0 0 24 24" stroke="currentColor"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2.5} d="M21 21l-6-6m2-5a7 7 0 11-14 0 7 7 0 0114 0z" /></svg>
-                                                </div>
-                                                <button onClick={loadUsers} className="p-2.5 text-indigo-600 hover:bg-indigo-50 dark:hover:bg-indigo-900/30 border border-gray-200 dark:border-gray-700 bg-white dark:bg-gray-800 rounded-xl transition-colors">
-                                                    <svg className={`w-4 h-4 ${usersLoading ? 'animate-spin' : ''}`} fill="none" viewBox="0 0 24 24" stroke="currentColor"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M4 4v5h.582m15.356 2A8.001 8.001 0 004.582 9m0 0H9m11 11v-5h-.581m0 0a8.003 8.003 0 01-15.357-2m15.357 2H15" /></svg>
-                                                </button>
-                                            </div>
-                                        </div>
-                                        <div className="overflow-hidden border border-gray-100 dark:border-gray-700 rounded-2xl shadow-sm bg-gray-50/50 dark:bg-gray-900/30">
-                                            <table className="w-full text-left border-collapse">
-                                                <thead className="bg-white dark:bg-gray-800">
-                                                    <tr>
-                                                        <th className="px-6 py-4 text-[9px] font-black uppercase tracking-widest text-gray-500">Member</th>
-                                                        <th className="px-6 py-4 text-[9px] font-black uppercase tracking-widest text-gray-500">Policy Group</th>
-                                                        <th className="px-6 py-4 text-[9px] font-black uppercase tracking-widest text-gray-500">Activity Auditing</th>
-                                                        <th className="px-6 py-4 text-[9px] font-black uppercase tracking-widest text-gray-500 text-right">Actions</th>
-                                                    </tr>
-                                                </thead>
-                                                <tbody className="divide-y divide-gray-100 dark:divide-gray-800">
-                                                    {filteredUsers.map((u) => (
-                                                        <tr key={u.id} className="hover:bg-white dark:hover:bg-gray-800/50 transition-colors">
-                                                            <td className="px-6 py-4">
-                                                                <div className="flex items-center gap-3">
-                                                                    <div className={`w-8 h-8 rounded-full flex items-center justify-center text-[10px] font-black ${u.role === 'admin' ? 'bg-indigo-100 text-indigo-700 dark:bg-indigo-900/40 dark:text-indigo-300' : 'bg-gray-100 text-gray-700 dark:bg-gray-700 dark:text-gray-300'}`}>
-                                                                        {(u.username || u.email || '?')[0].toUpperCase()}
-                                                                    </div>
-                                                                    <div>
-                                                                        <p className="text-xs font-black text-gray-900 dark:text-white truncate max-w-[150px]">{u.username || u.email}</p>
-                                                                        <p className="text-[10px] text-gray-400 font-bold uppercase tracking-tight">{u.role}</p>
-                                                                    </div>
-                                                                </div>
-                                                            </td>
-                                                            <td className="px-6 py-4">
-                                                                <select
-                                                                    value={u.group_id || 'ungrouped'}
-                                                                    onChange={(e) => handleGroupChange(u.id, e.target.value)}
-                                                                    className="text-xs p-1.5 bg-white dark:bg-gray-800 border border-gray-200 dark:border-gray-700 rounded-lg outline-none focus:ring-1 focus:ring-indigo-500 transition-all font-bold text-gray-600 dark:text-gray-300 min-w-[150px]"
-                                                                >
-                                                                    {sortedGroups.map(g => (
-                                                                        <option key={g.id} value={g.id}>
-                                                                            {g.id === 'ungrouped' ? 'Standard / Guest' : g.name}
-                                                                        </option>
-                                                                    ))}
-                                                                </select>
-                                                            </td>
-                                                            <td className="px-6 py-4">
-                                                                <div className="space-y-1">
-                                                                    <div className="flex items-center gap-1.5">
-                                                                        <span className="text-[9px] font-black uppercase text-gray-400">Join:</span>
-                                                                        <span className="text-[10px] font-bold text-gray-600 dark:text-gray-300">{new Date(u.created_at).toLocaleDateString()}</span>
-                                                                    </div>
-                                                                    <div className="flex items-center gap-1.5">
-                                                                        <span className="text-[9px] font-black uppercase text-gray-400">Last:</span>
-                                                                        <span className="text-[10px] font-bold text-indigo-600 dark:text-indigo-400">
-                                                                            {u.last_login_at ? new Date(u.last_login_at).toLocaleDateString() : 'Never'}
-                                                                        </span>
-                                                                    </div>
-                                                                </div>
-                                                            </td>
-                                                            <td className="px-6 py-4 text-right">
-                                                                <button
-                                                                    type="button"
-                                                                    onClick={(e) => { e.preventDefault(); handleRoleToggle(u); }}
-                                                                    className={`text-[9px] font-black uppercase tracking-widest transition-all ${u.role === 'admin'
-                                                                        ? 'text-red-600 hover:text-red-700'
-                                                                        : 'text-indigo-600 hover:text-indigo-700'
-                                                                        }`}
-                                                                >
-                                                                    {u.role === 'admin' ? 'Demote' : 'Promote'}
-                                                                </button>
-                                                            </td>
-                                                        </tr>
-                                                    ))}
-                                                </tbody>
-                                            </table>
-                                            {allUsers.length === 0 && !usersLoading && (
-                                                <div className="p-12 text-center text-gray-400 italic text-sm">No other users found.</div>
-                                            )}
-                                        </div>
-                                    </div>
-                                </div>
-                            )}
-
-                            {/* Personal Settings */}
-                            {activeAdminTab === 'personal' && (
-                                <div className={sectionClass}>
-                                    <div className="space-y-8">
-                                        <div className="flex items-center gap-3">
-                                            <div className="p-2 bg-indigo-50 dark:bg-indigo-900/30 rounded-lg text-indigo-600 dark:text-indigo-400">
-                                                <svg className="w-5 h-5" fill="none" viewBox="0 0 24 24" stroke="currentColor"><path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2.5} d="M16 7a4 4 0 11-8 0 4 4 0 018 0zM12 14a7 7 0 00-7 7h14a7 7 0 00-7-7z" /></svg>
-                                            </div>
-                                            <div>
-                                                <h3 className="text-lg font-black text-gray-900 dark:text-white uppercase tracking-wider">My Preferences</h3>
-                                                <p className="text-[10px] text-gray-500 dark:text-gray-400 font-bold uppercase tracking-widest">Customize your individual experience</p>
-                                            </div>
-                                        </div>
-
-                                        <div className="bg-gray-50/50 dark:bg-gray-900/30 p-6 rounded-3xl border border-gray-100 dark:border-gray-700 space-y-8">
-                                            {accessibleNodes.length > 0 ? (
-                                                <div className="space-y-4">
-                                                    <label className="text-sm font-black uppercase tracking-widest text-gray-500 block">Default Node Attachment</label>
-                                                    <p className="text-xs text-gray-400 mb-4">Auto-attach these nodes to new sessions:</p>
-                                                    <div className="flex flex-wrap gap-2">
-                                                        {accessibleNodes.map(node => {
-                                                            const isActive = (nodePrefs.default_node_ids || []).includes(node.node_id);
-                                                            return (
-                                                                <button
-                                                                    key={node.node_id}
-                                                                    type="button"
-                                                                    onClick={() => toggleDefaultNode(node.node_id)}
-                                                                    className={`px-4 py-2 rounded-xl text-[10px] font-black uppercase tracking-widest border-2 transition-all ${isActive
-                                                                        ? 'bg-emerald-600 border-emerald-600 text-white shadow-lg shadow-emerald-200 dark:shadow-none translate-y-[-1px]'
-                                                                        : 'bg-white dark:bg-gray-800 border-gray-200 dark:border-gray-700 text-gray-400 hover:border-emerald-300'
-                                                                        }`}
-                                                                >
-                                                                    {node.display_name}
-                                                                </button>
-                                                            );
-                                                        })}
-                                                    </div>
-                                                </div>
-                                            ) : (
-                                                <div className="p-4 bg-gray-100/50 dark:bg-gray-800/50 rounded-2xl border border-dashed border-gray-200 dark:border-gray-700">
-                                                    <p className="text-xs text-gray-500 italic">No agent nodes are currently assigned to your group.</p>
-                                                </div>
-                                            )}
-
-                                            <div className="space-y-4 pt-4 border-t border-gray-100 dark:border-gray-700">
-                                                <label className="text-sm font-black uppercase tracking-widest text-gray-500 block">Default Sync Workspace Directory</label>
-                                                <div className="flex flex-col sm:flex-row gap-3">
-                                                    <select
-                                                        value={nodePrefs.data_source?.source || 'empty'}
-                                                        onChange={(e) => handleNodePrefChange({ data_source: { ...nodePrefs.data_source, source: e.target.value } })}
-                                                        className="bg-white dark:bg-gray-800 border border-gray-200 dark:border-gray-700 rounded-xl px-4 py-3 text-xs font-bold text-gray-700 dark:text-gray-300 focus:outline-none focus:ring-2 focus:ring-indigo-500 shadow-sm"
-                                                    >
-                                                        <option value="empty">Empty Workspace</option>
-                                                        <option value="node_local">Node Local Path</option>
-                                                    </select>
-                                                    {nodePrefs.data_source?.source === 'node_local' && (
-                                                        <input
-                                                            type="text"
-                                                            value={nodePrefs.data_source?.path || ''}
-                                                            onChange={(e) => handleNodePrefChange({ data_source: { ...nodePrefs.data_source, path: e.target.value } })}
-                                                            placeholder="/home/user/workspace"
-                                                            className="flex-1 bg-white dark:bg-gray-800 border border-gray-200 dark:border-gray-700 rounded-xl px-4 py-3 text-xs font-mono text-indigo-600 dark:text-indigo-400 focus:outline-none focus:ring-2 focus:ring-indigo-500 shadow-sm"
-                                                        />
-                                                    )}
-                                                </div>
-                                                <p className="text-[10px] text-gray-400 italic font-medium">
-                                                    Determines where the agent should look for files on the node when starting a chat.
-                                                </p>
-                                            </div>
-                                        </div>
-                                    </div>
-                                </div>
-                            )}
-                        </div>
-                    </div>
-                </div>
-            </div>
-            {showVoicesModal && (
-                <div className="fixed inset-0 z-[100] flex items-center justify-center bg-black/50 p-4 transition-opacity" onClick={() => setShowVoicesModal(false)}>
-                    <div className="bg-white dark:bg-gray-800 rounded-xl max-w-lg w-full p-6 shadow-2xl relative max-h-[85vh] flex flex-col" onClick={e => e.stopPropagation()}>
-                        <div className="flex justify-between items-center mb-4 border-b border-gray-100 dark:border-gray-700 pb-3">
-                            <div>
-                                <h3 className="text-xl font-bold text-gray-900 dark:text-gray-100">Available Cloud Voices</h3>
-                                <p className="text-xs text-gray-500 mt-1">Found {voiceList.length} voices to choose from.</p>
-                                <p className="text-xs text-indigo-500 font-medium mt-1">Highlighted voices (Chirp, Journey, Studio) use advanced AI for highest quality.</p>
-                            </div>
-                            <button onClick={() => setShowVoicesModal(false)} className="text-gray-400 hover:text-gray-600 dark:hover:text-gray-300 text-3xl font-bold focus:outline-none">&times;</button>
-                        </div>
-                        <div className="overflow-y-auto flex-1 bg-gray-50 dark:bg-gray-900/50 border border-gray-100 dark:border-gray-700 p-2 rounded-lg">
-                            {voicesLoading ? (
-                                <div className="flex h-32 items-center justify-center">
-                                    <div className="animate-spin rounded-full h-8 w-8 border-b-2 border-indigo-600 dark:border-indigo-400"></div>
-                                </div>
-                            ) : voiceList.length > 0 ? (
-                                <ul className="space-y-[2px]">
-                                    {voiceList.map((v, i) => {
-                                        let highlight = v.toLowerCase().includes('chirp') || v.toLowerCase().includes('journey') || v.toLowerCase().includes('studio');
-                                        return (
-                                            <li key={i} className={`text-sm cursor-text font-mono select-all p-2 hover:bg-white dark:hover:bg-gray-800 rounded transition-colors border border-transparent hover:border-gray-200 dark:hover:border-gray-600 ${highlight ? 'text-indigo-600 dark:text-indigo-400 font-semibold' : 'text-gray-600 dark:text-gray-400'}`}>
-                                                {v}
-                                            </li>
-                                        )
-                                    })}
-                                </ul>
-                            ) : (
-                                <p className="text-center text-gray-500 mt-8">No voices found. Make sure your API key is configured and valid.</p>
-                            )}
-                        </div>
-                        <div className="mt-4 text-xs text-gray-500 dark:text-gray-400 flex justify-between items-center">
-                            <span>Double-click a name to select it, then paste it into the field.</span>
-                            <button onClick={() => setShowVoicesModal(false)} className="px-4 py-2 bg-gray-100 hover:bg-gray-200 dark:bg-gray-700 dark:hover:bg-gray-600 text-gray-700 dark:text-gray-300 rounded-lg transition-colors font-medium">Close</button>
-                        </div>
-                    </div>
-                </div>
-            )}
-        </div>
-    );
-
     const context = {
         config,
-        effective,
         loading,
         saving,
         message,
-        activeConfigTab,
-        setActiveConfigTab,
         activeAdminTab,
         setActiveAdminTab,
-        userSearch,
-        setUserSearch,
+        activeConfigTab,
+        setActiveConfigTab,
         expandedProvider,
         setExpandedProvider,
-        selectedNewProvider,
-        setSelectedNewProvider,
+        addingSection,
+        setAddingSection,
+        addForm,
+        setAddForm,
+        collapsedSections,
+        setCollapsedSections,
         verifying,
-        setVerifying,
+        testingConnection,
         fetchedModels,
-        setFetchedModels,
-        providerLists,
         providerStatuses,
-        voiceList,
-        showVoicesModal,
-        setShowVoicesModal,
-        voicesLoading,
+        fileInputRef,
+        handleExport,
+        handleImport,
+        handleConfigChange,
+        handleVerifyProvider,
+        handleTestConnection,
+        handleDeleteProvider: handleDeleteProviderAction,
+        handleAddInstance,
+        confirmAction,
+        setConfirmAction,
+        executeConfirmAction,
+
+        userSearch,
+        setUserSearch,
+        providerLists,
         allUsers,
         usersLoading,
         loadUsers,
@@ -1530,33 +586,27 @@
         groupsLoading,
         editingGroup,
         setEditingGroup,
-        addingSection,
-        setAddingSection,
-        addForm,
-        setAddForm,
         allNodes,
         nodesLoading,
         allSkills,
         skillsLoading,
-        accessibleNodes,
-        nodePrefs,
-        fileInputRef,
-        handleViewVoices,
+        adminConfig,
+        setAdminConfig,
+        adminConfigLoading,
+        userProfile,
+        handleSaveAdminConfig,
+        handleSaveConfig,
+        setConfig,
+        setProviderLists,
         handleRoleToggle,
         handleGroupChange,
-        handleNodePrefChange,
-        toggleDefaultNode,
         handleSaveGroup,
         handleDeleteGroup,
-        handleSave,
-        handleImport,
-        handleExport,
-        inputClass,
-        labelClass,
-        sectionClass,
         filteredUsers,
         sortedGroups,
-        renderProviderSection
+        inputClass: "w-full border border-gray-300 dark:border-gray-600 rounded-lg p-3 bg-white dark:bg-gray-800 text-gray-900 dark:text-gray-100 placeholder-gray-400 dark:placeholder-gray-500 focus:outline-none focus:ring-2 focus:ring-indigo-500 transition-colors duration-200 shadow-sm",
+        labelClass: "block text-sm font-semibold text-gray-700 dark:text-gray-300 mb-2",
+        sectionClass: "animate-fade-in"
     };
 
     return <SettingsPageContent context={context} />;
diff --git a/frontend/src/features/skills/components/SkillsPageContent.js b/frontend/src/features/skills/components/SkillsPageContent.js
index 3a5f99f..98a07de 100644
--- a/frontend/src/features/skills/components/SkillsPageContent.js
+++ b/frontend/src/features/skills/components/SkillsPageContent.js
@@ -30,7 +30,12 @@
         formData,
         setFormData,
         showAdvanced,
-        setShowAdvanced
+        setShowAdvanced,
+        errorModalMessage,
+        setErrorModalMessage,
+        confirmDeleteId,
+        setConfirmDeleteId,
+        confirmDelete
     } = context;
 
     const SidebarItem = ({ id, label, icon, count, active }) => (
@@ -430,6 +435,58 @@
                     </div>
                 </div>
             )}
+
+            {/* ERROR MODAL */}
+            {errorModalMessage && (
+                <div className="fixed inset-0 z-[120] flex items-center justify-center bg-black/60 backdrop-blur-sm p-4 animate-in fade-in duration-200">
+                    <div className="bg-white dark:bg-gray-800 rounded-[32px] w-full max-w-md shadow-2xl overflow-hidden animate-in zoom-in-95 duration-200 border border-red-50 dark:border-red-900">
+                        <div className="p-8 text-center">
+                            <div className="w-20 h-20 bg-red-50 dark:bg-red-900/20 rounded-full flex items-center justify-center mx-auto mb-6">
+                                <Icon path="M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-3L13.732 4c-.77-1.333-2.694-1.333-3.464 0L3.34 16c-.77 1.333.192 3 1.732 3z" className="w-10 h-10 text-red-500" />
+                            </div>
+                            <h3 className="text-xl font-black text-gray-900 dark:text-white uppercase tracking-tight mb-2">Protocol Violation</h3>
+                            <p className="text-sm text-gray-500 dark:text-gray-400 mb-8 italic">{errorModalMessage}</p>
+                            <button
+                                onClick={() => setErrorModalMessage(null)}
+                                className="w-full py-4 text-xs font-black uppercase tracking-widest text-white bg-indigo-600 hover:bg-indigo-700 rounded-2xl transition-all shadow-xl shadow-indigo-600/20 active:scale-95"
+                            >
+                                Dismiss
+                            </button>
+                        </div>
+                    </div>
+                </div>
+            )}
+
+            {/* CONFIRM DELETE MODAL */}
+            {confirmDeleteId && (
+                <div className="fixed inset-0 z-[120] flex items-center justify-center bg-black/60 backdrop-blur-sm p-4 animate-in fade-in duration-200">
+                    <div className="bg-white dark:bg-gray-800 rounded-[32px] w-full max-w-md shadow-2xl overflow-hidden animate-in zoom-in-95 duration-200 border dark:border-gray-700">
+                        <div className="p-8 text-center">
+                            <div className="w-20 h-20 bg-red-50 dark:bg-red-900/20 rounded-full flex items-center justify-center mx-auto mb-6 text-3xl">
+                                🔥
+                            </div>
+                            <h3 className="text-xl font-black text-gray-900 dark:text-white uppercase tracking-tight mb-2">Decomission Skill?</h3>
+                            <p className="text-sm text-gray-500 dark:text-gray-400 mb-8 italic">
+                                Are you certain you wish to purge this capability? This action is irreversible.
+                            </p>
+                            <div className="flex gap-4">
+                                <button
+                                    onClick={() => setConfirmDeleteId(null)}
+                                    className="flex-1 py-4 text-xs font-black uppercase tracking-widest text-gray-500 hover:text-gray-700 dark:hover:text-white transition-colors"
+                                >
+                                    Cancel
+                                </button>
+                                <button
+                                    onClick={confirmDelete}
+                                    className="flex-1 py-4 text-xs font-black uppercase tracking-widest text-white bg-red-600 hover:bg-red-700 rounded-2xl transition-all shadow-xl shadow-red-600/20 active:scale-95"
+                                >
+                                    Confirm
+                                </button>
+                            </div>
+                        </div>
+                    </div>
+                </div>
+            )}
         </div>
     );
 }
diff --git a/frontend/src/features/skills/pages/SkillsPage.js b/frontend/src/features/skills/pages/SkillsPage.js
index 5227abb..0a61314 100644
--- a/frontend/src/features/skills/pages/SkillsPage.js
+++ b/frontend/src/features/skills/pages/SkillsPage.js
@@ -11,6 +11,8 @@
     const [showSystemSkills, setShowSystemSkills] = useState(false);
     const [viewingDoc, setViewingDoc] = useState(null);
     const [showRawDoc, setShowRawDoc] = useState(false);
+    const [errorModalMessage, setErrorModalMessage] = useState(null);
+    const [confirmDeleteId, setConfirmDeleteId] = useState(null);
 
     const [isModalOpen, setIsModalOpen] = useState(false);
     const [editingSkill, setEditingSkill] = useState(null);
@@ -133,7 +135,7 @@
             try {
                 configObj = JSON.parse(formData.config);
             } catch (e) {
-                alert("Invalid JSON in config");
+                setErrorModalMessage("Invalid JSON in config. Please verify your syntax.");
                 return;
             }
 
@@ -150,17 +152,23 @@
             closeModal();
             fetchSkills();
         } catch (err) {
-            alert("Error saving skill");
+            setErrorModalMessage("Error saving skill. Please check your permissions and try again.");
         }
     };
 
-    const handleDelete = async (id) => {
-        if (!window.confirm("Are you sure you want to delete this skill?")) return;
+    const handleDelete = (id) => {
+        setConfirmDeleteId(id);
+    };
+
+    const confirmDelete = async () => {
+        if (!confirmDeleteId) return;
         try {
-            await deleteSkill(id);
+            await deleteSkill(confirmDeleteId);
+            setConfirmDeleteId(null);
             fetchSkills();
         } catch (err) {
-            alert("Error deleting skill");
+            setErrorModalMessage("Error deleting skill. It might be in use or you may lack permissions.");
+            setConfirmDeleteId(null);
         }
     };
 
@@ -194,7 +202,12 @@
         formData,
         setFormData,
         showAdvanced,
-        setShowAdvanced
+        setShowAdvanced,
+        errorModalMessage,
+        setErrorModalMessage,
+        confirmDeleteId,
+        setConfirmDeleteId,
+        confirmDelete
     };
 
     return <SkillsPageContent context={context} />;
diff --git a/frontend/src/features/swarm/pages/SwarmControlPage.js b/frontend/src/features/swarm/pages/SwarmControlPage.js
index d317ae7..3923c83 100644
--- a/frontend/src/features/swarm/pages/SwarmControlPage.js
+++ b/frontend/src/features/swarm/pages/SwarmControlPage.js
@@ -5,7 +5,7 @@
 import {
   updateSession, getSessionNodeStatus, attachNodesToSession,
   detachNodeFromSession, getUserAccessibleNodes, getUserNodePreferences, nodeFsList,
-  clearSessionHistory
+  clearSessionHistory, getSystemStatus
 } from "../../../services/apiService";
 import {
   SwarmControlConsoleOverlay,
@@ -62,6 +62,7 @@
     handleSendChat,
     handleCancelChat,
     setShowErrorModal,
+    setErrorMessage,
     handleSwitchSession,
     sessionId,
     userConfigData,
@@ -83,7 +84,8 @@
       // Reload the page to refresh chat history from the server
       window.location.reload();
     } catch (e) {
-      alert(`Failed to clear history: ${e.message}`);
+      setErrorMessage(`Failed to clear history: ${e.message}`);
+      setShowErrorModal(true);
     } finally {
       setIsClearingHistory(false);
       setShowClearChatModal(false);
@@ -126,6 +128,20 @@
     return localStorage.getItem("swarm_auto_collapse") === "true";
   });
 
+  // Day 1 Swarm Control (Phase 3)
+  const [systemStatus, setSystemStatus] = useState(null);
+  useEffect(() => {
+    const fetchStatus = async () => {
+      try {
+        const status = await getSystemStatus();
+        setSystemStatus(status);
+      } catch (e) {
+        console.warn("Failed to fetch system status", e);
+      }
+    };
+    fetchStatus();
+  }, []);
+
   const toggleAutoCollapse = () => {
     const newState = !autoCollapse;
     setAutoCollapse(newState);
@@ -203,7 +219,8 @@
 
       await fetchNodeInfo();
     } catch (err) {
-      alert(`Sync Error: ${err.message}`);
+      setErrorMessage(`Sync Error: ${err.message}`);
+      setShowErrorModal(true);
     } finally {
       setIsInitiatingSync(false);
     }
@@ -366,25 +383,45 @@
 
       {/* Main content area */}
       <div className="flex-grow flex flex-col min-h-0 min-w-0 bg-transparent" ref={pageContainerRef}>
+        {/* Day 1 Security Banners */}
+        {systemStatus && !systemStatus.tls_enabled && (
+          <div className="bg-amber-600 text-white px-4 py-2 text-xs font-bold text-center flex items-center justify-center gap-2 shadow-md">
+            <svg className="w-4 h-4" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+              <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-3L13.732 4c-.77-1.333-2.694-1.333-3.464 0L3.34 16c-.77 1.333.192 3 1.732 3z" />
+            </svg>
+            INSECURE MODE: Mesh communication is currently running over unencrypted channels. Strictly for local/internal use only.
+          </div>
+        )}
+        {systemStatus && !systemStatus.external_endpoint && (
+          <div className="bg-indigo-600 text-white px-4 py-2 text-xs font-bold text-center flex items-center justify-center gap-2 shadow-md">
+            <svg className="w-4 h-4" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+              <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M13 16h-1v-4h-1m1-4h.01M21 12a9 9 0 11-18 0 9 9 0 0118 0z" />
+            </svg>
+            HOSTNAME CONFIGURATION: No external hostname detected. Remote nodes may fail to call back to this hub.
+          </div>
+        )}
+        
         <div className="px-6 md:px-16 lg:px-24 w-full h-full pt-12 flex flex-col min-h-0 min-w-0 mx-auto">
           {/* Main Layout Area */}
           <div className="flex flex-row h-full min-h-0 gap-4">
             {/* Chat Area & Console (Left Panel) */}
             <div className="flex flex-col h-full min-h-0 flex-grow min-w-0">
               <div className="flex-grow bg-white dark:bg-gray-800 rounded-xl rounded-b-none shadow-lg border border-gray-200 dark:border-gray-700 flex flex-col min-h-0 min-w-0 transition-all duration-300">
-              <h2 className="p-4 text-xl font-bold flex flex-col md:flex-row justify-between items-start md:items-center border-b border-gray-100 dark:border-gray-700 gap-4 md:gap-0">
+              <div className="p-4 flex flex-col md:flex-row justify-between items-start md:items-center border-b border-gray-100 dark:border-gray-700 gap-4 md:gap-0">
                 <div className="flex flex-wrap items-center gap-3 w-full md:w-auto">
                   <div className="p-2 bg-indigo-100 dark:bg-indigo-900/30 rounded-lg">
                     <svg className="w-6 h-6 text-indigo-600 dark:text-indigo-400" fill="none" stroke="currentColor" viewBox="0 0 24 24">
                       <path strokeLinecap="round" strokeLinejoin="round" strokeWidth="2" d="M10 20l4-16m4 4l4 4-4 4M6 16l-4-4 4-4" />
                     </svg>
                   </div>
-                  <div className="flex flex-col">
-                    <span className="text-lg">Swarm Control</span>
-                    <span className="text-[10px] text-gray-500 font-medium uppercase tracking-widest whitespace-nowrap">
-                      Mesh: {accessibleNodes.filter(n => n.last_status === 'online' || n.last_status === 'idle').length} Online / {accessibleNodes.length} Total
-                    </span>
-                  </div>
+                    <div className="flex flex-col">
+                      <h2 className="text-xl font-bold text-gray-900 dark:text-white">
+                        Swarm Control
+                      </h2>
+                      <span className="text-[10px] text-gray-500 dark:text-gray-400 font-medium uppercase tracking-widest whitespace-nowrap">
+                        Mesh: {accessibleNodes.filter(n => n.last_status === 'online' || n.last_status === 'idle').length} Online / {accessibleNodes.length} Total
+                      </span>
+                    </div>
 
                   {/* Nodes Indicator Bar (M3/M6) */}
                   <div className="flex items-center space-x-2 ml-0 md:ml-4 border-l-0 md:border-l pl-0 md:pl-4 dark:border-gray-700 h-10 overflow-visible">
@@ -443,7 +480,7 @@
                       <div className="flex items-center gap-1 border-l dark:border-gray-700 ml-2 pl-2">
                         <button
                           onClick={() => setShowConsole(!showConsole)}
-                          className={`p-1.5 rounded-lg transition-colors ${showConsole ? 'bg-indigo-100 text-indigo-600' : 'text-gray-400 hover:bg-gray-50'}`}
+                          className={`p-1.5 rounded-lg transition-colors ${showConsole ? 'bg-indigo-100 dark:bg-indigo-900/40 text-indigo-600 dark:text-indigo-400' : 'text-gray-400 hover:bg-gray-50 dark:hover:bg-gray-800'}`}
                           title="Toggle Execution Console"
                         >
                           <svg className="w-4 h-4" fill="none" viewBox="0 0 24 24" stroke="currentColor">
@@ -453,7 +490,7 @@
                         {workspaceId && (
                           <button
                             onClick={() => setShowFileExplorer(!showFileExplorer)}
-                            className={`p-1.5 rounded-lg transition-colors ${showFileExplorer ? 'bg-indigo-100 text-indigo-600' : 'text-gray-400 hover:bg-gray-50'}`}
+                            className={`p-1.5 rounded-lg transition-colors ${showFileExplorer ? 'bg-indigo-100 dark:bg-indigo-900/40 text-indigo-600 dark:text-indigo-400' : 'text-gray-400 hover:bg-gray-50 dark:hover:bg-gray-800'}`}
                             title="Toggle File Explorer"
                           >
                             <svg className="w-4 h-4" fill="none" viewBox="0 0 24 24" stroke="currentColor">
@@ -505,7 +542,7 @@
                     </div>
 
                     <div className="flex flex-col items-end hidden md:flex">
-                      <div className="text-[10px] font-bold text-gray-400 dark:text-gray-500 uppercase tracking-widest mb-1">
+                        <div className="text-[10px] font-bold text-gray-400 dark:text-gray-500 uppercase tracking-widest mb-1">
                         Token Usage
                       </div>
                       <div className="flex items-center gap-2">
@@ -515,7 +552,7 @@
                             style={{ width: `${Math.min(tokenUsage?.percentage || 0, 100)}%` }}
                           ></div>
                         </div>
-                        <span className={`text-xs font-mono font-bold ${tokenUsage?.percentage > 80 ? 'text-red-500' : 'text-gray-400'}`}>
+                        <span className={`text-xs font-mono font-bold ${tokenUsage?.percentage > 80 ? 'text-red-500' : 'text-gray-400 dark:text-gray-500'}`}>
                           {tokenUsage?.percentage || 0}%
                         </span>
                       </div>
@@ -541,7 +578,7 @@
                     + NEW
                   </button>
                 </div>
-              </h2>
+              </div>
 
               <div className="flex-grow flex flex-col min-h-0">
                 <ChatArea
@@ -665,7 +702,7 @@
             <div className="px-8 py-5 bg-gray-50 dark:bg-gray-800/50 border-t border-gray-100 dark:border-gray-700 flex justify-end gap-3">
               <button
                 onClick={() => setShowConfigModal(false)}
-                className="px-6 py-2.5 text-sm font-bold text-gray-500 hover:text-gray-800 transition-colors"
+                className="px-6 py-2.5 text-sm font-bold text-gray-500 hover:text-gray-800 dark:hover:text-gray-200 transition-colors"
               >
                 Cancel
               </button>
diff --git a/frontend/src/features/voice/components/VoiceControls.js b/frontend/src/features/voice/components/VoiceControls.js
index 984b079..c3e5736 100644
--- a/frontend/src/features/voice/components/VoiceControls.js
+++ b/frontend/src/features/voice/components/VoiceControls.js
@@ -23,7 +23,7 @@
       {/* Status indicator */}
       <div className="flex items-center gap-2">
         <div className={`w-2 h-2 rounded-full ${isRecording || isAutoListening ? 'bg-red-500 animate-pulse' : 'bg-gray-300 dark:bg-gray-600'}`}></div>
-        <div className="text-center text-xs font-bold text-gray-400 dark:text-gray-500 uppercase tracking-widest">
+        <div className="text-center text-xs font-bold text-gray-400 dark:text-gray-400 uppercase tracking-widest">
           {status || (isBusy ? "Thinking..." : "Ready")}
         </div>
       </div>
diff --git a/frontend/src/features/voice/pages/VoiceChatPage.js b/frontend/src/features/voice/pages/VoiceChatPage.js
index 4ae3ee9..201de72 100644
--- a/frontend/src/features/voice/pages/VoiceChatPage.js
+++ b/frontend/src/features/voice/pages/VoiceChatPage.js
@@ -90,8 +90,8 @@
                     </svg>
                   </div>
                   <div className="flex flex-col">
-                    <span className="text-lg">Voice Chat Assistant</span>
-                    <span className="text-[10px] text-gray-500 font-medium uppercase tracking-widest">Real-time Conversational AI</span>
+                    <span className="text-lg text-gray-900 dark:text-white">Voice Chat Assistant</span>
+                    <span className="text-[10px] text-gray-500 dark:text-gray-400 font-medium uppercase tracking-widest">Real-time Conversational AI</span>
                   </div>
                   {!isConfigured && (
                     <div className="group relative flex items-center">
@@ -115,7 +115,7 @@
                 </div>
                 <div className="flex items-center space-x-6">
                   <div className="flex flex-col items-end">
-                    <div className="text-[10px] font-bold text-gray-400 dark:text-gray-500 uppercase tracking-widest mb-1">
+                    <div className="text-[10px] font-bold text-gray-400 dark:text-gray-400 uppercase tracking-widest mb-1">
                       Token Usage
                     </div>
                     <div className="flex items-center gap-2">
@@ -125,7 +125,7 @@
                           style={{ width: `${Math.min(tokenUsage?.percentage || 0, 100)}%` }}
                         ></div>
                       </div>
-                      <span className={`text-xs font-mono font-bold ${tokenUsage?.percentage > 80 ? 'text-red-500' : 'text-gray-400'}`}>
+                      <span className={`text-xs font-mono font-bold ${tokenUsage?.percentage > 80 ? 'text-red-500' : 'text-gray-400 dark:text-gray-500'}`}>
                         {tokenUsage?.percentage || 0}%
                       </span>
                     </div>
@@ -253,7 +253,7 @@
             <div className="px-8 py-5 bg-gray-50 dark:bg-gray-800/50 border-t border-gray-100 dark:border-gray-700 flex justify-end gap-3">
               <button
                 onClick={() => setShowConfigModal(false)}
-                className="px-6 py-2.5 text-sm font-bold text-gray-500 hover:text-gray-800 transition-colors"
+                className="px-6 py-2.5 text-sm font-bold text-gray-500 hover:text-gray-800 dark:hover:text-gray-200 transition-colors"
               >
                 Cancel
               </button>
diff --git a/frontend/src/index.css b/frontend/src/index.css
index 90d92f8..dbdd91e 100644
--- a/frontend/src/index.css
+++ b/frontend/src/index.css
@@ -3,19 +3,23 @@
 @tailwind utilities;
 
 .markdown-preview h1 {
-    @apply text-xl font-bold mb-3 mt-4 text-gray-900 dark:text-white;
+    @apply text-xl font-bold mb-3 mt-4;
+    color: inherit;
 }
 
 .markdown-preview h2 {
-    @apply text-lg font-bold mb-2 mt-3 text-gray-900 dark:text-white;
+    @apply text-lg font-bold mb-2 mt-3;
+    color: inherit;
 }
 
 .markdown-preview h3 {
-    @apply text-base font-bold mb-1 mt-2 text-gray-800 dark:text-gray-100;
+    @apply text-base font-bold mb-1 mt-2;
+    color: inherit;
 }
 
 .markdown-preview p {
     @apply mb-2 leading-normal;
+    color: inherit;
 }
 
 .markdown-preview ul {
@@ -28,6 +32,7 @@
 
 .markdown-preview li {
     @apply mb-0.5 leading-normal;
+    color: inherit;
 }
 
 .markdown-preview code {
@@ -43,5 +48,42 @@
 }
 
 .markdown-preview strong {
-    @apply font-black text-gray-900 dark:text-white;
+    @apply font-black;
+    color: inherit;
+}
+
+@media (prefers-color-scheme: dark) {
+    .markdown-preview,
+    .markdown-preview p,
+    .markdown-preview li,
+    .markdown-preview span,
+    .markdown-preview h1,
+    .markdown-preview h2,
+    .markdown-preview h3,
+    .markdown-preview strong {
+        color: #f3f4f6 !important;
+    }
+
+    .markdown-preview h1,
+    .markdown-preview h2,
+    .markdown-preview strong {
+        color: #ffffff !important;
+    }
+}
+
+.dark .markdown-preview,
+.dark .markdown-preview p,
+.dark .markdown-preview li,
+.dark .markdown-preview span,
+.dark .markdown-preview h1,
+.dark .markdown-preview h2,
+.dark .markdown-preview h3,
+.dark .markdown-preview strong {
+    color: #f3f4f6 !important;
+}
+
+.dark .markdown-preview h1,
+.dark .markdown-preview h2,
+.dark .markdown-preview strong {
+    color: #ffffff !important;
 }
\ No newline at end of file
diff --git a/frontend/src/services/api/adminService.js b/frontend/src/services/api/adminService.js
new file mode 100644
index 0000000..287c7ae
--- /dev/null
+++ b/frontend/src/services/api/adminService.js
@@ -0,0 +1,203 @@
+import { fetchWithAuth, getUserId } from './apiClient';
+
+/**
+ * [ADMIN ONLY] Fetches all registered users.
+ */
+export const getAdminUsers = async () => {
+  return await fetchWithAuth('/users/admin/users');
+};
+
+/**
+ * [ADMIN ONLY] Updates a user's role.
+ */
+export const updateUserRole = async (targetUserId, role) => {
+  return await fetchWithAuth(`/users/admin/users/${targetUserId}/role`, {
+    method: "PUT",
+    body: { role }
+  });
+};
+
+/**
+ * [ADMIN ONLY] Assigns a user to a group.
+ */
+export const updateUserGroup = async (targetUserId, groupId) => {
+  return await fetchWithAuth(`/users/admin/users/${targetUserId}/group`, {
+    method: "PUT",
+    body: { group_id: groupId }
+  });
+};
+
+/**
+ * [ADMIN ONLY] Fetches all groups.
+ */
+export const getAdminGroups = async () => {
+  return await fetchWithAuth('/users/admin/groups');
+};
+
+/**
+ * [ADMIN ONLY] Creates a new group.
+ */
+export const createAdminGroup = async (groupData) => {
+  return await fetchWithAuth('/users/admin/groups', {
+    method: "POST",
+    body: groupData
+  });
+};
+
+/**
+ * [ADMIN ONLY] Updates a group.
+ */
+export const updateAdminGroup = async (groupId, groupData) => {
+  return await fetchWithAuth(`/users/admin/groups/${groupId}`, {
+    method: "PUT",
+    body: groupData
+  });
+};
+
+/**
+ * [ADMIN ONLY] Deletes a group.
+ */
+export const deleteAdminGroup = async (groupId) => {
+  return await fetchWithAuth(`/users/admin/groups/${groupId}`, {
+    method: "DELETE"
+  });
+};
+
+/**
+ * [ADMIN ONLY] Fetches global server configuration (OIDC, Swarm).
+ */
+export const getAdminConfig = async () => {
+  return await fetchWithAuth('/admin/config');
+};
+
+/**
+ * [ADMIN ONLY] Updates OIDC configuration.
+ */
+export const updateAdminOIDCConfig = async (config) => {
+  return await fetchWithAuth('/admin/config/oidc', {
+    method: "PUT",
+    body: config
+  });
+};
+
+/**
+ * [ADMIN ONLY] Updates Swarm configuration.
+ */
+export const updateAdminSwarmConfig = async (config) => {
+  return await fetchWithAuth('/admin/config/swarm', {
+    method: "PUT",
+    body: config
+  });
+};
+
+/**
+ * [ADMIN ONLY] Updates basic app configuration.
+ */
+export const updateAdminAppConfig = async (config) => {
+  return await fetchWithAuth('/admin/config/app', {
+    method: "PUT",
+    body: config
+  });
+};
+
+/**
+ * [ADMIN ONLY] Tests OIDC connectivity.
+ */
+export const testAdminOIDCConfig = async (config) => {
+  return await fetchWithAuth('/admin/config/oidc/test', {
+    method: "POST",
+    body: config
+  });
+};
+
+/**
+ * [ADMIN ONLY] Tests Swarm endpoint connectivity.
+ */
+export const testAdminSwarmConfig = async (config) => {
+  return await fetchWithAuth('/admin/config/swarm/test', {
+    method: "POST",
+    body: config
+  });
+};
+
+/**
+ * [ADMIN] Fetch all registered nodes.
+ */
+export const getAdminNodes = async () => {
+  const userId = getUserId();
+  return await fetchWithAuth(`/nodes/admin?admin_id=${userId}`);
+};
+
+/**
+ * [ADMIN] Register a new Agent Node.
+ */
+export const adminCreateNode = async (nodeData) => {
+  const userId = getUserId();
+  return await fetchWithAuth(`/nodes/admin?admin_id=${userId}`, {
+    method: "POST",
+    body: nodeData
+  });
+};
+
+/**
+ * [ADMIN] Update node metadata or skill toggles.
+ */
+export const adminUpdateNode = async (nodeId, updateData) => {
+  const userId = getUserId();
+  return await fetchWithAuth(`/nodes/admin/${nodeId}?admin_id=${userId}`, {
+    method: "PATCH",
+    body: updateData
+  });
+};
+
+/**
+ * [ADMIN] Deregister an Agent Node.
+ */
+export const adminDeleteNode = async (nodeId) => {
+  const adminId = getUserId();
+  return await fetchWithAuth(`/nodes/admin/${nodeId}?admin_id=${adminId}`, {
+    method: "DELETE"
+  });
+};
+
+/**
+ * [ADMIN] Grant a group access to a node.
+ */
+export const adminGrantNodeAccess = async (nodeId, grantData) => {
+  const userId = getUserId();
+  return await fetchWithAuth(`/nodes/admin/${nodeId}/access?admin_id=${userId}`, {
+    method: "POST",
+    body: grantData
+  });
+};
+
+/**
+ * [ADMIN] Revoke a group's access to a node.
+ */
+export const adminRevokeNodeAccess = async (nodeId, groupId) => {
+  const userId = getUserId();
+  return await fetchWithAuth(`/nodes/admin/${nodeId}/access/${groupId}?admin_id=${userId}`, {
+    method: "DELETE"
+  });
+};
+
+/**
+ * [ADMIN] Download the pre-configured Agent Node bundle (ZIP).
+ */
+export const adminDownloadNodeBundle = async (nodeId) => {
+  const userId = getUserId();
+  try {
+    const url = `/nodes/admin/${nodeId}/download?admin_id=${userId}`;
+    const response = await fetchWithAuth(url, { method: "GET", raw: true });
+    const blob = await response.blob();
+    const downloadUrl = window.URL.createObjectURL(blob);
+    const link = document.createElement('a');
+    link.href = downloadUrl;
+    link.setAttribute('download', `cortex-node-${nodeId}.zip`);
+    document.body.appendChild(link);
+    link.click();
+    link.remove();
+  } catch (e) {
+    throw new Error(`Failed to download node bundle: ${e.message}`);
+  }
+};
diff --git a/frontend/src/services/api/aiService.js b/frontend/src/services/api/aiService.js
new file mode 100644
index 0000000..3450f87
--- /dev/null
+++ b/frontend/src/services/api/aiService.js
@@ -0,0 +1,201 @@
+import { fetchWithAuth, API_BASE_URL, getUserId } from './apiClient';
+import { convertPcmToFloat32 } from "../audioUtils";
+
+/**
+ * Sends an audio blob to the STT endpoint for transcription.
+ */
+export const transcribeAudio = async (audioBlob, providerName = null) => {
+  const formData = new FormData();
+  formData.append("audio_file", audioBlob, "audio.wav");
+
+  const url = providerName 
+    ? `/stt/transcribe?provider_name=${encodeURIComponent(providerName)}` 
+    : '/stt/transcribe';
+
+  const result = await fetchWithAuth(url, {
+    method: "POST",
+    body: formData
+  });
+  return result.transcript;
+};
+
+/**
+ * Sends a text prompt to the LLM endpoint and gets a streaming text response (SSE).
+ */
+export const chatWithAI = async (sessionId, prompt, providerName = "gemini", onMessage = null) => {
+  const userId = getUserId();
+  const response = await fetch(`${API_BASE_URL}/sessions/${sessionId}/chat`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json", "X-User-ID": userId },
+    body: JSON.stringify({ prompt: prompt, provider_name: providerName }),
+  });
+
+  if (!response.ok) {
+    let detail = "LLM API failed";
+    try {
+      const errBody = await response.json();
+      detail = errBody.detail || JSON.stringify(errBody);
+    } catch { }
+    throw new Error(detail);
+  }
+
+  // Handle Streaming Response
+  const reader = response.body.getReader();
+  const decoder = new TextDecoder();
+  let accumulatedBuffer = "";
+
+  // Track final result for backward compatibility
+  let fullAnswer = "";
+  let lastMessageId = null;
+  let finalProvider = providerName;
+
+  while (true) {
+    const { done, value } = await reader.read();
+    if (done) break;
+
+    accumulatedBuffer += decoder.decode(value, { stream: true });
+
+    const parts = accumulatedBuffer.split("\n\n");
+    accumulatedBuffer = parts.pop();
+
+    for (const part of parts) {
+      if (part.startsWith("data: ")) {
+        try {
+          const jsonStr = part.slice(6).trim();
+          if (jsonStr) {
+            const data = JSON.parse(jsonStr);
+
+            // Accumulate content and info
+            if (data.type === "content" && data.content) {
+              fullAnswer += data.content;
+            } else if (data.type === "finish") {
+              lastMessageId = data.message_id;
+              finalProvider = data.provider;
+            }
+
+            // Pass to streaming callback if provided
+            if (onMessage) onMessage(data);
+          }
+        } catch (e) {
+          console.warn("Failed to parse SSE line:", part, e);
+        }
+      }
+    }
+  }
+
+  // Return the full result as the standard API used to
+  return {
+    answer: fullAnswer,
+    message_id: lastMessageId,
+    provider_used: finalProvider
+  };
+};
+
+/**
+ * Streams speech from the TTS endpoint and processes each chunk.
+ */
+export const streamSpeech = async (text, onData, onDone, providerName = null) => {
+  const userId = getUserId();
+  try {
+    let url = `${API_BASE_URL}/speech?stream=true&as_wav=false`;
+    if (providerName) {
+      url += `&provider_name=${encodeURIComponent(providerName)}`;
+    }
+
+    const response = await fetch(url, {
+      method: "POST",
+      headers: { "Content-Type": "application/json", "X-User-ID": userId },
+      body: JSON.stringify({ text }),
+    }).catch(err => {
+      console.error("Fetch transport error:", err);
+      throw new Error(`Network transport failed: ${err.message}`);
+    });
+
+    if (!response.ok) {
+      let detail = `HTTP error! Status: ${response.status}`;
+      try {
+        const errBody = await response.json();
+        detail = errBody.detail || detail;
+      } catch { }
+      throw new Error(detail);
+    }
+
+    const totalChunks = parseInt(response.headers.get("X-TTS-Chunk-Count") || "0");
+    const reader = response.body.getReader();
+    let leftover = new Uint8Array(0);
+    let chunkIndex = 0;
+
+    try {
+      while (true) {
+        const { done, value: chunk } = await reader.read();
+        if (done) break;
+
+        let combined = new Uint8Array(leftover.length + chunk.length);
+        combined.set(leftover);
+        combined.set(chunk, leftover.length);
+
+        let length = combined.length;
+        if (length % 2 !== 0) length -= 1;
+
+        const toConvert = combined.slice(0, length);
+        leftover = combined.slice(length);
+        const float32Raw = convertPcmToFloat32(toConvert);
+
+        onData(float32Raw, totalChunks, ++chunkIndex);
+      }
+    } catch (readError) {
+      console.error("Error reading response body stream:", readError);
+      throw new Error(`Stream interrupted: ${readError.message}`);
+    }
+  } catch (error) {
+    console.error("Failed to stream speech:", error);
+    throw error;
+  } finally {
+    if (onDone) {
+      await Promise.resolve(onDone());
+    }
+  }
+};
+
+/**
+ * Verify a provider configuration
+ */
+export const verifyProvider = async (section, payload) => {
+  return await fetchWithAuth(`/users/me/config/verify_${section}`, {
+    method: "POST",
+    body: payload
+  });
+};
+
+/**
+ * Fetches available models for a provider.
+ */
+export const getProviderModels = async (providerName, section = "llm") => {
+  const params = new URLSearchParams({ provider_name: providerName, section: section });
+  return await fetchWithAuth(`/users/me/config/models?${params.toString()}`);
+};
+
+/**
+ * Fetches all underlying providers.
+ */
+export const getAllProviders = async (section = "llm") => {
+  const params = new URLSearchParams({ section: section });
+  return await fetchWithAuth(`/users/me/config/providers?${params.toString()}`);
+};
+
+/**
+ * Fetches available TTS voice names.
+ */
+export const getVoices = async (provider = null, apiKey = null) => {
+  try {
+    const urlParams = new URLSearchParams();
+    if (provider) urlParams.append('provider', provider);
+    if (apiKey && apiKey !== 'null') urlParams.append('api_key', apiKey);
+
+    const url = `/speech/voices?${urlParams.toString()}`;
+    return await fetchWithAuth(url, { method: 'GET' });
+  } catch (e) {
+    console.error("Failed to fetch voices", e);
+    return [];
+  }
+};
diff --git a/frontend/src/services/api/apiClient.js b/frontend/src/services/api/apiClient.js
new file mode 100644
index 0000000..eeea608
--- /dev/null
+++ b/frontend/src/services/api/apiClient.js
@@ -0,0 +1,52 @@
+export const API_BASE_URL = process.env.REACT_APP_API_BASE_URL || "http://localhost:8001";
+
+/**
+ * A central utility function to get the user ID.
+ * If not found, it redirects to the login page.
+ * @returns {string} The user ID.
+ */
+export const getUserId = () => {
+  const userId = localStorage.getItem('userId');
+  if (!userId) {
+    console.error("User not authenticated. Redirecting to login.");
+    // Redirect to the login page
+    window.location.href = '/';
+  }
+  return userId;
+};
+
+/**
+ * Base fetch utility with common headers and error handling.
+ */
+export const fetchWithAuth = async (endpoint, options = {}) => {
+  const userId = options.anonymous ? 'anonymous' : getUserId();
+  
+  const headers = {
+    "X-User-ID": userId,
+    ...options.headers,
+  };
+
+  if (options.json !== false && options.body && !(options.body instanceof FormData)) {
+    headers["Content-Type"] = "application/json";
+    options.body = JSON.stringify(options.body);
+  }
+
+  const url = endpoint.startsWith('http') ? endpoint : `${API_BASE_URL}${endpoint}`;
+  
+  const response = await fetch(url, {
+    ...options,
+    headers,
+  });
+
+  if (!response.ok) {
+    let detail = `API error (${response.status})`;
+    try {
+      const errBody = await response.json();
+      detail = errBody.detail || detail;
+    } catch { }
+    throw new Error(detail);
+  }
+
+  if (options.raw) return response;
+  return await response.json();
+};
diff --git a/frontend/src/services/api/nodeService.js b/frontend/src/services/api/nodeService.js
new file mode 100644
index 0000000..355f6b1
--- /dev/null
+++ b/frontend/src/services/api/nodeService.js
@@ -0,0 +1,163 @@
+import { fetchWithAuth, getUserId } from './apiClient';
+
+/**
+ * [USER] List nodes accessible to the current user's group.
+ */
+export const getUserAccessibleNodes = async () => {
+  const userId = getUserId();
+  return await fetchWithAuth(`/nodes/?user_id=${userId}`);
+};
+
+/**
+ * [USER] Fetch node preferences.
+ */
+export const getUserNodePreferences = async () => {
+  const userId = getUserId();
+  return await fetchWithAuth(`/nodes/preferences?user_id=${userId}`);
+};
+
+/**
+ * [USER] Update node preferences.
+ */
+export const updateUserNodePreferences = async (prefs) => {
+  const userId = getUserId();
+  return await fetchWithAuth(`/nodes/preferences?user_id=${userId}`, {
+    method: "PATCH",
+    body: prefs
+  });
+};
+
+/**
+ * [USER] Fetch sync status for all nodes attached to a session.
+ */
+export const getSessionNodeStatus = async (sessionId) => {
+  return await fetchWithAuth(`/sessions/${sessionId}/nodes`);
+};
+
+/**
+ * [USER] Attach more nodes to an active session.
+ */
+export const attachNodesToSession = async (sessionId, nodeIds, config = null) => {
+  return await fetchWithAuth(`/sessions/${sessionId}/nodes`, {
+    method: "POST",
+    body: { node_ids: nodeIds, config }
+  });
+};
+
+/**
+ * [USER] Detach a node from a session.
+ */
+export const detachNodeFromSession = async (sessionId, nodeId) => {
+  return await fetchWithAuth(`/sessions/${sessionId}/nodes/${nodeId}`, {
+    method: "DELETE"
+  });
+};
+
+/**
+ * [AI Observability] Fetch terminal history for a node.
+ */
+export const getNodeTerminalHistory = async (nodeId) => {
+  return await fetchWithAuth(`/nodes/${nodeId}/terminal`);
+};
+
+/**
+ * Dispatch a task to a node.
+ */
+export const dispatchNodeTask = async (nodeId, payload) => {
+  return await fetchWithAuth(`/nodes/${nodeId}/dispatch`, {
+    method: 'POST',
+    body: payload
+  });
+};
+
+/**
+ * Cancel a task on a node.
+ */
+export const cancelNodeTask = async (nodeId, taskId = "") => {
+  return await fetchWithAuth(`/nodes/${nodeId}/cancel?task_id=${taskId}`, {
+    method: 'POST'
+  });
+};
+
+/**
+ * WebSocket helper for live node streams.
+ */
+export const getNodeStreamUrl = (nodeId = null) => {
+  const { API_BASE_URL } = require('./apiClient');
+  // Convert http://... to ws://...
+  const wsBase = API_BASE_URL.replace(/^http/, 'ws');
+  if (nodeId) {
+    const userId = getUserId();
+    return `${wsBase}/nodes/${nodeId}/stream?user_id=${userId}`;
+  }
+  const userId = localStorage.getItem('userId');
+  return `${wsBase}/nodes/stream/all?user_id=${userId}`;
+};
+
+/**
+ * [FS] List directory contents on an agent node.
+ */
+export const nodeFsList = async (nodeId, path = ".", sessionId = null) => {
+  const params = new URLSearchParams({ path });
+  if (sessionId) params.append("session_id", sessionId);
+  return await fetchWithAuth(`/nodes/${nodeId}/fs/ls?${params.toString()}`);
+};
+
+/**
+ * [FS] Read file content from an agent node.
+ */
+export const nodeFsCat = async (nodeId, path, sessionId = null) => {
+  const params = new URLSearchParams({ path });
+  if (sessionId) params.append("session_id", sessionId);
+  return await fetchWithAuth(`/nodes/${nodeId}/fs/cat?${params.toString()}`);
+};
+
+/**
+ * [FS] Create or update a file or directory on an agent node.
+ */
+export const nodeFsTouch = async (nodeId, path, content = "", isDir = false, sessionId = null) => {
+  return await fetchWithAuth(`/nodes/${nodeId}/fs/touch`, {
+    method: "POST",
+    body: { path, content, is_dir: isDir, session_id: sessionId }
+  });
+};
+
+/**
+ * [FS] Upload a file to an agent node via multipart form.
+ */
+export const nodeFsUpload = async (nodeId, path, file, sessionId = null) => {
+  const formData = new FormData();
+  formData.append("file", file);
+  
+  const params = new URLSearchParams({ path });
+  if (sessionId) params.append("session_id", sessionId);
+
+  return await fetchWithAuth(`/nodes/${nodeId}/fs/upload?${params.toString()}`, {
+    method: "POST",
+    body: formData
+  });
+};
+
+/**
+ * [FS] Downloads a file as a blob.
+ */
+export const nodeFsDownloadBlob = async (nodeId, path, sessionId = null) => {
+  const params = new URLSearchParams({ path });
+  if (sessionId) params.append("session_id", sessionId);
+  
+  const response = await fetchWithAuth(`/nodes/${nodeId}/fs/download?${params.toString()}`, {
+    method: "GET",
+    raw: true
+  });
+  return await response.blob();
+};
+
+/**
+ * [FS] Delete a file or directory from an agent node.
+ */
+export const nodeFsRm = async (nodeId, path, sessionId = null) => {
+  return await fetchWithAuth(`/nodes/${nodeId}/fs/rm`, {
+    method: "POST",
+    body: { path, session_id: sessionId }
+  });
+};
diff --git a/frontend/src/services/api/ragService.js b/frontend/src/services/api/ragService.js
new file mode 100644
index 0000000..44ea79f
--- /dev/null
+++ b/frontend/src/services/api/ragService.js
@@ -0,0 +1,14 @@
+import { fetchWithAuth } from './apiClient';
+
+/**
+ * Upload a document to the RAG system.
+ */
+export const uploadDocument = async (file) => {
+  const formData = new FormData();
+  formData.append("file", file);
+
+  return await fetchWithAuth('/rag/documents', {
+    method: "POST",
+    body: formData
+  });
+};
diff --git a/frontend/src/services/api/sessionService.js b/frontend/src/services/api/sessionService.js
new file mode 100644
index 0000000..dd3d869
--- /dev/null
+++ b/frontend/src/services/api/sessionService.js
@@ -0,0 +1,123 @@
+import { fetchWithAuth, getUserId } from './apiClient';
+
+/**
+ * Creates a new chat session.
+ */
+export const createSession = async (featureName = "default", providerName = "deepseek", extraParams = {}) => {
+  const userId = getUserId();
+  return await fetchWithAuth('/sessions/', {
+    method: "POST",
+    body: {
+      user_id: userId,
+      feature_name: featureName,
+      provider_name: providerName,
+      ...extraParams
+    }
+  });
+};
+
+/**
+ * Fetches all sessions for a specific feature for the current user.
+ */
+export const getUserSessions = async (featureName = "default") => {
+  const userId = getUserId();
+  const params = new URLSearchParams({ user_id: userId, feature_name: featureName, _t: Date.now() });
+  return await fetchWithAuth(`/sessions/?${params.toString()}`);
+};
+
+/**
+ * Updates a session's metadata.
+ */
+export const updateSession = async (sessionId, payload) => {
+  return await fetchWithAuth(`/sessions/${sessionId}`, {
+    method: "PATCH",
+    body: payload
+  });
+};
+
+/**
+ * Gets a single chat session by ID.
+ */
+export const getSession = async (sessionId) => {
+  return await fetchWithAuth(`/sessions/${sessionId}`);
+};
+
+/**
+ * Deletes a single chat session by ID.
+ */
+export const deleteSession = async (sessionId) => {
+  return await fetchWithAuth(`/sessions/${sessionId}`, {
+    method: "DELETE"
+  });
+};
+
+/**
+ * Clears all chat messages for a session while preserving the session.
+ */
+export const clearSessionHistory = async (sessionId) => {
+  return await fetchWithAuth(`/sessions/${sessionId}/clear-history`, {
+    method: "POST"
+  });
+};
+
+/**
+ * Deletes all chat sessions for a given feature.
+ */
+export const deleteAllSessions = async (featureName = "default") => {
+  const userId = getUserId();
+  const params = new URLSearchParams({ user_id: userId, feature_name: featureName, _t: Date.now() });
+  return await fetchWithAuth(`/sessions/?${params.toString()}`, {
+    method: "DELETE"
+  });
+};
+
+/**
+ * Fetches the token usage status for a session.
+ */
+export const getSessionTokenStatus = async (sessionId) => {
+  return await fetchWithAuth(`/sessions/${sessionId}/tokens`);
+};
+
+/**
+ * Fetches the chat history for a session.
+ */
+export const getSessionMessages = async (sessionId) => {
+  return await fetchWithAuth(`/sessions/${sessionId}/messages`);
+};
+
+/**
+ * Requests cancellation of any running tasks for a specific session.
+ */
+export const cancelSession = async (sessionId) => {
+  return await fetchWithAuth(`/sessions/${sessionId}/cancel`, {
+    method: "POST"
+  });
+};
+
+/**
+ * Uploads an audio blob for a specific message.
+ */
+export const uploadMessageAudio = async (messageId, audioBlob) => {
+  const formData = new FormData();
+  formData.append("file", audioBlob, "audio.wav");
+
+  return await fetchWithAuth(`/sessions/messages/${messageId}/audio`, {
+    method: "POST",
+    body: formData
+  });
+};
+
+/**
+ * Fetches the audio for a specific message as a blob.
+ */
+export const fetchMessageAudio = async (messageId) => {
+  try {
+    const response = await fetchWithAuth(`/sessions/messages/${messageId}/audio`, {
+      method: "GET",
+      raw: true
+    });
+    return await response.blob();
+  } catch (e) {
+    return null; // Silent if no audio exists
+  }
+};
diff --git a/frontend/src/services/api/skillService.js b/frontend/src/services/api/skillService.js
new file mode 100644
index 0000000..473f0b7
--- /dev/null
+++ b/frontend/src/services/api/skillService.js
@@ -0,0 +1,37 @@
+import { fetchWithAuth } from './apiClient';
+
+/**
+ * Fetches all skills.
+ */
+export const getSkills = async () => {
+  return await fetchWithAuth('/skills/');
+};
+
+/**
+ * Creates a new skill.
+ */
+export const createSkill = async (skillData) => {
+  return await fetchWithAuth('/skills/', {
+    method: "POST",
+    body: skillData
+  });
+};
+
+/**
+ * Updates a skill.
+ */
+export const updateSkill = async (skillId, skillData) => {
+  return await fetchWithAuth(`/skills/${skillId}`, {
+    method: "PUT",
+    body: skillData
+  });
+};
+
+/**
+ * Deletes a skill.
+ */
+export const deleteSkill = async (skillId) => {
+  return await fetchWithAuth(`/skills/${skillId}`, {
+    method: "DELETE"
+  });
+};
diff --git a/frontend/src/services/api/systemService.js b/frontend/src/services/api/systemService.js
new file mode 100644
index 0000000..cbc493c
--- /dev/null
+++ b/frontend/src/services/api/systemService.js
@@ -0,0 +1,13 @@
+import { fetchWithAuth } from './apiClient';
+
+/**
+ * Fetches the system status.
+ */
+export const getSystemStatus = async () => {
+  try {
+    return await fetchWithAuth('/status', { anonymous: true });
+  } catch (error) {
+    console.error('getSystemStatus failed:', error);
+    throw error;
+  }
+};
diff --git a/frontend/src/services/api/userService.js b/frontend/src/services/api/userService.js
new file mode 100644
index 0000000..5032949
--- /dev/null
+++ b/frontend/src/services/api/userService.js
@@ -0,0 +1,108 @@
+import { fetchWithAuth, API_BASE_URL } from './apiClient';
+
+const USERS_LOGIN_ENDPOINT = `${API_BASE_URL}/users/login`;
+const USERS_LOGOUT_ENDPOINT = `${API_BASE_URL}/users/logout`;
+const USERS_ME_ENDPOINT = `${API_BASE_URL}/users/me`;
+
+/**
+ * Initiates the OIDC login flow.
+ */
+export const login = () => {
+  const frontendCallbackUri = window.location.origin;
+  const loginUrl = `${USERS_LOGIN_ENDPOINT}?frontend_callback_uri=${encodeURIComponent(frontendCallbackUri)}`;
+  window.location.href = loginUrl;
+};
+
+/**
+ * Performs local email/password login.
+ */
+export const loginLocal = async (email, password) => {
+  const response = await fetch(`${USERS_LOGIN_ENDPOINT}/local`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({ email, password }),
+  });
+  if (!response.ok) {
+    const err = await response.json().catch(() => ({ detail: "Login failed" }));
+    throw new Error(err.detail || `Login failed. Status: ${response.status}`);
+  }
+  return await response.json();
+};
+
+/**
+ * Fetches authentication configuration.
+ */
+export const getAuthConfig = async () => {
+  const response = await fetch(`${API_BASE_URL}/users/me`, {
+    method: "GET",
+    headers: { "X-User-ID": "anonymous" },
+  });
+  if (!response.ok) return { oidc_configured: false };
+  const data = await response.json();
+  return { oidc_configured: data.oidc_configured };
+};
+
+/**
+ * Fetches the current user's status.
+ */
+export const getUserStatus = async (userId) => {
+  return await fetchWithAuth('/users/me', { method: 'GET', headers: { 'X-User-ID': userId } });
+};
+
+/**
+ * Logs the current user out.
+ */
+export const logout = async () => {
+  return await fetchWithAuth('/users/logout', { method: 'POST' });
+};
+
+/**
+ * Fetches the user profile info.
+ */
+export const getUserProfile = async () => {
+  return await fetchWithAuth('/users/me/profile', { method: 'GET' });
+};
+
+/**
+ * Updates the user profile info.
+ */
+export const updateUserProfile = async (profileData) => {
+  return await fetchWithAuth('/users/me/profile', { 
+    method: 'PUT', 
+    body: profileData 
+  });
+};
+
+/**
+ * Fetches the current user's preferences.
+ */
+export const getUserConfig = async () => {
+  return await fetchWithAuth('/users/me/config');
+};
+
+/**
+ * Updates the current user's preferences.
+ */
+export const updateUserConfig = async (config) => {
+  return await fetchWithAuth('/users/me/config', { 
+    method: 'PUT', 
+    body: config 
+  });
+};
+
+/**
+ * Download the effective user configurations as YAML.
+ */
+export const exportUserConfig = async () => {
+  return await fetchWithAuth('/users/me/config/export', { method: 'GET', raw: true });
+};
+
+/**
+ * Import user configuration via multipart form.
+ */
+export const importUserConfig = async (formData) => {
+  return await fetchWithAuth('/users/me/config/import', { 
+    method: 'POST', 
+    body: formData 
+  });
+};
diff --git a/frontend/src/services/apiService.js b/frontend/src/services/apiService.js
index d10b3ec..347b89a 100644
--- a/frontend/src/services/apiService.js
+++ b/frontend/src/services/apiService.js
@@ -1,1216 +1,18 @@
-// This file handles all communication with your API endpoints.
-// It is designed to be stateless and does not use any React hooks.
-
-import { convertPcmToFloat32 } from "./audioUtils";
-
-// Read base API URL from environment variables, defaulting to localhost
-const API_BASE_URL = process.env.REACT_APP_API_BASE_URL || "http://localhost:8001";
-export { API_BASE_URL };
-const CHAT_ENDPOINT = `${API_BASE_URL}/chat`;
-const USER_CONFIG_ENDPOINT = `${API_BASE_URL}/users/me/config`;
-const STT_ENDPOINT = `${API_BASE_URL}/stt/transcribe`;
-const SESSIONS_CREATE_ENDPOINT = `${API_BASE_URL}/sessions/`;
-const SESSIONS_CHAT_ENDPOINT = (id) => `${API_BASE_URL}/sessions/${id}/chat`;
-const SESSIONS_TOKEN_ENDPOINT = (id) => `${API_BASE_URL}/sessions/${id}/tokens`;
-const SESSIONS_MESSAGES_ENDPOINT = (id) => `${API_BASE_URL}/sessions/${id}/messages`;
-const SESSIONS_BASE_ENDPOINT = (id) => `${API_BASE_URL}/sessions/${id}`;
-const SESSIONS_MESSAGE_AUDIO_ENDPOINT = (id) => `${API_BASE_URL}/sessions/messages/${id}/audio`;
-const TTS_ENDPOINT = `${API_BASE_URL}/speech`;
-const USERS_LOGIN_ENDPOINT = `${API_BASE_URL}/users/login`;
-const USERS_LOGOUT_ENDPOINT = `${API_BASE_URL}/users/logout`;
-const USERS_ME_ENDPOINT = `${API_BASE_URL}/users/me`;
-
 /**
- * A central utility function to get the user ID.
- * If not found, it redirects to the login page.
- * @returns {string} The user ID.
+ * apiService.js - Entry point for all API services.
+ * This file re-exports all modular services for backward compatibility
+ * while encouraging a more organized structure in 'services/api/'.
  */
-const getUserId = () => {
-  const userId = localStorage.getItem('userId');
-  if (!userId) {
-    console.error("User not authenticated. Redirecting to login.");
-    // Redirect to the login page
-    window.location.href = '/';
-  }
-  return userId;
-};
 
-/**
- * Initiates the OIDC login flow by redirecting the user to the login endpoint.
- * This function now sends the frontend's URI to the backend so the backend
- * knows where to redirect the user after a successful login with the OIDC provider.
- */
-export const login = () => {
-  // Pass the current frontend origin to the backend's login endpoint.
-  // The backend will use this as the `state` parameter for the OIDC provider.
-  const frontendCallbackUri = window.location.origin;
-  const loginUrl = `${USERS_LOGIN_ENDPOINT}?frontend_callback_uri=${encodeURIComponent(frontendCallbackUri)}`;
-  window.location.href = loginUrl;
-};
+// Central Client & Constants
+export * from './api/apiClient';
 
-/**
- * Fetches the current user's status from the backend.
- * @param {string} userId - The unique ID of the current user.
- * @returns {Promise<Object>} The user status object from the API response.
- */
-export const getUserStatus = async (userId) => {
-  // The backend uses the 'X-User-ID' header to identify the user.
-  const response = await fetch(USERS_ME_ENDPOINT, {
-    method: "GET",
-    headers: {
-      "X-User-ID": userId,
-    },
-  });
-  if (!response.ok) {
-    throw new Error(`Failed to get user status. Status: ${response.status}`);
-  }
-  return await response.json();
-};
-
-/**
- * Logs the current user out.
- * @returns {Promise<Object>} The logout message from the API response.
- */
-export const logout = async () => {
-  const response = await fetch(USERS_LOGOUT_ENDPOINT, {
-    method: "POST",
-  });
-  if (!response.ok) {
-    throw new Error(`Failed to log out. Status: ${response.status}`);
-  }
-  return await response.json();
-};
-
-
-// --- Updated Existing Functions ---
-
-const SESSIONS_GET_ALL_ENDPOINT = `${API_BASE_URL}/sessions/`;
-const SESSIONS_DELETE_ENDPOINT = (id) => `${API_BASE_URL}/sessions/${id}`;
-
-/**
- * Creates a new chat session.
- * @param {string} featureName - The namespace for isolated feature tracking.
- * @param {string} providerName - The initial LLM provider for the session.
- * @returns {Promise<Object>} The session object from the API response.
- */
-export const createSession = async (featureName = "default", providerName = "deepseek", extraParams = {}) => {
-  const userId = getUserId();
-  const response = await fetch(SESSIONS_CREATE_ENDPOINT, {
-    method: "POST",
-    headers: { "Content-Type": "application/json", "X-User-ID": userId },
-    body: JSON.stringify({
-      user_id: userId,
-      feature_name: featureName,
-      provider_name: providerName,
-      ...extraParams
-    }),
-  });
-  if (!response.ok) {
-    throw new Error(`Failed to create session. Status: ${response.status}`);
-  }
-  return await response.json();
-};
-
-/**
- * Fetches all sessions for a specific feature for the current user.
- * @param {string} featureName - The namespace for isolated feature tracking.
- * @returns {Promise<Array>} The sessions list from the API response.
- */
-export const getUserSessions = async (featureName = "default") => {
-  const userId = getUserId();
-  const params = new URLSearchParams({ user_id: userId, feature_name: featureName, _t: Date.now() });
-  const response = await fetch(`${SESSIONS_GET_ALL_ENDPOINT}?${params.toString()}`, {
-    method: "GET",
-    headers: { "X-User-ID": userId },
-  });
-  if (!response.ok) {
-    throw new Error(`Failed to fetch sessions. Status: ${response.status}`);
-  }
-  return await response.json();
-};
-
-/**
- * Updates a session's metadata.
- * @param {string} sessionId
- * @param {object} payload - { title, provider_name }
- */
-export const updateSession = async (sessionId, payload) => {
-  const userId = getUserId();
-  const response = await fetch(SESSIONS_BASE_ENDPOINT(sessionId), {
-    method: "PATCH",
-    headers: {
-      "Content-Type": "application/json",
-      "X-User-ID": userId,
-    },
-    body: JSON.stringify(payload),
-  });
-  if (!response.ok) {
-    throw new Error(`Failed to update session. Status: ${response.status}`);
-  }
-  return await response.json();
-};
-
-/**
- * Clears all chat messages for a session while preserving the session
- * (node attachments, workspace ID, sync config all remain intact).
- * @param {number} sessionId
- */
-export const clearSessionHistory = async (sessionId) => {
-  const userId = getUserId();
-  const response = await fetch(`${SESSIONS_BASE_ENDPOINT(sessionId)}/clear-history`, {
-    method: "POST",
-    headers: { "X-User-ID": userId },
-  });
-  if (!response.ok) {
-    throw new Error(`Failed to clear history. Status: ${response.status}`);
-  }
-  return await response.json();
-};
-
-/**
- * Uploads an audio blob for a specific message.
- */
-export const uploadMessageAudio = async (messageId, audioBlob) => {
-  const userId = getUserId();
-  const formData = new FormData();
-  formData.append("file", audioBlob, "audio.wav");
-
-  const response = await fetch(SESSIONS_MESSAGE_AUDIO_ENDPOINT(messageId), {
-    method: "POST",
-    headers: { "X-User-ID": userId },
-    body: formData,
-  });
-  if (!response.ok) {
-    throw new Error(`Failed to upload audio. Status: ${response.status}`);
-  }
-  return await response.json();
-};
-
-/**
- * Fetches the audio for a specific message as a blob.
- */
-export const fetchMessageAudio = async (messageId) => {
-  const userId = getUserId();
-  const response = await fetch(SESSIONS_MESSAGE_AUDIO_ENDPOINT(messageId), {
-    method: "GET",
-    headers: { "X-User-ID": userId },
-  });
-  if (!response.ok) {
-    return null; // Silent if no audio exists
-  }
-  return await response.blob();
-};
-
-/**
- * Deletes a single chat session by ID.
- * @param {string} sessionId - The session ID to delete.
- */
-export const deleteSession = async (sessionId) => {
-  const userId = getUserId();
-  const response = await fetch(SESSIONS_DELETE_ENDPOINT(sessionId), {
-    method: "DELETE",
-    headers: { "X-User-ID": userId },
-  });
-  if (!response.ok) {
-    throw new Error(`Failed to delete session. Status: ${response.status}`);
-  }
-  return await response.json();
-};
-
-/**
- * Gets a single chat session by ID.
- * @param {string} sessionId - The session ID to fetch.
- */
-export const getSession = async (sessionId) => {
-  const userId = getUserId();
-  // We can reuse SESSIONS_DELETE_ENDPOINT generator since it creates the URL with the ID
-  const response = await fetch(SESSIONS_DELETE_ENDPOINT(sessionId), {
-    method: "GET",
-    headers: { "X-User-ID": userId },
-  });
-  if (!response.ok) {
-    throw new Error(`Failed to fetch session. Status: ${response.status}`);
-  }
-  return await response.json();
-};
-
-/**
- * Deletes all chat sessions for a given feature.
- * @param {string} featureName - The feature namespace to clear.
- */
-export const deleteAllSessions = async (featureName = "default") => {
-  const userId = getUserId();
-  const params = new URLSearchParams({ user_id: userId, feature_name: featureName, _t: Date.now() });
-  const response = await fetch(`${SESSIONS_GET_ALL_ENDPOINT}?${params.toString()}`, {
-    method: "DELETE",
-    headers: { "X-User-ID": userId },
-  });
-  if (!response.ok) {
-    throw new Error(`Failed to delete all sessions. Status: ${response.status}`);
-  }
-  return await response.json();
-};
-
-/**
- * Fetches the token usage status for a session.
- * @param {string} sessionId - The session ID to fetch tokens for.
- * @returns {Promise<Object>} The token usage object.
- */
-export const getSessionTokenStatus = async (sessionId) => {
-  const userId = getUserId();
-  const response = await fetch(SESSIONS_TOKEN_ENDPOINT(sessionId), {
-    method: "GET",
-    headers: { "X-User-ID": userId },
-  });
-  if (!response.ok) {
-    throw new Error(`Failed to fetch token status. Status: ${response.status}`);
-  }
-  return await response.json();
-};
-
-/**
- * Fetches the chat history for a session.
- * @param {string} sessionId - The session ID to fetch messages for.
- * @returns {Promise<Object>} The message history object.
- */
-export const getSessionMessages = async (sessionId) => {
-  const userId = getUserId();
-  const response = await fetch(SESSIONS_MESSAGES_ENDPOINT(sessionId), {
-    method: "GET",
-    headers: { "X-User-ID": userId },
-  });
-  if (!response.ok) {
-    throw new Error(`Failed to fetch session messages. Status: ${response.status}`);
-  }
-  return await response.json();
-};
-/**
- * Requests cancellation of any running tasks for a specific session.
- * @param {string} sessionId
- */
-export const cancelSession = async (sessionId) => {
-  const userId = getUserId();
-  const response = await fetch(`${API_BASE_URL}/sessions/${sessionId}/cancel`, {
-    method: "POST",
-    headers: { "X-User-ID": userId },
-  });
-  if (!response.ok) {
-    throw new Error(`Failed to cancel session. Status: ${response.status}`);
-  }
-  return await response.json();
-};
-
-// --- Unchanged Functions ---
-
-/**
- * Sends an audio blob to the STT endpoint for transcription.
- * @param {Blob} audioBlob - The recorded audio data.
- * @returns {Promise<string>} The transcribed text.
- */
-export const transcribeAudio = async (audioBlob, providerName = null) => {
-  const userId = getUserId();
-  const formData = new FormData();
-  formData.append("audio_file", audioBlob, "audio.wav");
-
-  let url = STT_ENDPOINT;
-  if (providerName) {
-    url += `?provider_name=${encodeURIComponent(providerName)}`;
-  }
-
-  const response = await fetch(url, {
-    method: "POST",
-    body: formData,
-    headers: { "X-User-ID": userId },
-  });
-  if (!response.ok) {
-    let detail = `STT API failed (${response.status})`;
-    try {
-      const errBody = await response.json();
-      detail = errBody.detail || detail;
-    } catch { }
-    throw new Error(detail);
-  }
-  const result = await response.json();
-  return result.transcript;
-};
-
-/**
- * Sends a text prompt to the LLM endpoint and gets a streaming text response (SSE).
- * @param {string} sessionId - The current chat session ID.
- * @param {string} prompt - The user's text prompt.
- * @param {string} providerName - AI model provider.
- * @param {function} onMessage - Callback for each event chunk {type, content}.
- */
-export const chatWithAI = async (sessionId, prompt, providerName = "gemini", onMessage = null) => {
-  const userId = getUserId();
-  const response = await fetch(SESSIONS_CHAT_ENDPOINT(sessionId), {
-    method: "POST",
-    headers: { "Content-Type": "application/json", "X-User-ID": userId },
-    body: JSON.stringify({ prompt: prompt, provider_name: providerName }),
-  });
-
-  if (!response.ok) {
-    let detail = "LLM API failed";
-    try {
-      const errBody = await response.json();
-      detail = errBody.detail || JSON.stringify(errBody);
-    } catch { }
-    throw new Error(detail);
-  }
-
-  // Handle Streaming Response
-  const reader = response.body.getReader();
-  const decoder = new TextDecoder();
-  let accumulatedBuffer = "";
-
-  // Track final result for backward compatibility
-  let fullAnswer = "";
-  let lastMessageId = null;
-  let finalProvider = providerName;
-
-  while (true) {
-    const { done, value } = await reader.read();
-    if (done) break;
-
-    accumulatedBuffer += decoder.decode(value, { stream: true });
-
-    const parts = accumulatedBuffer.split("\n\n");
-    accumulatedBuffer = parts.pop();
-
-    for (const part of parts) {
-      if (part.startsWith("data: ")) {
-        try {
-          const jsonStr = part.slice(6).trim();
-          if (jsonStr) {
-            const data = JSON.parse(jsonStr);
-
-            // Accumulate content and info
-            if (data.type === "content" && data.content) {
-              fullAnswer += data.content;
-            } else if (data.type === "finish") {
-              lastMessageId = data.message_id;
-              finalProvider = data.provider;
-            }
-
-            // Pass to streaming callback if provided
-            if (onMessage) onMessage(data);
-          }
-        } catch (e) {
-          console.warn("Failed to parse SSE line:", part, e);
-        }
-      }
-    }
-  }
-
-  // Return the full result as the standard API used to
-  return {
-    answer: fullAnswer,
-    message_id: lastMessageId,
-    provider_used: finalProvider
-  };
-};
-
-
-
-/**
- * Streams speech from the TTS endpoint and processes each chunk.
- * It uses a callback to pass the processed audio data back to the caller.
- * @param {string} text - The text to be synthesized.
- * @param {function(Float32Array, number, number): void} onData - Callback (data, totalChunks, currentChunkIndex).
- * @param {function(): void} onDone - Callback to execute when the stream is finished.
- * @returns {Promise<void>}
- */
-export const streamSpeech = async (text, onData, onDone, providerName = null) => {
-  const userId = getUserId();
-  try {
-    let url = `${TTS_ENDPOINT}?stream=true&as_wav=false`;
-    if (providerName) {
-      url += `&provider_name=${encodeURIComponent(providerName)}`;
-    }
-
-    const response = await fetch(url, {
-      method: "POST",
-      headers: { "Content-Type": "application/json", "X-User-ID": userId },
-      body: JSON.stringify({ text }),
-    }).catch(err => {
-      console.error("Fetch transport error:", err);
-      throw new Error(`Network transport failed: ${err.message}`);
-    });
-
-    if (!response.ok) {
-      let detail = `HTTP error! Status: ${response.status}`;
-      try {
-        const errBody = await response.json();
-        detail = errBody.detail || detail;
-      } catch { }
-      throw new Error(detail);
-    }
-
-    const totalChunks = parseInt(response.headers.get("X-TTS-Chunk-Count") || "0");
-    const reader = response.body.getReader();
-    let leftover = new Uint8Array(0);
-    let chunkIndex = 0;
-
-    try {
-      while (true) {
-        const { done, value: chunk } = await reader.read();
-        if (done) break;
-
-        let combined = new Uint8Array(leftover.length + chunk.length);
-        combined.set(leftover);
-        combined.set(chunk, leftover.length);
-
-        let length = combined.length;
-        if (length % 2 !== 0) length -= 1;
-
-        const toConvert = combined.slice(0, length);
-        leftover = combined.slice(length);
-        const float32Raw = convertPcmToFloat32(toConvert);
-
-        onData(float32Raw, totalChunks, ++chunkIndex);
-      }
-    } catch (readError) {
-      console.error("Error reading response body stream:", readError);
-      throw new Error(`Stream interrupted: ${readError.message}`);
-    }
-  } catch (error) {
-    console.error("Failed to stream speech:", error);
-    throw error;
-  } finally {
-    if (onDone) {
-      // await onDone to ensure persistent storage is finished before resolving
-      await Promise.resolve(onDone());
-    }
-  }
-};
-
-/**
- * Fetches the current user's preferences.
- * @returns {Promise<Object>} The user preferences object.
- */
-export const getUserConfig = async () => {
-  const userId = getUserId();
-  const response = await fetch(USER_CONFIG_ENDPOINT, {
-    headers: { "X-User-ID": userId },
-  });
-  if (!response.ok) {
-    throw new Error(`Failed to fetch user config. Status: ${response.status}`);
-  }
-  return await response.json();
-};
-
-/**
- * Updates the current user's preferences.
- * @param {Object} config The new configuration object.
- * @returns {Promise<Object>} The updated user preferences object.
- */
-export const updateUserConfig = async (config) => {
-  const userId = getUserId();
-  const response = await fetch(USER_CONFIG_ENDPOINT, {
-    method: "PUT",
-    headers: {
-      "X-User-ID": userId,
-      "Content-Type": "application/json",
-    },
-    body: JSON.stringify(config),
-  });
-  if (!response.ok) {
-    throw new Error(`Failed to update user config. Status: ${response.status}`);
-  }
-  return await response.json();
-};
-
-/**
- * Download the effective user configurations as YAML.
- * @returns {Promise<Response>} The raw API response to extract the file.
- */
-export const exportUserConfig = async () => {
-  const userId = getUserId();
-  const exportUrl = `${USER_CONFIG_ENDPOINT}/export`;
-  const response = await fetch(exportUrl, {
-    method: "GET",
-    headers: { "X-User-ID": userId },
-  });
-  if (!response.ok) {
-    throw new Error(`Failed to export config. Status: ${response.status}`);
-  }
-  return response;
-};
-
-/**
- * Download the effective user configurations as YAML.
- * @returns {Promise<Response>} The raw API response to extract the file.
- */
-export const uploadDocument = async (file) => {
-  const userId = getUserId();
-  const formData = new FormData();
-  formData.append("file", file);
-
-  const response = await fetch(`${API_BASE_URL}/rag/documents`, {
-    method: "POST",
-    headers: {
-      "X-User-ID": userId,
-    },
-    body: formData,
-  });
-
-  if (!response.ok) {
-    throw new Error(`Failed to upload document. Status: ${response.status}`);
-  }
-
-  return await response.json();
-};
-
-/**
- * Verify a provider configuration
- * @param {string} section - 'llm', 'tts', or 'stt'
- * @param {Object} payload - { provider_name, api_key, model, voice }
- */
-export const verifyProvider = async (section, payload) => {
-  const userId = getUserId();
-  const response = await fetch(`${API_BASE_URL}/users/me/config/verify_${section}`, {
-    method: "POST",
-    headers: {
-      "Content-Type": "application/json",
-      "X-User-ID": userId,
-    },
-    body: JSON.stringify(payload),
-  });
-  if (!response.ok) {
-    throw new Error(`Failed to verify provider. Status: ${response.status}`);
-  }
-  return await response.json();
-};
-
-export const getProviderModels = async (providerName, section = "llm") => {
-  const userId = getUserId();
-  const params = new URLSearchParams({ provider_name: providerName, section: section });
-  const response = await fetch(`${API_BASE_URL}/users/me/config/models?${params.toString()}`, {
-    method: "GET",
-    headers: {
-      "X-User-ID": userId,
-    },
-  });
-  if (!response.ok) {
-    throw new Error(`Failed to fetch models for ${providerName}`);
-  }
-  return await response.json();
-};
-
-export const getAllProviders = async (section = "llm") => {
-  const userId = getUserId();
-  const params = new URLSearchParams({ section: section });
-  const response = await fetch(`${API_BASE_URL}/users/me/config/providers?${params.toString()}`, {
-    method: "GET",
-    headers: {
-      "X-User-ID": userId,
-    },
-  });
-  if (!response.ok) {
-    throw new Error(`Failed to fetch underlying providers.`);
-  }
-  return await response.json();
-};
-
-/**
- * Fetches the user profile info.
- */
-export const getUserProfile = async () => {
-  const userId = getUserId();
-  const response = await fetch(`${API_BASE_URL}/users/me/profile`, {
-    method: "GET",
-    headers: { "X-User-ID": userId },
-  });
-  if (!response.ok) throw new Error("Failed to fetch user profile");
-  return await response.json();
-};
-
-/**
- * Updates the user profile info.
- */
-export const updateUserProfile = async (profileData) => {
-  const userId = getUserId();
-  const response = await fetch(`${API_BASE_URL}/users/me/profile`, {
-    method: "PUT",
-    headers: {
-      "Content-Type": "application/json",
-      "X-User-ID": userId,
-    },
-    body: JSON.stringify(profileData),
-  });
-  if (!response.ok) throw new Error("Failed to update user profile");
-  return await response.json();
-};
-
-/**
- * Fetches available TTS voice names.
- */
-export const getVoices = async (provider = null, apiKey = null) => {
-  try {
-    const userId = getUserId();
-    const urlParams = new URLSearchParams();
-    if (provider) urlParams.append('provider', provider);
-    if (apiKey && apiKey !== 'null') urlParams.append('api_key', apiKey);
-
-    const url = `${API_BASE_URL}/speech/voices?${urlParams.toString()}`;
-
-    const response = await fetch(url, {
-      method: 'GET',
-      headers: { 'X-User-ID': userId }
-    });
-    if (!response.ok) return [];
-    return await response.json();
-  } catch (e) {
-    console.error("Failed to fetch voices", e);
-    return [];
-  }
-};
-
-export const importUserConfig = async (formData) => {
-  const userId = getUserId();
-  const response = await fetch(`${API_BASE_URL}/users/me/config/import`, {
-    method: "POST",
-    headers: {
-      "X-User-ID": userId,
-    },
-    body: formData,
-  });
-  if (!response.ok) {
-    const errorData = await response.json().catch(() => ({}));
-    throw new Error(errorData.detail || `Failed to import configuration. Status: ${response.status}`);
-  }
-  return await response.json();
-};
-
-/**
- * [ADMIN ONLY] Fetches all registered users.
- */
-export const getAdminUsers = async () => {
-  const userId = getUserId();
-  const response = await fetch(`${API_BASE_URL}/users/admin/users`, {
-    method: "GET",
-    headers: { "X-User-ID": userId },
-  });
-  if (!response.ok) throw new Error("Failed to fetch admin user list");
-  return await response.json();
-};
-
-/**
- * [ADMIN ONLY] Updates a user's role.
- */
-export const updateUserRole = async (targetUserId, role) => {
-  const userId = getUserId();
-  const response = await fetch(`${API_BASE_URL}/users/admin/users/${targetUserId}/role`, {
-    method: "PUT",
-    headers: {
-      "Content-Type": "application/json",
-      "X-User-ID": userId,
-    },
-    body: JSON.stringify({ role }),
-  });
-  if (!response.ok) throw new Error("Failed to update user role");
-  return await response.json();
-};
-
-/**
- * [ADMIN ONLY] Assigns a user to a group.
- */
-export const updateUserGroup = async (targetUserId, groupId) => {
-  const userId = getUserId();
-  const response = await fetch(`${API_BASE_URL}/users/admin/users/${targetUserId}/group`, {
-    method: "PUT",
-    headers: {
-      "Content-Type": "application/json",
-      "X-User-ID": userId,
-    },
-    body: JSON.stringify({ group_id: groupId }),
-  });
-  if (!response.ok) throw new Error("Failed to update user group");
-  return await response.json();
-};
-
-/**
- * [ADMIN ONLY] Fetches all groups.
- */
-export const getAdminGroups = async () => {
-  const userId = getUserId();
-  const response = await fetch(`${API_BASE_URL}/users/admin/groups`, {
-    method: "GET",
-    headers: { "X-User-ID": userId },
-  });
-  if (!response.ok) throw new Error("Failed to fetch group list");
-  return await response.json();
-};
-
-/**
- * [ADMIN ONLY] Creates a new group.
- */
-export const createAdminGroup = async (groupData) => {
-  const userId = getUserId();
-  const response = await fetch(`${API_BASE_URL}/users/admin/groups`, {
-    method: "POST",
-    headers: {
-      "Content-Type": "application/json",
-      "X-User-ID": userId,
-    },
-    body: JSON.stringify(groupData),
-  });
-  if (!response.ok) {
-    const errData = await response.json().catch(() => ({}));
-    throw new Error(errData.detail || "Failed to create group");
-  }
-  return await response.json();
-};
-
-/**
- * [ADMIN ONLY] Updates a group.
- */
-export const updateAdminGroup = async (groupId, groupData) => {
-  const userId = getUserId();
-  const response = await fetch(`${API_BASE_URL}/users/admin/groups/${groupId}`, {
-    method: "PUT",
-    headers: {
-      "Content-Type": "application/json",
-      "X-User-ID": userId,
-    },
-    body: JSON.stringify(groupData),
-  });
-  if (!response.ok) {
-    const errData = await response.json().catch(() => ({}));
-    throw new Error(errData.detail || "Failed to update group");
-  }
-  return await response.json();
-};
-
-/**
- * [ADMIN ONLY] Deletes a group.
- */
-export const deleteAdminGroup = async (groupId) => {
-  const userId = getUserId();
-  const response = await fetch(`${API_BASE_URL}/users/admin/groups/${groupId}`, {
-    method: "DELETE",
-    headers: { "X-User-ID": userId },
-  });
-  if (!response.ok) throw new Error("Failed to delete group");
-  return await response.json();
-};
-
-// --- Agent Node APIs ---
-
-const NODES_BASE_ENDPOINT = `${API_BASE_URL}/nodes`;
-
-/**
- * [ADMIN] Fetch all registered nodes with full detail (tokens, config).
- */
-export const getAdminNodes = async () => {
-  const userId = getUserId();
-  const response = await fetch(`${NODES_BASE_ENDPOINT}/admin?admin_id=${userId}`, {
-    method: "GET",
-    headers: { "X-User-ID": userId },
-  });
-  if (!response.ok) throw new Error("Failed to fetch admin node list");
-  return await response.json();
-};
-
-/**
- * [ADMIN] Register a new Agent Node.
- */
-export const adminCreateNode = async (nodeData) => {
-  const userId = getUserId();
-  const response = await fetch(`${NODES_BASE_ENDPOINT}/admin?admin_id=${userId}`, {
-    method: "POST",
-    headers: {
-      "Content-Type": "application/json",
-      "X-User-ID": userId,
-    },
-    body: JSON.stringify(nodeData),
-  });
-  if (!response.ok) {
-    const errData = await response.json().catch(() => ({}));
-    throw new Error(errData.detail || "Failed to create node registration");
-  }
-  return await response.json();
-};
-
-/**
- * [ADMIN] Update node metadata or skill toggles.
- */
-export const adminUpdateNode = async (nodeId, updateData) => {
-  const userId = getUserId();
-  const response = await fetch(`${NODES_BASE_ENDPOINT}/admin/${nodeId}?admin_id=${userId}`, {
-    method: "PATCH",
-    headers: {
-      "Content-Type": "application/json",
-      "X-User-ID": userId,
-    },
-    body: JSON.stringify(updateData),
-  });
-  if (!response.ok) throw new Error("Failed to update node configuration");
-  return await response.json();
-};
-
-/**
- * [ADMIN] Deregister an Agent Node.
- */
-export const adminDeleteNode = async (nodeId) => {
-  const adminId = getUserId();
-  const response = await fetch(`${NODES_BASE_ENDPOINT}/admin/${nodeId}?admin_id=${adminId}`, {
-    method: "DELETE",
-    headers: { "X-User-ID": adminId },
-  });
-  if (!response.ok) throw new Error("Failed to delete node");
-  return await response.json();
-};
-
-/**
- * [ADMIN] Grant a group access to a node.
- */
-export const adminGrantNodeAccess = async (nodeId, grantData) => {
-  const userId = getUserId();
-  const response = await fetch(`${NODES_BASE_ENDPOINT}/admin/${nodeId}/access?admin_id=${userId}`, {
-    method: "POST",
-    headers: {
-      "Content-Type": "application/json",
-      "X-User-ID": userId,
-    },
-    body: JSON.stringify(grantData),
-  });
-  if (!response.ok) throw new Error("Failed to grant node access");
-  return await response.json();
-};
-
-/**
- * [ADMIN] Revoke a group's access to a node.
- */
-export const adminRevokeNodeAccess = async (nodeId, groupId) => {
-  const userId = getUserId();
-  const response = await fetch(`${NODES_BASE_ENDPOINT}/admin/${nodeId}/access/${groupId}?admin_id=${userId}`, {
-    method: "DELETE",
-    headers: { "X-User-ID": userId },
-  });
-  if (!response.ok) throw new Error("Failed to revoke node access");
-  return await response.json();
-};
-
-/**
- * [ADMIN] Download the pre-configured Agent Node bundle (ZIP).
- */
-export const adminDownloadNodeBundle = async (nodeId) => {
-  const userId = getUserId();
-  const url = `${NODES_BASE_ENDPOINT}/admin/${nodeId}/download?admin_id=${userId}`;
-  const response = await fetch(url, {
-    method: "GET",
-    headers: { "X-User-ID": userId },
-  });
-  if (!response.ok) throw new Error("Failed to download node bundle");
-
-  // Handle binary download
-  const blob = await response.blob();
-  const downloadUrl = window.URL.createObjectURL(blob);
-  const link = document.createElement('a');
-  link.href = downloadUrl;
-  link.setAttribute('download', `cortex-node-${nodeId}.zip`);
-  document.body.appendChild(link);
-  link.click();
-  link.remove();
-};
-
-/**
- * [USER] List nodes accessible to the current user's group.
- */
-export const getUserAccessibleNodes = async () => {
-  const userId = getUserId();
-  const response = await fetch(`${NODES_BASE_ENDPOINT}/?user_id=${userId}`, {
-    method: "GET",
-    headers: { "X-User-ID": userId },
-  });
-  if (!response.ok) throw new Error("Failed to fetch accessible nodes");
-  return await response.json();
-};
-
-/**
- * [USER] Update node preferences (default nodes, sync data source).
- */
-export const updateUserNodePreferences = async (prefs) => {
-  const userId = getUserId();
-  const response = await fetch(`${NODES_BASE_ENDPOINT}/preferences?user_id=${userId}`, {
-    method: "PATCH",
-    headers: {
-      "Content-Type": "application/json",
-      "X-User-ID": userId,
-    },
-    body: JSON.stringify(prefs),
-  });
-  if (!response.ok) throw new Error("Failed to save node preferences");
-  return await response.json();
-};
-
-/**
- * [FS] List directory contents on an agent node.
- */
-export const nodeFsList = async (nodeId, path = ".", sessionId = null) => {
-  const userId = getUserId();
-  const params = new URLSearchParams({ path });
-  if (sessionId) params.append("session_id", sessionId);
-  const response = await fetch(`${NODES_BASE_ENDPOINT}/${nodeId}/fs/ls?${params.toString()}`, {
-    method: "GET",
-    headers: { "X-User-ID": userId },
-  });
-  if (!response.ok) {
-    let detail = "Failed to list directory";
-    try {
-      const errBody = await response.json();
-      detail = errBody.detail || detail;
-    } catch { }
-    throw new Error(detail);
-  }
-  return await response.json();
-};
-
-/**
- * [FS] Read file content from an agent node.
- */
-export const nodeFsCat = async (nodeId, path, sessionId = null) => {
-  const userId = getUserId();
-  const params = new URLSearchParams({ path });
-  if (sessionId) params.append("session_id", sessionId);
-  const response = await fetch(`${NODES_BASE_ENDPOINT}/${nodeId}/fs/cat?${params.toString()}`, {
-    method: "GET",
-    headers: { "X-User-ID": userId },
-  });
-  if (!response.ok) throw new Error("Failed to read file");
-  return await response.json();
-};
-
-/**
- * [FS] Create or update a file or directory on an agent node.
- */
-export const nodeFsTouch = async (nodeId, path, content = "", isDir = false, sessionId = null) => {
-  const userId = getUserId();
-  const response = await fetch(`${NODES_BASE_ENDPOINT}/${nodeId}/fs/touch`, {
-    method: "POST",
-    headers: {
-      "Content-Type": "application/json",
-      "X-User-ID": userId,
-    },
-    body: JSON.stringify({ path, content, is_dir: isDir, session_id: sessionId }),
-  });
-  if (!response.ok) throw new Error("Failed to create file/directory");
-  return await response.json();
-};
-
-/**
- * [FS] Upload a file to an agent node via multipart form.
- */
-export const nodeFsUpload = async (nodeId, path, file, sessionId = null) => {
-  const userId = getUserId();
-  const formData = new FormData();
-  formData.append("file", file);
-  
-  const params = new URLSearchParams({ path });
-  if (sessionId) params.append("session_id", sessionId);
-
-  const response = await fetch(`${NODES_BASE_ENDPOINT}/${nodeId}/fs/upload?${params.toString()}`, {
-    method: "POST",
-    headers: {
-      "X-User-ID": userId,
-    },
-    body: formData,
-  });
-  if (!response.ok) throw new Error("Failed to upload file");
-  return await response.json();
-};
-
-/**
- * [FS] Downloads a file as a blob (preserves headers).
- */
-export const nodeFsDownloadBlob = async (nodeId, path, sessionId = null) => {
-  const userId = getUserId();
-  const params = new URLSearchParams({ path });
-  if (sessionId) params.append("session_id", sessionId);
-  
-  const response = await fetch(`${NODES_BASE_ENDPOINT}/${nodeId}/fs/download?${params.toString()}`, {
-    method: "GET",
-    headers: { "X-User-ID": userId },
-  });
-  if (!response.ok) throw new Error("Failed to download file");
-  return await response.blob();
-};
-
-/**
- * [FS] Delete a file or directory from an agent node.
- */
-export const nodeFsRm = async (nodeId, path, sessionId = null) => {
-  const userId = getUserId();
-  const response = await fetch(`${NODES_BASE_ENDPOINT}/${nodeId}/fs/rm`, {
-    method: "POST",
-    headers: {
-      "Content-Type": "application/json",
-      "X-User-ID": userId,
-    },
-    body: JSON.stringify({ path, session_id: sessionId }),
-  });
-  if (!response.ok) throw new Error("Failed to delete file/directory");
-  return await response.json();
-};
-
-/**
- * [USER] Fetch node preferences.
- */
-export const getUserNodePreferences = async () => {
-  const userId = getUserId();
-  const response = await fetch(`${NODES_BASE_ENDPOINT}/preferences?user_id=${userId}`, {
-    method: "GET",
-    headers: { "X-User-ID": userId },
-  });
-  if (!response.ok) throw new Error("Failed to fetch node preferences");
-  return await response.json();
-};
-
-/**
- * [USER] Fetch sync status for all nodes attached to a session.
- */
-export const getSessionNodeStatus = async (sessionId) => {
-  const userId = getUserId();
-  const response = await fetch(`${API_BASE_URL}/sessions/${sessionId}/nodes`, {
-    method: "GET",
-    headers: { "X-User-ID": userId },
-  });
-  if (!response.ok) throw new Error("Failed to fetch session node status");
-  return await response.json();
-};
-
-/**
- * [USER] Attach more nodes to an active session.
- */
-export const attachNodesToSession = async (sessionId, nodeIds, config = null) => {
-  const userId = getUserId();
-  const response = await fetch(`${API_BASE_URL}/sessions/${sessionId}/nodes`, {
-    method: "POST",
-    headers: {
-      "Content-Type": "application/json",
-      "X-User-ID": userId,
-    },
-    body: JSON.stringify({ node_ids: nodeIds, config }),
-  });
-  if (!response.ok) throw new Error("Failed to attach nodes to session");
-  return await response.json();
-};
-
-/**
- * [USER] Detach a node from a session.
- */
-export const detachNodeFromSession = async (sessionId, nodeId) => {
-  const userId = getUserId();
-  const response = await fetch(`${API_BASE_URL}/sessions/${sessionId}/nodes/${nodeId}`, {
-    method: "DELETE",
-    headers: { "X-User-ID": userId },
-  });
-  if (!response.ok) throw new Error("Failed to detach node from session");
-  return await response.json();
-};
-
-/**
- * WebSocket helper for live node streams.
- */
-export const getNodeStreamUrl = (nodeId = null) => {
-  // Convert http://... to ws://...
-  const wsBase = API_BASE_URL.replace(/^http/, 'ws');
-  if (nodeId) {
-    const userId = getUserId();
-    return `${wsBase}/nodes/${nodeId}/stream?user_id=${userId}`;
-  }
-  const userId = localStorage.getItem('userId');
-  return `${wsBase}/nodes/stream/all?user_id=${userId}`;
-};
-
-/**
- * [AI Observability] Fetch terminal history for a node.
- */
-export const getNodeTerminalHistory = async (nodeId) => {
-  const userId = getUserId();
-  const response = await fetch(`${API_BASE_URL}/nodes/${nodeId}/terminal`, {
-    method: "GET",
-    headers: { "X-User-ID": userId },
-  });
-  if (!response.ok) throw new Error("Failed to fetch node terminal history");
-  return await response.json();
-};
-
-export const dispatchNodeTask = async (nodeId, payload) => {
-  const userId = getUserId();
-  const response = await fetch(`${API_BASE_URL}/nodes/${nodeId}/dispatch`, {
-    method: 'POST',
-    headers: {
-      'Content-Type': 'application/json',
-      'X-User-ID': userId,
-    },
-    body: JSON.stringify(payload),
-  });
-
-  if (!response.ok) {
-    const errorData = await response.json().catch(() => ({}));
-    throw new Error(errorData.detail || `Failed to dispatch task: ${response.statusText}`);
-  }
-
-  return await response.json();
-};
-
-export const cancelNodeTask = async (nodeId, taskId = "") => {
-  const userId = getUserId();
-  const response = await fetch(`${API_BASE_URL}/nodes/${nodeId}/cancel?task_id=${taskId}`, {
-    method: 'POST',
-    headers: {
-      'X-User-ID': userId,
-    }
-  });
-
-  if (!response.ok) {
-    throw new Error(`Failed to cancel task: ${response.statusText}`);
-  }
-
-  return await response.json();
-};
-
-// --- Skills API ---
-
-export const getSkills = async () => {
-  const userId = getUserId();
-  const response = await fetch(`${API_BASE_URL}/skills/`, {
-    headers: { "X-User-ID": userId },
-  });
-  if (!response.ok) throw new Error("Failed to fetch skills");
-  return await response.json();
-};
-
-export const createSkill = async (skillData) => {
-  const userId = getUserId();
-  const response = await fetch(`${API_BASE_URL}/skills/`, {
-    method: "POST",
-    headers: { "Content-Type": "application/json", "X-User-ID": userId },
-    body: JSON.stringify(skillData),
-  });
-  if (!response.ok) throw new Error("Failed to create skill");
-  return await response.json();
-};
-
-export const updateSkill = async (skillId, skillData) => {
-  const userId = getUserId();
-  const response = await fetch(`${API_BASE_URL}/skills/${skillId}`, {
-    method: "PUT",
-    headers: { "Content-Type": "application/json", "X-User-ID": userId },
-    body: JSON.stringify(skillData),
-  });
-  if (!response.ok) throw new Error("Failed to update skill");
-  return await response.json();
-};
-
-export const deleteSkill = async (skillId) => {
-  const userId = getUserId();
-  const response = await fetch(`${API_BASE_URL}/skills/${skillId}`, {
-    method: "DELETE",
-    headers: { "X-User-ID": userId },
-  });
-  if (!response.ok) throw new Error("Failed to delete skill");
-  return await response.json();
-};
+// Domain Services
+export * from './api/userService';
+export * from './api/sessionService';
+export * from './api/aiService';
+export * from './api/adminService';
+export * from './api/nodeService';
+export * from './api/skillService';
+export * from './api/ragService';
+export * from './api/systemService';
diff --git a/frontend/src/shared/components/SessionSidebar.css b/frontend/src/shared/components/SessionSidebar.css
index c7bc4a7..55d80aa 100644
--- a/frontend/src/shared/components/SessionSidebar.css
+++ b/frontend/src/shared/components/SessionSidebar.css
@@ -26,16 +26,14 @@
 }
 
 /* Dark-mode variant — triggered by Tailwind's .dark class on <html> */
-@media (prefers-color-scheme: dark) {
-    .session-sidebar {
-        background-color: rgb(31 41 55 / 0.98);
-        /* gray-800 */
-        border-right-color: rgb(55 65 81);
-        /* gray-700 */
-        color: #f3f4f6;
-        /* gray-100 */
-        box-shadow: 4px 0 20px rgb(0 0 0 / 0.4);
-    }
+.dark .session-sidebar {
+    background-color: rgb(31 41 55 / 0.98);
+    /* gray-800 */
+    border-right-color: rgb(55 65 81);
+    /* gray-700 */
+    color: #f3f4f6;
+    /* gray-100 */
+    box-shadow: 4px 0 20px rgb(0 0 0 / 0.4);
 }
 
 .session-sidebar.open {
@@ -71,10 +69,8 @@
     padding: 4px 2px;
 }
 
-@media (prefers-color-scheme: dark) {
-    .sidebar-toggle {
-        border-color: rgb(55 65 81);
-    }
+.dark .sidebar-toggle {
+    border-color: rgb(55 65 81);
 }
 
 .sidebar-toggle-arrow {
@@ -115,10 +111,8 @@
     border-bottom: 1px solid rgb(209 213 219);
 }
 
-@media (prefers-color-scheme: dark) {
-    .sidebar-header {
-        border-bottom-color: rgb(55 65 81);
-    }
+.dark .sidebar-header {
+    border-bottom-color: rgb(55 65 81);
 }
 
 .sidebar-header h3 {
@@ -184,12 +178,10 @@
     position: relative;
 }
 
-@media (prefers-color-scheme: dark) {
-    .sidebar-item {
-        background-color: rgb(55 65 81 / 0.6);
-        /* gray-700 */
-        border-color: rgb(75 85 99);
-    }
+.dark .sidebar-item {
+    background-color: rgb(55 65 81 / 0.6);
+    /* gray-700 */
+    border-color: rgb(75 85 99);
 }
 
 .sidebar-item:hover {
@@ -200,11 +192,9 @@
     box-shadow: 0 1px 4px rgb(99 102 241 / 0.12);
 }
 
-@media (prefers-color-scheme: dark) {
-    .sidebar-item:hover {
-        background-color: rgb(49 46 129 / 0.4);
-        border-color: #6366f1;
-    }
+.dark .sidebar-item:hover {
+    background-color: rgb(49 46 129 / 0.4);
+    border-color: #6366f1;
 }
 
 /* Active (current) session */
@@ -216,13 +206,11 @@
     border-left: 3px solid #6366f1;
 }
 
-@media (prefers-color-scheme: dark) {
-    .sidebar-item.active {
-        background-color: rgb(49 46 129 / 0.5);
-        border-color: #818cf8;
-        /* indigo-400 */
-        border-left-color: #818cf8;
-    }
+.dark .sidebar-item.active {
+    background-color: rgb(49 46 129 / 0.5);
+    border-color: #818cf8;
+    /* indigo-400 */
+    border-left-color: #818cf8;
 }
 
 /* ── Card body ───────────────────────────────────────────────────────── */
@@ -272,12 +260,10 @@
     border-radius: 3px;
 }
 
-@media (prefers-color-scheme: dark) {
-    .sidebar-item-provider {
-        background: rgb(49 46 129 / 0.5);
-        border-color: #6366f1;
-        color: #a5b4fc;
-    }
+.dark .sidebar-item-provider {
+    background: rgb(49 46 129 / 0.5);
+    border-color: #6366f1;
+    color: #a5b4fc;
 }
 
 /* ── Delete (×) button on each card ─────────────────────────────────── */
@@ -318,12 +304,10 @@
     background: #9ca3af;
 }
 
-@media (prefers-color-scheme: dark) {
-    .sidebar-list::-webkit-scrollbar-thumb {
-        background: #4b5563;
-    }
+.dark .sidebar-list::-webkit-scrollbar-thumb {
+    background: #4b5563;
+}
 
-    .sidebar-list::-webkit-scrollbar-thumb:hover {
-        background: #6b7280;
-    }
+.dark .sidebar-list::-webkit-scrollbar-thumb:hover {
+    background: #6b7280;
 }
\ No newline at end of file
diff --git a/frontend/src/shared/components/SessionSidebar.js b/frontend/src/shared/components/SessionSidebar.js
index 831e9ba..b3078ff 100644
--- a/frontend/src/shared/components/SessionSidebar.js
+++ b/frontend/src/shared/components/SessionSidebar.js
@@ -52,7 +52,14 @@
                         localStorage.removeItem(`sessionId_${featureName}`);
                         if (onNewSession) onNewSession();
                     }
-                } catch { alert('Failed to delete session.'); }
+                } catch { 
+                    setConfirmModal({ 
+                        isOpen: true, 
+                        title: 'Protocol Error', 
+                        message: 'Failed to purge session data from the nexus.', 
+                        onConfirm: () => {} 
+                    }); 
+                }
             }
         });
     };
@@ -68,7 +75,14 @@
                     await deleteAllSessions(featureName);
                     fetchSessions();
                     if (onNewSession) onNewSession();
-                } catch { alert('Failed to delete all sessions.'); }
+                } catch { 
+                    setConfirmModal({ 
+                        isOpen: true, 
+                        title: 'Protocol Error', 
+                        message: 'Failed to clear session history. System integrity may be compromised.', 
+                        onConfirm: () => {} 
+                    }); 
+                }
             }
         });
     };
@@ -178,15 +192,17 @@
                             >
                                 Cancel
                             </button>
-                            <button
-                                onClick={() => {
-                                    confirmModal.onConfirm();
-                                    setConfirmModal({ ...confirmModal, isOpen: false });
-                                }}
-                                className="flex-1 bg-red-600 text-white font-bold py-3 rounded-xl transition-all shadow-lg shadow-red-500/20 active:scale-95 underline-none"
-                            >
-                                Delete
-                            </button>
+                            {confirmModal.onConfirm && (
+                                <button
+                                    onClick={() => {
+                                        confirmModal.onConfirm();
+                                        setConfirmModal({ ...confirmModal, isOpen: false });
+                                    }}
+                                    className="flex-1 bg-red-600 text-white font-bold py-3 rounded-xl transition-all shadow-lg shadow-red-500/20 active:scale-95 underline-none"
+                                >
+                                    Delete
+                                </button>
+                            )}
                         </div>
                     </div>
                 </div>
diff --git a/frontend/tailwind.config.js b/frontend/tailwind.config.js
index 80695b1..da267f9 100644
--- a/frontend/tailwind.config.js
+++ b/frontend/tailwind.config.js
@@ -1,4 +1,5 @@
 module.exports = {
+    darkMode: 'class',
     content: [
       "./src/**/*.{js,jsx,ts,tsx}", // React files
       "./public/index.html"         // (optional, if using CRA)