diff --git a/.env.example b/.env.example
deleted file mode 100644
index f522353..0000000
--- a/.env.example
+++ /dev/null
@@ -1,50 +0,0 @@
-# This is the only local env file BigSet expects.
-# Copy this file to .env and fill in your values.
-
-# TinyFish (required) — web search + dataset population.
-# Generate at https://agent.tinyfish.ai/api-keys?utm_source=github&utm_medium=organic&utm_campaign=bigset-developer-2026q2
-TINYFISH_API_KEY=
-
-# OpenRouter (required) — schema inference + AI agents.
-# Generate at https://openrouter.ai/settings/keys
-OPENROUTER_API_KEY=sk-or-...
-
-# OpenRouter model slugs for each AI task.
-# Defaults (used when no user preference is saved):
-#   SCHEMA_INFERENCE_MODEL:        anthropic/claude-sonnet-4.6  (powerful for schema inference)
-#   POPULATE_ORCHESTRATOR_MODEL:   qwen/qwen3.7-max            (cost-effective orchestrator)
-#   INVESTIGATE_SUBAGENT_MODEL:    qwen/qwen3.7-max            (cost-effective subagent)
-# Find model IDs at https://openrouter.ai/models — any OpenRouter model slug is valid.
-SCHEMA_INFERENCE_MODEL=anthropic/claude-sonnet-4.6
-POPULATE_ORCHESTRATOR_MODEL=qwen/qwen3.7-max
-INVESTIGATE_SUBAGENT_MODEL=qwen/qwen3.7-max
-
-# Clerk (required) — user authentication.
-# Create a free app at https://dashboard.clerk.com
-# Enable the Clerk JWT Templates -> Convex template, then set your issuer URL.
-NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY=pk_test_...
-CLERK_SECRET_KEY=sk_test_...
-CLERK_JWT_ISSUER_DOMAIN=https://your-app.clerk.accounts.dev
-
-# Auto-generated by `make dev` on first run. Do not fill in manually.
-CONVEX_SELF_HOSTED_ADMIN_KEY=
-
-# Local service URLs
-CLIENT_ORIGIN=http://localhost:3500
-CONVEX_URL=http://localhost:3210
-NEXT_PUBLIC_CONVEX_URL=http://127.0.0.1:3210
-CONVEX_SELF_HOSTED_URL=http://127.0.0.1:3210
-NEXT_PUBLIC_BACKEND_URL=http://localhost:3501
-PORT=3501
-
-# Optional — the following keys are not required to run BigSet.
-
-# Resend (optional — transactional emails when a populate workflow finishes).
-# Unset → email module logs and no-ops. Generate at https://resend.com/api-keys
-RESEND_API_KEY=
-EMAIL_FROM="BigSet <simantak@tinyfish.ai>"
-
-# PostHog (optional — leave blank to disable analytics entirely in local dev).
-# Get from https://us.posthog.com/project/settings/general.
-NEXT_PUBLIC_POSTHOG_KEY=
-NEXT_PUBLIC_POSTHOG_HOST=https://us.i.posthog.com
diff --git a/.github/workflows/build-release-artifacts.yml b/.github/workflows/build-release-artifacts.yml
new file mode 100644
index 0000000..53877f9
--- /dev/null
+++ b/.github/workflows/build-release-artifacts.yml
@@ -0,0 +1,101 @@
+---
+name: Build Release Artifacts
+
+on:  # yamllint disable-line rule:truthy
+  workflow_dispatch:
+    inputs:
+      release_tag:
+        description: Existing release tag to upload assets to. Leave empty to only upload workflow artifacts.
+        required: false
+        type: string
+  release:
+    types: [published]
+
+permissions:
+  contents: write
+
+jobs:
+  build:
+    name: Build ${{ matrix.platform }}
+    runs-on: ${{ matrix.runner }}
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - platform: darwin-arm64
+            runner: macos-15
+          - platform: darwin-x64
+            runner: macos-15-intel
+          - platform: linux-arm64
+            runner: ubuntu-24.04-arm
+          - platform: linux-x64
+            runner: ubuntu-24.04
+          - platform: win32-arm64
+            runner: windows-11-arm
+          - platform: win32-x64
+            runner: windows-2025
+
+    env:
+      ARTIFACT_NAME: bigset-build-${{ matrix.platform }}.zip
+      RELEASE_TAG: ${{ github.event.release.tag_name || inputs.release_tag }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+        with:
+          persist-credentials: false
+
+      - name: Setup Node
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
+        with:
+          node-version: "24"
+
+      - name: Install frontend dependencies
+        working-directory: frontend
+        run: npm install --silent
+
+      - name: Install backend dependencies
+        working-directory: backend
+        run: npm install --silent
+
+      - name: Build release
+        run: node scripts/build-release.mjs
+
+      - name: Rename artifact
+        run: node -e "const fs = require('fs'); fs.renameSync('dist/bigset-build.zip', 'dist/' + process.env.ARTIFACT_NAME);"
+
+      - name: Upload workflow artifact
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+        with:
+          name: ${{ matrix.platform }}
+          path: dist/${{ env.ARTIFACT_NAME }}
+          if-no-files-found: error
+
+      - name: Validate release tag
+        if: github.event_name == 'release' || inputs.release_tag != ''
+        shell: bash
+        run: |
+          if [[ -z "$RELEASE_TAG" ]]; then
+            echo "Release tag is required when uploading release assets." >&2
+            exit 1
+          fi
+          if [[ ! "$RELEASE_TAG" =~ ^[A-Za-z0-9][A-Za-z0-9._/@+-]*$ ]]; then
+            echo "Release tag contains unsupported characters." >&2
+            exit 1
+          fi
+
+      - name: Upload release asset
+        if: github.event_name == 'release' || inputs.release_tag != ''
+        shell: bash
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: gh release upload "$RELEASE_TAG" "dist/$ARTIFACT_NAME" --clobber
+
+      - name: Upload legacy release asset
+        if: (github.event_name == 'release' || inputs.release_tag != '') && matrix.platform == 'darwin-arm64'
+        shell: bash
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          node -e "const fs = require('fs'); fs.copyFileSync('dist/' + process.env.ARTIFACT_NAME, 'dist/bigset-build.zip');"
+          gh release upload "$RELEASE_TAG" "dist/bigset-build.zip" --clobber
diff --git a/.gitignore b/.gitignore
index 60e55f6..65cd7ef 100644
--- a/.gitignore
+++ b/.gitignore
@@ -18,6 +18,8 @@ yarn-debug.log*
 
 # Local-only files
 *.bak
+.local/
+dist/
 tmp/
 temp/
 
diff --git a/AGENTS.md b/AGENTS.md
index fae66c0..d821a46 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -8,7 +8,6 @@
 
 ## What not to do
 
-- Do not add Clerk, Auth0, or any third-party auth service. We use Better Auth (self-hosted).
 - Do not add API routes to the frontend. All API logic belongs in the backend.
 - Do not hardcode ports. Read from env vars (`PORT`, `CLIENT_ORIGIN`, `BETTER_AUTH_URL`).
 - Do not commit `.env` files or secrets.
diff --git a/README.md b/README.md
index f63efee..25802f1 100644
--- a/README.md
+++ b/README.md
@@ -67,63 +67,72 @@ Any dataset. Any source. Always fresh. That's the idea.
 
 ## 🚀 Quick Start
 
-**Prerequisites:** [Docker](https://docs.docker.com/get-docker/) and [Make](https://www.gnu.org/software/make/)
+**Prerequisites:** [Node.js](https://nodejs.org/) 22+ with npm.
 
-You'll also need API keys from three services (all free to set up):
+```bash
+npm install --global @adamexu/bigset
+bigset
+```
+
+That's it. The `bigset` command downloads the current local BigSet release,
+starts Convex, the backend, the frontend, and the local credential bridge, then
+prints the app URL. Open [127.0.0.1:3500](http://127.0.0.1:3500) in your web browser to use it.
+
+The first run caches release files under `~/.bigset`; after that, starting
+BigSet is designed to take only a few seconds.
+
+On first launch, BigSet sends you to setup. You'll connect two services:
 
 | Service | What it's for | Get your key |
 |---------|--------------|-------------|
 | **TinyFish** | Web search + page fetching | [tinyfish.ai/api-keys](https://agent.tinyfish.ai/api-keys?utm_source=github&utm_medium=organic&utm_campaign=bigset-developer-2026q2) |
 | **OpenRouter** | LLM calls (schema inference + agents) | [openrouter.ai/settings/keys](https://openrouter.ai/settings/keys) |
-| **Clerk** | User authentication | [dashboard.clerk.com](https://dashboard.clerk.com) |
 
-### Step 1: Clone the repo
+Local API keys are stored in your OS keychain.
+
+For a one-off run without installing globally:
 
 ```bash
-git clone https://github.com/tinyfish-io/bigset.git
-cd bigset
-cp .env.example .env
+npx @adamexu/bigset
 ```
 
-### Step 2: Set up TinyFish (web access)
+Useful local options:
 
-TinyFish powers all web search and page fetching. Search and Fetch have generous rate limits.
-
-1. Go to [tinyfish.ai](https://www.tinyfish.ai?utm_source=github&utm_medium=organic&utm_campaign=bigset-developer-2026q2) and create an account
-2. Go to [API Keys](https://agent.tinyfish.ai/api-keys?utm_source=github&utm_medium=organic&utm_campaign=bigset-developer-2026q2) and create a key
-3. Paste it as `TINYFISH_API_KEY` in `.env`
+| Command | What it does |
+|---------|-------------|
+| `bigset --force` | Redownload the latest cached release |
+| `bigset --app-port 4500 --backend-port 4501` | Use alternate app/backend ports |
+| `bigset --home ~/.bigset-dev` | Use a separate local cache directory |
 
-### Step 3: Set up OpenRouter (LLM)
+---
 
-OpenRouter routes LLM calls to Claude Sonnet (schema inference) and Qwen (agents). It's pay-as-you-go; a dataset costs a few dollars in LLM usage.
+## Developing From Source
 
-1. Go to [openrouter.ai](https://openrouter.ai) and create an account
-2. Go to [Settings → Keys](https://openrouter.ai/settings/keys) and create an API key
-3. Paste it as `OPENROUTER_API_KEY` in `.env`
-4. Add some credits; $5-10 is plenty to start
+Use this path when you're changing BigSet itself. The supported development
+workflow is still `make dev`.
 
-### Step 4: Set up Clerk (auth)
+**Prerequisites:** [Node.js](https://nodejs.org/) 22+ with npm,
+[Docker](https://docs.docker.com/get-docker/), and
+[Make](https://www.gnu.org/software/make/).
 
-Clerk handles user sign-in. The setup takes ~2 minutes:
+### Step 1: Clone the repo
 
-1. Go to [dashboard.clerk.com](https://dashboard.clerk.com) and create a new application
-2. Pick a sign-in method (email, Google, GitHub, whatever you prefer)
-3. Once created, go to **Configure → API Keys** in the sidebar
-   - Copy **Publishable Key** → paste as `NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY` in `.env`
-   - Copy **Secret Key** → paste as `CLERK_SECRET_KEY` in `.env`
-4. Go to **Configure → JWT Templates** in the sidebar
-   - Click **New template** → select the **Convex** template → click **Save**
-5. Go to **Configure → Settings** (or **Domains**)
-   - Find your **Issuer URL** (looks like `https://your-app-name.clerk.accounts.dev`)
-   - Paste it as `CLERK_JWT_ISSUER_DOMAIN` in `.env`
+```bash
+git clone https://github.com/tinyfish-io/bigset.git
+cd bigset
+```
 
-### Step 5: Start everything
+### Step 2: Start everything
 
 ```bash
 make dev
 ```
 
-This installs dependencies, builds and starts all Docker services (Postgres, Convex, frontend, backend, Mastra), and deploys the Convex schema. On first run, it automatically generates the Convex admin key — no manual steps needed. See [How `make dev` Works](#how-make-dev-works) for the full breakdown.
+`make dev` creates a local `.env` if needed, installs dependencies, builds and
+starts all Docker services (Postgres, Convex, frontend, backend, Mastra), and
+deploys the Convex schema. On first run, it automatically generates the Convex
+admin key. See [How `make dev` Works](#how-make-dev-works) for the full
+breakdown.
 
 Once everything is ready, you'll see:
 
@@ -133,13 +142,26 @@ Once everything is ready, you'll see:
 | **Convex dashboard** | [localhost:6791](http://localhost:6791) |
 | **Mastra Studio** (workflow inspector) | [localhost:4111](http://localhost:4111) |
 
-Open [localhost:3500](http://localhost:3500) and click **Get started** to sign in.
+Open [localhost:3500](http://localhost:3500). The setup screen will ask for
+TinyFish and OpenRouter credentials and save them to your OS keychain for this
+workspace.
+
+### Step 3: Connect TinyFish and OpenRouter
+
+TinyFish powers web search and page fetching. OpenRouter routes LLM calls to
+the models BigSet uses for schema inference and agents.
+
+1. Create a TinyFish key at [agent.tinyfish.ai/api-keys](https://agent.tinyfish.ai/api-keys?utm_source=github&utm_medium=organic&utm_campaign=bigset-developer-2026q2)
+2. Create an OpenRouter key at [openrouter.ai/settings/keys](https://openrouter.ai/settings/keys)
+3. Paste both into BigSet's setup screen
+
+OpenRouter is pay-as-you-go; $5-10 is plenty to start.
 
 > **Note:** root `.env` is the only local env file. If you edit Convex functions in `frontend/convex/`, run `make convex-push` to deploy the changes.
 
-> **Free tier:** each signed-in account gets **2,500 row operations per calendar month** (resets on the 1st, UTC). The header shows a live usage badge; system-owned curated datasets bypass the quota.
+> **Free tier:** cloud signed-in accounts get **2,500 row operations per calendar month** (resets on the 1st, UTC). Local mode bypasses the cloud quota and uses your TinyFish/OpenRouter accounts directly.
 
-### Step 6 (optional): Load curated datasets
+### Step 4 (optional): Load curated datasets
 
 BigSet includes 9 curated public datasets (AI companies hiring, GPU prices, model pricing, etc.) that show on the landing page:
 
@@ -155,15 +177,16 @@ This is idempotent; safe to run multiple times.
 
 `make dev` is designed to handle everything — first run, subsequent runs, and recovery from bad state. You should never need to run any other setup command. Here's what it does, in order:
 
-1. **Validates your `.env`** — checks that all required API keys are set (Clerk, OpenRouter, TinyFish). Stops with a clear error if anything is missing.
+1. **Validates your `.env`** — creates local keychain bridge settings automatically.
 2. **Installs dependencies** — runs `npm install` in both `frontend/` and `backend/`. Silent if already up to date.
-3. **Starts the database layer** — brings up Postgres and Convex (self-hosted) first, since other services depend on them.
-4. **Waits for Convex** — polls the Convex health endpoint until it's ready (up to 120s).
-5. **Ensures the admin key** — if `CONVEX_SELF_HOSTED_ADMIN_KEY` is empty in `.env`, generates one automatically and writes it. If a key exists, validates it against the running Convex instance. If the key is stale (e.g. you ran `make clean` and wiped the database), it detects the mismatch and regenerates.
-6. **Pushes Convex config** — sets the Clerk JWT issuer URL in Convex so auth tokens are validated correctly.
-7. **Deploys Convex schema** — pushes the table schema and functions from `frontend/convex/` to the running instance.
-8. **Starts remaining services** — brings up the frontend, backend, and Mastra. These read the now-populated `.env` including the admin key.
-9. **Streams logs** — tails all container logs so you can see what's happening. `Ctrl+C` to stop watching (containers keep running).
+3. **Starts the local keychain bridge** — runs a host-side helper so Docker services can read/write this workspace's OS keychain entries.
+4. **Starts the database layer** — brings up Postgres and Convex (self-hosted) first, since other services depend on them.
+5. **Waits for Convex** — polls the Convex health endpoint until it's ready (up to 120s).
+6. **Ensures the admin key** — if `CONVEX_SELF_HOSTED_ADMIN_KEY` is empty in `.env`, generates one automatically and writes it. If a key exists, validates it against the running Convex instance. If the key is stale (e.g. you ran `make clean` and wiped the database), it detects the mismatch and regenerates.
+7. **Configures Convex auth** — sets `BIGSET_LOCAL_MODE=1` for the local app.
+8. **Deploys Convex schema** — pushes the table schema and functions from `frontend/convex/` to the running instance.
+9. **Starts remaining services** — brings up the frontend, backend, and Mastra. These read the now-populated `.env` including the admin key.
+10. **Streams logs** — tails all container logs so you can see what's happening. `Ctrl+C` to stop watching (containers keep running).
 
 ### Commands
 
@@ -188,8 +211,7 @@ Other commands you might use during development:
 
 | Problem | What happens |
 |---------|-------------|
-| Missing `.env` | Error: "Run: cp .env.example .env" |
-| Missing API key | Error tells you exactly which key to set |
+| Missing `.env` | `make dev` creates a local one automatically |
 | Stale admin key (after `make clean`) | Detected automatically, regenerated |
 | Containers already running | No-op for running services, starts any that are missing |
 | Convex won't start | Error after 120s timeout — check Docker is running |
@@ -202,12 +224,10 @@ If you want a completely fresh start: `make clean` then `make dev`.
 
 | Variable | Required | Where to get it |
 |----------|----------|----------------|
-| `TINYFISH_API_KEY` | ✅ | [tinyfish.ai](https://agent.tinyfish.ai/api-keys?utm_source=github&utm_medium=organic&utm_campaign=bigset-developer-2026q2) → API Keys |
-| `OPENROUTER_API_KEY` | ✅ | openrouter.ai → Settings → Keys |
-| `NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY` | ✅ | Clerk dashboard → API Keys |
-| `CLERK_SECRET_KEY` | ✅ | Clerk dashboard → API Keys |
-| `CLERK_JWT_ISSUER_DOMAIN` | ✅ | Clerk dashboard → Settings/Domains |
+| `TINYFISH_API_KEY` | Optional | Usually entered in setup and stored in your OS keychain |
+| `OPENROUTER_API_KEY` | Optional | Usually entered in setup and stored in your OS keychain |
 | `CONVEX_SELF_HOSTED_ADMIN_KEY` | Auto | Auto-generated by `make dev` on first run |
+| `LOCAL_KEYCHAIN_PORT`, `LOCAL_KEYCHAIN_TOKEN`, `BIGSET_LOCAL_WORKSPACE_ID` | Auto | Auto-generated by `make dev` for local OS keychain access |
 | `RESEND_API_KEY` | Optional | For "dataset ready" emails. Leave blank to skip. |
 | `NEXT_PUBLIC_POSTHOG_KEY` | Optional | For product analytics. Leave blank to disable. |
 
@@ -219,7 +239,7 @@ If you want a completely fresh start: `make clean` then `make dev`.
 |-------|------|
 | Frontend | Next.js 16, React 19, Tailwind 4 |
 | Backend | Fastify, TypeScript (agent runner) |
-| Auth | [Clerk](https://clerk.com) |
+| Auth | Local auth |
 | Database | [Convex](https://convex.dev) (self-hosted) |
 | Data Collection | [TinyFish](https://www.tinyfish.ai?utm_source=github&utm_medium=organic&utm_campaign=bigset-developer-2026q2) APIs (Search, Fetch, Browser) |
 | AI orchestration | [Mastra](https://mastra.ai) workflows + [Vercel AI SDK](https://sdk.vercel.ai) + [OpenRouter](https://openrouter.ai) → Claude Sonnet (schema inference + populate agent) |
diff --git a/backend/package-lock.json b/backend/package-lock.json
index a95de5a..e231b48 100644
--- a/backend/package-lock.json
+++ b/backend/package-lock.json
@@ -11,6 +11,7 @@
         "@clerk/backend": "^3.4.11",
         "@fastify/cors": "^11.0.0",
         "@mastra/core": "^1.36.0",
+        "@napi-rs/keyring": "^1.3.0",
         "@openrouter/ai-sdk-provider": "^2.9.0",
         "ai": "^6.0.0",
         "convex": "^1.39.1",
@@ -1802,6 +1803,240 @@
         }
       }
     },
+    "node_modules/@napi-rs/keyring": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/@napi-rs/keyring/-/keyring-1.3.0.tgz",
+      "integrity": "sha512-WrOw/bcXm0f9qHkumlT1QlArXSTWqaY9sunsDpOk+yCCorCKMxvWT/a3xko4EYHVdeZoh00yI2TydXn6eyICDA==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 10"
+      },
+      "funding": {
+        "type": "github",
+        "url": "https://github.com/sponsors/Brooooooklyn"
+      },
+      "optionalDependencies": {
+        "@napi-rs/keyring-darwin-arm64": "1.3.0",
+        "@napi-rs/keyring-darwin-x64": "1.3.0",
+        "@napi-rs/keyring-freebsd-x64": "1.3.0",
+        "@napi-rs/keyring-linux-arm-gnueabihf": "1.3.0",
+        "@napi-rs/keyring-linux-arm64-gnu": "1.3.0",
+        "@napi-rs/keyring-linux-arm64-musl": "1.3.0",
+        "@napi-rs/keyring-linux-riscv64-gnu": "1.3.0",
+        "@napi-rs/keyring-linux-x64-gnu": "1.3.0",
+        "@napi-rs/keyring-linux-x64-musl": "1.3.0",
+        "@napi-rs/keyring-win32-arm64-msvc": "1.3.0",
+        "@napi-rs/keyring-win32-ia32-msvc": "1.3.0",
+        "@napi-rs/keyring-win32-x64-msvc": "1.3.0"
+      }
+    },
+    "node_modules/@napi-rs/keyring-darwin-arm64": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/@napi-rs/keyring-darwin-arm64/-/keyring-darwin-arm64-1.3.0.tgz",
+      "integrity": "sha512-pl76hJvdYUBn6I24bXiOBMA9nbDapo3I5B+f3OorjDU4dUMSypXeKbOVehJe8fhgTiH24flMyTS3aAIy43xegQ==",
+      "cpu": [
+        "arm64"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": ">= 10"
+      }
+    },
+    "node_modules/@napi-rs/keyring-darwin-x64": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/@napi-rs/keyring-darwin-x64/-/keyring-darwin-x64-1.3.0.tgz",
+      "integrity": "sha512-YcJtEV5LA3cvA4z3BurgxH5IhTsW1JfIvcAAcqcecwk06Si9F9NqkxbZVIfDwQ8oRHgaBmT3zZJnLAotCrVahw==",
+      "cpu": [
+        "x64"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": ">= 10"
+      }
+    },
+    "node_modules/@napi-rs/keyring-freebsd-x64": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/@napi-rs/keyring-freebsd-x64/-/keyring-freebsd-x64-1.3.0.tgz",
+      "integrity": "sha512-vlLf31TGhfRAaxLDBhg8b89ss0HHD/lyNmL5F3UjSaz5CUXElsJmKYq9fqA/B+cZKUEUcLHHGhF0I/CqcFdaVw==",
+      "cpu": [
+        "x64"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "freebsd"
+      ],
+      "engines": {
+        "node": ">= 10"
+      }
+    },
+    "node_modules/@napi-rs/keyring-linux-arm-gnueabihf": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/@napi-rs/keyring-linux-arm-gnueabihf/-/keyring-linux-arm-gnueabihf-1.3.0.tgz",
+      "integrity": "sha512-KiWdMMu/Inz/bHHIAGrnF7r54FZDYXuHO6UFF/rhIrshUsxbMG1Rl9lEymNtqqsVo927G0VYcb02FzWQ3iBQRQ==",
+      "cpu": [
+        "arm"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">= 10"
+      }
+    },
+    "node_modules/@napi-rs/keyring-linux-arm64-gnu": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/@napi-rs/keyring-linux-arm64-gnu/-/keyring-linux-arm64-gnu-1.3.0.tgz",
+      "integrity": "sha512-eyKGpY40lm9Jvs1aD294XRH4y7+TlJM0YVAryZeXA6TX0mb4gMkxVXwSQv7MCwgah7raeUd0dKUb4BPAYIgcMg==",
+      "cpu": [
+        "arm64"
+      ],
+      "libc": [
+        "glibc"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">= 10"
+      }
+    },
+    "node_modules/@napi-rs/keyring-linux-arm64-musl": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/@napi-rs/keyring-linux-arm64-musl/-/keyring-linux-arm64-musl-1.3.0.tgz",
+      "integrity": "sha512-iIK6JWHXAJqDrEyLY3TmswwloVyt2vj+04TZnew+uSJ9gnDO8EwRbp3/iw3LpWaXiDO7VomGO6y8I0Id8uBZSw==",
+      "cpu": [
+        "arm64"
+      ],
+      "libc": [
+        "musl"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">= 10"
+      }
+    },
+    "node_modules/@napi-rs/keyring-linux-riscv64-gnu": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/@napi-rs/keyring-linux-riscv64-gnu/-/keyring-linux-riscv64-gnu-1.3.0.tgz",
+      "integrity": "sha512-/PGqrwn6EwgtK6vccASSXJRfOSP4vN1F4ASsIQ+7MdrK6hNvAJ1FZPrIuD5gGGdxezo3F++To2Wq7DbuGIeuNQ==",
+      "cpu": [
+        "riscv64"
+      ],
+      "libc": [
+        "glibc"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">= 10"
+      }
+    },
+    "node_modules/@napi-rs/keyring-linux-x64-gnu": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/@napi-rs/keyring-linux-x64-gnu/-/keyring-linux-x64-gnu-1.3.0.tgz",
+      "integrity": "sha512-2PDK1WKWTu9lBGq9VvNEkSlQD3O7YwVpmnyN2M3cy4v7NJ/8gDMd9GXv3G+FVXN13uhp4gnnPBS+ScefmEeD2A==",
+      "cpu": [
+        "x64"
+      ],
+      "libc": [
+        "glibc"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">= 10"
+      }
+    },
+    "node_modules/@napi-rs/keyring-linux-x64-musl": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/@napi-rs/keyring-linux-x64-musl/-/keyring-linux-x64-musl-1.3.0.tgz",
+      "integrity": "sha512-oJ2HkX8YUo46QBkn0pG+HuIKQNqr523q6vBobCn+P95s4C4K6/kLBqHY/1bg5J4ap31DzsznhnFKcfBNBsjCnw==",
+      "cpu": [
+        "x64"
+      ],
+      "libc": [
+        "musl"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">= 10"
+      }
+    },
+    "node_modules/@napi-rs/keyring-win32-arm64-msvc": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/@napi-rs/keyring-win32-arm64-msvc/-/keyring-win32-arm64-msvc-1.3.0.tgz",
+      "integrity": "sha512-tOd3c/uAaeoE4ycVlmAdSvygz0Zt3zdca6Y7gokBeIbaRDWpjDIUOpU3MvML59XAaqyuKGsVVu0F/DZb1lHPmw==",
+      "cpu": [
+        "arm64"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": ">= 10"
+      }
+    },
+    "node_modules/@napi-rs/keyring-win32-ia32-msvc": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/@napi-rs/keyring-win32-ia32-msvc/-/keyring-win32-ia32-msvc-1.3.0.tgz",
+      "integrity": "sha512-sPSqeAFZMGqP1R++M2JTza7GQJJ/TpCo6JU6Vcd4jnebvOaEDs9b7eipakU1PJdSvhpC2yXMCNRk9gXfrhuwHQ==",
+      "cpu": [
+        "ia32"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": ">= 10"
+      }
+    },
+    "node_modules/@napi-rs/keyring-win32-x64-msvc": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/@napi-rs/keyring-win32-x64-msvc/-/keyring-win32-x64-msvc-1.3.0.tgz",
+      "integrity": "sha512-4DnCWXwDc0HRKwyRlG5y0VhKZW2tNRQfKKfyj6IX/KWfDNyq9hn4n+GL1auyDcOO/v8PwnhmYo2+rOOqCkvvOg==",
+      "cpu": [
+        "x64"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": ">= 10"
+      }
+    },
     "node_modules/@nodelib/fs.scandir": {
       "version": "2.1.5",
       "resolved": "https://registry.npmjs.org/@nodelib/fs.scandir/-/fs.scandir-2.1.5.tgz",
diff --git a/backend/package.json b/backend/package.json
index 433c853..11df78b 100644
--- a/backend/package.json
+++ b/backend/package.json
@@ -13,6 +13,7 @@
     "@clerk/backend": "^3.4.11",
     "@fastify/cors": "^11.0.0",
     "@mastra/core": "^1.36.0",
+    "@napi-rs/keyring": "^1.3.0",
     "@openrouter/ai-sdk-provider": "^2.9.0",
     "ai": "^6.0.0",
     "convex": "^1.39.1",
diff --git a/backend/src/clerk-auth.ts b/backend/src/clerk-auth.ts
index 0a046ae..de28dca 100644
--- a/backend/src/clerk-auth.ts
+++ b/backend/src/clerk-auth.ts
@@ -8,6 +8,7 @@ import fp from "fastify-plugin";
 import { createClerkClient, type ClerkClient } from "@clerk/backend";
 
 import { env } from "./env.js";
+import { LOCAL_USER_ID } from "./local-credentials.js";
 
 /**
  * Clerk JWT verification for the Fastify backend.
@@ -41,7 +42,7 @@ declare module "fastify" {
 }
 
 const clerkPlugin: FastifyPluginAsync = async (fastify: FastifyInstance) => {
-  if (!env.CLERK_SECRET_KEY) {
+  if (env.IS_PROD && !env.CLERK_SECRET_KEY) {
     fastify.log.warn(
       "CLERK_SECRET_KEY not set — protected routes will reject all requests. " +
         "Set it before adding routes that require auth.",
@@ -66,6 +67,7 @@ export async function getUserEmail(
   clerk: ClerkClient,
   userId: string,
 ): Promise<string | null> {
+  if (env.IS_LOCAL_MODE) return null;
   try {
     const user = await clerk.users.getUser(userId);
     return user.primaryEmailAddress?.emailAddress ?? null;
@@ -87,6 +89,11 @@ export async function requireAuth(
   req: FastifyRequest,
   reply: FastifyReply,
 ): Promise<void> {
+  if (env.IS_LOCAL_MODE) {
+    req.auth = { userId: LOCAL_USER_ID };
+    return;
+  }
+
   if (!env.CLERK_SECRET_KEY) {
     req.log.error("CLERK_SECRET_KEY is not set; cannot verify request");
     await reply.code(500).send({ error: "Auth not configured" });
diff --git a/backend/src/config/models.ts b/backend/src/config/models.ts
index f63b419..1d28cbf 100644
--- a/backend/src/config/models.ts
+++ b/backend/src/config/models.ts
@@ -6,6 +6,7 @@
 
 import { api, internal, convex } from "../convex.js";
 import { env } from "../env.js";
+import { requireOpenRouterApiKey } from "../local-credentials.js";
 
 export interface OpenRouterModel {
   modelName: string;
@@ -130,20 +131,19 @@ export async function getModelConfig(
  * for Convex storage.
  */
 export async function fetchModelsFromOpenRouter(): Promise<OpenRouterModel[]> {
-  const apiKey = env.OPENROUTER_API_KEY;
-  if (!apiKey) {
-    throw new Error("OPENROUTER_API_KEY is not set");
-  }
+  const apiKey = await requireOpenRouterApiKey();
+
+  const baseUrl = (process.env.OPENROUTER_BASE_URL || "https://openrouter.ai/api/v1").replace(/\/+$/, "");
+  const url = new URL(`${baseUrl}/models`);
+  url.searchParams.set("output_modalities", "text");
+  url.searchParams.set("supported_parameters", "tools");
 
   // Only text-based models that support tools
-  const response = await fetch(
-    "https://openrouter.ai/api/v1/models?output_modalities=text&supported_parameters=tools",
-    {
-      headers: {
-        Authorization: `Bearer ${apiKey}`,
-      },
-    }
-  );
+  const response = await fetch(url, {
+    headers: {
+      Authorization: `Bearer ${apiKey}`,
+    },
+  });
 
   if (!response.ok) {
     throw new Error(`OpenRouter API failed: ${response.status} ${response.statusText}`);
@@ -152,8 +152,8 @@ export async function fetchModelsFromOpenRouter(): Promise<OpenRouterModel[]> {
   const json = (await response.json()) as {
     data: Array<{
       id: string;
-      name: string;
-      context_length: number;
+      name?: string;
+      context_length?: number;
       pricing?: { completion?: string; prompt?: string };
     }>;
   };
@@ -163,7 +163,7 @@ export async function fetchModelsFromOpenRouter(): Promise<OpenRouterModel[]> {
   const models = json.data
     .filter((m) => !EXCLUDED_MODEL_SLUGS.includes(m.id))
     .map((model) => ({
-      modelName: model.name,
+      modelName: model.name ?? model.id,
       canonicalSlug: model.id,
       contextLength: model.context_length ?? 0,
       promptCost: parseFloat(model.pricing?.prompt ?? "0") * 1_000_000,
@@ -171,4 +171,4 @@ export async function fetchModelsFromOpenRouter(): Promise<OpenRouterModel[]> {
     }));
 
   return models;
-}
\ No newline at end of file
+}
diff --git a/backend/src/env.ts b/backend/src/env.ts
index f1fbf17..97c410f 100644
--- a/backend/src/env.ts
+++ b/backend/src/env.ts
@@ -19,6 +19,9 @@ function numberFromEnv(name: string, fallback: number): number {
 }
 
 export const env = {
+  PROD: process.env.PROD,
+  IS_PROD: process.env.PROD === "1",
+  IS_LOCAL_MODE: process.env.PROD !== "1",
   CLIENT_ORIGIN: process.env.CLIENT_ORIGIN || "http://localhost:3500",
   CONVEX_URL: required("CONVEX_URL"),
   PORT: numberFromEnv("PORT", 3501),
@@ -36,6 +39,10 @@ export const env = {
     process.env.NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY,
 
   OPENROUTER_API_KEY: process.env.OPENROUTER_API_KEY,
+  BIGSET_LOCAL_WORKSPACE_ID: required("BIGSET_LOCAL_WORKSPACE_ID"),
+  LOCAL_KEYCHAIN_URL: process.env.LOCAL_KEYCHAIN_URL,
+  LOCAL_KEYCHAIN_TOKEN: process.env.LOCAL_KEYCHAIN_TOKEN,
+  LOCAL_KEYCHAIN_TIMEOUT_MS: numberFromEnv("LOCAL_KEYCHAIN_TIMEOUT_MS", 5_000),
 
   // Default models — used when a user has not saved a preference.
   // Each must be a valid OpenRouter model slug.
diff --git a/backend/src/fetch-timeout.ts b/backend/src/fetch-timeout.ts
new file mode 100644
index 0000000..ebd4816
--- /dev/null
+++ b/backend/src/fetch-timeout.ts
@@ -0,0 +1 @@
+export const FETCH_TIMEOUT_MS = 30_000;
diff --git a/backend/src/index.ts b/backend/src/index.ts
index 26c72ac..cb57cd1 100644
--- a/backend/src/index.ts
+++ b/backend/src/index.ts
@@ -1,4 +1,4 @@
-import Fastify, { type FastifyBaseLogger } from "fastify";
+import Fastify, { type FastifyBaseLogger, type FastifyReply } from "fastify";
 import fastifyCors from "@fastify/cors";
 import type { ClerkClient } from "@clerk/backend";
 
@@ -14,6 +14,15 @@ import { datasetReadyTemplate } from "./email/templates/dataset-ready.js";
 import { capture, shutdown as shutdownAnalytics } from "./analytics/posthog.js";
 import { EVENTS } from "./analytics/events.js";
 import { registerDataset, deregisterDataset, abortDataset } from "./abort-registry.js";
+import {
+  clearLegacyPlaintextLocalCredentials,
+  exchangeOpenRouterOAuthCode,
+  getLocalSetupStatus,
+  requireLocalSetupComplete,
+  saveLocalCredential,
+  verifyOpenRouterApiKey,
+  verifyTinyFishApiKey,
+} from "./local-credentials.js";
 
 /** Domain part of an email, for analytics (we never log full addresses). */
 function emailDomain(email: string): string {
@@ -84,6 +93,8 @@ async function sendDatasetReadyNotification({
   rowCount: number;
   workflowType?: "populate" | "update";
 }): Promise<void> {
+  if (env.IS_LOCAL_MODE) return;
+
   const baseProps = {
     datasetId,
     datasetName,
@@ -142,6 +153,18 @@ async function sendDatasetReadyNotification({
   }
 }
 
+async function ensureLocalSetupReady(reply: FastifyReply): Promise<boolean> {
+  try {
+    await requireLocalSetupComplete();
+    return true;
+  } catch {
+    await reply.code(428).send({
+      error: "Local setup is incomplete. Connect TinyFish and OpenRouter first.",
+    });
+    return false;
+  }
+}
+
 /**
  * Shared stop-success path: set the dataset live, send the ready email.
  *
@@ -523,6 +546,11 @@ function startLocalRefreshScheduler(
     ticking = true;
 
     try {
+      if (env.IS_LOCAL_MODE) {
+        const setup = await getLocalSetupStatus();
+        if (!setup.complete) return;
+      }
+
       const now = Date.now();
       const dueDatasets = await convex.query(
         internal.datasets.listDueForRefreshInternal,
@@ -601,8 +629,28 @@ function startLocalRefreshScheduler(
 
 const fastify = Fastify({ logger: true });
 
+const allowedCorsOrigins = new Set([env.CLIENT_ORIGIN]);
+if (env.IS_LOCAL_MODE) {
+  try {
+    const clientOrigin = new URL(env.CLIENT_ORIGIN);
+    if (
+      clientOrigin.hostname === "localhost" ||
+      clientOrigin.hostname === "127.0.0.1"
+    ) {
+      allowedCorsOrigins.add(
+        `${clientOrigin.protocol}//localhost${clientOrigin.port ? `:${clientOrigin.port}` : ""}`,
+      );
+      allowedCorsOrigins.add(
+        `${clientOrigin.protocol}//127.0.0.1${clientOrigin.port ? `:${clientOrigin.port}` : ""}`,
+      );
+    }
+  } catch {
+    // Keep the configured origin only if CLIENT_ORIGIN is not URL-shaped.
+  }
+}
+
 await fastify.register(fastifyCors, {
-  origin: env.CLIENT_ORIGIN,
+  origin: Array.from(allowedCorsOrigins),
   methods: ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
   allowedHeaders: ["Content-Type", "Authorization", "Cookie"],
   credentials: true,
@@ -614,6 +662,10 @@ await fastify.register(fastifyCors, {
 // protected routes — see the example block below.
 await fastify.register(clerkAuthPlugin);
 
+await clearLegacyPlaintextLocalCredentials().catch((err) => {
+  fastify.log.warn({ err }, "Failed to clear legacy local credential plaintext");
+});
+
 await backfillDatasetRefreshSettings(fastify.log);
 const refreshScheduler = startLocalRefreshScheduler(fastify.log);
 
@@ -630,6 +682,81 @@ fastify.addHook("onClose", async () => {
 
 fastify.get("/health", async () => ({ status: "ok" }));
 
+fastify.get("/local-setup/status", async (_req, reply) => {
+  if (!env.IS_LOCAL_MODE) {
+    return reply.code(404).send({ error: "Not found" });
+  }
+  return await getLocalSetupStatus();
+});
+
+fastify.post("/local-setup/tinyfish", async (req, reply) => {
+  if (!env.IS_LOCAL_MODE) {
+    return reply.code(404).send({ error: "Not found" });
+  }
+
+  const body = req.body as { apiKey?: string };
+  const apiKey = body?.apiKey?.trim();
+  if (!apiKey) {
+    return reply.code(400).send({ error: "TinyFish API key is required" });
+  }
+
+  try {
+    await verifyTinyFishApiKey(apiKey);
+    await saveLocalCredential("tinyfish", apiKey, "api_key");
+    return await getLocalSetupStatus();
+  } catch (err) {
+    const message = err instanceof Error ? err.message : "TinyFish verification failed";
+    req.log.warn({ err }, "TinyFish local setup verification failed");
+    return reply.code(400).send({ error: message });
+  }
+});
+
+fastify.post("/local-setup/openrouter-key", async (req, reply) => {
+  if (!env.IS_LOCAL_MODE) {
+    return reply.code(404).send({ error: "Not found" });
+  }
+
+  const body = req.body as { apiKey?: string };
+  const apiKey = body?.apiKey?.trim();
+  if (!apiKey) {
+    return reply.code(400).send({ error: "OpenRouter API key is required" });
+  }
+
+  try {
+    await verifyOpenRouterApiKey(apiKey);
+    await saveLocalCredential("openrouter", apiKey, "api_key");
+    return await getLocalSetupStatus();
+  } catch (err) {
+    const message = err instanceof Error ? err.message : "OpenRouter verification failed";
+    req.log.warn({ err }, "OpenRouter local setup verification failed");
+    return reply.code(400).send({ error: message });
+  }
+});
+
+fastify.post("/local-setup/openrouter-oauth", async (req, reply) => {
+  if (!env.IS_LOCAL_MODE) {
+    return reply.code(404).send({ error: "Not found" });
+  }
+
+  const body = req.body as { code?: string; codeVerifier?: string };
+  const code = body?.code?.trim();
+  const codeVerifier = body?.codeVerifier?.trim();
+  if (!code || !codeVerifier) {
+    return reply.code(400).send({ error: "OpenRouter OAuth code is required" });
+  }
+
+  try {
+    const apiKey = await exchangeOpenRouterOAuthCode({ code, codeVerifier });
+    await verifyOpenRouterApiKey(apiKey);
+    await saveLocalCredential("openrouter", apiKey, "oauth");
+    return await getLocalSetupStatus();
+  } catch (err) {
+    const message = err instanceof Error ? err.message : "OpenRouter OAuth failed";
+    req.log.warn({ err }, "OpenRouter OAuth setup failed");
+    return reply.code(400).send({ error: message });
+  }
+});
+
 
 fastify.post("/openrouter/refresh", { preHandler: requireAuth }, async (req, reply) => {
   const { fetchModelsFromOpenRouter, upsertModelBatch } = await import("./config/models.js");
@@ -715,6 +842,7 @@ await fastify.register(async (instance) => {
     if (!body?.prompt || typeof body.prompt !== "string" || !body.prompt.trim()) {
       return reply.code(400).send({ error: "prompt is required" });
     }
+    if (!(await ensureLocalSetupReady(reply))) return;
 
     try {
       const auth = req.auth;
@@ -744,6 +872,7 @@ await fastify.register(async (instance) => {
         details: parsed.error.flatten().fieldErrors,
       });
     }
+    if (!(await ensureLocalSetupReady(reply))) return;
 
     try {
       const auth = req.auth;
@@ -826,6 +955,7 @@ await fastify.register(async (instance) => {
         details: parsed.error.flatten().fieldErrors,
       });
     }
+    if (!(await ensureLocalSetupReady(reply))) return;
 
     try {
       const auth = req.auth;
diff --git a/backend/src/keychain-server.ts b/backend/src/keychain-server.ts
new file mode 100644
index 0000000..fc10630
--- /dev/null
+++ b/backend/src/keychain-server.ts
@@ -0,0 +1,174 @@
+import { createServer, type IncomingMessage, type ServerResponse } from "node:http";
+import { randomUUID } from "node:crypto";
+import { existsSync } from "node:fs";
+import { resolve } from "node:path";
+import { config as loadDotenv } from "dotenv";
+import { Entry } from "@napi-rs/keyring";
+
+import {
+  isLocalCredentialService,
+  localKeychainAccount,
+} from "./local-credential-types.js";
+
+const rootEnvPath = resolve(process.cwd(), "../.env");
+if (existsSync(rootEnvPath)) {
+  loadDotenv({ path: rootEnvPath });
+}
+
+const KEYCHAIN_SERVICE = "ai.bigset.local-credentials";
+const MAX_BODY_BYTES = 64 * 1024;
+
+function requiredEnv(name: string): string {
+  const value = process.env[name];
+  if (!value) {
+    throw new Error(`${name} is required for the local keychain bridge.`);
+  }
+  return value;
+}
+
+function numberEnv(name: string): number {
+  const raw = requiredEnv(name);
+  const value = Number(raw);
+  if (!Number.isInteger(value) || value <= 0) {
+    throw new Error(`${name} must be a positive integer.`);
+  }
+  return value;
+}
+
+const bindHost = process.env.LOCAL_KEYCHAIN_BIND_HOST || "127.0.0.1";
+const port = numberEnv("LOCAL_KEYCHAIN_PORT");
+const token = requiredEnv("LOCAL_KEYCHAIN_TOKEN");
+const workspaceId = requiredEnv("BIGSET_LOCAL_WORKSPACE_ID");
+
+interface CredentialBody {
+  service?: unknown;
+  apiKey?: unknown;
+}
+
+function writeJson(
+  res: ServerResponse,
+  statusCode: number,
+  body: Record<string, unknown>,
+): void {
+  res.writeHead(statusCode, { "Content-Type": "application/json" });
+  res.end(JSON.stringify(body));
+}
+
+function credentialEntry(service: unknown): { entry: Entry; account: string } {
+  if (!isLocalCredentialService(service)) {
+    throw new Error("Unsupported credential service.");
+  }
+
+  const account = localKeychainAccount(workspaceId, service);
+  return {
+    account,
+    entry: new Entry(KEYCHAIN_SERVICE, account),
+  };
+}
+
+async function readBody(req: IncomingMessage): Promise<CredentialBody> {
+  const chunks: Buffer[] = [];
+  let totalBytes = 0;
+
+  for await (const chunk of req) {
+    const buffer = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
+    totalBytes += buffer.byteLength;
+    if (totalBytes > MAX_BODY_BYTES) {
+      throw new Error("Request body is too large.");
+    }
+    chunks.push(buffer);
+  }
+
+  if (chunks.length === 0) return {};
+  const raw = Buffer.concat(chunks).toString("utf8");
+  const parsed = JSON.parse(raw) as CredentialBody;
+  if (!parsed || typeof parsed !== "object") {
+    throw new Error("Request body must be a JSON object.");
+  }
+  return parsed;
+}
+
+function isAuthorized(req: IncomingMessage): boolean {
+  return req.headers.authorization === `Bearer ${token}`;
+}
+
+async function handleRequest(
+  req: IncomingMessage,
+  res: ServerResponse,
+): Promise<void> {
+  const requestId = randomUUID();
+  const url = new URL(req.url || "/", `http://${bindHost}:${port}`);
+
+  if (req.method === "GET" && url.pathname === "/health") {
+    writeJson(res, 200, { status: "ok", workspaceId });
+    return;
+  }
+
+  if (!isAuthorized(req)) {
+    writeJson(res, 401, { error: "Unauthorized" });
+    return;
+  }
+
+  if (req.method !== "POST") {
+    writeJson(res, 405, { error: "Method not allowed" });
+    return;
+  }
+
+  try {
+    const body = await readBody(req);
+
+    if (url.pathname === "/credentials/get") {
+      const { entry, account } = credentialEntry(body.service);
+      writeJson(res, 200, {
+        apiKey: entry.getPassword(),
+        keychainAccount: account,
+      });
+      return;
+    }
+
+    if (url.pathname === "/credentials/set") {
+      if (typeof body.apiKey !== "string" || !body.apiKey.trim()) {
+        writeJson(res, 400, { error: "API key is required." });
+        return;
+      }
+
+      const apiKey = body.apiKey.trim();
+      const { entry, account } = credentialEntry(body.service);
+      entry.setPassword(apiKey);
+      writeJson(res, 200, { keychainAccount: account });
+      return;
+    }
+
+    if (url.pathname === "/credentials/delete") {
+      const { entry } = credentialEntry(body.service);
+      writeJson(res, 200, { deleted: entry.deletePassword() });
+      return;
+    }
+
+    writeJson(res, 404, { error: "Not found" });
+  } catch (err) {
+    const message = err instanceof Error ? err.message : "Keychain bridge failed.";
+    console.warn({ requestId, err }, "Local keychain bridge request failed");
+    writeJson(res, 400, { error: message, requestId });
+  }
+}
+
+const server = createServer((req, res) => {
+  void handleRequest(req, res).catch((err) => {
+    const message = err instanceof Error ? err.message : "Keychain bridge failed.";
+    console.error({ err }, "Local keychain bridge crashed during request");
+    writeJson(res, 500, { error: message });
+  });
+});
+
+server.listen(port, bindHost, () => {
+  console.log(
+    `Local keychain bridge listening on http://${bindHost}:${port} (${workspaceId})`,
+  );
+});
+
+for (const signal of ["SIGINT", "SIGTERM"] as const) {
+  process.on(signal, () => {
+    server.close(() => process.exit(0));
+  });
+}
diff --git a/backend/src/local-credential-types.ts b/backend/src/local-credential-types.ts
new file mode 100644
index 0000000..bcb4235
--- /dev/null
+++ b/backend/src/local-credential-types.ts
@@ -0,0 +1,20 @@
+export const LOCAL_CREDENTIAL_SERVICES = ["tinyfish", "openrouter"] as const;
+
+export type LocalCredentialService = (typeof LOCAL_CREDENTIAL_SERVICES)[number];
+export type ConnectionMethod = "api_key" | "oauth";
+
+export function isLocalCredentialService(
+  value: unknown,
+): value is LocalCredentialService {
+  return (
+    typeof value === "string" &&
+    (LOCAL_CREDENTIAL_SERVICES as readonly string[]).includes(value)
+  );
+}
+
+export function localKeychainAccount(
+  workspaceId: string,
+  service: LocalCredentialService,
+): string {
+  return `${workspaceId}:${service}`;
+}
diff --git a/backend/src/local-credentials.ts b/backend/src/local-credentials.ts
new file mode 100644
index 0000000..a6a5b4b
--- /dev/null
+++ b/backend/src/local-credentials.ts
@@ -0,0 +1,309 @@
+import { convex, internal } from "./convex.js";
+import { env } from "./env.js";
+import { FETCH_TIMEOUT_MS } from "./fetch-timeout.js";
+import {
+  getKeychainCredential,
+  setKeychainCredential,
+} from "./local-keychain-client.js";
+import type {
+  ConnectionMethod,
+  LocalCredentialService,
+} from "./local-credential-types.js";
+
+export const LOCAL_USER_ID = "local_user_default";
+
+export interface ServiceSetupStatus {
+  configured: boolean;
+  source: "local" | "env" | null;
+  connectionMethod: ConnectionMethod | null;
+  verifiedAt: number | null;
+}
+
+export interface LocalSetupStatus {
+  mode: "local" | "production";
+  required: boolean;
+  complete: boolean;
+  services: Record<LocalCredentialService, ServiceSetupStatus>;
+}
+
+function isPlaceholder(value: string, service: LocalCredentialService): boolean {
+  if (!value.trim()) return true;
+  if (value.includes("...")) return true;
+  if (service === "openrouter" && value === "sk-or-...") return true;
+  return false;
+}
+
+function envCredential(service: LocalCredentialService): string | undefined {
+  const value =
+    service === "tinyfish" ? process.env.TINYFISH_API_KEY : env.OPENROUTER_API_KEY;
+  if (!value || isPlaceholder(value, service)) return undefined;
+  return value;
+}
+
+async function localCredential(service: LocalCredentialService): Promise<{
+  apiKey: string;
+  connectionMethod: ConnectionMethod;
+  verifiedAt: number | null;
+  keychainAccount: string;
+} | null> {
+  if (!env.IS_LOCAL_MODE) return null;
+  const keychain = await getKeychainCredential(service);
+  if (!keychain?.apiKey) return null;
+
+  const row = await convex.query(internal.localCredentials.getInternal, {
+    service,
+  });
+
+  return {
+    apiKey: keychain.apiKey,
+    connectionMethod: row?.connectionMethod ?? "api_key",
+    verifiedAt: row?.verifiedAt ?? null,
+    keychainAccount: keychain.keychainAccount,
+  };
+}
+
+async function localCredentialForStatus(
+  service: LocalCredentialService,
+): Promise<Awaited<ReturnType<typeof localCredential>>> {
+  try {
+    return await localCredential(service);
+  } catch {
+    return null;
+  }
+}
+
+export async function resolveCredential(
+  service: LocalCredentialService,
+): Promise<{ apiKey: string; source: "local" | "env" } | null> {
+  if (env.IS_LOCAL_MODE) {
+    const local = await localCredential(service);
+    return local ? { apiKey: local.apiKey, source: "local" } : null;
+  }
+
+  const fromEnv = envCredential(service);
+  if (fromEnv) return { apiKey: fromEnv, source: "env" };
+
+  return null;
+}
+
+export async function getOpenRouterApiKey(): Promise<string | undefined> {
+  return (await resolveCredential("openrouter"))?.apiKey;
+}
+
+export async function requireOpenRouterApiKey(): Promise<string> {
+  const apiKey = await getOpenRouterApiKey();
+  if (!apiKey) {
+    throw new Error("OpenRouter is not configured. Complete local setup first.");
+  }
+  return apiKey;
+}
+
+export async function getTinyFishApiKey(): Promise<string | undefined> {
+  return (await resolveCredential("tinyfish"))?.apiKey;
+}
+
+export function tinyFishHeaders(apiKey: string): Record<string, string> {
+  return {
+    "X-API-Key": apiKey,
+    "X-TF-ORIGIN": "BigSet",
+    "X-TF-Request-Origin": "BigSet",
+  };
+}
+
+async function withFetchTimeout<T>(
+  operation: (signal: AbortSignal) => Promise<T>,
+  timeoutMessage: string,
+): Promise<T> {
+  const controller = new AbortController();
+  const timeout = setTimeout(() => controller.abort(), FETCH_TIMEOUT_MS);
+
+  try {
+    return await operation(controller.signal);
+  } catch (err) {
+    if (err instanceof Error && err.name === "AbortError") {
+      throw new Error(timeoutMessage);
+    }
+    throw err;
+  } finally {
+    clearTimeout(timeout);
+  }
+}
+
+export async function requireLocalSetupComplete(): Promise<void> {
+  if (!env.IS_LOCAL_MODE) return;
+  const status = await getLocalSetupStatus();
+  if (!status.complete) {
+    throw new Error("Local setup is incomplete.");
+  }
+}
+
+export async function getLocalSetupStatus(): Promise<LocalSetupStatus> {
+  if (!env.IS_LOCAL_MODE) {
+    const tinyfish = envCredential("tinyfish");
+    const openrouter = envCredential("openrouter");
+    return {
+      mode: "production",
+      required: false,
+      complete: true,
+      services: {
+        tinyfish: {
+          configured: !!tinyfish,
+          source: tinyfish ? "env" : null,
+          connectionMethod: tinyfish ? "api_key" : null,
+          verifiedAt: null,
+        },
+        openrouter: {
+          configured: !!openrouter,
+          source: openrouter ? "env" : null,
+          connectionMethod: openrouter ? "api_key" : null,
+          verifiedAt: null,
+        },
+      },
+    };
+  }
+
+  const tinyfishLocal = await localCredentialForStatus("tinyfish");
+  const openrouterLocal = await localCredentialForStatus("openrouter");
+
+  const tinyfish: ServiceSetupStatus = tinyfishLocal
+    ? {
+        configured: true,
+        source: "local",
+        connectionMethod: tinyfishLocal.connectionMethod,
+        verifiedAt: tinyfishLocal.verifiedAt,
+      }
+    : {
+        configured: false,
+        source: null,
+        connectionMethod: null,
+        verifiedAt: null,
+      };
+
+  const openrouter: ServiceSetupStatus = openrouterLocal
+    ? {
+        configured: true,
+        source: "local",
+        connectionMethod: openrouterLocal.connectionMethod,
+        verifiedAt: openrouterLocal.verifiedAt,
+      }
+    : {
+        configured: false,
+        source: null,
+        connectionMethod: null,
+        verifiedAt: null,
+      };
+
+  return {
+    mode: "local",
+    required: true,
+    complete: tinyfish.configured && openrouter.configured,
+    services: { tinyfish, openrouter },
+  };
+}
+
+export async function saveLocalCredential(
+  service: LocalCredentialService,
+  apiKey: string,
+  connectionMethod: ConnectionMethod,
+): Promise<void> {
+  if (!env.IS_LOCAL_MODE) {
+    throw new Error("Local credential storage is disabled when PROD=1.");
+  }
+  const { keychainAccount } = await setKeychainCredential(service, apiKey);
+  await convex.mutation(internal.localCredentials.upsertInternal, {
+    service,
+    keychainAccount,
+    connectionMethod,
+    verifiedAt: Date.now(),
+  });
+}
+
+export async function clearLegacyPlaintextLocalCredentials(): Promise<void> {
+  if (!env.IS_LOCAL_MODE) return;
+  await convex.mutation(internal.localCredentials.clearLegacyPlaintextInternal, {});
+}
+
+export async function verifyTinyFishApiKey(apiKey: string): Promise<void> {
+  const url = new URL("https://api.search.tinyfish.ai");
+  url.searchParams.set("query", "BigSet");
+
+  await withFetchTimeout(
+    async (signal) => {
+      const response = await fetch(url, {
+        headers: tinyFishHeaders(apiKey),
+        signal,
+      });
+
+      if (!response.ok) {
+        if (response.status === 401) {
+          throw new Error("TinyFish rejected that API key.");
+        }
+        throw new Error(
+          `TinyFish verification failed with HTTP ${response.status}.`,
+        );
+      }
+    },
+    `TinyFish verification timed out after ${FETCH_TIMEOUT_MS / 1000} seconds.`,
+  );
+}
+
+export async function verifyOpenRouterApiKey(apiKey: string): Promise<void> {
+  const baseUrl = (
+    process.env.OPENROUTER_BASE_URL || "https://openrouter.ai/api/v1"
+  ).replace(/\/+$/, "");
+
+  await withFetchTimeout(
+    async (signal) => {
+      const response = await fetch(`${baseUrl}/key`, {
+        headers: { Authorization: `Bearer ${apiKey}` },
+        signal,
+      });
+
+      if (!response.ok) {
+        if (response.status === 401 || response.status === 403) {
+          throw new Error("OpenRouter rejected that API key.");
+        }
+        throw new Error(
+          `OpenRouter verification failed with HTTP ${response.status}.`,
+        );
+      }
+    },
+    `OpenRouter verification timed out after ${FETCH_TIMEOUT_MS / 1000} seconds.`,
+  );
+}
+
+export async function exchangeOpenRouterOAuthCode({
+  code,
+  codeVerifier,
+}: {
+  code: string;
+  codeVerifier: string;
+}): Promise<string> {
+  return await withFetchTimeout(
+    async (signal) => {
+      const response = await fetch("https://openrouter.ai/api/v1/auth/keys", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          code,
+          code_verifier: codeVerifier,
+          code_challenge_method: "S256",
+        }),
+        signal,
+      });
+
+      if (!response.ok) {
+        throw new Error(
+          `OpenRouter OAuth exchange failed with HTTP ${response.status}.`,
+        );
+      }
+
+      const body = (await response.json()) as { key?: string };
+      if (!body.key) {
+        throw new Error("OpenRouter OAuth exchange did not return an API key.");
+      }
+      return body.key;
+    },
+    `OpenRouter OAuth exchange timed out after ${FETCH_TIMEOUT_MS / 1000} seconds.`,
+  );
+}
diff --git a/backend/src/local-keychain-client.ts b/backend/src/local-keychain-client.ts
new file mode 100644
index 0000000..480b167
--- /dev/null
+++ b/backend/src/local-keychain-client.ts
@@ -0,0 +1,148 @@
+import { env } from "./env.js";
+import {
+  type LocalCredentialService,
+  localKeychainAccount,
+} from "./local-credential-types.js";
+
+interface KeychainGetResponse {
+  apiKey: string | null;
+  keychainAccount: string;
+}
+
+interface KeychainSetResponse {
+  keychainAccount: string;
+}
+
+type KeychainResponseValidator<T> = (payload: unknown) => payload is T;
+
+function isJsonObject(payload: unknown): payload is Record<string, unknown> {
+  return (
+    payload !== null && typeof payload === "object" && !Array.isArray(payload)
+  );
+}
+
+function isKeychainGetResponse(
+  payload: unknown,
+): payload is KeychainGetResponse {
+  return (
+    isJsonObject(payload) &&
+    (typeof payload.apiKey === "string" || payload.apiKey === null) &&
+    typeof payload.keychainAccount === "string"
+  );
+}
+
+function isKeychainSetResponse(
+  payload: unknown,
+): payload is KeychainSetResponse {
+  return isJsonObject(payload) && typeof payload.keychainAccount === "string";
+}
+
+function requireKeychainConfig(): { url: string; token: string } {
+  if (!env.LOCAL_KEYCHAIN_URL || !env.LOCAL_KEYCHAIN_TOKEN) {
+    throw new Error(
+      "Local keychain bridge is not configured. Run `make dev` to start it.",
+    );
+  }
+  return { url: env.LOCAL_KEYCHAIN_URL, token: env.LOCAL_KEYCHAIN_TOKEN };
+}
+
+function keychainUrl(path: string): string {
+  const { url } = requireKeychainConfig();
+  return new URL(path, url).toString();
+}
+
+async function keychainRequest<T>(
+  path: string,
+  body: Record<string, unknown>,
+  validatePayload: KeychainResponseValidator<T>,
+): Promise<T> {
+  const { token } = requireKeychainConfig();
+  const controller = new AbortController();
+  const timeout = setTimeout(
+    () => controller.abort(),
+    env.LOCAL_KEYCHAIN_TIMEOUT_MS,
+  );
+
+  try {
+    const response = await fetch(keychainUrl(path), {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${token}`,
+        "Content-Type": "application/json",
+      },
+      body: JSON.stringify(body),
+      signal: controller.signal,
+    });
+
+    const payload: unknown = await response.json().catch(() => null);
+
+    if (!response.ok) {
+      const bridgeError =
+        isJsonObject(payload) && typeof payload.error === "string"
+          ? payload.error
+          : null;
+      throw new Error(
+        bridgeError || `Keychain bridge error (${response.status})`,
+      );
+    }
+
+    if (!isJsonObject(payload)) {
+      throw new Error(
+        `Keychain bridge returned an invalid response for ${path}: expected a JSON object.`,
+      );
+    }
+
+    if (!validatePayload(payload)) {
+      throw new Error(
+        `Keychain bridge returned an invalid response for ${path}.`,
+      );
+    }
+
+    return payload;
+  } catch (err) {
+    if (err instanceof Error && err.name === "AbortError") {
+      throw new Error("Local keychain bridge timed out.");
+    }
+    throw err;
+  } finally {
+    clearTimeout(timeout);
+  }
+}
+
+export function expectedKeychainAccount(
+  service: LocalCredentialService,
+): string {
+  return localKeychainAccount(env.BIGSET_LOCAL_WORKSPACE_ID, service);
+}
+
+export async function getKeychainCredential(
+  service: LocalCredentialService,
+): Promise<{ apiKey: string; keychainAccount: string } | null> {
+  const result = await keychainRequest<KeychainGetResponse>(
+    "/credentials/get",
+    {
+      service,
+    },
+    isKeychainGetResponse,
+  );
+
+  if (!result.apiKey) return null;
+  return {
+    apiKey: result.apiKey,
+    keychainAccount: result.keychainAccount,
+  };
+}
+
+export async function setKeychainCredential(
+  service: LocalCredentialService,
+  apiKey: string,
+): Promise<{ keychainAccount: string }> {
+  return await keychainRequest<KeychainSetResponse>(
+    "/credentials/set",
+    {
+      service,
+      apiKey,
+    },
+    isKeychainSetResponse,
+  );
+}
diff --git a/backend/src/mastra/agents/investigate.ts b/backend/src/mastra/agents/investigate.ts
index 4cdc32e..63a7b8c 100644
--- a/backend/src/mastra/agents/investigate.ts
+++ b/backend/src/mastra/agents/investigate.ts
@@ -5,10 +5,6 @@ import { searchWebTool, fetchPageTool } from "../tools/web-tools.js";
 import type { AuthContext } from "../workflows/populate.js";
 import type { PopulateColumn } from "../../pipeline/populate.js";
 
-const openrouter = createOpenRouter({
-  apiKey: process.env.OPENROUTER_API_KEY!,
-});
-
 function buildInvestigateInstructions(columns: PopulateColumn[]): string {
   const columnNames = columns.map((c) => c.name);
   const columnsDesc = columns
@@ -59,8 +55,13 @@ export function buildInvestigateAgent(
   authorizedDatasetId: string,
   authContext: AuthContext,
   columns: PopulateColumn[],
+  openRouterApiKey: string,
 ): Agent {
   const modelSlug = authContext.modelConfig!.investigateSubagent;
+  const openrouter = createOpenRouter({
+    apiKey: openRouterApiKey,
+    baseURL: process.env.OPENROUTER_BASE_URL,
+  });
 
   const { insert_row } = buildPopulateTools(
     authorizedDatasetId,
diff --git a/backend/src/mastra/agents/populate.ts b/backend/src/mastra/agents/populate.ts
index 155492a..eb9b26f 100644
--- a/backend/src/mastra/agents/populate.ts
+++ b/backend/src/mastra/agents/populate.ts
@@ -6,10 +6,6 @@ import type { AuthContext } from "../workflows/populate.js";
 import type { PopulateColumn } from "../../pipeline/populate.js";
 import type { RunMetrics } from "../run-metrics.js";
 
-const openrouter = createOpenRouter({
-  apiKey: process.env.OPENROUTER_API_KEY!,
-});
-
 function buildInstructions(maxRowCount: number): string {
   return `You are an expert dataset builder. You conduct research using your web tools.
 You do broad research to see which rows to add, and then you spin up sub-agents that can do the deep research and fill in each row for you.
@@ -44,10 +40,15 @@ export function buildPopulateAgent(
   authorizedDatasetId: string,
   authContext: AuthContext,
   columns: PopulateColumn[],
+  openRouterApiKey: string,
   maxRowCount: number,
   metrics?: RunMetrics,
 ): Agent {
   const modelSlug = authContext.modelConfig!.populateOrchestrator;
+  const openrouter = createOpenRouter({
+    apiKey: openRouterApiKey,
+    baseURL: process.env.OPENROUTER_BASE_URL,
+  });
 
   return new Agent({
     id: "populate-agent",
@@ -61,6 +62,7 @@ export function buildPopulateAgent(
         authorizedDatasetId,
         authContext,
         columns,
+        openRouterApiKey,
         maxRowCount,
         metrics,
       ),
diff --git a/backend/src/mastra/agents/refresh.ts b/backend/src/mastra/agents/refresh.ts
index 2215686..144065a 100644
--- a/backend/src/mastra/agents/refresh.ts
+++ b/backend/src/mastra/agents/refresh.ts
@@ -5,10 +5,6 @@ import { searchWebTool, fetchPageTool } from "../tools/web-tools.js";
 import type { AuthContext } from "../workflows/populate.js";
 import type { PopulateColumn } from "../../pipeline/populate.js";
 
-const openrouter = createOpenRouter({
-  apiKey: process.env.OPENROUTER_API_KEY!,
-});
-
 function buildRefreshInstructions(columns: PopulateColumn[]): string {
   const columnNames = columns.map((c) => c.name);
   const columnsDesc = columns
@@ -55,7 +51,13 @@ export function buildRefreshAgent(
   authorizedDatasetId: string,
   authContext: AuthContext,
   columns: PopulateColumn[],
+  openRouterApiKey: string,
 ): Agent {
+  const modelSlug = authContext.modelConfig!.investigateSubagent;
+  const openrouter = createOpenRouter({
+    apiKey: openRouterApiKey,
+    baseURL: process.env.OPENROUTER_BASE_URL,
+  });
   const { update_row } = buildPopulateTools(
     authorizedDatasetId,
     authContext,
@@ -64,7 +66,7 @@ export function buildRefreshAgent(
     id: "refresh-agent",
     name: "Dataset Refresh Agent",
     instructions: buildRefreshInstructions(columns),
-    model: openrouter("qwen/qwen3.7-max"),
+    model: openrouter(modelSlug),
     tools: {
       update_row,
       search_web: searchWebTool,
diff --git a/backend/src/mastra/tools/investigate-tool.ts b/backend/src/mastra/tools/investigate-tool.ts
index c1d6b18..0139aa4 100644
--- a/backend/src/mastra/tools/investigate-tool.ts
+++ b/backend/src/mastra/tools/investigate-tool.ts
@@ -75,6 +75,7 @@ export function buildSubagentTool(
   authorizedDatasetId: string,
   authContext: AuthContext,
   columns: PopulateColumn[],
+  openRouterApiKey: string,
   maxRowCount: number,
   metrics?: RunMetrics,
 ) {
@@ -107,6 +108,7 @@ export function buildSubagentTool(
           authorizedDatasetId,
           authContext,
           columns,
+          openRouterApiKey,
         );
 
         const pkBlock = Object.entries(primary_keys)
diff --git a/backend/src/mastra/tools/web-tools.ts b/backend/src/mastra/tools/web-tools.ts
index 961897e..245ee43 100644
--- a/backend/src/mastra/tools/web-tools.ts
+++ b/backend/src/mastra/tools/web-tools.ts
@@ -1,7 +1,7 @@
 import { createTool } from "@mastra/core/tools";
 import { z } from "zod";
-
-const FETCH_TIMEOUT_MS = 30_000;
+import { FETCH_TIMEOUT_MS } from "../../fetch-timeout.js";
+import { getTinyFishApiKey, tinyFishHeaders } from "../../local-credentials.js";
 
 const searchResultSchema = z.object({
   title: z.string(),
@@ -24,7 +24,7 @@ export const searchWebTool = createTool({
     if (!query?.trim())
       return { error: "query is required and cannot be empty." };
 
-    const apiKey = process.env.TINYFISH_API_KEY;
+    const apiKey = await getTinyFishApiKey();
     if (!apiKey)
       return { error: "TINYFISH_API_KEY is not configured. Web search is unavailable — use synthetic data instead." };
 
@@ -35,7 +35,7 @@ export const searchWebTool = createTool({
     const timeout = setTimeout(() => controller.abort(), FETCH_TIMEOUT_MS);
     try {
       const res = await fetch(url, {
-        headers: { "X-API-Key": apiKey, "X-TF-Request-Origin": "bigset" },
+        headers: tinyFishHeaders(apiKey),
         signal: controller.signal,
       });
       clearTimeout(timeout);
@@ -90,7 +90,7 @@ export const fetchPageTool = createTool({
     if (!targetUrl.startsWith("http://") && !targetUrl.startsWith("https://"))
       return { error: `Invalid URL "${targetUrl}". Must start with http:// or https://.` };
 
-    const apiKey = process.env.TINYFISH_API_KEY;
+    const apiKey = await getTinyFishApiKey();
     if (!apiKey)
       return { error: "TINYFISH_API_KEY is not configured. Page fetch is unavailable — use data from search snippets instead." };
 
@@ -103,8 +103,7 @@ export const fetchPageTool = createTool({
         method: "POST",
         headers: {
           "Content-Type": "application/json",
-          "X-API-Key": apiKey,
-          "X-TF-Request-Origin": "bigset",
+          ...tinyFishHeaders(apiKey),
         },
         body: JSON.stringify({ urls: [targetUrl], format: "markdown" }),
         signal: controller.signal,
diff --git a/backend/src/mastra/workflows/populate.ts b/backend/src/mastra/workflows/populate.ts
index 35db3b1..e07ed8e 100644
--- a/backend/src/mastra/workflows/populate.ts
+++ b/backend/src/mastra/workflows/populate.ts
@@ -5,6 +5,7 @@ import { createOpenRouter } from "@openrouter/ai-sdk-provider";
 import { datasetContextSchema, populateColumnSchema } from "../../pipeline/populate.js";
 import { convex, internal } from "../../convex.js";
 import { DEFAULT_MODEL_IDS } from "../../config/models.js";
+import { requireOpenRouterApiKey } from "../../local-credentials.js";
 import { buildPopulateAgent } from "../agents/populate.js";
 import { RunMetrics } from "../run-metrics.js";
 import { saveRunMetrics } from "../save-run-metrics.js";
@@ -108,8 +109,10 @@ Respond with EXACTLY one word: scraper or search`;
 
     let classification: "scraper" | "search" = "search";
     try {
+      const apiKey = await requireOpenRouterApiKey();
       const openrouter = createOpenRouter({
-        apiKey: process.env.OPENROUTER_API_KEY!,
+        apiKey,
+        baseURL: process.env.OPENROUTER_BASE_URL,
       });
       const modelSlug =
         inputData.authContext?.modelConfig?.schemaInference ?? DEFAULT_MODEL_IDS.SCHEMA_INFERENCE;
@@ -248,6 +251,7 @@ const agentStep = createStep({
         inputData.authorizedDatasetId,
         inputData.authContext,
         inputData.columns,
+        await requireOpenRouterApiKey(),
         inputData.maxRowCount,
         metrics,
       );
diff --git a/backend/src/mastra/workflows/update.ts b/backend/src/mastra/workflows/update.ts
index 45e3421..28aadee 100644
--- a/backend/src/mastra/workflows/update.ts
+++ b/backend/src/mastra/workflows/update.ts
@@ -4,6 +4,7 @@ import { datasetContextSchema, populateColumnSchema } from "../../pipeline/popul
 import { convex, internal } from "../../convex.js";
 import { buildRefreshAgent } from "../agents/refresh.js";
 import { authContextSchema } from "./populate.js";
+import { requireOpenRouterApiKey } from "../../local-credentials.js";
 import { RunMetrics } from "../run-metrics.js";
 import { saveRunMetrics } from "../save-run-metrics.js";
 import { getSignal } from "../../abort-registry.js";
@@ -99,12 +100,18 @@ const refreshRowsStep = createStep({
 
     const metrics = new RunMetrics();
     const startedAt = Date.now();
+    const openRouterApiKey = await requireOpenRouterApiKey();
 
     const pkColumns = columns.filter((c) => c.isPrimaryKey);
 
     async function processRow(row: z.infer<typeof rowSchema>) {
       try {
-        const agent = buildRefreshAgent(datasetId, authContext, columns);
+        const agent = buildRefreshAgent(
+          datasetId,
+          authContext,
+          columns,
+          openRouterApiKey,
+        );
 
         const pkBlock =
           pkColumns.length > 0
diff --git a/backend/src/pipeline/schema-inference.ts b/backend/src/pipeline/schema-inference.ts
index 1f1ea2a..467a393 100644
--- a/backend/src/pipeline/schema-inference.ts
+++ b/backend/src/pipeline/schema-inference.ts
@@ -2,6 +2,7 @@ import { generateText, Output, NoObjectGeneratedError } from "ai";
 import { createOpenRouter } from "@openrouter/ai-sdk-provider";
 
 import { DEFAULT_MODEL_IDS } from "../config/models.js";
+import { requireOpenRouterApiKey } from "../local-credentials.js";
 import { datasetSchemaSchema, type DatasetSchema } from "./types.js";
 
 const SYSTEM_PROMPT = `You are a data engineering assistant that converts natural-language prompts into structured dataset schemas. Given a user prompt describing a dataset they want to build, you produce a precise schema definition.
@@ -26,18 +27,18 @@ Rules:
 - Prefer concrete column choices over speculative ones — better to omit a column than guess wildly.
 - When a column is a scalar numeric rating (e.g. average score like 4.3/5 for restaurants, cafes, hotels, products, apps): name it generically (e.g. "rating" not "yelp_rating") and write a retrieval_hint explaining that review sites (Yelp, TripAdvisor, Google Maps) block direct page fetches, so the agent must extract ratings from **search result snippets**. The hint should say: "Search for \\"<entity name> rating reviews\\" and include location terms only when location is part of the entity identity. Look for ratings in snippets from TripAdvisor (\\"rated X.X of 5\\"), Yelp search listings (\\"X.X (N reviews)\\"), or aggregator sites (Birdeye, joe.coffee, giftly, Uber Eats, menufyy). Do NOT try to fetch yelp.com or tripadvisor.com directly — they block automated access. Accept ratings from any reputable source." If including a rating column, also add a "rating_source" text column so the agent records where the rating came from. Do not rename review-count or review-text fields to "rating" — keep those as distinct columns (e.g. "review_count") when the user explicitly asks for them.`;
 
-function getModel(modelSlug?: string) {
-  const apiKey = process.env.OPENROUTER_API_KEY;
-  if (!apiKey) {
-    throw new Error("Missing required environment variable: OPENROUTER_API_KEY");
-  }
-  const openrouter = createOpenRouter({ apiKey });
+async function getModel(modelSlug?: string) {
+  const apiKey = await requireOpenRouterApiKey();
+  const openrouter = createOpenRouter({
+    apiKey,
+    baseURL: process.env.OPENROUTER_BASE_URL,
+  });
   const resolvedSlug = modelSlug ?? DEFAULT_MODEL_IDS.SCHEMA_INFERENCE;
   return openrouter(resolvedSlug);
 }
 
 export async function inferSchema(prompt: string, modelSlug?: string): Promise<DatasetSchema> {
-  const model = getModel(modelSlug);
+  const model = await getModel(modelSlug);
   try {
     return await callOnce(model, prompt);
   } catch (error) {
diff --git a/docker-compose.dev.yml b/docker-compose.dev.yml
index 1a12432..3506ef9 100644
--- a/docker-compose.dev.yml
+++ b/docker-compose.dev.yml
@@ -31,11 +31,16 @@ services:
       CLIENT_ORIGIN: http://localhost:3500
       CONVEX_URL: http://convex:3210
       PORT: 3501
+      PROD: ${PROD:-}
       CONVEX_SELF_HOSTED_ADMIN_KEY: ${CONVEX_SELF_HOSTED_ADMIN_KEY:-}
       CLERK_SECRET_KEY: ${CLERK_SECRET_KEY:-}
       CLERK_PUBLISHABLE_KEY: ${NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY:-}
       OPENROUTER_API_KEY: ${OPENROUTER_API_KEY:-}
       TINYFISH_API_KEY: ${TINYFISH_API_KEY:-}
+      BIGSET_LOCAL_WORKSPACE_ID: ${BIGSET_LOCAL_WORKSPACE_ID:-}
+      LOCAL_KEYCHAIN_URL: http://host.docker.internal:${LOCAL_KEYCHAIN_PORT:-3502}
+      LOCAL_KEYCHAIN_TOKEN: ${LOCAL_KEYCHAIN_TOKEN:-}
+      LOCAL_KEYCHAIN_TIMEOUT_MS: ${LOCAL_KEYCHAIN_TIMEOUT_MS:-5000}
       # Transactional email — when unset, the email module no-ops.
       RESEND_API_KEY: ${RESEND_API_KEY:-}
       EMAIL_FROM: ${EMAIL_FROM:-BigSet <simantak@tinyfish.ai>}
@@ -47,6 +52,8 @@ services:
       REFRESH_SCHEDULER_POLL_MS: ${REFRESH_SCHEDULER_POLL_MS:-60000}
       REFRESH_SCHEDULER_BATCH_SIZE: ${REFRESH_SCHEDULER_BATCH_SIZE:-5}
       REFRESH_SCHEDULER_STALE_AFTER_MS: ${REFRESH_SCHEDULER_STALE_AFTER_MS:-21600000}
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
     depends_on:
       convex:
         condition: service_healthy
@@ -65,10 +72,17 @@ services:
     environment:
       HOST: 0.0.0.0
       PORT: 4111
+      PROD: ${PROD:-}
       OPENROUTER_API_KEY: ${OPENROUTER_API_KEY:-}
       CONVEX_URL: http://convex:3210
       CONVEX_SELF_HOSTED_ADMIN_KEY: ${CONVEX_SELF_HOSTED_ADMIN_KEY:-}
       TINYFISH_API_KEY: ${TINYFISH_API_KEY:-}
+      BIGSET_LOCAL_WORKSPACE_ID: ${BIGSET_LOCAL_WORKSPACE_ID:-}
+      LOCAL_KEYCHAIN_URL: http://host.docker.internal:${LOCAL_KEYCHAIN_PORT:-3502}
+      LOCAL_KEYCHAIN_TOKEN: ${LOCAL_KEYCHAIN_TOKEN:-}
+      LOCAL_KEYCHAIN_TIMEOUT_MS: ${LOCAL_KEYCHAIN_TIMEOUT_MS:-5000}
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
     depends_on:
       convex:
         condition: service_healthy
@@ -95,8 +109,10 @@ services:
       - ./scripts:/scripts:ro
     environment:
       NEXT_PUBLIC_CONVEX_URL: http://localhost:3210
-      NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY: ${NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY}
-      CLERK_SECRET_KEY: ${CLERK_SECRET_KEY}
+      NEXT_PUBLIC_PROD: ${PROD:-}
+      PROD: ${PROD:-}
+      NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY: ${NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY:-}
+      CLERK_SECRET_KEY: ${CLERK_SECRET_KEY:-}
       NEXT_PUBLIC_CLERK_SIGN_IN_URL: /sign-in
       NEXT_PUBLIC_CLERK_SIGN_UP_URL: /sign-up
       NEXT_PUBLIC_CLERK_SIGN_IN_FALLBACK_REDIRECT_URL: /dashboard
diff --git a/frontend/.gitignore b/frontend/.gitignore
index 598418e..995cb8f 100644
--- a/frontend/.gitignore
+++ b/frontend/.gitignore
@@ -38,9 +38,6 @@ yarn-error.log*
 package-lock.json
 yarn.lock
 
-# convex generated
-convex/_generated/
-
 # vercel
 .vercel
 
diff --git a/frontend/app/convex-provider.tsx b/frontend/app/convex-provider.tsx
index 7d876e0..be33d3e 100644
--- a/frontend/app/convex-provider.tsx
+++ b/frontend/app/convex-provider.tsx
@@ -1,15 +1,21 @@
 "use client";
 
 import { ConvexReactClient } from "convex/react";
+import { ConvexProvider } from "convex/react";
 import { ConvexProviderWithClerk } from "convex/react-clerk";
-import { useAuth } from "@clerk/nextjs";
 import { type ReactNode } from "react";
+import { useAuth } from "@clerk/nextjs";
+import { isLocalMode } from "@/lib/app-mode";
 
 const convex = new ConvexReactClient(
-  process.env.NEXT_PUBLIC_CONVEX_URL as string
+  process.env.NEXT_PUBLIC_CONVEX_URL || "http://127.0.0.1:3210"
 );
 
 export function ConvexClientProvider({ children }: { children: ReactNode }) {
+  if (isLocalMode) {
+    return <ConvexProvider client={convex}>{children}</ConvexProvider>;
+  }
+
   return (
     <ConvexProviderWithClerk client={convex} useAuth={useAuth}>
       {children}
diff --git a/frontend/app/dashboard/page.tsx b/frontend/app/dashboard/page.tsx
index 747e5c0..7c3ca80 100644
--- a/frontend/app/dashboard/page.tsx
+++ b/frontend/app/dashboard/page.tsx
@@ -3,8 +3,7 @@
 import { useEffect, useMemo, useRef, useState } from "react";
 import Link from "next/link";
 import { useRouter } from "next/navigation";
-import { useQuery, useConvexAuth } from "convex/react";
-import { useUser, useClerk } from "@clerk/nextjs";
+import { useQuery } from "convex/react";
 import { api } from "@/convex/_generated/api";
 import {
   DatasetCard,
@@ -12,29 +11,34 @@ import {
 } from "@/components/dataset/DatasetCard";
 import { useTheme } from "@/components/ThemeToggle";
 import { QuotaBadge } from "@/components/QuotaBadge";
+import { LocalUtilityMenu } from "@/components/LocalUtilityMenu";
 import { EVENTS, track } from "@/lib/analytics";
 import type { ProfileUser } from "@/lib/profile-user";
+import { useAppClerk, useAppConvexAuth, useAppUser } from "@/lib/app-auth";
+import { isLocalMode } from "@/lib/app-mode";
 
 export default function DashboardPage() {
-  const { isAuthenticated, isLoading } = useConvexAuth();
-  const { user } = useUser();
-  const { signOut } = useClerk();
+  const { isAuthenticated, isLoading } = useAppConvexAuth();
+  const { user } = useAppUser();
+  const { signOut } = useAppClerk();
   const [search, setSearch] = useState("");
 
   const mine = useQuery(
     api.datasets.listMine,
     isAuthenticated ? {} : "skip",
   );
-  // Public datasets are open to anonymous users too, so no `skip` gate.
-  const curated = useQuery(api.datasets.listPublic, {});
+  const showCurated = !isLocalMode;
+  const curated = useQuery(
+    api.datasets.listPublic,
+    showCurated ? {} : "skip",
+  );
 
-  // Quota state drives the "+ New Dataset" button — disabled when the
-  // user is at their free-tier limit. `undefined` while loading.
+  // Quota limits are cloud-only. Local mode can create datasets without this gate.
   const usage = useQuery(
     api.quota.getMy,
-    isAuthenticated ? {} : "skip",
+    !isLocalMode && isAuthenticated ? {} : "skip",
   );
-  const atLimit = usage !== undefined && usage.remaining === 0;
+  const atLimit = !isLocalMode && usage !== undefined && usage.remaining === 0;
 
   // Fire dashboard_viewed once per mount when both queries have resolved,
   // so we attach accurate counts. `dashboardFired` prevents the effect
@@ -45,15 +49,15 @@ export default function DashboardPage() {
       !dashboardFired.current &&
       isAuthenticated &&
       mine !== undefined &&
-      curated !== undefined
+      (!showCurated || curated !== undefined)
     ) {
       dashboardFired.current = true;
       track(EVENTS.DASHBOARD_VIEWED, {
         owned_count: mine.length,
-        curated_count: curated.length,
+        curated_count: showCurated ? (curated?.length ?? 0) : 0,
       });
     }
-  }, [isAuthenticated, mine, curated]);
+  }, [isAuthenticated, mine, curated, showCurated]);
 
   const { filteredMine, filteredCurated } = useMemo(() => {
     const q = search.trim().toLowerCase();
@@ -85,9 +89,15 @@ export default function DashboardPage() {
         <img src="/BigSetLogo.png" alt="BigSet" className="h-[30px] dark:hidden" />
         <img src="/BigSetLogoDarkBG.png" alt="BigSet" className="h-[30px] hidden dark:block" />
         <div className="flex items-center gap-4">
-          <QuotaBadge />
-          <div className="w-px h-4 bg-border" />
-          <ProfileMenu user={user} onSignOut={() => signOut()} />
+          {isLocalMode ? (
+            <LocalUtilityMenu />
+          ) : (
+            <>
+              <QuotaBadge />
+              <div className="w-px h-4 bg-border" />
+              <ProfileMenu user={user} onSignOut={() => signOut()} />
+            </>
+          )}
         </div>
       </header>
 
@@ -187,19 +197,23 @@ export default function DashboardPage() {
           }
         />
 
-        <div className="h-12" />
+        {!isLocalMode && (
+          <>
+            <div className="h-12" />
 
-        <Section
-          eyebrow="Curated by BigSet"
-          heading="Explore live datasets"
-          isLoading={curated === undefined}
-          datasets={filteredCurated as unknown as DatasetCardData[]}
-          emptyState={
-            search
-              ? `No curated datasets match "${search}".`
-              : "Curated datasets coming soon."
-          }
-        />
+            <Section
+              eyebrow="Curated by BigSet"
+              heading="Explore live datasets"
+              isLoading={curated === undefined}
+              datasets={filteredCurated as unknown as DatasetCardData[]}
+              emptyState={
+                search
+                  ? `No curated datasets match "${search}".`
+                  : "Curated datasets coming soon."
+              }
+            />
+          </>
+        )}
       </main>
     </div>
   );
@@ -300,14 +314,16 @@ function ProfileMenu({
 
       {open && (
         <div id="profile-menu" role="menu" className="absolute right-0 top-full mt-1.5 w-52 rounded-xl border border-border bg-surface shadow-xl ring-1 ring-black/[0.04] z-50 overflow-hidden">
-          <div className="px-3 py-2 border-b border-border">
-            <p className="text-xs font-medium text-foreground truncate">{name}</p>
-            {email && (
-              <p data-ph-mask-text="true" className="text-[11px] text-muted truncate mt-0.5">
-                {email}
-              </p>
-            )}
-          </div>
+          {!isLocalMode && (
+            <div className="px-3 py-2 border-b border-border">
+              <p className="text-xs font-medium text-foreground truncate">{name}</p>
+              {email && (
+                <p data-ph-mask-text="true" className="text-[11px] text-muted truncate mt-0.5">
+                  {email}
+                </p>
+              )}
+            </div>
+          )}
           <div className="p-1">
             <button
               onClick={toggleTheme}
@@ -335,20 +351,22 @@ function ProfileMenu({
               </svg>
               Settings
             </button>
-            <button
-              onClick={() => {
-                setOpen(false);
-                onSignOut();
-              }}
-              className="w-full flex items-center gap-2 px-2 py-1.5 rounded-lg text-xs text-red-500 hover:bg-red-500/[0.08] transition-colors"
-            >
-              <svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="1.75" strokeLinecap="round" strokeLinejoin="round" aria-hidden="true">
-                <path d="M9 21H5a2 2 0 0 1-2-2V5a2 2 0 0 1 2-2h4" />
-                <polyline points="16 17 21 12 16 7" />
-                <line x1="21" y1="12" x2="9" y2="12" />
-              </svg>
-              Sign out
-            </button>
+            {!isLocalMode && (
+              <button
+                onClick={() => {
+                  setOpen(false);
+                  onSignOut();
+                }}
+                className="w-full flex items-center gap-2 px-2 py-1.5 rounded-lg text-xs text-red-500 hover:bg-red-500/[0.08] transition-colors"
+              >
+                <svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="1.75" strokeLinecap="round" strokeLinejoin="round" aria-hidden="true">
+                  <path d="M9 21H5a2 2 0 0 1-2-2V5a2 2 0 0 1 2-2h4" />
+                  <polyline points="16 17 21 12 16 7" />
+                  <line x1="21" y1="12" x2="9" y2="12" />
+                </svg>
+                Sign out
+              </button>
+            )}
           </div>
         </div>
       )}
diff --git a/frontend/app/dashboard/settings/layout.tsx b/frontend/app/dashboard/settings/layout.tsx
index 5073466..1a4c0bf 100644
--- a/frontend/app/dashboard/settings/layout.tsx
+++ b/frontend/app/dashboard/settings/layout.tsx
@@ -1,17 +1,19 @@
 "use client";
 
 import Link from "next/link";
-import { useUser, useClerk } from "@clerk/nextjs";
 import { useTheme } from "@/components/ThemeToggle";
+import { LocalUtilityMenu } from "@/components/LocalUtilityMenu";
 import { useEffect, useRef, useState } from "react";
+import { useAppClerk, useAppUser } from "@/lib/app-auth";
+import { isLocalMode } from "@/lib/app-mode";
 
 export default function SettingsLayout({
   children,
 }: {
   children: React.ReactNode;
 }) {
-  const { user } = useUser();
-  const { signOut } = useClerk();
+  const { user } = useAppUser();
+  const { signOut } = useAppClerk();
   const [profileOpen, setProfileOpen] = useState(false);
   const profileRef = useRef<HTMLDivElement>(null);
   const { theme, toggle: toggleTheme } = useTheme();
@@ -31,7 +33,7 @@ export default function SettingsLayout({
   const imageUrl = user?.imageUrl;
 
   return (
-    <div className="flex flex-col h-screen">
+    <div className="flex h-screen flex-col overflow-hidden">
       <header className="border-b border-border px-6 py-3 flex items-center justify-between bg-surface shrink-0">
         <Link href="/dashboard" className="flex items-center gap-2">
           <img src="/BigSetLogo.png" alt="BigSet" className="h-6.5 dark:hidden" />
@@ -46,58 +48,62 @@ export default function SettingsLayout({
             ← Back to Dashboard
           </Link>
           <div className="w-px h-4 bg-border" />
-          <div ref={profileRef} className="relative">
-            <button
-              type="button"
-              onClick={() => setProfileOpen((o) => !o)}
-              className="flex items-center gap-1.5 rounded-full py-0.5 pl-0.5 pr-2 hover:bg-foreground/5 transition-colors"
-            >
-              {imageUrl ? (
-                <img src={imageUrl} alt="" className="h-6 w-6 rounded-full object-cover" />
-              ) : (
-                <div className="h-6 w-6 rounded-full bg-foreground/10 flex items-center justify-center text-[11px] font-medium text-foreground">
-                  {name[0]?.toUpperCase()}
-                </div>
-              )}
-              <span className="text-xs font-medium text-foreground">{name}</span>
-            </button>
+          {isLocalMode ? (
+            <LocalUtilityMenu showSettingsLink={false} />
+          ) : (
+            <div ref={profileRef} className="relative">
+              <button
+                type="button"
+                onClick={() => setProfileOpen((o) => !o)}
+                className="flex items-center gap-1.5 rounded-full py-0.5 pl-0.5 pr-2 hover:bg-foreground/5 transition-colors"
+              >
+                {imageUrl ? (
+                  <img src={imageUrl} alt="" className="h-6 w-6 rounded-full object-cover" />
+                ) : (
+                  <div className="h-6 w-6 rounded-full bg-foreground/10 flex items-center justify-center text-[11px] font-medium text-foreground">
+                    {name[0]?.toUpperCase()}
+                  </div>
+                )}
+                <span className="text-xs font-medium text-foreground">{name}</span>
+              </button>
 
-            {profileOpen && (
-              <div className="absolute right-0 top-full mt-1.5 w-52 rounded-xl border border-border bg-surface shadow-xl ring-1 ring-black/4 z-50 overflow-hidden">
-                <div className="px-3 py-2 border-b border-border">
-                  <p className="text-xs font-medium text-foreground truncate">{name}</p>
-                  {email && (
-                    <p data-ph-mask-text="true" className="text-[11px] text-muted truncate mt-0.5">
-                      {email}
-                    </p>
-                  )}
+              {profileOpen && (
+                <div className="absolute right-0 top-full mt-1.5 w-52 rounded-xl border border-border bg-surface shadow-xl ring-1 ring-black/4 z-50 overflow-hidden">
+                  <div className="px-3 py-2 border-b border-border">
+                    <p className="text-xs font-medium text-foreground truncate">{name}</p>
+                    {email && (
+                      <p data-ph-mask-text="true" className="text-[11px] text-muted truncate mt-0.5">
+                        {email}
+                      </p>
+                    )}
+                  </div>
+                  <div className="p-1">
+                    <button
+                      onClick={toggleTheme}
+                      className="w-full flex items-center justify-between px-2 py-1.5 rounded-lg text-xs text-foreground hover:bg-foreground/5 transition-colors"
+                    >
+                      <span>Dark mode</span>
+                      <span className={`relative inline-flex h-4 w-7 shrink-0 items-center rounded-full transition-colors ${theme === "dark" ? "bg-foreground" : "bg-foreground/20"}`}>
+                        <span className={`inline-block h-3 w-3 rounded-full bg-surface transition-transform ${theme === "dark" ? "translate-x-3.5" : "translate-x-0.5"}`} />
+                      </span>
+                    </button>
+                    <button
+                      onClick={() => { setProfileOpen(false); signOut(); }}
+                      className="w-full flex items-center gap-2 px-2 py-1.5 rounded-lg text-xs text-red-500 hover:bg-red-500/8 transition-colors"
+                    >
+                      Sign out
+                    </button>
+                  </div>
                 </div>
-                <div className="p-1">
-                  <button
-                    onClick={toggleTheme}
-                    className="w-full flex items-center justify-between px-2 py-1.5 rounded-lg text-xs text-foreground hover:bg-foreground/5 transition-colors"
-                  >
-                    <span>Dark mode</span>
-                    <span className={`relative inline-flex h-4 w-7 shrink-0 items-center rounded-full transition-colors ${theme === "dark" ? "bg-foreground" : "bg-foreground/20"}`}>
-                      <span className={`inline-block h-3 w-3 rounded-full bg-surface transition-transform ${theme === "dark" ? "translate-x-3.5" : "translate-x-0.5"}`} />
-                    </span>
-                  </button>
-                  <button
-                    onClick={() => { setProfileOpen(false); signOut(); }}
-                    className="w-full flex items-center gap-2 px-2 py-1.5 rounded-lg text-xs text-red-500 hover:bg-red-500/8 transition-colors"
-                  >
-                    Sign out
-                  </button>
-                </div>
-              </div>
-            )}
-          </div>
+              )}
+            </div>
+          )}
         </div>
       </header>
 
-      <div className="flex flex-1 overflow-hidden">
+      <div className="flex min-h-0 flex-1 overflow-hidden">
         {children}
       </div>
     </div>
   );
-}
\ No newline at end of file
+}
diff --git a/frontend/app/dashboard/settings/models/page.tsx b/frontend/app/dashboard/settings/models/page.tsx
index 5531f9e..6a3acb4 100644
--- a/frontend/app/dashboard/settings/models/page.tsx
+++ b/frontend/app/dashboard/settings/models/page.tsx
@@ -2,18 +2,19 @@
 
 import { useState, useEffect } from "react";
 import { useQuery } from "convex/react";
-import { useAuth } from "@clerk/nextjs";
 import { api } from "@/convex/_generated/api";
 import { getModelConfig, saveModelConfig, getOpenRouterModels, refreshOpenRouterModels, type EffectiveModelConfig, type OpenRouterModel } from "@/lib/backend";
 import { SettingsPageLayout } from "@/components/settings/SettingsPageLayout";
 import { SettingsHeader } from "@/components/settings/SettingsHeader";
 import { SettingsTile } from "@/components/settings/SettingsTile";
+import { LocalCredentialsPanel } from "@/components/settings/LocalCredentialsPanel";
 import { ModelSideSheet } from "@/components/settings/ModelSideSheet";
 import { MODEL_ROLES, type ModelRole } from "@/components/settings/types";
 import { SkeletonList } from "@/components/settings/Skeleton";
+import { useAppAuth } from "@/lib/app-auth";
 
 export default function ModelSettingsPage() {
-  const { getToken } = useAuth();
+  const { getToken } = useAppAuth();
   const convexModels = useQuery(api.openRouterModels.list, {});
 
   const [effectiveConfig, setEffectiveConfig] = useState<EffectiveModelConfig | null>(null);
@@ -115,25 +116,29 @@ export default function ModelSettingsPage() {
 
   return (
     <SettingsPageLayout navItems={navItems}>
-      <SettingsHeader
-        title="Model Settings"
-        subtitle="Configure AI models for different tasks. Models are fetched from OpenRouter."
-      />
+      <div className="w-full max-w-4xl">
+        <LocalCredentialsPanel />
 
-      <div className="space-y-2">
-        {isLoading ? (
-          <SkeletonList count={MODEL_ROLES.length} />
-        ) : (
-          MODEL_ROLES.map((role) => (
-            <SettingsTile
-              key={role.key}
-              label={role.label}
-              description={role.description}
-              value={getSelectedModel(role)}
-              onClick={() => openSideSheet(role)}
-            />
-          ))
-        )}
+        <SettingsHeader
+          title="Model Settings"
+          subtitle="Configure AI models for different tasks. Models are fetched from OpenRouter."
+        />
+
+        <div className="space-y-2">
+          {isLoading ? (
+            <SkeletonList count={MODEL_ROLES.length} />
+          ) : (
+            MODEL_ROLES.map((role) => (
+              <SettingsTile
+                key={role.key}
+                label={role.label}
+                description={role.description}
+                value={getSelectedModel(role)}
+                onClick={() => openSideSheet(role)}
+              />
+            ))
+          )}
+        </div>
       </div>
 
       {activeSheet && (
diff --git a/frontend/app/dataset/[id]/page.tsx b/frontend/app/dataset/[id]/page.tsx
index d28abda..697addd 100644
--- a/frontend/app/dataset/[id]/page.tsx
+++ b/frontend/app/dataset/[id]/page.tsx
@@ -3,8 +3,7 @@
 import { useParams } from "next/navigation";
 import Link from "next/link";
 import { useCallback, useEffect, useMemo, useRef, useState } from "react";
-import { useMutation, useQuery, useConvexAuth } from "convex/react";
-import { useAuth, useUser, useClerk } from "@clerk/nextjs";
+import { useMutation, useQuery } from "convex/react";
 import { api } from "@/convex/_generated/api";
 import type { Id } from "@/convex/_generated/dataModel";
 import { DatasetTable } from "@/components/table";
@@ -22,13 +21,14 @@ import {
   type RefreshCadence,
 } from "@/lib/refresh-cadence";
 import type { ProfileUser } from "@/lib/profile-user";
+import { useAppAuth, useAppClerk, useAppConvexAuth, useAppUser } from "@/lib/app-auth";
 
 export default function DatasetPage() {
   const params = useParams();
-  const { isLoading: authLoading, isAuthenticated } = useConvexAuth();
-  const { userId, getToken } = useAuth();
-  const { user } = useUser();
-  const { signOut } = useClerk();
+  const { isLoading: authLoading, isAuthenticated } = useAppConvexAuth();
+  const { userId, getToken } = useAppAuth();
+  const { user } = useAppUser();
+  const { signOut } = useAppClerk();
   const [exporting, setExporting] = useState<"csv" | "xlsx" | null>(null);
   const [populating, setPopulating] = useState(false);
   const [updating, setUpdating] = useState(false);
@@ -624,7 +624,10 @@ function SettingsDropdown({
   }, [open, onClose]);
 
   useEffect(() => {
-    if (!open) setMaxRowCountInput(String(maxRowCount));
+    if (!open) {
+      const id = setTimeout(() => setMaxRowCountInput(String(maxRowCount)), 0);
+      return () => clearTimeout(id);
+    }
   }, [maxRowCount, open]);
 
   return (
diff --git a/frontend/app/dataset/new/page.tsx b/frontend/app/dataset/new/page.tsx
index bb4dded..63b8ebf 100644
--- a/frontend/app/dataset/new/page.tsx
+++ b/frontend/app/dataset/new/page.tsx
@@ -3,11 +3,11 @@
 import { useEffect, useState, useRef } from "react";
 import { useRouter } from "next/navigation";
 import Link from "next/link";
-import { useAuth } from "@clerk/nextjs";
-import { useMutation, useQuery, useConvexAuth } from "convex/react";
+import { useMutation, useQuery } from "convex/react";
 import { api } from "@/convex/_generated/api";
 import { EVENTS, track } from "@/lib/analytics";
 import { inferSchema, type InferredColumn } from "@/lib/backend";
+import { useAppAuth, useAppConvexAuth } from "@/lib/app-auth";
 import {
   REFRESH_CADENCE_OPTIONS,
   type RefreshCadence,
@@ -78,7 +78,7 @@ function TypeSelector({ value, onChange }: { value: ColumnType; onChange: (v: Co
 
 export default function NewDatasetPage() {
   const router = useRouter();
-  const { isAuthenticated, isLoading } = useConvexAuth();
+  const { isAuthenticated, isLoading } = useAppConvexAuth();
 
   const [step, setStep] = useState<Step>("describe");
   const [prompt, setPrompt] = useState("");
@@ -94,7 +94,7 @@ export default function NewDatasetPage() {
     "search_fetch" | "browser" | "hybrid" | null
   >(null);
   const [sourceHint, setSourceHint] = useState("");
-  const { getToken } = useAuth();
+  const { getToken } = useAppAuth();
 
   const createDataset = useMutation(api.datasets.create);
   const usage = useQuery(
diff --git a/frontend/app/layout.tsx b/frontend/app/layout.tsx
index c4955a3..d035ee2 100644
--- a/frontend/app/layout.tsx
+++ b/frontend/app/layout.tsx
@@ -1,8 +1,10 @@
 import type { Metadata } from "next";
 import { Geist, Geist_Mono } from "next/font/google";
-import { ClerkProvider } from "@clerk/nextjs";
 import { ConvexClientProvider } from "./convex-provider";
+import { AppAuthProvider } from "@/lib/app-auth";
 import { AnalyticsProvider } from "@/lib/analytics-provider";
+import { LocalSetupGate } from "./local-setup-gate";
+import { ThemeSync } from "@/components/ThemeToggle";
 import "./globals.css";
 
 const geistSans = Geist({
@@ -46,14 +48,14 @@ export default function RootLayout({
         <script dangerouslySetInnerHTML={{ __html: themeInitScript }} />
       </head>
       <body className="min-h-full flex flex-col theme-transition">
-        <ClerkProvider
-          signInForceRedirectUrl="/dashboard"
-          signUpForceRedirectUrl="/dashboard"
-        >
+        <ThemeSync />
+        <AppAuthProvider>
           <ConvexClientProvider>
-            <AnalyticsProvider>{children}</AnalyticsProvider>
+            <AnalyticsProvider>
+              <LocalSetupGate>{children}</LocalSetupGate>
+            </AnalyticsProvider>
           </ConvexClientProvider>
-        </ClerkProvider>
+        </AppAuthProvider>
       </body>
     </html>
   );
diff --git a/frontend/app/local-setup-gate.tsx b/frontend/app/local-setup-gate.tsx
new file mode 100644
index 0000000..ee9d323
--- /dev/null
+++ b/frontend/app/local-setup-gate.tsx
@@ -0,0 +1,63 @@
+"use client";
+
+import { usePathname, useRouter } from "next/navigation";
+import { type ReactNode, useEffect, useState } from "react";
+import { getLocalSetupStatus, type LocalSetupStatus } from "@/lib/backend";
+import { isLocalMode } from "@/lib/app-mode";
+
+function isSetupPath(pathname: string): boolean {
+  return pathname === "/setup" || pathname.startsWith("/setup/");
+}
+
+export function LocalSetupGate({ children }: { children: ReactNode }) {
+  const pathname = usePathname();
+  const router = useRouter();
+  const [statusState, setStatusState] = useState<{
+    pathname: string;
+    status: LocalSetupStatus;
+  } | null>(null);
+  const [failed, setFailed] = useState(false);
+
+  useEffect(() => {
+    if (!isLocalMode) return;
+    if (isSetupPath(pathname)) return;
+    let cancelled = false;
+    getLocalSetupStatus()
+      .then((next) => {
+        if (!cancelled) {
+          setFailed(false);
+          setStatusState({ pathname, status: next });
+        }
+      })
+      .catch(() => {
+        if (!cancelled) setFailed(true);
+      });
+    return () => {
+      cancelled = true;
+    };
+  }, [pathname]);
+
+  const status =
+    statusState?.pathname === pathname ? statusState.status : null;
+
+  useEffect(() => {
+    if (!isLocalMode || !status || status.complete || isSetupPath(pathname)) {
+      return;
+    }
+    router.replace("/setup");
+  }, [pathname, router, status]);
+
+  if (!isLocalMode || isSetupPath(pathname)) return <>{children}</>;
+
+  if (failed) return <>{children}</>;
+
+  if (!status || !status.complete) {
+    return (
+      <div className="flex flex-1 items-center justify-center">
+        <p className="text-sm text-muted">Loading...</p>
+      </div>
+    );
+  }
+
+  return <>{children}</>;
+}
diff --git a/frontend/app/page.tsx b/frontend/app/page.tsx
index 5eb0167..95ce812 100644
--- a/frontend/app/page.tsx
+++ b/frontend/app/page.tsx
@@ -1,27 +1,21 @@
 "use client";
 
 import Link from "next/link";
-import { useRouter } from "next/navigation";
+import { redirect } from "next/navigation";
 import { useEffect } from "react";
-import { useQuery, useConvexAuth } from "convex/react";
+import { useQuery } from "convex/react";
 import { api } from "@/convex/_generated/api";
 import { DatasetCard, type DatasetCardData } from "@/components/dataset/DatasetCard";
 import { ThemeToggle } from "@/components/ThemeToggle";
 import { EVENTS, track } from "@/lib/analytics";
+import { useAppConvexAuth } from "@/lib/app-auth";
 
 const PUBLIC_GRID_COUNT = 9;
 
 export default function Home() {
-  const { isAuthenticated, isLoading } = useConvexAuth();
-  const router = useRouter();
+  const { isAuthenticated, isLoading } = useAppConvexAuth();
   const publicDatasets = useQuery(api.datasets.listPublic, {});
 
-  useEffect(() => {
-    if (isAuthenticated) {
-      router.replace("/dashboard");
-    }
-  }, [isAuthenticated, router]);
-
   // Fire once when the landing page actually displays to an anonymous
   // visitor. Skip if we'll immediately redirect them to the dashboard.
   useEffect(() => {
@@ -30,7 +24,11 @@ export default function Home() {
     }
   }, [isLoading, isAuthenticated]);
 
-  if (isLoading || isAuthenticated) {
+  if (isAuthenticated) {
+    redirect("/dashboard");
+  }
+
+  if (isLoading) {
     return (
       <div className="flex flex-1 items-center justify-center">
         <p className="text-muted">Loading...</p>
diff --git a/frontend/app/setup/openrouter/callback/page.tsx b/frontend/app/setup/openrouter/callback/page.tsx
new file mode 100644
index 0000000..5d73140
--- /dev/null
+++ b/frontend/app/setup/openrouter/callback/page.tsx
@@ -0,0 +1,64 @@
+"use client";
+
+import { useEffect, useState } from "react";
+import { useRouter } from "next/navigation";
+import { Loader2 } from "lucide-react";
+import { exchangeOpenRouterOAuth } from "@/lib/backend";
+import {
+  clearOpenRouterOAuthState,
+  getOpenRouterOAuthReturnTo,
+  OPENROUTER_VERIFIER_KEY,
+} from "@/lib/openrouter-oauth";
+
+export default function OpenRouterCallbackPage() {
+  const router = useRouter();
+  const [error, setError] = useState<string | null>(null);
+
+  useEffect(() => {
+    const searchParams = new URLSearchParams(window.location.search);
+    const code = searchParams.get("code");
+    const verifier = sessionStorage.getItem(OPENROUTER_VERIFIER_KEY);
+
+    if (!code || !verifier) {
+      setTimeout(() => {
+        setError("OpenRouter did not return the expected OAuth values.");
+      }, 0);
+      return;
+    }
+
+    const returnTo = getOpenRouterOAuthReturnTo();
+    exchangeOpenRouterOAuth(code, verifier)
+      .then(() => {
+        clearOpenRouterOAuthState();
+        router.replace(returnTo);
+      })
+      .catch((err) => {
+        setError(err instanceof Error ? err.message : "OpenRouter OAuth failed");
+      });
+  }, [router]);
+
+  return (
+    <div className="flex flex-1 items-center justify-center px-4">
+      <div className="w-full max-w-md border border-border bg-surface p-5 text-center">
+        {error ? (
+          <>
+            <h1 className="text-sm font-semibold">OpenRouter connection failed</h1>
+            <p className="mt-2 text-xs leading-5 text-muted">{error}</p>
+            <button
+              type="button"
+              onClick={() => router.replace(getOpenRouterOAuthReturnTo())}
+              className="mt-4 rounded-lg border border-border px-3 py-2 text-xs font-medium hover:bg-foreground/[0.04]"
+            >
+              Back
+            </button>
+          </>
+        ) : (
+          <div className="flex items-center justify-center gap-3 text-sm text-muted">
+            <Loader2 className="size-4 animate-spin" />
+            Connecting OpenRouter...
+          </div>
+        )}
+      </div>
+    </div>
+  );
+}
diff --git a/frontend/app/setup/page.tsx b/frontend/app/setup/page.tsx
new file mode 100644
index 0000000..9e6bd71
--- /dev/null
+++ b/frontend/app/setup/page.tsx
@@ -0,0 +1,366 @@
+"use client";
+
+import { useEffect, useMemo, useState, type ReactNode } from "react";
+import { useRouter } from "next/navigation";
+import {
+  CheckCircle2,
+  ExternalLink,
+  KeyRound,
+  Loader2,
+  X,
+} from "lucide-react";
+import {
+  getLocalSetupStatus,
+  saveOpenRouterApiKey,
+  saveTinyFishApiKey,
+  type LocalSetupStatus,
+  type ServiceSetupStatus,
+} from "@/lib/backend";
+import { isLocalMode } from "@/lib/app-mode";
+
+export default function SetupPage() {
+  const router = useRouter();
+  const [status, setStatus] = useState<LocalSetupStatus | null>(null);
+  const [loading, setLoading] = useState(true);
+  const [modal, setModal] = useState<"tinyfish" | "openrouter" | null>(null);
+
+  useEffect(() => {
+    if (!isLocalMode) {
+      router.replace("/dashboard");
+      return;
+    }
+
+    getLocalSetupStatus()
+      .then(setStatus)
+      .finally(() => setLoading(false));
+  }, [router]);
+
+  const complete = status?.complete ?? false;
+
+  if (loading) {
+    return (
+      <div className="flex flex-1 items-center justify-center">
+        <p className="text-sm text-muted">Loading...</p>
+      </div>
+    );
+  }
+
+  return (
+    <div className="flex flex-1 flex-col">
+      <header className="border-b border-border bg-surface px-6 py-3">
+        <img src="/BigSetLogo.png" alt="BigSet" className="h-[30px] dark:hidden" />
+        <img src="/BigSetLogoDarkBG.png" alt="BigSet" className="h-[30px] hidden dark:block" />
+      </header>
+
+      <main className="flex-1 px-5 py-10 sm:px-6 sm:py-12">
+        <div className="mx-auto w-full max-w-4xl">
+          <div className="mb-8 max-w-2xl">
+            <h1 className="text-[32px] font-bold leading-none tracking-tight sm:text-[38px]">
+              Connect your services
+            </h1>
+            <p className="mt-3 text-base leading-7 text-muted">
+              Add TinyFish and OpenRouter access to start building live
+              datasets.
+            </p>
+          </div>
+
+          <div className="grid gap-4">
+            <ServiceCard
+              brand={
+                <>
+                  <img
+                    src="https://www.tinyfish.ai/TF-Logos/Horizontal%20Logo/SVG/TF_Horizontal.svg"
+                    alt="TinyFish"
+                    className="h-8 w-auto dark:hidden"
+                  />
+                  <img
+                    src="/logos/engines/tinyfish-wordmark-dark.svg"
+                    alt="TinyFish"
+                    className="hidden h-8 w-auto dark:block"
+                  />
+                </>
+              }
+              description="BigSet uses TinyFish's best-in-class search API to unlock real-time information."
+              status={status?.services.tinyfish}
+              primaryLabel={
+                status?.services.tinyfish.configured ? "Update key" : "Add API key"
+              }
+              onPrimary={() => setModal("tinyfish")}
+              helperHref="https://agent.tinyfish.ai/api-keys?utm_source=github&utm_medium=organic&utm_campaign=bigset-developer-2026q2"
+              helperLabel="Need a TinyFish key?"
+              helperDescription="Open the TinyFish API keys page"
+            />
+
+            <ServiceCard
+              brand={<OpenRouterBrand />}
+              description="BigSet uses OpenRouter's API to power BigSet with AI model access."
+              status={status?.services.openrouter}
+              primaryLabel={
+                status?.services.openrouter.configured
+                  ? "Update key"
+                  : "Add API key"
+              }
+              onPrimary={() => setModal("openrouter")}
+              helperHref="https://openrouter.ai/settings/keys"
+              helperLabel="Need an OpenRouter key?"
+              helperDescription="Open the OpenRouter keys page"
+            />
+          </div>
+
+          <div className="mt-8 flex flex-col gap-4 border-t border-border pt-6 sm:flex-row sm:items-center sm:justify-between">
+            <p className="text-sm leading-6 text-muted sm:text-base">
+              {complete
+                ? "Everything is connected. You can start building datasets."
+                : "Complete both connections to continue."}
+            </p>
+            <button
+              type="button"
+              disabled={!complete}
+              onClick={() => router.replace("/dashboard")}
+              className="inline-flex items-center gap-2 rounded-lg border border-accent bg-accent px-5 py-2.5 text-sm font-semibold text-accent-text transition-opacity hover:opacity-90 disabled:cursor-not-allowed disabled:opacity-30"
+            >
+              Complete setup
+              <CheckCircle2 className="size-4" />
+            </button>
+          </div>
+        </div>
+      </main>
+
+      {modal && (
+        <ApiKeyModal
+          service={modal}
+          onClose={() => setModal(null)}
+          onSaved={(next) => {
+            setStatus(next);
+            setModal(null);
+          }}
+        />
+      )}
+    </div>
+  );
+}
+
+function ServiceCard({
+  brand,
+  description,
+  status,
+  primaryLabel,
+  onPrimary,
+  secondaryLabel,
+  onSecondary,
+  helperHref,
+  helperLabel,
+  helperDescription,
+}: {
+  brand: ReactNode;
+  description: string;
+  status?: ServiceSetupStatus;
+  primaryLabel: string;
+  onPrimary: () => void;
+  secondaryLabel?: string;
+  onSecondary?: () => void;
+  helperHref: string;
+  helperLabel: string;
+  helperDescription: string;
+}) {
+  const connected = status?.configured ?? false;
+  const detail = useMemo(() => {
+    if (!connected) return "Not connected";
+    if (status?.connectionMethod === "oauth") return "Connected through OAuth";
+    if (status?.source === "env") return "Connected through .env";
+    return "Connected through API key";
+  }, [connected, status?.connectionMethod, status?.source]);
+
+  return (
+    <section className="border border-border bg-surface p-5 sm:p-6">
+      <div className="flex flex-col gap-3 sm:flex-row sm:items-start sm:justify-between">
+        <div>
+          <div className="flex h-9 items-center">{brand}</div>
+          <p className="mt-2 text-sm text-muted">{detail}</p>
+        </div>
+        {connected && (
+          <span className="inline-flex items-center gap-1.5 text-sm font-medium text-green-700 dark:text-green-400">
+            <CheckCircle2 className="size-4" />
+            Connected
+          </span>
+        )}
+      </div>
+
+      <p className="mt-6 max-w-2xl text-base leading-7 text-foreground/80">
+        {description}
+      </p>
+
+      <div className="mt-6 flex flex-col gap-3">
+        <div className="flex flex-wrap items-center gap-2">
+          <button
+            type="button"
+            onClick={onPrimary}
+            className="inline-flex items-center gap-2 rounded-lg border border-accent bg-accent px-4 py-2.5 text-sm font-semibold text-accent-text transition-opacity hover:opacity-90"
+          >
+            <KeyRound className="size-4" />
+            {primaryLabel}
+          </button>
+          {secondaryLabel && onSecondary && (
+            <button
+              type="button"
+              onClick={onSecondary}
+              className="rounded-lg border border-border px-4 py-2.5 text-sm font-medium text-foreground hover:bg-foreground/[0.04]"
+            >
+              {secondaryLabel}
+            </button>
+          )}
+        </div>
+        <a
+          href={helperHref}
+          target="_blank"
+          rel="noreferrer"
+          className="inline-flex w-fit items-center gap-1.5 text-sm font-semibold text-foreground underline decoration-border underline-offset-4 hover:decoration-foreground"
+        >
+          {helperLabel} {helperDescription}
+          <ExternalLink className="size-4 shrink-0" />
+        </a>
+      </div>
+    </section>
+  );
+}
+
+function OpenRouterBrand() {
+  return (
+    <div className="flex items-center gap-2 text-black dark:invert">
+      <svg
+        width="24"
+        height="24"
+        viewBox="0 0 512 512"
+        xmlns="http://www.w3.org/2000/svg"
+        fill="currentColor"
+        stroke="currentColor"
+        aria-hidden="true"
+      >
+        <path
+          d="M3 248.945C18 248.945 76 236 106 219C136 202 136 202 198 158C276.497 102.293 332 120.945 423 120.945"
+          strokeWidth="90"
+        />
+        <path d="M511 121.5L357.25 210.268L357.25 32.7324L511 121.5Z" />
+        <path
+          d="M0 249C15 249 73 261.945 103 278.945C133 295.945 133 295.945 195 339.945C273.497 395.652 329 377 420 377"
+          strokeWidth="90"
+        />
+        <path d="M508 376.445L354.25 287.678L354.25 465.213L508 376.445Z" />
+      </svg>
+      <span className="text-xl font-semibold tracking-tight">OpenRouter</span>
+    </div>
+  );
+}
+
+function ApiKeyModal({
+  service,
+  onClose,
+  onSaved,
+}: {
+  service: "tinyfish" | "openrouter";
+  onClose: () => void;
+  onSaved: (status: LocalSetupStatus) => void;
+}) {
+  const [apiKey, setApiKey] = useState("");
+  const [saving, setSaving] = useState(false);
+  const [error, setError] = useState<string | null>(null);
+  const isTinyFish = service === "tinyfish";
+
+  async function handleSubmit() {
+    if (!apiKey.trim() || saving) return;
+    setSaving(true);
+    setError(null);
+    try {
+      const next = isTinyFish
+        ? await saveTinyFishApiKey(apiKey.trim())
+        : await saveOpenRouterApiKey(apiKey.trim());
+      onSaved(next);
+    } catch (err) {
+      setError(err instanceof Error ? err.message : "Verification failed");
+    } finally {
+      setSaving(false);
+    }
+  }
+
+  return (
+    <div className="fixed inset-0 z-50 flex items-center justify-center p-4">
+      <button
+        type="button"
+        className="absolute inset-0 bg-foreground/20 backdrop-blur-sm"
+        onClick={onClose}
+        aria-label="Close"
+      />
+      <div
+        role="dialog"
+        aria-modal="true"
+        className="relative w-full max-w-lg border border-border bg-surface shadow-2xl"
+      >
+        <div className="flex items-center justify-between border-b border-border px-5 py-4">
+          <div>
+            <h2 className="text-sm font-semibold">
+              {isTinyFish ? "TinyFish API key" : "OpenRouter API key"}
+            </h2>
+            <p className="mt-1 text-xs text-muted">
+              {isTinyFish
+                ? "BigSet verifies the key and stores it in your OS keychain."
+                : "BigSet verifies the key and stores it in your OS keychain."}
+            </p>
+          </div>
+          <button
+            type="button"
+            onClick={onClose}
+            className="inline-flex size-8 items-center justify-center rounded-lg text-muted hover:bg-foreground/[0.05] hover:text-foreground"
+            aria-label="Close"
+          >
+            <X className="size-4" />
+          </button>
+        </div>
+
+        <div className="space-y-4 px-5 py-5">
+          <label className="block text-xs font-medium text-muted">
+            API key
+            <input
+              value={apiKey}
+              onChange={(event) => setApiKey(event.target.value)}
+              type="password"
+              autoFocus
+              className="mt-2 w-full rounded-lg border border-border bg-background px-3 py-2.5 text-sm text-foreground outline-none focus:border-foreground/30"
+              placeholder={isTinyFish ? "tf_..." : "sk-or-..."}
+            />
+          </label>
+
+          {error && (
+            <div className="border border-red-500/30 bg-red-500/[0.06] px-3 py-2 text-xs text-red-700 dark:text-red-300">
+              {error}
+            </div>
+          )}
+
+          <div className="flex items-center justify-between gap-3 pt-2">
+            <a
+              href={
+                isTinyFish
+                  ? "https://agent.tinyfish.ai/api-keys?utm_source=github&utm_medium=organic&utm_campaign=bigset-developer-2026q2"
+                  : "https://openrouter.ai/settings/keys"
+              }
+              target="_blank"
+              rel="noreferrer"
+              className="inline-flex items-center gap-1.5 text-xs text-muted hover:text-foreground"
+            >
+              Get a key
+              <ExternalLink className="size-3" />
+            </a>
+            <button
+              type="button"
+              onClick={handleSubmit}
+              disabled={!apiKey.trim() || saving}
+              className="inline-flex items-center gap-2 rounded-lg border border-accent bg-accent px-4 py-2 text-xs font-semibold text-accent-text transition-opacity hover:opacity-90 disabled:cursor-not-allowed disabled:opacity-30"
+            >
+              {saving && <Loader2 className="size-3.5 animate-spin" />}
+              Verify and save to keychain
+            </button>
+          </div>
+        </div>
+      </div>
+    </div>
+  );
+}
diff --git a/frontend/app/sign-in/[[...sign-in]]/page.tsx b/frontend/app/sign-in/[[...sign-in]]/page.tsx
index 6efd41b..8aee67f 100644
--- a/frontend/app/sign-in/[[...sign-in]]/page.tsx
+++ b/frontend/app/sign-in/[[...sign-in]]/page.tsx
@@ -1,14 +1,20 @@
 "use client";
 
 import { useEffect } from "react";
+import { redirect } from "next/navigation";
 import { SignIn } from "@clerk/nextjs";
 import { EVENTS, track } from "@/lib/analytics";
+import { isLocalMode } from "@/lib/app-mode";
 
 export default function SignInPage() {
   useEffect(() => {
     track(EVENTS.SIGN_IN_VIEWED);
   }, []);
 
+  if (isLocalMode) {
+    redirect("/dashboard");
+  }
+
   return (
     <div className="flex flex-1 items-center justify-center px-4">
       <SignIn forceRedirectUrl="/dashboard" />
diff --git a/frontend/app/sign-up/[[...sign-up]]/page.tsx b/frontend/app/sign-up/[[...sign-up]]/page.tsx
index 464e454..877b2e0 100644
--- a/frontend/app/sign-up/[[...sign-up]]/page.tsx
+++ b/frontend/app/sign-up/[[...sign-up]]/page.tsx
@@ -1,14 +1,20 @@
 "use client";
 
 import { useEffect } from "react";
+import { redirect } from "next/navigation";
 import { SignUp } from "@clerk/nextjs";
 import { EVENTS, track } from "@/lib/analytics";
+import { isLocalMode } from "@/lib/app-mode";
 
 export default function SignUpPage() {
   useEffect(() => {
     track(EVENTS.SIGN_UP_VIEWED);
   }, []);
 
+  if (isLocalMode) {
+    redirect("/dashboard");
+  }
+
   return (
     <div className="flex flex-1 items-center justify-center px-4">
       <SignUp forceRedirectUrl="/dashboard" />
diff --git a/frontend/components/LocalUtilityMenu.tsx b/frontend/components/LocalUtilityMenu.tsx
new file mode 100644
index 0000000..31888e9
--- /dev/null
+++ b/frontend/components/LocalUtilityMenu.tsx
@@ -0,0 +1,84 @@
+"use client";
+
+import Link from "next/link";
+import { useEffect, useRef, useState } from "react";
+import { Settings, SlidersHorizontal } from "lucide-react";
+import { useTheme } from "@/components/ThemeToggle";
+
+export function LocalUtilityMenu({
+  showSettingsLink = true,
+}: {
+  showSettingsLink?: boolean;
+}) {
+  const [open, setOpen] = useState(false);
+  const menuRef = useRef<HTMLDivElement>(null);
+  const { theme, toggle: toggleTheme } = useTheme();
+
+  useEffect(() => {
+    if (!open) return;
+    function handleClick(event: MouseEvent) {
+      if (menuRef.current && !menuRef.current.contains(event.target as Node)) {
+        setOpen(false);
+      }
+    }
+    document.addEventListener("mousedown", handleClick);
+    return () => document.removeEventListener("mousedown", handleClick);
+  }, [open]);
+
+  return (
+    <div ref={menuRef} className="relative">
+      <button
+        type="button"
+        onClick={() => setOpen((next) => !next)}
+        aria-haspopup="menu"
+        aria-expanded={open}
+        aria-controls="local-utility-menu"
+        aria-label="Open local menu"
+        title="Local menu"
+        className="inline-flex size-8 items-center justify-center rounded-lg border border-border bg-surface text-muted transition-colors hover:bg-foreground/[0.04] hover:text-foreground"
+      >
+        <SlidersHorizontal className="size-4" />
+      </button>
+
+      {open && (
+        <div
+          id="local-utility-menu"
+          role="menu"
+          className="absolute right-0 top-full z-50 mt-1.5 w-48 overflow-hidden rounded-xl border border-border bg-surface shadow-xl ring-1 ring-black/[0.04]"
+        >
+          <div className="p-1">
+            <button
+              type="button"
+              onClick={toggleTheme}
+              className="flex w-full items-center justify-between rounded-lg px-2 py-1.5 text-xs text-foreground transition-colors hover:bg-foreground/[0.05]"
+            >
+              <span>Dark mode</span>
+              <span
+                className={`relative inline-flex h-4 w-7 shrink-0 items-center rounded-full transition-colors ${
+                  theme === "dark" ? "bg-foreground" : "bg-foreground/20"
+                }`}
+              >
+                <span
+                  className={`inline-block h-3 w-3 rounded-full bg-surface transition-transform ${
+                    theme === "dark" ? "translate-x-3.5" : "translate-x-0.5"
+                  }`}
+                />
+              </span>
+            </button>
+
+            {showSettingsLink && (
+              <Link
+                href="/dashboard/settings/models"
+                onClick={() => setOpen(false)}
+                className="flex w-full items-center gap-2 rounded-lg px-2 py-1.5 text-xs text-foreground transition-colors hover:bg-foreground/[0.05]"
+              >
+                <Settings className="size-3.5" />
+                Settings
+              </Link>
+            )}
+          </div>
+        </div>
+      )}
+    </div>
+  );
+}
diff --git a/frontend/components/QuotaBadge.tsx b/frontend/components/QuotaBadge.tsx
index 3317ac7..9ed1723 100644
--- a/frontend/components/QuotaBadge.tsx
+++ b/frontend/components/QuotaBadge.tsx
@@ -1,7 +1,9 @@
 "use client";
 
-import { useQuery, useConvexAuth } from "convex/react";
+import { useQuery } from "convex/react";
 import { api } from "@/convex/_generated/api";
+import { useAppConvexAuth } from "@/lib/app-auth";
+import { isLocalMode } from "@/lib/app-mode";
 
 /**
  * Compact usage indicator in the dashboard header.
@@ -16,13 +18,13 @@ import { api } from "@/convex/_generated/api";
  * Hidden for anonymous viewers — the badge is account-scoped.
  */
 export function QuotaBadge() {
-  const { isAuthenticated } = useConvexAuth();
+  const { isAuthenticated } = useAppConvexAuth();
   const usage = useQuery(
     api.quota.getMy,
-    isAuthenticated ? {} : "skip",
+    !isLocalMode && isAuthenticated ? {} : "skip",
   );
 
-  if (!isAuthenticated || !usage) return null;
+  if (isLocalMode || !isAuthenticated || !usage) return null;
 
   const exhausted = usage.remaining === 0;
   const warning = !exhausted && usage.fractionUsed >= 0.8;
diff --git a/frontend/components/ThemeToggle.tsx b/frontend/components/ThemeToggle.tsx
index c185991..6709f48 100644
--- a/frontend/components/ThemeToggle.tsx
+++ b/frontend/components/ThemeToggle.tsx
@@ -1,6 +1,6 @@
 "use client";
 
-import { useSyncExternalStore } from "react";
+import { useEffect, useSyncExternalStore } from "react";
 import { EVENTS, track } from "@/lib/analytics";
 
 type Theme = "light" | "dark";
@@ -72,6 +72,16 @@ export function useTheme() {
   return { theme, toggle } as const;
 }
 
+export function ThemeSync() {
+  const { theme } = useTheme();
+
+  useEffect(() => {
+    applyTheme(theme);
+  }, [theme]);
+
+  return null;
+}
+
 export function ThemeToggle({ className = "" }: { className?: string }) {
   const { theme, toggle } = useTheme();
   const label = theme === "dark" ? "Switch to light mode" : "Switch to dark mode";
diff --git a/frontend/components/settings/LocalCredentialsPanel.tsx b/frontend/components/settings/LocalCredentialsPanel.tsx
new file mode 100644
index 0000000..42a31ed
--- /dev/null
+++ b/frontend/components/settings/LocalCredentialsPanel.tsx
@@ -0,0 +1,383 @@
+"use client";
+
+import { useEffect, useMemo, useState } from "react";
+import {
+  CheckCircle2,
+  ExternalLink,
+  KeyRound,
+  Loader2,
+  X,
+} from "lucide-react";
+import {
+  getLocalSetupStatus,
+  saveOpenRouterApiKey,
+  saveTinyFishApiKey,
+  type LocalSetupStatus,
+  type ServiceSetupStatus,
+} from "@/lib/backend";
+import { isLocalMode } from "@/lib/app-mode";
+
+type ServiceName = "tinyfish" | "openrouter";
+
+const SERVICE_COPY = {
+  tinyfish: {
+    modalTitle: "TinyFish API key",
+    description:
+      "BigSet uses TinyFish's best-in-class search API to unlock real-time information.",
+    inputPlaceholder: "tf_...",
+    modalDescription: "BigSet verifies the key and stores it in your OS keychain.",
+    helperHref:
+      "https://agent.tinyfish.ai/api-keys?utm_source=github&utm_medium=organic&utm_campaign=bigset-developer-2026q2",
+    helperLabel: "Need a TinyFish key?",
+    helperDescription: "Open the TinyFish API keys page",
+  },
+  openrouter: {
+    modalTitle: "OpenRouter API key",
+    description:
+      "BigSet uses OpenRouter's API to power BigSet with AI model access.",
+    inputPlaceholder: "sk-or-...",
+    modalDescription:
+      "BigSet verifies the key and stores it in your OS keychain.",
+    helperHref: "https://openrouter.ai/settings/keys",
+    helperLabel: "Need an OpenRouter key?",
+    helperDescription: "Open the OpenRouter keys page",
+  },
+} satisfies Record<
+  ServiceName,
+  {
+    modalTitle: string;
+    description: string;
+    inputPlaceholder: string;
+    modalDescription: string;
+    helperHref: string;
+    helperLabel: string;
+    helperDescription: string;
+  }
+>;
+
+export function LocalCredentialsPanel() {
+  const [status, setStatus] = useState<LocalSetupStatus | null>(null);
+  const [loading, setLoading] = useState(true);
+  const [loadError, setLoadError] = useState<string | null>(null);
+  const [modal, setModal] = useState<ServiceName | null>(null);
+
+  useEffect(() => {
+    if (!isLocalMode) return;
+
+    let active = true;
+    getLocalSetupStatus()
+      .then((next) => {
+        if (active) setStatus(next);
+      })
+      .catch((err) => {
+        if (active) {
+          setLoadError(
+            err instanceof Error
+              ? err.message
+              : "Could not load local credentials",
+          );
+        }
+      })
+      .finally(() => {
+        if (active) setLoading(false);
+      });
+
+    return () => {
+      active = false;
+    };
+  }, []);
+
+  if (!isLocalMode) return null;
+
+  return (
+    <section className="mb-10">
+      <div className="mb-4 max-w-2xl">
+        <h2 className="text-sm font-semibold text-foreground">
+          Service credentials
+        </h2>
+        <p className="mt-1 text-sm leading-6 text-muted">
+          Add TinyFish and OpenRouter access for live datasets. Local keys stay
+          in your OS keychain.
+        </p>
+      </div>
+
+      {loadError ? (
+        <div className="border border-red-500/30 bg-red-500/[0.06] px-4 py-3 text-sm text-red-700 dark:text-red-300">
+          {loadError}
+        </div>
+      ) : (
+        <div className="grid gap-4">
+          <CredentialCard
+            service="tinyfish"
+            status={status?.services.tinyfish}
+            loading={loading}
+            onApiKey={() => setModal("tinyfish")}
+          />
+          <CredentialCard
+            service="openrouter"
+            status={status?.services.openrouter}
+            loading={loading}
+            onApiKey={() => setModal("openrouter")}
+          />
+        </div>
+      )}
+
+      {modal && (
+        <ApiKeyModal
+          service={modal}
+          onClose={() => setModal(null)}
+          onSaved={(next) => {
+            setStatus(next);
+            setModal(null);
+          }}
+        />
+      )}
+    </section>
+  );
+}
+
+function CredentialCard({
+  service,
+  status,
+  loading,
+  onApiKey,
+}: {
+  service: ServiceName;
+  status?: ServiceSetupStatus;
+  loading: boolean;
+  onApiKey: () => void;
+}) {
+  const copy = SERVICE_COPY[service];
+  const connected = status?.configured ?? false;
+  const detail = useCredentialDetail(status, loading);
+
+  return (
+    <section className="border border-border bg-surface p-5 sm:p-6">
+      <div className="flex flex-col gap-3 sm:flex-row sm:items-start sm:justify-between">
+        <div>
+          <div className="flex h-9 items-center">
+            <ServiceBrand service={service} />
+          </div>
+          <p className="mt-2 text-sm text-muted">{detail}</p>
+        </div>
+        <StatusLabel connected={connected} loading={loading} />
+      </div>
+
+      <p className="mt-6 max-w-2xl text-base leading-7 text-foreground/80">
+        {copy.description}
+      </p>
+
+      <div className="mt-6 flex flex-col gap-3">
+        <button
+          type="button"
+          onClick={onApiKey}
+          className="inline-flex w-fit items-center gap-2 rounded-lg border border-accent bg-accent px-4 py-2.5 text-sm font-semibold text-accent-text transition-opacity hover:opacity-90"
+        >
+          <KeyRound className="size-4" />
+          {connected ? "Update key" : "Add API key"}
+        </button>
+        <a
+          href={copy.helperHref}
+          target="_blank"
+          rel="noreferrer"
+          className="inline-flex w-fit items-center gap-1.5 text-sm font-semibold text-foreground underline decoration-border underline-offset-4 hover:decoration-foreground"
+        >
+          {copy.helperLabel} {copy.helperDescription}
+          <ExternalLink className="size-4 shrink-0" />
+        </a>
+      </div>
+    </section>
+  );
+}
+
+function ServiceBrand({ service }: { service: ServiceName }) {
+  if (service === "tinyfish") {
+    return (
+      <>
+        <img
+          src="https://www.tinyfish.ai/TF-Logos/Horizontal%20Logo/SVG/TF_Horizontal.svg"
+          alt="TinyFish"
+          className="h-8 w-auto dark:hidden"
+        />
+        <img
+          src="/logos/engines/tinyfish-wordmark-dark.svg"
+          alt="TinyFish"
+          className="hidden h-8 w-auto dark:block"
+        />
+      </>
+    );
+  }
+
+  return <OpenRouterBrand />;
+}
+
+function OpenRouterBrand() {
+  return (
+    <div className="flex items-center gap-2 text-black dark:invert">
+      <svg
+        width="24"
+        height="24"
+        viewBox="0 0 512 512"
+        xmlns="http://www.w3.org/2000/svg"
+        fill="currentColor"
+        stroke="currentColor"
+        aria-hidden="true"
+      >
+        <path
+          d="M3 248.945C18 248.945 76 236 106 219C136 202 136 202 198 158C276.497 102.293 332 120.945 423 120.945"
+          strokeWidth="90"
+        />
+        <path d="M511 121.5L357.25 210.268L357.25 32.7324L511 121.5Z" />
+        <path
+          d="M0 249C15 249 73 261.945 103 278.945C133 295.945 133 295.945 195 339.945C273.497 395.652 329 377 420 377"
+          strokeWidth="90"
+        />
+        <path d="M508 376.445L354.25 287.678L354.25 465.213L508 376.445Z" />
+      </svg>
+      <span className="text-xl font-semibold tracking-tight">OpenRouter</span>
+    </div>
+  );
+}
+
+function StatusLabel({
+  connected,
+  loading,
+}: {
+  connected: boolean;
+  loading: boolean;
+}) {
+  if (loading) {
+    return (
+      <span className="inline-flex items-center gap-1.5 text-sm font-medium text-muted">
+        <Loader2 className="size-4 animate-spin" />
+        Checking
+      </span>
+    );
+  }
+
+  if (!connected) return null;
+
+  return (
+    <span className="inline-flex items-center gap-1.5 text-sm font-medium text-green-700 dark:text-green-400">
+      <CheckCircle2 className="size-4" />
+      Connected
+    </span>
+  );
+}
+
+function useCredentialDetail(
+  status: ServiceSetupStatus | undefined,
+  loading: boolean,
+) {
+  return useMemo(() => {
+    if (loading) return "Checking connection...";
+    if (!status?.configured) return "Not connected";
+    if (status.connectionMethod === "oauth") return "Connected through OAuth";
+    if (status.source === "env") return "Connected through .env";
+    return "Connected through API key";
+  }, [loading, status?.configured, status?.connectionMethod, status?.source]);
+}
+
+function ApiKeyModal({
+  service,
+  onClose,
+  onSaved,
+}: {
+  service: ServiceName;
+  onClose: () => void;
+  onSaved: (status: LocalSetupStatus) => void;
+}) {
+  const [apiKey, setApiKey] = useState("");
+  const [saving, setSaving] = useState(false);
+  const [error, setError] = useState<string | null>(null);
+  const copy = SERVICE_COPY[service];
+  const isTinyFish = service === "tinyfish";
+
+  async function handleSubmit() {
+    if (!apiKey.trim() || saving) return;
+    setSaving(true);
+    setError(null);
+    try {
+      const next = isTinyFish
+        ? await saveTinyFishApiKey(apiKey.trim())
+        : await saveOpenRouterApiKey(apiKey.trim());
+      onSaved(next);
+    } catch (err) {
+      setError(err instanceof Error ? err.message : "Verification failed");
+    } finally {
+      setSaving(false);
+    }
+  }
+
+  return (
+    <div className="fixed inset-0 z-50 flex items-center justify-center p-4">
+      <button
+        type="button"
+        className="absolute inset-0 bg-foreground/20 backdrop-blur-sm"
+        onClick={onClose}
+        aria-label="Close"
+      />
+      <div
+        role="dialog"
+        aria-modal="true"
+        className="relative w-full max-w-lg border border-border bg-surface shadow-2xl"
+      >
+        <div className="flex items-center justify-between border-b border-border px-5 py-4">
+          <div>
+            <h2 className="text-sm font-semibold">{copy.modalTitle}</h2>
+            <p className="mt-1 text-xs text-muted">{copy.modalDescription}</p>
+          </div>
+          <button
+            type="button"
+            onClick={onClose}
+            className="inline-flex size-8 items-center justify-center rounded-lg text-muted hover:bg-foreground/[0.05] hover:text-foreground"
+            aria-label="Close"
+          >
+            <X className="size-4" />
+          </button>
+        </div>
+
+        <div className="space-y-4 px-5 py-5">
+          <label className="block text-xs font-medium text-muted">
+            API key
+            <input
+              value={apiKey}
+              onChange={(event) => setApiKey(event.target.value)}
+              type="password"
+              autoFocus
+              className="mt-2 w-full rounded-lg border border-border bg-background px-3 py-2.5 text-sm text-foreground outline-none focus:border-foreground/30"
+              placeholder={copy.inputPlaceholder}
+            />
+          </label>
+
+          {error && (
+            <div className="border border-red-500/30 bg-red-500/[0.06] px-3 py-2 text-xs text-red-700 dark:text-red-300">
+              {error}
+            </div>
+          )}
+
+          <div className="flex items-center justify-between gap-3 pt-2">
+            <a
+              href={copy.helperHref}
+              target="_blank"
+              rel="noreferrer"
+              className="inline-flex items-center gap-1.5 text-xs text-muted hover:text-foreground"
+            >
+              Get a key
+              <ExternalLink className="size-3" />
+            </a>
+            <button
+              type="button"
+              onClick={handleSubmit}
+              disabled={!apiKey.trim() || saving}
+              className="inline-flex items-center gap-2 rounded-lg border border-accent bg-accent px-4 py-2 text-xs font-semibold text-accent-text transition-opacity hover:opacity-90 disabled:cursor-not-allowed disabled:opacity-30"
+            >
+              {saving && <Loader2 className="size-3.5 animate-spin" />}
+              Verify and save to keychain
+            </button>
+          </div>
+        </div>
+      </div>
+    </div>
+  );
+}
diff --git a/frontend/components/settings/SettingsPageLayout.tsx b/frontend/components/settings/SettingsPageLayout.tsx
index ed34933..275982b 100644
--- a/frontend/components/settings/SettingsPageLayout.tsx
+++ b/frontend/components/settings/SettingsPageLayout.tsx
@@ -112,14 +112,14 @@ export function SettingsPageLayout({ children, navItems }: SettingsPageLayoutPro
   const [sidebarOpen, setSidebarOpen] = useState(false);
 
   return (
-    <div className="flex flex-1 h-screen">
+    <div className="flex min-h-0 flex-1">
       <SettingsSidebar
         items={navItems}
         open={sidebarOpen}
         onClose={() => setSidebarOpen(false)}
       />
 
-      <main className="flex-1 overflow-auto">
+      <main className="min-h-0 flex-1 overflow-y-auto">
         <div className="flex items-center gap-4 p-4 border-b border-border sm:hidden">
           <button
             onClick={() => setSidebarOpen(true)}
@@ -131,10 +131,10 @@ export function SettingsPageLayout({ children, navItems }: SettingsPageLayoutPro
           <span className="text-sm font-semibold text-foreground">Settings</span>
         </div>
 
-        <div style={{ padding: "32px 24px" }}>
+        <div className="px-4 pb-20 pt-8 sm:px-6">
           {children}
         </div>
       </main>
     </div>
   );
-}
\ No newline at end of file
+}
diff --git a/frontend/components/table/use-row-change-detection.ts b/frontend/components/table/use-row-change-detection.ts
index 49ce219..7b9ac9b 100644
--- a/frontend/components/table/use-row-change-detection.ts
+++ b/frontend/components/table/use-row-change-detection.ts
@@ -9,9 +9,10 @@ export function useRowChangeDetection(rows: DatasetRow[]) {
   const [flashingCells, setFlashingCells] = useState<Set<string>>(new Set());
 
   useEffect(() => {
+    const timers = flashTimersRef.current;
     return () => {
-      for (const timer of flashTimersRef.current) clearTimeout(timer);
-      flashTimersRef.current.clear();
+      for (const timer of timers) clearTimeout(timer);
+      timers.clear();
     };
   }, []);
 
@@ -53,21 +54,25 @@ export function useRowChangeDetection(rows: DatasetRow[]) {
     prevRowsRef.current = nextMap;
 
     if (newFlashes.size > 0) {
-      setFlashingCells((prev) => {
-        const merged = new Set(prev);
-        for (const key of newFlashes) merged.add(key);
-        return merged;
-      });
-
-      const timer = setTimeout(() => {
+      const startTimer = setTimeout(() => {
         setFlashingCells((prev) => {
-          const next = new Set(prev);
-          for (const key of newFlashes) next.delete(key);
-          return next;
+          const merged = new Set(prev);
+          for (const key of newFlashes) merged.add(key);
+          return merged;
         });
-        flashTimersRef.current.delete(timer);
-      }, FLASH_DURATION_MS);
-      flashTimersRef.current.add(timer);
+        flashTimersRef.current.delete(startTimer);
+
+        const clearTimer = setTimeout(() => {
+          setFlashingCells((prev) => {
+            const next = new Set(prev);
+            for (const key of newFlashes) next.delete(key);
+            return next;
+          });
+          flashTimersRef.current.delete(clearTimer);
+        }, FLASH_DURATION_MS);
+        flashTimersRef.current.add(clearTimer);
+      }, 0);
+      flashTimersRef.current.add(startTimer);
     }
   }, [rows]);
 
diff --git a/frontend/convex/_generated/api.d.ts b/frontend/convex/_generated/api.d.ts
new file mode 100644
index 0000000..bc8dc15
--- /dev/null
+++ b/frontend/convex/_generated/api.d.ts
@@ -0,0 +1,69 @@
+/* eslint-disable */
+/**
+ * Generated `api` utility.
+ *
+ * THIS CODE IS AUTOMATICALLY GENERATED.
+ *
+ * To regenerate, run `npx convex dev`.
+ * @module
+ */
+
+import type * as datasetRows from "../datasetRows.js";
+import type * as datasets from "../datasets.js";
+import type * as lib_authz from "../lib/authz.js";
+import type * as lib_quota from "../lib/quota.js";
+import type * as lib_refreshScheduling from "../lib/refreshScheduling.js";
+import type * as localCredentials from "../localCredentials.js";
+import type * as modelConfig from "../modelConfig.js";
+import type * as openRouterModels from "../openRouterModels.js";
+import type * as publicSeed from "../publicSeed.js";
+import type * as quota from "../quota.js";
+import type * as runStats from "../runStats.js";
+
+import type {
+  ApiFromModules,
+  FilterApi,
+  FunctionReference,
+} from "convex/server";
+
+declare const fullApi: ApiFromModules<{
+  datasetRows: typeof datasetRows;
+  datasets: typeof datasets;
+  "lib/authz": typeof lib_authz;
+  "lib/quota": typeof lib_quota;
+  "lib/refreshScheduling": typeof lib_refreshScheduling;
+  localCredentials: typeof localCredentials;
+  modelConfig: typeof modelConfig;
+  openRouterModels: typeof openRouterModels;
+  publicSeed: typeof publicSeed;
+  quota: typeof quota;
+  runStats: typeof runStats;
+}>;
+
+/**
+ * A utility for referencing Convex functions in your app's public API.
+ *
+ * Usage:
+ * ```js
+ * const myFunctionReference = api.myModule.myFunction;
+ * ```
+ */
+export declare const api: FilterApi<
+  typeof fullApi,
+  FunctionReference<any, "public">
+>;
+
+/**
+ * A utility for referencing Convex functions in your app's internal API.
+ *
+ * Usage:
+ * ```js
+ * const myFunctionReference = internal.myModule.myFunction;
+ * ```
+ */
+export declare const internal: FilterApi<
+  typeof fullApi,
+  FunctionReference<any, "internal">
+>;
+
+export declare const components: {};
diff --git a/frontend/convex/_generated/api.js b/frontend/convex/_generated/api.js
new file mode 100644
index 0000000..44bf985
--- /dev/null
+++ b/frontend/convex/_generated/api.js
@@ -0,0 +1,23 @@
+/* eslint-disable */
+/**
+ * Generated `api` utility.
+ *
+ * THIS CODE IS AUTOMATICALLY GENERATED.
+ *
+ * To regenerate, run `npx convex dev`.
+ * @module
+ */
+
+import { anyApi, componentsGeneric } from "convex/server";
+
+/**
+ * A utility for referencing Convex functions in your app's API.
+ *
+ * Usage:
+ * ```js
+ * const myFunctionReference = api.myModule.myFunction;
+ * ```
+ */
+export const api = anyApi;
+export const internal = anyApi;
+export const components = componentsGeneric();
diff --git a/frontend/convex/_generated/dataModel.d.ts b/frontend/convex/_generated/dataModel.d.ts
new file mode 100644
index 0000000..f97fd19
--- /dev/null
+++ b/frontend/convex/_generated/dataModel.d.ts
@@ -0,0 +1,60 @@
+/* eslint-disable */
+/**
+ * Generated data model types.
+ *
+ * THIS CODE IS AUTOMATICALLY GENERATED.
+ *
+ * To regenerate, run `npx convex dev`.
+ * @module
+ */
+
+import type {
+  DataModelFromSchemaDefinition,
+  DocumentByName,
+  TableNamesInDataModel,
+  SystemTableNames,
+} from "convex/server";
+import type { GenericId } from "convex/values";
+import schema from "../schema.js";
+
+/**
+ * The names of all of your Convex tables.
+ */
+export type TableNames = TableNamesInDataModel<DataModel>;
+
+/**
+ * The type of a document stored in Convex.
+ *
+ * @typeParam TableName - A string literal type of the table name (like "users").
+ */
+export type Doc<TableName extends TableNames> = DocumentByName<
+  DataModel,
+  TableName
+>;
+
+/**
+ * An identifier for a document in Convex.
+ *
+ * Convex documents are uniquely identified by their `Id`, which is accessible
+ * on the `_id` field. To learn more, see [Document IDs](https://docs.convex.dev/using/document-ids).
+ *
+ * Documents can be loaded using `db.get(tableName, id)` in query and mutation functions.
+ *
+ * IDs are just strings at runtime, but this type can be used to distinguish them from other
+ * strings when type checking.
+ *
+ * @typeParam TableName - A string literal type of the table name (like "users").
+ */
+export type Id<TableName extends TableNames | SystemTableNames> =
+  GenericId<TableName>;
+
+/**
+ * A type describing your Convex data model.
+ *
+ * This type includes information about what tables you have, the type of
+ * documents stored in those tables, and the indexes defined on them.
+ *
+ * This type is used to parameterize methods like `queryGeneric` and
+ * `mutationGeneric` to make them type-safe.
+ */
+export type DataModel = DataModelFromSchemaDefinition<typeof schema>;
diff --git a/frontend/convex/_generated/server.d.ts b/frontend/convex/_generated/server.d.ts
new file mode 100644
index 0000000..bec05e6
--- /dev/null
+++ b/frontend/convex/_generated/server.d.ts
@@ -0,0 +1,143 @@
+/* eslint-disable */
+/**
+ * Generated utilities for implementing server-side Convex query and mutation functions.
+ *
+ * THIS CODE IS AUTOMATICALLY GENERATED.
+ *
+ * To regenerate, run `npx convex dev`.
+ * @module
+ */
+
+import {
+  ActionBuilder,
+  HttpActionBuilder,
+  MutationBuilder,
+  QueryBuilder,
+  GenericActionCtx,
+  GenericMutationCtx,
+  GenericQueryCtx,
+  GenericDatabaseReader,
+  GenericDatabaseWriter,
+} from "convex/server";
+import type { DataModel } from "./dataModel.js";
+
+/**
+ * Define a query in this Convex app's public API.
+ *
+ * This function will be allowed to read your Convex database and will be accessible from the client.
+ *
+ * @param func - The query function. It receives a {@link QueryCtx} as its first argument.
+ * @returns The wrapped query. Include this as an `export` to name it and make it accessible.
+ */
+export declare const query: QueryBuilder<DataModel, "public">;
+
+/**
+ * Define a query that is only accessible from other Convex functions (but not from the client).
+ *
+ * This function will be allowed to read from your Convex database. It will not be accessible from the client.
+ *
+ * @param func - The query function. It receives a {@link QueryCtx} as its first argument.
+ * @returns The wrapped query. Include this as an `export` to name it and make it accessible.
+ */
+export declare const internalQuery: QueryBuilder<DataModel, "internal">;
+
+/**
+ * Define a mutation in this Convex app's public API.
+ *
+ * This function will be allowed to modify your Convex database and will be accessible from the client.
+ *
+ * @param func - The mutation function. It receives a {@link MutationCtx} as its first argument.
+ * @returns The wrapped mutation. Include this as an `export` to name it and make it accessible.
+ */
+export declare const mutation: MutationBuilder<DataModel, "public">;
+
+/**
+ * Define a mutation that is only accessible from other Convex functions (but not from the client).
+ *
+ * This function will be allowed to modify your Convex database. It will not be accessible from the client.
+ *
+ * @param func - The mutation function. It receives a {@link MutationCtx} as its first argument.
+ * @returns The wrapped mutation. Include this as an `export` to name it and make it accessible.
+ */
+export declare const internalMutation: MutationBuilder<DataModel, "internal">;
+
+/**
+ * Define an action in this Convex app's public API.
+ *
+ * An action is a function which can execute any JavaScript code, including non-deterministic
+ * code and code with side-effects, like calling third-party services.
+ * They can be run in Convex's JavaScript environment or in Node.js using the "use node" directive.
+ * They can interact with the database indirectly by calling queries and mutations using the {@link ActionCtx}.
+ *
+ * @param func - The action. It receives an {@link ActionCtx} as its first argument.
+ * @returns The wrapped action. Include this as an `export` to name it and make it accessible.
+ */
+export declare const action: ActionBuilder<DataModel, "public">;
+
+/**
+ * Define an action that is only accessible from other Convex functions (but not from the client).
+ *
+ * @param func - The function. It receives an {@link ActionCtx} as its first argument.
+ * @returns The wrapped function. Include this as an `export` to name it and make it accessible.
+ */
+export declare const internalAction: ActionBuilder<DataModel, "internal">;
+
+/**
+ * Define an HTTP action.
+ *
+ * The wrapped function will be used to respond to HTTP requests received
+ * by a Convex deployment if the requests matches the path and method where
+ * this action is routed. Be sure to route your httpAction in `convex/http.js`.
+ *
+ * @param func - The function. It receives an {@link ActionCtx} as its first argument
+ * and a Fetch API `Request` object as its second.
+ * @returns The wrapped function. Import this function from `convex/http.js` and route it to hook it up.
+ */
+export declare const httpAction: HttpActionBuilder;
+
+/**
+ * A set of services for use within Convex query functions.
+ *
+ * The query context is passed as the first argument to any Convex query
+ * function run on the server.
+ *
+ * This differs from the {@link MutationCtx} because all of the services are
+ * read-only.
+ */
+export type QueryCtx = GenericQueryCtx<DataModel>;
+
+/**
+ * A set of services for use within Convex mutation functions.
+ *
+ * The mutation context is passed as the first argument to any Convex mutation
+ * function run on the server.
+ */
+export type MutationCtx = GenericMutationCtx<DataModel>;
+
+/**
+ * A set of services for use within Convex action functions.
+ *
+ * The action context is passed as the first argument to any Convex action
+ * function run on the server.
+ */
+export type ActionCtx = GenericActionCtx<DataModel>;
+
+/**
+ * An interface to read from the database within Convex query functions.
+ *
+ * The two entry points are {@link DatabaseReader.get}, which fetches a single
+ * document by its {@link Id}, or {@link DatabaseReader.query}, which starts
+ * building a query.
+ */
+export type DatabaseReader = GenericDatabaseReader<DataModel>;
+
+/**
+ * An interface to read from and write to the database within Convex mutation
+ * functions.
+ *
+ * Convex guarantees that all writes within a single mutation are
+ * executed atomically, so you never have to worry about partial writes leaving
+ * your data in an inconsistent state. See [the Convex Guide](https://docs.convex.dev/understanding/convex-fundamentals/functions#atomicity-and-optimistic-concurrency-control)
+ * for the guarantees Convex provides your functions.
+ */
+export type DatabaseWriter = GenericDatabaseWriter<DataModel>;
diff --git a/frontend/convex/_generated/server.js b/frontend/convex/_generated/server.js
new file mode 100644
index 0000000..bf3d25a
--- /dev/null
+++ b/frontend/convex/_generated/server.js
@@ -0,0 +1,93 @@
+/* eslint-disable */
+/**
+ * Generated utilities for implementing server-side Convex query and mutation functions.
+ *
+ * THIS CODE IS AUTOMATICALLY GENERATED.
+ *
+ * To regenerate, run `npx convex dev`.
+ * @module
+ */
+
+import {
+  actionGeneric,
+  httpActionGeneric,
+  queryGeneric,
+  mutationGeneric,
+  internalActionGeneric,
+  internalMutationGeneric,
+  internalQueryGeneric,
+} from "convex/server";
+
+/**
+ * Define a query in this Convex app's public API.
+ *
+ * This function will be allowed to read your Convex database and will be accessible from the client.
+ *
+ * @param func - The query function. It receives a {@link QueryCtx} as its first argument.
+ * @returns The wrapped query. Include this as an `export` to name it and make it accessible.
+ */
+export const query = queryGeneric;
+
+/**
+ * Define a query that is only accessible from other Convex functions (but not from the client).
+ *
+ * This function will be allowed to read from your Convex database. It will not be accessible from the client.
+ *
+ * @param func - The query function. It receives a {@link QueryCtx} as its first argument.
+ * @returns The wrapped query. Include this as an `export` to name it and make it accessible.
+ */
+export const internalQuery = internalQueryGeneric;
+
+/**
+ * Define a mutation in this Convex app's public API.
+ *
+ * This function will be allowed to modify your Convex database and will be accessible from the client.
+ *
+ * @param func - The mutation function. It receives a {@link MutationCtx} as its first argument.
+ * @returns The wrapped mutation. Include this as an `export` to name it and make it accessible.
+ */
+export const mutation = mutationGeneric;
+
+/**
+ * Define a mutation that is only accessible from other Convex functions (but not from the client).
+ *
+ * This function will be allowed to modify your Convex database. It will not be accessible from the client.
+ *
+ * @param func - The mutation function. It receives a {@link MutationCtx} as its first argument.
+ * @returns The wrapped mutation. Include this as an `export` to name it and make it accessible.
+ */
+export const internalMutation = internalMutationGeneric;
+
+/**
+ * Define an action in this Convex app's public API.
+ *
+ * An action is a function which can execute any JavaScript code, including non-deterministic
+ * code and code with side-effects, like calling third-party services.
+ * They can be run in Convex's JavaScript environment or in Node.js using the "use node" directive.
+ * They can interact with the database indirectly by calling queries and mutations using the {@link ActionCtx}.
+ *
+ * @param func - The action. It receives an {@link ActionCtx} as its first argument.
+ * @returns The wrapped action. Include this as an `export` to name it and make it accessible.
+ */
+export const action = actionGeneric;
+
+/**
+ * Define an action that is only accessible from other Convex functions (but not from the client).
+ *
+ * @param func - The function. It receives an {@link ActionCtx} as its first argument.
+ * @returns The wrapped function. Include this as an `export` to name it and make it accessible.
+ */
+export const internalAction = internalActionGeneric;
+
+/**
+ * Define an HTTP action.
+ *
+ * The wrapped function will be used to respond to HTTP requests received
+ * by a Convex deployment if the requests matches the path and method where
+ * this action is routed. Be sure to route your httpAction in `convex/http.js`.
+ *
+ * @param func - The function. It receives an {@link ActionCtx} as its first argument
+ * and a Fetch API `Request` object as its second.
+ * @returns The wrapped function. Import this function from `convex/http.js` and route it to hook it up.
+ */
+export const httpAction = httpActionGeneric;
diff --git a/frontend/convex/auth.config.ts b/frontend/convex/auth.config.ts
index 59fcbd7..c7b2b6d 100644
--- a/frontend/convex/auth.config.ts
+++ b/frontend/convex/auth.config.ts
@@ -1,10 +1,19 @@
 import type { AuthConfig } from "convex/server";
 
+const isLocalMode = process.env.BIGSET_LOCAL_MODE === "1";
+const clerkIssuer = process.env.CLERK_JWT_ISSUER_DOMAIN;
+
+if (!isLocalMode && !clerkIssuer) {
+  throw new Error("CLERK_JWT_ISSUER_DOMAIN is required outside local mode");
+}
+
 export default {
-  providers: [
-    {
-      domain: process.env.CLERK_JWT_ISSUER_DOMAIN!,
-      applicationID: "convex",
-    },
-  ],
+  providers: !isLocalMode && clerkIssuer
+    ? [
+        {
+          domain: clerkIssuer,
+          applicationID: "convex",
+        },
+      ]
+    : [],
 } satisfies AuthConfig;
diff --git a/frontend/convex/lib/authz.ts b/frontend/convex/lib/authz.ts
index 95ade37..a96c5ea 100644
--- a/frontend/convex/lib/authz.ts
+++ b/frontend/convex/lib/authz.ts
@@ -34,6 +34,19 @@ type AnyCtx =
 const DATASET_NOT_FOUND = "Dataset not found";
 const ROW_NOT_FOUND = "Row not found";
 const UNAUTHENTICATED = "Not authenticated";
+const LOCAL_USER_ID = "local_user_default";
+
+function isLocalMode(): boolean {
+  return process.env.BIGSET_LOCAL_MODE === "1";
+}
+
+function localIdentity(): UserIdentity {
+  return {
+    subject: LOCAL_USER_ID,
+    issuer: "bigset-local",
+    tokenIdentifier: `bigset-local|${LOCAL_USER_ID}`,
+  };
+}
 
 /**
  * Owner-id values reserved for system-managed datasets (e.g. curated
@@ -93,6 +106,7 @@ function logDeny(
 export async function requireIdentity(ctx: AnyCtx): Promise<UserIdentity> {
   const identity = await ctx.auth.getUserIdentity();
   if (!identity) {
+    if (isLocalMode()) return localIdentity();
     logDeny("unauthenticated", { op: "write" });
     throw new Error(UNAUTHENTICATED);
   }
@@ -102,7 +116,9 @@ export async function requireIdentity(ctx: AnyCtx): Promise<UserIdentity> {
 export async function getIdentity(
   ctx: AnyCtx,
 ): Promise<UserIdentity | null> {
-  return await ctx.auth.getUserIdentity();
+  const identity = await ctx.auth.getUserIdentity();
+  if (!identity && isLocalMode()) return localIdentity();
+  return identity;
 }
 
 function isPublic(dataset: Doc<"datasets">): boolean {
diff --git a/frontend/convex/lib/quota.ts b/frontend/convex/lib/quota.ts
index 2c502b9..61dbc2f 100644
--- a/frontend/convex/lib/quota.ts
+++ b/frontend/convex/lib/quota.ts
@@ -13,6 +13,7 @@ import { isReservedOwnerId } from "./authz.js";
  * Charging model:
  *   - 1 row inserted, updated, or replaced = 1 unit consumed this period
  *   - System-owned datasets (ownerId === "system") bypass quota entirely
+ *   - Local OSS mode bypasses quota entirely
  *   - Deletes do NOT refund; the counter tracks WORK in the period, not
  *     current row count. Deletion is just cleanup.
  *   - Period rolls over on the 1st (UTC) of each calendar month
@@ -50,6 +51,7 @@ type WriteCtx = GenericMutationCtx<DataModel>;
  * row (`plan` field + lookup table) when paid tiers exist.
  */
 export const FREE_TIER_MONTHLY_QUOTA = 2500;
+const LOCAL_MODE_QUOTA_LIMIT = Number.MAX_SAFE_INTEGER;
 
 export class QuotaExceededError extends Error {
   constructor(consumed: number, limit: number, requested: number) {
@@ -87,12 +89,20 @@ function getNextMonthStartUTC(ts: number): number {
   return Date.UTC(d.getUTCFullYear(), d.getUTCMonth() + 1, 1);
 }
 
-function snapshotOf(consumed: number, periodStart: number): UsageSnapshot {
-  const remaining = Math.max(0, FREE_TIER_MONTHLY_QUOTA - consumed);
-  const fractionUsed = Math.min(1, consumed / FREE_TIER_MONTHLY_QUOTA);
+function isLocalMode(): boolean {
+  return process.env.BIGSET_LOCAL_MODE === "1";
+}
+
+function snapshotOf(
+  consumed: number,
+  periodStart: number,
+  limit = FREE_TIER_MONTHLY_QUOTA,
+): UsageSnapshot {
+  const remaining = Math.max(0, limit - consumed);
+  const fractionUsed = Math.min(1, consumed / limit);
   return {
     consumed,
-    limit: FREE_TIER_MONTHLY_QUOTA,
+    limit,
     remaining,
     fractionUsed,
     periodStart,
@@ -110,13 +120,16 @@ export async function getUsageFor(
   ctx: AnyCtx,
   userId: string,
 ): Promise<UsageSnapshot> {
+  const monthStart = getMonthStartUTC(Date.now());
+  if (isLocalMode()) {
+    return snapshotOf(0, monthStart, LOCAL_MODE_QUOTA_LIMIT);
+  }
+
   const row = await ctx.db
     .query("usage")
     .withIndex("by_user", (q) => q.eq("userId", userId))
     .unique();
 
-  const monthStart = getMonthStartUTC(Date.now());
-
   // Either no row yet, or row belongs to a previous period → show 0.
   // (The DB row is left alone here; the next write rolls it over.)
   if (!row || (row.periodStart ?? 0) < monthStart) {
@@ -136,6 +149,8 @@ export async function requireQuotaRemaining(
   userId: string,
   atLeast: number = 1,
 ): Promise<void> {
+  if (isLocalMode()) return;
+
   const usage = await getUsageFor(ctx, userId);
   if (usage.remaining < atLeast) {
     throw new QuotaExceededError(usage.consumed, usage.limit, atLeast);
@@ -157,6 +172,7 @@ export async function consumeQuota(
   n: number,
 ): Promise<void> {
   if (n <= 0) return;
+  if (isLocalMode()) return;
   if (isReservedOwnerId(dataset.ownerId)) return;
 
   const userId = dataset.ownerId;
diff --git a/frontend/convex/localCredentials.ts b/frontend/convex/localCredentials.ts
new file mode 100644
index 0000000..d8e8c97
--- /dev/null
+++ b/frontend/convex/localCredentials.ts
@@ -0,0 +1,71 @@
+import { internalMutation, internalQuery } from "./_generated/server.js";
+import { v } from "convex/values";
+
+const serviceValidator = v.union(
+  v.literal("tinyfish"),
+  v.literal("openrouter"),
+);
+
+const connectionMethodValidator = v.union(
+  v.literal("api_key"),
+  v.literal("oauth"),
+);
+
+export const getInternal = internalQuery({
+  args: { service: serviceValidator },
+  handler: async (ctx, args) => {
+    return await ctx.db
+      .query("localCredentials")
+      .withIndex("by_service", (q) => q.eq("service", args.service))
+      .unique();
+  },
+});
+
+export const upsertInternal = internalMutation({
+  args: {
+    service: serviceValidator,
+    keychainAccount: v.string(),
+    connectionMethod: connectionMethodValidator,
+    verifiedAt: v.number(),
+  },
+  handler: async (ctx, args) => {
+    const existing = await ctx.db
+      .query("localCredentials")
+      .withIndex("by_service", (q) => q.eq("service", args.service))
+      .unique();
+
+    const update = {
+      keychainAccount: args.keychainAccount,
+      connectionMethod: args.connectionMethod,
+      verifiedAt: args.verifiedAt,
+      updatedAt: Date.now(),
+    };
+
+    if (existing) {
+      await ctx.db.patch(existing._id, { ...update, apiKey: undefined });
+      return existing._id;
+    }
+
+    return await ctx.db.insert("localCredentials", {
+      service: args.service,
+      ...update,
+    });
+  },
+});
+
+export const clearLegacyPlaintextInternal = internalMutation({
+  args: {},
+  handler: async (ctx) => {
+    const rows = await ctx.db.query("localCredentials").collect();
+    let cleared = 0;
+
+    for (const row of rows) {
+      if (row.apiKey !== undefined) {
+        await ctx.db.patch(row._id, { apiKey: undefined });
+        cleared += 1;
+      }
+    }
+
+    return { cleared };
+  },
+});
diff --git a/frontend/convex/schema.ts b/frontend/convex/schema.ts
index 4e7b5f4..83ea007 100644
--- a/frontend/convex/schema.ts
+++ b/frontend/convex/schema.ts
@@ -140,6 +140,17 @@ export default defineSchema({
     investigateSubagent: v.optional(v.string()),
   }).index("by_user", ["userId"]),
 
+  localCredentials: defineTable({
+    service: v.union(v.literal("tinyfish"), v.literal("openrouter")),
+    keychainAccount: v.optional(v.string()),
+    connectionMethod: v.union(v.literal("api_key"), v.literal("oauth")),
+    verifiedAt: v.number(),
+    updatedAt: v.number(),
+    // Legacy only: accepted so the migration can deploy, then cleared by the
+    // backend startup purge. New code never writes this field.
+    apiKey: v.optional(v.string()),
+  }).index("by_service", ["service"]),
+
   // One row per populate workflow run. Written once at the end of each run
   // (success or error) by the backend agent runner — never by the frontend.
   // Tracks tool-call counts, token usage, and timing so runs can be
diff --git a/frontend/lib/analytics-provider.tsx b/frontend/lib/analytics-provider.tsx
index 169dd20..a33817e 100644
--- a/frontend/lib/analytics-provider.tsx
+++ b/frontend/lib/analytics-provider.tsx
@@ -1,7 +1,7 @@
 "use client";
 
 import { useEffect, useRef, type ReactNode } from "react";
-import { useUser } from "@clerk/nextjs";
+import { useAppUser } from "./app-auth";
 import { identify, initAnalytics, reset } from "./analytics";
 
 /**
@@ -24,7 +24,7 @@ import { identify, initAnalytics, reset } from "./analytics";
  * and break anonymous-event attribution.
  */
 export function AnalyticsProvider({ children }: { children: ReactNode }) {
-  const { isLoaded, isSignedIn, user } = useUser();
+  const { isLoaded, isSignedIn, user } = useAppUser();
   const wasSignedIn = useRef<boolean>(false);
 
   useEffect(() => {
diff --git a/frontend/lib/app-auth.tsx b/frontend/lib/app-auth.tsx
new file mode 100644
index 0000000..54aef26
--- /dev/null
+++ b/frontend/lib/app-auth.tsx
@@ -0,0 +1,77 @@
+"use client";
+
+import {
+  ClerkProvider,
+  useAuth as useClerkAuth,
+  useClerk as useRealClerk,
+  useUser as useRealUser,
+} from "@clerk/nextjs";
+import { useConvexAuth as useRealConvexAuth } from "convex/react";
+import type { ReactNode } from "react";
+import { isLocalMode, LOCAL_USER_ID } from "./app-mode";
+
+const localUser = {
+  id: LOCAL_USER_ID,
+  fullName: "BigSet local",
+  firstName: "BigSet",
+  primaryEmailAddress: null,
+  imageUrl: null,
+};
+
+const localAuth = {
+  isLoaded: true,
+  isSignedIn: true,
+  userId: LOCAL_USER_ID,
+  getToken: async () => "bigset-local",
+};
+
+const localUserState = {
+  isLoaded: true,
+  isSignedIn: true,
+  user: localUser,
+};
+
+const localClerk = {
+  signOut: async () => {},
+};
+
+const localConvexAuth = {
+  isLoading: false,
+  isAuthenticated: true,
+};
+
+function useLocalAuth() {
+  return localAuth;
+}
+
+function useLocalUser() {
+  return localUserState;
+}
+
+function useLocalClerk() {
+  return localClerk;
+}
+
+function useLocalConvexAuth() {
+  return localConvexAuth;
+}
+
+export const useAppAuth = isLocalMode ? useLocalAuth : useClerkAuth;
+export const useAppUser = isLocalMode ? useLocalUser : useRealUser;
+export const useAppClerk = isLocalMode ? useLocalClerk : useRealClerk;
+export const useAppConvexAuth = isLocalMode
+  ? useLocalConvexAuth
+  : useRealConvexAuth;
+
+export function AppAuthProvider({ children }: { children: ReactNode }) {
+  if (isLocalMode) return <>{children}</>;
+
+  return (
+    <ClerkProvider
+      signInForceRedirectUrl="/dashboard"
+      signUpForceRedirectUrl="/dashboard"
+    >
+      {children}
+    </ClerkProvider>
+  );
+}
diff --git a/frontend/lib/app-mode.ts b/frontend/lib/app-mode.ts
new file mode 100644
index 0000000..5cce5fd
--- /dev/null
+++ b/frontend/lib/app-mode.ts
@@ -0,0 +1,2 @@
+export const isLocalMode = process.env.NEXT_PUBLIC_PROD !== "1";
+export const LOCAL_USER_ID = "local_user_default";
diff --git a/frontend/lib/backend.ts b/frontend/lib/backend.ts
index f023a35..f5ea3e5 100644
--- a/frontend/lib/backend.ts
+++ b/frontend/lib/backend.ts
@@ -63,9 +63,92 @@ export interface OpenRouterModel {
   promptCost: number;
 }
 
+export interface ServiceSetupStatus {
+  configured: boolean;
+  source: "local" | "env" | null;
+  connectionMethod: "api_key" | "oauth" | null;
+  verifiedAt: number | null;
+}
+
+export interface LocalSetupStatus {
+  mode: "local" | "production";
+  required: boolean;
+  complete: boolean;
+  services: {
+    tinyfish: ServiceSetupStatus;
+    openrouter: ServiceSetupStatus;
+  };
+}
+
 const BACKEND_URL =
   process.env.NEXT_PUBLIC_BACKEND_URL || "http://localhost:3501";
 
+async function errorMessage(res: Response): Promise<string> {
+  const body = await res.json().catch(() => null);
+  return body?.error || `Backend error (${res.status})`;
+}
+
+export async function getLocalSetupStatus(): Promise<LocalSetupStatus> {
+  const res = await fetch(`${BACKEND_URL}/local-setup/status`, {
+    method: "GET",
+  });
+
+  if (!res.ok) {
+    throw new Error(await errorMessage(res));
+  }
+
+  return res.json();
+}
+
+export async function saveTinyFishApiKey(
+  apiKey: string,
+): Promise<LocalSetupStatus> {
+  const res = await fetch(`${BACKEND_URL}/local-setup/tinyfish`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({ apiKey }),
+  });
+
+  if (!res.ok) {
+    throw new Error(await errorMessage(res));
+  }
+
+  return res.json();
+}
+
+export async function saveOpenRouterApiKey(
+  apiKey: string,
+): Promise<LocalSetupStatus> {
+  const res = await fetch(`${BACKEND_URL}/local-setup/openrouter-key`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({ apiKey }),
+  });
+
+  if (!res.ok) {
+    throw new Error(await errorMessage(res));
+  }
+
+  return res.json();
+}
+
+export async function exchangeOpenRouterOAuth(
+  code: string,
+  codeVerifier: string,
+): Promise<LocalSetupStatus> {
+  const res = await fetch(`${BACKEND_URL}/local-setup/openrouter-oauth`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({ code, codeVerifier }),
+  });
+
+  if (!res.ok) {
+    throw new Error(await errorMessage(res));
+  }
+
+  return res.json();
+}
+
 /**
  * Fetch the current user's effective (resolved) model config from the backend.
  *
diff --git a/frontend/lib/openrouter-oauth.ts b/frontend/lib/openrouter-oauth.ts
new file mode 100644
index 0000000..14dc14c
--- /dev/null
+++ b/frontend/lib/openrouter-oauth.ts
@@ -0,0 +1,55 @@
+export const OPENROUTER_VERIFIER_KEY = "bigset:openrouter-code-verifier";
+export const OPENROUTER_RETURN_TO_KEY = "bigset:openrouter-return-to";
+
+function base64Url(bytes: ArrayBuffer): string {
+  let binary = "";
+  for (const byte of new Uint8Array(bytes)) {
+    binary += String.fromCharCode(byte);
+  }
+  return btoa(binary)
+    .replace(/\+/g, "-")
+    .replace(/\//g, "_")
+    .replace(/=+$/g, "");
+}
+
+async function sha256(value: string): Promise<ArrayBuffer> {
+  return await crypto.subtle.digest(
+    "SHA-256",
+    new TextEncoder().encode(value),
+  );
+}
+
+function randomVerifier(): string {
+  const bytes = new Uint8Array(32);
+  crypto.getRandomValues(bytes);
+  return base64Url(bytes.buffer);
+}
+
+function safeReturnTo(returnTo: string): string {
+  if (!returnTo.startsWith("/") || returnTo.startsWith("//")) return "/setup";
+  return returnTo;
+}
+
+export async function beginOpenRouterOAuth(returnTo = "/setup") {
+  const verifier = randomVerifier();
+  const challenge = base64Url(await sha256(verifier));
+  sessionStorage.setItem(OPENROUTER_VERIFIER_KEY, verifier);
+  sessionStorage.setItem(OPENROUTER_RETURN_TO_KEY, safeReturnTo(returnTo));
+
+  const callbackUrl = `${window.location.origin}/setup/openrouter/callback`;
+  const url = new URL("https://openrouter.ai/auth");
+  url.searchParams.set("callback_url", callbackUrl);
+  url.searchParams.set("code_challenge", challenge);
+  url.searchParams.set("code_challenge_method", "S256");
+  window.location.href = url.toString();
+}
+
+export function getOpenRouterOAuthReturnTo(): string {
+  const returnTo = sessionStorage.getItem(OPENROUTER_RETURN_TO_KEY);
+  return returnTo ? safeReturnTo(returnTo) : "/setup";
+}
+
+export function clearOpenRouterOAuthState() {
+  sessionStorage.removeItem(OPENROUTER_VERIFIER_KEY);
+  sessionStorage.removeItem(OPENROUTER_RETURN_TO_KEY);
+}
diff --git a/frontend/next.config.ts b/frontend/next.config.ts
index cb651cd..6c1915e 100644
--- a/frontend/next.config.ts
+++ b/frontend/next.config.ts
@@ -1,5 +1,12 @@
 import type { NextConfig } from "next";
 
-const nextConfig: NextConfig = {};
+const nextConfig: NextConfig = {
+  output: "standalone",
+  allowedDevOrigins: ["127.0.0.1"],
+  env: {
+    NEXT_PUBLIC_PROD: process.env.NEXT_PUBLIC_PROD ?? process.env.PROD ?? "",
+  },
+  devIndicators: false,
+};
 
 export default nextConfig;
diff --git a/frontend/proxy.ts b/frontend/proxy.ts
index 11a3aed..3e25634 100644
--- a/frontend/proxy.ts
+++ b/frontend/proxy.ts
@@ -1,6 +1,8 @@
 import { clerkMiddleware } from "@clerk/nextjs/server";
 import type { NextRequest } from "next/server";
 
+const isLocalMode = process.env.PROD !== "1";
+
 /**
  * Public routes (Clerk middleware lets these through without auth):
  *   /                  — landing page with curated datasets
@@ -33,12 +35,14 @@ function isPublicPath(req: NextRequest): boolean {
   return false;
 }
 
-export default clerkMiddleware(async (auth, request) => {
+const clerkProxy = clerkMiddleware(async (auth, request) => {
   if (!isPublicPath(request)) {
     await auth.protect();
   }
 });
 
+export default isLocalMode ? function localProxy() {} : clerkProxy;
+
 export const config = {
   matcher: [
     "/((?!_next|[^?]*\\.(?:html?|css|js(?!on)|jpe?g|webp|png|gif|svg|ttf|woff2?|ico|csv|docx?|xlsx?|zip|webmanifest)).*)",
diff --git a/frontend/public/logos/engines/tinyfish-wordmark-dark.svg b/frontend/public/logos/engines/tinyfish-wordmark-dark.svg
new file mode 100644
index 0000000..fa7991a
--- /dev/null
+++ b/frontend/public/logos/engines/tinyfish-wordmark-dark.svg
@@ -0,0 +1,33 @@
+<svg width="731" height="166" viewBox="0 0 731 166" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M447.549 103.878L463.651 60.6904H486.394L464.567 116.259C459.823 128.234 455.822 137.231 452.572 143.276C449.323 149.312 445.042 154.085 439.72 157.595C434.407 161.105 427.415 162.859 418.747 162.859C415.749 162.859 413.483 162.647 411.94 162.242V142.428C413.801 142.63 415.402 142.736 416.742 142.736C421.592 142.736 425.517 141.829 428.506 140.026C431.495 138.223 434.079 135.408 436.248 131.59L406.993 60.6904H430.521L447.549 103.878ZM617.558 58.6748C623.642 58.6748 628.935 59.9087 633.429 62.3867C637.922 64.8648 641.248 68.2685 643.418 72.6074L627.778 81.1221C625.406 77.9208 622.147 76.3193 618.029 76.3193C615.446 76.3194 613.44 76.9177 611.994 78.1035C610.548 79.2895 609.824 80.7068 609.824 82.3652C609.824 84.3225 610.827 85.7495 612.842 86.627C614.857 87.5044 618.078 88.4113 622.514 89.3369C629.427 90.6772 635.029 93.2609 639.311 97.0791C643.592 100.897 645.732 106.057 645.732 112.565C645.732 120.202 642.945 126.295 637.372 130.837C631.799 135.378 624.683 137.645 616.005 137.645C610.846 137.645 605.813 136.739 600.915 134.936L600.925 134.916C596.027 133.113 591.658 130.143 587.84 126.016L600.066 112.7C602.13 115.072 604.559 116.933 607.346 118.273C610.132 119.614 613.074 120.288 616.169 120.288C619.264 120.288 621.53 119.643 623.295 118.351C625.05 117.059 625.927 115.332 625.927 113.163C625.927 110.994 625.001 109.576 623.141 108.593C621.28 107.609 618.29 106.654 614.163 105.729C607.558 104.186 601.802 101.804 596.903 98.6123C592.005 95.411 589.547 90.1463 589.547 82.8184C589.547 78.2769 590.684 74.1786 592.95 70.5146C595.216 66.8508 598.466 63.9583 602.698 61.8467C606.931 59.735 611.888 58.6748 617.558 58.6748ZM290.227 47.6729H263.132V135.61H240.839V47.6729H213.754V27.2412H290.227V47.6729ZM316.897 135.61H295.838V60.6807H316.897V135.61ZM582.603 135.61H561.544V60.6807H582.603V135.61ZM556.623 47.6729H517.263V74.3047C523.665 70.6889 531.292 68.8857 540.173 68.8857H547.453V89.627H541.108C525.218 89.627 517.263 96.3859 517.263 109.904V135.602H494.97V27.2412H556.623V47.6729ZM675.749 67.8066C681.322 61.9249 688.699 58.9834 697.888 58.9834C704.387 58.9834 710.143 60.4007 715.147 63.2451L715.167 63.2354C720.171 66.0702 724.038 70.0237 726.776 75.0762C729.505 80.1383 730.874 85.9143 730.874 92.4131V135.602H709.815V96.2803C709.815 90.8132 708.263 86.4255 705.168 83.1182C702.073 79.8205 697.946 78.1621 692.777 78.1621C687.609 78.1621 683.492 79.8109 680.396 83.1182C677.301 86.4255 675.749 90.8132 675.749 96.2803V135.602H654.69V27.2412H675.749V67.8066ZM372.216 58.9697C378.927 58.9697 384.732 60.4449 389.63 63.3857H389.649C394.548 66.3266 398.318 70.3283 400.95 75.3809C403.583 80.443 404.894 86.1128 404.894 92.4092V135.597H383.835V96.2754C383.835 90.5963 382.263 86.1611 379.11 82.96C375.957 79.7587 371.859 78.1582 366.807 78.1582C361.754 78.1583 357.646 79.7588 354.503 82.96C351.35 86.1611 349.778 90.5964 349.778 96.2754V135.597H328.72V60.667H349.152V68.7178C354.832 62.2192 362.516 58.9698 372.216 58.9697ZM486.407 60.6904H486.394L486.397 60.6807L486.407 60.6904ZM306.427 26.9785C309.261 26.9785 311.595 27.991 313.658 30.0156C315.722 32.0405 316.764 34.471 316.764 37.3154C316.764 40.1598 315.75 42.6085 313.726 44.6719C311.701 46.7353 309.271 47.7773 306.427 47.7773C303.582 47.7773 301.133 46.745 299.069 44.6719C297.006 42.6086 295.965 40.15 295.965 37.3154C295.965 34.4806 296.996 32.0501 299.069 30.0156C301.133 27.9908 303.592 26.9785 306.427 26.9785ZM572.132 26.9785C574.967 26.9785 577.301 27.9908 579.364 30.0156C581.428 32.0405 582.469 34.471 582.469 37.3154C582.469 40.1597 581.456 42.6085 579.432 44.6719C577.407 46.7353 574.976 47.7773 572.132 47.7773C569.288 47.7772 566.839 46.7448 564.775 44.6719C562.712 42.6085 561.671 40.1501 561.671 37.3154C561.671 34.4806 562.702 32.0501 564.775 30.0156C566.839 27.991 569.297 26.9786 572.132 26.9785Z" fill="white"/>
+<path d="M447.549 103.878L463.651 60.6904H486.394L464.567 116.259C459.823 128.234 455.822 137.231 452.572 143.276C449.323 149.312 445.042 154.085 439.72 157.595C434.407 161.105 427.415 162.859 418.747 162.859C415.749 162.859 413.483 162.647 411.94 162.242V142.428C413.801 142.63 415.402 142.736 416.742 142.736C421.592 142.736 425.517 141.829 428.506 140.026C431.495 138.223 434.079 135.408 436.248 131.59L406.993 60.6904H430.521L447.549 103.878ZM617.558 58.6748C623.642 58.6748 628.935 59.9087 633.429 62.3867C637.922 64.8648 641.248 68.2685 643.418 72.6074L627.778 81.1221C625.406 77.9208 622.147 76.3193 618.029 76.3193C615.446 76.3194 613.44 76.9177 611.994 78.1035C610.548 79.2895 609.824 80.7068 609.824 82.3652C609.824 84.3225 610.827 85.7495 612.842 86.627C614.857 87.5044 618.078 88.4113 622.514 89.3369C629.427 90.6772 635.029 93.2609 639.311 97.0791C643.592 100.897 645.732 106.057 645.732 112.565C645.732 120.202 642.945 126.295 637.372 130.837C631.799 135.378 624.683 137.645 616.005 137.645C610.846 137.645 605.813 136.739 600.915 134.936L600.925 134.916C596.027 133.113 591.658 130.143 587.84 126.016L600.066 112.7C602.13 115.072 604.559 116.933 607.346 118.273C610.132 119.614 613.074 120.288 616.169 120.288C619.264 120.288 621.53 119.643 623.295 118.351C625.05 117.059 625.927 115.332 625.927 113.163C625.927 110.994 625.001 109.576 623.141 108.593C621.28 107.609 618.29 106.654 614.163 105.729C607.558 104.186 601.802 101.804 596.903 98.6123C592.005 95.411 589.547 90.1463 589.547 82.8184C589.547 78.2769 590.684 74.1786 592.95 70.5146C595.216 66.8508 598.466 63.9583 602.698 61.8467C606.931 59.735 611.888 58.6748 617.558 58.6748ZM290.227 47.6729H263.132V135.61H240.839V47.6729H213.754V27.2412H290.227V47.6729ZM316.897 135.61H295.838V60.6807H316.897V135.61ZM582.603 135.61H561.544V60.6807H582.603V135.61ZM556.623 47.6729H517.263V74.3047C523.665 70.6889 531.292 68.8857 540.173 68.8857H547.453V89.627H541.108C525.218 89.627 517.263 96.3859 517.263 109.904V135.602H494.97V27.2412H556.623V47.6729ZM675.749 67.8066C681.322 61.9249 688.699 58.9834 697.888 58.9834C704.387 58.9834 710.143 60.4007 715.147 63.2451L715.167 63.2354C720.171 66.0702 724.038 70.0237 726.776 75.0762C729.505 80.1383 730.874 85.9143 730.874 92.4131V135.602H709.815V96.2803C709.815 90.8132 708.263 86.4255 705.168 83.1182C702.073 79.8205 697.946 78.1621 692.777 78.1621C687.609 78.1621 683.492 79.8109 680.396 83.1182C677.301 86.4255 675.749 90.8132 675.749 96.2803V135.602H654.69V27.2412H675.749V67.8066ZM372.216 58.9697C378.927 58.9697 384.732 60.4449 389.63 63.3857H389.649C394.548 66.3266 398.318 70.3283 400.95 75.3809C403.583 80.443 404.894 86.1128 404.894 92.4092V135.597H383.835V96.2754C383.835 90.5963 382.263 86.1611 379.11 82.96C375.957 79.7587 371.859 78.1582 366.807 78.1582C361.754 78.1583 357.646 79.7588 354.503 82.96C351.35 86.1611 349.778 90.5964 349.778 96.2754V135.597H328.72V60.667H349.152V68.7178C354.832 62.2192 362.516 58.9698 372.216 58.9697ZM486.407 60.6904H486.394L486.397 60.6807L486.407 60.6904ZM306.427 26.9785C309.261 26.9785 311.595 27.991 313.658 30.0156C315.722 32.0405 316.764 34.471 316.764 37.3154C316.764 40.1598 315.75 42.6085 313.726 44.6719C311.701 46.7353 309.271 47.7773 306.427 47.7773C303.582 47.7773 301.133 46.745 299.069 44.6719C297.006 42.6086 295.965 40.15 295.965 37.3154C295.965 34.4806 296.996 32.0501 299.069 30.0156C301.133 27.9908 303.592 26.9785 306.427 26.9785ZM572.132 26.9785C574.967 26.9785 577.301 27.9908 579.364 30.0156C581.428 32.0405 582.469 34.471 582.469 37.3154C582.469 40.1597 581.456 42.6085 579.432 44.6719C577.407 46.7353 574.976 47.7773 572.132 47.7773C569.288 47.7772 566.839 46.7448 564.775 44.6719C562.712 42.6085 561.671 40.1501 561.671 37.3154C561.671 34.4806 562.702 32.0501 564.775 30.0156C566.839 27.991 569.297 26.9786 572.132 26.9785Z" fill="white" fill-opacity="0.2"/>
+<path d="M44.2862 68.3682C39.1131 58.5589 27.678 40.8695 12.4467 41.0562C-8.61106 41.3051 15.9006 88.8815 15.9006 88.8815C15.9006 88.8815 -3.97477 127.847 13.3568 131.962C30.6885 136.077 45.313 111.658 45.313 111.658" fill="#FF6700"/>
+<path d="M128.403 150.523C136.842 142.224 139.466 131.208 134.264 125.918C129.062 120.628 118.003 123.067 109.564 131.366C101.125 139.665 98.5005 150.681 103.703 155.971C108.905 161.262 119.964 158.822 128.403 150.523Z" fill="black"/>
+<path d="M128.403 150.523C136.842 142.224 139.466 131.208 134.264 125.918C129.062 120.628 118.003 123.067 109.564 131.366C101.125 139.665 98.5005 150.681 103.703 155.971C108.905 161.262 119.964 158.822 128.403 150.523Z" fill="black" fill-opacity="0.2"/>
+<path d="M137.119 44.6362C137.119 44.6362 123 17.5186 91.9308 5.38338C76.9873 -0.450869 70.9197 8.65057 79.531 20.1013C90.5072 34.6869 48.9051 5.96681 75.6104 53.4343L137.127 44.6362H137.119Z" fill="#FF6700"/>
+<path d="M113.513 33.8229L126.854 29.8633L104.054 11.2793L83.0042 3.57031L75.8242 8.55665C75.8242 8.55665 106.279 18.7005 113.513 33.8229Z" fill="#FECB8B"/>
+<path d="M133.396 42.723C132.735 43.672 132.743 45.4301 133.334 46.2936L133.326 46.2625L133.279 46.1458C131.342 41.0505 128.246 36.4531 124.785 32.2525C116.967 23.1044 107.072 15.7143 96.1579 10.728C92.1517 9.12549 87.282 6.82291 83.1125 7.20408C78.3051 7.45301 79.1296 11.3814 80.8955 14.5864C82.918 18.2192 87.9277 22.2876 84.7616 26.8461C82.0079 30.58 76.5548 28.6819 72.9687 28.9153C71.8952 28.9308 71.1017 29.2264 71.1639 29.2809C71.1717 29.3042 71.2962 29.1875 71.304 29.1798C70.9383 32.517 72.8442 36.5309 74.1355 39.767C74.54 40.716 75.3646 42.6374 75.8002 43.5787C76.9515 46.138 78.1495 48.7206 79.2619 51.381L75.0223 49.2885C94.6021 46.4025 113.575 44.5744 133.404 42.723H133.396ZM140.848 46.5503C119.682 50.5876 97.6359 54.6015 76.1736 57.5809C74.4233 57.8298 72.7664 56.9352 71.9574 55.4806C67.5078 49.094 63.8361 42.1085 62.1947 34.3372C60.0166 22.7776 66.9555 18.3436 77.7061 20.2417C78.3906 20.3273 79.0519 20.3973 79.433 20.4051C79.6042 20.4206 79.7131 20.3817 79.4252 20.4595C78.1339 20.8407 77.0915 22.2331 77.0915 23.5944C77.0682 23.8589 77.1149 24.1623 77.2004 24.3957C76.2358 22.4276 74.5089 20.4906 73.5832 18.2892C71.9341 14.7653 70.915 10.7902 72.3464 6.72178C75.4813 -1.67954 86.0452 -0.878303 92.6962 2.0466C94.7732 2.91785 96.9047 3.99135 98.9428 4.90928C100.779 5.96722 103.112 7.13407 104.901 8.23869L108.737 10.6657C118.818 17.3635 127.274 26.1304 134.991 35.3719C136.453 37.0599 137.947 38.9891 139.347 40.7394L140.078 41.6728L140.444 42.1551L140.537 42.2796C141.307 43.4309 141.408 45.2901 140.856 46.5425L140.848 46.5503Z" fill="black"/>
+<path d="M133.396 42.723C132.735 43.672 132.743 45.4301 133.334 46.2936L133.326 46.2625L133.279 46.1458C131.342 41.0505 128.246 36.4531 124.785 32.2525C116.967 23.1044 107.072 15.7143 96.1579 10.728C92.1517 9.12549 87.282 6.82291 83.1125 7.20408C78.3051 7.45301 79.1296 11.3814 80.8955 14.5864C82.918 18.2192 87.9277 22.2876 84.7616 26.8461C82.0079 30.58 76.5548 28.6819 72.9687 28.9153C71.8952 28.9308 71.1017 29.2264 71.1639 29.2809C71.1717 29.3042 71.2962 29.1875 71.304 29.1798C70.9383 32.517 72.8442 36.5309 74.1355 39.767C74.54 40.716 75.3646 42.6374 75.8002 43.5787C76.9515 46.138 78.1495 48.7206 79.2619 51.381L75.0223 49.2885C94.6021 46.4025 113.575 44.5744 133.404 42.723H133.396ZM140.848 46.5503C119.682 50.5876 97.6359 54.6015 76.1736 57.5809C74.4233 57.8298 72.7664 56.9352 71.9574 55.4806C67.5078 49.094 63.8361 42.1085 62.1947 34.3372C60.0166 22.7776 66.9555 18.3436 77.7061 20.2417C78.3906 20.3273 79.0519 20.3973 79.433 20.4051C79.6042 20.4206 79.7131 20.3817 79.4252 20.4595C78.1339 20.8407 77.0915 22.2331 77.0915 23.5944C77.0682 23.8589 77.1149 24.1623 77.2004 24.3957C76.2358 22.4276 74.5089 20.4906 73.5832 18.2892C71.9341 14.7653 70.915 10.7902 72.3464 6.72178C75.4813 -1.67954 86.0452 -0.878303 92.6962 2.0466C94.7732 2.91785 96.9047 3.99135 98.9428 4.90928C100.779 5.96722 103.112 7.13407 104.901 8.23869L108.737 10.6657C118.818 17.3635 127.274 26.1304 134.991 35.3719C136.453 37.0599 137.947 38.9891 139.347 40.7394L140.078 41.6728L140.444 42.1551L140.537 42.2796C141.307 43.4309 141.408 45.2901 140.856 46.5425L140.848 46.5503Z" fill="black" fill-opacity="0.2"/>
+<path d="M45.3042 111.651L45.4986 108.049C58.264 124.548 83.3202 140.021 108.439 140.021C144.308 140.021 173.385 115.711 173.385 85.7311C173.385 55.7508 144.308 31.4414 108.439 31.4414C83.9892 31.4414 57.0271 50.111 44.2773 68.3761" fill="#FECB8B"/>
+<path d="M106.02 128.301C112.554 131.825 126.509 133.264 136.933 131.023C146.431 128.978 127.171 142.319 106.937 141.727L106.027 128.301H106.02Z" fill="#FF6700"/>
+<path d="M35.7668 75.6834C26.0586 54.5245 11.6597 47.0567 8.14355 56.2515C5.98099 23.2763 34.1488 53.9333 39.6952 66.652L35.7668 75.6834Z" fill="#FECB8B"/>
+<path d="M15.6191 128.133C29.9325 127.666 36.2646 105.441 36.2102 98.1836L44.2459 110.949C35.3856 122.874 25.9263 129.385 15.6191 128.133Z" fill="black"/>
+<path d="M15.6191 128.133C29.9325 127.666 36.2646 105.441 36.2102 98.1836L44.2459 110.949C35.3856 122.874 25.9263 129.385 15.6191 128.133Z" fill="black" fill-opacity="0.2"/>
+<path d="M41.5418 96.317C44.3344 99.0863 35.8086 84.1895 40.5616 74.4502C64.941 24.5479 118.538 31.938 113.505 33.8205C71.8488 49.4174 67.9204 94.2322 88.6436 122.649L73.9802 129.098C66.6368 130.016 39.1147 106.609 41.534 96.3248L41.5418 96.317Z" fill="#FF6700"/>
+<path d="M48.8984 113.807C41.5083 125.234 29.3031 138.241 14.3596 136.405C9.00767 135.736 4.52696 132.585 2.92449 126.953C-0.381591 115.121 7.07069 97.6575 12.1659 86.977C12.1659 86.977 12.1737 90.812 12.1659 90.7964C6.68174 79.2213 -1.88294 59.7971 0.512995 47.0162C2.55109 36.9813 12.2437 35.8534 20.3728 38.6927C29.1319 41.8354 35.4252 48.6265 40.606 55.8376C43.0875 59.3615 45.2734 63.0332 47.2337 66.8138C49.124 70.7811 43.5153 73.6982 41.3372 69.9254C35.9386 60.2794 28.7274 49.4744 18.0469 45.6238C14.9197 44.5736 10.7268 44.4491 9.50552 45.6082C5.68603 49.1632 8.95321 60.1316 10.3612 64.869C12.7571 72.3913 16.0399 79.9525 19.6182 86.9692C20.2561 88.2138 20.2172 89.6296 19.626 90.7887C16.5611 97.0352 13.8306 103.795 12.0259 110.508C10.8902 115.176 8.72762 124.021 12.7105 127.226C14.7797 128.377 17.3623 128.392 19.7116 128.019C27.5528 126.518 33.9783 119.882 38.8246 113.651C39.8203 112.344 40.8782 110.843 41.7339 109.458C44.76 104.822 51.6133 108.968 48.8906 113.807H48.8984Z" fill="black"/>
+<path d="M48.8984 113.807C41.5083 125.234 29.3031 138.241 14.3596 136.405C9.00767 135.736 4.52696 132.585 2.92449 126.953C-0.381591 115.121 7.07069 97.6575 12.1659 86.977C12.1659 86.977 12.1737 90.812 12.1659 90.7964C6.68174 79.2213 -1.88294 59.7971 0.512995 47.0162C2.55109 36.9813 12.2437 35.8534 20.3728 38.6927C29.1319 41.8354 35.4252 48.6265 40.606 55.8376C43.0875 59.3615 45.2734 63.0332 47.2337 66.8138C49.124 70.7811 43.5153 73.6982 41.3372 69.9254C35.9386 60.2794 28.7274 49.4744 18.0469 45.6238C14.9197 44.5736 10.7268 44.4491 9.50552 45.6082C5.68603 49.1632 8.95321 60.1316 10.3612 64.869C12.7571 72.3913 16.0399 79.9525 19.6182 86.9692C20.2561 88.2138 20.2172 89.6296 19.626 90.7887C16.5611 97.0352 13.8306 103.795 12.0259 110.508C10.8902 115.176 8.72762 124.021 12.7105 127.226C14.7797 128.377 17.3623 128.392 19.7116 128.019C27.5528 126.518 33.9783 119.882 38.8246 113.651C39.8203 112.344 40.8782 110.843 41.7339 109.458C44.76 104.822 51.6133 108.968 48.8906 113.807H48.8984Z" fill="black" fill-opacity="0.2"/>
+<path d="M37.2301 72.7093C49.6454 50.3758 76.9731 31.2939 102.403 28.299C129.302 25.8875 158.653 38.8551 171.091 63.6546C186.486 95.0973 166.603 128.244 135.658 139.617C125.04 143.623 113.565 145.14 102.286 144.198C81.3682 141.966 61.7029 131.433 47.5762 115.992C46.4094 114.802 44.8925 112.795 43.8267 111.503C40.8007 107.614 38.2959 103.359 36.3978 98.7223C35.7521 97.1976 36.4678 95.4396 37.9925 94.7939C39.4471 94.1794 41.1119 94.7939 41.8197 96.1786C44.9625 102.355 49.521 107.948 54.7951 112.771C70.1042 126.781 91.2009 136.536 112.204 135.431C139.431 134.545 169.574 116.015 170.383 86.4237C171.099 56.4279 141.352 36.2958 113.682 35.059C99.6022 33.7988 85.74 38.8162 73.5814 46.3152C61.7184 53.7908 50.5089 63.9035 43.8812 76.241C41.423 80.5739 35.0287 77.1978 37.2457 72.7171L37.2301 72.7093Z" fill="black"/>
+<path d="M37.2301 72.7093C49.6454 50.3758 76.9731 31.2939 102.403 28.299C129.302 25.8875 158.653 38.8551 171.091 63.6546C186.486 95.0973 166.603 128.244 135.658 139.617C125.04 143.623 113.565 145.14 102.286 144.198C81.3682 141.966 61.7029 131.433 47.5762 115.992C46.4094 114.802 44.8925 112.795 43.8267 111.503C40.8007 107.614 38.2959 103.359 36.3978 98.7223C35.7521 97.1976 36.4678 95.4396 37.9925 94.7939C39.4471 94.1794 41.1119 94.7939 41.8197 96.1786C44.9625 102.355 49.521 107.948 54.7951 112.771C70.1042 126.781 91.2009 136.536 112.204 135.431C139.431 134.545 169.574 116.015 170.383 86.4237C171.099 56.4279 141.352 36.2958 113.682 35.059C99.6022 33.7988 85.74 38.8162 73.5814 46.3152C61.7184 53.7908 50.5089 63.9035 43.8812 76.241C41.423 80.5739 35.0287 77.1978 37.2457 72.7171L37.2301 72.7093Z" fill="black" fill-opacity="0.2"/>
+<path d="M95.0231 152.869C105.492 145.879 110.416 134.877 106.022 128.296C101.628 121.714 89.5789 122.045 79.11 129.035C68.641 136.025 63.7166 147.027 68.1109 153.608C72.5051 160.19 84.5542 159.859 95.0231 152.869Z" fill="#FECB8B"/>
+<path d="M106.692 131.999C105.907 130.366 104.592 126.912 102.997 125.924C104.67 132.637 98.5321 142.47 88.4816 147.332C80.1425 151.361 72.239 147.962 69.6175 140.486C69.7653 141.077 66.8482 150.583 67.1127 151.136C70.4343 158.004 81.9861 159.288 92.9078 154.006C103.837 148.724 110.006 138.868 106.684 131.999H106.692Z" fill="#FF6700"/>
+<path d="M89.4844 125.441C83.1445 129.774 76.7735 134.799 73.2651 141.435C70.5736 146.678 69.7879 152.683 77.0691 153.625C82.2265 154.262 87.6796 152.442 92.2148 149.891C97.0067 147.222 100.779 142.983 102.786 137.841C104.008 134.512 104.529 130.645 103.028 127.355C102.592 126.53 102.942 125.496 103.79 125.107C106.419 123.878 108.364 130.428 108.558 132.232C109.546 139.412 106.637 146.577 101.923 151.937C93.4361 161.489 74.1908 168.568 64.5993 156.837C57.2171 146.188 66.3807 132.769 75.6066 127.059C79.4339 124.57 83.5723 122.796 87.8196 121.692C88.932 121.404 90.0678 122.073 90.3556 123.185C90.5812 124.072 90.2078 124.967 89.4844 125.441Z" fill="black"/>
+<path d="M89.4844 125.441C83.1445 129.774 76.7735 134.799 73.2651 141.435C70.5736 146.678 69.7879 152.683 77.0691 153.625C82.2265 154.262 87.6796 152.442 92.2148 149.891C97.0067 147.222 100.779 142.983 102.786 137.841C104.008 134.512 104.529 130.645 103.028 127.355C102.592 126.53 102.942 125.496 103.79 125.107C106.419 123.878 108.364 130.428 108.558 132.232C109.546 139.412 106.637 146.577 101.923 151.937C93.4361 161.489 74.1908 168.568 64.5993 156.837C57.2171 146.188 66.3807 132.769 75.6066 127.059C79.4339 124.57 83.5723 122.796 87.8196 121.692C88.932 121.404 90.0678 122.073 90.3556 123.185C90.5812 124.072 90.2078 124.967 89.4844 125.441Z" fill="black" fill-opacity="0.2"/>
+<path d="M122.923 85.0701C126.982 83.9214 128.717 77.4909 126.798 70.7071C124.878 63.9234 120.031 59.3553 115.971 60.504C111.912 61.6528 110.177 68.0833 112.097 74.867C114.016 81.6508 118.863 86.2189 122.923 85.0701Z" fill="black"/>
+<path d="M122.923 85.0701C126.982 83.9214 128.717 77.4909 126.798 70.7071C124.878 63.9234 120.031 59.3553 115.971 60.504C111.912 61.6528 110.177 68.0833 112.097 74.867C114.016 81.6508 118.863 86.2189 122.923 85.0701Z" fill="black" fill-opacity="0.2"/>
+<path d="M114.012 78.4176C115.6 77.9684 116.344 75.6874 115.675 73.3228C115.006 70.9582 113.177 69.4054 111.589 69.8546C110.002 70.3038 109.257 72.5849 109.926 74.9494C110.595 77.314 112.425 78.8668 114.012 78.4176Z" fill="white"/>
+<path d="M144.486 80.2072C148.301 79.1275 149.932 73.0847 148.128 66.7102C146.325 60.3357 141.769 56.0434 137.954 57.1231C134.138 58.2028 132.507 64.2457 134.311 70.6201C136.115 76.9946 140.67 81.2869 144.486 80.2072Z" fill="black"/>
+<path d="M144.486 80.2072C148.301 79.1275 149.932 73.0847 148.128 66.7102C146.325 60.3357 141.769 56.0434 137.954 57.1231C134.138 58.2028 132.507 64.2457 134.311 70.6201C136.115 76.9946 140.67 81.2869 144.486 80.2072Z" fill="black" fill-opacity="0.2"/>
+<path d="M136.11 73.9515C137.602 73.5292 138.302 71.3839 137.673 69.1598C137.043 66.9358 135.323 65.4752 133.831 65.8975C132.339 66.3198 131.639 68.4651 132.268 70.6891C132.898 72.9131 134.618 74.3737 136.11 73.9515Z" fill="white"/>
+<path d="M116.951 98.9895C116.951 98.9895 117.045 112.735 127.92 111.669C144.302 110.059 160.272 79.1997 130.277 95.5979C122.326 99.9463 116.959 98.9895 116.959 98.9895H116.951Z" fill="black"/>
+<path d="M116.951 98.9895C116.951 98.9895 117.045 112.735 127.92 111.669C144.302 110.059 160.272 79.1997 130.277 95.5979C122.326 99.9463 116.959 98.9895 116.959 98.9895H116.951Z" fill="black" fill-opacity="0.2"/>
+</svg>
diff --git a/makefiles/Makefile b/makefiles/Makefile
index 81c3d6b..cd7ef5e 100644
--- a/makefiles/Makefile
+++ b/makefiles/Makefile
@@ -1,6 +1,9 @@
 SHELL := /usr/bin/env bash
 
-.PHONY: all dev validate-dev-env down clean convex-push convex-env seed-public-datasets ensure-admin-key install-deps
+CONVEX_CLI_URL := http://convex:3210
+CONVEX_CLI_RUN := docker compose -f docker-compose.dev.yml run --rm --build --no-deps
+
+.PHONY: all dev validate-dev-env start-local-keychain stop-local-keychain down clean convex-push convex-env seed-public-datasets ensure-admin-key install-deps build-release
 
 all: dev
 
@@ -8,7 +11,10 @@ install-deps:
 	@cd frontend && npm install --silent
 	@cd backend && npm install --silent
 
-dev: validate-dev-env install-deps
+build-release: install-deps
+	node scripts/build-release.mjs
+
+dev: validate-dev-env install-deps start-local-keychain
 	docker compose -f docker-compose.dev.yml up --build -d db convex convex-dashboard
 	@echo "Waiting for Convex..."
 	@for i in $$(seq 1 120); do \
@@ -30,8 +36,37 @@ dev: validate-dev-env install-deps
 	docker compose -f docker-compose.dev.yml logs -f
 
 validate-dev-env:
-	@test -f .env || { echo "Error: .env not found. Run: cp .env.example .env"; exit 1; }
-	@missing=""; \
+	@if [ ! -f .env ]; then \
+		printf "# Auto-created by make dev. Leave PROD unset for local mode.\n" > .env; \
+		echo "Created local .env"; \
+	fi
+	@prod="$$(grep '^PROD=' .env | cut -d= -f2-)"; \
+	if [[ "$$prod" != "1" ]]; then \
+		ensure_env_var() { \
+			key="$$1"; value="$$2"; \
+			if grep -q "^$$key=" .env; then \
+				current="$$(grep "^$$key=" .env | tail -n1 | cut -d= -f2-)"; \
+				if [[ -z "$$current" ]]; then \
+					sed -i.bak "s#^$$key=.*#$$key=$$value#" .env && rm -f .env.bak; \
+				fi; \
+			else \
+				echo "$$key=$$value" >> .env; \
+			fi; \
+		}; \
+		workspace_id="$$(node -e 'const { createHash } = require("node:crypto"); process.stdout.write(createHash("sha256").update(process.cwd()).digest("hex").slice(0, 16));')"; \
+		token="$$(node -e 'const { randomBytes } = require("node:crypto"); process.stdout.write(randomBytes(32).toString("hex"));')"; \
+		ensure_env_var LOCAL_KEYCHAIN_PORT 3502; \
+		ensure_env_var LOCAL_KEYCHAIN_TIMEOUT_MS 5000; \
+		ensure_env_var BIGSET_LOCAL_WORKSPACE_ID "$$workspace_id"; \
+		ensure_env_var LOCAL_KEYCHAIN_TOKEN "$$token"; \
+	fi
+	@prod="$$(grep '^PROD=' .env | cut -d= -f2-)"; \
+	if [[ "$$prod" != "1" ]]; then \
+		echo "Local mode: Clerk, TinyFish, and OpenRouter env validation skipped."; \
+	fi
+	@prod="$$(grep '^PROD=' .env | cut -d= -f2-)"; \
+	if [[ "$$prod" != "1" ]]; then exit 0; fi; \
+	missing=""; \
 	check_env() { \
 		key="$$1"; placeholder="$$2"; \
 		value="$$(grep "^$$key=" .env | cut -d= -f2-)"; \
@@ -83,6 +118,45 @@ validate-dev-env:
 		exit 1; \
 	fi
 
+start-local-keychain:
+	@prod="$$(grep '^PROD=' .env | cut -d= -f2-)"; \
+	if [[ "$$prod" == "1" ]]; then \
+		echo "Production mode: local keychain bridge skipped."; \
+		exit 0; \
+	fi
+	@mkdir -p .local
+	@if [ -f .local/keychain.pid ]; then \
+		pid="$$(cat .local/keychain.pid)"; \
+		if [[ -n "$$pid" ]] && kill -0 "$$pid" > /dev/null 2>&1; then \
+			kill "$$pid" > /dev/null 2>&1 || true; \
+		fi; \
+		rm -f .local/keychain.pid; \
+	fi
+	@port="$$(grep '^LOCAL_KEYCHAIN_PORT=' .env | tail -n1 | cut -d= -f2-)"; \
+	echo "Starting local keychain bridge on 127.0.0.1:$$port..."; \
+	LOCAL_KEYCHAIN_BIND_HOST=127.0.0.1 WITH_ROOT_ENV_CHILD_PID_FILE=.local/keychain.pid bash -lc 'cd backend && exec node ../scripts/with-root-env.mjs npx tsx src/keychain-server.ts' \
+		> .local/keychain.log 2>&1 & \
+	for i in $$(seq 1 30); do \
+		if curl -sf "http://127.0.0.1:$$port/health" > /dev/null 2>&1; then \
+			echo "Local keychain bridge is up."; \
+			exit 0; \
+		fi; \
+		sleep 1; \
+	done; \
+	echo "Error: local keychain bridge did not start. Last log lines:"; \
+	tail -40 .local/keychain.log; \
+	exit 1
+
+stop-local-keychain:
+	@if [ -f .local/keychain.pid ]; then \
+		pid="$$(cat .local/keychain.pid)"; \
+		if [[ -n "$$pid" ]] && kill -0 "$$pid" > /dev/null 2>&1; then \
+			echo "Stopping local keychain bridge..."; \
+			kill "$$pid" > /dev/null 2>&1 || true; \
+		fi; \
+		rm -f .local/keychain.pid; \
+	fi
+
 ensure-admin-key:
 	@admin_key="$$(grep '^CONVEX_SELF_HOSTED_ADMIN_KEY=' .env | cut -d= -f2-)"; \
 	needs_gen=false; \
@@ -90,8 +164,8 @@ ensure-admin-key:
 		needs_gen=true; \
 	else \
 		echo "Validating Convex admin key..."; \
-		if ! (cd frontend && node ../scripts/with-root-env.mjs npx convex env list \
-			--url http://127.0.0.1:3210 --admin-key "$$admin_key") > /dev/null 2>&1; then \
+		if ! $(CONVEX_CLI_RUN) -e CONVEX_SELF_HOSTED_ADMIN_KEY="$$admin_key" frontend sh -lc \
+			'npx convex env list --url $(CONVEX_CLI_URL) --admin-key "$$CONVEX_SELF_HOSTED_ADMIN_KEY"' > /dev/null 2>&1; then \
 			echo "Admin key is stale (volumes were probably wiped). Regenerating..."; \
 			needs_gen=true; \
 		fi; \
@@ -115,41 +189,47 @@ ensure-admin-key:
 
 convex-env:
 	@test -f .env || { echo "Error: .env not found. Run: cp .env.example .env"; exit 1; }
-	@issuer="$$(grep '^CLERK_JWT_ISSUER_DOMAIN=' .env | cut -d= -f2-)"; \
-		admin_key="$$(grep '^CONVEX_SELF_HOSTED_ADMIN_KEY=' .env | cut -d= -f2-)"; \
-		if [[ -z "$$issuer" || "$$issuer" == "https://your-app.clerk.accounts.dev" ]]; then \
-			echo "Error: CLERK_JWT_ISSUER_DOMAIN must be your Clerk issuer URL in root .env"; \
-			exit 1; \
-		fi; \
-		if [[ -z "$$admin_key" ]]; then \
-			echo "Error: CONVEX_SELF_HOSTED_ADMIN_KEY is missing in root .env"; \
-			echo "Run make dev to generate it automatically."; \
-			exit 1; \
-		fi; \
-		cd frontend && node ../scripts/with-root-env.mjs npx convex env set CLERK_JWT_ISSUER_DOMAIN "$$issuer" \
-		--url http://127.0.0.1:3210 \
-		--admin-key "$$admin_key"
+	@prod="$$(grep '^PROD=' .env | cut -d= -f2-)"; \
+	admin_key="$$(grep '^CONVEX_SELF_HOSTED_ADMIN_KEY=' .env | cut -d= -f2-)"; \
+	if [[ -z "$$admin_key" ]]; then \
+		echo "Error: CONVEX_SELF_HOSTED_ADMIN_KEY is missing in root .env"; \
+		echo "Run make dev to generate it automatically."; \
+		exit 1; \
+	fi; \
+	if [[ "$$prod" != "1" ]]; then \
+		$(CONVEX_CLI_RUN) -e CONVEX_SELF_HOSTED_ADMIN_KEY="$$admin_key" frontend sh -lc \
+		'npx convex env set BIGSET_LOCAL_MODE 1 --url $(CONVEX_CLI_URL) --admin-key "$$CONVEX_SELF_HOSTED_ADMIN_KEY"'; \
+		exit 0; \
+	fi; \
+	issuer="$$(grep '^CLERK_JWT_ISSUER_DOMAIN=' .env | cut -d= -f2-)"; \
+	if [[ -z "$$issuer" || "$$issuer" == "https://your-app.clerk.accounts.dev" ]]; then \
+		echo "Error: CLERK_JWT_ISSUER_DOMAIN must be your Clerk issuer URL in root .env"; \
+		exit 1; \
+	fi; \
+	$(CONVEX_CLI_RUN) -e CONVEX_SELF_HOSTED_ADMIN_KEY="$$admin_key" frontend sh -lc \
+	'npx convex env set BIGSET_LOCAL_MODE 0 --url $(CONVEX_CLI_URL) --admin-key "$$CONVEX_SELF_HOSTED_ADMIN_KEY"'; \
+	$(CONVEX_CLI_RUN) -e CONVEX_SELF_HOSTED_ADMIN_KEY="$$admin_key" -e CLERK_JWT_ISSUER_DOMAIN="$$issuer" frontend sh -lc \
+	'npx convex env set CLERK_JWT_ISSUER_DOMAIN "$$CLERK_JWT_ISSUER_DOMAIN" --url $(CONVEX_CLI_URL) --admin-key "$$CONVEX_SELF_HOSTED_ADMIN_KEY"'
 
 convex-push:
 	@test -f .env || { echo "Error: .env not found. Run: cp .env.example .env"; exit 1; }
 	@admin_key="$$(grep '^CONVEX_SELF_HOSTED_ADMIN_KEY=' .env | cut -d= -f2-)"; \
-		if [[ -z "$$admin_key" ]]; then \
-			echo "Error: CONVEX_SELF_HOSTED_ADMIN_KEY is missing in root .env"; \
-			echo "Run make dev to generate it automatically."; \
-			exit 1; \
-		fi; \
-		cd frontend && node ../scripts/with-root-env.mjs npx convex deploy \
-		--url http://127.0.0.1:3210 \
-		--admin-key "$$admin_key"
+	if [[ -z "$$admin_key" ]]; then \
+		echo "Error: CONVEX_SELF_HOSTED_ADMIN_KEY is missing in root .env"; \
+		echo "Run make dev to generate it automatically."; \
+		exit 1; \
+	fi; \
+	$(CONVEX_CLI_RUN) -e CONVEX_SELF_HOSTED_ADMIN_KEY="$$admin_key" frontend sh -lc \
+	'npx convex deploy --url $(CONVEX_CLI_URL) --admin-key "$$CONVEX_SELF_HOSTED_ADMIN_KEY"'
 
 seed-public-datasets:
 	@test -f .env || { echo "Error: .env not found. Run: cp .env.example .env"; exit 1; }
 	@cd frontend && node ../scripts/with-root-env.mjs npx convex run publicSeed:seedPublicDatasets
 
-down:
+down: stop-local-keychain
 	docker compose -f docker-compose.dev.yml down
 
-clean:
+clean: stop-local-keychain
 	docker compose -f docker-compose.dev.yml down -v --rmi local
 	@if [ -f .env ]; then \
 		sed -i.bak 's|^CONVEX_SELF_HOSTED_ADMIN_KEY=.*|CONVEX_SELF_HOSTED_ADMIN_KEY=|' .env && rm -f .env.bak; \
diff --git a/scripts/build-release.mjs b/scripts/build-release.mjs
new file mode 100644
index 0000000..45e3ea3
--- /dev/null
+++ b/scripts/build-release.mjs
@@ -0,0 +1,282 @@
+#!/usr/bin/env node
+import { spawnSync } from "node:child_process";
+import { existsSync } from "node:fs";
+import {
+  cp,
+  mkdir,
+  rm,
+  stat,
+  writeFile,
+} from "node:fs/promises";
+import { createRequire } from "node:module";
+import { dirname, join, resolve } from "node:path";
+import { fileURLToPath } from "node:url";
+
+const repoRoot = resolve(dirname(fileURLToPath(import.meta.url)), "..");
+const frontendDir = join(repoRoot, "frontend");
+const backendDir = join(repoRoot, "backend");
+const distDir = join(repoRoot, "dist");
+const workDir = join(distDir, "release-work");
+const packageRoot = join(workDir, "bigset");
+const artifactPath = join(distDir, "bigset-build.zip");
+const sizeLimitBytes = 50 * 1024 * 1024;
+const convexRuntimePackages = ["convex", "esbuild", "@esbuild", "prettier", "ws"];
+
+function run(command, args, options = {}) {
+  const result = spawnSync(command, args, {
+    cwd: options.cwd ?? repoRoot,
+    env: { ...process.env, ...options.env },
+    shell: options.shell ?? false,
+    stdio: "inherit",
+  });
+  if (result.status !== 0) {
+    process.exit(result.status ?? 1);
+  }
+}
+
+async function assertExists(path, message) {
+  if (!existsSync(path)) {
+    throw new Error(message);
+  }
+}
+
+async function fileSize(path) {
+  return (await stat(path)).size;
+}
+
+function formatBytes(bytes) {
+  const mb = bytes / 1024 / 1024;
+  return `${mb.toFixed(mb >= 10 ? 1 : 2)} MB`;
+}
+
+function powerShellQuote(value) {
+  return `'${value.replaceAll("'", "''")}'`;
+}
+
+function createZipArtifact() {
+  if (process.platform === "win32") {
+    run("powershell.exe", [
+      "-NoProfile",
+      "-NonInteractive",
+      "-Command",
+      `Compress-Archive -LiteralPath ${powerShellQuote(join(workDir, "bigset"))} -DestinationPath ${powerShellQuote(artifactPath)} -CompressionLevel Optimal -Force`,
+    ], { shell: false });
+    return;
+  }
+
+  run("zip", ["-qry", "-9", artifactPath, "bigset"], { cwd: workDir });
+}
+
+async function writeStartScript() {
+  await writeFile(
+    join(packageRoot, "start.mjs"),
+    `#!/usr/bin/env node
+import { spawn } from "node:child_process";
+import { fileURLToPath } from "node:url";
+
+const root = new URL(".", import.meta.url);
+const fromRoot = (path) => fileURLToPath(new URL(path, root));
+const backendPort = process.env.BIGSET_BACKEND_PORT || "3501";
+const frontendPort = process.env.BIGSET_FRONTEND_PORT || "3500";
+const backendUrl = process.env.NEXT_PUBLIC_BACKEND_URL || \`http://127.0.0.1:\${backendPort}\`;
+const frontendUrl = \`http://127.0.0.1:\${frontendPort}\`;
+const convexUrl = process.env.NEXT_PUBLIC_CONVEX_URL || process.env.CONVEX_URL || "http://127.0.0.1:3210";
+
+const children = [];
+
+function start(name, command, args, env, cwd) {
+  const child = spawn(command, args, {
+    cwd,
+    env,
+    stdio: ["ignore", "pipe", "pipe"],
+  });
+  children.push(child);
+  child.stdout.on("data", (chunk) => process.stdout.write(\`[\${name}] \${chunk}\`));
+  child.stderr.on("data", (chunk) => process.stderr.write(\`[\${name}] \${chunk}\`));
+  child.on("error", (err) => {
+    if (shuttingDown) return;
+    console.error(\`\\n\${name} failed to start: \${err.message}\`);
+    shutdown(1);
+  });
+  child.on("exit", (code, signal) => {
+    if (shuttingDown) return;
+    console.error(\`\\n\${name} exited unexpectedly\${signal ? \` with signal \${signal}\` : \` with code \${code}\`}\`);
+    shutdown(code ?? 1);
+  });
+  return child;
+}
+
+let shuttingDown = false;
+function shutdown(code = 0) {
+  shuttingDown = true;
+  process.exitCode = code;
+  for (const child of children) {
+    if (child.pid && !child.killed) child.kill("SIGTERM");
+  }
+  setTimeout(() => process.exit(code), 250).unref();
+}
+
+process.on("SIGINT", () => shutdown(0));
+process.on("SIGTERM", () => shutdown(0));
+
+start(
+  "backend",
+  process.execPath,
+  [fromRoot("./backend/backend.mjs")],
+  {
+    ...process.env,
+    PORT: backendPort,
+    CLIENT_ORIGIN: frontendUrl,
+    CONVEX_URL: convexUrl,
+    NEXT_PUBLIC_CONVEX_URL: convexUrl,
+    NEXT_PUBLIC_BACKEND_URL: backendUrl,
+    REFRESH_SCHEDULER_ENABLED: process.env.REFRESH_SCHEDULER_ENABLED ?? "false",
+  },
+  fromRoot("./backend"),
+);
+
+start(
+  "frontend",
+  process.execPath,
+  [fromRoot("./frontend/server.js")],
+  {
+    ...process.env,
+    PORT: frontendPort,
+    HOSTNAME: process.env.HOSTNAME || "127.0.0.1",
+    NEXT_PUBLIC_BACKEND_URL: backendUrl,
+    NEXT_PUBLIC_CONVEX_URL: convexUrl,
+    NEXT_PUBLIC_PROD: process.env.NEXT_PUBLIC_PROD || "",
+    PROD: process.env.PROD || "",
+  },
+  fromRoot("./frontend"),
+);
+
+console.log("");
+console.log("BigSet release build is starting.");
+console.log(\`  App:     \${frontendUrl}\`);
+console.log(\`  Backend: \${backendUrl}\`);
+console.log(\`  Convex:  \${convexUrl}\`);
+console.log("");
+console.log("Convex is provided by the CLI launcher or another local Convex process.");
+console.log("Press Ctrl+C to stop.");
+`,
+    { mode: 0o755 },
+  );
+}
+
+async function writeReadme() {
+  await writeFile(
+    join(packageRoot, "README.txt"),
+    `BigSet local release build
+
+Run:
+  node start.mjs
+
+Ports:
+  App:     http://127.0.0.1:3500
+  Backend: http://127.0.0.1:3501
+
+Overrides:
+  BIGSET_FRONTEND_PORT=4500 BIGSET_BACKEND_PORT=4501 node start.mjs
+
+This artifact does not bundle the Convex binary. Start it with the BigSet CLI,
+or run Convex locally and set CONVEX_URL/NEXT_PUBLIC_CONVEX_URL. The Convex app
+source and CLI runtime are included so the BigSet CLI can deploy functions to a
+fresh local Convex backend.
+`,
+  );
+}
+
+async function bundleBackend() {
+  const requireFromBackend = createRequire(join(backendDir, "package.json"));
+  const esbuild = requireFromBackend("esbuild");
+
+  await esbuild.build({
+    absWorkingDir: backendDir,
+    entryPoints: ["src/index.ts"],
+    bundle: true,
+    platform: "node",
+    format: "esm",
+    target: "node22",
+    outfile: join(packageRoot, "backend", "backend.mjs"),
+    banner: {
+      js: `import { createRequire as __bigsetCreateRequire } from "node:module"; const require = __bigsetCreateRequire(import.meta.url);`,
+    },
+    packages: "bundle",
+    logLevel: "warning",
+  });
+}
+
+async function copyConvexRuntime() {
+  await cp(join(frontendDir, "convex"), join(packageRoot, "frontend", "convex"), {
+    recursive: true,
+  });
+
+  for (const packageName of convexRuntimePackages) {
+    const source = join(frontendDir, "node_modules", packageName);
+    if (!existsSync(source)) continue;
+    await cp(source, join(packageRoot, "frontend", "node_modules", packageName), {
+      recursive: true,
+    });
+  }
+}
+
+async function main() {
+  await rm(workDir, { recursive: true, force: true });
+  await rm(artifactPath, { force: true });
+  await mkdir(join(packageRoot, "backend"), { recursive: true });
+  await mkdir(join(packageRoot, "frontend"), { recursive: true });
+
+  console.log("Building frontend standalone output...");
+  run("npm", ["run", "build"], {
+    cwd: frontendDir,
+    shell: process.platform === "win32",
+    env: {
+      NEXT_PUBLIC_BACKEND_URL: "http://127.0.0.1:3501",
+      NEXT_PUBLIC_CONVEX_URL: "http://127.0.0.1:3210",
+      NEXT_PUBLIC_PROD: "",
+      PROD: "",
+    },
+  });
+
+  console.log("Bundling backend...");
+  await bundleBackend();
+
+  const standaloneDir = join(frontendDir, ".next", "standalone");
+  await assertExists(
+    standaloneDir,
+    "Next standalone output was not found. Make sure frontend/next.config.ts has output: \"standalone\".",
+  );
+
+  console.log("Assembling release directory...");
+  await cp(standaloneDir, join(packageRoot, "frontend"), { recursive: true });
+  await cp(join(frontendDir, "public"), join(packageRoot, "frontend", "public"), {
+    recursive: true,
+  });
+  await cp(
+    join(frontendDir, ".next", "static"),
+    join(packageRoot, "frontend", ".next", "static"),
+    { recursive: true },
+  );
+  await copyConvexRuntime();
+  await writeStartScript();
+  await writeReadme();
+
+  console.log("Creating zip artifact...");
+  createZipArtifact();
+
+  const artifactSize = await fileSize(artifactPath);
+  console.log("");
+  console.log(`Artifact: ${artifactPath}`);
+  console.log(`Size:     ${formatBytes(artifactSize)}`);
+  if (artifactSize > sizeLimitBytes) {
+    console.warn(
+      `Warning: artifact is above the ${formatBytes(sizeLimitBytes)} target.`,
+    );
+  }
+}
+
+main().catch((err) => {
+  console.error(err instanceof Error ? err.message : err);
+  process.exit(1);
+});
diff --git a/scripts/with-root-env.mjs b/scripts/with-root-env.mjs
index 238000d..c04c3e7 100644
--- a/scripts/with-root-env.mjs
+++ b/scripts/with-root-env.mjs
@@ -1,11 +1,14 @@
 #!/usr/bin/env node
 import { spawn } from "node:child_process";
-import { existsSync, readFileSync } from "node:fs";
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
 import { dirname, resolve } from "node:path";
 import { fileURLToPath } from "node:url";
 
 const repoRoot = resolve(dirname(fileURLToPath(import.meta.url)), "..");
 const rootEnvPath = resolve(repoRoot, ".env");
+const childPidFile = process.env.WITH_ROOT_ENV_CHILD_PID_FILE
+  ? resolve(repoRoot, process.env.WITH_ROOT_ENV_CHILD_PID_FILE)
+  : null;
 
 if (existsSync(rootEnvPath)) {
   for (const line of readFileSync(rootEnvPath, "utf8").split(/\r?\n/)) {
@@ -26,6 +29,9 @@ if (existsSync(rootEnvPath)) {
   }
 }
 
+const childEnv = { ...process.env };
+delete childEnv.WITH_ROOT_ENV_CHILD_PID_FILE;
+
 const [command, ...args] = process.argv.slice(2);
 if (!command) {
   console.error("Usage: node scripts/with-root-env.mjs <command> [...args]");
@@ -33,14 +39,57 @@ if (!command) {
 }
 
 const child = spawn(command, args, {
-  env: process.env,
+  env: childEnv,
   shell: process.platform === "win32",
   stdio: "inherit",
 });
 
+if (childPidFile && child.pid) {
+  mkdirSync(dirname(childPidFile), { recursive: true });
+  writeFileSync(childPidFile, `${child.pid}\n`);
+}
+
+let forwardingSignal = null;
+const signalHandlers = new Map();
+
+function childHasExited() {
+  return child.exitCode !== null || child.signalCode !== null;
+}
+
+function waitForChildExit() {
+  if (childHasExited()) return Promise.resolve();
+  return new Promise((resolveExit) => {
+    child.once("exit", () => resolveExit());
+  });
+}
+
+function exitWithSignal(signal) {
+  for (const [registeredSignal, handler] of signalHandlers) {
+    process.off(registeredSignal, handler);
+  }
+  process.kill(process.pid, signal);
+}
+
+async function forwardSignal(signal) {
+  if (forwardingSignal) return;
+  forwardingSignal = signal;
+  if (!childHasExited()) child.kill(signal);
+  await waitForChildExit();
+  exitWithSignal(signal);
+}
+
+for (const signal of ["SIGINT", "SIGTERM"]) {
+  const handler = () => {
+    void forwardSignal(signal);
+  };
+  signalHandlers.set(signal, handler);
+  process.on(signal, handler);
+}
+
 child.on("exit", (code, signal) => {
+  if (forwardingSignal) return;
   if (signal) {
-    process.kill(process.pid, signal);
+    exitWithSignal(signal);
     return;
   }
   process.exit(code ?? 1);