diff --git a/.env.local.example b/.env.local.example
index 67b694a6..4c74c896 100644
--- a/.env.local.example
+++ b/.env.local.example
@@ -1,8 +1,20 @@
 # Required: The PDS / handle resolver URL
 NEXT_PUBLIC_PDS_URL=https://certified.one
 
-# Required in production: The public URL of this app (used for OAuth client_id and redirect_uris)
-PUBLIC_URL=http://localhost:3000
+# Public URL of this app — used for OAuth client_id, redirect_uris, and the
+# CSRF Origin allowlist.
+#
+# Production:  set to the deployed origin, e.g. https://certified.app
+# Local dev:   use http://127.0.0.1:3000 (NOT http://localhost:3000).
+#              The atproto OAuth client rejects http:// URLs unless they're
+#              the spec's `http://localhost` (literal, no port) loopback
+#              exception — and cookies don't cross localhost ↔ 127.0.0.1,
+#              so pick the IP form and stick to it for the whole flow.
+#              When PUBLIC_URL is missing or http://, src/lib/auth/oauth-client.ts
+#              auto-switches to the loopback dev metadata
+#              (buildAtprotoLoopbackClientMetadata) so sign-in works without
+#              a public HTTPS host.
+PUBLIC_URL=http://127.0.0.1:3000
 
 # Required in production: Secret for signing session cookies (generate with: openssl rand -hex 32)
 COOKIE_SECRET=dev-secret-change-in-production
@@ -13,6 +25,8 @@ UPSTASH_REDIS_REST_URL=
 UPSTASH_REDIS_REST_TOKEN=
 
 # Optional: Set to enable confidential client (private_key_jwt) authentication
+# in production. Ignored in loopback dev mode (the spec mandates
+# token_endpoint_auth_method: none for loopback clients).
 # Generate with: openssl ecparam -name prime256v1 -genkey -noout | openssl pkcs8 -topk8 -nocrypt
 # ATPROTO_PRIVATE_KEY=
 
diff --git a/.gitignore b/.gitignore
index 181a5a40..5635e17a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -40,3 +40,4 @@ yarn-error.log*
 # typescript
 *.tsbuildinfo
 next-env.d.ts
+.pi/
diff --git a/AGENTS.md b/AGENTS.md
index cf98125a..16b2046b 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -1,183 +1,894 @@
-# Agent Instructions
+# Agent Instructions — Certified
 
-See `README.md` for project overview, architecture, and setup.
+This document is the canonical reference for coding agents working in this repository. It supersedes the shorter `AGENTS.md` and complements `README.md`. Read it end-to-end on a fresh clone; treat the file map and security rules as authoritative.
 
-## Quick Reference
+> **Before you touch anything: work from a git worktree, not the main checkout.** See [§19 Git & Deployment](#19-git--deployment) for the exact commands. The main `/Users/sharfy/Code/certified-app` checkout is the user's active working tree — every task gets its own `../certified-app-<slug>` worktree.
+
+## Table of Contents
+
+1. [Project Overview](#1-project-overview)
+2. [Tech Stack](#2-tech-stack)
+3. [Quick Reference](#3-quick-reference)
+4. [Environment Variables](#4-environment-variables)
+5. [Architecture & Data Flow](#5-architecture--data-flow)
+6. [Provider Tree & Layout System](#6-provider-tree--layout-system)
+7. [Routing Map](#7-routing-map)
+8. [Authentication Flow](#8-authentication-flow)
+9. [API Routes Catalog](#9-api-routes-catalog)
+10. [XRPC Proxy](#10-xrpc-proxy)
+11. [CSS Conventions](#11-css-conventions)
+12. [Component Conventions](#12-component-conventions)
+13. [Hooks Catalog](#13-hooks-catalog)
+14. [State Management](#14-state-management)
+15. [Groups Feature](#15-groups-feature)
+16. [Identity-Link / Wallet Attestation](#16-identity-link--wallet-attestation)
+17. [Security Rules](#17-security-rules)
+18. [SEO / GEO](#18-seo--geo)
+19. [Git & Deployment](#19-git--deployment)
+20. [File Map](#20-file-map)
+21. [Known Limitations](#21-known-limitations)
+22. [Common Pitfalls](#22-common-pitfalls)
+23. [Adding a New Feature — Checklist](#23-adding-a-new-feature--checklist)
+24. [Adding a New API Route — Checklist](#24-adding-a-new-api-route--checklist)
+25. [Conventions: Errors, Loading, A11y](#25-conventions-errors-loading-a11y)
+
+---
+
+## 1. Project Overview
+
+Certified is a passwordless identity platform built on **AT Protocol** (atproto), operated by the **Hypercerts Foundation**. It lets a user create one identity that travels across partner applications with full data portability and no vendor lock-in.
+
+- **Primary user** — anyone signing in to a partner app via Certified, plus admins managing groups (organizations).
+- **Two domains** — `certified.app` (this app, the BFF + UI) and `certified.one` (the ePDS / extended Personal Data Server that hosts user data). When a user signs up they get an atproto identity rooted at `certified.one`; they can also sign in with any external atproto handle.
+- **AT Protocol context** — atproto identities are DIDs (`did:plc:...` or `did:web:...`). Each DID resolves to a DID document that points to a PDS service endpoint, where records are stored under collections (NSIDs) like `app.bsky.actor.profile` or the Certified-specific `app.certified.actor.profile`. This app does not run a PDS itself — it is a thin OAuth client + BFF that proxies XRPC calls.
+- **Custom collections** the app reads/writes:
+  - `app.certified.actor.profile` — Certified profile (display name, avatar, banner, etc.).
+  - `app.certified.actor.organization` — group metadata (org type, urls, founded date).
+  - `app.certified.actor.membership` — user-side record of group memberships.
+  - `app.bsky.actor.profile` — fallback profile (for Bluesky discoverability).
+  - `org.impactindexer.link.attestation` — EIP-712 wallet attestation linking an EVM address to a DID.
+- **Group service** — a separate atproto service (currently `atproto-group-gate-staging.up.railway.app`) that manages multi-user organizations. The app proxies all group operations through the user's PDS using a custom `certified_group` proxy pattern with custom NSIDs (`app.certified.group.*`).
+
+## 2. Tech Stack
+
+| Concern | Choice |
+|---|---|
+| Framework | Next.js **16.x** (App Router, React Server Components) |
+| React | 19.x |
+| Language | TypeScript 5 (strict, `paths: { "@/*": ["./src/*"] }`) |
+| Styling | Tailwind CSS 3.4 (utilities only) + custom CSS in `globals.css` (BEM-like) |
+| Atproto SDK | `@atproto/api` 0.13, `@atproto/oauth-client-node` 0.3, `@atproto/jwk-jose` 0.1 |
+| Session/State store | Upstash Redis (`@upstash/redis`) — REST-based, serverless-safe |
+| Server actions | None — all server work is in route handlers (`src/app/api/**`) |
+| Wallets | `wagmi` 2.x + `viem` 2.x + `@tanstack/react-query` (mounted only on `/settings/wallet`) |
+| Email | `resend` 6.x (feedback only; OTP emails are sent by the PDS) |
+| Analytics | `@vercel/analytics` |
+| Icons | `lucide-react` |
+| Fonts | Inter (sans), Noto Serif (headline), Instrument Serif (alt) — via `next/font/google` |
+| Hosting | Vercel |
+| Lint | ESLint flat config extending `next/core-web-vitals` and `next/typescript` |
+| Test runner | **None.** The "quality gate" is `next build` + `tsc --noEmit`. A behavioral plan lives at `tests/groups.test-plan.md`. |
+
+> Note: Next.js 16 renamed `middleware.ts` to `proxy.ts`. The proxy handler is at `src/proxy.ts`.
+
+## 3. Quick Reference
 
 ```bash
-npm run dev              # Start dev server
-npm run build            # Production build (quality gate)
-npx tsc --noEmit         # Type check only
-npm run lint             # ESLint
+npm run dev              # next dev — http://localhost:3000
+npm run build            # next build — production build (quality gate)
+npm start                # next start — run production build locally
+npm run lint             # eslint src/ --ext .ts,.tsx
+npx tsc --noEmit         # type check only
 ```
 
-## Coding Conventions
+When the user asks for a dev server, run `npm run dev` from the repo root. When verifying changes before reporting done, run `npm run build` — it is the only automated quality signal in the repo.
+
+## 4. Environment Variables
+
+Source: `.env.local.example` and `src/lib/utils/config.ts`.
+
+| Variable | Required | Purpose |
+|---|---|---|
+| `NEXT_PUBLIC_PDS_URL` | yes | PDS / handle resolver URL. Defaults to `https://certified.one`. |
+| `PUBLIC_URL` | production | Public URL of this app. Used to derive OAuth `client_id`, `redirect_uris`, and the CSRF Origin allowlist. Falls back to `http://localhost:3000` in dev. **For local atproto OAuth sign-in to actually complete, set this to `http://127.0.0.1:3000`** — see [§22 Common Pitfalls](#22-common-pitfalls) #3. |
+| `COOKIE_SECRET` | production | HMAC secret for the `certified_session` cookie. Generate with `openssl rand -hex 32`. In dev a fallback string is used. |
+| `UPSTASH_REDIS_REST_URL` | yes | Upstash REST URL. |
+| `UPSTASH_REDIS_REST_TOKEN` | yes | Upstash REST token. |
+| `ATPROTO_PRIVATE_KEY` | optional | EC P-256 private key. If set, the OAuth client switches to confidential (`private_key_jwt` with `ES256`) and exposes a JWKS at `/.well-known/jwks.json`. |
+| `RESEND_API_KEY` | optional | Resend key for `/api/feedback`. |
+| `RESEND_FROM_EMAIL` | optional | Override "from" header. Defaults to `Certified <no-reply@certified.one>`. |
+| `NEXT_PUBLIC_WALLETCONNECT_PROJECT_ID` | optional | Adds WalletConnect connector to the wagmi config when set. |
+| `NEXT_PUBLIC_GROUP_SERVICE_URL` | optional | Group service base URL. Defaults to the staging Railway deployment. |
+| `NEXT_PUBLIC_GROUP_SERVICE_DID` | optional | Group service DID (for `getServiceAuth` `aud`). Defaults to `did:web:atproto-group-gate-staging.up.railway.app`. |
+
+`PUBLIC_URL` is the most consequential variable — it is checked against the `Origin` header on every CSRF-protected route, baked into the OAuth client metadata, and used to build the `redirect_uris` array. If it does not match the deployed domain, sign-in and every POST will fail.
+
+## 5. Architecture & Data Flow
+
+```
+┌─────────────────┐     authFetch        ┌──────────────────────┐
+│ Client (React)  │ ───────────────────▶ │ /api/xrpc/[...method]│
+│ - useProfile    │   /api/auth/session  │   (BFF / proxy)      │
+│ - useOrg        │ ◀─────────────────── │                      │
+│ - useSession    │                      │   uses session DID   │
+└─────────────────┘                      │   restores OAuth     │
+                                         │   session via Redis  │
+                                         └──────────┬───────────┘
+                                                    │
+                                                    │ DPoP-bound
+                                                    │ atproto agent
+                                                    ▼
+                              ┌─────────────────────────────┐
+                              │ User's PDS (e.g. certified.one)│
+                              └──────────────┬──────────────┘
+                                             │
+                              ┌──────────────┴──────────────┐
+                              │ DID document → service ep    │
+                              │ plc.directory or did:web     │
+                              └─────────────────────────────┘
+```
 
-### CSS
-- All custom CSS lives in `src/app/globals.css` — BEM-like classes with component prefixes
-- CSS variables defined in `:root` for colors, borders, radius, transitions
-- Warning colors use `--color-warning-bg`, `--color-warning-border`, `--color-warning-text`
-- Transitions use `--transition-fast`, `--transition-base`, `--transition-slow`
-- New components: use BEM classes in globals.css, not Tailwind for layout
-- No `100vw` (causes horizontal overflow with scrollbar) — use `100%` instead
+Key principles:
+
+1. **Browser never holds tokens.** The OAuth tokens / DPoP keys live in Upstash Redis under `oauth:session:<did>` (30-day TTL). The browser only has the `certified_session` cookie, which is an HMAC-signed random session id mapping to a DID via `session:did:<sid>` in Redis (30-day TTL).
+2. **All XRPC calls go through `/api/xrpc/[...method]`.** Never call the PDS from the browser directly with credentials — there are none. Use `authFetch()` from `src/lib/auth/fetch.ts`. It detects 401 and triggers the global `onUnauthorized` handler registered by `AuthProvider`, which clears auth state and asks the user to sign in again.
+3. **Group operations** use a parallel set of routes under `/api/groups/**` because they require the AtpAgent's `withProxy("certified_group", groupDid)` pattern + custom NSID lexicons (`app.certified.group.*`). They do not share the `/api/xrpc/[...method]` handler.
+4. **DID resolution is direct.** `resolvePdsUrl` and `resolveHandle` (in `src/lib/atproto/did.ts`) hit `plc.directory` or the `did:web` host with a 5s timeout; results are not cached server-side.
+
+## 6. Provider Tree & Layout System
+
+`src/app/layout.tsx` mounts the global tree:
+
+```
+<html>
+  <head>… JSON-LD: Organization + WebSite …</head>
+  <body>
+    <Providers>                        // src/lib/providers.tsx (currently a passthrough)
+      <AuthProvider>                   // OAuth state, modal, redirect overlay
+        <OrgProvider>                  // Active group + memberships, persisted to localStorage
+          <NavbarProvider>             // "default" | "transparent" navbar variant
+            <a class="skip-nav">       // Skip-to-main link
+            <Navbar />
+            <main id="main-content">
+              <AppShell>{children}</AppShell>   // .app-shell wrapper, skipped on /welcome
+            </main>
+            <Footer />                 // Single global footer on every page
+            <FeedbackModal />          // Floating feedback button + modal
+          </NavbarProvider>
+        </OrgProvider>
+      </AuthProvider>
+    </Providers>
+    <Analytics />
+  </body>
+</html>
+```
+
+Scoped providers (mounted only where used):
+
+- `WagmiProvider` + `QueryClientProvider` — only in `src/app/settings/wallet/layout.tsx`. **Do not** lift these to the root; wagmi is heavy and only the wallet linking flow needs it.
+- `AuthGuard` — in `settings/layout.tsx`, `connected-apps/layout.tsx`, and `groups/layout.tsx`. Redirects to `/welcome` when unauthenticated; renders a centered loading spinner while auth is initializing.
+- `WelcomeLayout` (`src/app/welcome/layout.tsx`) — sets navbar variant to `"transparent"` while the user is on `/welcome`, and resets to `"default"` on unmount.
+
+## 7. Routing Map
+
+| Route | Type | Auth | Notes |
+|---|---|---|---|
+| `/` | client redirector (`HomeClient`) | mixed | Sends unauth → `/welcome`; sends auth → `/profile/{did}` (or `{activeOrg.groupDid}` if a group is active). The middleware (`src/proxy.ts`) also redirects unauth → `/welcome` at the edge so a noscript browser still bounces correctly. |
+| `/welcome` | server | public | Landing page. Sets transparent navbar variant. JSON-LD: SoftwareApplication + FAQPage. |
+| `/about` | server | public | About page. |
+| `/terms` | server | public | Terms of Service. |
+| `/privacy` | server | public | Privacy Policy. |
+| `/dsa` | server | public | DSA compliance. |
+| `/profile/[did]` | client | open (renders any DID) | Canonical profile URL. Handles both personal and group DIDs. |
+| `/settings` | client | gated (AuthGuard) | If `activeOrg`, renders `OrgSettings`; otherwise account settings (handle, email, password, app-passwords placeholder, 2FA placeholder). |
+| `/settings/edit-profile` | client | gated | Edit personal profile. |
+| `/settings/my-data` | client | gated | Data export / view. |
+| `/settings/wallet` | client | gated + Wagmi | EIP-712 wallet linking. The only route that loads wagmi/viem. |
+| `/connected-apps` | client | gated | Lists `CONNECTED_APPS` from `src/lib/constants/apps.ts`. |
+| `/groups` | client | gated | List groups, accept/leave/remove public membership. |
+| `/groups/create` | client | gated | Register a new group. Enforces `MAX_SELF_CREATED_ORGS = 5`. |
+| `/groups/[groupDid]` | client | gated | Group profile view. |
+| `/groups/[groupDid]/edit-profile` | client | gated | Edit group profile + metadata. |
+| `/groups/[groupDid]/apps` | client | gated | Apps view scoped to a group. |
+| `/groups/[groupDid]/settings` | client | gated | Member management + audit log. |
+| `/oauth/callback` | client | — | Receives the OAuth redirect. POSTs query string to `/api/auth/callback-handler`, then either `postMessage`s the parent window (iframe flow) or `window.location.replace("/")`. |
+| `/.well-known/oauth-client-metadata` | server | public | Generated from `getOAuthClient().clientMetadata` + extras (`brand_color`, `tos_uri`, etc.). Cached `public, max-age=600`. |
+| `/.well-known/jwks.json` | server | public | Generated from `getOAuthClient().jwks`. Cached `public, max-age=600`. |
+| `/sitemap.xml`, `/robots.txt`, `/manifest.webmanifest` | server | public | See `src/app/sitemap.ts`, `robots.ts`, `manifest.ts`. |
+
+Permanent redirects (in `next.config.ts`):
+- `/settings/security` → `/settings`
+- `/settings/account` → `/settings`
+- `/settings/connected-apps` → `/connected-apps`
+
+**Edge proxy / middleware** — `src/proxy.ts`:
+
+```ts
+export const config = { matcher: ["/"] }
+```
+
+Only `/` runs through the proxy. If `certified_session` cookie is missing it 307-redirects to `/welcome`. All other auth-gated pages rely on `AuthGuard` client-side. The redirect happens before React renders, so SSR / SEO crawlers always see `/welcome` for unauthenticated visits.
+
+## 8. Authentication Flow
 
 ### Components
-- Use `next/link` for internal navigation, raw `<img>` for SVG buttons (not `next/image`)
-- `aria-describedby` + `aria-invalid` on form inputs — see `input.tsx` and `textarea.tsx` for pattern
-- `aria-haspopup` + `aria-expanded` on dropdown triggers — see `navbar.tsx`
-- Focus trapping in modals — use `useFocusTrap` hook from `src/hooks/use-focus-trap.ts`
-- Skip nav link exists in `layout.tsx` — `<main id="main-content">`
+
+- **OAuth client** — `src/lib/auth/oauth-client.ts` builds a `NodeOAuthClient` (singleton). It registers Redis-backed state and session stores, leaves `handleResolver` at the SDK default (`AtprotoHandleResolverNode`, which does DNS-TXT + HTTPS `.well-known/atproto-did` resolution and works for any atproto handle, not just Certified-rooted ones), and conditionally enables `private_key_jwt` when `ATPROTO_PRIVATE_KEY` is set. In **loopback dev mode** (`NODE_ENV !== "production"` AND `PUBLIC_URL` is missing or `http://`) it skips the normal `${PUBLIC_URL}/.well-known/oauth-client-metadata` `client_id` and uses `buildAtprotoLoopbackClientMetadata` instead, because the spec only allows `https://` or the literal `http://localhost` (no port) as a `client_id`.
+- **Stores** — `src/lib/auth/stores.ts` wraps Upstash Redis. `RedisStateStore` (10 min TTL) is for the short-lived OAuth flow. `RedisSessionStore` (30 day TTL) holds long-lived atproto sessions (tokens + DPoP key). Both key by `oauth:state:<key>` / `oauth:session:<key>`. **Dev fallback:** when Upstash creds are missing AND `NODE_ENV !== "production"`, the module switches to a process-local `InMemoryRedis` so a fresh clone can sign in locally without provisioning an Upstash database. State doesn't survive a server restart and isn't shared across workers — acceptable for dev only. A console warning fires on first use.
+- **App session** — `src/lib/auth/session.ts` issues the `certified_session` cookie:
+  - Cookie value = `<32-byte hex sessionId>.<HMAC-SHA256 signature>`.
+  - Cookie attributes: `httpOnly`, `secure` in production, `sameSite=lax`, `path=/`, `maxAge=30 days`.
+  - Server side, the session id maps to a DID in Redis (`session:did:<sid>`).
+  - HMAC verification uses `crypto.timingSafeEqual` to avoid timing attacks.
+- **CSRF** — `src/lib/auth/csrf.ts` checks `Origin` header against `new URL(PUBLIC_URL).origin`. If `Origin` is absent (some same-origin no-CORS posts) the request is allowed; if present it must match exactly. Wraps URL parsing in try/catch — any malformed origin returns 403.
+- **authFetch** — `src/lib/auth/fetch.ts` wraps `fetch` and calls a registered `onUnauthorized()` listener on 401. `AuthProvider` registers this listener to clear `isAuthenticated`/`did`/`pdsUrl` and surface "Your session has expired."
+
+### Sign-in (email or handle)
+
+1. UI submits to `POST /api/auth/login` with `{ input, mode: "email" | "handle", prompt? }`.
+2. Server CSRF-checks, sanitizes input (`sanitizeEmail` / `sanitizeHandle`), then calls `client.authorize(...)`. For `mode: "email"` it points at `PDS_URL` and adds `login_hint`. For `mode: "handle"` it calls `client.authorize(input, …)` and falls back to `https://` + input if the bare input fails.
+3. Returns `{ url }`. The client `safeRedirect()`s — only `https:` URLs are allowed (and `http:` in dev). This intentionally allows cross-origin since OAuth bounces to external authorization servers.
+4. The PDS UI may post a `switch-provider` message back to the modal (used when an existing user enters a handle on the wrong PDS). `AuthProvider` listens for it and re-runs the handle login flow.
+
+### Callback
+
+1. The PDS redirects to `/oauth/callback?code=…&state=…`. The page is rendered in the modal iframe; if not in an iframe it falls through to `window.location.replace("/")`.
+2. The page client-fetches `GET /api/auth/callback-handler?<query>`, which:
+   - calls `client.callback(params)` to complete the OAuth exchange,
+   - **invalidates the existing `certified_session`** before creating a new one (defense against session fixation),
+   - calls `createSession(did)` which writes to Redis and sets the cookie,
+   - best-effort seeds `app.certified.actor.profile` and `app.bsky.actor.profile` with empty `self` records so other apps see the user immediately,
+   - returns `{ did }`.
+3. If the page is in an iframe, it `postMessage`s `{ type: "oauth-callback-complete", sub: did }` to the parent. `AuthProvider` listens, validates `event.origin`, and calls `refreshSession()`.
+
+### Session lookup & sign-out
+
+- `GET /api/auth/session` — reads cookie, looks up DID in Redis, calls `client.restore(did)` to confirm the upstream session is still valid; if `restore` throws, deletes both the local session and returns `{ did: null }`. The browser uses this on app load.
+- `POST /api/auth/logout` — CSRF-checked. Calls `oauthSession.signOut()` upstream (best-effort), deletes the local session, returns `{ success: true }`. The client also calls `clearSessionCache()` for `useSession` and clears Auth state immediately (optimistic logout).
+
+### `safeRedirect` in `auth-context.tsx`
+
+Validates returned URLs to prevent protocol-injection (e.g. `javascript:`). Allows only `https:` (and `http:` in dev). Cross-origin is permitted on purpose — the OAuth flow lands on external authorization servers.
+
+## 9. API Routes Catalog
 
 ### Auth
-- OAuth via `@atproto/oauth-client-node` (server-side only)
-- Session cookie: `certified_session` (httpOnly, HMAC-signed)
-- All API calls go through `authFetch()` → `/api/xrpc/[...method]` proxy
-- CSRF Origin check on all POST routes (`src/lib/auth/csrf.ts`)
-- Sanitize input: strip invisible Unicode chars client-side AND server-side (defense in depth)
-- Sanitize error messages: never return raw `err.message` from auth routes to clients
-
-### Routing
-- Middleware (`src/middleware.ts`) redirects `/` → `/welcome` when no session cookie
-- `/welcome` — landing page (server-rendered, transparent navbar)
-- `/` — profile dashboard (authenticated only)
-- `HomeClient` redirects to `/welcome` via useEffect if auth check fails (expired session)
-- `AuthGuard` in `settings/layout.tsx` protects settings routes
-
-### Layout System
-- Root `layout.tsx` → Providers → AuthProvider → OrgProvider → NavbarProvider → Navbar + AppShell + Footer + FeedbackModal
-- `/welcome` has its own `layout.tsx` that sets navbar variant to `"transparent"`
-- `AppShell` wraps children in `.app-shell` div (skipped on `/welcome`)
-- `Footer` renders on all pages (single footer, no duplicates)
-- Feedback button avoids footer overlap via scroll listener on `.landing-footer`
-
-### SEO / GEO
-- JSON-LD: Organization (schema.org) + WebSite in `layout.tsx`, SoftwareApplication + FAQPage in `welcome/page.tsx`
-- OG/Twitter meta: defaults in `layout.tsx`, overrides per page
-- Title template: `"%s — Certified"` (layout), pages export specific titles
-- `robots.ts`, `sitemap.ts`, `manifest.ts` in `src/app/`
-- `public/llms.txt` for AI crawlers
-- All public pages need `canonical` URL in `alternates`
-
-## Security Rules
-
-- Redis operations must be wrapped in try/catch (see `session.ts`)
-- CSRF URL parsing is wrapped in try/catch (see `csrf.ts`)
-- Invalidate existing session before creating new one in callback handler
-- Collection allowlist for writes in XRPC proxy
-- Blob uploads: 1MB max, allowed types: jpeg, png, webp, gif, svg+xml
-- 5xx errors sanitized — never leak upstream error details
-
-## Git & Deployment
-
-- **Branches:** `main` (production), `staging` (preview/testing)
-- **Quality gate:** `npm run build` must pass before pushing
-- **Production:** `certified.app` — deploys from `main` via Vercel
-- **Staging:** `staging.certified.app` — deploys from `staging` via Vercel
-- **PR workflow:** push to `staging`, create PR to `main`
-- **`PUBLIC_URL`** must match the deployed domain — OAuth client_id, redirect_uris, and CSRF check all derive from it
-
-## File Map
 
+| Route | Method | CSRF | Auth | Description |
+|---|---|---|---|---|
+| `/api/auth/login` | POST | yes | none | Build authorization URL for email or handle login. Sanitizes input. Returns `{ url }`. |
+| `/api/auth/callback-handler` | GET | n/a | none | Server-side OAuth code exchange. Invalidates old session, creates new one, seeds profile records. |
+| `/api/auth/session` | GET | n/a | cookie | Returns `{ did }` or `{ did: null }`. Calls `client.restore(did)` to detect upstream invalidation. |
+| `/api/auth/logout` | POST | yes | cookie | Calls upstream `signOut`, deletes Redis session and cookie. |
+
+### XRPC proxy
+
+| Route | Method | CSRF | Auth | Description |
+|---|---|---|---|---|
+| `/api/xrpc/[...method]` | GET | n/a | cookie | Whitelisted query methods (see [§10](#10-xrpc-proxy)). |
+| `/api/xrpc/[...method]` | POST | yes | cookie | Whitelisted procedure methods. Enforces collection allowlist + repo ownership. |
+
+### Groups
+
+| Route | Method | CSRF | Auth | Description |
+|---|---|---|---|---|
+| `/api/groups/register` | POST | yes | cookie | Direct call to group service `app.certified.group.register` with service-auth JWT (`getServiceAuth` `lxm: "app.certified.group.register"`). Enforces `MAX_SELF_CREATED_ORGS = 5` by counting groups where the caller's member entry has `addedBy === ownerDid`. Sanitizes 5xx errors. |
+| `/api/groups/memberships` | GET | n/a | cookie | Lists remote memberships from the group service. Server-side service-auth using `lxm: "app.certified.groups.membership.list"`. |
+| `/api/groups/[groupDid]/profile` | GET | n/a | none | Reads `app.certified.actor.profile` from the group's PDS (resolved via DID document). Reads are public. |
+| `/api/groups/[groupDid]/profile` | PUT | yes | cookie | Writes the org profile via `createGroupAgent(...).call("app.certified.group.repo.putRecord", …)`. |
+| `/api/groups/[groupDid]/metadata` | GET / PUT | PUT yes | open / cookie | Same pattern for `app.certified.actor.organization`. |
+| `/api/groups/[groupDid]/bsky-profile` | POST | yes | cookie | Creates an empty `app.bsky.actor.profile` record for discoverability. |
+| `/api/groups/[groupDid]/handle` | PUT | yes | cookie | Calls `groupAgent.com.atproto.identity.updateHandle({ handle })` — proxied through PDS to group service. |
+| `/api/groups/[groupDid]/members` | GET / POST / DELETE | POST/DELETE yes | cookie | List, add, remove members. |
+| `/api/groups/[groupDid]/role` | PUT | yes | cookie | Set member role. Validates role is one of `member`, `admin`, `owner`. |
+| `/api/groups/[groupDid]/audit` | GET | n/a | cookie | Query audit log. Filters: `actorDid`, `action`, `collection`, `limit`, `cursor`. |
+| `/api/groups/[groupDid]/upload-blob` | POST | yes | cookie | 5MB cap, allowed types `image/jpeg|png|webp`. |
+
+### Discovery
+
+| Route | Method | CSRF | Auth | Description |
+|---|---|---|---|---|
+| `/api/resolve-handle` | GET | n/a | cookie | Calls `com.atproto.identity.resolveHandle`. Returns `{ did, handle }`. |
+| `/api/resolve-did` | GET | n/a | cookie | Calls `resolveHandle(did)` (DID doc) + `app.bsky.actor.getProfile` for display name. Returns `{ did, handle, displayName }`. |
+| `/api/search-actors` | GET | n/a | cookie | Calls `app.bsky.actor.searchActors`. `limit` clamped to 25. |
+
+### Other
+
+| Route | Method | CSRF | Auth | Description |
+|---|---|---|---|---|
+| `/api/feedback` | POST | yes | none | Resend email to `support@hypercerts.org`. Strips invisible Unicode from `message` and `email`. Validates email format. Sends a confirmation email to the user if they provided one. |
+| `/.well-known/oauth-client-metadata` | GET | n/a | none | OAuth client metadata. `Cache-Control: public, max-age=600`. |
+| `/.well-known/jwks.json` | GET | n/a | none | JWKS (only meaningful when `ATPROTO_PRIVATE_KEY` is set). |
+
+## 10. XRPC Proxy
+
+`src/app/api/xrpc/[...method]/route.ts` is the central proxy from the client to the user's PDS.
+
+### Allowed GET methods
+
+- `com.atproto.repo.getRecord`
+- `com.atproto.repo.listRecords` (limit clamped to `[LIMIT_MIN=1, LIMIT_MAX=100]`)
+- `com.atproto.server.getSession`
+- `com.atproto.sync.getBlob` — returns binary; sets `Content-Type` from upstream
+
+Anything else returns 400 `Unknown method`.
+
+### Allowed POST methods
+
+- `com.atproto.repo.createRecord`
+- `com.atproto.repo.putRecord`
+- `com.atproto.repo.deleteRecord`
+- `com.atproto.repo.uploadBlob`
+- `com.atproto.identity.updateHandle`
+- `com.atproto.server.requestPasswordReset`
+- `com.atproto.server.resetPassword`
+- `com.atproto.server.requestEmailUpdate`
+- `com.atproto.server.updateEmail`
+
+For `createRecord` / `putRecord` / `deleteRecord`:
+- `body.repo` must equal the session DID — cross-repo writes are 403.
+- `body.collection` must be one of:
+  - `org.impactindexer.link.attestation`
+  - `app.certified.actor.profile`
+  - `app.certified.actor.membership`
+  - `app.certified.actor.organization`
+
+If you need to write a new collection, **add it to `ALLOWED_WRITE_COLLECTIONS`** in `src/app/api/xrpc/[...method]/route.ts`. The proxy will silently 403 otherwise.
+
+### Blob uploads
+
+- `MAX_BLOB_SIZE = 4 * 1024 * 1024` (4 MB) — Vercel serverless has a ~4.5 MB request body cap.
+- `ALLOWED_BLOB_CONTENT_TYPES = ["image/jpeg", "image/png", "image/webp", "image/gif", "image/svg+xml"]`.
+- Both `Content-Length` (when present) and the actual `arrayBuffer().byteLength` are checked.
+- The group blob route (`/api/groups/[groupDid]/upload-blob`) uses **5 MB** and disallows GIF/SVG (only JPEG/PNG/WEBP).
+- Client-side, `src/lib/atproto/profile.ts` enforces 4 MB on avatar/banner uploads; 4 MB matches the proxy cap.
+
+### Error sanitization
+
+`xrpcError(err)` extracts `status` (or `statusCode`) and `message`. **For status ≥ 500, `message` is replaced with `"Internal server error"`** to avoid leaking PDS internals. Stick to this pattern in any new BFF routes.
+
+## 11. CSS Conventions
+
+### Where styles live
+
+- `src/app/globals.css` — single 4,700-line file containing all custom CSS (BEM-like classes with component prefixes: `.dashboard__topbar`, `.signin-modal__backdrop`, `.org-list__item`, etc.).
+- Tailwind utilities are used freely *inside* JSX for one-off layout (`flex`, `mt-4`, `max-w-3xl`, etc.).
+- Tailwind theme overrides live in `tailwind.config.ts` (custom colors `navy`, `accent`, `sky`, `deep`; custom font sizes `display`, `h1`–`h4`; custom shadows `elevation-1` through `elevation-4`; custom radii `button: 6px`, `card: 4px`, `sm: 2px`).
+
+### CSS variables (declared in `:root`)
+
+- Colors: `--color-primary`, `--color-navy`, `--color-accent`, `--color-off-white`, `--color-gray-100`, `--color-light-gray`, `--color-mid-gray`, `--color-dark-gray`, `--color-surface`, `--color-surface-container`, `--color-surface-container-low`, `--color-surface-container-high`, `--color-accent-hover`.
+- Borders: `--border-subtle`, `--border-light`, `--border-default`, `--border-medium`, `--border-hover`, `--border-hover-soft`, `--border-strong`.
+- Overlays: `--navy-overlay-30`, `--navy-overlay-70`, `--navy-overlay-85`.
+- Semantic: `--color-success`, `--color-success-text`, `--color-warning`, `--color-error`, `--color-outline-variant`.
+- Warning surface: `--color-warning-bg`, `--color-warning-border`, `--color-warning-text`.
+- Focus / success accents: `--color-focus-green`, `--color-success-icon`.
+- Transitions: `--transition-fast` (150 ms), `--transition-base` (250 ms), `--transition-slow` (400 ms cubic-bezier).
+- Geometry: `--radius` (2px), `--navbar-height` (64px).
+
+### Rules
+
+1. **No `100vw`.** It triggers horizontal overflow when a scrollbar is present. Use `100%` with the parent providing the layout context. (Confirmed: globals.css contains zero `100vw` rules.)
+2. **New components use BEM classes in `globals.css` for layout/structure**, Tailwind for in-component micro-adjustments. Don't reach for Tailwind utilities to recreate something a BEM class already covers.
+3. **Reuse the CSS variables** above; don't hard-code colors or transitions in new rules.
+4. **Skip-nav styles** are at the top of `globals.css`. Don't duplicate.
+
+## 12. Component Conventions
+
+- **Internal links:** `next/link`. Don't use `<a href>` for in-app routes.
+- **SVG icons / button graphics:** raw `<img>` (not `next/image`) for SVG assets. `next/image` is reserved for raster assets where the optimizer adds value (see `partner-apps.tsx` for an example using `Image`).
+- **Icons:** `lucide-react`. Don't import individual SVG icon files for new code.
+- **Form inputs:** Use the `Input` and `Textarea` components in `src/components/ui/`. They wire up `aria-describedby` + `aria-invalid` + `id` + `useId()`-derived label associations automatically. If you need a bare input, replicate the pattern from `input.tsx` line for line.
+- **Dropdown triggers:** `aria-haspopup` + `aria-expanded` (`navbar.tsx` has the canonical pattern).
+- **Modals:** wrap the panel with `useFocusTrap<HTMLElement>(active)` from `src/hooks/use-focus-trap.ts`. It both traps Tab/Shift+Tab and restores focus to the previously focused element on close. The trap selector is `a[href], button:not([disabled]), textarea:not([disabled]), input:not([disabled]), select:not([disabled]), [tabindex]:not([tabindex="-1"])`.
+- **Skip-nav:** already wired in root layout (`<a href="#main-content" class="skip-nav">`). `<main id="main-content">` exists. Don't reintroduce.
+- **External user-controlled URLs (e.g. `profile.website`):** validate the scheme before using as an `href`. Only allow `http:`, `https:`, `mailto:`, `tel:`; reject anything else (including `javascript:`, `data:`, `vbscript:`, malformed). A shared helper for this is tracked as a follow-up.
+- **Avatars:** use `Avatar` from `src/components/ui/avatar.tsx` with `fallbackInitials={getInitials(name)}` from `src/lib/utils/initials.ts`.
+
+## 13. Hooks Catalog
+
+Located in `src/hooks/`:
+
+| Hook | Purpose |
+|---|---|
+| `useSession()` | Cached session data (handle, email) from `com.atproto.server.getSession`. Module-level promise + result cache shared across all instances. `clearSessionCache()` exported for sign-out. Returns `{ handle, email, isLoading, error }`. |
+| `useProfile()` | Loads the user's `app.certified.actor.profile`; if empty, falls back to `app.bsky.actor.profile`. Sets `isFallback: true` when using Bluesky. Returns `profile`, `isLoading`, `error`, `refetch`, `avatarUrl`, `bannerUrl`, `isFallback`. Uses `AbortController` per fetch. |
+| `useOrgProfile()` | Loads the active group's profile + metadata via `useOrg().activeOrg`. Returns `orgProfile`, `orgMetadata`, `orgAvatarUrl`, `orgBannerUrl`, `isLoading`, `refetch`. |
+| `useIdentityLinks(did)` | Fetches all attestations from the user's PDS, EIP-712-verifies EOA signatures with `viem.verifyTypedData`, marks ERC-1271 / ERC-6492 as `verified: false` ("On-chain verification not yet supported"). |
+| `useAttestationSigning(did)` | Wagmi-based signer. Builds the EIP-712 message, calls `signTypedDataAsync`, then `storeAttestation` to persist. Returns `signAndStore`, `isSigning`, `isStoring`, `error`, `reset`. **Only valid inside `/settings/wallet` because it depends on the WagmiProvider.** |
+| `useFocusTrap<T>(active)` | Focus trap for modals (see [§12](#12-component-conventions)). |
+
+Group-creation limit hook is at `src/lib/groups/use-org-limit.ts` (`useOrgCreationLimit()`).
+
+## 14. State Management
+
+- **Auth state:** `AuthProvider` in `src/lib/auth/auth-context.tsx`. Holds `isLoading`, `isAuthenticated`, `did`, `pdsUrl`, `error`, `isModalOpen`, `isRedirectingToProvider`, plus actions `openSignIn`, `closeModal`, `submitEmail`, `submitHandle`, `signOut`. Also owns the `SignInModal` and `ProviderRedirectOverlay` components.
+- **Active group:** `OrgProvider` in `src/lib/groups/org-context.tsx`. Persists the active org to `localStorage` under key `certified_active_org`. Initializes synchronously on first render (`getInitialOrg`) so the navbar avatar doesn't flicker. Refetches groups on auth change. When the auth state turns to "logged out", the active org is cleared.
+- **Navbar variant:** `NavbarProvider` (`src/lib/navbar-context.tsx`). Two variants: `default` (opaque) and `transparent` (used on `/welcome`).
+- **Wagmi:** scoped to `/settings/wallet/layout.tsx`. Mounts `WagmiProvider` with `config` from `src/lib/wagmi.ts` (chains: mainnet, base, optimism, arbitrum; connectors: injected, coinbaseWallet smart-wallet-only, walletConnect when `NEXT_PUBLIC_WALLETCONNECT_PROJECT_ID` is set; `ssr: true`).
+- **No Redux / Zustand / Jotai.** Local component state + the three contexts above is the entire state model.
+
+## 15. Groups Feature
+
+### Mental model
+
+A "group" = an atproto identity (its own DID + PDS) operated through the **group service** at `GROUP_SERVICE` (default Railway staging). Membership has three roles: `owner`, `admin`, `member`.
+
+The **source of truth for "who is a member of what"** is the group service (queried via `app.certified.groups.membership.list`). The **user-side acceptance bit** is a record in the user's own PDS at `app.certified.actor.membership`. A user can be a member without an accepted record (private/pending) or be an accepted member (public).
+
+### Routes & files
+
+- UI: `src/app/groups/**` and `src/components/groups/**`.
+- API: `src/app/api/groups/**` (see [§9](#9-api-routes-catalog)).
+- Library: `src/lib/groups/`:
+  - `constants.ts` — `GROUP_SERVICE`, `GROUP_SERVICE_DID`, NSIDs, `MAX_SELF_CREATED_ORGS = 5`.
+  - `types.ts` — `Group`, `OrgRole`, `OrgMember`, `OrgProfile`, `GroupMetadata`, `OrgUrlItem`, `MembershipRecord`, `AuditEntry`, `RemoteMembership`, `CreateOrgParams`, `VerifiedAttestation`.
+  - `api.ts` — client-side functions (`listMemberships`, `putMembership`, `deleteMembership`, `uploadOrgBlob`, `createBskyProfile`, `registerGroup`, `getOrgProfile`, `putOrgProfile`, `getOrgMetadata`, `putOrgMetadata`, `listOrgMembers`, `addOrgMember`, `removeOrgMember`, `setOrgMemberRole`, `queryOrgAuditLog`, `fetchRemoteMemberships`, `getSelfCreatedOrgCount`, `resolveGroups`).
+  - `proxy-agent.ts` — server-side. Defines `GROUP_LEXICONS` (10 custom NSIDs under `app.certified.group.*`), exports `getAuthenticatedAgent()`, `createGroupAgent(agent, groupDid)` (uses `agent.withProxy("certified_group", groupDid)` and registers the lexicons), and `getServiceAuthToken(agent, lxm)` for the rare direct-call case (registration only).
+  - `org-context.tsx` — provider/context.
+  - `use-org-limit.ts` — group-creation limit hook.
+
+### Custom NSIDs (lexicons)
+
+Defined in `src/lib/groups/proxy-agent.ts`:
+
+| NSID | Type | Purpose |
+|---|---|---|
+| `app.certified.group.register` | procedure | Register a new group (direct call). |
+| `app.certified.group.repo.createRecord` | procedure | Proxied write. |
+| `app.certified.group.repo.putRecord` | procedure | Proxied write. |
+| `app.certified.group.repo.deleteRecord` | procedure | Proxied write. |
+| `app.certified.group.repo.uploadBlob` | procedure | Proxied blob upload. |
+| `app.certified.group.member.add` | procedure | Add member. |
+| `app.certified.group.member.remove` | procedure | Remove member. |
+| `app.certified.group.member.list` | query | List members. |
+| `app.certified.group.role.set` | procedure | Set member role. |
+| `app.certified.group.audit.query` | query | Query audit log. |
+
+### Group creation limit
+
+`MAX_SELF_CREATED_ORGS = 5`. Enforced both server-side (in `/api/groups/register`) and client-side (in `useOrgCreationLimit()`). A group is "self-created" when the user's member entry has `addedBy === ownerDid`. The server-side check fetches all memberships and member lists for those groups, then counts.
+
+## 16. Identity-Link / Wallet Attestation
+
+**Goal:** prove a DID controls an EVM address (and vice versa) by signing an EIP-712 message with the wallet and storing the attestation in the user's PDS.
+
+### EIP-712 schema
+
+Defined in `src/lib/identity-link/attestation.ts`:
+
+```ts
+ATTESTATION_DOMAIN = { name: "ATProto EVM Attestation", version: "1" }
+ATTESTATION_TYPES = {
+  Attestation: [
+    { name: "did", type: "string" },
+    { name: "evmAddress", type: "address" },
+    { name: "chainId", type: "uint256" },
+    { name: "timestamp", type: "uint256" },
+    { name: "nonce", type: "uint256" },
+  ],
+}
 ```
-src/
-├── middleware.ts                       # Redirect / → /welcome when no session
-├── app/
-│   ├── layout.tsx                      # Root layout, providers, JSON-LD, skip nav
-│   ├── page.tsx                        # Profile dashboard (auth only)
-│   ├── globals.css                     # All custom CSS
-│   ├── icon.png                        # Favicon
-│   ├── manifest.ts                     # PWA manifest
-│   ├── robots.ts                       # Robots.txt
-│   ├── sitemap.ts                      # Sitemap
-│   ├── error.tsx                       # Global error boundary
-│   ├── not-found.tsx                   # 404 page
-│   ├── welcome/                        # Landing page
-│   │   ├── layout.tsx                  # Transparent navbar variant
-│   │   └── page.tsx                    # Landing content + JSON-LD
-│   ├── about/page.tsx                  # About page
-│   ├── terms/page.tsx                  # Terms of Service
-│   ├── privacy/page.tsx                # Privacy Policy
-│   ├── dsa/page.tsx                    # DSA compliance
-│   ├── settings/
-│   │   ├── layout.tsx                  # AuthGuard for all settings
-│   │   ├── page.tsx                    # Settings index
-│   │   ├── edit-profile/page.tsx
-│   │   ├── my-data/page.tsx
-│   │   └── wallet/
-│   │       ├── layout.tsx              # WagmiProvider (scoped here only)
-│   │       └── page.tsx
-│   ├── connected-apps/
-│   │   ├── layout.tsx                  # AuthGuard
-│   │   └── page.tsx
-│   ├── groups/                         # Group management routes
-│   ├── oauth/callback/page.tsx         # OAuth redirect handler
-│   ├── api/
-│   │   ├── auth/                       # login, logout, session, callback-handler
-│   │   ├── xrpc/[...method]/route.ts   # XRPC proxy with security
-│   │   ├── groups/                     # Group API routes
-│   │   ├── feedback/route.ts           # Feedback email via Resend
-│   │   ├── resolve-handle/route.ts
-│   │   ├── resolve-did/route.ts
-│   │   └── search-actors/route.ts
-│   └── .well-known/                    # OAuth client metadata, JWKS
-│
-├── components/
-│   ├── landing/
-│   │   ├── landing-page.tsx            # Server-rendered landing sections
-│   │   ├── home-client.tsx             # Profile dashboard (client component)
-│   │   ├── hero-signin-button.tsx      # Client island for hero CTA
-│   │   ├── orbiting-logos.tsx           # Animated logo orbit (IntersectionObserver)
-│   │   └── sections/                   # Landing sections (server + client islands)
-│   ├── layout/
-│   │   ├── app-shell.tsx               # App wrapper (skipped on /welcome)
-│   │   ├── navbar.tsx                  # Top nav with account switcher
-│   │   ├── footer.tsx                  # Global footer (all pages)
-│   │   ├── sidebar.tsx                 # Left nav for settings
-│   │   └── auth-guard.tsx              # Auth redirect with returnTo
-│   ├── dashboard/                      # Dashboard cards and lists
-│   ├── groups/                         # Group management components
-│   ├── profile/                        # Profile editing
-│   ├── identity-link/                  # Wallet attestation
-│   ├── account/                        # Email and password sections
-│   └── ui/                             # Shared primitives (button, input, modal, etc.)
-│
-├── hooks/
-│   ├── use-session.ts                  # Cached session data (handle, email)
-│   ├── use-profile.ts                  # Profile data with AbortController
-│   ├── use-org-profile.ts              # Group profile
-│   ├── use-identity-links.ts           # Wallet attestations
-│   ├── use-attestation-signing.ts      # EIP-712 signing
-│   └── use-focus-trap.ts              # Modal focus trapping
-│
-└── lib/
-    ├── auth/                           # OAuth client, session, CSRF, fetch wrapper
-    ├── groups/                         # Group API, context, constants, types
-    ├── identity-link/                  # EIP-712 attestation, PDS read/write
-    ├── atproto/                        # DID resolution, profile fetch/update
-    ├── constants/apps.ts               # CONNECTED_APPS (single source of truth)
-    ├── types/api.ts                    # API response types
-    ├── utils/initials.ts               # getInitials() utility
-    ├── navbar-context.tsx              # Navbar variant state
-    ├── providers.tsx                   # Root provider (no wagmi)
-    └── wagmi.ts                        # Wagmi config (wallet page only)
-
-public/
-├── llms.txt                            # AI crawler description
-├── assets/
-│   ├── partners/                       # Partner app logos
-│   ├── certified_brandmark*.svg/png    # Brand assets
-│   ├── certified_wordmark*.svg/png     # Wordmarks
-│   ├── certified-hero-1200x630.png     # OG image
-│   ├── certified_signin_black.svg/png     # Sign-in button assets
-│   ├── certified_signinwith_black.svg/png # Sign-in-with button assets
-│   └── guilloche_02.svg                # Decorative background (SVGO optimized)
-└── email/
-    └── otp-email-template.html         # Branded OTP email
+
+`buildAttestationMessage(did, address, chainId)` returns both the typed-form (with bigints, for `signTypedData`) and the stored-form (with strings, for JSON serialization in the PDS record).
+
+### Storage
+
+- Collection: `org.impactindexer.link.attestation` (allowlisted in the XRPC proxy).
+- rkey: `${address.toLowerCase()}-${chainId}` so the same wallet on the same chain overwrites itself.
+- Record shape (`Attestation` type in `src/lib/identity-link/types.ts`): `{ $type, address, chainId, signature, message, signatureType: "eoa" | "erc1271" | "erc6492", createdAt }`.
+
+### Verification
+
+`useIdentityLinks(did)`:
+- Lists all attestations from the PDS.
+- For `signatureType === "eoa"`, verifies the signature client-side with `viem.verifyTypedData`. The recovered address must match `address` in the record.
+- For `erc1271` / `erc6492`, returns `verified: false` with `verificationError: "On-chain verification not yet supported"`. **This is a known limitation.** The signing path can produce these signature types (smart contract wallets), but the verifier can't validate them yet — it would need a JSON-RPC eth_call to the contract's `isValidSignature(bytes32 hash, bytes signature)` per ERC-1271, plus ERC-6492 unwrapping for not-yet-deployed accounts.
+
+### Wallet flow
+
+`useAttestationSigning(did)`:
+1. Checks `isAuthenticated` and wallet `isConnected`.
+2. Builds the message.
+3. `signTypedDataAsync(domain, types, message)`.
+4. `storeAttestation(did, address, chainId, signature, storedMessage, "eoa")`.
+
+This hook depends on `WagmiProvider`, so it only works under `/settings/wallet/`. If you want wallet linking elsewhere, lift the provider — but think hard before doing so (wagmi + viem are heavy).
+
+## 17. Security Rules
+
+These rules are mandatory. Treat any deviation as a regression.
+
+### Server-side
+
+1. **CSRF on every POST/PUT/DELETE** — call `checkCsrf(request)` at the top of any state-changing route handler. The check compares the `Origin` header against `PUBLIC_URL`. URL parsing is wrapped in try/catch; malformed origins return 403.
+2. **Cookie verification uses `timingSafeEqual`** (`src/lib/auth/session.ts`). Don't replace it with `===`.
+3. **HMAC every session id.** The cookie value is `<sessionId>.<HMAC>`. Truncating to "just sessionId" would let attackers forge any session.
+4. **Invalidate the existing session before creating a new one** in `callback-handler/route.ts`. This prevents session fixation if the user reuses a tab where another session was active.
+5. **Wrap Redis ops in try/catch.** Both `session.ts` and `stores.ts` do this; new BFF code must too. A Redis blip should not 500 the request unless absolutely necessary.
+6. **Sanitize input twice** — client AND server (defense in depth). Use `stripInvisible`, `sanitizeEmail`, `sanitizeHandle` from `src/lib/utils/sanitize.ts`. The regex is `/[​-‏
- ⁠-­͏؜᠎]/g`.
+7. **Sanitize 5xx errors.** Never echo `err.message` from upstream PDS errors when status ≥ 500 — return `"Internal server error"` (or a route-specific generic). The XRPC proxy and `/api/groups/register` both do this; copy the pattern. (4xx errors *can* echo upstream messages — those are usually validation errors a user can act on.)
+8. **Repo ownership on writes** — for `createRecord`/`putRecord`/`deleteRecord`, `body.repo` must equal the session DID. Cross-repo writes are 403.
+9. **Collection allowlist** — only the four `ALLOWED_WRITE_COLLECTIONS` can be written through the XRPC proxy. Add to that array consciously, not implicitly.
+10. **Blob limits** — 4 MB cap (image MIME types only) on `/api/xrpc/[...method]` for `uploadBlob`; 5 MB on the group blob route. Both check `Content-Length` and the actual buffer size. Vercel has a hard ~4.5 MB body cap that constrains the XRPC proxy.
+11. **Service-auth tokens are short-lived and per-LXM** — `getServiceAuthToken(agent, lxm)` issues a token bound to a single method. Don't cache or reuse.
+
+### Client-side
+
+12. **`safeRedirect()`** in `auth-context.tsx` — only `https:` (and `http:` in dev). Never call `window.location.href = serverProvidedUrl` directly.
+13. **Validate `event.origin` on `postMessage`.** Both message listeners in `auth-context.tsx` do this. Copy the pattern.
+14. **`authFetch()` for every authenticated XRPC call**, not raw `fetch`. The 401 interceptor is what surfaces session expiry.
+
+### HTTP headers
+
+`next.config.ts` sets these on every response:
+
+- `X-Content-Type-Options: nosniff`
+- `Referrer-Policy: strict-origin-when-cross-origin`
+- `X-Frame-Options: DENY` (the OAuth callback iframe is same-origin, so this is fine)
+- `Permissions-Policy: camera=(), microphone=(), geolocation=()`
+- `Strict-Transport-Security: max-age=63072000; includeSubDomains; preload`
+
+Don't override these per-route unless you have a specific reason.
+
+## 18. SEO / GEO
+
+- **JSON-LD:**
+  - `Organization` (Hypercerts Foundation) and `WebSite` in `src/app/layout.tsx`. Includes legal address, contact point, `sameAs` for social profiles.
+  - `SoftwareApplication` and `FAQPage` in `src/app/welcome/page.tsx`. The FAQPage entries are derived from `FAQ_ITEMS` in `src/components/landing/sections/faq-content.tsx`.
+- **Title template:** `default: "Certified"`, `template: "%s — Certified"`. Pages export their own `title` via `metadata`.
+- **OG / Twitter:** root defaults in `layout.tsx` (`/assets/certified-hero-1200x630.png`, `@hypercerts`). Pages override per-route. `metadataBase` is `https://certified.app`.
+- **Canonical URLs:** every public page exports `alternates: { canonical: "https://certified.app/<path>" }`. Authenticated pages set `robots: { index: false, follow: false }` and don't bother with canonicals.
+- **`robots.ts`** — allows `/`, `/welcome`, `/about`, `/terms`, `/privacy`, `/dsa`; disallows `/settings/*`, `/groups/*`, `/connected-apps`, `/oauth/*`, `/api/*`. Sitemap pointer at `https://certified.app/sitemap.xml`.
+- **`sitemap.ts`** — five public URLs with `lastModified` dates (currently 2026-03-15 / 2026-04-01 / 2026-04-07).
+- **`manifest.ts`** — PWA manifest. `start_url: "/welcome"`, `theme_color: "#f9f9f6"`, brandmark icons at 192/512.
+- **`public/llms.txt`** — Markdown index for AI crawlers (similar to robots/sitemap but in prose).
+- **`/.well-known/oauth-client-metadata`** — also an SEO-adjacent contract: changing `client_id` or `redirect_uris` invalidates existing OAuth sessions.
+
+When adding a new public page: set `metadata.title`, `description`, `alternates.canonical`, and OG `url` + `images`. Add it to `sitemap.ts` and `robots.ts` (allow). Consider whether it deserves a JSON-LD entry.
+
+## 19. Git & Deployment
+
+- **ALWAYS work from a git worktree, never directly in the main checkout** at `/Users/sharfy/Code/certified-app`. At the start of any work session:
+  1. Check current state: `pwd && git worktree list && git branch --show-current`.
+  2. If you're sitting in the main checkout, create a worktree for the task before making any edits:
+     ```bash
+     # New branch off the current HEAD (or off origin/main / origin/staging as appropriate)
+     git worktree add ../certified-app-<short-task-slug> -b <branch-name>
+     # Or check out an existing branch into a new worktree:
+     git worktree add ../certified-app-<short-task-slug> <existing-branch>
+     ```
+  3. `cd` into the new worktree path and do all reads/edits/commands from there. Tell the user the new path so they can follow along.
+  4. When the task is done, leave the worktree in place until the user confirms it can be removed; clean up with `git worktree remove ../certified-app-<short-task-slug>` (and `git branch -d <branch-name>` if the branch is merged).
+- **Why:** the main checkout is the user's working tree — switching branches there clobbers their in-flight changes. Worktrees keep each task isolated and let multiple sessions / dev servers run in parallel without stepping on each other.
+- **Branches:**
+  - `main` → production (`certified.app`)
+  - `staging` → preview (`staging.certified.app`)
+- **Workflow:** push to `staging`, open a PR to `main`. Vercel deploys both branches automatically.
+- **Quality gate:** `npm run build` must succeed before pushing. There is no test suite to run; `tsc --noEmit` is implicit in `next build`.
+- **`PUBLIC_URL`** must match the deployed domain on each environment, since `client_id`, `redirect_uris`, and the CSRF allowlist all derive from it.
+- Don't commit secrets (`.env.local` is gitignored). `COOKIE_SECRET`, `UPSTASH_*`, `ATPROTO_PRIVATE_KEY`, `RESEND_API_KEY` live in Vercel envs.
+
+## 20. File Map
+
 ```
+certified-app/
+├── AGENTS.md                           # Short pointer to README + this draft
+├── README.md                           # Public README
+├── next.config.ts                      # Headers, redirects, image remotePatterns, serverExternalPackages
+├── tsconfig.json                       # strict, paths { "@/*": ["./src/*"] }, ES2017, react-jsx
+├── tailwind.config.ts                  # Theme: navy/accent/sky/deep colors, h1-h4, elevation shadows
+├── eslint.config.mjs                   # next/core-web-vitals + next/typescript
+├── postcss.config.mjs                  # tailwindcss + autoprefixer
+├── .env.local.example                  # Env var template
+├── tests/
+│   └── groups.test-plan.md             # Manual behavioral test plan (no automated tests)
+├── public/
+│   ├── llms.txt                        # AI crawler description
+│   ├── assets/
+│   │   ├── partners/                   # Partner app logos (maearth, gainforest, simocracy, hyperboards)
+│   │   ├── certified_brandmark_black.{svg,png}
+│   │   ├── certified_brandmark_black_{192,512}.png
+│   │   ├── certified_wordmark_black.{svg,png}
+│   │   ├── certified_signin_black.{svg,png}
+│   │   ├── certified_signinwith_black.{svg,png}
+│   │   ├── certified_poweredby_*.{svg,png}
+│   │   ├── certified-hero-1200x630.png # OG image
+│   │   └── guilloche_02.svg            # Decorative background, SVGO-optimized
+│   ├── brand/                          # Partner-facing brand assets (brandmark, poweredby, signin, wordmark variants)
+│   └── email/
+│       └── otp-email-template.html     # Branded OTP email (referenced from oauth-client-metadata)
+└── src/
+    ├── proxy.ts                        # Next 16 proxy (was middleware.ts in 15) — redirects `/` → `/welcome` when no session cookie
+    ├── app/
+    │   ├── layout.tsx                  # Root layout: providers, JSON-LD, fonts, skip-nav, navbar/main/footer/feedback
+    │   ├── globals.css                 # ALL custom CSS (~4.7k lines, BEM-like)
+    │   ├── icon.png                    # Favicon
+    │   ├── apple-icon.png              # Apple touch icon
+    │   ├── manifest.ts                 # PWA manifest
+    │   ├── robots.ts                   # robots.txt
+    │   ├── sitemap.ts                  # sitemap.xml
+    │   ├── error.tsx                   # Global error boundary
+    │   ├── not-found.tsx               # 404 page
+    │   ├── page.tsx                    # `/` — renders <HomeClient /> (redirector)
+    │   ├── welcome/
+    │   │   ├── layout.tsx              # Sets navbar variant to "transparent"
+    │   │   └── page.tsx                # Landing + JSON-LD (SoftwareApplication, FAQPage)
+    │   ├── about/page.tsx
+    │   ├── terms/page.tsx
+    │   ├── privacy/page.tsx
+    │   ├── dsa/page.tsx
+    │   ├── profile/[did]/page.tsx      # Canonical profile URL — renders <ProfileClient />
+    │   ├── settings/
+    │   │   ├── layout.tsx              # AuthGuard
+    │   │   ├── page.tsx                # If activeOrg → OrgSettings; else handle/email/password/2FA placeholder
+    │   │   ├── edit-profile/page.tsx   # Edit personal profile
+    │   │   ├── my-data/page.tsx        # Data export view
+    │   │   └── wallet/
+    │   │       ├── layout.tsx          # WagmiProvider + QueryClientProvider (scoped here ONLY)
+    │   │       └── page.tsx            # Wallet linking UI
+    │   ├── connected-apps/
+    │   │   ├── layout.tsx              # AuthGuard
+    │   │   └── page.tsx
+    │   ├── groups/
+    │   │   ├── layout.tsx              # AuthGuard
+    │   │   ├── page.tsx                # List groups (accept/leave/remove public)
+    │   │   ├── create/page.tsx         # Register new group
+    │   │   └── [groupDid]/
+    │   │       ├── page.tsx            # Group profile view
+    │   │       ├── edit-profile/page.tsx
+    │   │       ├── apps/page.tsx
+    │   │       └── settings/page.tsx   # Members + audit log
+    │   ├── oauth/callback/page.tsx     # OAuth redirect target — postMessages parent or window.replace("/")
+    │   ├── api/
+    │   │   ├── auth/
+    │   │   │   ├── login/route.ts             # POST {input,mode,prompt} → {url}
+    │   │   │   ├── callback-handler/route.ts  # GET — completes OAuth, creates session, seeds profile records
+    │   │   │   ├── session/route.ts           # GET — returns {did} or {did:null}
+    │   │   │   └── logout/route.ts            # POST — signOut + delete session
+    │   │   ├── xrpc/[...method]/route.ts      # The XRPC proxy
+    │   │   ├── feedback/route.ts              # POST → Resend
+    │   │   ├── resolve-handle/route.ts        # GET ?handle=
+    │   │   ├── resolve-did/route.ts           # GET ?did=
+    │   │   ├── search-actors/route.ts         # GET ?q=
+    │   │   └── groups/
+    │   │       ├── register/route.ts          # POST — register new group (enforces MAX_SELF_CREATED_ORGS)
+    │   │       ├── memberships/route.ts       # GET — list user's group memberships
+    │   │       └── [groupDid]/
+    │   │           ├── audit/route.ts         # GET — audit log
+    │   │           ├── bsky-profile/route.ts  # POST — create empty bsky profile
+    │   │           ├── handle/route.ts        # PUT — update handle
+    │   │           ├── members/route.ts       # GET/POST/DELETE
+    │   │           ├── metadata/route.ts      # GET/PUT — app.certified.actor.organization
+    │   │           ├── profile/route.ts       # GET/PUT — app.certified.actor.profile
+    │   │           ├── role/route.ts          # PUT — set member role
+    │   │           └── upload-blob/route.ts   # POST — 5MB image upload
+    │   └── .well-known/
+    │       ├── oauth-client-metadata/route.ts # OAuth client metadata
+    │       └── jwks.json/route.ts             # JWKS (when ATPROTO_PRIVATE_KEY set)
+    │
+    ├── components/
+    │   ├── landing/
+    │   │   ├── landing-page.tsx           # Server-rendered landing assembly
+    │   │   ├── home-client.tsx            # `/` redirector (auth → /profile/{did}, unauth → /welcome)
+    │   │   ├── hero-signin-button.tsx     # Client island for hero CTA
+    │   │   ├── orbiting-logos.tsx         # Animated logo orbit (IntersectionObserver-gated)
+    │   │   └── sections/
+    │   │       ├── built-for-trust.tsx
+    │   │       ├── faq-accordion.tsx
+    │   │       ├── faq-content.tsx        # FAQ_ITEMS array — also used by FAQPage JSON-LD
+    │   │       ├── how-it-works.tsx
+    │   │       ├── partner-apps.tsx
+    │   │       ├── ready-cta-button.tsx
+    │   │       ├── ready-cta-content.tsx
+    │   │       └── what-you-get.tsx
+    │   ├── layout/
+    │   │   ├── app-shell.tsx              # .app-shell wrapper, skipped on /welcome
+    │   │   ├── auth-guard.tsx             # Auth redirect with loading spinner
+    │   │   ├── footer.tsx                 # Global footer (single instance, in root layout)
+    │   │   └── navbar.tsx                 # Top nav with account switcher, mobile bottom sheet
+    │   ├── dashboard/
+    │   │   ├── connected-apps-list.tsx
+    │   │   ├── custom-domain-modal.tsx
+    │   │   ├── identity-overview-card.tsx
+    │   │   ├── recent-activity-card.tsx
+    │   │   ├── sign-in-preview-card.tsx
+    │   │   └── username-card.tsx
+    │   ├── groups/
+    │   │   ├── add-org-modal.tsx
+    │   │   ├── handle-search.tsx
+    │   │   ├── membership-sync-modal.tsx
+    │   │   └── org-settings.tsx
+    │   ├── profile/
+    │   │   ├── avatar-upload.tsx
+    │   │   ├── banner-upload.tsx
+    │   │   ├── profile-client.tsx
+    │   │   └── profile-edit-form.tsx
+    │   ├── identity-link/
+    │   │   ├── identity-link-card.tsx
+    │   │   └── link-wallet-flow.tsx
+    │   ├── account/
+    │   │   ├── email-section.tsx
+    │   │   └── password-section.tsx
+    │   └── ui/
+    │       ├── avatar.tsx
+    │       ├── badge.tsx
+    │       ├── button.tsx
+    │       ├── card.tsx
+    │       ├── error-message.tsx
+    │       ├── feedback-modal.tsx         # Floating feedback button + modal (avoids footer overlap via scroll listener on .landing-footer)
+    │       ├── input.tsx                  # Canonical aria-describedby/aria-invalid pattern
+    │       ├── loading-spinner.tsx
+    │       ├── provider-redirect-overlay.tsx
+    │       ├── sign-in-modal.tsx
+    │       └── textarea.tsx
+    │
+    ├── hooks/
+    │   ├── use-attestation-signing.ts     # Wagmi-only — must be inside /settings/wallet
+    │   ├── use-focus-trap.ts              # Generic Tab/Shift+Tab trap + focus restore
+    │   ├── use-identity-links.ts          # Lists + verifies wallet attestations
+    │   ├── use-org-profile.ts             # Active org's profile + metadata
+    │   ├── use-profile.ts                 # User's profile with bsky fallback (AbortController)
+    │   └── use-session.ts                 # Cached handle+email (module-level promise cache)
+    │
+    └── lib/
+        ├── auth/
+        │   ├── auth-context.tsx           # AuthProvider, useAuth, sign-in modal, postMessage listeners
+        │   ├── csrf.ts                    # checkCsrf — Origin === PUBLIC_URL check
+        │   ├── fetch.ts                   # authFetch — 401 interceptor
+        │   ├── oauth-client.ts            # NodeOAuthClient singleton, PDS_URL constant
+        │   ├── session.ts                 # createSession/getSessionDid/deleteSession (HMAC + Redis)
+        │   ├── stores.ts                  # RedisStateStore (10min) + RedisSessionStore (30day) + getRedis()
+        │   └── types.ts                   # AuthState interface
+        ├── atproto/
+        │   ├── did.ts                     # resolveHandle + resolvePdsUrl (5s timeout, plc.directory + did:web)
+        │   ├── profile.ts                 # getProfile/putProfile, uploadAvatar/uploadBanner, getAvatarUrl/getBannerUrl
+        │   └── types.ts                   # CertifiedProfile, BlueskyProfile, hypercerts defs
+        ├── groups/
+        │   ├── api.ts                     # All client-side group API calls
+        │   ├── constants.ts               # GROUP_SERVICE, GROUP_SERVICE_DID, MAX_SELF_CREATED_ORGS
+        │   ├── index.ts                   # Re-exports
+        │   ├── org-context.tsx            # OrgProvider, useOrg, localStorage persistence
+        │   ├── proxy-agent.ts             # GROUP_LEXICONS, getAuthenticatedAgent, createGroupAgent
+        │   ├── types.ts                   # Group, OrgRole, OrgMember, etc.
+        │   └── use-org-limit.ts           # useOrgCreationLimit hook
+        ├── identity-link/
+        │   ├── attestation.ts             # ATTESTATION_DOMAIN/TYPES, buildAttestationMessage, buildRecordKey
+        │   ├── pds.ts                     # listAttestations/storeAttestation/deleteAttestation (client-side)
+        │   └── types.ts                   # Attestation, AttestationRecord, asHex helper
+        ├── constants/
+        │   └── apps.ts                    # CONNECTED_APPS — single source of truth for partner list
+        ├── types/
+        │   └── api.ts                     # Shared response types (SessionResponse, ListRecordsResponse, PutRecordResponse)
+        ├── utils/
+        │   ├── api.ts                     # extractError(res, fallback)
+        │   ├── config.ts                  # PUBLIC_URL + PUBLIC_URL_STRICT
+        │   ├── constants.ts               # LIMIT_MIN/MAX/DEFAULT, debounce timings
+        │   ├── initials.ts                # getInitials()
+        │   └── sanitize.ts                # stripInvisible/sanitizeEmail/sanitizeHandle
+        ├── navbar-context.tsx             # NavbarProvider — "default" | "transparent" variant
+        ├── providers.tsx                  # Currently a passthrough — placeholder for cross-cutting providers
+        └── wagmi.ts                       # wagmi config (mainnet/base/optimism/arbitrum) + SUPPORTED_CHAINS
+```
+
+## 21. Known Limitations
+
+- **No automated tests.** `tests/groups.test-plan.md` is a manual behavioral plan, not runnable. The quality gates are `npm run build` and `npx tsc --noEmit`.
+- **2FA / TOTP** — not implemented on the ePDS. The `/settings` page shows a "This will be available soon" placeholder.
+- **App passwords** — same status: placeholder card on `/settings`.
+- **ERC-1271 / ERC-6492 verification** — `useIdentityLinks` returns `verified: false` for smart-contract-wallet signatures with `verificationError: "On-chain verification not yet supported"`. The signing path can produce these (the `signatureType` field exists), but the verifier doesn't make on-chain `isValidSignature` calls yet.
+- **TypeScript `as` casts** — widespread on API request/response bodies (e.g. the XRPC proxy and most route handlers cast through `as`). Improving this requires pulling in the official atproto SDK input/output types per method; tracked separately.
+- **Group service is staging-only** — default `GROUP_SERVICE` points at a Railway staging deployment. The groups page shows a "Heads up: Groups are in beta" banner. Don't rely on group data for production-critical flows.
+- **No avatar / banner CDN** — image URLs are direct PDS `getBlob` calls. Heavy traffic would put load on the PDS.
+- **No rate limiting** in the BFF beyond what Vercel and Upstash provide.
+- **No structured logging** — `console.error("[Auth] …", err)` is the convention. Logs end up in Vercel's serverless logs.
+
+## 22. Common Pitfalls
+
+1. **`useAttestationSigning` outside `/settings/wallet`** — it depends on `WagmiProvider` which is mounted only in `src/app/settings/wallet/layout.tsx`. Calling it elsewhere will throw "useConfig must be used within WagmiConfig".
+2. **Using `fetch` instead of `authFetch`** — the 401 interceptor is the only thing surfacing session expiry to the user. Raw `fetch` will silently fail.
+3. **Origin check failures in dev** — if you set `PUBLIC_URL=https://certified.app` in `.env.local` and run `npm run dev` on localhost, every POST will 403. Match `PUBLIC_URL` to whatever host your browser actually hits (use `http://127.0.0.1:3000` if you want sign-in to work — see next pitfall).
+
+3a. **atproto OAuth in dev requires the loopback metadata helper, not just `PUBLIC_URL`.** The spec only accepts a `client_id` that is either a real `https://` URL or the literal `http://localhost` origin (no port, no path). Pointing `client_id` at `http://localhost:3000/...` or `http://127.0.0.1:3000/...` makes `NodeOAuthClient` throw `URL must use the "https:" protocol` (Zod). The fix — already wired into `src/lib/auth/oauth-client.ts` — is to detect dev mode (`NODE_ENV !== "production"` AND `PUBLIC_URL` missing or `http://`) and swap to `buildAtprotoLoopbackClientMetadata({ scope, redirect_uris: ["http://127.0.0.1:<port>/oauth/callback"] })`. Notes:
+   - The `client_id` becomes a virtual `http://localhost?redirect_uri=...&scope=...`, which is what the AS expects for loopback dev.
+   - The `redirect_uri` host must be `127.0.0.1` (or `[::1]`); `localhost` is NOT allowed there even though it IS the only allowed `client_id` host. Yes, this is inverted from intuition; it's the spec.
+   - Cookies don't cross `localhost` ↔ `127.0.0.1`. Pick one host for the whole flow. Since the redirect comes back on `127.0.0.1`, navigate to `http://127.0.0.1:3000/welcome`.
+   - The PDS will show "atproto loopback client" on the consent screen instead of Certified branding. To get real branding in dev, run a tunnel (e.g. `cloudflared`, `ngrok`) and set `PUBLIC_URL=https://<tunnel>.example.com` so the production code path runs.
+   - `ATPROTO_PRIVATE_KEY` is ignored in loopback dev mode — the helper hard-codes `token_endpoint_auth_method: "none"`.
+4. **Wrong cookie name** — it's `certified_session`. Anything else (`session`, `sid`) is wrong.
+5. **Forgetting to add a new write collection to `ALLOWED_WRITE_COLLECTIONS`** — `createRecord`/`putRecord`/`deleteRecord` will silently 403 with `Collection not allowed`.
+6. **Cross-repo writes** — `body.repo` must equal session DID. If you need to write to another repo (e.g. a group's repo), use the `createGroupAgent` proxy pattern, not the XRPC proxy.
+7. **OAuth callback in iframe vs. top window** — the page detects `window.parent !== window`. If you change the modal/iframe architecture, update both branches of `handleCallback`.
+8. **`postMessage` without origin check** — both listeners in `auth-context.tsx` validate `event.origin === window.location.origin`. Don't drop this check.
+9. **Lifting wagmi to root** — every page would pull in viem and wagmi (~hundreds of KB). Keep it scoped.
+10. **Caching `getServiceAuth` tokens** — they're scoped per-LXM and short-lived. Always re-issue.
+11. **Rendering user-controlled URLs as `href` without scheme validation** — `javascript:alert(1)` becomes a one-click XSS. Always allowlist schemes (`http:`, `https:`, `mailto:`, `tel:`) before assigning user-controlled values to `href`.
+12. **`sitemap.ts` / `robots.ts` drift** — when you add a new public page, both must be updated. There is no automation.
+13. **`100vw` in CSS** — causes horizontal scroll when a vertical scrollbar is present. Use `100%`.
+14. **Treating `next.config.ts`'s `serverExternalPackages: ["@atproto/oauth-client-node"]` as optional** — it's not. Without it, the OAuth client fails to bundle correctly for serverless.
+15. **`ATPROTO_PRIVATE_KEY` / JWKS coupling** — if you set `ATPROTO_PRIVATE_KEY`, the OAuth client switches to confidential auth and the published `oauth-client-metadata` includes a `jwks_uri`. Removing the var without updating the registered metadata can desync clients.
+
+## 23. Adding a New Feature — Checklist
+
+When adding any non-trivial feature:
+
+1. **Decide the route.** Public or gated? Personal or group context (most pages must handle both — see how `/settings` checks `activeOrg`)?
+2. **Layout & providers.** Does it need a layout? AuthGuard? Any new provider? If a new provider would only be used by one route, scope it locally (see `settings/wallet/layout.tsx`).
+3. **API surface.** Will it call XRPC methods already supported by the proxy? If not, add them — and add their collection to `ALLOWED_WRITE_COLLECTIONS` if writing.
+4. **Security:**
+   - CSRF on POST/PUT/DELETE (`checkCsrf(req)`).
+   - Sanitize user input client + server (`sanitizeEmail`, `sanitizeHandle`, `stripInvisible`).
+   - Sanitize 5xx errors before returning.
+   - Allowlist URL schemes (`http:`, `https:`, `mailto:`, `tel:`) before rendering any user-controlled URL as `href`.
+   - `safeRedirect()` for any redirect target returned from the server.
+5. **A11y:**
+   - Form inputs: use `Input` / `Textarea` (they wire up `aria-describedby`/`aria-invalid` for you).
+   - Modals: `useFocusTrap`.
+   - Dropdowns: `aria-haspopup` + `aria-expanded`.
+   - Skip-nav already present.
+6. **CSS:** prefer adding BEM classes to `globals.css` for layout, Tailwind utilities for fine-grained tweaks. Reuse CSS variables.
+7. **SEO (public pages only):**
+   - `metadata.title`, `description`, `alternates.canonical`, OG `url`+`images`.
+   - Add to `src/app/sitemap.ts`.
+   - Update `src/app/robots.ts` allow-list.
+   - Consider JSON-LD if it semantically fits (Article, BreadcrumbList, etc.).
+   - Authenticated pages: set `robots: { index: false, follow: false }`.
+8. **Observability:** if the feature can fail, log with `console.error("[Feature] …", err)` so it shows up in Vercel logs.
+9. **Quality gate:** `npm run build` must pass. Manual smoke-test in the browser (sign in, exercise the feature, sign out — re-test in incognito for a clean session).
+10. **Update this file** if the feature changes architecture, conventions, or security posture.
+
+## 24. Adding a New API Route — Checklist
+
+Use this for any new `src/app/api/**` route handler:
+
+1. **Method-appropriate handler.** GET for reads, POST/PUT/DELETE for writes.
+2. **CSRF check first** for mutating methods:
+   ```ts
+   const csrfError = checkCsrf(request); if (csrfError) return csrfError;
+   ```
+3. **Auth check second:**
+   ```ts
+   const did = await getSessionDid();
+   if (!did) return NextResponse.json({ error: "Not authenticated" }, { status: 401 });
+   ```
+   For routes that need the atproto agent, prefer `getAuthenticatedAgent()` from `src/lib/groups/proxy-agent.ts` — it handles `client.restore` failures by deleting the session and returning `null`.
+4. **Validate body shape** — typeof checks, allowlists for enums (see `role/route.ts` validating role ∈ `{member, admin, owner}`).
+5. **Sanitize input** at the boundary even if the client also sanitized.
+6. **Respect allowlists** — collection allowlist for XRPC, scheme allowlist for URLs, MIME-type allowlist for blobs.
+7. **Try/catch the body** — handle malformed JSON explicitly:
+   ```ts
+   try { body = await req.json() } catch { return NextResponse.json({ error: "Invalid JSON" }, { status: 400 }) }
+   ```
+8. **Sanitize errors:**
+   - 4xx errors can echo upstream messages (they're usually validation-shaped).
+   - 5xx errors must return a generic message — never echo upstream `err.message`.
+9. **Log on the server side** with a route-tagged prefix: `console.error("[Route] …", err)`.
+10. **Return shape consistency** — successful operations return `{ success: true }` for void operations, the upstream `data` object for queries, or domain-shaped JSON. Errors always return `{ error: string }`.
+11. **Update `AGENTS.md` / this draft** if the route adds an endpoint to the public surface.
+
+## 25. Conventions: Errors, Loading, A11y
+
+### Error handling
+
+- **Server side** — return `NextResponse.json({ error: "..." }, { status })`. Use `extractError(res, fallback)` from `src/lib/utils/api.ts` to pull error messages out of nested upstream responses on the client.
+- **Client side** — store error in local component state, render via `<ErrorMessage>` component (`src/components/ui/error-message.tsx`). Don't `alert()`.
+- **Auth errors** — surfaced through `AuthProvider.error` and the sign-in modal. Don't write a parallel auth-error system.
+- **AbortController** — every long-running fetch in a hook should accept an `AbortSignal` and check `signal.aborted` before setting state. See `useProfile`, `useOrgProfile`, `OrgProvider` for the canonical pattern.
+- **Catch and ignore** is fine for best-effort operations (avatar fetch, profile seeding). Catch and re-throw with a useful message for things the user must know about (sign-in failure, save failure).
+
+### Loading states
+
+- **Initial auth load** — `AuthProvider` exposes `isLoading`. Pages gated by `AuthGuard` show a centered spinner while it's true.
+- **Per-card loading** — use the `LoadingSpinner` component (`src/components/ui/loading-spinner.tsx`).
+- **Don't gate the navbar on `isLoading`** — render placeholders / skeletons so the layout is stable.
+- **Optimistic state on sign-out** — `signOut` clears local state immediately, then fires the server cleanup in the background (best-effort).
 
-## Known Limitations
+### Accessibility
 
-- **No test suite** — quality gates are `tsc --noEmit` + `next build`
-- **2FA/TOTP** — not implemented on the ePDS, settings page shows placeholder
-- **ERC-1271** — smart contract wallet signatures return `verified: false` (no on-chain verification)
-- **TypeScript** — widespread `as` casts on API request/response bodies (improvement tracked separately)
+- `<a class="skip-nav">` and `<main id="main-content">` are wired up in the root layout.
+- Form inputs use `Input` / `Textarea` which wire up `aria-describedby` + `aria-invalid` + label associations via `useId`.
+- Modals trap focus with `useFocusTrap` and restore focus to the previously focused element on close.
+- Dropdowns have `aria-haspopup` + `aria-expanded`.
+- Buttons that purely contain icons need `aria-label` (or `title`) — see the small action buttons in `groups/page.tsx` (`title="Leave group"`, `title="Accept membership publicly"`).
+- Decorative images have `alt=""` + `aria-hidden="true"` — see `home-client.tsx` for the loading screen logo.
+- Color is never the sole signal — error states pair red with text, success pairs green with an icon.
diff --git a/public/assets/partners/bluesky_logo.svg b/public/assets/partners/bluesky_logo.svg
new file mode 100644
index 00000000..2754efed
--- /dev/null
+++ b/public/assets/partners/bluesky_logo.svg
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 600 535" aria-hidden="true">
+  <path d="m299.75 238.48c-26.326-51.007-97.736-146.28-164.21-193.17-63.677-44.919-88.028-37.186-103.82-29.946-18.428 8.3915-21.719 36.692-21.719 53.311s9.0496 136.57 15.138 156.48c19.745 66.145 89.674 88.522 154.17 81.282 3.2908-0.49362 6.5816-0.98723 10.037-1.3163-3.2908 0.49362-6.7461 0.98723-10.037 1.3163-94.445 13.986-178.52 48.374-68.284 170.96 121.1 125.38 166.02-26.82 189.06-104.15 23.035 77.169 49.526 223.94 186.75 104.15 103.17-104.15 28.301-156.97-66.145-170.96-3.2908-0.32908-6.7461-0.82269-10.037-1.3163 3.4553 0.49362 6.7461 0.82269 10.037 1.3163 64.499 7.2397 134.59-15.138 154.17-81.282 5.9234-20.074 15.138-139.86 15.138-156.48s-3.2908-44.919-21.719-53.311c-15.96-7.2397-40.148-14.973-103.82 29.946-66.967 47.058-138.38 142.16-164.7 193.17z" fill="#1185fe"/>
+</svg>
diff --git a/public/assets/watercolor-blue-circle.png b/public/assets/watercolor-blue-circle.png
new file mode 100644
index 00000000..49344dc0
Binary files /dev/null and b/public/assets/watercolor-blue-circle.png differ
diff --git a/src/app/about/page.tsx b/src/app/about/page.tsx
index 43264aa7..1b2657af 100644
--- a/src/app/about/page.tsx
+++ b/src/app/about/page.tsx
@@ -18,40 +18,43 @@ export const metadata: Metadata = {
 
 export default function AboutPage() {
   return (
-    <div className="app-page">
-      <div className="app-page__inner max-w-3xl">
-        <h1 className="font-mono text-h1 text-navy tracking-tight mb-8">
-          About Certified
-        </h1>
+    <div className="prose-page">
+      <div className="prose-page__inner">
+        <header className="prose-page__header">
+          <span className="landing-label">About</span>
+          <h1 className="prose-page__title">
+            Identity, <span className="prose-page__title-italic">portable</span>.
+          </h1>
+          <p className="prose-page__lede">
+            Certified is a passwordless identity platform built on AT Protocol — one
+            account that travels across every partner app, with full data portability
+            and no vendor lock-in.
+          </p>
+        </header>
 
-        <div className="prose prose-navy max-w-none space-y-8">
+        <article className="prose-page__body">
           <section>
-            <h2 className="font-mono text-xl text-navy mb-4">What is Certified?</h2>
+            <h2>What is Certified?</h2>
             <p>
               Certified is a passwordless identity platform built on{" "}
-              <a
-                href="https://atproto.com"
-                target="_blank"
-                rel="noopener noreferrer"
-                className="text-blue-600 underline hover:text-blue-800"
-              >
+              <a href="https://atproto.com" target="_blank" rel="noopener noreferrer">
                 AT Protocol
               </a>
               , the open standard behind Bluesky and a growing ecosystem of decentralized
               applications. It lets you create a single account that works across every partner
               app — no passwords, no vendor lock-in, and full control over your data.
             </p>
-            <p className="mt-4">
+            <p>
               When you sign up for Certified, you get an AT Protocol identity and a Personal Data
               Server (PDS) hosted at <strong>certified.one</strong>. Your profile, preferences,
-              and activity travel with you to every app that supports AT Protocol — and
-              if the app supports Certified directly, you can sign in with just your email,
-              no password needed.
+              and activity travel with you to every app that supports AT Protocol — and if the
+              app supports Certified directly, you can sign in with just your email, no password
+              needed.
             </p>
           </section>
 
           <section>
-            <h2 className="font-mono text-xl text-navy mb-4">How does it work?</h2>
+            <h2>How does it work?</h2>
             <p>
               Sign-in is passwordless: you enter your email, receive a one-time code, and
               you&apos;re in. Behind the scenes, Certified issues an AT Protocol identity tied to
@@ -59,14 +62,15 @@ export default function AboutPage() {
               the same whether you&apos;re on certified.app, a partner application, or any future
               service that speaks AT Protocol.
             </p>
-            <p className="mt-4">
-              Your data lives on your Personal Data Server. If you ever want to leave, you can export everything or migrate your
-              identity to a different PDS provider — no data is locked inside Certified.
+            <p>
+              Your data lives on your Personal Data Server. If you ever want to leave, you can
+              export everything or migrate your identity to a different PDS provider — no data is
+              locked inside Certified.
             </p>
           </section>
 
           <section>
-            <h2 className="font-mono text-xl text-navy mb-4">What is AT Protocol?</h2>
+            <h2>What is AT Protocol?</h2>
             <p>
               AT Protocol (Authenticated Transfer Protocol) is an open, federated protocol for
               building social and identity applications. Unlike centralized platforms where one
@@ -74,7 +78,7 @@ export default function AboutPage() {
               layer. Your identity is yours — verifiable, portable, and independent of any single
               service.
             </p>
-            <p className="mt-4">
+            <p>
               Certified builds on AT Protocol to provide a managed, user-friendly entry point: you
               get the benefits of decentralized identity without needing to understand the
               underlying protocol or run your own infrastructure.
@@ -82,24 +86,17 @@ export default function AboutPage() {
           </section>
 
           <section>
-            <h2 className="font-mono text-xl text-navy mb-4">
-              Who operates Certified?
-            </h2>
+            <h2>Who operates Certified?</h2>
             <p>
               Certified is operated by the{" "}
-              <a
-                href="https://hypercerts.org"
-                target="_blank"
-                rel="noopener noreferrer"
-                className="text-blue-600 underline hover:text-blue-800"
-              >
+              <a href="https://hypercerts.org" target="_blank" rel="noopener noreferrer">
                 Hypercerts Foundation
               </a>
               , a Delaware nonstock corporation founded in February 2023. The Foundation develops
               open infrastructure for the hypercerts ecosystem — tools and protocols that help
               track, fund, and reward positive impact.
             </p>
-            <p className="mt-4">
+            <p>
               Certified was created because the hypercerts ecosystem needed a portable identity
               layer: a way for users to move between applications while keeping their profile,
               contributions, and reputation intact. Rather than build a proprietary login system,
@@ -109,71 +106,57 @@ export default function AboutPage() {
           </section>
 
           <section>
-            <h2 className="font-mono text-xl text-navy mb-4">
-              How is Certified different from &quot;Sign in with Google&quot;?
-            </h2>
+            <h2>How is Certified different from &ldquo;Sign in with Google&rdquo;?</h2>
             <p>
-              Both Certified and &quot;Sign in with Google&quot; let you use one account across
+              Both Certified and &ldquo;Sign in with Google&rdquo; let you use one account across
               multiple apps. The key difference is ownership and portability:
             </p>
-            <ul className="list-disc pl-6 mt-4 space-y-2">
+            <ul>
               <li>
                 <strong>With Google:</strong> Google controls your identity. If Google suspends
                 your account or changes their terms, you lose access to every app you signed into.
                 Your data stays with each individual app.
               </li>
               <li>
-                <strong>With Certified:</strong> Your identity is an AT Protocol identity — it&apos;s
-                cryptographically yours. You can export your data, migrate to another provider, or
-                even self-host. No single company can revoke your identity.
+                <strong>With Certified:</strong> Your identity is an AT Protocol identity —
+                it&apos;s cryptographically yours. You can export your data, migrate to another
+                provider, or even self-host. No single company can revoke your identity.
               </li>
             </ul>
           </section>
 
           <section>
-            <h2 className="font-mono text-xl text-navy mb-4">Open source</h2>
+            <h2>Open source</h2>
             <p>
               Every component of Certified is open source. The application code, the PDS
               infrastructure, and the protocol it builds on are all publicly auditable. You can
               review the source on{" "}
-              <a
-                href="https://github.com/hypercerts-org"
-                target="_blank"
-                rel="noopener noreferrer"
-                className="text-blue-600 underline hover:text-blue-800"
-              >
+              <a href="https://github.com/hypercerts-org" target="_blank" rel="noopener noreferrer">
                 GitHub
               </a>
               .
             </p>
-            <p className="mt-4">
+            <p>
               Security through transparency, not obscurity. If you find an issue, you can report
               it directly or submit a fix.
             </p>
           </section>
 
           <section>
-            <h2 className="font-mono text-xl text-navy mb-4">Infrastructure</h2>
+            <h2>Infrastructure</h2>
             <p>
               The Personal Data Servers operated by Certified are hosted on cloud infrastructure
               located within the European Union. The service is designed to comply with GDPR and
               the Digital Services Act.
             </p>
-            <p className="mt-4">
-              For more details, see our{" "}
-              <Link href="/privacy" className="text-blue-600 underline hover:text-blue-800">
-                Privacy Policy
-              </Link>{" "}
-              and{" "}
-              <Link href="/dsa" className="text-blue-600 underline hover:text-blue-800">
-                DSA Compliance
-              </Link>{" "}
-              page.
+            <p>
+              For more details, see our <Link href="/privacy">Privacy Policy</Link> and{" "}
+              <Link href="/dsa">DSA Compliance</Link> page.
             </p>
           </section>
 
           <section>
-            <h2 className="font-mono text-xl text-navy mb-4">Contact</h2>
+            <h2>Contact</h2>
             <p>
               <strong>Hypercerts Foundation</strong>
               <br />
@@ -183,54 +166,29 @@ export default function AboutPage() {
               <br />
               United States
             </p>
-            <p className="mt-4">
+            <p>
               Email:{" "}
-              <a
-                href="mailto:support@hypercerts.org"
-                className="text-blue-600 underline hover:text-blue-800"
-              >
-                support@hypercerts.org
-              </a>
+              <a href="mailto:support@hypercerts.org">support@hypercerts.org</a>
             </p>
-            <p className="mt-4">
-              <a
-                href="https://bsky.app/profile/hypercerts.org"
-                target="_blank"
-                rel="noopener noreferrer"
-                className="text-blue-600 underline hover:text-blue-800"
-              >
+            <p>
+              <a href="https://bsky.app/profile/hypercerts.org" target="_blank" rel="noopener noreferrer">
                 Bluesky
               </a>
               {" · "}
-              <a
-                href="https://x.com/hypercerts"
-                target="_blank"
-                rel="noopener noreferrer"
-                className="text-blue-600 underline hover:text-blue-800"
-              >
+              <a href="https://x.com/hypercerts" target="_blank" rel="noopener noreferrer">
                 Twitter/X
               </a>
               {" · "}
-              <a
-                href="https://www.linkedin.com/company/hypercerts"
-                target="_blank"
-                rel="noopener noreferrer"
-                className="text-blue-600 underline hover:text-blue-800"
-              >
+              <a href="https://www.linkedin.com/company/hypercerts" target="_blank" rel="noopener noreferrer">
                 LinkedIn
               </a>
               {" · "}
-              <a
-                href="https://github.com/hypercerts-org"
-                target="_blank"
-                rel="noopener noreferrer"
-                className="text-blue-600 underline hover:text-blue-800"
-              >
+              <a href="https://github.com/hypercerts-org" target="_blank" rel="noopener noreferrer">
                 GitHub
               </a>
             </p>
           </section>
-        </div>
+        </article>
       </div>
     </div>
   );
diff --git a/src/app/api/search-actors/route.ts b/src/app/api/search-actors/route.ts
index 121704a0..8e2c2272 100644
--- a/src/app/api/search-actors/route.ts
+++ b/src/app/api/search-actors/route.ts
@@ -1,44 +1,78 @@
 import { NextRequest, NextResponse } from "next/server"
-import { getAuthenticatedAgent } from "@/lib/groups/proxy-agent"
+
+const PUBLIC_BSKY_APPVIEW = "https://public.api.bsky.app"
+
+interface BskyActor {
+  did?: string
+  handle?: string
+  displayName?: string
+  avatar?: string
+}
+
+interface BskySearchResponse {
+  actors?: BskyActor[]
+}
 
 /**
  * GET /api/search-actors?q=<query>&limit=<n>
- * Search Bluesky actors by handle/name using typeahead.
+ *
+ * Searches atproto identities via the public Bluesky AppView. The endpoint is
+ * deliberately unauthenticated — `app.bsky.actor.searchActors` is a public read
+ * on the AppView, and we want the navbar typeahead to work for signed-out
+ * visitors too.
+ *
  * Returns: { actors: [{ did, handle, displayName, avatar }] }
  */
 export async function GET(request: NextRequest) {
-  try {
-    const auth = await getAuthenticatedAgent()
-    if (!auth)
-      return NextResponse.json({ error: "Not authenticated" }, { status: 401 })
+  const q = (request.nextUrl.searchParams.get("q") || "").trim()
+  const rawLimit = Number(request.nextUrl.searchParams.get("limit") || "8")
+  const limit = Math.min(Math.max(Number.isFinite(rawLimit) ? rawLimit : 8, 1), 25)
 
-    const q = request.nextUrl.searchParams.get("q") || ""
-    const limit = Math.min(Number(request.nextUrl.searchParams.get("limit") || "8"), 25)
+  if (!q) {
+    return NextResponse.json({ actors: [] })
+  }
 
-    if (!q.trim()) {
-      return NextResponse.json({ actors: [] })
-    }
+  try {
+    const url = new URL("/xrpc/app.bsky.actor.searchActors", PUBLIC_BSKY_APPVIEW)
+    url.searchParams.set("q", q)
+    url.searchParams.set("limit", String(limit))
 
-    // Use searchActors for comprehensive results (includes full profiles)
-    const result = await auth.agent.app.bsky.actor.searchActors({
-      q: q.trim(),
-      limit,
+    const res = await fetch(url.toString(), {
+      headers: { Accept: "application/json" },
+      // Reasonable upstream timeout — the AppView is normally fast.
+      signal: AbortSignal.timeout(5000),
     })
 
-    const actors = (result.data.actors || []).map((a) => ({
-      did: a.did,
-      handle: a.handle,
-      displayName: a.displayName || "",
-      avatar: a.avatar || null,
-    }))
+    if (!res.ok) {
+      // Sanitize 5xx upstream messages per AGENTS.md §17.
+      if (res.status >= 500) {
+        return NextResponse.json(
+          { error: "Search backend unavailable" },
+          { status: 502 }
+        )
+      }
+      const text = await res.text().catch(() => "")
+      return NextResponse.json(
+        { error: text || "Search failed" },
+        { status: res.status }
+      )
+    }
+
+    const data = (await res.json()) as BskySearchResponse
+    const actors = (data.actors ?? [])
+      .filter((a): a is BskyActor & { did: string; handle: string } =>
+        typeof a.did === "string" && typeof a.handle === "string"
+      )
+      .map((a) => ({
+        did: a.did,
+        handle: a.handle,
+        displayName: a.displayName || "",
+        avatar: a.avatar || null,
+      }))
 
     return NextResponse.json({ actors })
   } catch (err: unknown) {
-    console.error("Search actors error:", err)
-    const error = err as { message?: string }
-    return NextResponse.json(
-      { error: error?.message || "Search failed" },
-      { status: 500 }
-    )
+    console.error("[search-actors]", err)
+    return NextResponse.json({ error: "Internal server error" }, { status: 500 })
   }
 }
diff --git a/src/app/dsa/page.tsx b/src/app/dsa/page.tsx
index 8223481b..f538a6a5 100644
--- a/src/app/dsa/page.tsx
+++ b/src/app/dsa/page.tsx
@@ -17,23 +17,23 @@ export const metadata: Metadata = {
 
 export default function DsaPage() {
   return (
-    <div className="app-page">
-      <div className="app-page__inner max-w-3xl">
-        <h1 className="font-mono text-h1 text-navy tracking-tight mb-8">
+    <div className="prose-page">
+      <div className="prose-page__inner">
+        <h1 className="prose-page__title">
           Digital Services Act — Compliance Information
         </h1>
 
-        <p className="text-sm text-gray-500 mb-8">Last updated: March 15, 2026</p>
+        <p className="prose-page__meta">Last updated: March 15, 2026</p>
 
-        <div className="prose prose-navy max-w-none space-y-8">
+        <div className="prose-page__body">
           <section>
-            <h2 className="font-mono text-xl text-navy mb-4">1. About this page</h2>
+            <h2>1. About this page</h2>
             <p>
               This page provides information required under the Digital Services Act (Regulation
               (EU) 2022/2065) (&quot;DSA&quot;) regarding the hosting services operated by the
               Hypercerts Foundation in connection with Certified.
             </p>
-            <p className="mt-4">
+            <p>
               Certified operates AT Protocol Personal Data Servers (PDS) that store and serve
               identity records and associated user data. Under the DSA, this qualifies as a{" "}
               <strong>hosting service</strong> as defined in Article 3(g)(iii).
@@ -41,16 +41,16 @@ export default function DsaPage() {
           </section>
 
           <section>
-            <h2 className="font-mono text-xl text-navy mb-4">2. Service provider</h2>
+            <h2>2. Service provider</h2>
             <p>
               <strong>Hypercerts Foundation</strong>
               <br />A Delaware nonstock corporation
             </p>
-            <p className="mt-4">
+            <p>
               Contact:{" "}
               <a
                 href="mailto:legal@hypercerts.org"
-                className="text-blue-600 underline hover:text-blue-800"
+               
               >
                 legal@hypercerts.org
               </a>
@@ -58,21 +58,21 @@ export default function DsaPage() {
           </section>
 
           <section>
-            <h2 className="font-mono text-xl text-navy mb-4">
+            <h2>
               3. Legal representative in the European Union
             </h2>
             <p>
               In accordance with Article 13 of the DSA, the Hypercerts Foundation has designated
               the following legal representative in the European Union:
             </p>
-            <p className="mt-4">
+            <p>
               Holke Brammer
               <br />
               Holzmarktstraße 25, 10243 Berlin, Germany
               <br />
               <a
                 href="mailto:legal@hypercerts.org"
-                className="text-blue-600 underline hover:text-blue-800"
+               
               >
                 legal@hypercerts.org
               </a>
@@ -80,29 +80,29 @@ export default function DsaPage() {
           </section>
 
           <section>
-            <h2 className="font-mono text-xl text-navy mb-4">4. Point of contact</h2>
+            <h2>4. Point of contact</h2>
             <p>
               In accordance with Article 11 of the DSA, the single point of contact for
               communications with EU member state authorities, the European Commission, and the
               European Board for Digital Services is:
             </p>
-            <p className="mt-4">
+            <p>
               <a
                 href="mailto:legal@hypercerts.org"
-                className="text-blue-600 underline hover:text-blue-800"
+               
               >
                 legal@hypercerts.org
               </a>
             </p>
-            <p className="mt-4">Communications may be submitted in English.</p>
-            <p className="mt-4">
+            <p>Communications may be submitted in English.</p>
+            <p>
               The same address serves as the point of contact for recipients of the service in
               accordance with Article 12 of the DSA.
             </p>
           </section>
 
           <section>
-            <h2 className="font-mono text-xl text-navy mb-4">
+            <h2>
               5. Notice-and-action procedure
             </h2>
             <p>
@@ -115,18 +115,18 @@ export default function DsaPage() {
               How to submit a notice
             </h3>
             <p>Notices should be sent to:</p>
-            <p className="mt-2">
+            <p>
               <a
                 href="mailto:legal@hypercerts.org"
-                className="text-blue-600 underline hover:text-blue-800"
+               
               >
                 legal@hypercerts.org
               </a>
             </p>
-            <p className="mt-4">
+            <p>
               To enable effective processing, a notice should include:
             </p>
-            <ul className="list-disc pl-6 mt-2 space-y-2">
+            <ul>
               <li>
                 a sufficiently substantiated explanation of why the content is considered illegal
               </li>
@@ -163,14 +163,14 @@ export default function DsaPage() {
               </li>
               <li>Inform the notifier of the outcome of the notice.</li>
             </ol>
-            <p className="mt-4">Decisions are made on the basis of applicable law.</p>
-            <p className="mt-4">
+            <p>Decisions are made on the basis of applicable law.</p>
+            <p>
               The Hypercerts Foundation does not routinely monitor the information stored on
               Personal Data Servers and has{" "}
               <strong>no general obligation to monitor information</strong> stored through the
               services in accordance with Article 8 of the Digital Services Act.
             </p>
-            <p className="mt-4">
+            <p>
               The Hypercerts Foundation may take appropriate measures to address{" "}
               <strong>
                 manifestly unfounded notices or repeated abusive submissions
@@ -181,18 +181,18 @@ export default function DsaPage() {
           </section>
 
           <section>
-            <h2 className="font-mono text-xl text-navy mb-4">
+            <h2>
               6. Content restrictions
             </h2>
             <p>
               As described in the{" "}
-              <a href="/terms" className="text-blue-600 underline hover:text-blue-800">
+              <a href="/terms">
                 Terms of Service
               </a>
               , the Hypercerts Foundation may restrict access to content or suspend accounts in
               the following circumstances:
             </p>
-            <ul className="list-disc pl-6 mt-2 space-y-2">
+            <ul>
               <li>
                 to comply with legal obligations or respond to valid legal orders
               </li>
@@ -202,13 +202,13 @@ export default function DsaPage() {
                 in response to a valid notice submitted under this procedure
               </li>
             </ul>
-            <p className="mt-4">
+            <p>
               Certified operates as infrastructure within a federated network architecture.
               Content stored through Personal Data Servers may be replicated, cached, indexed, or
               displayed by independent servers or applications outside the control of the
               Hypercerts Foundation.
             </p>
-            <p className="mt-4">
+            <p>
               The Hypercerts Foundation does not apply editorial content policies, operate
               recommendation systems, or curate user content. Certified is infrastructure, not a
               social media platform.
@@ -216,7 +216,7 @@ export default function DsaPage() {
           </section>
 
           <section>
-            <h2 className="font-mono text-xl text-navy mb-4">
+            <h2>
               7. Statement of reasons
             </h2>
             <p>
@@ -224,7 +224,7 @@ export default function DsaPage() {
               access to content or suspends an account, it will provide the affected user with a
               clear and specific statement of reasons, including:
             </p>
-            <ul className="list-disc pl-6 mt-2 space-y-2">
+            <ul>
               <li>
                 the facts and circumstances relied on in making the decision
               </li>
@@ -240,29 +240,29 @@ export default function DsaPage() {
           </section>
 
           <section>
-            <h2 className="font-mono text-xl text-navy mb-4">
+            <h2>
               8. Internal complaint-handling
             </h2>
             <p>
               In accordance with Article 20 of the DSA, users who are affected by a content
               restriction or account suspension decision may submit a complaint to:
             </p>
-            <p className="mt-4">
+            <p>
               <a
                 href="mailto:legal@hypercerts.org"
-                className="text-blue-600 underline hover:text-blue-800"
+               
               >
                 legal@hypercerts.org
               </a>
             </p>
-            <p className="mt-4">
+            <p>
               Complaints will be processed in a timely and non-discriminatory manner. Users will
               be informed of the outcome and the reasoning behind the decision.
             </p>
           </section>
 
           <section>
-            <h2 className="font-mono text-xl text-navy mb-4">
+            <h2>
               9. Trusted flaggers
             </h2>
             <p>
@@ -273,13 +273,13 @@ export default function DsaPage() {
           </section>
 
           <section>
-            <h2 className="font-mono text-xl text-navy mb-4">10. Transparency</h2>
+            <h2>10. Transparency</h2>
             <p>
               The Hypercerts Foundation will publish{" "}
               <strong>annual transparency reports</strong> in accordance with Article 15 of the
               DSA, including information on:
             </p>
-            <ul className="list-disc pl-6 mt-2 space-y-2">
+            <ul>
               <li>
                 the number of orders received from EU member state authorities
               </li>
@@ -291,12 +291,12 @@ export default function DsaPage() {
           </section>
 
           <section>
-            <h2 className="font-mono text-xl text-navy mb-4">11. Limitation</h2>
+            <h2>11. Limitation</h2>
             <p>
               The Hypercerts Foundation is not responsible for content moderation decisions made by
               third-party applications that access data through the AT Protocol.
             </p>
-            <p className="mt-4">
+            <p>
               Moderation policies applied by other services are outside our control and do not
               reflect actions taken by the Hypercerts Foundation.
             </p>
diff --git a/src/app/globals.css b/src/app/globals.css
index 0392bf01..c4fd16a5 100644
--- a/src/app/globals.css
+++ b/src/app/globals.css
@@ -30,35 +30,51 @@
 
 :root {
   /* Core */
-  --color-primary: #111111;
-  --color-navy: #111111;
-  --color-accent: #5e5e5e;
+  --color-primary: #141413;
+  --color-navy: #141413;
+  --color-accent: #726a60;
   --color-white: #FFFFFF;
 
-  /* Neutrals */
-  --color-off-white: #f9f9f9;
-  --color-gray-100: #eeeeee;
-  --color-light-gray: #e2e2e2;
-  --color-mid-gray: #7e7576;
-  --color-dark-gray: #4c4546;
-
-  /* Surface hierarchy */
-  --color-surface: #f9f9f9;
-  --color-surface-container: #eeeeee;
-  --color-surface-container-low: #f3f3f3;
-  --color-surface-container-high: #e8e8e8;
+  /* Brand — "Certified editorial" palette (revised 2026-05, atproto-aligned).
+     Editorial vermillion red on near-white off-white. Inspired by classic
+     print and the open social internet. Sparingly applied: most surfaces
+     stay quiet, the red earns its place only on key affordances — italic
+     emphasis, eyebrow labels, numerals, dot accents, and the AT badge. */
+  --color-brand: #d04636;          /* editorial vermillion — the only accent */
+  --color-brand-hover: #b3382a;    /* darker for hover */
+  --color-brand-soft: #faeae5;     /* very soft tint background */
+  --color-brand-soft-hover: #f3d6cd;
+  --color-brand-tint: #f5dcd5;     /* badge / icon background */
+  --color-brand-text: #a3301f;     /* darker accent for text */
+
+  /* Neutrals — near-white page surface tuned to match the watercolor
+     blob PNG's #fefefe bounding box, so the hero diagram blends
+     seamlessly into the page. */
+  --color-off-white: #fefefe;      /* near-white page surface */
+  --color-gray-100: #f1efe8;       /* warm tonal step */
+  --color-light-gray: #e4e0d4;     /* warm hairline */
+  --color-mid-gray: #6e665c;       /* warm secondary text */
+  --color-dark-gray: #2a2622;      /* warm body text */
+
+  /* Surface hierarchy — page surface matches the watercolor PNG so its
+     rectangular bounds disappear; container tones above keep the warm
+     hierarchy for cards and inset surfaces. */
+  --color-surface: #fefefe;             /* page surface (near-white, matches blob bg) */
+  --color-surface-container: #f1efe8;   /* tonal step up */
+  --color-surface-container-low: #fdfdf9; /* lighter card */
+  --color-surface-container-high: #ebe7da;
 
   /* Accent Variations */
-  --color-accent-hover: #454747;
+  --color-accent-hover: #4a4540;
 
-  /* Borders */
-  --border-subtle: rgba(0, 0, 0, 0.04);
-  --border-light: rgba(0, 0, 0, 0.06);
-  --border-default: rgba(0, 0, 0, 0.08);
-  --border-medium: rgba(0, 0, 0, 0.1);
-  --border-hover: rgba(0, 0, 0, 0.15);
-  --border-hover-soft: rgba(0, 0, 0, 0.12);
-  --border-strong: rgba(0, 0, 0, 0.2);
+  /* Borders — warm-tinted to harmonize with the cream surface */
+  --border-subtle: rgba(50, 35, 20, 0.05);
+  --border-light: rgba(50, 35, 20, 0.07);
+  --border-default: rgba(50, 35, 20, 0.10);
+  --border-medium: rgba(50, 35, 20, 0.13);
+  --border-hover: rgba(50, 35, 20, 0.18);
+  --border-hover-soft: rgba(50, 35, 20, 0.14);
+  --border-strong: rgba(50, 35, 20, 0.22);
 
   /* Dark overlays */
   --navy-overlay-30: rgba(0, 0, 0, 0.3);
@@ -92,6 +108,25 @@
 
   /* Navbar */
   --navbar-height: 64px;
+
+  /* Shared landing container — single alignment line for navbar, hero,
+     hero pillars, all landing sections, and the footer. Slightly more
+     inset than the legacy 1480/1536 widths so the page reads as one
+     calm column on wide desktops. */
+  --container-max: 1280px;
+  --container-pad-x: 32px;
+}
+
+@media (max-width: 768px) {
+  :root {
+    --container-pad-x: 20px;
+  }
+}
+
+@media (max-width: 380px) {
+  :root {
+    --container-pad-x: 16px;
+  }
 }
 
 a:focus-visible,
@@ -112,7 +147,7 @@ button:focus-visible,
 body {
   font-family: var(--font-inter), system-ui, -apple-system, sans-serif;
   color: var(--color-dark-gray);
-  background: var(--color-primary); /* prevents white flash during auth loading transition */
+  background: var(--color-surface); /* warm cream — no flash, no cold white */
 }
 
 h1, h2, h3, h4, h5, h6 {
@@ -192,9 +227,9 @@ h1, h2, h3, h4, h5, h6 {
 }
 
 .navbar__inner {
-  max-width: 1536px;
+  max-width: var(--container-max);
   margin: 0 auto;
-  padding: 0 32px;
+  padding: 0 var(--container-pad-x);
   height: 100%;
   display: flex;
   align-items: center;
@@ -228,7 +263,7 @@ h1, h2, h3, h4, h5, h6 {
 .navbar__right {
   display: flex;
   align-items: center;
-  gap: 16px;
+  gap: 20px;
 }
 
 .navbar__signin {
@@ -239,22 +274,63 @@ h1, h2, h3, h4, h5, h6 {
   transition: opacity 200ms, transform 200ms;
 }
 
-.navbar__signin:hover {
-  opacity: 0.9;
-}
+.navbar__signin:hover { opacity: 0.9; }
+.navbar__signin:active { transform: scale(0.97); }
+.navbar__signin:focus-visible { outline: 2px solid var(--color-primary); outline-offset: 2px; }
+.navbar__signin-img { height: 36px; display: block; }
 
-.navbar__signin:active {
-  transform: scale(0.97);
+/* New: editorial "Sign in" text link + "Get started" CTA */
+.navbar__signin-link {
+  background: none;
+  border: none;
+  padding: 6px 4px;
+  font-family: var(--font-inter);
+  font-size: 0.9375rem;
+  font-weight: 500;
+  color: var(--color-primary);
+  cursor: pointer;
+  transition: color var(--transition-fast);
 }
-
-.navbar__signin:focus-visible {
+.navbar__signin-link:hover { color: var(--color-mid-gray); }
+.navbar__signin-link:focus-visible {
   outline: 2px solid var(--color-primary);
   outline-offset: 2px;
+  border-radius: 2px;
 }
+.navbar__cta { white-space: nowrap; }
 
-.navbar__signin-img {
-  height: 36px;
-  display: block;
+/* Centered editorial anchor nav (unauthenticated) */
+.navbar__public-links {
+  display: flex;
+  align-items: center;
+  gap: 32px;
+  flex: 1;
+  justify-content: center;
+  margin: 0 24px;
+}
+.navbar__public-link {
+  font-family: var(--font-inter);
+  font-size: 0.9375rem;
+  font-weight: 500;
+  color: var(--color-primary);
+  text-decoration: none;
+  padding: 6px 0;
+  transition: color var(--transition-fast);
+}
+.navbar__public-link:hover { color: var(--color-mid-gray); }
+@media (max-width: 900px) {
+  .navbar__public-links { display: none; }
+}
+@media (max-width: 520px) {
+  /* On small phones, drop the bare "Sign in" link in favour of just the
+     primary "Get started" CTA — saves horizontal room next to the logo. */
+  .navbar__signin-link { display: none; }
+  .navbar__cta { padding: 9px 14px; font-size: 0.8125rem; }
+  .navbar__beta-label { display: none; }
+}
+@media (max-width: 380px) {
+  /* .navbar__inner pad is owned by --container-pad-x at this breakpoint. */
+  .navbar__cta { padding: 8px 12px; font-size: 0.75rem; }
 }
 
 
@@ -388,31 +464,33 @@ h1, h2, h3, h4, h5, h6 {
   }
 }
 
-/* ========== Hero ========== */
+/* ========== Hero — editorial split ========== */
 .hero {
   position: relative;
-  min-height: 920px;
   display: flex;
-  align-items: center;
+  flex-direction: column;
   background: var(--color-surface);
   overflow: hidden;
-  padding: calc(var(--navbar-height) + 48px) 32px 48px;
+  padding: calc(var(--navbar-height) + 32px) 0 0;
 }
 
+.hero__glow { display: none; }
+
+/* Faded grid + concentric rings + corner diagonals — reads as a soft
+   architectural drawing behind the hero, echoing the original
+   certified.app/welcome backdrop. */
 .hero__pattern {
   position: absolute;
   inset: 0;
   z-index: 0;
-  opacity: 0.25;
+  opacity: 0.18;
   pointer-events: none;
   color: var(--color-primary);
 }
+.hero__pattern svg { width: 100%; height: 100%; }
 
-.hero__pattern svg {
-  width: 100%;
-  height: 100%;
-}
-
+/* Legacy centered layout — retained for backwards-compat in case any
+   sub-page uses .hero__inner. The landing page uses .hero__split. */
 .hero__inner {
   position: relative;
   z-index: 1;
@@ -422,6 +500,58 @@ h1, h2, h3, h4, h5, h6 {
   text-align: center;
 }
 
+.hero__split {
+  position: relative;
+  z-index: 1;
+  width: 100%;
+  max-width: var(--container-max);
+  margin: 0 auto;
+  padding: 24px var(--container-pad-x) 36px;
+  display: grid;
+  grid-template-columns: minmax(0, 0.95fr) minmax(0, 1.1fr);
+  gap: 32px;
+  align-items: center;
+}
+
+@media (max-width: 1024px) {
+  .hero__split {
+    grid-template-columns: 1fr;
+    gap: 56px;
+    padding: 32px var(--container-pad-x) 32px;
+  }
+}
+
+/* ── LEFT: typography column ───────────────────────────── */
+/* No internal left padding — the hero text aligns to the same vertical
+   line as the navbar, hero pillars, and every landing-section below. */
+.hero__copy {
+  position: relative;
+  display: flex;
+  align-items: stretch;
+  gap: 28px;
+}
+
+@media (max-width: 1024px) {
+  .hero__copy { gap: 20px; }
+}
+
+.hero__copy-inner {
+  flex: 1;
+  min-width: 0;
+  text-align: left;
+}
+
+.hero__eyebrow {
+  display: inline-block;
+  font-family: var(--font-headline), "IBM Plex Mono", ui-monospace, monospace;
+  font-size: 0.75rem;
+  font-weight: 500;
+  letter-spacing: 0.22em;
+  text-transform: uppercase;
+  color: var(--color-brand);
+  margin-bottom: 24px;
+}
+
 .hero__label {
   display: block;
   font-size: 0.875rem;
@@ -432,38 +562,149 @@ h1, h2, h3, h4, h5, h6 {
   margin-bottom: 24px;
 }
 
+/* Pill chip above the headline. MaEarth-style: cream surface with a
+   warm hairline border. The dot is the one place the sienna accent
+   appears in the hero. */
+.hero__chip {
+  display: inline-flex;
+  align-items: center;
+  gap: 10px;
+  padding: 7px 16px 7px 12px;
+  margin-bottom: 36px;
+  border-radius: 999px;
+  background: var(--color-surface-container-low);
+  color: var(--color-primary);
+  font-size: 0.8125rem;
+  font-weight: 500;
+  letter-spacing: 0.02em;
+  text-decoration: none;
+  border: 1px solid var(--color-light-gray);
+  transition: border-color var(--transition-base), background var(--transition-base);
+}
+.hero__chip:hover {
+  border-color: var(--border-medium);
+  background: var(--color-white);
+}
+.hero__chip-dot {
+  width: 6px;
+  height: 6px;
+  border-radius: 50%;
+  background: var(--color-brand);
+}
+.hero__chip-arrow {
+  font-size: 0.875rem;
+  color: var(--color-mid-gray);
+  transition: transform var(--transition-fast), color var(--transition-fast);
+}
+.hero__chip:hover .hero__chip-arrow {
+  transform: translateX(2px);
+  color: var(--color-primary);
+}
+
+/* Trust microcopy sitting under the primary CTA. Quiet: no badges,
+   no colored circles — just text with hairline separators. */
+.hero__trust {
+  list-style: none;
+  padding: 0;
+  margin: 28px 0 0;
+  display: flex;
+  gap: 0;
+  flex-wrap: wrap;
+  justify-content: center;
+  font-size: 0.8125rem;
+  color: var(--color-mid-gray);
+}
+.hero__trust li {
+  display: inline-flex;
+  align-items: center;
+  padding: 0 18px;
+  border-right: 1px solid var(--color-light-gray);
+}
+.hero__trust li:last-child {
+  border-right: none;
+}
+.hero__trust-check {
+  display: none; /* the hairline separators carry the rhythm now */
+}
+
+/* Hero headline — atproto.com-style: uppercase IBM Plex Mono with very
+   tight tracking. Mono glyphs are wider than the previous serif, so the
+   font-size is dialed down a touch and tracking is negative to keep the
+   block tight. */
 .hero__title {
-  font-family: var(--font-headline), 'Noto Serif', serif;
+  font-family: var(--font-headline), "IBM Plex Mono", ui-monospace, monospace;
   color: var(--color-primary);
-  font-size: clamp(5rem, 7vw + 1rem, 7rem);
-  font-weight: 700;
-  line-height: 0.9;
-  letter-spacing: -0.02em;
-  margin-bottom: 32px;
+  font-size: clamp(2.5rem, 4vw + 0.25rem, 4.25rem);
+  font-weight: 500;
+  line-height: 1.05;
+  letter-spacing: -0.045em;
+  text-transform: uppercase;
+  margin: 0 0 24px;
+  text-align: left;
 }
 
+/* Italic accent word — same Plex Mono family, italic, brand color. The
+   `lowercase` override lets the accent word read as a soft counterpoint
+   to the otherwise all-caps title. */
 .hero__title-accent {
-  font-family: var(--font-serif-alt), 'Instrument Serif', serif;
+  font-family: var(--font-serif-alt), "IBM Plex Mono", ui-monospace, monospace;
   font-style: italic;
   font-weight: 400;
+  color: var(--color-brand);
+  letter-spacing: -0.03em;
+  text-transform: lowercase;
 }
 
 .hero__subtitle {
   color: var(--color-dark-gray);
-  font-size: clamp(1.125rem, 1.5vw + 0.5rem, 1.5rem);
+  font-size: 1.0625rem;
   line-height: 1.6;
   font-weight: 400;
-  max-width: 640px;
-  margin-left: auto;
-  margin-right: auto;
-  margin-bottom: 48px;
+  max-width: 460px;
+  margin: 0 0 32px;
+  text-align: left;
 }
 
 .hero__actions {
-  display: flex;
-  gap: 24px;
+  display: inline-flex;
+  align-items: stretch;
+  gap: 0;
   flex-wrap: wrap;
+  margin-bottom: 28px;
+}
+
+/* Editorial AT Protocol footnote */
+.hero__footnote {
+  display: inline-flex;
+  align-items: center;
+  gap: 12px;
+  font-size: 0.875rem;
+  color: var(--color-mid-gray);
+  margin: 0;
+}
+.hero__footnote-mark {
+  display: inline-flex;
+  align-items: center;
   justify-content: center;
+  width: 22px;
+  height: 22px;
+  border-radius: 999px;
+  border: 1px solid var(--color-light-gray);
+  font-size: 0.75rem;
+  color: var(--color-mid-gray);
+  background: var(--color-surface-container-low);
+}
+.hero__footnote-link {
+  color: var(--color-brand);
+  text-decoration: none;
+  font-weight: 500;
+  transition: color var(--transition-fast);
+}
+.hero__footnote-link:hover { color: var(--color-brand-hover); }
+.hero__footnote-link:focus-visible {
+  outline: 2px solid var(--color-brand);
+  outline-offset: 2px;
+  border-radius: 2px;
 }
 
 .hero__btn-primary {
@@ -494,185 +735,710 @@ h1, h2, h3, h4, h5, h6 {
   outline: 2px solid var(--color-primary);
   outline-offset: 2px;
 }
-
-.hero__btn-arrow {
-  font-size: 1.25rem;
+
+.hero__btn-arrow {
+  font-size: 1.25rem;
+}
+
+.hero__btn-secondary {
+  display: inline-flex;
+  align-items: center;
+  gap: 8px;
+  padding: 18px 40px;
+  font-size: 1.125rem;
+  font-weight: 500;
+  color: var(--color-primary);
+  background: transparent;
+  border: none;
+  border-bottom: 2px solid transparent;
+  cursor: pointer;
+  transition: all var(--transition-fast);
+  text-decoration: none;
+}
+
+.hero__btn-secondary:hover {
+  border-bottom-color: var(--color-primary);
+}
+
+.hero__btn-secondary:focus-visible {
+  outline: 2px solid var(--color-primary);
+  outline-offset: 2px;
+}
+
+.hero__btn-signin {
+  background: none;
+  border: none;
+  padding: 0;
+  cursor: pointer;
+  transition: opacity 200ms, transform 200ms;
+}
+
+.hero__btn-signin:hover {
+  opacity: 0.9;
+}
+
+.hero__btn-signin:active {
+  transform: scale(0.97);
+}
+
+.hero__btn-signin-img {
+  height: 48px;
+  display: block;
+}
+
+.hero__btn-icon {
+  width: 28px;
+  height: 28px;
+  border-radius: var(--radius);
+  flex-shrink: 0;
+}
+
+/* Hero reveal animation */
+@keyframes fadeUp {
+  from {
+    opacity: 0;
+    transform: translateY(16px);
+  }
+  to {
+    opacity: 1;
+    transform: translateY(0);
+  }
+}
+
+.hero-reveal {
+  opacity: 0;
+  animation: fadeUp 500ms cubic-bezier(0.16, 1, 0.3, 1) forwards;
+}
+
+.hero__inner > .hero-reveal:nth-child(1) { animation-delay: 0ms; }
+.hero__inner > .hero-reveal:nth-child(2) { animation-delay: 80ms; }
+.hero__inner > .hero-reveal:nth-child(3) { animation-delay: 160ms; }
+.hero__inner > .hero-reveal:nth-child(4) { animation-delay: 240ms; }
+.hero__inner > .hero-reveal:nth-child(5) { animation-delay: 320ms; }
+.hero__inner > .hero__label { animation: fadeUp 500ms cubic-bezier(0.16, 1, 0.3, 1) forwards; }
+.hero__inner > .hero__title { animation: fadeUp 500ms 50ms cubic-bezier(0.16, 1, 0.3, 1) forwards; opacity: 0; }
+.hero__inner > .hero__subtitle { animation: fadeUp 500ms 150ms cubic-bezier(0.16, 1, 0.3, 1) forwards; opacity: 0; }
+
+@media (prefers-reduced-motion: reduce) {
+  .hero-reveal,
+  .hero__inner > .hero__label,
+  .hero__inner > .hero__title,
+  .hero__inner > .hero__subtitle {
+    animation: none;
+    opacity: 1;
+    transform: none;
+  }
+}
+
+/* Hero landing modifier — sized to roughly fit the editorial split + pillars
+   above-the-fold on a typical desktop. */
+.hero--landing {
+  min-height: auto;
+}
+
+@media (max-width: 768px) {
+  .hero {
+    padding: calc(var(--navbar-height) + 24px) 0 0;
+  }
+  .hero__split {
+    padding: 24px var(--container-pad-x);
+    gap: 40px;
+  }
+}
+
+/* ── RIGHT: identity diagram ───────────────────────────── */
+/* No internal right padding — the diagram column hugs the same shared
+   alignment line on the right that the typography column hugs on the
+   left, so the watercolor blob and the rail sit flush with the page
+   gutter. */
+.hero__visual {
+  position: relative;
+  width: 100%;
+  display: flex;
+  align-items: stretch;
+  justify-content: center;
+  gap: 20px;
+}
+
+.hero__rail--right {
+  display: flex;
+  flex-direction: column;
+  align-items: center;
+  justify-content: center;
+  flex-shrink: 0;
+  width: 32px;
+  padding: 4px 0;
+  gap: 18px;
+}
+.hero__rail-eyebrow {
+  writing-mode: vertical-rl;
+  transform: rotate(180deg);
+  font-family: var(--font-inter);
+  font-size: 0.6875rem;
+  font-weight: 600;
+  letter-spacing: 0.32em;
+  color: var(--color-primary);
+  text-transform: uppercase;
+}
+.hero__rail-redseal {
+  width: 7px;
+  height: 7px;
+  border-radius: 50%;
+  background: var(--color-brand);
+  flex-shrink: 0;
+}
+.hero__rail-text--right {
+  writing-mode: vertical-rl;
+  transform: rotate(180deg);
+  font-family: var(--font-headline), "IBM Plex Mono", ui-monospace, monospace;
+  font-size: 0.75rem;
+  color: var(--color-mid-gray);
+  letter-spacing: 0.04em;
+  font-style: italic;
+}
+@media (max-width: 1024px) {
+  .hero__visual { padding-right: 0; }
+  .hero__rail--right { display: none; }
+}
+
+.hero-diagram {
+  position: relative;
+  width: 100%;
+  max-width: 720px;
+  aspect-ratio: 1.2 / 1;
+  margin: 0 auto;
+}
+
+.hero-diagram__rail {
+  position: absolute;
+  top: 50%;
+  right: -16px;
+  transform: translateY(-50%);
+  display: flex;
+  flex-direction: column;
+  align-items: center;
+  gap: 14px;
+  z-index: 4;
+}
+.hero-diagram__rail-eyebrow {
+  writing-mode: vertical-rl;
+  font-family: var(--font-inter);
+  font-size: 0.6875rem;
+  font-weight: 600;
+  letter-spacing: 0.32em;
+  color: var(--color-primary);
+}
+.hero-diagram__rail-dot {
+  width: 6px;
+  height: 6px;
+  border-radius: 50%;
+  background: var(--color-brand);
+}
+.hero-diagram__rail-text {
+  writing-mode: vertical-rl;
+  font-family: var(--font-headline), "IBM Plex Mono", ui-monospace, monospace;
+  font-size: 0.75rem;
+  color: var(--color-mid-gray);
+  letter-spacing: 0.04em;
+}
+@media (max-width: 1024px) { .hero-diagram__rail { display: none; } }
+
+.hero-diagram__caption {
+  position: absolute;
+  bottom: 4%;
+  left: 50%;
+  transform: translateX(-50%);
+  margin: 0;
+  font-size: 0.8125rem;
+  color: var(--color-mid-gray);
+  text-align: center;
+  line-height: 1.5;
+  z-index: 3;
+}
+
+.hero-diagram__blob {
+  position: absolute;
+  top: 50%;
+  left: 50%;
+  transform: translate(-50%, -50%);
+  width: 58%;
+  height: auto;
+  aspect-ratio: 1 / 1;
+  z-index: 0;
+  pointer-events: none;
+  /* The PNG has a real alpha channel (white paper baked out via
+     `255 - min(r,g,b)`), so the cream surface and grid pattern show
+     through cleanly behind the blob — no blend mode needed.
+     Opacity tuned down so the circle reads as a quiet wash. */
+  opacity: 0.65;
+}
+
+.hero-diagram__card {
+  position: absolute;
+  top: 50%;
+  left: 50%;
+  transform: translate(-50%, -55%);
+  width: 36%;
+  min-width: 230px;
+  background: #ffffff;
+  border: 1px solid var(--color-light-gray);
+  border-radius: 4px;
+  padding: 22px 20px 24px;
+  display: flex;
+  flex-direction: column;
+  align-items: center;
+  z-index: 2;
+  box-shadow: 0 12px 32px rgba(20, 20, 19, 0.05), 0 1px 0 rgba(255,255,255,0.5) inset;
+}
+
+.hero-diagram__card-globe {
+  width: 56px;
+  height: 56px;
+  border-radius: 50%;
+  border: 1px solid var(--color-light-gray);
+  background: var(--color-surface-container-low);
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  color: #4a6fa5;
+  margin-bottom: 14px;
+}
+
+.hero-diagram__card-name {
+  font-family: var(--font-headline), "IBM Plex Mono", ui-monospace, monospace;
+  font-size: 1.0625rem;
+  font-weight: 600;
+  color: var(--color-primary);
+  margin: 0 0 4px;
+  letter-spacing: -0.01em;
+}
+.hero-diagram__card-uri {
+  font-family: var(--font-inter);
+  font-size: 0.6875rem;
+  color: var(--color-mid-gray);
+  margin: 0 0 14px;
+  letter-spacing: 0.04em;
+}
+.hero-diagram__card-did {
+  display: inline-flex;
+  align-items: center;
+  gap: 6px;
+  padding: 5px 10px;
+  background: var(--color-surface-container);
+  border-radius: 4px;
+  font-family: ui-monospace, "SF Mono", Menlo, monospace;
+  font-size: 0.6875rem;
+  color: var(--color-dark-gray);
+  margin-bottom: 14px;
+}
+.hero-diagram__card-did svg { color: var(--color-mid-gray); cursor: pointer; }
+
+.hero-diagram__lock {
+  position: absolute;
+  bottom: 14%;
+  left: 50%;
+  transform: translateX(-50%);
+  width: 36px;
+  height: 36px;
+  border-radius: 50%;
+  background: #2a2622;
+  color: var(--color-surface);
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  z-index: 3;
+  box-shadow: 0 4px 12px rgba(0,0,0,0.18);
+}
+
+/* Partner app cards */
+.hero-diagram__app {
+  position: absolute;
+  display: inline-flex;
+  align-items: center;
+  gap: 10px;
+  padding: 10px 14px;
+  background: #ffffff;
+  border: 1px solid var(--color-light-gray);
+  border-radius: 4px;
+  font-family: var(--font-inter);
+  font-size: 0.875rem;
+  color: var(--color-primary);
+  font-weight: 500;
+  z-index: 2;
+  white-space: nowrap;
+  box-shadow: 0 1px 0 rgba(255,255,255,0.6) inset;
+}
+.hero-diagram__app-icon {
+  display: inline-flex;
+  align-items: center;
+  justify-content: center;
+  color: var(--color-primary);
+}
+
+/* Bluesky butterfly logo — keep its native sky-blue fill instead of
+   inheriting the primary ink color the other inline icons use. */
+.hero-diagram__app-icon--bluesky img {
+  width: 16px;
+  height: 16px;
+  display: block;
+}
+
+/* Open "Your app" slot — visibly different from the named partner
+   cards: dashed warm hairline + muted text + sienna plus icon, so it
+   reads as an invitation rather than a real product card. */
+.hero-diagram__app--placeholder {
+  background: transparent;
+  border-style: dashed;
+  border-color: var(--border-medium);
+  color: var(--color-mid-gray);
+  box-shadow: none;
+  font-style: italic;
+}
+.hero-diagram__app--placeholder .hero-diagram__app-icon {
+  color: var(--color-brand);
+}
+
+.hero-diagram__app--lt { top: 24%; left: 2%; }
+.hero-diagram__app--lm { top: 47%; left: 2%; }
+.hero-diagram__app--lb { top: 70%; left: 2%; }
+.hero-diagram__app--rt { top: 24%; right: 2%; }
+.hero-diagram__app--rm { top: 47%; right: 2%; }
+.hero-diagram__app--rb { top: 70%; right: 2%; }
+
+/* Mobile diagram — simplified: hide partner cards + connector lines,
+   show just the central identity card + caption inside a softened blob. */
+@media (max-width: 768px) {
+  .hero-diagram {
+    max-width: 360px;
+    aspect-ratio: 1 / 1.1;
+    margin-top: 24px;
+  }
+  .hero-diagram__app { display: none; }
+  .hero-diagram__caption { bottom: 8%; font-size: 0.75rem; }
+  .hero-diagram__card {
+    width: 80%;
+    min-width: 0;
+    padding: 24px 20px 28px;
+    transform: translate(-50%, -55%);
+  }
+  .hero-diagram__card-globe { width: 52px; height: 52px; margin-bottom: 12px; }
+  .hero-diagram__card-name { font-size: 1rem; }
+  .hero-diagram__card-uri { font-size: 0.6875rem; margin-bottom: 10px; }
+  .hero-diagram__card-did { font-size: 0.625rem; padding: 4px 8px; margin-bottom: 12px; }
+  .hero-diagram__lock { bottom: 16%; width: 30px; height: 30px; }
+  .hero-diagram__blob { width: 90%; height: 80%; }
+}
+
+/* ── Three-pillar strip ─────────────────────────────── */
+.hero-pillars {
+  position: relative;
+  z-index: 1;
+  width: 100%;
+  border-top: 1px solid var(--color-light-gray);
+  background: var(--color-surface);
+}
+.hero-pillars__inner {
+  max-width: var(--container-max);
+  margin: 0 auto;
+  padding: 32px var(--container-pad-x);
+  display: grid;
+  grid-template-columns: repeat(3, 1fr);
+  gap: 0;
+}
+.hero-pillar {
+  position: relative;
+  display: grid;
+  grid-template-columns: auto auto 1fr;
+  align-items: start;
+  gap: 16px;
+  padding: 8px 32px;
+  border-right: 1px solid var(--color-light-gray);
+}
+/* First/last pillars hug the container edge so the leftmost icon and
+   the rightmost text both sit on the shared alignment line. */
+.hero-pillar:first-child { padding-left: 0; }
+.hero-pillar:last-child { padding-right: 0; border-right: none; }
+.hero-pillar__icon {
+  width: 44px;
+  height: 44px;
+  border-radius: 50%;
+  border: 1.25px solid var(--color-primary);
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  color: var(--color-primary);
+  flex-shrink: 0;
+}
+.hero-pillar__num {
+  font-family: var(--font-serif-alt), "IBM Plex Mono", ui-monospace, monospace;
+  font-style: italic;
+  font-size: 1.625rem;
+  font-weight: 400;
+  color: var(--color-brand);
+  line-height: 1;
+  margin-top: 4px;
+}
+.hero-pillar__body { min-width: 0; }
+.hero-pillar__body h3 {
+  font-family: var(--font-headline), "IBM Plex Mono", ui-monospace, monospace;
+  font-size: 1.0625rem;
+  font-weight: 600;
+  color: var(--color-primary);
+  margin: -2px 0 4px;
+  letter-spacing: -0.005em;
+}
+.hero-pillar__lede {
+  font-size: 0.8125rem;
+  font-weight: 500;
+  color: var(--color-primary);
+  margin: 0 0 4px;
+}
+.hero-pillar__body p:not(.hero-pillar__lede) {
+  font-size: 0.8125rem;
+  color: var(--color-mid-gray);
+  line-height: 1.5;
+  margin: 0;
+  max-width: 28ch;
+}
+@media (max-width: 1024px) {
+  .hero-pillars__inner { gap: 24px; }
+  .hero-pillar { padding: 8px 16px; }
+  .hero-pillar:first-child { padding-left: 0; }
+  .hero-pillar:last-child { padding-right: 0; }
+  .hero-pillar__num { font-size: 1.375rem; }
+}
+@media (max-width: 768px) {
+  .hero-pillars__inner {
+    grid-template-columns: 1fr;
+  }
+  .hero-pillar {
+    border-right: none;
+    border-bottom: 1px solid var(--color-light-gray);
+    padding: 16px 0;
+  }
+  .hero-pillar:first-child { padding-left: 0; padding-top: 8px; }
+  .hero-pillar:last-child { padding-right: 0; border-bottom: none; }
 }
 
-.hero__btn-secondary {
+/* ── Shared editorial buttons (used across the site) ─────────── */
+.btn {
   display: inline-flex;
   align-items: center;
-  gap: 8px;
-  padding: 18px 40px;
-  font-size: 1.125rem;
+  justify-content: center;
+  gap: 12px;
+  padding: 13px 22px;
+  font-family: var(--font-inter);
+  font-size: 0.9375rem;
   font-weight: 500;
-  color: var(--color-primary);
-  background: transparent;
-  border: none;
-  border-bottom: 2px solid transparent;
+  line-height: 1;
+  letter-spacing: -0.005em;
+  border-radius: 4px;
   cursor: pointer;
-  transition: all var(--transition-fast);
   text-decoration: none;
+  transition: background var(--transition-fast), border-color var(--transition-fast), color var(--transition-fast), transform var(--transition-fast), opacity var(--transition-fast);
+  border: 1px solid transparent;
+  white-space: nowrap;
 }
-
-.hero__btn-secondary:hover {
-  border-bottom-color: var(--color-primary);
-}
-
-.hero__btn-secondary:focus-visible {
-  outline: 2px solid var(--color-primary);
-  outline-offset: 2px;
-}
-
-.hero__btn-signin {
-  background: none;
-  border: none;
-  padding: 0;
-  cursor: pointer;
-  transition: opacity 200ms, transform 200ms;
-}
-
-.hero__btn-signin:hover {
-  opacity: 0.9;
-}
-
-.hero__btn-signin:active {
-  transform: scale(0.97);
+.btn .btn__arrow {
+  transition: transform var(--transition-fast);
 }
+.btn:hover .btn__arrow { transform: translateX(2px); }
+.btn:active { transform: scale(0.98); }
+.btn:focus-visible { outline: 2px solid var(--color-primary); outline-offset: 2px; }
 
-.hero__btn-signin-img {
-  height: 48px;
-  display: block;
+.btn--primary {
+  background: var(--color-primary);
+  color: var(--color-surface);
+  border-color: var(--color-primary);
 }
+.btn--primary:hover { background: #000; border-color: #000; }
+.btn--primary:disabled { opacity: 0.5; cursor: not-allowed; }
 
-.hero__btn-icon {
-  width: 28px;
-  height: 28px;
-  border-radius: var(--radius);
-  flex-shrink: 0;
+.btn--secondary {
+  background: transparent;
+  color: var(--color-primary);
+  border-color: var(--color-primary);
 }
-
-/* Hero reveal animation */
-@keyframes fadeUp {
-  from {
-    opacity: 0;
-    transform: translateY(16px);
-  }
-  to {
-    opacity: 1;
-    transform: translateY(0);
-  }
+.btn--secondary:hover {
+  background: var(--color-primary);
+  color: var(--color-surface);
 }
 
-.hero-reveal {
-  opacity: 0;
-  animation: fadeUp 500ms cubic-bezier(0.16, 1, 0.3, 1) forwards;
+.btn--ghost {
+  background: transparent;
+  color: var(--color-primary);
+  border-color: transparent;
 }
+.btn--ghost:hover { background: var(--color-surface-container); }
 
-.hero__inner > .hero-reveal:nth-child(1) { animation-delay: 0ms; }
-.hero__inner > .hero-reveal:nth-child(2) { animation-delay: 100ms; }
-.hero__inner > .hero-reveal:nth-child(3) { animation-delay: 200ms; }
-.hero__inner > .hero__label { animation: fadeUp 500ms cubic-bezier(0.16, 1, 0.3, 1) forwards; }
-.hero__inner > .hero__title { animation: fadeUp 500ms 50ms cubic-bezier(0.16, 1, 0.3, 1) forwards; opacity: 0; }
-.hero__inner > .hero__subtitle { animation: fadeUp 500ms 150ms cubic-bezier(0.16, 1, 0.3, 1) forwards; opacity: 0; }
-
-@media (prefers-reduced-motion: reduce) {
-  .hero-reveal,
-  .hero__inner > .hero__label,
-  .hero__inner > .hero__title,
-  .hero__inner > .hero__subtitle {
-    animation: none;
-    opacity: 1;
-    transform: none;
-  }
+.btn--brand {
+  background: var(--color-brand);
+  color: var(--color-surface);
+  border-color: var(--color-brand);
 }
+.btn--brand:hover { background: var(--color-brand-hover); border-color: var(--color-brand-hover); }
 
-/* Hero landing modifier — full-viewport */
-.hero--landing {
-  min-height: 100vh;
-}
+.btn--sm { padding: 9px 16px; font-size: 0.8125rem; gap: 8px; }
+.btn--lg { padding: 16px 28px; font-size: 1rem; gap: 14px; }
+.btn--block { display: flex; width: 100%; }
 
-@media (max-width: 768px) {
-  .hero {
-    padding: calc(var(--navbar-height) + 32px) 20px 32px;
-    min-height: auto;
-  }
-  .hero--landing {
-    min-height: 100vh;
-  }
+/* Spacing tweak when btn pair sits on the hero */
+.hero__actions .btn + .btn { margin-left: 12px; }
+@media (max-width: 480px) {
+  .hero__actions { flex-direction: column; align-items: stretch; }
+  .hero__actions .btn + .btn { margin-left: 0; margin-top: 12px; }
 }
 
-/* ========== Landing Footer ========== */
+/* ========== Landing Footer (multi-column redesign) ========== */
+/* Same pattern as the landing sections: outer keeps vertical padding
+   only, inner owns horizontal padding so the footer sits on the same
+   alignment line as everything above it. */
 .landing-footer {
   background: var(--color-surface-container-low);
-  padding: 24px 32px;
+  padding: 64px 0 24px;
+  border-top: 1px solid var(--border-light);
 }
 
-.landing-footer__bar {
-  max-width: 1536px;
+.landing-footer__inner {
+  max-width: var(--container-max);
   margin: 0 auto;
-  display: flex;
-  align-items: flex-end;
-  justify-content: space-between;
+  display: grid;
+  grid-template-columns: minmax(260px, 1.2fr) minmax(0, 2fr);
+  gap: 48px;
+  padding: 0 var(--container-pad-x) 48px;
+  border-bottom: 1px solid var(--border-light);
 }
 
-.landing-footer__left {
+.landing-footer__brand {
   display: flex;
   flex-direction: column;
   gap: 16px;
+  max-width: 320px;
 }
 
 .landing-footer__logo-img {
-  height: 18px;
+  height: 22px;
   width: auto;
   display: block;
   object-fit: contain;
   object-position: left;
 }
 
-.landing-footer__copy {
-  font-size: 0.6875rem;
+.landing-footer__tagline {
+  font-size: 0.875rem;
+  line-height: 1.6;
   color: var(--color-mid-gray);
+  margin: 0;
 }
 
-.landing-footer__links {
-  display: flex;
-  gap: 0;
+/* Subtle pill linking out to atproto.com. Cream surface, hairline
+   border, only the dot carries the sienna accent. */
+.landing-footer__atproto {
+  display: inline-flex;
+  align-items: center;
+  gap: 8px;
+  align-self: flex-start;
+  margin-top: 8px;
+  padding: 6px 14px;
+  border-radius: 999px;
+  background: transparent;
+  border: 1px solid var(--color-light-gray);
+  color: var(--color-mid-gray);
+  font-size: 0.75rem;
+  font-weight: 500;
+  text-decoration: none;
+  transition: border-color var(--transition-fast), color var(--transition-fast);
+}
+.landing-footer__atproto:hover {
+  border-color: var(--border-medium);
+  color: var(--color-primary);
+}
+.landing-footer__atproto-dot {
+  width: 5px;
+  height: 5px;
+  border-radius: 50%;
+  background: var(--color-brand);
+}
+
+.landing-footer__nav {
+  display: grid;
+  grid-template-columns: repeat(3, minmax(120px, 1fr));
+  gap: 32px;
 }
 
-.landing-footer__links a + a {
-  margin-left: 16px;
-  padding-left: 16px;
-  border-left: 1px solid var(--color-light-gray);
+.landing-footer__col {
+  display: flex;
+  flex-direction: column;
+  gap: 12px;
 }
 
-.landing-footer__links a {
+.landing-footer__heading {
   font-size: 0.6875rem;
+  font-weight: 600;
+  letter-spacing: 0.12em;
+  text-transform: uppercase;
+  color: var(--color-primary);
+  margin: 0 0 4px;
+}
+
+.landing-footer__col a {
+  font-size: 0.875rem;
   color: var(--color-mid-gray);
   text-decoration: none;
   transition: color var(--transition-fast);
 }
-
-.landing-footer__links a:hover {
+.landing-footer__col a:hover {
   color: var(--color-primary);
 }
 
+.landing-footer__bottom {
+  max-width: var(--container-max);
+  margin: 0 auto;
+  padding: 24px var(--container-pad-x) 0;
+  display: flex;
+  align-items: center;
+  gap: 16px;
+  font-size: 0.75rem;
+  color: var(--color-mid-gray);
+}
+
+.landing-footer__bottom-spacer {
+  flex: 1;
+}
+
+.landing-footer__bottom-meta {
+  font-size: 0.75rem;
+  color: var(--color-mid-gray);
+}
+
+.landing-footer__copy {
+  font-size: 0.75rem;
+  color: var(--color-mid-gray);
+}
+
 @media (max-width: 768px) {
   .landing-footer {
-    padding: 24px 20px;
+    padding: 48px 0 20px;
   }
-  .landing-footer__bar {
-    flex-direction: column;
-    align-items: center;
-    gap: 0;
+  .landing-footer__inner {
+    grid-template-columns: 1fr;
+    gap: 40px;
+    padding-bottom: 32px;
   }
-  .landing-footer__left {
-    align-items: center;
-    text-align: center;
-    margin-bottom: 12px;
+  .landing-footer__nav {
+    grid-template-columns: repeat(3, 1fr);
+    gap: 16px;
+  }
+  .landing-footer__bottom {
+    flex-direction: column;
+    align-items: flex-start;
+    gap: 8px;
   }
-  .landing-footer__links {
-    margin-top: 4px;
+}
+
+@media (max-width: 480px) {
+  .landing-footer__nav {
+    grid-template-columns: repeat(2, 1fr);
   }
 }
 
@@ -778,8 +1544,8 @@ h1, h2, h3, h4, h5, h6 {
 }
 
 .signin-modal__input:focus {
-  border-color: var(--color-focus-green);
-  box-shadow: 0 0 0 3px rgba(148, 187, 81, 0.15);
+  border-color: var(--color-brand);
+  box-shadow: 0 0 0 3px rgba(194, 57, 44, 0.12);
 }
 
 .signin-modal__input:disabled {
@@ -1173,11 +1939,123 @@ h1, h2, h3, h4, h5, h6 {
   }
 }
 
+/* ========== Editorial prose page (about, terms, privacy, dsa) ========== */
+.prose-page {
+  padding-top: var(--navbar-height);
+  min-height: 100vh;
+  background: var(--color-surface);
+}
+.prose-page__inner {
+  max-width: 720px;
+  margin: 0 auto;
+  padding: 80px 32px 96px;
+}
+.prose-page__header {
+  margin-bottom: 64px;
+  padding-bottom: 40px;
+  border-bottom: 1px solid var(--color-light-gray);
+}
+.prose-page__header .landing-label {
+  color: var(--color-brand);
+  margin-bottom: 16px;
+}
+.prose-page__title {
+  font-family: var(--font-headline), "IBM Plex Mono", ui-monospace, monospace;
+  font-size: clamp(2.5rem, 4vw + 0.5rem, 3.75rem);
+  font-weight: 700;
+  line-height: 1.0;
+  letter-spacing: -0.025em;
+  color: var(--color-primary);
+  margin: 0 0 24px;
+}
+.prose-page__title-italic {
+  font-family: var(--font-serif-alt), "IBM Plex Mono", ui-monospace, monospace;
+  font-style: italic;
+  font-weight: 400;
+  color: var(--color-brand);
+}
+.prose-page__lede {
+  font-size: 1.0625rem;
+  line-height: 1.6;
+  color: var(--color-mid-gray);
+  margin: 0;
+  max-width: 60ch;
+}
+.prose-page__meta {
+  font-size: 0.8125rem;
+  color: var(--color-mid-gray);
+  margin: 16px 0 32px;
+  letter-spacing: 0.04em;
+}
+.prose-page__body section {
+  margin-bottom: 56px;
+  padding-bottom: 40px;
+  border-bottom: 1px solid var(--color-light-gray);
+}
+.prose-page__body section:last-child {
+  border-bottom: none;
+  padding-bottom: 0;
+  margin-bottom: 0;
+}
+.prose-page__body h2 {
+  font-family: var(--font-headline), "IBM Plex Mono", ui-monospace, monospace;
+  font-size: 1.625rem;
+  font-weight: 600;
+  color: var(--color-primary);
+  margin: 0 0 20px;
+  letter-spacing: -0.015em;
+  line-height: 1.2;
+}
+.prose-page__body h3 {
+  font-family: var(--font-headline), "IBM Plex Mono", ui-monospace, monospace;
+  font-size: 1.25rem;
+  font-weight: 600;
+  color: var(--color-primary);
+  margin: 32px 0 12px;
+  letter-spacing: -0.01em;
+}
+.prose-page__body p,
+.prose-page__body li {
+  font-size: 1rem;
+  line-height: 1.7;
+  color: var(--color-dark-gray);
+  margin: 0 0 16px;
+}
+.prose-page__body ul,
+.prose-page__body ol {
+  padding-left: 1.5rem;
+  margin: 0 0 16px;
+}
+.prose-page__body ul li::marker { color: var(--color-mid-gray); }
+.prose-page__body strong { color: var(--color-primary); font-weight: 600; }
+.prose-page__body a {
+  color: var(--color-brand);
+  text-decoration: none;
+  border-bottom: 1px solid currentColor;
+  transition: color var(--transition-fast), border-color var(--transition-fast);
+}
+.prose-page__body a:hover {
+  color: var(--color-brand-hover);
+}
+.prose-page__body code,
+.prose-page__body pre {
+  font-family: ui-monospace, "SF Mono", Menlo, monospace;
+  font-size: 0.875em;
+  background: var(--color-surface-container);
+  padding: 2px 6px;
+  border-radius: 2px;
+}
+@media (max-width: 768px) {
+  .prose-page__inner { padding: 56px 20px 64px; }
+  .prose-page__header { margin-bottom: 40px; padding-bottom: 28px; }
+  .prose-page__body section { margin-bottom: 36px; padding-bottom: 24px; }
+}
+
 /* ========== App Pages (authenticated) ========== */
 .app-page {
   padding-top: var(--navbar-height);
   min-height: 100vh;
-  background: var(--color-off-white);
+  background: var(--color-surface);
 }
 
 .app-page__inner {
@@ -1249,24 +2127,48 @@ h1, h2, h3, h4, h5, h6 {
 /* ========== Landing CTA Section ========== */
 .landing-cta {
   text-align: center;
-  padding: 96px 32px;
+  padding: 0;
 }
 
-.landing-cta .landing-label {
-  justify-content: center;
+.landing-cta__headline {
+  font-family: var(--font-headline), 'IBM Plex Mono', ui-monospace, monospace;
+  font-size: clamp(2.5rem, 4vw + 0.5rem, 3.75rem);
+  font-weight: 700;
+  line-height: 1.05;
+  letter-spacing: -0.02em;
+  color: var(--color-primary);
+  margin: 0 auto 20px;
+  max-width: 720px;
+}
+
+.landing-cta__headline-italic {
+  font-family: var(--font-serif-alt), 'IBM Plex Mono', ui-monospace, monospace;
+  font-style: italic;
+  font-weight: 400;
+  color: var(--color-brand);
 }
 
-.landing-cta h2 {
+.landing-cta__eyebrow {
+  justify-content: center;
+  color: var(--color-brand);
   margin-bottom: 16px;
 }
 
-.landing-cta > p {
+.landing-cta__lede {
   font-size: 1.125rem;
   color: var(--color-mid-gray);
-  margin-bottom: 40px;
-  max-width: 480px;
-  margin-left: auto;
-  margin-right: auto;
+  margin: 0 auto 36px;
+  max-width: 520px;
+  line-height: 1.6;
+}
+
+/* Trust microcopy below the closing CTA button. Editorial: small,
+   warm-gray text with em-dash separators. */
+.landing-cta__micro {
+  margin: 24px 0 0;
+  font-size: 0.8125rem;
+  color: var(--color-mid-gray);
+  letter-spacing: 0.02em;
 }
 
 .landing-cta__actions {
@@ -1306,68 +2208,78 @@ h1, h2, h3, h4, h5, h6 {
 
 .landing-network {
   display: grid;
-  grid-template-columns: repeat(4, 1fr);
-  gap: 1px;
-  background: var(--color-surface-container-high);
-  margin-top: 32px;
-  margin-bottom: 24px;
+  grid-template-columns: repeat(4, 1fr);
+  gap: 0;
+  margin-top: 48px;
+  margin-bottom: 32px;
+  border-top: 1px solid var(--color-light-gray);
+  border-bottom: 1px solid var(--color-light-gray);
 }
 
 .landing-network__cell {
   display: flex;
   flex-direction: column;
   align-items: center;
-  justify-content: center;
-  gap: 12px;
-  padding: 40px 24px;
-  background: var(--color-off-white);
+  justify-content: flex-start;
+  gap: 14px;
+  padding: 40px 24px 36px;
+  background: transparent;
+  border-right: 1px solid var(--color-light-gray);
+  border-radius: 0;
   text-decoration: none;
-  transition: background var(--transition-fast);
+  transition: background var(--transition-base);
+}
+.landing-network__cell:last-child {
+  border-right: none;
 }
-
 .landing-network__cell:hover {
   background: var(--color-surface-container-low);
+  border-color: var(--color-light-gray);
+  box-shadow: none;
+  transform: none;
 }
 
+/* Logos always color, framed by a soft warm ring — no electric blue
+   on hover, just a subtle warm-up. */
 .landing-network__logo {
-  width: 40px;
-  height: 40px;
-  border-radius: 50%;
+  width: 52px;
+  height: 52px;
+  border-radius: 12px;
   object-fit: cover;
-  filter: grayscale(100%);
-  opacity: 0.7;
-  transition: all var(--transition-fast);
+  background: var(--color-white);
+  box-shadow: 0 0 0 1px var(--border-light);
+  transition: box-shadow var(--transition-fast);
 }
-
 .landing-network__cell:hover .landing-network__logo {
-  filter: grayscale(0%);
-  opacity: 1;
+  box-shadow: 0 0 0 1px var(--border-medium);
 }
 
 .landing-network__name {
-  font-family: var(--font-headline), 'Noto Serif', serif;
-  font-size: 1.125rem;
-  font-weight: 700;
-  color: var(--color-outline-variant);
-  transition: color var(--transition-fast);
-}
-
-.landing-network__cell:hover .landing-network__name {
+  font-family: var(--font-headline), 'IBM Plex Mono', ui-monospace, monospace;
+  font-size: 1.0625rem;
+  font-weight: 600;
   color: var(--color-primary);
+  letter-spacing: -0.01em;
 }
 
 .landing-network__desc {
-  font-size: 0.75rem;
+  font-size: 0.8125rem;
   color: var(--color-mid-gray);
   text-align: center;
-  line-height: 1.4;
-  max-width: 180px;
-  opacity: 0;
-  transition: opacity var(--transition-fast);
+  line-height: 1.55;
+  max-width: 200px;
 }
 
-.landing-network__cell:hover .landing-network__desc {
-  opacity: 1;
+@media (max-width: 768px) {
+  .landing-network {
+    grid-template-columns: repeat(2, 1fr);
+  }
+  .landing-network__cell:nth-child(2n) {
+    border-right: none;
+  }
+  .landing-network__cell:nth-child(-n+2) {
+    border-bottom: 1px solid var(--color-light-gray);
+  }
 }
 
 @media (max-width: 768px) {
@@ -1394,12 +2306,15 @@ h1, h2, h3, h4, h5, h6 {
 }
 
 /* ========== Landing Sections ========== */
+/* Vertical padding only — the horizontal padding lives on
+   .landing-section__inner so content lines up with the navbar, hero
+   typography column, and the hero pillars row. */
 .landing-section {
-  padding: 96px 32px;
+  padding: 96px 0;
 }
 
 .landing-section--light {
-  background: var(--color-off-white);
+  background: var(--color-surface);
   color: var(--color-dark-gray);
 }
 
@@ -1407,8 +2322,10 @@ h1, h2, h3, h4, h5, h6 {
   color: var(--color-primary);
 }
 
+/* Inverted section — deep ink instead of pure black. Cream-leaning
+   tone harmonizes better with the warm body palette. */
 .landing-section--dark {
-  background: var(--color-navy);
+  background: #1f1c19;
   color: var(--color-white);
 }
 
@@ -1416,9 +2333,14 @@ h1, h2, h3, h4, h5, h6 {
   color: var(--color-white);
 }
 
+/* Subtle: in the editorial system, sections share the same paper-white
+   background and rely on hairline borders for separation. The class is
+   kept (and now adds a top hairline) so sections still feel sequential
+   without changing colour. */
 .landing-section--subtle {
-  background: var(--color-surface-container-low);
+  background: var(--color-surface);
   color: var(--color-dark-gray);
+  border-top: 1px solid var(--color-light-gray);
 }
 
 .landing-section--subtle h2 {
@@ -1434,13 +2356,39 @@ h1, h2, h3, h4, h5, h6 {
   color: var(--color-primary);
 }
 
+/* Quiet variant for the closing CTA. Same off-white surface as the rest
+   of the page, only with extra vertical padding so it reads as a closing
+   moment. Horizontal padding is intentionally absent — it's owned by
+   .landing-section__inner so it stays on the shared alignment line. */
+.landing-section--cream {
+  background: var(--color-surface);
+  color: var(--color-dark-gray);
+  padding-top: 128px;
+  padding-bottom: 128px;
+  border-top: 1px solid var(--color-light-gray);
+}
+
+.landing-section--cream h2 {
+  color: var(--color-primary);
+}
+
+/* Legacy brand variant kept inert in the warm palette — if anything
+   still references it, it now renders as a quiet cream block. */
+.landing-section--brand {
+  background: var(--color-surface);
+  color: var(--color-dark-gray);
+}
+.landing-section--brand h2 { color: var(--color-primary); }
+.landing-section--brand p { color: var(--color-mid-gray); }
+
 .landing-section__inner {
-  max-width: 1536px;
+  max-width: var(--container-max);
+  padding: 0 var(--container-pad-x);
   margin: 0 auto;
 }
 
 .landing-section h2 {
-  font-family: var(--font-headline), 'Noto Serif', serif;
+  font-family: var(--font-headline), 'IBM Plex Mono', ui-monospace, monospace;
   font-size: clamp(2rem, 3vw + 0.5rem, 3rem);
   font-weight: 700;
   line-height: 1.1;
@@ -1485,15 +2433,17 @@ h1, h2, h3, h4, h5, h6 {
   z-index: 1;
 }
 
+/* Eyebrow label — quiet warm gray, no longer using the accent.
+   The accent is now reserved for hover affordances and the chip dot. */
 .landing-label {
   display: flex;
   align-items: center;
   font-size: 0.6875rem;
   font-weight: 500;
-  letter-spacing: 0.2em;
+  letter-spacing: 0.18em;
   text-transform: uppercase;
-  color: var(--color-accent);
-  margin-bottom: 12px;
+  color: var(--color-mid-gray);
+  margin-bottom: 14px;
 }
 
 .landing-label--light {
@@ -1502,15 +2452,16 @@ h1, h2, h3, h4, h5, h6 {
 
 @media (max-width: 768px) {
   .landing-section {
-    padding: 64px 20px;
+    padding: 64px 0;
   }
 }
 
-/* ── Bento Grid (What You Get) ───────────────────────────────────────── */
+/* ── Bento Grid (What You Get) — editorial 2×2 with hairline tops */
 .landing-bento {
   display: grid;
   grid-template-columns: repeat(2, 1fr);
-  gap: 24px;
+  column-gap: 64px;
+  row-gap: 48px;
 }
 
 @media (max-width: 768px) {
@@ -1520,56 +2471,92 @@ h1, h2, h3, h4, h5, h6 {
 }
 
 .landing-bento__card {
-  background: var(--color-white);
-  padding: 32px;
-  min-height: 200px;
+  position: relative;
+  background: transparent;
+  padding: 12px 0 0;
+  min-height: 0;
   display: flex;
   flex-direction: column;
   justify-content: flex-start;
-  transition: box-shadow 500ms;
+  border: 0;
+  border-top: 1px solid var(--color-light-gray);
+  border-radius: 0;
+  transition: border-color 300ms ease-out;
 }
 
 .landing-bento__card:hover {
-  box-shadow: 0 20px 60px rgba(0, 0, 0, 0.06);
+  border-top-color: var(--border-medium);
+  box-shadow: none;
+  transform: none;
 }
 
+/* Legacy brand-fill variants kept inert for back-compat. The new
+   minimal layout doesn't use them. */
+.landing-bento__card--brand,
 .landing-bento__card--highlight {
-  background: var(--color-primary);
-  color: var(--color-white);
+  background: transparent;
+  color: inherit;
+  border: 0;
+  border-top: 1px solid var(--color-light-gray);
 }
+.landing-bento__card--brand h3,
+.landing-bento__card--highlight h3 { color: var(--color-primary); }
+.landing-bento__card--brand p,
+.landing-bento__card--highlight p { color: var(--color-mid-gray); }
 
-.landing-bento__card--highlight h3 {
-  color: var(--color-white);
+/* Icon: monochrome stroke, sienna on hover. No tinted circle, no
+   filled background — stays editorial. */
+.landing-bento__icon-wrap {
+  display: inline-flex;
+  align-items: center;
+  justify-content: center;
+  width: 32px;
+  height: 32px;
+  margin-bottom: 20px;
+  border-radius: 0;
+  background: transparent;
+  color: var(--color-primary);
+  transition: color var(--transition-fast);
 }
-
-.landing-bento__card--highlight p {
-  color: rgba(255, 255, 255, 0.7);
+.landing-bento__card:hover .landing-bento__icon-wrap {
+  background: transparent;
+  color: var(--color-brand);
+  transform: none;
 }
-
-.landing-bento__card--highlight .landing-bento__icon {
-  color: var(--color-white);
+.landing-bento__icon-wrap--brand {
+  background: transparent;
+  color: var(--color-primary);
 }
 
+/* Legacy single-icon class kept so old markup still renders. */
 .landing-bento__icon {
   margin-bottom: 24px;
   color: var(--color-primary);
 }
 
 .landing-bento__card h3 {
-  font-family: var(--font-headline), 'Noto Serif', serif;
-  font-size: 1.375rem;
-  font-weight: 700;
+  font-family: var(--font-headline), 'IBM Plex Mono', ui-monospace, monospace;
+  font-size: 1.5rem;
+  font-weight: 600;
   color: var(--color-primary);
   margin-bottom: 12px;
+  letter-spacing: -0.015em;
+  line-height: 1.25;
 }
 
 .landing-bento__card p {
-  font-size: 1rem;
-  line-height: 1.6;
+  font-size: 0.9375rem;
+  line-height: 1.65;
   color: var(--color-mid-gray);
   margin: 0;
+  max-width: 36ch;
 }
 
+/* Legacy brand-card overrides — inert in the new minimal layout but
+   left here so old markup doesn't break. */
+.landing-bento__card--brand h3 { color: var(--color-primary); }
+.landing-bento__card--brand p { color: var(--color-mid-gray); }
+
 /* ============================================================
    FAQ section
    ============================================================ */
@@ -1612,7 +2599,7 @@ h1, h2, h3, h4, h5, h6 {
 
 .landing-faq-btn:focus-visible {
   outline: 2px solid var(--color-primary);
-  outline-offset: 2px;
+  outline-offset: -2px;
   border-radius: 2px;
 }
 
@@ -1660,45 +2647,62 @@ h1, h2, h3, h4, h5, h6 {
 }
 
 .landing-protocol__steps {
+  position: relative;
   display: flex;
   flex-direction: column;
-  gap: 32px;
-  max-width: 560px;
+  gap: 0;
+  max-width: 640px;
   margin: 0 auto;
 }
 
 .landing-protocol__step {
+  position: relative;
   display: flex;
-  gap: 24px;
+  gap: 32px;
   align-items: flex-start;
+  padding: 28px 0;
+  border-top: 1px solid var(--color-light-gray);
+}
+.landing-protocol__step:last-child {
+  border-bottom: 1px solid var(--color-light-gray);
 }
 
+/* Numerals are now flat editorial figures — monospaced look from the
+   serif, no circle, no ring, no fill. The accent shows only on hover. */
 .landing-protocol__num {
-  font-family: var(--font-serif-alt), 'Instrument Serif', serif;
+  display: inline-block;
+  width: 56px;
+  font-family: var(--font-serif-alt), 'IBM Plex Mono', ui-monospace, monospace;
   font-style: italic;
-  font-size: 2.25rem;
-  color: var(--color-outline-variant);
+  font-size: 1.875rem;
+  font-weight: 400;
+  color: var(--color-mid-gray);
   line-height: 1;
   flex-shrink: 0;
+  margin-top: 4px;
   transition: color var(--transition-fast);
 }
 
 .landing-protocol__step:hover .landing-protocol__num {
-  color: var(--color-primary);
+  color: var(--color-brand);
 }
 
 .landing-protocol__step h4 {
-  font-size: 1.125rem;
-  font-weight: 700;
+  font-family: var(--font-headline), 'IBM Plex Mono', ui-monospace, monospace;
+  font-size: 1.25rem;
+  font-weight: 600;
   color: var(--color-primary);
-  margin-bottom: 4px;
+  letter-spacing: -0.01em;
+  margin-bottom: 6px;
+  margin-top: 0;
 }
 
 .landing-protocol__step p {
   font-size: 0.9375rem;
-  line-height: 1.6;
+  line-height: 1.65;
   color: var(--color-mid-gray);
   margin: 0;
+  max-width: 48ch;
 }
 
 /* Protocol visual card */
@@ -1739,7 +2743,7 @@ h1, h2, h3, h4, h5, h6 {
 }
 
 .landing-protocol__card-logo {
-  font-family: var(--font-serif-alt), 'Instrument Serif', serif;
+  font-family: var(--font-serif-alt), 'IBM Plex Mono', ui-monospace, monospace;
   font-style: italic;
   font-size: 1.75rem;
   color: var(--color-primary);
@@ -1786,7 +2790,7 @@ h1, h2, h3, h4, h5, h6 {
 }
 
 .landing-protocol__card-sig {
-  font-family: var(--font-serif-alt), 'Instrument Serif', serif;
+  font-family: var(--font-serif-alt), 'IBM Plex Mono', ui-monospace, monospace;
   font-style: italic;
   font-size: 1.25rem;
   color: var(--color-primary);
@@ -1855,28 +2859,35 @@ h1, h2, h3, h4, h5, h6 {
   align-items: flex-start;
 }
 
+/* Trust icons — just the stroke, no filled circle. Same sienna accent
+   the rest of the page uses, so the page reads as one system. */
 .landing-trust__check {
   flex-shrink: 0;
-  width: 40px;
-  height: 40px;
+  width: 28px;
+  height: 28px;
   display: flex;
   align-items: center;
   justify-content: center;
-  color: rgba(255, 255, 255, 0.4);
+  background: transparent;
+  color: var(--color-brand);
+  margin-top: 2px;
 }
 
 .landing-trust__item h4 {
-  font-size: 1.0625rem;
+  font-family: var(--font-headline), 'IBM Plex Mono', ui-monospace, monospace;
+  font-size: 1.125rem;
   font-weight: 600;
   color: var(--color-white);
-  margin-bottom: 6px;
+  margin-bottom: 8px;
+  letter-spacing: -0.01em;
 }
 
 .landing-trust__item p {
   font-size: 0.9375rem;
-  line-height: 1.6;
-  color: rgba(255, 255, 255, 0.5);
+  line-height: 1.65;
+  color: rgba(255, 255, 255, 0.65);
   margin: 0;
+  max-width: 36ch;
 }
 
 /* ========== Dashboard Cards (right sidebar) ========== */
@@ -2953,7 +3964,7 @@ h1, h2, h3, h4, h5, h6 {
 }
 
 .dashboard__page-title {
-  font-family: var(--font-headline), 'Noto Serif', serif;
+  font-family: var(--font-headline), 'IBM Plex Mono', ui-monospace, monospace;
   font-size: clamp(2rem, 3vw + 1rem, 2.5rem);
   font-weight: 700;
   color: var(--color-primary);
@@ -2998,7 +4009,7 @@ h1, h2, h3, h4, h5, h6 {
 }
 
 .profile-card__name {
-  font-family: var(--font-headline), 'Noto Serif', serif;
+  font-family: var(--font-headline), 'IBM Plex Mono', ui-monospace, monospace;
   font-size: 1.75rem;
   font-weight: 700;
   color: var(--color-primary);
@@ -3978,6 +4989,190 @@ h1, h2, h3, h4, h5, h6 {
   white-space: nowrap;
 }
 
+/* ========== Navbar Search (top-bar typeahead) ========== */
+.navbar-search {
+  position: relative;
+  flex: 1 1 auto;
+  max-width: 420px;
+  min-width: 0;
+  margin: 0 24px;
+}
+
+.navbar-search__field {
+  position: relative;
+  display: flex;
+  align-items: center;
+  height: 38px;
+  padding: 0 12px;
+  /* Whisper-soft warm white — only a hair off the page surface (#fefefe),
+     so the fill barely registers and the hairline border carries the
+     shape. Reads like a pill of unbleached paper rather than a control. */
+  background: #fdfcf9;
+  border: 1px solid var(--border-light);
+  border-radius: 999px;
+  transition: background var(--transition-fast), border-color var(--transition-fast), box-shadow var(--transition-fast);
+}
+
+.navbar-search__field:hover {
+  border-color: var(--border-default);
+}
+
+.navbar-search__field:focus-within {
+  background: #ffffff;
+  border-color: var(--border-medium);
+  box-shadow: 0 0 0 3px rgba(50, 35, 20, 0.05);
+}
+
+.navbar-search__icon {
+  flex: 0 0 auto;
+  color: var(--color-mid-gray);
+  margin-right: 8px;
+}
+
+.navbar-search__input {
+  flex: 1 1 auto;
+  min-width: 0;
+  height: 100%;
+  border: none;
+  background: transparent;
+  outline: none;
+  font-size: 0.875rem;
+  color: var(--color-primary);
+  padding: 0;
+}
+
+.navbar-search__input::placeholder {
+  color: var(--color-mid-gray);
+}
+
+.navbar-search__clear {
+  flex: 0 0 auto;
+  display: inline-flex;
+  align-items: center;
+  justify-content: center;
+  width: 22px;
+  height: 22px;
+  margin-left: 4px;
+  padding: 0;
+  border: none;
+  background: transparent;
+  color: var(--color-mid-gray);
+  border-radius: 999px;
+  cursor: pointer;
+  transition: background var(--transition-fast), color var(--transition-fast);
+}
+
+.navbar-search__clear:hover {
+  background: var(--color-gray-100);
+  color: var(--color-primary);
+}
+
+.navbar-search__clear:focus-visible {
+  outline: 2px solid var(--color-primary);
+  outline-offset: 2px;
+}
+
+.navbar-search__dropdown {
+  position: absolute;
+  top: calc(100% + 6px);
+  left: 0;
+  right: 0;
+  margin: 0;
+  padding: 4px;
+  list-style: none;
+  background: var(--color-white, #ffffff);
+  border: 1px solid var(--border-default);
+  border-radius: 8px;
+  box-shadow: 0 12px 32px rgba(0, 0, 0, 0.10);
+  z-index: 60;
+  max-height: 360px;
+  overflow-y: auto;
+}
+
+.navbar-search__empty {
+  padding: 14px 12px;
+  font-size: 0.8125rem;
+  color: var(--color-mid-gray);
+  text-align: left;
+}
+
+.navbar-search__item {
+  display: flex;
+  align-items: center;
+  gap: 10px;
+  width: 100%;
+  padding: 8px 10px;
+  border-radius: 6px;
+  cursor: pointer;
+  text-align: left;
+  transition: background var(--transition-fast), box-shadow var(--transition-fast);
+  user-select: none;
+  box-shadow: inset 2px 0 0 transparent;
+}
+
+.navbar-search__item:hover {
+  background: var(--color-gray-100);
+}
+
+.navbar-search__item--highlighted {
+  background: var(--color-gray-100);
+  box-shadow: inset 2px 0 0 var(--color-primary);
+}
+
+.navbar-search__item-info {
+  display: flex;
+  flex-direction: column;
+  min-width: 0;
+  flex: 1 1 auto;
+}
+
+.navbar-search__item-name {
+  font-size: 0.8125rem;
+  font-weight: 500;
+  color: var(--color-primary);
+  overflow: hidden;
+  text-overflow: ellipsis;
+  white-space: nowrap;
+}
+
+.navbar-search__item-handle {
+  font-size: 0.6875rem;
+  color: var(--color-mid-gray);
+  overflow: hidden;
+  text-overflow: ellipsis;
+  white-space: nowrap;
+}
+
+@media (max-width: 900px) {
+  .navbar-search { max-width: 320px; margin: 0 16px; }
+}
+
+@media (max-width: 768px) {
+  /* On tablet/mobile the app-links / public-links / desktop user cluster all
+     hide — letting the search expand into the freed middle space keeps it
+     usable next to the logo and the mobile actions (avatar + hamburger,
+     or sign-in / get-started). */
+  .navbar-search {
+    max-width: none;
+    margin: 0 12px;
+  }
+}
+
+@media (max-width: 480px) {
+  .navbar-search { margin: 0 8px; }
+  .navbar-search__field { padding: 0 10px; height: 36px; }
+  .navbar-search__icon { margin-right: 6px; }
+  .navbar-search__input { font-size: 0.8125rem; }
+  /* Drop the placeholder text on very narrow screens — the icon is enough
+     visual cue and the few extra pixels matter when the navbar is tight. */
+  .navbar-search__input::placeholder { color: transparent; }
+}
+
+@media (max-width: 380px) {
+  .navbar-search { margin: 0 6px; }
+  .navbar-search__field { padding: 0 8px; }
+}
+
 /* ========== Organizations ========== */
 
 /* Organization list page */
diff --git a/src/app/layout.tsx b/src/app/layout.tsx
index 938ee03b..19124035 100644
--- a/src/app/layout.tsx
+++ b/src/app/layout.tsx
@@ -1,5 +1,5 @@
 import type { Metadata, Viewport } from "next";
-import { Inter, Noto_Serif, Instrument_Serif } from "next/font/google";
+import { IBM_Plex_Sans, IBM_Plex_Mono } from "next/font/google";
 import "./globals.css";
 import { AuthProvider } from "@/lib/auth/auth-context";
 import { NavbarProvider } from "@/lib/navbar-context";
@@ -11,25 +11,39 @@ import { OrgProvider } from "@/lib/groups/org-context";
 import FeedbackModal from "@/components/ui/feedback-modal";
 import { Analytics } from "@vercel/analytics/next";
 
-const inter = Inter({
+/**
+ * Type system — atproto.com aligned.
+ *
+ * The site lives on two faces of the IBM Plex superfamily:
+ *  • IBM Plex Sans for body / UI copy
+ *  • IBM Plex Mono for display headlines, eyebrows, numerals, code
+ *
+ * Variable names are kept as `--font-inter` / `--font-headline` /
+ * `--font-serif-alt` for backwards compatibility with the existing
+ * BEM CSS in globals.css, but they now point at Plex Sans / Plex Mono.
+ */
+const plexSans = IBM_Plex_Sans({
   subsets: ["latin"],
   weight: ["300", "400", "500", "600", "700"],
+  style: ["normal", "italic"],
   variable: "--font-inter",
   display: "swap",
 });
 
-const notoSerif = Noto_Serif({
+const plexMono = IBM_Plex_Mono({
   subsets: ["latin"],
-  weight: ["400", "700"],
+  weight: ["300", "400", "500", "600", "700"],
   style: ["normal", "italic"],
   variable: "--font-headline",
   display: "swap",
 });
 
-const instrumentSerif = Instrument_Serif({
+// Italic-accent slot — same Plex Mono family, separate variable so any
+// CSS rule that wants to force italic via `--font-serif-alt` keeps working.
+const plexMonoItalic = IBM_Plex_Mono({
   subsets: ["latin"],
-  weight: ["400"],
-  style: ["normal", "italic"],
+  weight: ["400", "500"],
+  style: ["italic"],
   variable: "--font-serif-alt",
   display: "swap",
 });
@@ -139,7 +153,7 @@ export default function RootLayout({
           dangerouslySetInnerHTML={{ __html: JSON.stringify(websiteJsonLd) }}
         />
       </head>
-      <body className={`${inter.variable} ${notoSerif.variable} ${instrumentSerif.variable} min-h-screen flex flex-col`}>
+      <body className={`${plexSans.variable} ${plexMono.variable} ${plexMonoItalic.variable} min-h-screen flex flex-col`}>
         <Providers>
           <AuthProvider>
             <OrgProvider>
diff --git a/src/app/privacy/page.tsx b/src/app/privacy/page.tsx
index 0e2f3b0b..4a15aeec 100644
--- a/src/app/privacy/page.tsx
+++ b/src/app/privacy/page.tsx
@@ -17,24 +17,24 @@ export const metadata: Metadata = {
 
 export default function PrivacyPage() {
   return (
-    <div className="app-page">
-      <div className="app-page__inner max-w-3xl">
-        <h1 className="font-mono text-h1 text-navy tracking-tight mb-8">
+    <div className="prose-page">
+      <div className="prose-page__inner">
+        <h1 className="prose-page__title">
           Privacy Policy — Certified
         </h1>
 
-        <p className="text-sm text-gray-500 mb-8">Last updated: April 1, 2026</p>
+        <p className="prose-page__meta">Last updated: April 1, 2026</p>
 
-        <div className="prose prose-navy max-w-none space-y-8">
+        <div className="prose-page__body">
           <section>
-            <h2 className="font-mono text-xl text-navy mb-4">1. Introduction</h2>
+            <h2>1. Introduction</h2>
             <p>
               This Privacy Policy explains how the Hypercerts Foundation (&quot;Hypercerts
               Foundation&quot;, &quot;we&quot;, &quot;our&quot;, or &quot;us&quot;) processes
               personal data in connection with the Certified services.
             </p>
-            <p className="mt-4">Certified consists of:</p>
-            <ul className="list-disc pl-6 mt-2 space-y-2">
+            <p>Certified consists of:</p>
+            <ul>
               <li>
                 <strong>certified.app</strong> – a web application used to create and manage AT
                 Protocol identities and configure related services
@@ -44,12 +44,12 @@ export default function PrivacyPage() {
                 Servers (PDS)
               </li>
             </ul>
-            <p className="mt-4">
+            <p>
               The Hypercerts Foundation operates these services as identity and data hosting
               infrastructure for the AT Protocol ecosystem.
             </p>
-            <p className="mt-4">This Privacy Policy explains:</p>
-            <ul className="list-disc pl-6 mt-2 space-y-2">
+            <p>This Privacy Policy explains:</p>
+            <ul>
               <li>what personal data we process</li>
               <li>how we use that data</li>
               <li>how data is stored and shared</li>
@@ -58,12 +58,12 @@ export default function PrivacyPage() {
           </section>
 
           <section>
-            <h2 className="font-mono text-xl text-navy mb-4">2. Data controller</h2>
+            <h2>2. Data controller</h2>
             <p>
               For the purposes of the EU General Data Protection Regulation (GDPR), the data
               controller is:
             </p>
-            <p className="mt-4">
+            <p>
               <strong>Hypercerts Foundation</strong>
               <br />
               1209 Orange St.
@@ -72,18 +72,18 @@ export default function PrivacyPage() {
               <br />
               United States
             </p>
-            <p className="mt-4">
+            <p>
               Phone: +1 302 658 7581
               <br />
               Contact:{" "}
               <a
                 href="mailto:legal@hypercerts.org"
-                className="text-blue-600 underline hover:text-blue-800"
+               
               >
                 legal@hypercerts.org
               </a>
             </p>
-            <p className="mt-4">
+            <p>
               For data stored on Personal Data Servers, the Hypercerts Foundation acts as an{" "}
               <strong>
                 infrastructure provider operating the server environment in which user-controlled
@@ -97,7 +97,7 @@ export default function PrivacyPage() {
               In accordance with Article 27 of the GDPR, the Hypercerts Foundation has designated
               the following representative in the European Union:
             </p>
-            <p className="mt-4">
+            <p>
               Holke Brammer
               <br />
               Holzmarktstraße 25
@@ -106,10 +106,10 @@ export default function PrivacyPage() {
               <br />
               Germany
             </p>
-            <p className="mt-4">
+            <p>
               <a
                 href="mailto:legal@hypercerts.org"
-                className="text-blue-600 underline hover:text-blue-800"
+               
               >
                 legal@hypercerts.org
               </a>
@@ -117,7 +117,7 @@ export default function PrivacyPage() {
           </section>
 
           <section>
-            <h2 className="font-mono text-xl text-navy mb-4">
+            <h2>
               3. Personal data we process
             </h2>
             <p>
@@ -128,7 +128,7 @@ export default function PrivacyPage() {
             <p>
               When you create or manage an account using certified.app, we may process:
             </p>
-            <ul className="list-disc pl-6 mt-2 space-y-2">
+            <ul>
               <li>email address</li>
               <li>account identifiers</li>
               <li>authentication information</li>
@@ -142,14 +142,14 @@ export default function PrivacyPage() {
               certified.one operates Personal Data Servers that store records associated with AT
               Protocol identities.
             </p>
-            <p className="mt-4">These records may include:</p>
-            <ul className="list-disc pl-6 mt-2 space-y-2">
+            <p>These records may include:</p>
+            <ul>
               <li>profile information</li>
               <li>user-generated content</li>
               <li>references to external resources</li>
               <li>metadata associated with AT Protocol records</li>
             </ul>
-            <p className="mt-4">
+            <p>
               This data is stored at the direction of users and may contain personal data depending
               on how the user uses the service.
             </p>
@@ -158,28 +158,28 @@ export default function PrivacyPage() {
               Technical and operational data
             </h3>
             <p>To operate the services, we may process:</p>
-            <ul className="list-disc pl-6 mt-2 space-y-2">
+            <ul>
               <li>IP addresses</li>
               <li>system logs</li>
               <li>device or browser information</li>
               <li>timestamps of service interactions</li>
               <li>security and abuse-prevention signals</li>
             </ul>
-            <p className="mt-4">
+            <p>
               System logs and security-related operational data may be retained for limited periods
               necessary to detect abuse, investigate incidents, and maintain service reliability.
             </p>
           </section>
 
           <section>
-            <h2 className="font-mono text-xl text-navy mb-4">
+            <h2>
               4. How we use personal data
             </h2>
             <p>
               We process personal data only where necessary for the operation of the services.
             </p>
-            <p className="mt-4">This may include processing necessary to:</p>
-            <ul className="list-disc pl-6 mt-2 space-y-2">
+            <p>This may include processing necessary to:</p>
+            <ul>
               <li>operate and maintain certified.app and certified.one</li>
               <li>authenticate users and manage accounts</li>
               <li>operate AT Protocol Personal Data Servers</li>
@@ -190,7 +190,7 @@ export default function PrivacyPage() {
           </section>
 
           <section>
-            <h2 className="font-mono text-xl text-navy mb-4">
+            <h2>
               5. Legal basis for processing
             </h2>
             <p>
@@ -202,7 +202,7 @@ export default function PrivacyPage() {
 
             <h3 className="font-mono text-lg text-navy mt-6 mb-3">Legitimate interests</h3>
             <p>Processing necessary to:</p>
-            <ul className="list-disc pl-6 mt-2 space-y-2">
+            <ul>
               <li>maintain service security</li>
               <li>prevent abuse</li>
               <li>operate and improve infrastructure</li>
@@ -224,7 +224,7 @@ export default function PrivacyPage() {
           </section>
 
           <section>
-            <h2 className="font-mono text-xl text-navy mb-4">
+            <h2>
               6. Data storage and infrastructure
             </h2>
             <p>
@@ -232,7 +232,7 @@ export default function PrivacyPage() {
               on cloud infrastructure located within the{" "}
               <strong>European Union</strong>.
             </p>
-            <p className="mt-4">
+            <p>
               Operational service providers may process limited data outside the European Union.
               Where this occurs, appropriate safeguards are implemented in accordance with
               applicable data protection laws.
@@ -240,26 +240,26 @@ export default function PrivacyPage() {
           </section>
 
           <section>
-            <h2 className="font-mono text-xl text-navy mb-4">
+            <h2>
               7. Federated network architecture
             </h2>
             <p>
               Certified operates within the <strong>AT Protocol</strong>, a federated network
               architecture.
             </p>
-            <p className="mt-4">
+            <p>
               When users publish records through their Personal Data Server, those records may be:
             </p>
-            <ul className="list-disc pl-6 mt-2 space-y-2">
+            <ul>
               <li>replicated</li>
               <li>cached</li>
               <li>indexed</li>
               <li>displayed</li>
             </ul>
-            <p className="mt-4">
+            <p>
               by independent servers or applications participating in the network.
             </p>
-            <p className="mt-4">
+            <p>
               Once data is shared through the federated network, the Hypercerts Foundation cannot
               control how third-party services process or store that information. Those services act
               as <strong>independent data controllers</strong> for any processing they perform.
@@ -267,12 +267,12 @@ export default function PrivacyPage() {
           </section>
 
           <section>
-            <h2 className="font-mono text-xl text-navy mb-4">8. Data sharing</h2>
+            <h2>8. Data sharing</h2>
             <p>We do not sell personal data.</p>
-            <p className="mt-4">
+            <p>
               Personal data may be shared only in limited circumstances, including:
             </p>
-            <ul className="list-disc pl-6 mt-2 space-y-2">
+            <ul>
               <li>
                 with service providers that support the operation of the services and process data
                 on our behalf, including Vercel Inc. (hosting and anonymous web analytics)
@@ -288,69 +288,69 @@ export default function PrivacyPage() {
           </section>
 
           <section>
-            <h2 className="font-mono text-xl text-navy mb-4">
+            <h2>
               9. Cookies and tracking technologies
             </h2>
             <p>
               certified.app uses only cookies that are strictly necessary for the operation of the
               service, such as session management and authentication.
             </p>
-            <p className="mt-4">
+            <p>
               We do not use advertising cookies, third-party tracking pixels, or analytics cookies
               that track individual users across websites.
             </p>
-            <p className="mt-4">
+            <p>
               We use Vercel Web Analytics to collect anonymous, aggregated usage data such as page
               views, referrer information, and general device or browser type. Vercel Web Analytics
               does not use cookies and does not collect personal data or track individual users.
               This data is processed by Vercel Inc. (US) under Standard Contractual Clauses (SCCs)
               as the legal mechanism for international data transfers.
             </p>
-            <p className="mt-4">
+            <p>
               If our use of cookies or analytics changes in the future, we will update this policy
               and provide appropriate notice and controls.
             </p>
           </section>
 
           <section>
-            <h2 className="font-mono text-xl text-navy mb-4">10. Data retention</h2>
+            <h2>10. Data retention</h2>
             <p>
               We retain personal data only for as long as necessary to operate the services and
               fulfill legal obligations.
             </p>
-            <p className="mt-4">
+            <p>
               Retention periods may vary depending on the type of data and applicable legal
               obligations.
             </p>
-            <p className="mt-4">
+            <p>
               To delete your account, contact us at{" "}
               <a
                 href="mailto:support@hypercerts.org"
-                className="text-blue-600 underline hover:text-blue-800"
+               
               >
                 support@hypercerts.org
               </a>
               . We will delete account-related data from our infrastructure
               within a reasonable period, subject to:
             </p>
-            <ul className="list-disc pl-6 mt-2 space-y-2">
+            <ul>
               <li>legal retention requirements</li>
               <li>system backups</li>
               <li>technical limitations related to federated data replication</li>
             </ul>
-            <p className="mt-4">
+            <p>
               As described above, data previously shared through the AT Protocol network may
               continue to exist on third-party systems.
             </p>
           </section>
 
           <section>
-            <h2 className="font-mono text-xl text-navy mb-4">11. Security</h2>
+            <h2>11. Security</h2>
             <p>
               We implement reasonable technical and organizational measures to protect the security
               of the services and the data stored on them.
             </p>
-            <p className="mt-4">
+            <p>
               However, no system can guarantee complete security. Users are responsible for
               protecting their account credentials and cryptographic keys associated with their AT
               Protocol identities.
@@ -358,7 +358,7 @@ export default function PrivacyPage() {
           </section>
 
           <section>
-            <h2 className="font-mono text-xl text-navy mb-4">
+            <h2>
               12. Children&apos;s data
             </h2>
             <p>
@@ -367,7 +367,7 @@ export default function PrivacyPage() {
               age, or under the minimum age required to consent to data processing under applicable
               law in the user&apos;s jurisdiction.
             </p>
-            <p className="mt-4">
+            <p>
               If we become aware that personal data has been collected from an individual under the
               applicable minimum age without appropriate authorization, we will take steps to delete
               that data.
@@ -375,12 +375,12 @@ export default function PrivacyPage() {
           </section>
 
           <section>
-            <h2 className="font-mono text-xl text-navy mb-4">13. Your rights</h2>
+            <h2>13. Your rights</h2>
             <p>
               Where applicable under data protection laws such as the GDPR, individuals may have
               the right to:
             </p>
-            <ul className="list-disc pl-6 mt-2 space-y-2">
+            <ul>
               <li>access their personal data</li>
               <li>request correction of inaccurate data</li>
               <li>request deletion of personal data</li>
@@ -388,30 +388,30 @@ export default function PrivacyPage() {
               <li>request portability of data they have provided</li>
               <li>withdraw consent, where processing is based on consent</li>
             </ul>
-            <p className="mt-4">Requests may be submitted to:</p>
-            <p className="mt-2">
+            <p>Requests may be submitted to:</p>
+            <p>
               <a
                 href="mailto:legal@hypercerts.org"
-                className="text-blue-600 underline hover:text-blue-800"
+               
               >
                 legal@hypercerts.org
               </a>
             </p>
-            <p className="mt-4">
+            <p>
               We will respond to requests within one month, or inform you if an extension is
               necessary in accordance with applicable law.
             </p>
           </section>
 
           <section>
-            <h2 className="font-mono text-xl text-navy mb-4">
+            <h2>
               14. International users
             </h2>
             <p>
               Certified is operated from infrastructure located primarily within the European Union
               but may be accessed globally.
             </p>
-            <p className="mt-4">
+            <p>
               If you access the services from outside the European Union, your data may be processed
               in jurisdictions outside your country of residence, subject to the safeguards
               described in Section 6.
@@ -419,27 +419,27 @@ export default function PrivacyPage() {
           </section>
 
           <section>
-            <h2 className="font-mono text-xl text-navy mb-4">
+            <h2>
               15. Changes to this policy
             </h2>
             <p>We may update this Privacy Policy from time to time.</p>
-            <p className="mt-4">
+            <p>
               When changes are material, we will provide notice through certified.app or other
               appropriate communication channels.
             </p>
-            <p className="mt-4">
+            <p>
               The most recent version of this policy will always be available on the Certified
               website.
             </p>
           </section>
 
           <section>
-            <h2 className="font-mono text-xl text-navy mb-4">16. Contact</h2>
+            <h2>16. Contact</h2>
             <p>
               For privacy inquiries, data protection requests, or questions about this policy,
               contact:
             </p>
-            <p className="mt-4">
+            <p>
               <strong>Hypercerts Foundation</strong>
               <br />
               1209 Orange St.
@@ -448,13 +448,13 @@ export default function PrivacyPage() {
               <br />
               United States
             </p>
-            <p className="mt-4">
+            <p>
               Phone: +1 302 658 7581
               <br />
               Email:{" "}
               <a
                 href="mailto:legal@hypercerts.org"
-                className="text-blue-600 underline hover:text-blue-800"
+               
               >
                 legal@hypercerts.org
               </a>
diff --git a/src/app/terms/page.tsx b/src/app/terms/page.tsx
index 2c18cb91..6cbde9f5 100644
--- a/src/app/terms/page.tsx
+++ b/src/app/terms/page.tsx
@@ -17,25 +17,25 @@ export const metadata: Metadata = {
 
 export default function TermsPage() {
   return (
-    <div className="app-page">
-      <div className="app-page__inner max-w-3xl">
-        <h1 className="font-mono text-h1 text-navy tracking-tight mb-8">
+    <div className="prose-page">
+      <div className="prose-page__inner">
+        <h1 className="prose-page__title">
           Terms of Service — Certified
         </h1>
 
-        <p className="text-sm text-gray-500 mb-8">Last updated: April 1, 2026</p>
+        <p className="prose-page__meta">Last updated: April 1, 2026</p>
 
-        <div className="prose prose-navy max-w-none space-y-8">
+        <div className="prose-page__body">
           <section>
-            <h2 className="font-mono text-xl text-navy mb-4">1. About Certified</h2>
+            <h2>1. About Certified</h2>
             <p>
               Certified is operated by the Hypercerts Foundation (&quot;Hypercerts
               Foundation&quot;, &quot;we&quot;, &quot;our&quot;, or &quot;us&quot;), a Delaware
               nonstock corporation that develops and maintains open infrastructure for the
               hypercerts ecosystem.
             </p>
-            <p className="mt-4">The Certified services consist of two components:</p>
-            <ul className="list-disc pl-6 mt-2 space-y-2">
+            <p>The Certified services consist of two components:</p>
+            <ul>
               <li>
                 <strong>certified.app</strong> – a web application used to create and manage AT
                 Protocol identities and configure related services.
@@ -45,11 +45,11 @@ export default function TermsPage() {
                 Data Servers (PDS) that store and serve identity records and associated user data.
               </li>
             </ul>
-            <p className="mt-4">
+            <p>
               These services provide identity and data hosting infrastructure for the AT Protocol
               ecosystem.
             </p>
-            <p className="mt-4">
+            <p>
               Certified is not a social media platform. We do not operate feeds, rank content,
               recommend posts, or curate speech. Applications that display or process user data are
               operated independently by third parties.
@@ -57,30 +57,30 @@ export default function TermsPage() {
           </section>
 
           <section>
-            <h2 className="font-mono text-xl text-navy mb-4">
+            <h2>
               2. Nature of the services
             </h2>
             <p>
               Certified is part of an evolving technical ecosystem built on the AT Protocol, an
               open and developing standard.
             </p>
-            <p className="mt-4">
+            <p>
               Features, interoperability, and functionality may change as the protocol evolves. The
               Hypercerts Foundation does not guarantee that the services will remain compatible with
               all future versions or implementations of the protocol.
             </p>
-            <p className="mt-4">
+            <p>
               The services are provided as technical infrastructure for identity and data hosting,
               not as a platform for transactions or agreements between users.
             </p>
-            <p className="mt-4">
+            <p>
               The Hypercerts Foundation is not a party to any agreements, interactions, or
               transactions between users or between users and third-party applications.
             </p>
           </section>
 
           <section>
-            <h2 className="font-mono text-xl text-navy mb-4">
+            <h2>
               3. Agreement to these Terms
             </h2>
             <p>
@@ -88,50 +88,50 @@ export default function TermsPage() {
               be bound by these Terms of Service and the Certified Privacy Policy (together, the
               &quot;Agreement&quot;).
             </p>
-            <p className="mt-4">
+            <p>
               If you do not agree to these Terms, you may not use the services.
             </p>
-            <p className="mt-4">
+            <p>
               You must be at least 16 years old, or the minimum age required to consent to data
               processing under applicable law in your jurisdiction.
             </p>
           </section>
 
           <section>
-            <h2 className="font-mono text-xl text-navy mb-4">
+            <h2>
               4. AT Protocol identity and user responsibility
             </h2>
             <p>
               Certified provides tools and infrastructure that allow users to operate an AT Protocol
               identity.
             </p>
-            <p className="mt-4">
+            <p>
               You retain ownership of the content, records, and data associated with your account.
               The Hypercerts Foundation does not claim ownership of user content.
             </p>
-            <p className="mt-4">Users are solely responsible for:</p>
-            <ul className="list-disc pl-6 mt-2 space-y-2">
+            <p>Users are solely responsible for:</p>
+            <ul>
               <li>all data stored through their Personal Data Server</li>
               <li>any records published under their identity</li>
               <li>ensuring their use of the services complies with applicable laws</li>
             </ul>
-            <p className="mt-4">
+            <p>
               You determine which applications or services may access your data.
             </p>
-            <p className="mt-4">
+            <p>
               Because the AT Protocol operates as a federated network, data published through your
               Personal Data Server <strong>may be made available</strong> to other servers and
               applications as part of normal protocol operation. This includes replication, caching,
               indexing, and display by third-party services you interact with.
             </p>
-            <p className="mt-4">
+            <p>
               The Hypercerts Foundation is not responsible for how third-party services process,
               display, or use such data.
             </p>
           </section>
 
           <section>
-            <h2 className="font-mono text-xl text-navy mb-4">
+            <h2>
               5. Group and organization accounts
             </h2>
             <p>
@@ -148,7 +148,7 @@ export default function TermsPage() {
           </section>
 
           <section>
-            <h2 className="font-mono text-xl text-navy mb-4">
+            <h2>
               6. Intellectual property
             </h2>
             <p>
@@ -156,7 +156,7 @@ export default function TermsPage() {
               including all software, interfaces, trademarks, and other intellectual property
               associated with Certified.
             </p>
-            <p className="mt-4">
+            <p>
               Nothing in these Terms grants you any right, title, or interest in the Hypercerts
               Foundation&apos;s intellectual property, except the{" "}
               <strong>
@@ -165,19 +165,19 @@ export default function TermsPage() {
               </strong>
               .
             </p>
-            <p className="mt-4">
+            <p>
               User content remains the property of the user, as described in Section 4.
             </p>
           </section>
 
           <section>
-            <h2 className="font-mono text-xl text-navy mb-4">7. Acceptable use</h2>
+            <h2>7. Acceptable use</h2>
             <p>
               You may use Certified only for lawful purposes and in a manner that does not
               interfere with the operation or stability of the services.
             </p>
-            <p className="mt-4">You agree not to:</p>
-            <ul className="list-disc pl-6 mt-2 space-y-2">
+            <p>You agree not to:</p>
+            <ul>
               <li>use the services in violation of applicable laws or regulations</li>
               <li>attempt unauthorized access to accounts, infrastructure, or systems</li>
               <li>introduce malware or otherwise disrupt network functionality</li>
@@ -192,12 +192,12 @@ export default function TermsPage() {
                 performance or stability
               </li>
             </ul>
-            <p className="mt-4">
+            <p>
               The Hypercerts Foundation may implement technical measures such as rate limiting,
               automated abuse detection, traffic filtering, or temporary access restrictions in
               order to protect the stability and security of the services.
             </p>
-            <p className="mt-4">
+            <p>
               Where necessary to comply with law or protect infrastructure integrity, the Hypercerts
               Foundation may restrict access to certain data, limit functionality, or suspend
               accounts.
@@ -205,29 +205,29 @@ export default function TermsPage() {
           </section>
 
           <section>
-            <h2 className="font-mono text-xl text-navy mb-4">
+            <h2>
               8. Infrastructure and service operation
             </h2>
             <p>
               certified.one hosts Personal Data Servers that store AT Protocol identity records and
               related user data.
             </p>
-            <p className="mt-4">
+            <p>
               The infrastructure supporting these servers is{" "}
               <strong>currently hosted</strong> on cloud infrastructure located within the European
               Union.
             </p>
-            <p className="mt-4">
+            <p>
               To operate the services, we may rely on specialized third-party providers for
               operational tasks such as:
             </p>
-            <ul className="list-disc pl-6 mt-2 space-y-2">
+            <ul>
               <li>system monitoring</li>
               <li>communications</li>
               <li>analytics</li>
               <li>technical support</li>
             </ul>
-            <p className="mt-4">
+            <p>
               Some of these providers may process limited data outside the European Union. Such
               processing occurs in accordance with applicable data protection laws and appropriate
               safeguards.
@@ -235,31 +235,31 @@ export default function TermsPage() {
           </section>
 
           <section>
-            <h2 className="font-mono text-xl text-navy mb-4">
+            <h2>
               9. Third-party services
             </h2>
             <p>
               The services may interact with or reference third-party applications, websites, or
               services.
             </p>
-            <p className="mt-4">
+            <p>
               These services are operated independently and governed by their own terms and
               policies. The Hypercerts Foundation does not control and is not responsible for the
               operation or content of third-party services.
             </p>
-            <p className="mt-4">Your use of such services is at your own discretion.</p>
+            <p>Your use of such services is at your own discretion.</p>
           </section>
 
           <section>
-            <h2 className="font-mono text-xl text-navy mb-4">
+            <h2>
               10. Privacy and data protection
             </h2>
             <p>
               Personal data is processed in accordance with applicable data protection laws,
               including the EU General Data Protection Regulation (GDPR) where applicable.
             </p>
-            <p className="mt-4">Our Privacy Policy explains:</p>
-            <ul className="list-disc pl-6 mt-2 space-y-2">
+            <p>Our Privacy Policy explains:</p>
+            <ul>
               <li>what personal data we process</li>
               <li>the purposes for processing</li>
               <li>where data is stored</li>
@@ -269,47 +269,47 @@ export default function TermsPage() {
           </section>
 
           <section>
-            <h2 className="font-mono text-xl text-navy mb-4">
+            <h2>
               11. Handling unlawful data and legal orders
             </h2>
             <p>
               The Hypercerts Foundation does not routinely monitor all information stored on Personal
               Data Servers.
             </p>
-            <p className="mt-4">However, we may take action where necessary to:</p>
-            <ul className="list-disc pl-6 mt-2 space-y-2">
+            <p>However, we may take action where necessary to:</p>
+            <ul>
               <li>comply with legal obligations</li>
               <li>respond to orders from competent authorities</li>
               <li>protect the stability or security of the infrastructure</li>
               <li>address clearly unlawful data when required by law</li>
             </ul>
-            <p className="mt-4">
+            <p>
               Such actions may include restricting access to specific records or suspending accounts.
             </p>
-            <p className="mt-4">
+            <p>
               The Hypercerts Foundation may rely on{" "}
               <strong>automated systems or third-party services</strong> to assist in identifying or
               responding to unlawful content, infrastructure abuse, or security threats.
             </p>
-            <p className="mt-4">
+            <p>
               The Hypercerts Foundation is not responsible for content moderation decisions made by
               third-party applications that access data through the AT Protocol. Moderation policies
               applied by other services are outside our control and do not reflect actions taken by
               the Hypercerts Foundation.
             </p>
-            <p className="mt-4">
+            <p>
               Reports of illegal content may be submitted in accordance with the notice-and-action
               procedure described in our{" "}
-              <a href="/dsa" className="text-blue-600 underline hover:text-blue-800">
+              <a href="/dsa">
                 DSA Compliance Page
               </a>
               .
             </p>
-            <p className="mt-4">
+            <p>
               Reports and legal notices may also be sent to:{" "}
               <a
                 href="mailto:legal@hypercerts.org"
-                className="text-blue-600 underline hover:text-blue-800"
+               
               >
                 legal@hypercerts.org
               </a>
@@ -317,14 +317,14 @@ export default function TermsPage() {
           </section>
 
           <section>
-            <h2 className="font-mono text-xl text-navy mb-4">
+            <h2>
               12. Availability, modification, and discontinuation
             </h2>
             <p>Certified services are provided on a best-effort basis.</p>
-            <p className="mt-4">
+            <p>
               Maintenance, system updates, or security work may result in temporary interruptions.
             </p>
-            <p className="mt-4">
+            <p>
               The Hypercerts Foundation may modify, suspend, or discontinue all or part of the
               services at any time. Where reasonably possible, we will provide advance notice of
               material changes or service discontinuation.
@@ -332,56 +332,56 @@ export default function TermsPage() {
           </section>
 
           <section>
-            <h2 className="font-mono text-xl text-navy mb-4">
+            <h2>
               13. Data persistence in federated systems
             </h2>
             <p>
               Because the AT Protocol operates as a federated network, data published through the
               services may be copied, cached, or stored by other servers or applications.
             </p>
-            <p className="mt-4">
+            <p>
               The Hypercerts Foundation cannot guarantee that data removed from its infrastructure
               will also be removed from third-party systems.
             </p>
           </section>
 
           <section>
-            <h2 className="font-mono text-xl text-navy mb-4">
+            <h2>
               14. Account security
             </h2>
             <p>
               You are responsible for protecting your account credentials and authentication
               information.
             </p>
-            <p className="mt-4">
+            <p>
               If you believe your account has been compromised, you must notify us promptly at{" "}
               <a
                 href="mailto:legal@hypercerts.org"
-                className="text-blue-600 underline hover:text-blue-800"
+               
               >
                 legal@hypercerts.org
               </a>
               .
             </p>
-            <p className="mt-4">
+            <p>
               Access to accounts may be temporarily restricted while security investigations are
               conducted.
             </p>
-            <p className="mt-4">
+            <p>
               Because AT Protocol identities rely on cryptographic credentials, recovery of accounts
               may not be possible if credentials are permanently lost.
             </p>
           </section>
 
           <section>
-            <h2 className="font-mono text-xl text-navy mb-4">15. Termination</h2>
+            <h2>15. Termination</h2>
 
             <h3 className="font-mono text-lg text-navy mt-6 mb-3">Termination by you</h3>
             <p>
               To delete your account, contact us at{" "}
               <a
                 href="mailto:support@hypercerts.org"
-                className="text-blue-600 underline hover:text-blue-800"
+               
               >
                 support@hypercerts.org
               </a>
@@ -394,7 +394,7 @@ export default function TermsPage() {
             <p>
               The Hypercerts Foundation may suspend or terminate your account if:
             </p>
-            <ul className="list-disc pl-6 mt-2 space-y-2">
+            <ul>
               <li>you breach these Terms of Service</li>
               <li>
                 your use of the services poses a risk to the stability, security, or integrity of
@@ -405,7 +405,7 @@ export default function TermsPage() {
               </li>
               <li>the services are discontinued in accordance with Section 12</li>
             </ul>
-            <p className="mt-4">
+            <p>
               Where reasonably possible, we will provide notice before terminating an account. In
               cases involving security threats, legal obligations, or infrastructure abuse, immediate
               action may be taken without prior notice.
@@ -419,7 +419,7 @@ export default function TermsPage() {
               will delete your account data from its infrastructure within a reasonable period,
               subject to any legal retention obligations.
             </p>
-            <p className="mt-4">
+            <p>
               As described in Section 13, data previously published through the AT Protocol may
               continue to exist on third-party servers or applications. The Hypercerts Foundation
               cannot ensure deletion of such data from federated systems.
@@ -434,7 +434,7 @@ export default function TermsPage() {
           </section>
 
           <section>
-            <h2 className="font-mono text-xl text-navy mb-4">16. Feedback</h2>
+            <h2>16. Feedback</h2>
             <p>
               If you provide suggestions, ideas, or feedback regarding the services, the Hypercerts
               Foundation may use such feedback{" "}
@@ -443,42 +443,42 @@ export default function TermsPage() {
           </section>
 
           <section>
-            <h2 className="font-mono text-xl text-navy mb-4">
+            <h2>
               17. Disclaimer of warranties
             </h2>
             <p>
               The services are provided &quot;as is&quot; and &quot;as available.&quot;
             </p>
-            <p className="mt-4">
+            <p>
               The Hypercerts Foundation makes no representations or warranties regarding the
               reliability, availability, or accuracy of the services.
             </p>
-            <p className="mt-4">
+            <p>
               To the maximum extent permitted by law, we disclaim all warranties, express or
               implied, including warranties of merchantability, fitness for a particular purpose, and
               non-infringement.
             </p>
-            <p className="mt-4">
+            <p>
               You understand that your use of the services is at your own discretion and risk.
             </p>
           </section>
 
           <section>
-            <h2 className="font-mono text-xl text-navy mb-4">
+            <h2>
               18. Limitation of liability
             </h2>
             <p>
               Nothing in these Terms limits liability where such limitation is prohibited by law.
             </p>
-            <p className="mt-4">
+            <p>
               To the maximum extent permitted by law, the Hypercerts Foundation is not liable for
               indirect, incidental, or consequential damages arising from the use of the services.
             </p>
-            <p className="mt-4">
+            <p>
               Where liability cannot be excluded, the Hypercerts Foundation&apos;s total liability{" "}
               <strong>arising out of or relating to the services</strong> is limited to:
             </p>
-            <ul className="list-disc pl-6 mt-2 space-y-2">
+            <ul>
               <li>
                 the amount paid by you for the services during the 12 months preceding the claim, or
               </li>
@@ -487,7 +487,7 @@ export default function TermsPage() {
           </section>
 
           <section>
-            <h2 className="font-mono text-xl text-navy mb-4">
+            <h2>
               19. Indemnification
             </h2>
             <p>
@@ -495,19 +495,19 @@ export default function TermsPage() {
               the Hypercerts Foundation from claims, damages, losses, and expenses (including
               reasonable legal fees) arising from:
             </p>
-            <ul className="list-disc pl-6 mt-2 space-y-2">
+            <ul>
               <li>your use of the services in violation of these Terms</li>
               <li>data you store or publish through the services</li>
               <li>your violation of applicable laws or the rights of third parties</li>
             </ul>
-            <p className="mt-4">
+            <p>
               This indemnification obligation does not apply to consumers where prohibited by
               applicable consumer protection law.
             </p>
           </section>
 
           <section>
-            <h2 className="font-mono text-xl text-navy mb-4">
+            <h2>
               20. Consumer protections
             </h2>
             <p>
@@ -517,21 +517,21 @@ export default function TermsPage() {
           </section>
 
           <section>
-            <h2 className="font-mono text-xl text-navy mb-4">
+            <h2>
               21. Validity and waiver
             </h2>
             <p>
               If any provision of these Terms is found unenforceable by a court of competent
               jurisdiction, the remaining provisions will continue to apply.
             </p>
-            <p className="mt-4">
+            <p>
               The failure of the Hypercerts Foundation to enforce any provision of these Terms does
               not constitute a waiver of that provision or any other provision.
             </p>
           </section>
 
           <section>
-            <h2 className="font-mono text-xl text-navy mb-4">
+            <h2>
               22. Changes to these Terms
             </h2>
             <p>
@@ -540,44 +540,44 @@ export default function TermsPage() {
               by email or other direct communication at least 30 days before the changes take
               effect.
             </p>
-            <p className="mt-4">
+            <p>
               The updated Terms will indicate the date of the most recent revision. Your continued
               use of the services after the effective date of the updated Terms constitutes
               acceptance of the changes,{" "}
               <strong>to the extent permitted by applicable law</strong>.
             </p>
-            <p className="mt-4">
+            <p>
               If you do not agree with the updated Terms, you may close your account in accordance
               with Section 15.
             </p>
           </section>
 
           <section>
-            <h2 className="font-mono text-xl text-navy mb-4">
+            <h2>
               23. Transfer of rights
             </h2>
             <p>
               Users may not transfer their rights or obligations under these Terms without the prior
               written consent of the Hypercerts Foundation.
             </p>
-            <p className="mt-4">
+            <p>
               The Hypercerts Foundation may assign or transfer its rights or obligations as part of
               organizational restructuring or transfer of the services.
             </p>
           </section>
 
           <section>
-            <h2 className="font-mono text-xl text-navy mb-4">24. Governing law</h2>
+            <h2>24. Governing law</h2>
             <p>
               These Terms are governed by the laws of the State of California, regardless of
               conflict of laws rules.
             </p>
-            <p className="mt-4">
+            <p>
               Any disputes arising out of or relating to these Terms will be resolved exclusively in
               the federal or state courts located in San Francisco County, California, and you
               consent to the personal jurisdiction of those courts.
             </p>
-            <p className="mt-4">
+            <p>
               If you are a consumer in the European Union, this section does not affect any mandatory
               consumer protections or jurisdictional rights available to you under the laws of your
               country of residence.
@@ -585,7 +585,7 @@ export default function TermsPage() {
           </section>
 
           <section>
-            <h2 className="font-mono text-xl text-navy mb-4">
+            <h2>
               25. Entire agreement
             </h2>
             <p>
@@ -597,15 +597,15 @@ export default function TermsPage() {
           </section>
 
           <section>
-            <h2 className="font-mono text-xl text-navy mb-4">26. Contact</h2>
+            <h2>26. Contact</h2>
             <p>
               For all inquiries — including support, legal notices, Digital Services Act
               communications, and privacy matters:
             </p>
-            <p className="mt-4">
+            <p>
               <a
                 href="mailto:legal@hypercerts.org"
-                className="text-blue-600 underline hover:text-blue-800"
+               
               >
                 legal@hypercerts.org
               </a>
diff --git a/src/components/landing/hero-actions.tsx b/src/components/landing/hero-actions.tsx
new file mode 100644
index 00000000..3d7eb714
--- /dev/null
+++ b/src/components/landing/hero-actions.tsx
@@ -0,0 +1,31 @@
+"use client";
+
+import Link from "next/link";
+import { ArrowRight } from "lucide-react";
+import { useAuth } from "@/lib/auth/auth-context";
+
+/**
+ * Hero CTA pair — primary "Create your account" (black, with arrow) and
+ * secondary "Explore apps" (outlined, with arrow). Mirrors the editorial
+ * layout in the reference with a quiet hairline border between them.
+ */
+export default function HeroActions() {
+  const { openSignIn } = useAuth();
+
+  return (
+    <div className="hero__actions">
+      <button
+        type="button"
+        className="btn btn--primary"
+        onClick={openSignIn}
+      >
+        Create your account
+        <ArrowRight size={18} strokeWidth={1.75} className="btn__arrow" />
+      </button>
+      <Link href="#partner-apps" className="btn btn--secondary">
+        Explore apps
+        <ArrowRight size={18} strokeWidth={1.75} className="btn__arrow" />
+      </Link>
+    </div>
+  );
+}
diff --git a/src/components/landing/hero-diagram.tsx b/src/components/landing/hero-diagram.tsx
new file mode 100644
index 00000000..ac23b4a2
--- /dev/null
+++ b/src/components/landing/hero-diagram.tsx
@@ -0,0 +1,102 @@
+/**
+ * Hero diagram — the right-hand visual on the landing hero.
+ *
+ * Editorial portrait of the Certified identity at the centre of the open
+ * web: a watercolor blue blob backdrop, a cream identity card with a
+ * globe, a handle, a DID, four pill chips, and a lock; six partner-app
+ * cards floating left/right; a caption at the bottom and a vertical
+ * "ONE ACCOUNT" rail at the right edge.
+ *
+ * Pure decoration — no inputs, no interactivity. Sized for a desktop
+ * 12-col split, collapses cleanly on tablet/mobile via CSS.
+ */
+
+import { Copy, Lock, Globe, Sprout, Trees, Vote, Trophy, Plus } from "lucide-react";
+
+export default function HeroDiagram() {
+  return (
+    <div className="hero-diagram" aria-hidden="true">
+      {/* Watercolor blue circle — a real painted PNG (generated via
+          openai_image, saved into the repo) rather than an SVG ellipse.
+          The PNG carries a real alpha channel (white paper matted out
+          via `255 - min(r,g,b)`), so the cream surface and the hero
+          grid pattern show through cleanly behind the blob. */}
+      <img
+        src="/assets/watercolor-blue-circle.png"
+        alt=""
+        className="hero-diagram__blob"
+        aria-hidden="true"
+      />
+
+      {/* Centre identity card */}
+      <div className="hero-diagram__card">
+        <div className="hero-diagram__card-globe" aria-hidden="true">
+          <Globe size={32} strokeWidth={1.25} />
+        </div>
+        <p className="hero-diagram__card-name">alexlee.dev</p>
+        <p className="hero-diagram__card-uri">at://alexlee.dev</p>
+        <div className="hero-diagram__card-did">
+          <span>did:plc:7c6u…xly7</span>
+          <Copy size={12} strokeWidth={1.5} />
+        </div>
+      </div>
+
+      {/* Lock badge (sits on the blob bottom edge) */}
+      <div className="hero-diagram__lock" aria-hidden="true">
+        <Lock size={18} strokeWidth={1.5} />
+      </div>
+
+      {/* Partner app cards (left column — Bluesky with the official
+         butterfly mark + first two Certified partner apps) */}
+      <div className="hero-diagram__app hero-diagram__app--lt">
+        <span className="hero-diagram__app-icon hero-diagram__app-icon--bluesky" aria-hidden="true">
+          <img src="/assets/partners/bluesky_logo.svg" alt="" width={16} height={16} />
+        </span>
+        Bluesky
+      </div>
+      <div className="hero-diagram__app hero-diagram__app--lm">
+        <span className="hero-diagram__app-icon" aria-hidden="true">
+          <Sprout size={16} strokeWidth={1.5} />
+        </span>
+        Ma Earth
+      </div>
+      <div className="hero-diagram__app hero-diagram__app--lb">
+        <span className="hero-diagram__app-icon" aria-hidden="true">
+          <Trees size={16} strokeWidth={1.5} />
+        </span>
+        GainForest
+      </div>
+
+      {/* Partner app cards (right column — remaining two Certified
+         partner apps + an open "Your app" slot that signals the
+         ecosystem is open to new partners) */}
+      <div className="hero-diagram__app hero-diagram__app--rt">
+        <span className="hero-diagram__app-icon" aria-hidden="true">
+          <Vote size={16} strokeWidth={1.5} />
+        </span>
+        Simocracy
+      </div>
+      <div className="hero-diagram__app hero-diagram__app--rm hero-diagram__app--placeholder">
+        <span className="hero-diagram__app-icon" aria-hidden="true">
+          <Plus size={16} strokeWidth={1.5} />
+        </span>
+        Your app
+      </div>
+      <div className="hero-diagram__app hero-diagram__app--rb">
+        <span className="hero-diagram__app-icon" aria-hidden="true">
+          <Trophy size={16} strokeWidth={1.5} />
+        </span>
+        Hyperboards
+      </div>
+
+      {/* Bottom caption */}
+      <p className="hero-diagram__caption">
+        Your data. Your control.
+        <br />
+        In every app you use.
+      </p>
+
+    </div>
+  );
+}
+
diff --git a/src/components/landing/hero-signin-button.tsx b/src/components/landing/hero-signin-button.tsx
deleted file mode 100644
index ba5aca4d..00000000
--- a/src/components/landing/hero-signin-button.tsx
+++ /dev/null
@@ -1,15 +0,0 @@
-"use client";
-
-import { useAuth } from "@/lib/auth/auth-context";
-
-export default function HeroSignInButton() {
-  const { openSignIn } = useAuth();
-
-  return (
-    <div className="hero__actions">
-      <button className="hero__btn-signin" onClick={openSignIn} aria-label="Sign in with Certified">
-        <img src="/assets/certified_signinwith_black.svg" alt="Sign in with Certified" className="hero__btn-signin-img" />
-      </button>
-    </div>
-  );
-}
diff --git a/src/components/landing/landing-page.tsx b/src/components/landing/landing-page.tsx
index c6429a9c..531eeaf5 100644
--- a/src/components/landing/landing-page.tsx
+++ b/src/components/landing/landing-page.tsx
@@ -4,13 +4,29 @@ import PartnerApps from "@/components/landing/sections/partner-apps";
 import BuiltForTrust from "@/components/landing/sections/built-for-trust";
 import FaqSection from "@/components/landing/sections/faq-content";
 import ReadyCtaSection from "@/components/landing/sections/ready-cta-content";
-import HeroSignInButton from "@/components/landing/hero-signin-button";
+import HeroActions from "@/components/landing/hero-actions";
+import HeroDiagram from "@/components/landing/hero-diagram";
+import { Shield, Lock, User } from "lucide-react";
 
+/**
+ * Landing page — editorial parchment-and-vermillion design.
+ *
+ * The hero is a 12-col split: an editorial typography block on the left
+ * (vertical rail + chop seal + eyebrow + serif headline with italic red
+ * emphasis + sub + dual buttons + AT Protocol footnote) and a hand-built
+ * identity diagram on the right (centre card, six partner apps, dotted
+ * connectors, watercolor blob, and an "AT / Protocol" badge).
+ *
+ * A pillared trust strip (01 Protect · 02 Connect · 03 Can choose) sits
+ * just below the hero as a closing beat. Everything below that retains
+ * the existing section rhythm but harmonized to the warm cream palette.
+ */
 export default function LandingPage() {
   return (
     <>
       <section className="hero hero--landing">
-        {/* Line-art pattern background */}
+        {/* Faded paper-grid texture, concentric rings, and corner-to-corner
+            diagonals — echoes the original certified.app/welcome backdrop. */}
         <div className="hero__pattern" aria-hidden="true">
           <svg width="100%" height="100%" xmlns="http://www.w3.org/2000/svg">
             <defs>
@@ -26,20 +42,86 @@ export default function LandingPage() {
           </svg>
         </div>
 
-        <div className="hero__inner">
-          <span className="hero__label">Built on AT Protocol</span>
-          <h1 className="hero__title hero-reveal">
-            One account.<br />
-            <span className="hero__title-accent">Any app.</span>
-          </h1>
-          <p className="hero__subtitle hero-reveal">
-            Your identity and data — everywhere you go.
-          </p>
-          <div className="hero-reveal">
-            <HeroSignInButton />
+        <div className="hero__split">
+          {/* LEFT — editorial typography */}
+          <div className="hero__copy">
+            <div className="hero__copy-inner">
+              <span className="hero__eyebrow">The universal identity</span>
+              <h1 className="hero__title">
+                Portable<br />
+                identity<br />
+                for the<br />
+                <span className="hero__title-accent">atmosphere</span>
+              </h1>
+              <p className="hero__subtitle">
+                One secure account. Sign in anywhere.
+                <br />
+                Your identity, your data, your control.
+              </p>
+
+              <HeroActions />
+
+              <p className="hero__footnote">
+                <span className="hero__footnote-mark" aria-hidden="true">@</span>
+                <span>Built on AT Protocol.</span>
+                <a className="hero__footnote-link" href="#built-for-trust">
+                  Learn more <span aria-hidden="true">→</span>
+                </a>
+              </p>
+            </div>
+          </div>
+
+          {/* RIGHT — identity diagram */}
+          <div className="hero__visual">
+            <HeroDiagram />
+            <aside className="hero__rail hero__rail--right" aria-hidden="true">
+              <span className="hero__rail-eyebrow">ONE ACCOUNT</span>
+              <span className="hero__rail-redseal" />
+              <span className="hero__rail-text hero__rail-text--right">Sign in anywhere.</span>
+            </aside>
+          </div>
+        </div>
+
+        {/* Three-pillar trust strip pinned under the hero */}
+        <div className="hero-pillars" aria-label="What Certified gives you">
+          <div className="hero-pillars__inner">
+            <article className="hero-pillar">
+              <div className="hero-pillar__icon" aria-hidden="true">
+                <Shield size={24} strokeWidth={1.4} />
+              </div>
+              <span className="hero-pillar__num">01</span>
+              <div className="hero-pillar__body">
+                <h3>Protect</h3>
+                <p className="hero-pillar__lede">Secure by design</p>
+                <p>End-to-end encryption and user-controlled data.</p>
+              </div>
+            </article>
+            <article className="hero-pillar">
+              <div className="hero-pillar__icon" aria-hidden="true">
+                <Lock size={24} strokeWidth={1.4} />
+              </div>
+              <span className="hero-pillar__num">02</span>
+              <div className="hero-pillar__body">
+                <h3>Connect</h3>
+                <p className="hero-pillar__lede">One sign-in, everywhere</p>
+                <p>Use your identity across every app you sign in to.</p>
+              </div>
+            </article>
+            <article className="hero-pillar">
+              <div className="hero-pillar__icon" aria-hidden="true">
+                <User size={24} strokeWidth={1.4} />
+              </div>
+              <span className="hero-pillar__num">03</span>
+              <div className="hero-pillar__body">
+                <h3>Can choose</h3>
+                <p className="hero-pillar__lede">You&apos;re in control</p>
+                <p>Share only what you choose. Revoke access anytime.</p>
+              </div>
+            </article>
           </div>
         </div>
       </section>
+
       <WhatYouGet />
       <HowItWorks />
       <PartnerApps />
diff --git a/src/components/landing/sections/ready-cta-button.tsx b/src/components/landing/sections/ready-cta-button.tsx
index 2a515a0d..a1575207 100644
--- a/src/components/landing/sections/ready-cta-button.tsx
+++ b/src/components/landing/sections/ready-cta-button.tsx
@@ -1,5 +1,7 @@
 "use client";
 
+import Link from "next/link";
+import { ArrowRight } from "lucide-react";
 import { useAuth } from "@/lib/auth/auth-context";
 
 export default function ReadyCtaButton() {
@@ -7,9 +9,18 @@ export default function ReadyCtaButton() {
 
   return (
     <div className="landing-cta__actions">
-      <button className="hero__btn-signin" onClick={openSignIn} aria-label="Sign in with Certified">
-        <img src="/assets/certified_signinwith_black.svg" alt="Sign in with Certified" className="hero__btn-signin-img" />
+      <button
+        type="button"
+        className="btn btn--primary btn--lg"
+        onClick={openSignIn}
+      >
+        Create your account
+        <ArrowRight size={18} strokeWidth={1.75} className="btn__arrow" />
       </button>
+      <Link href="#partner-apps" className="btn btn--secondary btn--lg">
+        Explore apps
+        <ArrowRight size={18} strokeWidth={1.75} className="btn__arrow" />
+      </Link>
     </div>
   );
 }
diff --git a/src/components/landing/sections/ready-cta-content.tsx b/src/components/landing/sections/ready-cta-content.tsx
index d96d32e7..4fe976cb 100644
--- a/src/components/landing/sections/ready-cta-content.tsx
+++ b/src/components/landing/sections/ready-cta-content.tsx
@@ -2,22 +2,19 @@ import ReadyCtaButton from "./ready-cta-button";
 
 export default function ReadyCtaSection() {
   return (
-    <section id="ready-cta" className="landing-section landing-section--light landing-section--pattern">
-      <div className="landing-section__pattern landing-section__pattern--dark" aria-hidden="true">
-        <svg width="100%" height="100%" xmlns="http://www.w3.org/2000/svg">
-          <defs>
-            <pattern id="grid-cta" width="100" height="100" patternUnits="userSpaceOnUse">
-              <path d="M 100 0 L 0 0 0 100" fill="none" stroke="currentColor" strokeWidth="0.5" />
-            </pattern>
-          </defs>
-          <rect width="100%" height="100%" fill="url(#grid-cta)" />
-        </svg>
-      </div>
+    <section id="ready-cta" className="landing-section landing-section--cream">
       <div className="landing-section__inner landing-cta">
-        <span className="landing-label">Get Started</span>
-        <h2>Ready to get started?</h2>
-        <p>Create your account in under a minute.</p>
+        <span className="landing-label landing-cta__eyebrow">One last thing</span>
+        <h2 className="landing-cta__headline">
+          Ready when <span className="landing-cta__headline-italic">you</span> are.
+        </h2>
+        <p className="landing-cta__lede">
+          One identity — every app you sign in to. Takes a minute.
+        </p>
         <ReadyCtaButton />
+        <p className="landing-cta__micro">
+          Free forever &nbsp;·&nbsp; No passwords &nbsp;·&nbsp; Walk away anytime
+        </p>
       </div>
     </section>
   );
diff --git a/src/components/landing/sections/what-you-get.tsx b/src/components/landing/sections/what-you-get.tsx
index aea26bbc..e784475f 100644
--- a/src/components/landing/sections/what-you-get.tsx
+++ b/src/components/landing/sections/what-you-get.tsx
@@ -7,33 +7,36 @@ export default function WhatYouGet() {
           <h2>What you get</h2>
         </div>
         <div className="landing-bento">
+          {/* All four cards are uniform — minimal cream surface, the
+              accent only shows up on the icon stroke. No highlight
+              card; let the typography carry the rhythm. */}
           <div className="landing-bento__card">
-            <div className="landing-bento__icon">
-              <svg width="32" height="32" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="1.5" strokeLinecap="round" strokeLinejoin="round"><path d="M16 21v-2a4 4 0 0 0-4-4H6a4 4 0 0 0-4 4v2"/><circle cx="9" cy="7" r="4"/><path d="M22 21v-2a4 4 0 0 0-3-3.87"/><path d="M16 3.13a4 4 0 0 1 0 7.75"/></svg>
+            <div className="landing-bento__icon-wrap">
+              <svg width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="1.75" strokeLinecap="round" strokeLinejoin="round" aria-hidden="true"><path d="M16 21v-2a4 4 0 0 0-4-4H6a4 4 0 0 0-4 4v2"/><circle cx="9" cy="7" r="4"/><path d="M22 21v-2a4 4 0 0 0-3-3.87"/><path d="M16 3.13a4 4 0 0 1 0 7.75"/></svg>
             </div>
             <h3>One account across apps</h3>
-            <p>Use the same account on every partner platform. No new logins.</p>
+            <p>Use the same account on every partner platform. No new logins, no juggling profiles.</p>
           </div>
           <div className="landing-bento__card">
-            <div className="landing-bento__icon">
-              <svg width="32" height="32" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="1.5" strokeLinecap="round" strokeLinejoin="round"><path d="M20 21v-2a4 4 0 0 0-4-4H8a4 4 0 0 0-4 4v2"/><circle cx="12" cy="7" r="4"/></svg>
+            <div className="landing-bento__icon-wrap">
+              <svg width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="1.75" strokeLinecap="round" strokeLinejoin="round" aria-hidden="true"><path d="M20 21v-2a4 4 0 0 0-4-4H8a4 4 0 0 0-4 4v2"/><circle cx="12" cy="7" r="4"/></svg>
             </div>
             <h3>Your profile travels with you</h3>
-            <p>Your data and activity appear when you sign in to a new app.</p>
+            <p>Your handle, avatar, and history appear automatically when you sign in to a new app.</p>
           </div>
           <div className="landing-bento__card">
-            <div className="landing-bento__icon">
-              <svg width="32" height="32" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="1.5" strokeLinecap="round" strokeLinejoin="round"><rect width="18" height="11" x="3" y="11" rx="2" ry="2"/><path d="M7 11V7a5 5 0 0 1 10 0v4"/></svg>
+            <div className="landing-bento__icon-wrap">
+              <svg width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="1.75" strokeLinecap="round" strokeLinejoin="round" aria-hidden="true"><rect width="18" height="11" x="3" y="11" rx="2" ry="2"/><path d="M7 11V7a5 5 0 0 1 10 0v4"/></svg>
             </div>
             <h3>You stay in control</h3>
-            <p>You can leave anytime. You&apos;re not locked in.</p>
+            <p>Export your data or walk away at any time. You&apos;re never locked in.</p>
           </div>
           <div className="landing-bento__card">
-            <div className="landing-bento__icon">
-              <svg width="32" height="32" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="1.5" strokeLinecap="round" strokeLinejoin="round"><path d="M15 3h4a2 2 0 0 1 2 2v14a2 2 0 0 1-2 2h-4"/><polyline points="10 17 15 12 10 7"/><line x1="15" y1="12" x2="3" y2="12"/></svg>
+            <div className="landing-bento__icon-wrap">
+              <svg width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="1.75" strokeLinecap="round" strokeLinejoin="round" aria-hidden="true"><rect x="3" y="5" width="18" height="14" rx="2"/><path d="m3 7 9 6 9-6"/></svg>
             </div>
             <h3>Simple sign-in</h3>
-            <p>No passwords. We email you a one-time code.</p>
+            <p>No passwords to remember. We email you a one-time code each time you sign in.</p>
           </div>
         </div>
       </div>
diff --git a/src/components/layout/footer.tsx b/src/components/layout/footer.tsx
index 837d06e7..2760bee8 100644
--- a/src/components/layout/footer.tsx
+++ b/src/components/layout/footer.tsx
@@ -5,16 +5,64 @@ import Link from "next/link";
 export default function Footer() {
   return (
     <footer className="landing-footer">
-      <div className="landing-footer__bar">
-        <div className="landing-footer__left">
-          <img src="/assets/certified_wordmark_black.svg" alt="Certified" className="landing-footer__logo-img" />
-          <span className="landing-footer__copy">&copy; 2026 Hypercerts Foundation</span>
-        </div>
-        <div className="landing-footer__links">
-          <Link href="/about">About</Link>
-          <Link href="/terms">Terms</Link>
-          <Link href="/privacy">Privacy</Link>
+      <div className="landing-footer__inner">
+        <div className="landing-footer__brand">
+          <img
+            src="/assets/certified_wordmark_black.svg"
+            alt="Certified"
+            className="landing-footer__logo-img"
+          />
+          <p className="landing-footer__tagline">
+            Passwordless identity for the open social internet. Built on AT Protocol.
+          </p>
+          <a
+            className="landing-footer__atproto"
+            href="https://atproto.com"
+            target="_blank"
+            rel="noopener noreferrer"
+          >
+            <span className="landing-footer__atproto-dot" aria-hidden="true" />
+            Powered by AT Protocol
+          </a>
         </div>
+
+        <nav className="landing-footer__nav" aria-label="Footer">
+          <div className="landing-footer__col">
+            <h5 className="landing-footer__heading">Product</h5>
+            <Link href="/welcome">Overview</Link>
+            <Link href="/welcome#what-you-get">Benefits</Link>
+            <Link href="/welcome#how-it-works">How it works</Link>
+            <Link href="/welcome#partner-apps">Partner apps</Link>
+          </div>
+          <div className="landing-footer__col">
+            <h5 className="landing-footer__heading">Company</h5>
+            <Link href="/about">About</Link>
+            <a
+              href="https://hypercerts.org"
+              target="_blank"
+              rel="noopener noreferrer"
+            >
+              Hypercerts Foundation
+            </a>
+            <Link href="/welcome#faq">FAQ</Link>
+          </div>
+          <div className="landing-footer__col">
+            <h5 className="landing-footer__heading">Legal</h5>
+            <Link href="/terms">Terms</Link>
+            <Link href="/privacy">Privacy</Link>
+            <Link href="/dsa">DSA</Link>
+          </div>
+        </nav>
+      </div>
+
+      <div className="landing-footer__bottom">
+        <span className="landing-footer__copy">
+          &copy; 2026 Hypercerts Foundation. All rights reserved.
+        </span>
+        <span className="landing-footer__bottom-spacer" aria-hidden="true" />
+        <span className="landing-footer__bottom-meta">
+          Made with care for an open identity layer.
+        </span>
       </div>
     </footer>
   );
diff --git a/src/components/layout/navbar-search.tsx b/src/components/layout/navbar-search.tsx
new file mode 100644
index 00000000..5996c108
--- /dev/null
+++ b/src/components/layout/navbar-search.tsx
@@ -0,0 +1,326 @@
+"use client";
+
+import React, { useState, useEffect, useRef, useCallback } from "react";
+import { useRouter } from "next/navigation";
+import { Search, X } from "lucide-react";
+import Avatar from "@/components/ui/avatar";
+import { getInitials } from "@/lib/utils/initials";
+
+interface Actor {
+  did: string;
+  handle: string;
+  displayName: string;
+  avatar: string | null;
+}
+
+interface NavbarSearchProps {
+  /** Optional className passed to the wrapping element. */
+  className?: string;
+  /** Override placeholder text. */
+  placeholder?: string;
+}
+
+/**
+ * Top-of-page user search.
+ *
+ * Behaviour:
+ * - Calls /api/search-actors (debounced, 250ms) to suggest matching atproto identities.
+ * - Up/Down arrows move the highlight through the dropdown (with wrap-around).
+ * - Enter selects the highlighted result; if nothing is highlighted, falls back to
+ *   the first result. Esc clears + closes the dropdown.
+ * - Cmd/Ctrl+K from anywhere on the page focuses the search input.
+ * - Selecting a result navigates to /profile/<did>.
+ */
+export default function NavbarSearch({
+  className = "",
+  placeholder = "Search people on atproto",
+}: NavbarSearchProps) {
+  const router = useRouter();
+  const [query, setQuery] = useState("");
+  const [results, setResults] = useState<Actor[]>([]);
+  const [isOpen, setIsOpen] = useState(false);
+  const [isSearching, setIsSearching] = useState(false);
+  const [highlight, setHighlight] = useState<number>(-1);
+
+  const inputRef = useRef<HTMLInputElement>(null);
+  const containerRef = useRef<HTMLDivElement>(null);
+  const listRef = useRef<HTMLUListElement>(null);
+  const debounceRef = useRef<ReturnType<typeof setTimeout> | null>(null);
+  // Lets us drop stale responses when the user keeps typing.
+  const requestSeq = useRef(0);
+  // Set when we update `query` programmatically after a selection so the
+  // debounced search effect skips the auto-fire for that one update — without
+  // this we'd immediately re-search for the selected user's display name.
+  const suppressNextSearchRef = useRef(false);
+
+  // Debounced fetch.
+  const search = useCallback(async (q: string, seq: number) => {
+    const trimmed = q.trim();
+    if (trimmed.length < 1) {
+      setResults([]);
+      setIsOpen(false);
+      setIsSearching(false);
+      return;
+    }
+    setIsSearching(true);
+    try {
+      // Plain fetch (not authFetch) — the route is unauthenticated, and we don't
+      // want a transient 5xx to trip the global 401 → sign-in interceptor.
+      const res = await fetch(
+        `/api/search-actors?q=${encodeURIComponent(trimmed)}&limit=8`,
+        { headers: { Accept: "application/json" } }
+      );
+      // If a newer request started while this one was in flight, drop the result.
+      if (seq !== requestSeq.current) return;
+      if (res.ok) {
+        const data = (await res.json()) as { actors?: Actor[] };
+        const next = data.actors ?? [];
+        setResults(next);
+        setHighlight(next.length > 0 ? 0 : -1);
+        setIsOpen(true);
+      } else {
+        setResults([]);
+        setHighlight(-1);
+        setIsOpen(true);
+      }
+    } catch {
+      // ignore — keep the previous results visible to avoid flicker
+    } finally {
+      if (seq === requestSeq.current) setIsSearching(false);
+    }
+  }, []);
+
+  // Run the debounced search whenever `query` changes.
+  useEffect(() => {
+    if (debounceRef.current) clearTimeout(debounceRef.current);
+    // Skip the search once when we set `query` programmatically after a
+    // selection — the user already picked someone, no need to re-query.
+    if (suppressNextSearchRef.current) {
+      suppressNextSearchRef.current = false;
+      return;
+    }
+    if (!query.trim()) {
+      setResults([]);
+      setIsOpen(false);
+      setIsSearching(false);
+      setHighlight(-1);
+      return;
+    }
+    const seq = ++requestSeq.current;
+    debounceRef.current = setTimeout(() => search(query, seq), 250);
+    return () => {
+      if (debounceRef.current) clearTimeout(debounceRef.current);
+    };
+  }, [query, search]);
+
+  // Close on outside click.
+  useEffect(() => {
+    if (!isOpen) return;
+    const handleClick = (e: MouseEvent) => {
+      if (containerRef.current && !containerRef.current.contains(e.target as Node)) {
+        setIsOpen(false);
+      }
+    };
+    document.addEventListener("mousedown", handleClick);
+    return () => document.removeEventListener("mousedown", handleClick);
+  }, [isOpen]);
+
+  // Cmd/Ctrl+K focus shortcut, scoped to keyboard events outside other inputs.
+  useEffect(() => {
+    const onKey = (e: KeyboardEvent) => {
+      if ((e.metaKey || e.ctrlKey) && e.key.toLowerCase() === "k") {
+        e.preventDefault();
+        inputRef.current?.focus();
+        inputRef.current?.select();
+      }
+    };
+    window.addEventListener("keydown", onKey);
+    return () => window.removeEventListener("keydown", onKey);
+  }, []);
+
+  // Keep the highlighted row visible when navigating with the keyboard.
+  useEffect(() => {
+    if (highlight < 0 || !listRef.current) return;
+    const el = listRef.current.querySelectorAll<HTMLLIElement>("[data-result-row]")[highlight];
+    el?.scrollIntoView({ block: "nearest" });
+  }, [highlight]);
+
+  const select = useCallback(
+    (actor: Actor) => {
+      // Keep the selected user visible in the search bar instead of clearing
+      // it — confirms the selection and matches what the user navigated to.
+      // Suppress the next debounced search so we don't immediately re-fire a
+      // request for the display name we just set.
+      suppressNextSearchRef.current = true;
+      setQuery(actor.displayName || actor.handle);
+      setResults([]);
+      setIsOpen(false);
+      setIsSearching(false);
+      setHighlight(-1);
+      // Blur so the dropdown doesn't reappear on the destination page.
+      inputRef.current?.blur();
+      router.push(`/profile/${encodeURIComponent(actor.did)}`);
+    },
+    [router]
+  );
+
+  const handleKeyDown = (e: React.KeyboardEvent<HTMLInputElement>) => {
+    // Open the dropdown on first arrow-down even before any results have loaded.
+    if (e.key === "ArrowDown") {
+      if (results.length === 0) return;
+      e.preventDefault();
+      setIsOpen(true);
+      setHighlight((h) => (h + 1) % results.length);
+      return;
+    }
+    if (e.key === "ArrowUp") {
+      if (results.length === 0) return;
+      e.preventDefault();
+      setIsOpen(true);
+      setHighlight((h) => (h <= 0 ? results.length - 1 : h - 1));
+      return;
+    }
+    if (e.key === "Enter") {
+      if (results.length === 0) return;
+      e.preventDefault();
+      const target = highlight >= 0 ? results[highlight] : results[0];
+      if (target) select(target);
+      return;
+    }
+    if (e.key === "Escape") {
+      e.preventDefault();
+      if (query) {
+        setQuery("");
+      } else {
+        setIsOpen(false);
+        inputRef.current?.blur();
+      }
+      return;
+    }
+    if (e.key === "Home") {
+      if (results.length === 0) return;
+      e.preventDefault();
+      setHighlight(0);
+      return;
+    }
+    if (e.key === "End") {
+      if (results.length === 0) return;
+      e.preventDefault();
+      setHighlight(results.length - 1);
+    }
+  };
+
+  const handleClear = () => {
+    setQuery("");
+    setResults([]);
+    setIsOpen(false);
+    setHighlight(-1);
+    inputRef.current?.focus();
+  };
+
+  const showDropdown =
+    isOpen && (isSearching || results.length > 0 || query.trim().length > 0);
+
+  // ARIA: tie input to listbox + active row for screen readers.
+  const listboxId = "navbar-search-listbox";
+  const activeId = highlight >= 0 ? `navbar-search-option-${highlight}` : undefined;
+
+  return (
+    <div
+      ref={containerRef}
+      className={`navbar-search ${className}`}
+      role="search"
+    >
+      <div className="navbar-search__field">
+        <Search size={16} className="navbar-search__icon" aria-hidden="true" />
+        <input
+          ref={inputRef}
+          type="text"
+          className="navbar-search__input"
+          value={query}
+          placeholder={placeholder}
+          onChange={(e) => setQuery(e.target.value)}
+          onKeyDown={handleKeyDown}
+          onFocus={() => {
+            // Only reopen if there are actual results to show. After a
+            // selection results is empty but the input still holds the picked
+            // user's name — refocusing in that state shouldn't pop a stale or
+            // empty dropdown.
+            if (results.length > 0) setIsOpen(true);
+          }}
+          role="combobox"
+          aria-label="Search people on atproto"
+          aria-autocomplete="list"
+          aria-expanded={showDropdown}
+          aria-controls={showDropdown ? listboxId : undefined}
+          aria-activedescendant={activeId}
+          autoComplete="off"
+          spellCheck={false}
+        />
+        {query ? (
+          <button
+            type="button"
+            className="navbar-search__clear"
+            onClick={handleClear}
+            aria-label="Clear search"
+          >
+            <X size={14} aria-hidden="true" />
+          </button>
+        ) : null}
+      </div>
+
+      {showDropdown && (
+        <ul
+          ref={listRef}
+          id={listboxId}
+          role="listbox"
+          className="navbar-search__dropdown"
+        >
+          {isSearching && results.length === 0 && (
+            <li className="navbar-search__empty" role="presentation">
+              Searching…
+            </li>
+          )}
+          {!isSearching && results.length === 0 && query.trim() && (
+            <li className="navbar-search__empty" role="presentation">
+              No people found for &ldquo;{query.trim()}&rdquo;.
+            </li>
+          )}
+          {results.map((actor, i) => {
+            const name = actor.displayName || actor.handle;
+            const isHighlighted = i === highlight;
+            return (
+              <li
+                key={actor.did}
+                id={`navbar-search-option-${i}`}
+                role="option"
+                aria-selected={isHighlighted}
+                data-result-row
+                className={`navbar-search__item ${
+                  isHighlighted ? "navbar-search__item--highlighted" : ""
+                }`}
+                onMouseEnter={() => setHighlight(i)}
+                // mouseDown (not click) — fires before the input's blur and avoids
+                // the dropdown disappearing before the navigation happens.
+                onMouseDown={(e) => {
+                  e.preventDefault();
+                  select(actor);
+                }}
+              >
+                <Avatar
+                  size="sm"
+                  src={actor.avatar || undefined}
+                  fallbackInitials={getInitials(name, actor.did)}
+                />
+                <div className="navbar-search__item-info">
+                  <span className="navbar-search__item-name">{name}</span>
+                  <span className="navbar-search__item-handle">@{actor.handle}</span>
+                </div>
+              </li>
+            );
+          })}
+        </ul>
+      )}
+    </div>
+  );
+}
diff --git a/src/components/layout/navbar.tsx b/src/components/layout/navbar.tsx
index 7698a403..35a934f1 100644
--- a/src/components/layout/navbar.tsx
+++ b/src/components/layout/navbar.tsx
@@ -13,6 +13,7 @@ import { getInitials } from "@/lib/utils/initials";
 import { useOrg } from "@/lib/groups/org-context";
 import { useOrgProfile } from "@/hooks/use-org-profile";
 import { Menu, X, ChevronDown, LogOut } from "lucide-react";
+import NavbarSearch from "./navbar-search";
 
 const PERSONAL_NAV_LINKS = (profileHref: string) => [
   { href: profileHref, label: "Profile" },
@@ -188,6 +189,9 @@ const Navbar: React.FC = () => {
 
         {isAuthenticated ? (
           <>
+            {/* Desktop: search bar */}
+            <NavbarSearch className="navbar__search" />
+
             {/* Desktop: nav links */}
             <div className="navbar__app-links">
               {navLinks.map((link) => (
@@ -403,14 +407,36 @@ const Navbar: React.FC = () => {
             </div>
           </>
         ) : (
-          <div className="navbar__right">
-            <button
-              onClick={openSignIn}
-              className="navbar__signin"
-            >
-              <img src="/assets/certified_signin_black.svg" alt="Sign in" className="navbar__signin-img" />
-            </button>
-          </div>
+          <>
+            {/* Desktop: search bar (works without auth via public Bluesky AppView) */}
+            <NavbarSearch className="navbar__search" />
+
+            {/* Center: editorial anchor nav (only on landing) */}
+            <div className="navbar__public-links" aria-label="Sections">
+              <Link href="/welcome#what-you-get" className="navbar__public-link">Benefits</Link>
+              <Link href="/welcome#how-it-works" className="navbar__public-link">How it works</Link>
+              <Link href="/welcome#partner-apps" className="navbar__public-link">Apps</Link>
+              <Link href="/welcome#faq" className="navbar__public-link">FAQ</Link>
+            </div>
+
+            {/* Right: Sign in (text) + Get started (black) */}
+            <div className="navbar__right">
+              <button
+                onClick={openSignIn}
+                className="navbar__signin-link"
+                type="button"
+              >
+                Sign in
+              </button>
+              <button
+                onClick={openSignIn}
+                className="btn btn--primary btn--sm navbar__cta"
+                type="button"
+              >
+                Get started
+              </button>
+            </div>
+          </>
         )}
       </div>
     </nav>
diff --git a/src/lib/auth/oauth-client.ts b/src/lib/auth/oauth-client.ts
index 274f087b..cc5d748c 100644
--- a/src/lib/auth/oauth-client.ts
+++ b/src/lib/auth/oauth-client.ts
@@ -1,6 +1,10 @@
 import { NodeOAuthClient } from "@atproto/oauth-client-node"
 import { JoseKey } from "@atproto/jwk-jose"
-import type { OAuthClientMetadataInput } from "@atproto/oauth-types"
+import {
+  buildAtprotoLoopbackClientMetadata,
+  type OAuthClientMetadataInput,
+  type OAuthLoopbackRedirectURI,
+} from "@atproto/oauth-types"
 import { RedisStateStore, RedisSessionStore } from "./stores"
 import { PUBLIC_URL_STRICT } from "@/lib/utils/config"
 
@@ -11,48 +15,116 @@ export const PDS_URL =
 
 let clientInstance: NodeOAuthClient | null = null
 
+/**
+ * True when we're running on a developer machine and there is no real
+ * https:// PUBLIC_URL to register as a client_id.
+ *
+ * The atproto OAuth spec only accepts client_ids that are either:
+ *   1. fully-qualified `https://` URLs, or
+ *   2. the literal `http://localhost` loopback origin (no port, no path,
+ *      optional query string carrying redirect_uris and scope).
+ *
+ * IP addresses (`127.0.0.1`, `[::1]`) are not allowed as the client_id
+ * origin — but they ARE the only allowed redirect_uri hosts in loopback
+ * mode. So in dev we use the standard loopback helper to build virtual
+ * metadata that satisfies both rules at once.
+ *
+ * Detected as: NODE_ENV !== "production" AND PUBLIC_URL is missing or
+ * starts with `http://` (i.e. you're not pointing at a real HTTPS host).
+ */
+function isLoopbackDev(): boolean {
+  if (process.env.NODE_ENV === "production") return false
+  const url = process.env.PUBLIC_URL
+  return !url || url.startsWith("http://")
+}
+
+/**
+ * Build the loopback redirect_uri. The host must be `127.0.0.1` (or
+ * `[::1]`) — `localhost` is explicitly NOT allowed by the atproto spec
+ * for redirect_uris, even though it IS the only allowed client_id host.
+ *
+ * The port is taken from PUBLIC_URL when present, else defaults to 3000
+ * (Next.js's default dev port).
+ */
+function loopbackRedirectUri(): OAuthLoopbackRedirectURI {
+  let port = "3000"
+  const url = process.env.PUBLIC_URL
+  if (url) {
+    try {
+      const parsed = new URL(url)
+      if (parsed.port) port = parsed.port
+    } catch {
+      /* keep default */
+    }
+  }
+  return `http://127.0.0.1:${port}/oauth/callback` as OAuthLoopbackRedirectURI
+}
+
+const SCOPE = "atproto transition:generic identity:handle account:email"
+
 export async function getOAuthClient(): Promise<NodeOAuthClient> {
   if (clientInstance) return clientInstance
 
-  const publicUrl = PUBLIC_URL_STRICT
+  let clientMetadata: OAuthClientMetadataInput
+  let keyset: Awaited<ReturnType<typeof JoseKey.fromImportable>>[] | undefined
 
-  if (!publicUrl) {
-    throw new Error("PUBLIC_URL environment variable is required in production")
-  }
+  if (isLoopbackDev()) {
+    // Dev: virtual `http://localhost?...` client_id with a 127.0.0.1
+    // redirect_uri. token_endpoint_auth_method is forced to "none" by the
+    // helper, so any ATPROTO_PRIVATE_KEY is ignored here on purpose.
+    clientMetadata = buildAtprotoLoopbackClientMetadata({
+      scope: SCOPE,
+      redirect_uris: [loopbackRedirectUri()],
+    })
+    keyset = undefined
+  } else {
+    // Production: real client_id pointing at /.well-known/oauth-client-metadata.
+    const publicUrl = PUBLIC_URL_STRICT
+    if (!publicUrl) {
+      throw new Error("PUBLIC_URL environment variable is required in production")
+    }
 
-  const isConfidential = Boolean(process.env.ATPROTO_PRIVATE_KEY)
-
-  const clientMetadata: OAuthClientMetadataInput = {
-    client_id: `${publicUrl}/.well-known/oauth-client-metadata`,
-    client_name: "Certified",
-    client_uri: publicUrl,
-    logo_uri: `${publicUrl}/assets/certified_brandmark_black.png`,
-    redirect_uris: [`${publicUrl}/oauth/callback`],
-    response_types: ["code"],
-    grant_types: ["authorization_code", "refresh_token"],
-    scope: "atproto transition:generic identity:handle account:email",
-    dpop_bound_access_tokens: true,
-    application_type: "web",
-    ...(isConfidential
-      ? {
-          token_endpoint_auth_method: "private_key_jwt",
-          token_endpoint_auth_signing_alg: "ES256",
-          jwks_uri: `${publicUrl}/.well-known/jwks.json`,
-        }
-      : {
-          token_endpoint_auth_method: "none",
-        }),
-  }
+    const isConfidential = Boolean(process.env.ATPROTO_PRIVATE_KEY)
 
-  const keyset = isConfidential
-    ? [await JoseKey.fromImportable(process.env.ATPROTO_PRIVATE_KEY!, "key-1")]
-    : undefined
+    clientMetadata = {
+      client_id: `${publicUrl}/.well-known/oauth-client-metadata`,
+      client_name: "Certified",
+      client_uri: publicUrl,
+      logo_uri: `${publicUrl}/assets/certified_brandmark_black.png`,
+      redirect_uris: [`${publicUrl}/oauth/callback`],
+      response_types: ["code"],
+      grant_types: ["authorization_code", "refresh_token"],
+      scope: SCOPE,
+      dpop_bound_access_tokens: true,
+      application_type: "web",
+      ...(isConfidential
+        ? {
+            token_endpoint_auth_method: "private_key_jwt",
+            token_endpoint_auth_signing_alg: "ES256",
+            jwks_uri: `${publicUrl}/.well-known/jwks.json`,
+          }
+        : {
+            token_endpoint_auth_method: "none",
+          }),
+    }
+
+    keyset = isConfidential
+      ? [await JoseKey.fromImportable(process.env.ATPROTO_PRIVATE_KEY!, "key-1")]
+      : undefined
+  }
 
+  // Note: we intentionally do NOT pass `handleResolver` here. The default
+  // `AtprotoHandleResolverNode` does proper DNS-TXT + HTTP-well-known
+  // resolution and works for any atproto handle (Certified, Bluesky,
+  // custom domain). Passing `handleResolver: PDS_URL` would force the
+  // OAuth client to call certified.one's resolveHandle XRPC for every
+  // input, which fails for handles certified.one doesn't host (e.g.
+  // any *.bsky.social handle). Email-mode logins pass `PDS_URL` directly
+  // to `client.authorize`, so this change doesn't affect them.
   clientInstance = new NodeOAuthClient({
     clientMetadata,
     stateStore: new RedisStateStore(),
     sessionStore: new RedisSessionStore(),
-    handleResolver: PDS_URL,
     ...(keyset ? { keyset } : {}),
   })
 
diff --git a/src/lib/auth/stores.ts b/src/lib/auth/stores.ts
index c567360a..28967f11 100644
--- a/src/lib/auth/stores.ts
+++ b/src/lib/auth/stores.ts
@@ -1,19 +1,74 @@
 import type { NodeSavedState, NodeSavedSession } from "@atproto/oauth-client-node"
 import { Redis } from "@upstash/redis"
 
+/**
+ * Minimal subset of the Upstash Redis client surface this app uses.
+ * Both the real `Redis` instance and the in-memory dev fallback satisfy it.
+ */
+type RedisLike = {
+  set(key: string, value: string, opts?: { ex?: number }): Promise<unknown>
+  get<T>(key: string): Promise<T | null>
+  del(key: string): Promise<unknown>
+}
+
+/**
+ * Process-local in-memory store with TTL semantics that match Upstash's
+ * `set(key, value, { ex })`. Used as a dev fallback so a fresh clone can
+ * sign in locally without provisioning an Upstash database.
+ *
+ * Caveats this is fine with for dev and NOT fine with for production:
+ *   - state is per-process, so it doesn't survive a server restart
+ *   - state isn't shared across Next.js workers / serverless invocations
+ *   - no eviction beyond TTL, but the store is bounded by sign-in volume
+ */
+class InMemoryRedis implements RedisLike {
+  private readonly store = new Map<string, { value: string; expiresAt?: number }>()
+
+  async set(key: string, value: string, opts?: { ex?: number }): Promise<"OK"> {
+    const expiresAt = opts?.ex ? Date.now() + opts.ex * 1000 : undefined
+    this.store.set(key, { value, expiresAt })
+    return "OK"
+  }
+
+  async get<T>(key: string): Promise<T | null> {
+    const entry = this.store.get(key)
+    if (!entry) return null
+    if (entry.expiresAt !== undefined && entry.expiresAt < Date.now()) {
+      this.store.delete(key)
+      return null
+    }
+    // Mirror Upstash's behaviour for `.get<string>(key)`: hand back the
+    // raw stored string. Callers JSON.parse where needed.
+    return entry.value as T
+  }
+
+  async del(key: string): Promise<number> {
+    return this.store.delete(key) ? 1 : 0
+  }
+}
+
 // Lazy singleton — created on first use so the module can be imported
 // without UPSTASH env vars being present at import time.
-let _redis: Redis | null = null
-function getRedis(): Redis {
+let _redis: RedisLike | null = null
+function getRedis(): RedisLike {
   if (!_redis) {
     const url = process.env.UPSTASH_REDIS_REST_URL
     const token = process.env.UPSTASH_REDIS_REST_TOKEN
-    if (!url || !token) {
+    if (url && token) {
+      _redis = new Redis({ url, token })
+    } else if (process.env.NODE_ENV !== "production") {
+      // Dev fallback — in-memory stores so sign-in works without Upstash.
+      console.warn(
+        "[stores] UPSTASH_REDIS_REST_URL/TOKEN not set \u2014 using in-memory store. " +
+          "OAuth state and sessions will be lost on every dev server restart. " +
+          "Set real Upstash creds in .env.local for persistent dev sessions."
+      )
+      _redis = new InMemoryRedis()
+    } else {
       throw new Error(
         "UPSTASH_REDIS_REST_URL and UPSTASH_REDIS_REST_TOKEN environment variables are required"
       )
     }
-    _redis = new Redis({ url, token })
   }
   return _redis
 }
diff --git a/tailwind.config.ts b/tailwind.config.ts
index 28e47f6e..ac15e52b 100644
--- a/tailwind.config.ts
+++ b/tailwind.config.ts
@@ -9,25 +9,63 @@ export default {
   theme: {
     extend: {
       colors: {
-        navy: "#0F2544",
-        accent: "#60A1E2",
-        sky: "#A3CDF2",
-        deep: "#1A3A6B",
+        // Editorial palette (parchment + vermillion)
+        navy: "#141413",        // dark warm ink (was navy)
+        accent: "#c2392c",      // editorial vermillion (was electric blue)
+        sky: "#f7e8e3",         // soft red tint (was light blue)
+        deep: "#2a2622",        // body text
+        cream: "#f6f1e8",       // page surface
+        parchment: "#ece5d8",   // tonal step
+        brand: "#c2392c",
+        "brand-soft": "#f7e8e3",
         gray: {
-          50: "#F7F8FA",
-          100: "#EEF0F4",
-          200: "#E2E5EB",
-          400: "#8A92A0",
-          600: "#525B6A",
-          700: "#3B4251",
+          50: "#fcfaf6",
+          100: "#ece5d8",
+          200: "#e1d8c8",
+          400: "#a8a092",
+          600: "#6a6258",
+          700: "#3b3733",
         },
         success: "#2ECC71",
         warning: "#F5A623",
-        error: "#E74C3C",
+        error: "#c2392c",
       },
       fontFamily: {
-        sans: ["Inter", "system-ui", "-apple-system", "sans-serif"],
-        mono: ["Inter", "system-ui", "-apple-system", "sans-serif"],
+        // atproto.com-aligned: Plex Sans for body, Plex Mono for display.
+        // The CSS variables come from next/font/google in src/app/layout.tsx.
+        sans: [
+          "var(--font-inter)",
+          "IBM Plex Sans",
+          "ui-sans-serif",
+          "system-ui",
+          "sans-serif",
+        ],
+        serif: [
+          // "serif" is retained as an alias for any legacy class that hasn't
+          // been migrated; it now points at the Plex Mono display face.
+          "var(--font-headline)",
+          "IBM Plex Mono",
+          "ui-monospace",
+          "SFMono-Regular",
+          "Menlo",
+          "monospace",
+        ],
+        "serif-italic": [
+          "var(--font-serif-alt)",
+          "IBM Plex Mono",
+          "ui-monospace",
+          "monospace",
+        ],
+        mono: [
+          "var(--font-headline)",
+          "IBM Plex Mono",
+          "ui-monospace",
+          "SFMono-Regular",
+          "Menlo",
+          "Monaco",
+          "Consolas",
+          "monospace",
+        ],
       },
       fontSize: {
         display: [