fix(m7.1): correct middleware layer order so JwksState is visible

Axum applies layers outermost-first. With the previous ordering
(`Extension(jwks_state)` first, `require_jwt_auth` last), the JWT
middleware ran before the Extension layer attached `JwksState` to
the request, so `request.extensions().get::<JwksState>()` always
returned None and the middleware silently passed through every
request as if Keycloak weren't configured.

Verified end-to-end against the local CERTifAI Keycloak realm:
- no token / bad token -> 401
- active / trial -> 200 read, write reaches handler
- frozen -> 200 read, 402 on writes
- archived -> 410 on every method

The bug was invisible to the unit + integration tests because they
construct the layer stack manually; only the live wiring exhibited it.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

.cargo/audit.toml

@@ -0,0 +1,10 @@
+[advisories]
+ignore = [
+    # hickory-proto 0.25.x pulled in transitively via mongodb → hickory-resolver.
+    # MongoDB 3.x has not yet released with hickory-resolver 0.26.x, so we cannot
+    # upgrade past this without a mongodb release. Both are DNS-layer DoS vectors
+    # requiring a MITM/controlled DNS server against MongoDB's hostname resolution —
+    # not a realistic attack surface here. Revisit when mongodb bumps hickory.
+    "RUSTSEC-2026-0118", # NSEC3 loop, no fix available upstream
+    "RUSTSEC-2026-0119", # O(n²) name compression, fixed in hickory-proto >=0.26.1
+]

.gitea/workflows/ci.yml

@@ -145,13 +145,20 @@ jobs:
     needs: [detect-changes]
     if: needs.detect-changes.outputs.agent == 'true'
     container:
-      image: alpine:latest
+      image: docker:27-cli
     steps:
-      - name: Trigger Coolify deploy
+      - name: Build, push and trigger orca redeploy
         run: |
-          apk add --no-cache curl
+          apk add --no-cache git curl openssl
-          curl -sf "${{ secrets.COOLIFY_WEBHOOK_AGENT }}" \
+          git init && git remote add origin "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git"
-            -H "Authorization: Bearer ${{ secrets.COOLIFY_TOKEN }}"
+          git fetch --depth=1 origin "${GITHUB_SHA}" && git checkout FETCH_HEAD
+          IMAGE=registry.meghsakha.com/compliance-agent
+          echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login registry.meghsakha.com -u "${{ secrets.REGISTRY_USERNAME }}" --password-stdin
+          docker build -f Dockerfile.agent -t "$IMAGE:latest" -t "$IMAGE:${GITHUB_SHA}" .
+          docker push "$IMAGE:latest" && docker push "$IMAGE:${GITHUB_SHA}"
+          PAYLOAD=$(printf '{"ref":"refs/heads/main","repository":{"full_name":"sharang/compliance-scanner-agent"},"head_commit":{"id":"%s","message":"deploy agent"}}' "${GITHUB_SHA}")
+          SIG=$(printf '%s' "$PAYLOAD" | openssl dgst -sha256 -hmac "${{ secrets.ORCA_WEBHOOK_SECRET }}" | awk '{print $2}')
+          RESP=$(curl -fsS -w "\nHTTP %{http_code}" -X POST "http://46.225.100.82:6880/api/v1/webhooks/github" -H "Content-Type: application/json" -H "X-Hub-Signature-256: sha256=$SIG" -d "$PAYLOAD"); echo "$RESP"
 
   deploy-dashboard:
     name: Deploy Dashboard
@@ -159,13 +166,20 @@ jobs:
     needs: [detect-changes]
     if: needs.detect-changes.outputs.dashboard == 'true'
     container:
-      image: alpine:latest
+      image: docker:27-cli
     steps:
-      - name: Trigger Coolify deploy
+      - name: Build, push and trigger orca redeploy
         run: |
-          apk add --no-cache curl
+          apk add --no-cache git curl openssl
-          curl -sf "${{ secrets.COOLIFY_WEBHOOK_DASHBOARD }}" \
+          git init && git remote add origin "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git"
-            -H "Authorization: Bearer ${{ secrets.COOLIFY_TOKEN }}"
+          git fetch --depth=1 origin "${GITHUB_SHA}" && git checkout FETCH_HEAD
+          IMAGE=registry.meghsakha.com/compliance-dashboard
+          echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login registry.meghsakha.com -u "${{ secrets.REGISTRY_USERNAME }}" --password-stdin
+          docker build -f Dockerfile.dashboard -t "$IMAGE:latest" -t "$IMAGE:${GITHUB_SHA}" .
+          docker push "$IMAGE:latest" && docker push "$IMAGE:${GITHUB_SHA}"
+          PAYLOAD=$(printf '{"ref":"refs/heads/main","repository":{"full_name":"sharang/compliance-scanner-agent"},"head_commit":{"id":"%s","message":"deploy dashboard"}}' "${GITHUB_SHA}")
+          SIG=$(printf '%s' "$PAYLOAD" | openssl dgst -sha256 -hmac "${{ secrets.ORCA_WEBHOOK_SECRET }}" | awk '{print $2}')
+          RESP=$(curl -fsS -w "\nHTTP %{http_code}" -X POST "http://46.225.100.82:6880/api/v1/webhooks/github" -H "Content-Type: application/json" -H "X-Hub-Signature-256: sha256=$SIG" -d "$PAYLOAD"); echo "$RESP"
 
   deploy-docs:
     name: Deploy Docs
@@ -173,13 +187,20 @@ jobs:
     needs: [detect-changes]
     if: needs.detect-changes.outputs.docs == 'true'
     container:
-      image: alpine:latest
+      image: docker:27-cli
     steps:
-      - name: Trigger Coolify deploy
+      - name: Build, push and trigger orca redeploy
         run: |
-          apk add --no-cache curl
+          apk add --no-cache git curl openssl
-          curl -sf "${{ secrets.COOLIFY_WEBHOOK_DOCS }}" \
+          git init && git remote add origin "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git"
-            -H "Authorization: Bearer ${{ secrets.COOLIFY_TOKEN }}"
+          git fetch --depth=1 origin "${GITHUB_SHA}" && git checkout FETCH_HEAD
+          IMAGE=registry.meghsakha.com/compliance-docs
+          echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login registry.meghsakha.com -u "${{ secrets.REGISTRY_USERNAME }}" --password-stdin
+          docker build -f Dockerfile.docs -t "$IMAGE:latest" -t "$IMAGE:${GITHUB_SHA}" .
+          docker push "$IMAGE:latest" && docker push "$IMAGE:${GITHUB_SHA}"
+          PAYLOAD=$(printf '{"ref":"refs/heads/main","repository":{"full_name":"sharang/compliance-scanner-agent"},"head_commit":{"id":"%s","message":"deploy docs"}}' "${GITHUB_SHA}")
+          SIG=$(printf '%s' "$PAYLOAD" | openssl dgst -sha256 -hmac "${{ secrets.ORCA_WEBHOOK_SECRET }}" | awk '{print $2}')
+          RESP=$(curl -fsS -w "\nHTTP %{http_code}" -X POST "http://46.225.100.82:6880/api/v1/webhooks/github" -H "Content-Type: application/json" -H "X-Hub-Signature-256: sha256=$SIG" -d "$PAYLOAD"); echo "$RESP"
 
   deploy-mcp:
     name: Deploy MCP
@@ -187,10 +208,17 @@ jobs:
     needs: [detect-changes]
     if: needs.detect-changes.outputs.mcp == 'true'
     container:
-      image: alpine:latest
+      image: docker:27-cli
     steps:
-      - name: Trigger Coolify deploy
+      - name: Build, push and trigger orca redeploy
         run: |
-          apk add --no-cache curl
+          apk add --no-cache git curl openssl
-          curl -sf "${{ secrets.COOLIFY_WEBHOOK_MCP }}" \
+          git init && git remote add origin "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git"
-            -H "Authorization: Bearer ${{ secrets.COOLIFY_TOKEN }}"
+          git fetch --depth=1 origin "${GITHUB_SHA}" && git checkout FETCH_HEAD
+          IMAGE=registry.meghsakha.com/compliance-mcp
+          echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login registry.meghsakha.com -u "${{ secrets.REGISTRY_USERNAME }}" --password-stdin
+          docker build -f Dockerfile.mcp -t "$IMAGE:latest" -t "$IMAGE:${GITHUB_SHA}" .
+          docker push "$IMAGE:latest" && docker push "$IMAGE:${GITHUB_SHA}"
+          PAYLOAD=$(printf '{"ref":"refs/heads/main","repository":{"full_name":"sharang/compliance-scanner-agent"},"head_commit":{"id":"%s","message":"deploy mcp"}}' "${GITHUB_SHA}")
+          SIG=$(printf '%s' "$PAYLOAD" | openssl dgst -sha256 -hmac "${{ secrets.ORCA_WEBHOOK_SECRET }}" | awk '{print $2}')
+          RESP=$(curl -fsS -w "\nHTTP %{http_code}" -X POST "http://46.225.100.82:6880/api/v1/webhooks/github" -H "Content-Type: application/json" -H "X-Hub-Signature-256: sha256=$SIG" -d "$PAYLOAD"); echo "$RESP"

Cargo.lock

@@ -687,6 +687,7 @@ dependencies = [
  "tokio-cron-scheduler",
  "tokio-stream",
  "tokio-tungstenite 0.26.2",
+ "tower",
  "tower-http",
  "tracing",
  "tracing-subscriber",
@@ -3524,9 +3525,9 @@ checksum = "224484c5d09285a7b8cb0a0c117e847ebd14cb6e4470ecf68cdb89c503b0edb9"
 
 [[package]]
 name = "mongodb"
-version = "3.5.1"
+version = "3.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "803dd859e8afa084c255a8effd8000ff86f7c8076a50cd6d8c99e8f3496f75c2"
+checksum = "1ef2c933617431ad0246fb5b43c425ebdae18c7f7259c87de0726d93b0e7e91b"
 dependencies = [
  "base64",
  "bitflags",
@@ -3570,9 +3571,9 @@ dependencies = [
 
 [[package]]
 name = "mongodb-internal-macros"
-version = "3.5.1"
+version = "3.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a973ef3dd3dbc6f6e65bbdecfd9ec5e781b9e7493b0f369a7c62e35d8e5ae2c8"
+checksum = "9e5758dc828eb2d02ec30563cba365609d56ddd833190b192beaee2b475a7bb3"
 dependencies = [
  "macro_magic",
  "proc-macro2",
@@ -4699,9 +4700,9 @@ dependencies = [
 
 [[package]]
 name = "rustls-webpki"
-version = "0.103.10"
+version = "0.103.13"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "df33b2b81ac578cabaf06b89b0631153a3f416b0a886e8a7a1707fb51abbd1ef"
+checksum = "61c429a8649f110dddef65e2a5ad240f747e85f7758a6bccc7e5777bd33f756e"
 dependencies = [
  "ring",
  "rustls-pki-types",

Dockerfile.agent

@@ -33,9 +33,15 @@ RUN pip3 install --break-system-packages ruff
 
 COPY --from=builder /app/target/release/compliance-agent /usr/local/bin/compliance-agent
 
+# Copy documentation for the help chat assistant
+COPY --from=builder /app/README.md /app/README.md
+COPY --from=builder /app/docs /app/docs
+ENV HELP_DOCS_PATH=/app
+
 # Ensure SSH key directory exists
 RUN mkdir -p /data/compliance-scanner/ssh
 
 EXPOSE 3001 3002
 
 ENTRYPOINT ["compliance-agent"]
+

Dockerfile.dashboard

@@ -1,6 +1,6 @@
 FROM rust:1.94-bookworm AS builder
 
-RUN cargo install dioxus-cli --version 0.7.4
+RUN cargo install dioxus-cli --version 0.7.3 --locked
 
 ARG DOCS_URL=/docs
 
@@ -20,3 +20,4 @@ ENV IP=0.0.0.0
 EXPOSE 8080
 
 ENTRYPOINT ["./compliance-dashboard"]
+

Dockerfile.docs

@@ -12,3 +12,4 @@ RUN rm /etc/nginx/conf.d/default.conf
 COPY docs/nginx.conf /etc/nginx/conf.d/default.conf
 COPY --from=builder /app/.vitepress/dist /usr/share/nginx/html
 EXPOSE 80
+

Dockerfile.mcp

@@ -14,3 +14,4 @@ EXPOSE 8090
 ENV MCP_PORT=8090
 
 ENTRYPOINT ["compliance-mcp"]
+

compliance-agent/Cargo.toml

@@ -25,7 +25,7 @@ uuid = { workspace = true }
 secrecy = { workspace = true }
 regex = { workspace = true }
 axum = "0.8"
-tower-http = { version = "0.6", features = ["cors", "trace"] }
+tower-http = { version = "0.6", features = ["cors", "trace", "set-header"] }
 git2 = "0.20"
 octocrab = "0.44"
 tokio-cron-scheduler = "0.13"
@@ -52,4 +52,5 @@ mongodb = { workspace = true }
 uuid = { workspace = true }
 secrecy = { workspace = true }
 axum = "0.8"
+tower = { version = "0.5", features = ["util"] }
 tower-http = { version = "0.6", features = ["cors"] }

compliance-agent/src/agent.rs

@@ -35,11 +35,16 @@ impl ComplianceAgent {
             config.litellm_model.clone(),
             config.litellm_embed_model.clone(),
         ));
+        let http = reqwest::Client::builder()
+            .timeout(std::time::Duration::from_secs(30))
+            .connect_timeout(std::time::Duration::from_secs(10))
+            .build()
+            .unwrap_or_default();
         Self {
             config,
             db,
             llm,
-            http: reqwest::Client::new(),
+            http,
             session_streams: Arc::new(DashMap::new()),
             session_pause: Arc::new(DashMap::new()),
             session_semaphore: Arc::new(Semaphore::new(DEFAULT_MAX_CONCURRENT_SESSIONS)),

compliance-agent/src/api/auth_middleware.rs

@@ -1,10 +1,29 @@
+//! M7.1 — JWT validation + tenant context propagation.
+//!
+//! `require_jwt_auth` validates a Bearer JWT against Keycloak's JWKS and
+//! attaches a `TenantContext` to the request extensions. Downstream
+//! middleware (`require_tenant_status`) and Axum extractors (`TenantCtx`)
+//! read it from there.
+//!
+//! Skipped paths:
+//! * `/api/v1/health` — Kubernetes liveness; never authenticated.
+//!
+//! Failure modes:
+//! * No `JwksState` extension → pass-through (single-tenant dev mode).
+//! * Missing / malformed Bearer header → 401.
+//! * Signature / expiry invalid → 401.
+//! * Claims present but tenant_id missing → 401 (treated as a malformed
+//!   token; the realm must always issue tenant_id).
+
 use std::sync::Arc;
 
 use axum::{
     extract::Request,
+    http::Method,
     middleware::Next,
     response::{IntoResponse, Response},
 };
+use compliance_core::{OrgRole, TenantContext, TenantStatus};
 use jsonwebtoken::{decode, decode_header, jwk::JwkSet, DecodingKey, Validation};
 use reqwest::StatusCode;
 use serde::Deserialize;
@@ -17,20 +36,39 @@ pub struct JwksState {
     pub jwks_url: String,
 }
 
+/// Raw shape of the JWT payload — matches the breakpilot-dev realm's
+/// protocol-mapper output. Missing fields default to "" / empty so a
+/// realm that hasn't been fully wired yet still validates.
 #[derive(Debug, Deserialize)]
 struct Claims {
-    #[allow(dead_code)]
     sub: String,
+    #[serde(default)]
+    name: Option<String>,
+    #[serde(default)]
+    preferred_username: Option<String>,
+    #[serde(default)]
+    tenant_id: String,
+    #[serde(default)]
+    tenant_slug: String,
+    #[serde(default)]
+    org_roles: Vec<String>,
+    #[serde(default)]
+    products: Vec<String>,
+    #[serde(default)]
+    plan: String,
+    #[serde(default)]
+    tenant_status: Option<TenantStatus>,
 }
 
 const PUBLIC_ENDPOINTS: &[&str] = &["/api/v1/health"];
 
-/// Middleware that validates Bearer JWT tokens against Keycloak's JWKS.
+/// Middleware that validates Bearer JWT tokens against Keycloak's JWKS
+/// and attaches a `TenantContext` extension on success.
 ///
-/// Skips validation for health check endpoints.
+/// Skips validation for the health endpoint.
-/// If `JwksState` is not present as an extension (keycloak not configured),
+/// If `JwksState` is not present (Keycloak not configured), requests
-/// all requests pass through.
+/// pass through and downstream code must handle the missing context.
-pub async fn require_jwt_auth(request: Request, next: Next) -> Response {
+pub async fn require_jwt_auth(mut request: Request, next: Next) -> Response {
     let path = request.uri().path();
 
     if PUBLIC_ENDPOINTS.contains(&path) {
@@ -53,7 +91,10 @@ pub async fn require_jwt_auth(request: Request, next: Next) -> Response {
     };
 
     match validate_token(token, &jwks_state).await {
-        Ok(()) => next.run(request).await,
+        Ok(ctx) => {
+            request.extensions_mut().insert(ctx);
+            next.run(request).await
+        }
         Err(e) => {
             tracing::warn!("JWT validation failed: {e}");
             (StatusCode::UNAUTHORIZED, "Invalid token").into_response()
@@ -61,7 +102,47 @@ pub async fn require_jwt_auth(request: Request, next: Next) -> Response {
     }
 }
 
-async fn validate_token(token: &str, state: &JwksState) -> Result<(), String> {
+/// Middleware that enforces the M7.1 `tenant_status` contract.
+///
+/// * `Active` / `Trial` / `Demo` — pass through.
+/// * `Frozen` — read-only after cancel / non-payment. Writes return 402.
+/// * `Archived` — data-retention window closed. Every request returns 410.
+///
+/// Pass-through when no `TenantContext` is present (single-tenant dev or
+/// the upstream JWT middleware ran without `JwksState`).
+pub async fn require_tenant_status(request: Request, next: Next) -> Response {
+    let ctx = match request.extensions().get::<TenantContext>() {
+        Some(c) => c.clone(),
+        None => return next.run(request).await,
+    };
+
+    if ctx.status.is_archived() {
+        return (
+            StatusCode::GONE,
+            "Tenant archived — data retention window closed",
+        )
+            .into_response();
+    }
+
+    if ctx.status.is_frozen() && is_write(request.method()) {
+        return (
+            StatusCode::PAYMENT_REQUIRED,
+            "Tenant frozen — read-only. Re-activate to resume writes.",
+        )
+            .into_response();
+    }
+
+    next.run(request).await
+}
+
+/// Treat anything other than GET/HEAD/OPTIONS as a write. Good enough for
+/// REST. The few exceptions (e.g. read-side POSTs) can opt out at the
+/// handler level once we have them.
+fn is_write(m: &Method) -> bool {
+    !matches!(m, &Method::GET | &Method::HEAD | &Method::OPTIONS)
+}
+
+async fn validate_token(token: &str, state: &JwksState) -> Result<TenantContext, String> {
     let header = decode_header(token).map_err(|e| format!("failed to decode JWT header: {e}"))?;
 
     let kid = header
@@ -83,10 +164,37 @@ async fn validate_token(token: &str, state: &JwksState) -> Result<(), String> {
     validation.validate_exp = true;
     validation.validate_aud = false;
 
-    decode::<Claims>(token, &decoding_key, &validation)
+    let data = decode::<Claims>(token, &decoding_key, &validation)
         .map_err(|e| format!("token validation failed: {e}"))?;
 
-    Ok(())
+    claims_to_context(data.claims)
+}
+
+/// Map the decoded JWT payload into the platform-wide `TenantContext`.
+/// Pulled out for unit testing — no I/O.
+fn claims_to_context(c: Claims) -> Result<TenantContext, String> {
+    if c.tenant_id.is_empty() {
+        return Err("JWT is missing tenant_id claim".to_string());
+    }
+
+    let status = c.tenant_status.unwrap_or_else(|| {
+        tracing::warn!(
+            "JWT missing tenant_status claim for tenant {} — defaulting to Trial",
+            c.tenant_id
+        );
+        TenantStatus::Trial
+    });
+
+    Ok(TenantContext {
+        tenant_id: c.tenant_id,
+        tenant_slug: c.tenant_slug,
+        org_roles: c.org_roles.iter().map(|r| OrgRole::parse(r)).collect(),
+        products: c.products,
+        plan: c.plan,
+        status,
+        user_id: c.sub,
+        user_name: c.name.or(c.preferred_username),
+    })
 }
 
 async fn fetch_or_get_jwks(state: &JwksState) -> Result<JwkSet, String> {
@@ -111,3 +219,87 @@ async fn fetch_or_get_jwks(state: &JwksState) -> Result<JwkSet, String> {
 
     Ok(jwks)
 }
+
+#[cfg(test)]
+#[allow(clippy::expect_used, clippy::unwrap_used)]
+mod tests {
+    use super::*;
+
+    fn base_claims() -> Claims {
+        Claims {
+            sub: "user-123".to_string(),
+            name: Some("Alice Acme".to_string()),
+            preferred_username: None,
+            tenant_id: "00000000-0000-0000-0000-000000000001".to_string(),
+            tenant_slug: "acme".to_string(),
+            org_roles: vec!["IT_ADMIN".to_string()],
+            products: vec!["compliance".to_string()],
+            plan: "professional".to_string(),
+            tenant_status: Some(TenantStatus::Active),
+        }
+    }
+
+    #[test]
+    fn claims_to_context_happy_path() {
+        let ctx = claims_to_context(base_claims()).expect("should map");
+        assert_eq!(ctx.tenant_id, "00000000-0000-0000-0000-000000000001");
+        assert_eq!(ctx.tenant_slug, "acme");
+        assert_eq!(ctx.org_roles, vec![OrgRole::ItAdmin]);
+        assert_eq!(ctx.products, vec!["compliance"]);
+        assert_eq!(ctx.plan, "professional");
+        assert_eq!(ctx.status, TenantStatus::Active);
+        assert_eq!(ctx.user_id, "user-123");
+        assert_eq!(ctx.user_name.as_deref(), Some("Alice Acme"));
+    }
+
+    #[test]
+    fn claims_to_context_rejects_missing_tenant_id() {
+        let mut c = base_claims();
+        c.tenant_id = "".to_string();
+        let err = claims_to_context(c).expect_err("should reject");
+        assert!(err.contains("tenant_id"));
+    }
+
+    #[test]
+    fn claims_to_context_defaults_status_when_missing() {
+        let mut c = base_claims();
+        c.tenant_status = None;
+        let ctx = claims_to_context(c).expect("should map");
+        assert_eq!(ctx.status, TenantStatus::Trial);
+    }
+
+    #[test]
+    fn claims_to_context_falls_back_to_preferred_username() {
+        let mut c = base_claims();
+        c.name = None;
+        c.preferred_username = Some("alice@acme.dev".to_string());
+        let ctx = claims_to_context(c).expect("should map");
+        assert_eq!(ctx.user_name.as_deref(), Some("alice@acme.dev"));
+    }
+
+    #[test]
+    fn claims_to_context_parses_multiple_roles() {
+        let mut c = base_claims();
+        c.org_roles = vec![
+            "IT_ADMIN".to_string(),
+            "CXO".to_string(),
+            "GARBAGE".to_string(),
+        ];
+        let ctx = claims_to_context(c).expect("should map");
+        assert_eq!(
+            ctx.org_roles,
+            vec![OrgRole::ItAdmin, OrgRole::Cxo, OrgRole::Unknown]
+        );
+    }
+
+    #[test]
+    fn is_write_detects_methods() {
+        assert!(!is_write(&Method::GET));
+        assert!(!is_write(&Method::HEAD));
+        assert!(!is_write(&Method::OPTIONS));
+        assert!(is_write(&Method::POST));
+        assert!(is_write(&Method::PUT));
+        assert!(is_write(&Method::PATCH));
+        assert!(is_write(&Method::DELETE));
+    }
+}

compliance-agent/src/api/handlers/help_chat.rs

@@ -104,28 +104,58 @@ fn load_docs(root: &Path) -> String {
 
 /// Returns a reference to the cached doc context string, initialised on
 /// first call via `OnceLock`.
+///
+/// Discovery order:
+/// 1. `HELP_DOCS_PATH` env var (explicit override)
+/// 2. Walk up from the binary location
+/// 3. Current working directory
+/// 4. Common Docker paths (/app, /opt/compliance-scanner)
 fn doc_context() -> &'static str {
     DOC_CONTEXT.get_or_init(|| {
+        // 1. Explicit env var
+        if let Ok(path) = std::env::var("HELP_DOCS_PATH") {
+            let p = PathBuf::from(&path);
+            if p.join("README.md").is_file() || p.join("docs").is_dir() {
+                tracing::info!("help_chat: loading docs from HELP_DOCS_PATH={path}");
+                return load_docs(&p);
+            }
+            tracing::warn!("help_chat: HELP_DOCS_PATH={path} has no README.md or docs/");
+        }
+
+        // 2. Walk up from binary location
         let start = std::env::current_exe()
             .ok()
             .and_then(|p| p.parent().map(Path::to_path_buf))
             .unwrap_or_else(|| PathBuf::from("."));
 
-        match find_project_root(&start) {
+        if let Some(root) = find_project_root(&start) {
-            Some(root) => load_docs(&root),
+            return load_docs(&root);
-            None => {
+        }
-                // Fallback: try current working directory
+
-                let cwd = std::env::current_dir().unwrap_or_else(|_| PathBuf::from("."));
+        // 3. Current working directory
+        if let Ok(cwd) = std::env::current_dir() {
+            if let Some(root) = find_project_root(&cwd) {
+                return load_docs(&root);
+            }
             if cwd.join("README.md").is_file() {
                 return load_docs(&cwd);
             }
+        }
+
+        // 4. Common Docker/deployment paths
+        for candidate in ["/app", "/opt/compliance-scanner", "/srv/compliance-scanner"] {
+            let p = PathBuf::from(candidate);
+            if p.join("README.md").is_file() || p.join("docs").is_dir() {
+                tracing::info!("help_chat: found docs at {candidate}");
+                return load_docs(&p);
+            }
+        }
+
         tracing::error!(
-                    "help_chat: could not locate project root from {}; doc context will be empty",
+            "help_chat: could not locate project root; doc context will be empty. \
-                    start.display()
+             Set HELP_DOCS_PATH to the directory containing README.md and docs/"
         );
         String::new()
-            }
-        }
     })
 }
 

compliance-agent/src/api/handlers/mod.rs

@@ -6,6 +6,7 @@ pub mod graph;
 pub mod health;
 pub mod help_chat;
 pub mod issues;
+pub mod notifications;
 pub mod pentest_handlers;
 pub use pentest_handlers as pentest;
 pub mod repos;

compliance-agent/src/api/handlers/notifications.rs

@@ -0,0 +1,178 @@
+use axum::extract::Extension;
+use axum::http::StatusCode;
+use axum::Json;
+use mongodb::bson::doc;
+use serde::Deserialize;
+
+use compliance_core::models::notification::CveNotification;
+
+use super::dto::{AgentExt, ApiResponse};
+
+/// GET /api/v1/notifications — List CVE notifications (newest first)
+#[tracing::instrument(skip_all)]
+pub async fn list_notifications(
+    Extension(agent): AgentExt,
+    axum::extract::Query(params): axum::extract::Query<NotificationFilter>,
+) -> Result<Json<ApiResponse<Vec<CveNotification>>>, StatusCode> {
+    let mut filter = doc! {};
+
+    // Filter by status (default: show new + read, exclude dismissed)
+    match params.status.as_deref() {
+        Some("all") => {}
+        Some(s) => {
+            filter.insert("status", s);
+        }
+        None => {
+            filter.insert("status", doc! { "$in": ["new", "read"] });
+        }
+    }
+
+    // Filter by severity
+    if let Some(ref sev) = params.severity {
+        filter.insert("severity", sev.as_str());
+    }
+
+    // Filter by repo
+    if let Some(ref repo_id) = params.repo_id {
+        filter.insert("repo_id", repo_id.as_str());
+    }
+
+    let page = params.page.unwrap_or(1).max(1);
+    let limit = params.limit.unwrap_or(50).min(200);
+    let skip = (page - 1) * limit as u64;
+
+    let total = agent
+        .db
+        .cve_notifications()
+        .count_documents(filter.clone())
+        .await
+        .unwrap_or(0);
+
+    let notifications: Vec<CveNotification> = match agent
+        .db
+        .cve_notifications()
+        .find(filter)
+        .sort(doc! { "created_at": -1 })
+        .skip(skip)
+        .limit(limit)
+        .await
+    {
+        Ok(cursor) => {
+            use futures_util::StreamExt;
+            let mut items = Vec::new();
+            let mut cursor = cursor;
+            while let Some(Ok(n)) = cursor.next().await {
+                items.push(n);
+            }
+            items
+        }
+        Err(e) => {
+            tracing::error!("Failed to list notifications: {e}");
+            return Err(StatusCode::INTERNAL_SERVER_ERROR);
+        }
+    };
+
+    Ok(Json(ApiResponse {
+        data: notifications,
+        total: Some(total),
+        page: Some(page),
+    }))
+}
+
+/// GET /api/v1/notifications/count — Count of unread notifications
+#[tracing::instrument(skip_all)]
+pub async fn notification_count(
+    Extension(agent): AgentExt,
+) -> Result<Json<serde_json::Value>, StatusCode> {
+    let count = agent
+        .db
+        .cve_notifications()
+        .count_documents(doc! { "status": "new" })
+        .await
+        .unwrap_or(0);
+
+    Ok(Json(serde_json::json!({ "count": count })))
+}
+
+/// PATCH /api/v1/notifications/:id/read — Mark a notification as read
+#[tracing::instrument(skip_all, fields(id = %id))]
+pub async fn mark_read(
+    Extension(agent): AgentExt,
+    axum::extract::Path(id): axum::extract::Path<String>,
+) -> Result<Json<serde_json::Value>, StatusCode> {
+    let oid = mongodb::bson::oid::ObjectId::parse_str(&id).map_err(|_| StatusCode::BAD_REQUEST)?;
+
+    let result = agent
+        .db
+        .cve_notifications()
+        .update_one(
+            doc! { "_id": oid },
+            doc! { "$set": {
+                "status": "read",
+                "read_at": mongodb::bson::DateTime::now(),
+            }},
+        )
+        .await
+        .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;
+
+    if result.matched_count == 0 {
+        return Err(StatusCode::NOT_FOUND);
+    }
+    Ok(Json(serde_json::json!({ "status": "read" })))
+}
+
+/// PATCH /api/v1/notifications/:id/dismiss — Dismiss a notification
+#[tracing::instrument(skip_all, fields(id = %id))]
+pub async fn dismiss_notification(
+    Extension(agent): AgentExt,
+    axum::extract::Path(id): axum::extract::Path<String>,
+) -> Result<Json<serde_json::Value>, StatusCode> {
+    let oid = mongodb::bson::oid::ObjectId::parse_str(&id).map_err(|_| StatusCode::BAD_REQUEST)?;
+
+    let result = agent
+        .db
+        .cve_notifications()
+        .update_one(
+            doc! { "_id": oid },
+            doc! { "$set": { "status": "dismissed" } },
+        )
+        .await
+        .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;
+
+    if result.matched_count == 0 {
+        return Err(StatusCode::NOT_FOUND);
+    }
+    Ok(Json(serde_json::json!({ "status": "dismissed" })))
+}
+
+/// POST /api/v1/notifications/read-all — Mark all new notifications as read
+#[tracing::instrument(skip_all)]
+pub async fn mark_all_read(
+    Extension(agent): AgentExt,
+) -> Result<Json<serde_json::Value>, StatusCode> {
+    let result = agent
+        .db
+        .cve_notifications()
+        .update_many(
+            doc! { "status": "new" },
+            doc! { "$set": {
+                "status": "read",
+                "read_at": mongodb::bson::DateTime::now(),
+            }},
+        )
+        .await
+        .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;
+
+    Ok(Json(
+        serde_json::json!({ "updated": result.modified_count }),
+    ))
+}
+
+#[derive(Debug, Deserialize)]
+pub struct NotificationFilter {
+    pub status: Option<String>,
+    pub severity: Option<String>,
+    pub repo_id: Option<String>,
+    pub page: Option<u64>,
+    pub limit: Option<i64>,
+}

compliance-agent/src/api/mod.rs

@@ -2,5 +2,7 @@ pub mod auth_middleware;
 pub mod handlers;
 pub mod routes;
 pub mod server;
+pub mod tenant_ctx;
 
 pub use server::start_api_server;
+pub use tenant_ctx::TenantCtx;

compliance-agent/src/api/routes.rs

@@ -101,6 +101,27 @@ pub fn build_router() -> Router {
         )
         // Help chat (documentation-grounded Q&A)
         .route("/api/v1/help/chat", post(handlers::help_chat::help_chat))
+        // CVE notification endpoints
+        .route(
+            "/api/v1/notifications",
+            get(handlers::notifications::list_notifications),
+        )
+        .route(
+            "/api/v1/notifications/count",
+            get(handlers::notifications::notification_count),
+        )
+        .route(
+            "/api/v1/notifications/read-all",
+            post(handlers::notifications::mark_all_read),
+        )
+        .route(
+            "/api/v1/notifications/{id}/read",
+            patch(handlers::notifications::mark_read),
+        )
+        .route(
+            "/api/v1/notifications/{id}/dismiss",
+            patch(handlers::notifications::dismiss_notification),
+        )
         // Pentest API endpoints
         .route(
             "/api/v1/pentest/lookup-repo",

compliance-agent/src/api/server.rs

@@ -1,12 +1,14 @@
 use std::sync::Arc;
 
+use axum::http::HeaderValue;
 use axum::{middleware, Extension};
 use tokio::sync::RwLock;
 use tower_http::cors::CorsLayer;
+use tower_http::set_header::SetResponseHeaderLayer;
 use tower_http::trace::TraceLayer;
 
 use crate::agent::ComplianceAgent;
-use crate::api::auth_middleware::{require_jwt_auth, JwksState};
+use crate::api::auth_middleware::{require_jwt_auth, require_tenant_status, JwksState};
 use crate::api::routes;
 use crate::error::AgentError;
 
@@ -14,7 +16,24 @@ pub async fn start_api_server(agent: ComplianceAgent, port: u16) -> Result<(), A
     let mut app = routes::build_router()
         .layer(Extension(Arc::new(agent.clone())))
         .layer(CorsLayer::permissive())
-        .layer(TraceLayer::new_for_http());
+        .layer(TraceLayer::new_for_http())
+        // Security headers (defense-in-depth, primary enforcement via Traefik)
+        .layer(SetResponseHeaderLayer::overriding(
+            axum::http::header::STRICT_TRANSPORT_SECURITY,
+            HeaderValue::from_static("max-age=31536000; includeSubDomains"),
+        ))
+        .layer(SetResponseHeaderLayer::overriding(
+            axum::http::header::X_FRAME_OPTIONS,
+            HeaderValue::from_static("DENY"),
+        ))
+        .layer(SetResponseHeaderLayer::overriding(
+            axum::http::header::X_CONTENT_TYPE_OPTIONS,
+            HeaderValue::from_static("nosniff"),
+        ))
+        .layer(SetResponseHeaderLayer::overriding(
+            axum::http::header::REFERRER_POLICY,
+            HeaderValue::from_static("strict-origin-when-cross-origin"),
+        ));
 
     if let (Some(kc_url), Some(kc_realm)) =
         (&agent.config.keycloak_url, &agent.config.keycloak_realm)
@@ -25,9 +44,14 @@ pub async fn start_api_server(agent: ComplianceAgent, port: u16) -> Result<(), A
             jwks_url,
         };
         tracing::info!("Keycloak JWT auth enabled for realm '{kc_realm}'");
+        // Layers execute outermost-first. The Extension must run before
+        // require_jwt_auth so that middleware can read JwksState from
+        // request extensions, and the status gate must run after the
+        // JWT auth so TenantContext is in extensions.
         app = app
-            .layer(Extension(jwks_state))
+            .layer(middleware::from_fn(require_tenant_status))
-            .layer(middleware::from_fn(require_jwt_auth));
+            .layer(middleware::from_fn(require_jwt_auth))
+            .layer(Extension(jwks_state));
     } else {
         tracing::warn!("Keycloak not configured - API endpoints are unprotected");
     }

compliance-agent/src/api/tenant_ctx.rs

@@ -0,0 +1,94 @@
+//! Axum extractor for the per-request `TenantContext`.
+//!
+//! Handlers consume it as a normal extractor argument:
+//!
+//! ```ignore
+//! async fn list_findings(TenantCtx(ctx): TenantCtx) -> Json<...> {
+//!     let filter = compliance_core::db::tenant_filter(&ctx);
+//!     ...
+//! }
+//! ```
+//!
+//! The middleware (`require_jwt_auth`) is responsible for inserting the
+//! context into the request extensions. If it's missing on a route that
+//! uses this extractor, that's a bug in the wiring — we return 401 so the
+//! caller sees an auth failure rather than a 500.
+
+use axum::{
+    extract::FromRequestParts,
+    http::{request::Parts, StatusCode},
+    response::{IntoResponse, Response},
+};
+use compliance_core::TenantContext;
+
+#[derive(Debug, Clone)]
+pub struct TenantCtx(pub TenantContext);
+
+#[derive(Debug)]
+pub struct TenantCtxRejection;
+
+impl IntoResponse for TenantCtxRejection {
+    fn into_response(self) -> Response {
+        (
+            StatusCode::UNAUTHORIZED,
+            "Missing tenant context — request was not authenticated",
+        )
+            .into_response()
+    }
+}
+
+impl<S> FromRequestParts<S> for TenantCtx
+where
+    S: Send + Sync,
+{
+    type Rejection = TenantCtxRejection;
+
+    async fn from_request_parts(parts: &mut Parts, _state: &S) -> Result<Self, Self::Rejection> {
+        parts
+            .extensions
+            .get::<TenantContext>()
+            .cloned()
+            .map(TenantCtx)
+            .ok_or(TenantCtxRejection)
+    }
+}
+
+#[cfg(test)]
+#[allow(clippy::expect_used, clippy::unwrap_used)]
+mod tests {
+    use super::*;
+    use axum::http::Request;
+    use compliance_core::TenantStatus;
+
+    fn ctx() -> TenantContext {
+        TenantContext {
+            tenant_id: "t-1".to_string(),
+            tenant_slug: "acme".to_string(),
+            org_roles: vec![],
+            products: vec![],
+            plan: "starter".to_string(),
+            status: TenantStatus::Active,
+            user_id: "u-1".to_string(),
+            user_name: None,
+        }
+    }
+
+    #[tokio::test]
+    async fn extracts_context_when_present() {
+        let mut req = Request::new(());
+        req.extensions_mut().insert(ctx());
+        let (mut parts, _) = req.into_parts();
+        let TenantCtx(found) = TenantCtx::from_request_parts(&mut parts, &())
+            .await
+            .expect("extractor should succeed");
+        assert_eq!(found.tenant_id, "t-1");
+    }
+
+    #[tokio::test]
+    async fn rejects_when_missing() {
+        let req: Request<()> = Request::new(());
+        let (mut parts, _) = req.into_parts();
+        let err = TenantCtx::from_request_parts(&mut parts, &()).await;
+        assert!(err.is_err());
+    }
+}

compliance-agent/src/config.rs

@@ -42,7 +42,7 @@ pub fn load_config() -> Result<AgentConfig, AgentError> {
             .unwrap_or(3001),
         scan_schedule: env_var_opt("SCAN_SCHEDULE").unwrap_or_else(|| "0 0 */6 * * *".to_string()),
         cve_monitor_schedule: env_var_opt("CVE_MONITOR_SCHEDULE")
-            .unwrap_or_else(|| "0 0 0 * * *".to_string()),
+            .unwrap_or_else(|| "0 0 * * * *".to_string()),
         git_clone_base_path: env_var_opt("GIT_CLONE_BASE_PATH")
             .unwrap_or_else(|| "/tmp/compliance-scanner/repos".to_string()),
         ssh_key_path: env_var_opt("SSH_KEY_PATH")

compliance-agent/src/database.rs

@@ -78,6 +78,25 @@ impl Database {
             )
             .await?;
 
+        // cve_notifications: unique cve_id + repo_id + package, status filter
+        self.cve_notifications()
+            .create_index(
+                IndexModel::builder()
+                    .keys(
+                        doc! { "cve_id": 1, "repo_id": 1, "package_name": 1, "package_version": 1 },
+                    )
+                    .options(IndexOptions::builder().unique(true).build())
+                    .build(),
+            )
+            .await?;
+        self.cve_notifications()
+            .create_index(
+                IndexModel::builder()
+                    .keys(doc! { "status": 1, "created_at": -1 })
+                    .build(),
+            )
+            .await?;
+
         // tracker_issues: unique finding_id
         self.tracker_issues()
             .create_index(
@@ -222,6 +241,12 @@ impl Database {
         self.inner.collection("cve_alerts")
     }
 
+    pub fn cve_notifications(
+        &self,
+    ) -> Collection<compliance_core::models::notification::CveNotification> {
+        self.inner.collection("cve_notifications")
+    }
+
     pub fn tracker_issues(&self) -> Collection<TrackerIssue> {
         self.inner.collection("tracker_issues")
     }

compliance-agent/src/llm/client.rs

@@ -19,12 +19,17 @@ impl LlmClient {
         model: String,
         embed_model: String,
     ) -> Self {
+        let http = reqwest::Client::builder()
+            .timeout(std::time::Duration::from_secs(300))
+            .connect_timeout(std::time::Duration::from_secs(10))
+            .build()
+            .unwrap_or_default();
         Self {
             base_url,
             api_key,
             model,
             embed_model,
-            http: reqwest::Client::new(),
+            http,
         }
     }
 

compliance-agent/src/main.rs

@@ -4,7 +4,7 @@ use compliance_agent::{agent, api, config, database, scheduler, ssh, webhooks};
 async fn main() -> Result<(), Box<dyn std::error::Error>> {
     match dotenvy::dotenv() {
         Ok(path) => eprintln!("[dotenv] Loaded from: {}", path.display()),
-        Err(e) => eprintln!("[dotenv] FAILED: {e}"),
+        Err(_) => eprintln!("[dotenv] No .env file found, using environment variables"),
     }
 
     let _telemetry_guard = compliance_core::telemetry::init_telemetry("compliance-agent");

compliance-agent/src/pipeline/gitleaks.rs

@@ -19,7 +19,9 @@ impl Scanner for GitleaksScanner {
 
     #[tracing::instrument(skip_all)]
     async fn scan(&self, repo_path: &Path, repo_id: &str) -> Result<ScanOutput, CoreError> {
-        let output = tokio::process::Command::new("gitleaks")
+        let output = tokio::time::timeout(
+            std::time::Duration::from_secs(300),
+            tokio::process::Command::new("gitleaks")
                 .args([
                     "detect",
                     "--source",
@@ -33,8 +35,13 @@ impl Scanner for GitleaksScanner {
                     "0",
                 ])
                 .current_dir(repo_path)
-            .output()
+                .output(),
+        )
         .await
+        .map_err(|_| CoreError::Scanner {
+            scanner: "gitleaks".to_string(),
+            source: "timed out after 5 minutes".into(),
+        })?
         .map_err(|e| CoreError::Scanner {
             scanner: "gitleaks".to_string(),
             source: Box::new(e),

compliance-agent/src/pipeline/orchestrator.rs

@@ -174,19 +174,26 @@ impl PipelineOrchestrator {
                 k.expose_secret().to_string()
             }),
         );
-        let cve_alerts = match async {
+        let cve_alerts = match tokio::time::timeout(
+            std::time::Duration::from_secs(600),
+            async {
                 cve_scanner
                     .scan_dependencies(&repo_id, &mut sbom_entries)
                     .await
             }
-        .instrument(tracing::info_span!("stage_cve_scanning"))
+            .instrument(tracing::info_span!("stage_cve_scanning")),
+        )
         .await
         {
-            Ok(alerts) => alerts,
+            Ok(Ok(alerts)) => alerts,
-            Err(e) => {
+            Ok(Err(e)) => {
                 tracing::warn!("[{repo_id}] CVE scanning failed: {e}");
                 Vec::new()
             }
+            Err(_) => {
+                tracing::warn!("[{repo_id}] CVE scanning timed out after 10 minutes");
+                Vec::new()
+            }
         };
 
         // Stage 4: Pattern Scanning (GDPR + OAuth)
@@ -315,8 +322,15 @@ impl PipelineOrchestrator {
                 .await?;
         }
 
-        // Persist CVE alerts (upsert by cve_id + repo_id)
+        // Persist CVE alerts and create notifications
+        {
+            use compliance_core::models::notification::{parse_severity, CveNotification};
+
+            let repo_name = repo.name.clone();
+            let mut new_notif_count = 0u32;
+
             for alert in &cve_alerts {
+                // Upsert the alert
                 let filter = doc! {
                     "cve_id": &alert.cve_id,
                     "repo_id": &alert.repo_id,
@@ -329,6 +343,46 @@ impl PipelineOrchestrator {
                     .update_one(filter, update)
                     .upsert(true)
                     .await?;
+
+                // Create notification (dedup by cve_id + repo + package + version)
+                let notif_filter = doc! {
+                    "cve_id": &alert.cve_id,
+                    "repo_id": &alert.repo_id,
+                    "package_name": &alert.affected_package,
+                    "package_version": &alert.affected_version,
+                };
+                let severity = parse_severity(alert.severity.as_deref(), alert.cvss_score);
+                let mut notification = CveNotification::new(
+                    alert.cve_id.clone(),
+                    repo_id.clone(),
+                    repo_name.clone(),
+                    alert.affected_package.clone(),
+                    alert.affected_version.clone(),
+                    severity,
+                );
+                notification.cvss_score = alert.cvss_score;
+                notification.summary = alert.summary.clone();
+                notification.url = Some(format!("https://osv.dev/vulnerability/{}", alert.cve_id));
+
+                let notif_update = doc! {
+                    "$setOnInsert": mongodb::bson::to_bson(&notification).unwrap_or_default()
+                };
+                if let Ok(result) = self
+                    .db
+                    .cve_notifications()
+                    .update_one(notif_filter, notif_update)
+                    .upsert(true)
+                    .await
+                {
+                    if result.upserted_id.is_some() {
+                        new_notif_count += 1;
+                    }
+                }
+            }
+
+            if new_notif_count > 0 {
+                tracing::info!("[{repo_id}] Created {new_notif_count} CVE notification(s)");
+            }
         }
 
         // Stage 6: Issue Creation

compliance-agent/src/pipeline/sbom/syft.rs

@@ -5,16 +5,22 @@ use compliance_core::CoreError;
 
 #[tracing::instrument(skip_all, fields(repo_id = %repo_id))]
 pub(super) async fn run_syft(repo_path: &Path, repo_id: &str) -> Result<Vec<SbomEntry>, CoreError> {
-    let output = tokio::process::Command::new("syft")
+    let output = tokio::time::timeout(
+        std::time::Duration::from_secs(300),
+        tokio::process::Command::new("syft")
             .arg(repo_path)
             .args(["-o", "cyclonedx-json"])
-        // Enable remote license lookups for all ecosystems
             .env("SYFT_GOLANG_SEARCH_REMOTE_LICENSES", "true")
             .env("SYFT_JAVASCRIPT_SEARCH_REMOTE_LICENSES", "true")
             .env("SYFT_PYTHON_SEARCH_REMOTE_LICENSES", "true")
             .env("SYFT_JAVA_USE_NETWORK", "true")
-        .output()
+            .output(),
+    )
     .await
+    .map_err(|_| CoreError::Scanner {
+        scanner: "syft".to_string(),
+        source: "timed out after 5 minutes".into(),
+    })?
     .map_err(|e| CoreError::Scanner {
         scanner: "syft".to_string(),
         source: Box::new(e),

compliance-agent/src/pipeline/semgrep.rs

@@ -19,11 +19,26 @@ impl Scanner for SemgrepScanner {
 
     #[tracing::instrument(skip_all)]
     async fn scan(&self, repo_path: &Path, repo_id: &str) -> Result<ScanOutput, CoreError> {
-        let output = tokio::process::Command::new("semgrep")
+        let output = tokio::time::timeout(
-            .args(["--config=auto", "--json", "--quiet"])
+            std::time::Duration::from_secs(600),
+            tokio::process::Command::new("semgrep")
+                .args([
+                    "--config=auto",
+                    "--json",
+                    "--quiet",
+                    "--max-memory",
+                    "500",
+                    "--jobs",
+                    "1",
+                ])
                 .arg(repo_path)
-            .output()
+                .output(),
+        )
         .await
+        .map_err(|_| CoreError::Scanner {
+            scanner: "semgrep".to_string(),
+            source: "timed out after 10 minutes".into(),
+        })?
         .map_err(|e| CoreError::Scanner {
             scanner: "semgrep".to_string(),
             source: Box::new(e),

compliance-agent/src/rag/pipeline.rs

@@ -6,11 +6,16 @@ use compliance_core::models::embedding::{CodeEmbedding, EmbeddingBuildRun, Embed
 use compliance_core::models::graph::CodeNode;
 use compliance_graph::graph::chunking::extract_chunks;
 use compliance_graph::graph::embedding_store::EmbeddingStore;
+use futures_util::stream::{FuturesUnordered, StreamExt};
 use tracing::{error, info};
 
 use crate::error::AgentError;
 use crate::llm::LlmClient;
 
+const EMBED_BATCH_SIZE: usize = 20;
+const EMBED_CONCURRENCY: usize = 4;
+const EMBED_FLUSH_EVERY: usize = 200;
+
 /// RAG pipeline for building embeddings and performing retrieval
 pub struct RagPipeline {
     llm: Arc<LlmClient>,
@@ -77,25 +82,33 @@ impl RagPipeline {
             .await
             .map_err(|e| AgentError::Other(format!("Failed to delete old embeddings: {e}")))?;
 
-        // Step 3: Batch embed (small batches to stay within model limits)
+        // Step 3: Batch embed with bounded concurrency. Flush to Mongo and
-        let batch_size = 20;
+        // update progress periodically so the dashboard can show live status.
-        let mut all_embeddings = Vec::new();
+        let mut pending = Vec::with_capacity(EMBED_FLUSH_EVERY);
         let mut embedded_count = 0u32;
 
-        for batch_start in (0..chunks.len()).step_by(batch_size) {
+        // Build the list of batch indices to process.
-            let batch_end = (batch_start + batch_size).min(chunks.len());
+        let batches: Vec<(usize, usize)> = (0..chunks.len())
-            let batch_chunks = &chunks[batch_start..batch_end];
+            .step_by(EMBED_BATCH_SIZE)
-
+            .map(|start| (start, (start + EMBED_BATCH_SIZE).min(chunks.len())))
-            // Prepare texts: context_header + content
-            let texts: Vec<String> = batch_chunks
-                .iter()
-                .map(|c| format!("{}\n{}", c.context_header, c.content))
             .collect();
 
-            match self.llm.embed(texts).await {
+        let mut batch_iter = batches.into_iter();
-                Ok(vectors) => {
+        let mut in_flight = FuturesUnordered::new();
+
+        // Prime up to EMBED_CONCURRENCY batches.
+        for _ in 0..EMBED_CONCURRENCY {
+            if let Some((start, end)) = batch_iter.next() {
+                in_flight.push(self.embed_batch(&chunks[start..end], start, end));
+            }
+        }
+
+        while let Some(result) = in_flight.next().await {
+            match result {
+                Ok((start, end, vectors)) => {
+                    let batch_chunks = &chunks[start..end];
                     for (chunk, embedding) in batch_chunks.iter().zip(vectors) {
-                        all_embeddings.push(CodeEmbedding {
+                        pending.push(CodeEmbedding {
                             id: None,
                             repo_id: repo_id.to_string(),
                             graph_build_id: graph_build_id.to_string(),
@@ -113,9 +126,45 @@ impl RagPipeline {
                         });
                     }
                     embedded_count += batch_chunks.len() as u32;
+
+                    // Flush pending embeddings to Mongo periodically and update progress.
+                    if pending.len() >= EMBED_FLUSH_EVERY {
+                        self.embedding_store
+                            .store_embeddings(&pending)
+                            .await
+                            .map_err(|e| {
+                                AgentError::Other(format!("Failed to store embeddings: {e}"))
+                            })?;
+                        pending.clear();
+                    }
+
+                    // Always update the progress counter on the build doc — even if
+                    // we haven't flushed embeddings yet — so the UI shows movement.
+                    if let Err(e) = self
+                        .embedding_store
+                        .update_build(
+                            repo_id,
+                            graph_build_id,
+                            EmbeddingBuildStatus::Running,
+                            embedded_count,
+                            None,
+                        )
+                        .await
+                    {
+                        error!("[{repo_id}] Failed to update build progress: {e}");
+                    }
+
+                    // Queue the next batch to keep concurrency saturated.
+                    if let Some((s, e)) = batch_iter.next() {
+                        in_flight.push(self.embed_batch(&chunks[s..e], s, e));
+                    }
                 }
                 Err(e) => {
                     error!("[{repo_id}] Embedding batch failed: {e}");
+                    // Flush whatever we have so partial progress isn't lost.
+                    if !pending.is_empty() {
+                        let _ = self.embedding_store.store_embeddings(&pending).await;
+                    }
                     build.status = EmbeddingBuildStatus::Failed;
                     build.error_message = Some(e.to_string());
                     build.completed_at = Some(Utc::now());
@@ -134,11 +183,13 @@ impl RagPipeline {
             }
         }
 
-        // Step 4: Store all embeddings
+        // Step 4: Flush any remaining embeddings
+        if !pending.is_empty() {
             self.embedding_store
-            .store_embeddings(&all_embeddings)
+                .store_embeddings(&pending)
                 .await
                 .map_err(|e| AgentError::Other(format!("Failed to store embeddings: {e}")))?;
+        }
 
         // Step 5: Update build status
         build.status = EmbeddingBuildStatus::Completed;
@@ -161,4 +212,21 @@ impl RagPipeline {
         );
         Ok(build)
     }
+
+    /// Embed one batch of chunks. Returns the (start, end, vectors) tuple so
+    /// out-of-order completion from `FuturesUnordered` can still be reconciled
+    /// against the original chunk slice.
+    async fn embed_batch(
+        &self,
+        batch_chunks: &[compliance_graph::graph::chunking::CodeChunk],
+        start: usize,
+        end: usize,
+    ) -> Result<(usize, usize, Vec<Vec<f64>>), AgentError> {
+        let texts: Vec<String> = batch_chunks
+            .iter()
+            .map(|c| format!("{}\n{}", c.context_header, c.content))
+            .collect();
+        let vectors = self.llm.embed(texts).await?;
+        Ok((start, end, vectors))
+    }
 }

compliance-agent/src/scheduler.rs

@@ -82,24 +82,158 @@ async fn scan_all_repos(agent: &ComplianceAgent) {
 }
 
 async fn monitor_cves(agent: &ComplianceAgent) {
+    use compliance_core::models::notification::{parse_severity, CveNotification};
+    use compliance_core::models::SbomEntry;
     use futures_util::StreamExt;
 
-    // Re-scan all SBOM entries for new CVEs
+    // Fetch all SBOM entries grouped by repo
     let cursor = match agent.db.sbom_entries().find(doc! {}).await {
         Ok(c) => c,
         Err(e) => {
-            tracing::error!("Failed to list SBOM entries for CVE monitoring: {e}");
+            tracing::error!("CVE monitor: failed to list SBOM entries: {e}");
             return;
         }
     };
-
+    let entries: Vec<SbomEntry> = cursor.filter_map(|r| async { r.ok() }).collect().await;
-    let entries: Vec<_> = cursor.filter_map(|r| async { r.ok() }).collect().await;
-
     if entries.is_empty() {
+        tracing::debug!("CVE monitor: no SBOM entries, skipping");
         return;
     }
 
-    tracing::info!("CVE monitor: checking {} dependencies", entries.len());
+    tracing::info!(
-    // The actual CVE checking is handled by the CveScanner in the pipeline
+        "CVE monitor: checking {} dependencies for new CVEs",
-    // This is a simplified version that just logs the activity
+        entries.len()
+    );
+
+    // Build a repo_id → repo_name lookup
+    let repo_ids: std::collections::HashSet<String> =
+        entries.iter().map(|e| e.repo_id.clone()).collect();
+    let mut repo_names: std::collections::HashMap<String, String> =
+        std::collections::HashMap::new();
+    for rid in &repo_ids {
+        if let Ok(oid) = mongodb::bson::oid::ObjectId::parse_str(rid) {
+            if let Ok(Some(repo)) = agent.db.repositories().find_one(doc! { "_id": oid }).await {
+                repo_names.insert(rid.clone(), repo.name.clone());
+            }
+        }
+    }
+
+    // Use the existing CveScanner to query OSV.dev
+    let nvd_key = agent.config.nvd_api_key.as_ref().map(|k| {
+        use secrecy::ExposeSecret;
+        k.expose_secret().to_string()
+    });
+    let scanner = crate::pipeline::cve::CveScanner::new(
+        agent.http.clone(),
+        agent.config.searxng_url.clone(),
+        nvd_key,
+    );
+
+    // Group entries by repo for scanning
+    let mut entries_by_repo: std::collections::HashMap<String, Vec<SbomEntry>> =
+        std::collections::HashMap::new();
+    for entry in entries {
+        entries_by_repo
+            .entry(entry.repo_id.clone())
+            .or_default()
+            .push(entry);
+    }
+
+    let mut new_notifications = 0u32;
+
+    for (repo_id, mut repo_entries) in entries_by_repo {
+        let repo_name = repo_names
+            .get(&repo_id)
+            .cloned()
+            .unwrap_or_else(|| repo_id.clone());
+
+        // Scan dependencies for CVEs
+        let alerts = match scanner.scan_dependencies(&repo_id, &mut repo_entries).await {
+            Ok(a) => a,
+            Err(e) => {
+                tracing::warn!("CVE monitor: scan failed for {repo_name}: {e}");
+                continue;
+            }
+        };
+
+        // Upsert CVE alerts (existing logic)
+        for alert in &alerts {
+            let filter = doc! { "cve_id": &alert.cve_id, "repo_id": &alert.repo_id };
+            let update = doc! { "$setOnInsert": mongodb::bson::to_bson(alert).unwrap_or_default() };
+            let _ = agent
+                .db
+                .cve_alerts()
+                .update_one(filter, update)
+                .upsert(true)
+                .await;
+        }
+
+        // Update SBOM entries with discovered vulnerabilities
+        for entry in &repo_entries {
+            if entry.known_vulnerabilities.is_empty() {
+                continue;
+            }
+            if let Some(entry_id) = &entry.id {
+                let _ = agent
+                    .db
+                    .sbom_entries()
+                    .update_one(
+                        doc! { "_id": entry_id },
+                        doc! { "$set": {
+                            "known_vulnerabilities": mongodb::bson::to_bson(&entry.known_vulnerabilities).unwrap_or_default(),
+                            "updated_at": mongodb::bson::DateTime::now(),
+                        }},
+                    )
+                    .await;
+            }
+        }
+
+        // Create notifications for NEW CVEs (dedup against existing notifications)
+        for alert in &alerts {
+            let filter = doc! {
+                "cve_id": &alert.cve_id,
+                "repo_id": &alert.repo_id,
+                "package_name": &alert.affected_package,
+                "package_version": &alert.affected_version,
+            };
+            // Only insert if not already exists (upsert with $setOnInsert)
+            let severity = parse_severity(alert.severity.as_deref(), alert.cvss_score);
+            let mut notification = CveNotification::new(
+                alert.cve_id.clone(),
+                repo_id.clone(),
+                repo_name.clone(),
+                alert.affected_package.clone(),
+                alert.affected_version.clone(),
+                severity,
+            );
+            notification.cvss_score = alert.cvss_score;
+            notification.summary = alert.summary.clone();
+            notification.url = Some(format!("https://osv.dev/vulnerability/{}", alert.cve_id));
+
+            let update = doc! {
+                "$setOnInsert": mongodb::bson::to_bson(&notification).unwrap_or_default()
+            };
+            match agent
+                .db
+                .cve_notifications()
+                .update_one(filter, update)
+                .upsert(true)
+                .await
+            {
+                Ok(result) if result.upserted_id.is_some() => {
+                    new_notifications += 1;
+                }
+                Err(e) => {
+                    tracing::warn!("CVE monitor: failed to create notification: {e}");
+                }
+                _ => {} // Already exists
+            }
+        }
+    }
+
+    if new_notifications > 0 {
+        tracing::info!("CVE monitor: created {new_notifications} new notification(s)");
+    } else {
+        tracing::info!("CVE monitor: no new CVEs found");
+    }
 }

compliance-agent/tests/tenant_status_middleware.rs

@@ -0,0 +1,123 @@
+//! M7.1 — integration tests for `require_tenant_status`.
+//!
+//! Exercises the middleware end-to-end through an Axum router so we
+//! catch wiring bugs (extension propagation, method matching) that pure
+//! unit tests would miss.
+
+#![allow(clippy::expect_used, clippy::unwrap_used)]
+
+use axum::{
+    body::Body,
+    extract::Request,
+    http::{Method, StatusCode},
+    middleware::{from_fn, Next},
+    response::Response,
+    routing::{get, post},
+    Router,
+};
+use compliance_agent::api::auth_middleware::require_tenant_status;
+use compliance_core::{TenantContext, TenantStatus};
+use tower::ServiceExt;
+
+fn ctx_with(status: TenantStatus) -> TenantContext {
+    TenantContext {
+        tenant_id: "t-1".to_string(),
+        tenant_slug: "acme".to_string(),
+        org_roles: vec![],
+        products: vec![],
+        plan: "starter".to_string(),
+        status,
+        user_id: "u-1".to_string(),
+        user_name: None,
+    }
+}
+
+fn router_with_ctx(ctx: Option<TenantContext>) -> Router {
+    let injector = move |mut req: Request, next: Next| {
+        let ctx = ctx.clone();
+        async move {
+            if let Some(c) = ctx {
+                req.extensions_mut().insert(c);
+            }
+            next.run(req).await
+        }
+    };
+
+    Router::new()
+        .route("/r", get(|| async { "read" }))
+        .route("/w", post(|| async { "write" }))
+        .layer(from_fn(require_tenant_status))
+        .layer(from_fn(injector))
+}
+
+async fn call(router: Router, method: Method, path: &str) -> Response {
+    let req = Request::builder()
+        .method(method)
+        .uri(path)
+        .body(Body::empty())
+        .expect("request build");
+    router.oneshot(req).await.expect("oneshot")
+}
+
+#[tokio::test]
+async fn active_tenant_can_read_and_write() {
+    let r = router_with_ctx(Some(ctx_with(TenantStatus::Active)));
+    assert_eq!(
+        call(r.clone(), Method::GET, "/r").await.status(),
+        StatusCode::OK
+    );
+    assert_eq!(call(r, Method::POST, "/w").await.status(), StatusCode::OK);
+}
+
+#[tokio::test]
+async fn trial_tenant_can_read_and_write() {
+    let r = router_with_ctx(Some(ctx_with(TenantStatus::Trial)));
+    assert_eq!(
+        call(r.clone(), Method::GET, "/r").await.status(),
+        StatusCode::OK
+    );
+    assert_eq!(call(r, Method::POST, "/w").await.status(), StatusCode::OK);
+}
+
+#[tokio::test]
+async fn demo_tenant_can_read_and_write() {
+    let r = router_with_ctx(Some(ctx_with(TenantStatus::Demo)));
+    assert_eq!(
+        call(r.clone(), Method::GET, "/r").await.status(),
+        StatusCode::OK
+    );
+    assert_eq!(call(r, Method::POST, "/w").await.status(), StatusCode::OK);
+}
+
+#[tokio::test]
+async fn frozen_tenant_can_read_but_not_write() {
+    let r = router_with_ctx(Some(ctx_with(TenantStatus::Frozen)));
+    assert_eq!(
+        call(r.clone(), Method::GET, "/r").await.status(),
+        StatusCode::OK
+    );
+    assert_eq!(
+        call(r, Method::POST, "/w").await.status(),
+        StatusCode::PAYMENT_REQUIRED
+    );
+}
+
+#[tokio::test]
+async fn archived_tenant_is_gone_on_every_method() {
+    let r = router_with_ctx(Some(ctx_with(TenantStatus::Archived)));
+    assert_eq!(
+        call(r.clone(), Method::GET, "/r").await.status(),
+        StatusCode::GONE
+    );
+    assert_eq!(call(r, Method::POST, "/w").await.status(), StatusCode::GONE);
+}
+
+#[tokio::test]
+async fn no_context_passes_through() {
+    let r = router_with_ctx(None);
+    assert_eq!(
+        call(r.clone(), Method::GET, "/r").await.status(),
+        StatusCode::OK
+    );
+    assert_eq!(call(r, Method::POST, "/w").await.status(), StatusCode::OK);
+}

compliance-core/src/db.rs

@@ -0,0 +1,75 @@
+//! Database helpers shared across the workspace.
+//!
+//! `tenant_filter` returns the BSON filter that every query and update
+//! against a tenant-scoped collection MUST include. Centralising it here
+//! makes the rule grep-able and keeps query call-sites from accidentally
+//! omitting it.
+//!
+//! Future work (M7.2+): each collection model grows a `tenant_id` field
+//! and every `find` / `update_*` / `delete_*` call gets this filter
+//! merged in. The migration to per-collection scoping is tracked
+//! separately — this helper is the building block.
+
+use bson::{doc, Document};
+
+use crate::TenantContext;
+
+/// Returns `{ "tenant_id": <ctx.tenant_id> }`. Merge this into every
+/// query filter against a tenant-scoped collection.
+///
+/// Use [`tenant_filter_merge`] when you need to combine it with other
+/// query conditions — it preserves both halves without overwriting.
+pub fn tenant_filter(ctx: &TenantContext) -> Document {
+    doc! { "tenant_id": &ctx.tenant_id }
+}
+
+/// Returns the tenant filter merged with caller-supplied conditions.
+/// The tenant_id always wins on key conflict — callers cannot
+/// accidentally override the scoping.
+pub fn tenant_filter_merge(ctx: &TenantContext, mut extra: Document) -> Document {
+    extra.insert("tenant_id", &ctx.tenant_id);
+    extra
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use crate::TenantStatus;
+
+    fn ctx() -> TenantContext {
+        TenantContext {
+            tenant_id: "t-abc".to_string(),
+            tenant_slug: "acme".to_string(),
+            org_roles: vec![],
+            products: vec![],
+            plan: "starter".to_string(),
+            status: TenantStatus::Active,
+            user_id: "u-1".to_string(),
+            user_name: None,
+        }
+    }
+
+    #[test]
+    fn produces_tenant_id_filter() {
+        let f = tenant_filter(&ctx());
+        assert_eq!(f.get_str("tenant_id"), Ok("t-abc"));
+        assert_eq!(f.len(), 1);
+    }
+
+    #[test]
+    fn merge_preserves_extra_conditions() {
+        let extra = doc! { "status": "open", "severity": "high" };
+        let f = tenant_filter_merge(&ctx(), extra);
+        assert_eq!(f.get_str("tenant_id"), Ok("t-abc"));
+        assert_eq!(f.get_str("status"), Ok("open"));
+        assert_eq!(f.get_str("severity"), Ok("high"));
+    }
+
+    #[test]
+    fn merge_overrides_caller_tenant_id() {
+        let extra = doc! { "tenant_id": "evil-other", "status": "open" };
+        let f = tenant_filter_merge(&ctx(), extra);
+        assert_eq!(f.get_str("tenant_id"), Ok("t-abc"));
+        assert_eq!(f.get_str("status"), Ok("open"));
+    }
+}

compliance-core/src/lib.rs

@@ -1,9 +1,12 @@
 pub mod config;
+pub mod db;
 pub mod error;
 pub mod models;
 #[cfg(feature = "telemetry")]
 pub mod telemetry;
+pub mod tenant;
 pub mod traits;
 
 pub use config::{AgentConfig, DashboardConfig};
 pub use error::CoreError;
+pub use tenant::{OrgRole, TenantContext, TenantStatus};

compliance-core/src/models/mod.rs

@@ -7,6 +7,7 @@ pub mod finding;
 pub mod graph;
 pub mod issue;
 pub mod mcp;
+pub mod notification;
 pub mod pentest;
 pub mod repository;
 pub mod sbom;
@@ -27,6 +28,7 @@ pub use graph::{
 };
 pub use issue::{IssueStatus, TrackerIssue, TrackerType};
 pub use mcp::{McpServerConfig, McpServerStatus, McpTransport};
+pub use notification::{CveNotification, NotificationSeverity, NotificationStatus};
 pub use pentest::{
     AttackChainNode, AttackNodeStatus, AuthMode, CodeContextHint, Environment, IdentityProvider,
     PentestAuthConfig, PentestConfig, PentestEvent, PentestMessage, PentestSession, PentestStats,

compliance-core/src/models/notification.rs

@@ -0,0 +1,103 @@
+use chrono::{DateTime, Utc};
+use serde::{Deserialize, Serialize};
+
+/// Status of a CVE notification
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
+#[serde(rename_all = "lowercase")]
+pub enum NotificationStatus {
+    /// Newly created, not yet seen by the user
+    New,
+    /// User has seen it (e.g., opened the notification panel)
+    Read,
+    /// User has explicitly acknowledged/dismissed it
+    Dismissed,
+}
+
+/// Severity level for notification filtering
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq, PartialOrd, Ord)]
+#[serde(rename_all = "lowercase")]
+pub enum NotificationSeverity {
+    Low,
+    Medium,
+    High,
+    Critical,
+}
+
+/// A notification about a newly discovered CVE affecting a tracked dependency.
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct CveNotification {
+    #[serde(rename = "_id", skip_serializing_if = "Option::is_none")]
+    pub id: Option<bson::oid::ObjectId>,
+    /// The CVE/GHSA identifier
+    pub cve_id: String,
+    /// Repository where the vulnerable dependency is used
+    pub repo_id: String,
+    /// Repository name (denormalized for display)
+    pub repo_name: String,
+    /// Affected package name
+    pub package_name: String,
+    /// Affected version
+    pub package_version: String,
+    /// Human-readable severity
+    pub severity: NotificationSeverity,
+    /// CVSS score if available
+    pub cvss_score: Option<f64>,
+    /// Short summary of the vulnerability
+    pub summary: Option<String>,
+    /// Link to vulnerability details
+    pub url: Option<String>,
+    /// Notification lifecycle status
+    pub status: NotificationStatus,
+    /// When the CVE was first detected for this dependency
+    #[serde(with = "super::serde_helpers::bson_datetime")]
+    pub created_at: DateTime<Utc>,
+    /// When the user last interacted with this notification
+    pub read_at: Option<DateTime<Utc>>,
+}
+
+impl CveNotification {
+    pub fn new(
+        cve_id: String,
+        repo_id: String,
+        repo_name: String,
+        package_name: String,
+        package_version: String,
+        severity: NotificationSeverity,
+    ) -> Self {
+        Self {
+            id: None,
+            cve_id,
+            repo_id,
+            repo_name,
+            package_name,
+            package_version,
+            severity,
+            cvss_score: None,
+            summary: None,
+            url: None,
+            status: NotificationStatus::New,
+            created_at: Utc::now(),
+            read_at: None,
+        }
+    }
+}
+
+/// Map an OSV/NVD severity string to our notification severity
+pub fn parse_severity(s: Option<&str>, cvss: Option<f64>) -> NotificationSeverity {
+    // Prefer CVSS score if available
+    if let Some(score) = cvss {
+        return match score {
+            s if s >= 9.0 => NotificationSeverity::Critical,
+            s if s >= 7.0 => NotificationSeverity::High,
+            s if s >= 4.0 => NotificationSeverity::Medium,
+            _ => NotificationSeverity::Low,
+        };
+    }
+    // Fall back to string severity
+    match s.map(|s| s.to_uppercase()).as_deref() {
+        Some("CRITICAL") => NotificationSeverity::Critical,
+        Some("HIGH") => NotificationSeverity::High,
+        Some("MODERATE" | "MEDIUM") => NotificationSeverity::Medium,
+        _ => NotificationSeverity::Low,
+    }
+}

compliance-core/src/tenant.rs

@@ -0,0 +1,165 @@
+//! Tenant context propagated through every authenticated request.
+//!
+//! This module is the M7.1 single source of truth for "who is this request
+//! for". Claims come from a Keycloak-issued JWT and land here via
+//! `compliance-agent`'s `require_jwt_auth` middleware. Handlers reach into
+//! the request extensions with the `TenantCtx` Axum extractor.
+//!
+//! The shape mirrors the JWT claim names the breakpilot-platform realm
+//! emits (see `platform/orca-platform/dev/keycloak/realm-export.json`).
+//! Stable contract — adding fields is fine; renaming is a breaking
+//! change for every downstream product.
+
+use serde::{Deserialize, Serialize};
+
+/// Tenant lifecycle status from `PLATFORM_ARCHITECTURE.md §5c`.
+///
+/// Drives the `tenant_status` middleware:
+/// * `Demo` / `Trial` / `Active` — full access.
+/// * `Frozen` — read-only after cancel / non-payment. Mutating endpoints
+///   return 402.
+/// * `Archived` — data-retention window closed. Every endpoint returns 410.
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
+#[serde(rename_all = "lowercase")]
+pub enum TenantStatus {
+    Demo,
+    Trial,
+    Active,
+    Frozen,
+    Archived,
+}
+
+impl TenantStatus {
+    /// True for statuses that block write paths.
+    pub fn is_frozen(&self) -> bool {
+        matches!(self, TenantStatus::Frozen)
+    }
+    /// True for statuses that block every request.
+    pub fn is_archived(&self) -> bool {
+        matches!(self, TenantStatus::Archived)
+    }
+    /// True for the shared demo tenant — metering, billing, and audit
+    /// export are skipped.
+    pub fn is_demo(&self) -> bool {
+        matches!(self, TenantStatus::Demo)
+    }
+}
+
+impl std::fmt::Display for TenantStatus {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        match self {
+            Self::Demo => write!(f, "demo"),
+            Self::Trial => write!(f, "trial"),
+            Self::Active => write!(f, "active"),
+            Self::Frozen => write!(f, "frozen"),
+            Self::Archived => write!(f, "archived"),
+        }
+    }
+}
+
+/// Org-level role baked into the JWT by the realm's protocol mapper.
+/// `PLATFORM_ARCHITECTURE.md §6` is the canonical list.
+#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
+#[serde(rename_all = "UPPERCASE")]
+pub enum OrgRole {
+    ItAdmin,
+    Cxo,
+    Finance,
+    Legal,
+    User,
+    /// Anything we haven't enumerated yet — forwards-compatible.
+    #[serde(other)]
+    Unknown,
+}
+
+impl OrgRole {
+    /// Parses a single role string (Keycloak emits these as `IT_ADMIN`,
+    /// `CXO`, etc.). Round-trips with the JSON layer.
+    pub fn parse(s: &str) -> Self {
+        match s {
+            "IT_ADMIN" => OrgRole::ItAdmin,
+            "CXO" => OrgRole::Cxo,
+            "FINANCE" => OrgRole::Finance,
+            "LEGAL" => OrgRole::Legal,
+            "USER" => OrgRole::User,
+            _ => OrgRole::Unknown,
+        }
+    }
+}
+
+/// Everything `compliance-agent` knows about the requesting tenant at the
+/// moment a request lands. Cheap to clone (every field is owned + small).
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct TenantContext {
+    /// `tenants.id` from the platform's tenant-registry (UUID).
+    pub tenant_id: String,
+    /// Lowercase URL-safe slug. Useful for log lines + audit emit.
+    pub tenant_slug: String,
+    /// Org-level roles the authenticated user holds inside this tenant.
+    /// Drives the per-handler RBAC in `M7.1-followup` PRs.
+    pub org_roles: Vec<OrgRole>,
+    /// Products this tenant is currently entitled to. Used to short-circuit
+    /// MCP / API calls for unsubscribed products.
+    pub products: Vec<String>,
+    /// Customer plan (`starter` / `professional` / `enterprise`) — gates
+    /// per-plan feature flags (e.g., MCP server is enterprise-only).
+    pub plan: String,
+    /// Lifecycle status — read by `require_tenant_status` middleware.
+    pub status: TenantStatus,
+    /// Keycloak user id of the requester (`sub` claim). Required for audit
+    /// emit so we know WHO did the thing, not just WHICH tenant.
+    pub user_id: String,
+    /// Optional user-facing name from the `name` / `preferred_username`
+    /// claim. Only used in audit + log lines.
+    pub user_name: Option<String>,
+}
+
+impl TenantContext {
+    /// True if the caller holds at least one of the listed roles.
+    pub fn has_any_role(&self, roles: &[OrgRole]) -> bool {
+        self.org_roles.iter().any(|r| roles.contains(r))
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn org_role_parses_known_values() {
+        assert_eq!(OrgRole::parse("IT_ADMIN"), OrgRole::ItAdmin);
+        assert_eq!(OrgRole::parse("CXO"), OrgRole::Cxo);
+        assert_eq!(OrgRole::parse("USER"), OrgRole::User);
+    }
+
+    #[test]
+    fn org_role_unknown_is_forward_compat() {
+        assert_eq!(OrgRole::parse("FUTURE_ROLE"), OrgRole::Unknown);
+    }
+
+    #[test]
+    fn tenant_status_predicates() {
+        assert!(TenantStatus::Frozen.is_frozen());
+        assert!(!TenantStatus::Active.is_frozen());
+        assert!(TenantStatus::Archived.is_archived());
+        assert!(TenantStatus::Demo.is_demo());
+        assert!(!TenantStatus::Active.is_demo());
+    }
+
+    #[test]
+    fn has_any_role_matches() {
+        let ctx = TenantContext {
+            tenant_id: "t1".into(),
+            tenant_slug: "acme".into(),
+            org_roles: vec![OrgRole::ItAdmin],
+            products: vec![],
+            plan: "professional".into(),
+            status: TenantStatus::Active,
+            user_id: "u".into(),
+            user_name: None,
+        };
+        assert!(ctx.has_any_role(&[OrgRole::ItAdmin]));
+        assert!(ctx.has_any_role(&[OrgRole::Cxo, OrgRole::ItAdmin]));
+        assert!(!ctx.has_any_role(&[OrgRole::User, OrgRole::Cxo]));
+    }
+}

compliance-dashboard/Cargo.toml

@@ -51,7 +51,7 @@ thiserror = { workspace = true }
 
 # Web-only
 reqwest = { workspace = true, optional = true }
-web-sys = { version = "0.3", optional = true, features = ["Blob", "BlobPropertyBag", "HtmlAnchorElement", "Url", "Document", "Window"] }
+web-sys = { version = "0.3", optional = true, features = ["Blob", "BlobPropertyBag", "HtmlAnchorElement", "Url", "Document", "Element", "Window", "Storage", "MediaQueryList"] }
 js-sys = { version = "0.3", optional = true }
 wasm-bindgen = { version = "0.2", optional = true }
 gloo-timers = { version = "0.3", features = ["futures"], optional = true }

compliance-dashboard/assets/main.css

@@ -61,6 +61,77 @@
     --ease-spring: cubic-bezier(0.34, 1.56, 0.64, 1);
 }
 
+/* ── Light theme tokens ──
+   Applied when the user has explicitly chosen light (`data-theme="light"`)
+   OR when their OS prefers light AND they have made no explicit choice. */
+:root[data-theme="light"] {
+    --bg-primary: #f5f7fb;
+    --bg-secondary: #ffffff;
+    --bg-card: rgba(255, 255, 255, 0.85);
+    --bg-card-solid: #ffffff;
+    --bg-card-hover: #f1f5fb;
+    --bg-elevated: #f8fafc;
+
+    --text-primary: #0c1426;
+    --text-secondary: #475569;
+    --text-tertiary: #8a9bb4;
+
+    --accent: #0070d4;
+    --accent-hover: #0080f0;
+    --accent-muted: rgba(0, 112, 212, 0.10);
+    --accent-glow: 0 0 20px rgba(0, 112, 212, 0.10);
+
+    --border: #e2e8f0;
+    --border-bright: #cbd5e1;
+    --border-accent: rgba(0, 112, 212, 0.30);
+
+    --danger: #dc2626;
+    --danger-bg: rgba(220, 38, 38, 0.08);
+    --warning: #d97706;
+    --warning-bg: rgba(217, 119, 6, 0.08);
+    --success: #16a34a;
+    --success-bg: rgba(22, 163, 74, 0.08);
+    --info: #2563eb;
+    --info-bg: rgba(37, 99, 235, 0.08);
+    --orange: #ea580c;
+    --orange-bg: rgba(234, 88, 12, 0.08);
+}
+
+@media (prefers-color-scheme: light) {
+    :root:not([data-theme="dark"]) {
+        --bg-primary: #f5f7fb;
+        --bg-secondary: #ffffff;
+        --bg-card: rgba(255, 255, 255, 0.85);
+        --bg-card-solid: #ffffff;
+        --bg-card-hover: #f1f5fb;
+        --bg-elevated: #f8fafc;
+
+        --text-primary: #0c1426;
+        --text-secondary: #475569;
+        --text-tertiary: #8a9bb4;
+
+        --accent: #0070d4;
+        --accent-hover: #0080f0;
+        --accent-muted: rgba(0, 112, 212, 0.10);
+        --accent-glow: 0 0 20px rgba(0, 112, 212, 0.10);
+
+        --border: #e2e8f0;
+        --border-bright: #cbd5e1;
+        --border-accent: rgba(0, 112, 212, 0.30);
+
+        --danger: #dc2626;
+        --danger-bg: rgba(220, 38, 38, 0.08);
+        --warning: #d97706;
+        --warning-bg: rgba(217, 119, 6, 0.08);
+        --success: #16a34a;
+        --success-bg: rgba(22, 163, 74, 0.08);
+        --info: #2563eb;
+        --info-bg: rgba(37, 99, 235, 0.08);
+        --orange: #ea580c;
+        --orange-bg: rgba(234, 88, 12, 0.08);
+    }
+}
+
 
 /* ── Reset & Base ── */
 
@@ -396,6 +467,44 @@ code {
     background: rgba(0, 200, 255, 0.06);
 }
 
+.theme-toggle {
+    background: none;
+    border: none;
+    border-top: 1px solid var(--border);
+    color: var(--text-secondary);
+    padding: 11px 18px;
+    cursor: pointer;
+    display: flex;
+    align-items: center;
+    gap: 11px;
+    font-family: var(--font-body);
+    font-size: 13.5px;
+    font-weight: 500;
+    transition: color 0.2s, background 0.2s;
+    width: 100%;
+    text-align: left;
+}
+
+.theme-toggle:hover {
+    color: var(--accent);
+    background: var(--accent-muted);
+}
+
+.theme-toggle svg {
+    flex-shrink: 0;
+    opacity: 0.75;
+    transition: opacity 0.2s;
+}
+
+.theme-toggle:hover svg {
+    opacity: 1;
+}
+
+.sidebar.collapsed .theme-toggle {
+    justify-content: center;
+    padding: 11px 0;
+}
+
 .sidebar.collapsed .sidebar-header {
     padding: 22px 0;
     justify-content: center;
@@ -3847,3 +3956,75 @@ tbody tr:last-child td {
 .help-chat-send:not(:disabled):hover {
     background: var(--accent-hover);
 }
+
+/* ═══════════════════════════════════════════════════════════════
+   NOTIFICATION BELL — CVE alert dropdown
+   ═══════════════════════════════════════════════════════════════ */
+.notification-bell-wrapper { position: fixed; top: 16px; right: 28px; z-index: 48; }
+.notification-bell-btn { position: relative; background: var(--bg-elevated); border: 1px solid var(--border); border-radius: 10px; padding: 8px 10px; color: var(--text-secondary); cursor: pointer; display: flex; align-items: center; transition: color 0.15s, border-color 0.15s; }
+.notification-bell-btn:hover { color: var(--text-primary); border-color: var(--border-bright); }
+.notification-badge { position: absolute; top: -4px; right: -4px; background: var(--danger); color: #fff; font-size: 10px; font-weight: 700; min-width: 18px; height: 18px; border-radius: 9px; display: flex; align-items: center; justify-content: center; padding: 0 4px; font-family: 'Outfit', sans-serif; }
+.notification-panel { position: absolute; top: 44px; right: 0; width: 380px; max-height: 480px; background: var(--bg-secondary); border: 1px solid var(--border-bright); border-radius: 12px; overflow: hidden; box-shadow: 0 12px 48px rgba(0,0,0,0.5); display: flex; flex-direction: column; }
+.notification-panel-header { display: flex; align-items: center; justify-content: space-between; padding: 12px 16px; border-bottom: 1px solid var(--border); font-family: 'Outfit', sans-serif; font-weight: 600; font-size: 14px; color: var(--text-primary); }
+.notification-close-btn { background: none; border: none; color: var(--text-secondary); cursor: pointer; padding: 2px; }
+.notification-panel-body { overflow-y: auto; flex: 1; padding: 8px; }
+.notification-loading, .notification-empty { display: flex; flex-direction: column; align-items: center; justify-content: center; padding: 32px 16px; color: var(--text-secondary); font-size: 13px; gap: 8px; }
+.notification-item { padding: 10px 12px; border-radius: 8px; margin-bottom: 4px; background: var(--bg-card); border: 1px solid var(--border); transition: border-color 0.15s; }
+.notification-item:hover { border-color: var(--border-bright); }
+.notification-item-header { display: flex; align-items: center; gap: 8px; margin-bottom: 4px; }
+.notification-sev { font-size: 10px; font-weight: 700; padding: 2px 6px; border-radius: 4px; text-transform: uppercase; letter-spacing: 0.5px; font-family: 'Outfit', sans-serif; }
+.notification-sev.sev-critical { background: var(--danger-bg); color: var(--danger); }
+.notification-sev.sev-high { background: rgba(255,140,0,0.12); color: #ff8c00; }
+.notification-sev.sev-medium { background: var(--warning-bg); color: var(--warning); }
+.notification-sev.sev-low { background: rgba(0,200,255,0.08); color: var(--accent); }
+.notification-cve-id { font-size: 12px; font-weight: 600; color: var(--text-primary); font-family: 'JetBrains Mono', monospace; }
+.notification-cve-id a { color: var(--accent); text-decoration: none; }
+.notification-cve-id a:hover { text-decoration: underline; }
+.notification-cvss { font-size: 10px; color: var(--text-secondary); margin-left: auto; font-family: 'JetBrains Mono', monospace; }
+.notification-dismiss-btn { background: none; border: none; color: var(--text-tertiary); cursor: pointer; padding: 2px; margin-left: 4px; }
+.notification-dismiss-btn:hover { color: var(--danger); }
+.notification-item-pkg { font-size: 12px; color: var(--text-primary); font-family: 'JetBrains Mono', monospace; }
+.notification-item-repo { font-size: 11px; color: var(--text-secondary); margin-bottom: 4px; }
+.notification-item-summary { font-size: 11px; color: var(--text-secondary); line-height: 1.4; display: -webkit-box; -webkit-line-clamp: 2; -webkit-box-orient: vertical; overflow: hidden; }
+
+/* ═══════════════════════════════════════════════════════════════
+   COPY BUTTON — Reusable clipboard copy component
+   ═══════════════════════════════════════════════════════════════ */
+.copy-btn { background: none; border: 1px solid var(--border); border-radius: 6px; padding: 5px 7px; color: var(--text-secondary); cursor: pointer; display: inline-flex; align-items: center; transition: color 0.15s, border-color 0.15s, background 0.15s; flex-shrink: 0; }
+.copy-btn:hover { color: var(--accent); border-color: var(--accent); background: var(--accent-muted); }
+.copy-btn-sm { padding: 3px 5px; border-radius: 4px; }
+/* Copyable inline field pattern: value + copy button side by side */
+.copyable { display: flex; align-items: center; gap: 6px; }
+.copyable code, .copyable .mono { flex: 1; min-width: 0; overflow: hidden; text-overflow: ellipsis; white-space: nowrap; }
+.code-snippet-wrapper { position: relative; }
+.code-snippet-header { display: flex; align-items: center; justify-content: space-between; margin-bottom: 4px; gap: 8px; }
+
+
+/* ═══════════════════════════════════════════════════════════════
+   LIGHT THEME — surface overrides for the few hardcoded dark
+   colors that don't go through CSS custom properties.
+   ═══════════════════════════════════════════════════════════════ */
+
+:root[data-theme="light"] .main-content {
+    background-image: radial-gradient(circle at 1px 1px, rgba(100, 116, 139, 0.18) 1px, transparent 0);
+}
+:root[data-theme="light"] .code-block {
+    background: #f8fafc;
+    color: #0c1426;
+}
+:root[data-theme="light"] .graph-stab-overlay {
+    background: radial-gradient(ellipse at center, rgba(245, 247, 251, 0.92) 0%, rgba(245, 247, 251, 0.98) 100%);
+}
+
+@media (prefers-color-scheme: light) {
+    :root:not([data-theme="dark"]) .main-content {
+        background-image: radial-gradient(circle at 1px 1px, rgba(100, 116, 139, 0.18) 1px, transparent 0);
+    }
+    :root:not([data-theme="dark"]) .code-block {
+        background: #f8fafc;
+        color: #0c1426;
+    }
+    :root:not([data-theme="dark"]) .graph-stab-overlay {
+        background: radial-gradient(ellipse at center, rgba(245, 247, 251, 0.92) 0%, rgba(245, 247, 251, 0.98) 100%);
+    }
+}

compliance-dashboard/src/components/app_shell.rs

@@ -2,6 +2,7 @@ use dioxus::prelude::*;
 
 use crate::app::Route;
 use crate::components::help_chat::HelpChat;
+use crate::components::notification_bell::NotificationBell;
 use crate::components::sidebar::Sidebar;
 use crate::components::toast::{ToastContainer, Toasts};
 use crate::infrastructure::auth_check::check_auth;
@@ -21,6 +22,7 @@ pub fn AppShell() -> Element {
                     main { class: "main-content",
                         Outlet::<Route> {}
                     }
+                    NotificationBell {}
                     ToastContainer {}
                     HelpChat {}
                 }
@@ -30,7 +32,7 @@ pub fn AppShell() -> Element {
             // Not authenticated — redirect to Keycloak login
             rsx! {
                 document::Script {
-                    dangerous_inner_html: "window.location.href = '/auth';"
+                    "window.location.href = '/auth';"
                 }
             }
         }

compliance-dashboard/src/components/code_snippet.rs

@@ -1,5 +1,7 @@
 use dioxus::prelude::*;
 
+use crate::components::copy_button::CopyButton;
+
 #[component]
 pub fn CodeSnippet(
     code: String,
@@ -7,16 +9,19 @@ pub fn CodeSnippet(
     #[props(default)] line_number: u32,
 ) -> Element {
     rsx! {
-        div {
+        div { class: "code-snippet-wrapper",
+            div { class: "code-snippet-header",
                 if !file_path.is_empty() {
-                div {
+                    span {
-                    style: "font-size: 12px; color: var(--text-secondary); margin-bottom: 4px; font-family: monospace;",
+                        style: "font-size: 12px; color: var(--text-secondary); font-family: monospace;",
                         "{file_path}"
                         if line_number > 0 {
                             ":{line_number}"
                         }
                     }
                 }
+                CopyButton { value: code.clone(), small: true }
+            }
             pre { class: "code-block", "{code}" }
         }
     }

compliance-dashboard/src/components/copy_button.rs

@@ -0,0 +1,49 @@
+use dioxus::prelude::*;
+use dioxus_free_icons::icons::bs_icons::*;
+use dioxus_free_icons::Icon;
+
+/// A small copy-to-clipboard button that shows a checkmark after copying.
+///
+/// Usage: `CopyButton { value: "text to copy" }`
+#[component]
+pub fn CopyButton(value: String, #[props(default = false)] small: bool) -> Element {
+    let mut copied = use_signal(|| false);
+
+    let size = if small { 12 } else { 14 };
+    let class = if small {
+        "copy-btn copy-btn-sm"
+    } else {
+        "copy-btn"
+    };
+
+    rsx! {
+        button {
+            class: class,
+            title: if copied() { "Copied!" } else { "Copy to clipboard" },
+            onclick: move |_| {
+                let val = value.clone();
+                // Escape for JS single-quoted string
+                let escaped = val
+                    .replace('\\', "\\\\")
+                    .replace('\'', "\\'")
+                    .replace('\n', "\\n")
+                    .replace('\r', "\\r");
+                let js = format!("navigator.clipboard.writeText('{escaped}')");
+                document::eval(&js);
+                copied.set(true);
+                spawn(async move {
+                    #[cfg(feature = "web")]
+                    gloo_timers::future::TimeoutFuture::new(2000).await;
+                    #[cfg(not(feature = "web"))]
+                    tokio::time::sleep(std::time::Duration::from_secs(2)).await;
+                    copied.set(false);
+                });
+            },
+            if copied() {
+                Icon { icon: BsCheckLg, width: size, height: size }
+            } else {
+                Icon { icon: BsClipboard, width: size, height: size }
+            }
+        }
+    }
+}

compliance-dashboard/src/components/mod.rs

@@ -2,12 +2,15 @@ pub mod app_shell;
 pub mod attack_chain;
 pub mod code_inspector;
 pub mod code_snippet;
+pub mod copy_button;
 pub mod file_tree;
 pub mod help_chat;
+pub mod notification_bell;
 pub mod page_header;
 pub mod pagination;
 pub mod pentest_wizard;
 pub mod severity_badge;
 pub mod sidebar;
 pub mod stat_card;
+pub mod theme_toggle;
 pub mod toast;

compliance-dashboard/src/components/notification_bell.rs

@@ -0,0 +1,155 @@
+use dioxus::prelude::*;
+use dioxus_free_icons::icons::bs_icons::*;
+use dioxus_free_icons::Icon;
+
+use crate::infrastructure::notifications::{
+    dismiss_notification, fetch_notification_count, fetch_notifications,
+    mark_all_notifications_read,
+};
+
+#[component]
+pub fn NotificationBell() -> Element {
+    let mut is_open = use_signal(|| false);
+    let mut count = use_signal(|| 0u64);
+    let mut notifications = use_signal(Vec::new);
+    let mut is_loading = use_signal(|| false);
+
+    // Poll notification count every 30 seconds
+    use_resource(move || async move {
+        loop {
+            if let Ok(c) = fetch_notification_count().await {
+                count.set(c);
+            }
+            #[cfg(feature = "web")]
+            {
+                gloo_timers::future::TimeoutFuture::new(30_000).await;
+            }
+            #[cfg(not(feature = "web"))]
+            {
+                tokio::time::sleep(std::time::Duration::from_secs(30)).await;
+            }
+        }
+    });
+
+    // Load notifications when panel opens
+    let load_notifications = move |_| {
+        is_open.set(!is_open());
+        if !is_open() {
+            return;
+        }
+        is_loading.set(true);
+        spawn(async move {
+            if let Ok(resp) = fetch_notifications().await {
+                notifications.set(resp.data);
+            }
+            // Mark all as read when panel opens
+            let _ = mark_all_notifications_read().await;
+            count.set(0);
+            is_loading.set(false);
+        });
+    };
+
+    let on_dismiss = move |id: String| {
+        spawn(async move {
+            let _ = dismiss_notification(id.clone()).await;
+            notifications.write().retain(|n| {
+                n.id.as_ref()
+                    .and_then(|v| v.get("$oid"))
+                    .and_then(|v| v.as_str())
+                    != Some(&id)
+            });
+        });
+    };
+
+    rsx! {
+        div { class: "notification-bell-wrapper",
+            // Bell button
+            button {
+                class: "notification-bell-btn",
+                onclick: load_notifications,
+                title: "CVE Alerts",
+                Icon { icon: BsBell, width: 18, height: 18 }
+                if count() > 0 {
+                    span { class: "notification-badge", "{count()}" }
+                }
+            }
+
+            // Dropdown panel
+            if is_open() {
+                div { class: "notification-panel",
+                    div { class: "notification-panel-header",
+                        span { "CVE Alerts" }
+                        button {
+                            class: "notification-close-btn",
+                            onclick: move |_| is_open.set(false),
+                            Icon { icon: BsX, width: 16, height: 16 }
+                        }
+                    }
+                    div { class: "notification-panel-body",
+                        if is_loading() {
+                            div { class: "notification-loading", "Loading..." }
+                        } else if notifications().is_empty() {
+                            div { class: "notification-empty",
+                                Icon { icon: BsShieldCheck, width: 32, height: 32 }
+                                p { "No CVE alerts" }
+                            }
+                        } else {
+                            for notif in notifications().iter() {
+                                {
+                                    let id = notif.id.as_ref()
+                                        .and_then(|v| v.get("$oid"))
+                                        .and_then(|v| v.as_str())
+                                        .unwrap_or("")
+                                        .to_string();
+                                    let sev_class = match notif.severity.as_str() {
+                                        "critical" => "sev-critical",
+                                        "high" => "sev-high",
+                                        "medium" => "sev-medium",
+                                        _ => "sev-low",
+                                    };
+                                    let dismiss_id = id.clone();
+                                    rsx! {
+                                        div { class: "notification-item",
+                                            div { class: "notification-item-header",
+                                                span { class: "notification-sev {sev_class}",
+                                                    "{notif.severity.to_uppercase()}"
+                                                }
+                                                span { class: "notification-cve-id",
+                                                    if let Some(ref url) = notif.url {
+                                                        a { href: "{url}", target: "_blank", "{notif.cve_id}" }
+                                                    } else {
+                                                        "{notif.cve_id}"
+                                                    }
+                                                }
+                                                if let Some(score) = notif.cvss_score {
+                                                    span { class: "notification-cvss", "CVSS {score:.1}" }
+                                                }
+                                                button {
+                                                    class: "notification-dismiss-btn",
+                                                    title: "Dismiss",
+                                                    onclick: move |_| on_dismiss(dismiss_id.clone()),
+                                                    Icon { icon: BsXCircle, width: 14, height: 14 }
+                                                }
+                                            }
+                                            div { class: "notification-item-pkg",
+                                                "{notif.package_name} {notif.package_version}"
+                                            }
+                                            div { class: "notification-item-repo",
+                                                "{notif.repo_name}"
+                                            }
+                                            if let Some(ref summary) = notif.summary {
+                                                div { class: "notification-item-summary",
+                                                    "{summary}"
+                                                }
+                                            }
+                                        }
+                                    }
+                                }
+                            }
+                        }
+                    }
+                }
+            }
+        }
+    }
+}

compliance-dashboard/src/components/sidebar.rs

@@ -4,6 +4,7 @@ use dioxus_free_icons::icons::bs_icons::*;
 use dioxus_free_icons::Icon;
 
 use crate::app::Route;
+use crate::components::theme_toggle::ThemeToggle;
 
 struct NavItem {
     label: &'static str,
@@ -106,6 +107,7 @@ pub fn Sidebar() -> Element {
             }
             // Spacer pushes footer to the bottom
             div { class: "sidebar-spacer" }
+            ThemeToggle { collapsed: collapsed() }
             button {
                 class: "sidebar-toggle",
                 onclick: move |_| collapsed.set(!collapsed()),

compliance-dashboard/src/components/theme_toggle.rs

@@ -0,0 +1,104 @@
+use dioxus::prelude::*;
+use dioxus_free_icons::icons::bs_icons::{BsMoonStars, BsSun};
+use dioxus_free_icons::Icon;
+
+#[cfg(feature = "web")]
+const STORAGE_KEY: &str = "compliance-scanner.theme";
+
+/// Sidebar-footer theme toggle. Reads the initial state on mount from
+/// localStorage (explicit user choice) or `prefers-color-scheme` (OS default),
+/// then writes back to both the `<html data-theme="...">` attribute and
+/// localStorage on every click.
+#[component]
+pub fn ThemeToggle(collapsed: bool) -> Element {
+    // `None` until the on-mount effect resolves the real value, so SSR doesn't
+    // render the wrong icon for the user's actual theme.
+    let mut is_dark = use_signal(|| None::<bool>);
+
+    use_effect(move || {
+        let (dark, from_storage) = initial_theme();
+        is_dark.set(Some(dark));
+        // If the user already made an explicit choice (in localStorage), assert it
+        // on the DOM so an OS-vs-stored mismatch can't briefly show the wrong theme.
+        if from_storage {
+            apply_theme(dark);
+        }
+    });
+
+    let label = if collapsed {
+        ""
+    } else if is_dark().unwrap_or(true) {
+        "Light mode"
+    } else {
+        "Dark mode"
+    };
+
+    let title = if is_dark().unwrap_or(true) {
+        "Switch to light mode"
+    } else {
+        "Switch to dark mode"
+    };
+
+    rsx! {
+        button {
+            class: "theme-toggle",
+            r#type: "button",
+            title: "{title}",
+            "aria-label": "{title}",
+            onclick: move |_| {
+                let next_dark = !is_dark().unwrap_or(true);
+                is_dark.set(Some(next_dark));
+                apply_theme(next_dark);
+            },
+            if is_dark().unwrap_or(true) {
+                Icon { icon: BsSun, width: 16, height: 16 }
+            } else {
+                Icon { icon: BsMoonStars, width: 16, height: 16 }
+            }
+            if !collapsed {
+                span { class: "theme-toggle-label", "{label}" }
+            }
+        }
+    }
+}
+
+/// Returns `(is_dark, from_storage)`. `from_storage` is true when an explicit
+/// user choice is in localStorage; false when we fell back to OS preference
+/// (or to the dark default).
+#[cfg(feature = "web")]
+fn initial_theme() -> (bool, bool) {
+    if let Some(window) = web_sys::window() {
+        if let Ok(Some(storage)) = window.local_storage() {
+            if let Ok(Some(value)) = storage.get_item(STORAGE_KEY) {
+                return (value == "dark", true);
+            }
+        }
+        if let Ok(Some(mql)) = window.match_media("(prefers-color-scheme: dark)") {
+            return (mql.matches(), false);
+        }
+    }
+    (true, false)
+}
+
+#[cfg(not(feature = "web"))]
+fn initial_theme() -> (bool, bool) {
+    (true, false)
+}
+
+#[cfg(feature = "web")]
+fn apply_theme(dark: bool) {
+    let theme = if dark { "dark" } else { "light" };
+    if let Some(window) = web_sys::window() {
+        if let Some(document) = window.document() {
+            if let Some(root) = document.document_element() {
+                let _ = root.set_attribute("data-theme", theme);
+            }
+        }
+        if let Ok(Some(storage)) = window.local_storage() {
+            let _ = storage.set_item(STORAGE_KEY, theme);
+        }
+    }
+}
+
+#[cfg(not(feature = "web"))]
+fn apply_theme(_dark: bool) {}

compliance-dashboard/src/infrastructure/mod.rs

@@ -8,6 +8,7 @@ pub mod graph;
 pub mod help_chat;
 pub mod issues;
 pub mod mcp;
+pub mod notifications;
 pub mod pentest;
 #[allow(clippy::too_many_arguments)]
 pub mod repositories;

compliance-dashboard/src/infrastructure/notifications.rs

@@ -0,0 +1,91 @@
+use dioxus::prelude::*;
+use serde::{Deserialize, Serialize};
+
+#[derive(Debug, Clone, Serialize, Deserialize, Default)]
+pub struct NotificationListResponse {
+    pub data: Vec<CveNotificationData>,
+    #[serde(default)]
+    pub total: Option<u64>,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize, Default)]
+pub struct CveNotificationData {
+    #[serde(rename = "_id")]
+    pub id: Option<serde_json::Value>,
+    pub cve_id: String,
+    pub repo_name: String,
+    pub package_name: String,
+    pub package_version: String,
+    pub severity: String,
+    pub cvss_score: Option<f64>,
+    pub summary: Option<String>,
+    pub url: Option<String>,
+    pub status: String,
+    #[serde(default)]
+    pub created_at: Option<serde_json::Value>,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize, Default)]
+pub struct NotificationCountResponse {
+    pub count: u64,
+}
+
+#[server]
+pub async fn fetch_notification_count() -> Result<u64, ServerFnError> {
+    let state: super::server_state::ServerState =
+        dioxus_fullstack::FullstackContext::extract().await?;
+
+    let url = format!("{}/api/v1/notifications/count", state.agent_api_url);
+    let resp = reqwest::get(&url)
+        .await
+        .map_err(|e| ServerFnError::new(e.to_string()))?;
+    let body: NotificationCountResponse = resp
+        .json()
+        .await
+        .map_err(|e| ServerFnError::new(e.to_string()))?;
+    Ok(body.count)
+}
+
+#[server]
+pub async fn fetch_notifications() -> Result<NotificationListResponse, ServerFnError> {
+    let state: super::server_state::ServerState =
+        dioxus_fullstack::FullstackContext::extract().await?;
+
+    let url = format!("{}/api/v1/notifications?limit=20", state.agent_api_url);
+    let resp = reqwest::get(&url)
+        .await
+        .map_err(|e| ServerFnError::new(e.to_string()))?;
+    let body: NotificationListResponse = resp
+        .json()
+        .await
+        .map_err(|e| ServerFnError::new(e.to_string()))?;
+    Ok(body)
+}
+
+#[server]
+pub async fn mark_all_notifications_read() -> Result<(), ServerFnError> {
+    let state: super::server_state::ServerState =
+        dioxus_fullstack::FullstackContext::extract().await?;
+
+    let url = format!("{}/api/v1/notifications/read-all", state.agent_api_url);
+    reqwest::Client::new()
+        .post(&url)
+        .send()
+        .await
+        .map_err(|e| ServerFnError::new(e.to_string()))?;
+    Ok(())
+}
+
+#[server]
+pub async fn dismiss_notification(id: String) -> Result<(), ServerFnError> {
+    let state: super::server_state::ServerState =
+        dioxus_fullstack::FullstackContext::extract().await?;
+
+    let url = format!("{}/api/v1/notifications/{id}/dismiss", state.agent_api_url);
+    reqwest::Client::new()
+        .patch(&url)
+        .send()
+        .await
+        .map_err(|e| ServerFnError::new(e.to_string()))?;
+    Ok(())
+}

compliance-dashboard/src/pages/mcp_servers.rs

@@ -259,7 +259,10 @@ pub fn McpServersPage() -> Element {
                                                 div { class: "mcp-detail-row",
                                                     Icon { icon: BsGlobe, width: 13, height: 13 }
                                                     span { class: "mcp-detail-label", "Endpoint" }
+                                                    div { class: "copyable",
                                                         code { class: "mcp-detail-value", "{server.endpoint_url}" }
+                                                        crate::components::copy_button::CopyButton { value: server.endpoint_url.clone(), small: true }
+                                                    }
                                                 }
                                                 div { class: "mcp-detail-row",
                                                     Icon { icon: BsHddNetwork, width: 13, height: 13 }

compliance-dashboard/src/pages/repositories.rs

@@ -137,13 +137,20 @@ pub fn RepositoriesPage() -> Element {
                                 "For SSH URLs: add this deploy key (read-only) to your repository"
                             }
                             div {
-                                style: "margin-top: 4px; padding: 8px; background: var(--bg-secondary); border-radius: 4px; font-family: monospace; font-size: 11px; word-break: break-all; user-select: all;",
+                                class: "copyable",
+                                style: "margin-top: 4px; padding: 8px; background: var(--bg-secondary); border-radius: 4px;",
+                                code {
+                                    style: "font-size: 11px; word-break: break-all; user-select: all;",
                                     if ssh_public_key().is_empty() {
                                         "Loading..."
                                     } else {
                                         "{ssh_public_key}"
                                     }
                                 }
+                                if !ssh_public_key().is_empty() {
+                                    crate::components::copy_button::CopyButton { value: ssh_public_key(), small: true }
+                                }
+                            }
                         }
 
                         // HTTPS auth fields
@@ -390,29 +397,38 @@ pub fn RepositoriesPage() -> Element {
                         }
                         div { class: "form-group",
                             label { "Webhook URL" }
-                            input {
+                            {
-                                r#type: "text",
-                                readonly: true,
-                                style: "font-family: monospace; font-size: 12px;",
-                                value: {
                                 #[cfg(feature = "web")]
                                 let origin = web_sys::window()
                                     .and_then(|w: web_sys::Window| w.location().origin().ok())
                                     .unwrap_or_default();
                                 #[cfg(not(feature = "web"))]
                                 let origin = String::new();
-                                    format!("{origin}/webhook/{}/{eid}", edit_webhook_tracker())
+                                let webhook_url = format!("{origin}/webhook/{}/{eid}", edit_webhook_tracker());
-                                },
+                                rsx! {
+                                    div { class: "copyable",
+                                        input {
+                                            r#type: "text",
+                                            readonly: true,
+                                            style: "font-family: monospace; font-size: 12px; flex: 1;",
+                                            value: "{webhook_url}",
+                                        }
+                                        crate::components::copy_button::CopyButton { value: webhook_url.clone() }
+                                    }
+                                }
                             }
                         }
                         div { class: "form-group",
                             label { "Webhook Secret" }
+                            div { class: "copyable",
                                 input {
                                     r#type: "text",
                                     readonly: true,
-                                style: "font-family: monospace; font-size: 12px;",
+                                    style: "font-family: monospace; font-size: 12px; flex: 1;",
                                     value: "{secret}",
                                 }
+                                crate::components::copy_button::CopyButton { value: secret.clone() }
+                            }
                         }
                     }
                     div { class: "modal-actions",