diff --git a/.env.prod.enc b/.env.prod.enc
index 2454674..c0e320c 100644
--- a/.env.prod.enc
+++ b/.env.prod.enc
@@ -1,38 +1,38 @@
-#ENC[AES256_GCM,data:TS4j3twMFoZh,iv:67VeU7kyhgPK0TptCh60HYxLTe56pK2862zEboOr26M=,tag:4JiTyCGuL3fqU7LlqtYzkA==,type:comment]
-DATABASE_URL=ENC[AES256_GCM,data:9c2V8Ezkdb4sXC+mrz6BhrtesdQ7pnA5PjrffBIRBHNfPSkZft1HrIGAEvgde25jFeXt1Ck=,iv:LSzvRX/PSto7ROQ5TXCM3G5pg/Qm2RiQnX1ZOw2Gc3Y=,tag:OkYD9v2+pZpQBNQay1Cxyg==,type:str]
-SESSION_SECRET=ENC[AES256_GCM,data:W2tBSuCsF69dFbX+uYYa/5H6KKnVWYl3Bibez0btM8g=,iv:DE3NdgXvRJbd6Xvnu9ZVCmOhzbANvvw9X/DkcZAGGHw=,tag:gs+2u6AmFGISNW+3mCjSLQ==,type:str]
-PORT=ENC[AES256_GCM,data:ZbjWrQ==,iv:LNymntIzDLZO3Y4+ROk0StHRoD73LP5ympAFIeihC9s=,tag:PiiFCezINAJjqOAyOFM8Rg==,type:str]
-#ENC[AES256_GCM,data:T5oV,iv:rsC4Pk0F4XQ2lVXl+mKL+hrnBYQAMuWuaJPgvfleXPg=,tag:eC85ejuc/0YgfrrtIxCXSA==,type:comment]
-S3_BUCKET=ENC[AES256_GCM,data:uguPyh8NpEh5UQtgeBBd,iv:trAHyJZ0JDG4d4G2mudHLcvsq3Mimlw+GnGvf4DrbmU=,tag:Cs1RVRextKulmyknzr6qYg==,type:str]
-S3_ENDPOINT=ENC[AES256_GCM,data:XmbQiGK/QP7SEazjUrAZWX0daHnXNWNmWqzbSzh5goFBkR62aKB9IefC8wtQ9NTySQlNv+kuisVOHQJ8/SFvVx4=,iv:AIur7LSlRhHwcPYnuasW89dt/Zr6I/qtmwVJfy3gHdE=,tag:IuTmLbTUmIw8fKm2xCKXiQ==,type:str]
-S3_ACCESS_KEY=ENC[AES256_GCM,data:3pnGOvtCorluqErK6kZtUz7cYJQaUsJgl2X7mqZDgg0=,iv:L2D4WRE45Q2L7S6WY0tffaS9KRqNTvXZLtwJMU6tHSw=,tag:ZOpEFvpihR0tcsQ4WVSDsg==,type:str]
-S3_SECRET_KEY=ENC[AES256_GCM,data:e+wGR1nZbyDZ8J/inqOooffPYlFHxa7mS1XujmP45LZx704GIs6RLZ4v1WPkjuoq1NoGV3HPe3gk5u2vU3vz5w==,iv:6TtKzHjhQG5xCnhLFPmp/CEIlBGB6sZIEkDjeIU+OWE=,tag:O0biF8VDHRYz7YBy2OgDAg==,type:str]
-CF_ACCOUNT_ID=ENC[AES256_GCM,data:OO7KrYgpLwbj/VWx+6bSCL4qo7LhjcjNPFQfl0Gg0KA=,iv:h1vVwXbxdRBbU+FbGpdZrbFarKdYzDn+aUS8fvLhyyc=,tag:y80M9a7h45UIrCFDO8h/Ow==,type:str]
-CF_API_TOKEN=ENC[AES256_GCM,data:iJdQyRQScMxcrcU4CEQgW7+qKWmb7s93QRcYgh291Qzf3NC59ExxnOpBU++ZV6LFWjUDdUU=,iv:xztI5eMbEk1WNw3o9zrjbi8jJ8NtAuMJl9FbWTUsaTE=,tag:1lOSYrww6hZ/WjWzSTW04Q==,type:str]
-ARK_DEFAULT_NAAN=ENC[AES256_GCM,data:8xsRwK8=,iv:tCaPuOCVI5aoxnwxTKa7OMqGFQD+W8ll76Q8Srw9gt4=,tag:C03OWlm2jOOcSrCGNn2whA==,type:str]
-#ENC[AES256_GCM,data:+BWEFM6L6aD1rMG+g/Fypx73,iv:7ez6bhjdrh4suF7FnzeqbV9YaGWQjdzHwrg5C12POdA=,tag:lPwrgKv9U94oei4l9wnPsg==,type:comment]
-UNDERLAY_UPSTREAM_API_KEY=ENC[AES256_GCM,data:gg8Fm3ngcXfMSqnravyzd4F7nVaOfjF0kLq6akC4c41pqoc=,iv:3tjfQSU3RoapeTpZ/26b/cRyXEET1/plU/zAAZqBUek=,tag:SchlwcyYhcStKabyhHXHsA==,type:str]
-DEPLOY_HOST=ENC[AES256_GCM,data:R3wMJvEgnZLS2sUzJQ==,iv:ILujgHggz/XnjDQajRC5UPSdiKWGPqDtpG7MxbfycBI=,tag:gjmxSKYwdxKt0PZzoxE5Uw==,type:str]
-#ENC[AES256_GCM,data:kYe5O3MvtkE=,iv:SsygxrvIPlPYGwdmgghhWQEmhYXfHTqjYEcqQBwdBn8=,tag:c7IPDL4NUvHDY/HvALw4Qg==,type:comment]
-OIDC_ISSUER_URL=ENC[AES256_GCM,data:6EoGyzM6mMjE7gkG2VHCmf7wjfoUAebL2xNX2b4AlohZ,iv:J9UCzieBnS67x1SF99LQxNXRFtXnzAsx/nKgHZAsEtg=,tag:aXKXAXOhWUiqts1j/85y1A==,type:str]
-OIDC_CLIENT_ID=ENC[AES256_GCM,data:YJZQDDDbW3SCUsw=,iv:i02lGIh0O1Ni0pnQzFQwdA4yGW7DMaGBern62zEurdc=,tag:HyQbPDlIRPkodn9mMixrgw==,type:str]
-OIDC_CLIENT_SECRET=ENC[AES256_GCM,data:CKbYqzPEHYnffkosxGMzbaUQrjmAr1mbpkEObM/COucG+nr35sJ0eZCVUgq9rh4fSXh7XX8R5MUGrjSamTZBtg==,iv:2JwORSKnfi+7apoQKkxYAxwBK0WjWLSADDowRExcRik=,tag:AYwc/V95qREMocDAo7cMSA==,type:str]
-AUTH_INTERNAL_API_KEY=ENC[AES256_GCM,data:T80WuhiPSGm1FMNsvrM+4wRINOSvxhxoVMXeybBOjiNrKb4V6PxX54R3rweyqe2AJNdYlv2zaiQVYX3C3cvQ9Q==,iv:ycYFuwUGrSJGXw9gwxWQrG4Xj1DZfBW0SoUaBRopBAo=,tag:+FZQLFaWnwQSBZQUynAwxw==,type:str]
-OIDC_ACCOUNT_URL=ENC[AES256_GCM,data:bqv5vgziTgy55XFOdtYm+qPzmFNrs7Xn4kTxCPzcHy7ikbSJ,iv:+9jMnI8mQgZm9c2+5BQCpO8fkOdDoXj/4WifPjH8LHE=,tag:1fHxiv8ST6DOYCnw2kWn3g==,type:str]
-APP_URL=ENC[AES256_GCM,data:GgfRNwfNJ7O3mCanfl+EyvDT8bqH/qE=,iv:4soW9wM1vyXRMWSSU9ZuGKwwXWr0/BNQt9eU+K7Ahjc=,tag:PfFGv8qnIOufUXfORF5D3w==,type:str]
-sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGN01qQVdQTHlHcWJHbHNI\nUXVnaE1EcEUxRG12UGx4YTU3SmdBUmhuYmwwClkvaUZHelB6a1FTQ1YrbzJia2dR\nRkRaQUJJejhMeUJLMnpqUmRTTVBBbm8KLS0tIFZmNkcrTWVZUnpaMGU2N3VsOVc2\nNTYxemxzQmxxbDhDeTQybnRxd0NrQzgK6AwczPTgFWItfLq6+jc3d8AwHBJ6UfOo\nnJoEcNu1hjcXWxb3PLeEVer9ICR1VcYBZEtyOZ1dPKgb3OLOjTym7g==\n-----END AGE ENCRYPTED FILE-----\n
+#ENC[AES256_GCM,data:O+nchjkaQ9wK,iv:c0fbl/PM6wnYbj+HDT4d8mOuHCq9VngfpJsxQqYrmt4=,tag:mGQWYUJh0wZFcUcWS57f+Q==,type:comment]
+DATABASE_URL=ENC[AES256_GCM,data:nC9pqB4zDScCNkW/QdgTcvF19uhmuZm8WtrmQ0AtGO2vHaevdDx8EUAAuLF5hQWmGfW6LFQ=,iv:xo5W+yttEazn8AckWFnc9IoALdQ8uRM6TS/GFLrVNiQ=,tag:sjmfGbyejGCZDGxOxz+oBg==,type:str]
+SESSION_SECRET=ENC[AES256_GCM,data:AfAiynfkB7KFNpcs13IwUULNR4uJNvSA1sRcimBdXxe+k7rcozMk83fD/lMgNLclv8wv2qQ3EIKs/+Ar6UlB3g==,iv:CUtywxHxGTANbpPsoebYLWoWaUMnuuHThxxQdUnEaEY=,tag:Kpm2rU+4BmKCy6h05bPq5A==,type:str]
+PORT=ENC[AES256_GCM,data:EVfPrw==,iv:YI4epRUkR0+1ejKcBIja+CrPu/HuCjgeg8mN4djU4+0=,tag:JVlgeXZ4x6gSOWAdjO8/lQ==,type:str]
+#ENC[AES256_GCM,data:+sXw,iv:jL1yf95M/jAyYcPcJagLa7gAURDw3HdhPQ8lAmY5AN4=,tag:5D9nLPujVjks9fCqieYbZg==,type:comment]
+S3_BUCKET=ENC[AES256_GCM,data:4vG/sXkvLEKbq88Sd9/K,iv:T7tyAHgcMeFP7BvW9Xbq5nRUtw4imj4+qZLWDe6QhuM=,tag:P3dlKD6FMP0MBQTUz1HwIQ==,type:str]
+S3_ENDPOINT=ENC[AES256_GCM,data:mbSEK3wkiUuxg3ETQtVIg8fLfODrc0QFjl1WX0x1YFHu9md1T5/Yn7ibq1QaOI1db3okrwnBTBn6tEmgU5QSWjg=,iv:4j9Q1fquwwcCeCC6kyOf7ZkfRDxanBrDnC7CVVlavrU=,tag:Tt8fsgbzn/DBaoA9Vn/IYw==,type:str]
+S3_ACCESS_KEY=ENC[AES256_GCM,data:A+prb2tXs2GMeIDYRY3+bcSdn12JoSZ77QHeXQIXKYI=,iv:7Nix4bEZh/uSRNJDiDE0oiYJFZ/tGTBSi0Nn7+ZL6NU=,tag:E1RpsL61fnXaC5C02KZbZQ==,type:str]
+S3_SECRET_KEY=ENC[AES256_GCM,data:cyRoknQkJi5xabRdE1NovpibJJFpIb0JQsX00Jrd/2m7kRrbu056KqWdW+QXcVNdokXunbz1wTP+3dyP8DgwhQ==,iv:wXh6W76thveWGu0Iq2Fe9cxJJrMRzrpg/4cGWGC/8ro=,tag:kXn7sCPU04LYuOSWz78+rg==,type:str]
+CF_ACCOUNT_ID=ENC[AES256_GCM,data:FHIDA3WRC7/t+NHQgGqULG6a5xI+A+e4pPeMz5ZvbMs=,iv:1Vk0BSWIqZGhA5og0nVGxZDFI4ylEm+XuzxbGltwpLA=,tag:kAUpABomnLzd3VKWR7/R4g==,type:str]
+CF_API_TOKEN=ENC[AES256_GCM,data:bB4adE2h8VyRDzv6kXpBa0IoCiRY3aMWYAMtHeWYxjZbyMuvyeGfeoX4symD05H4BCm1oDs=,iv:hVwnSPZjjIDbOnaUN8ggbWuQ7PqrxzzpSiaTospY5Qc=,tag:HwoZBW1cehaPDcHwzVKAXw==,type:str]
+ARK_DEFAULT_NAAN=ENC[AES256_GCM,data:TzSzgMI=,iv:aue3Wv7kPd7d1U745YalEjV//rTq0BtzYXzPOJPfync=,tag:sgbJapnwMSaNaxlXXmPBEA==,type:str]
+#ENC[AES256_GCM,data:bm0c2TWxwFykuTIMW/2YLesr,iv:H1vQLauzzMMGndOsh2AHIhNAlH2VV+FlN0l7bOjv5SY=,tag:8hvh877Rl0zh1FeL0kDxDQ==,type:comment]
+UNDERLAY_UPSTREAM_API_KEY=ENC[AES256_GCM,data:gHG8XChBFKsZwySUsIsmbwmRqPCOj5dJ4Rj0mu1i1Iuz0Cw=,iv:WCPG3HIUrraUdaLUZ/EotGbpcXTtkncWYA4KBck/QqU=,tag:CknwtSknBCNmQIrzdjQaVw==,type:str]
+DEPLOY_HOST=ENC[AES256_GCM,data:LAyqgvv86wbjaZfI1w==,iv:Bo647hzSqyvJDQ+r1zWjWEWY5PQ1yXd396rIaZzLC+g=,tag:qCiRHP9gUpn3bf4AWYs/Og==,type:str]
+#ENC[AES256_GCM,data:YQpq1XCNqmk=,iv:mhg6Kldq246GC5Qh0peXp7xOOa7LjCpaGauBkzIrP3A=,tag:rmMCKHxrEX3SByAnBJh+UA==,type:comment]
+OIDC_ISSUER_URL=ENC[AES256_GCM,data:Wi31C6exKWScoJpohcQ9FVnNIB0RwPczf6XNt+5skQaO,iv:ZFRHNXVBuNBJkrLoePKPpQB+awzWvKPrujcuF9uc0lY=,tag:hAikIZJTvfRriZ3JecVaew==,type:str]
+OIDC_CLIENT_ID=ENC[AES256_GCM,data:8tjJVzF7aH796rw=,iv:od+vi7jOtMjBe8oFZqtuODNeQS7QISxMJMUd/X9yrJA=,tag:upZ0nyb1pNTYEsy1lNEOjQ==,type:str]
+OIDC_CLIENT_SECRET=ENC[AES256_GCM,data:51ggvZnGCb568LUFmXvp15pRo52yKUwxc8VVoaM2AYUdikxsinkUvL1FsESfO9j4a6cTaxMIZUkUhQ6nNNQAXQ==,iv:8wVy9lJZhe+3u9rPf6lcDIS1JnkyNxUGt6bq17TIhyY=,tag:gtBQie5BFm2sgPlbYpBvCQ==,type:str]
+AUTH_INTERNAL_API_KEY=ENC[AES256_GCM,data:Eqt1KQyxlZ4JEMN1RBdcwzogqQ6eyUEljj6FFIULjQ1wV5tE1ZgxrOKp4inyx1Mfdz6kpKhf8nH/vX3S4P9xJg==,iv:L4VBSArsYDoPmQHDi7Mo4qjItJlV8AdfTaP097y4laQ=,tag:oEuGjoPRE5BUNxmO+lpjqA==,type:str]
+OIDC_ACCOUNT_URL=ENC[AES256_GCM,data:joXmwqCkLkvlF/2tDN0i03R1vzcseoskA+eznd9PGzKiwnyI,iv:ibZJXcxCKIm185jIg42p8sk0q2Y0GvCJi4FKfrICYK4=,tag:i6ny1ZdCRsaqNil+CX76Lg==,type:str]
+APP_URL=ENC[AES256_GCM,data:0Cc7cFdS5esZGYQXPISblLRNuvIvBe1r,iv:nmjOnMgLcojCOElb7ZT97NZO4YAOWoQB2fxOzwm8Vgw=,tag:IqFinV59tu8kaTfR0Tj5DA==,type:str]
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOVmpOUHpjV1AvbDY0eVpZ\nV3htMzB6SU43eHRtNDlmUW92NjR0Yk5CWVdFCmxzRDNZQXFLY3hMVXQ4WkFwNWtD\nYmx0STY5QjgzeUlYL0xpcnlKRmk2UXMKLS0tIGpuQ29QaVdPSFM1bktBb3VnbHI0\naVBSeGViSWRFcHE5VHF3UVFoK2E4WGMKo0o66lKkVKBrw5QAvZRjplj4ySIdn021\nS494v7X+emlBKfDCD4XHnSfyktgitSu5KTDVaeViix+EeiXLfsDeAQ==\n-----END AGE ENCRYPTED FILE-----\n
 sops_age__list_0__map_recipient=age1wravpjmed26772xfjhawmnsnc4933htapg6y5xseqml0jdv8z9hqemzhcr
-sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjWEN5L1BtRloyWHNzZklN\nL05uazJLTWRGS0pXQVMvQU5kd1p6K0RDQVM0ClJBd0lsQ1N4bmp0OTMwRmpNQXAr\ndTd1ZEZqaFhoYzU2RzRYN1Y0aHNXSEkKLS0tIG1uMDZvRWF3VnN3ZXZwb1VwVGNm\nMmd6TmxxeUkxdi9CQkQ4Wm5qQVVya2MK9TRB9XCAtavdWC+rQnGd9MAfn4KenAQI\nludEN39eo296ZzAUE6WJ5/7y4U4CcpCyKBPILKdCjpeNRYQ6pmR8wg==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHZGI0NnpoY3VrelFrZjZw\nWStqK2VIU0NPMGs3Mk8ySU5uQS9saVFmQ0JFCnkvZjczWkQvKzdFdG5lTThyNTJr\nbGd0dzVsZlp5U0M4ZG92TUtteXFSR00KLS0tIGY0OGJteHBjN1A3MkV0aGpUS3M3\nRXZYbng1MVVITXJEQ0lpY1lJdllLa2MKHzX1gXYmdiMyid18xDUtdk8jej7DYG4W\nwbum7nH+/KmJbCS0NZDIpPkAUmDth1AZUUnFujMqtkLZ7YNChWmIAg==\n-----END AGE ENCRYPTED FILE-----\n
 sops_age__list_1__map_recipient=age1ysddqggsx3h8zkv7xn3z26sjak5pqms6pyqhnky9ukrvpk7es5jsayz8w7
-sops_age__list_2__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCcCtkYTNvUm51TmV2YWZ1\nRitKQkw2RUJwdkltYlhvUWpNazI5TUJwcnpjCjNrTms3ZFVXUGhlaXBlamRETXBE\nN0Vud20wbU1FUXNmQVp5YnFVZncwalkKLS0tIDdPQk5KbUo4ZmRpa1AzWk9pRlFB\nNU8zN3lLRnNpQ3RMRnBXWGlOTTBWQzQKXtQDtLS0TNZiW46EsrW6tnbxXc773oMW\nH8BWDxRavEpiRyqkH1EKjEBzTA3xKfwaG3RT6d6tUY6g9PnuL0BkoA==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_2__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDSkl2eVJXV3FGMkZ2S1c4\nOGlneUdERTFCTkJpTE92WVBXWW5qR2RLTkRRCmFxTkVlMVJ3RDk3N0VQb2ZuV0Qy\nYmlvcDdNei9mdUQxcnhjdXgxYWtBem8KLS0tIFJ0WkRDM25nL04wNFpCOTVMZFpN\ncWNlTTdFNXEvQzE4b1VaY3IyUVIyTmcKtk/miVOnklKdwunwSK3teaU2zVQzFOjW\n0e5FEBfMfs4Th840y62f594v6z8/rRnYeH6vYEk4Tj0Rjr2ISIqXGQ==\n-----END AGE ENCRYPTED FILE-----\n
 sops_age__list_2__map_recipient=age1pgxk292zq30wafwg03gge7hu5dlu3h7yfldp2y8kqekfaljjky7s752uwy
-sops_age__list_3__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvbU9wVnlZUjBDQTVQT21i\ndU01TTEvUzlPTzZGMFVwc0M1bkkvNUU0YkNvCm91NHdGWTVvU1JaOWRmQVJ3cHBo\nMXdmc0syVncvZzNKMlBCbHJDdm5ZblEKLS0tIE5lOWJvMDhyM01VbU0wbGNEc2xI\nVkZrbER1LzhWQ2swS0ZTV1FiWGx3K0EKIoezkGxEUfWDjlkeAnKH20UxsDFQJ+1b\nzdcghmt6gnzIxR3FWSCFHHKAzfi3rL8QlkW3Ro5UBoAEEDWy7nvz2w==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_3__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQQUNGd0daLzFsYVFiMGhk\nY1dJMHZQcjBqTTVpM29XS1NnbmdEMnUzNUZvCnh0bDFIcWtWWGdvRGhOV0RTdkY2\nTkVPTENGeUdjb0d2TjRxVXVxd04wbVUKLS0tIGdWRGFZTU5tWU1nbEd5Zkl5anVr\naUhuWTRhRURCZDYySkczSUJaRFozUkkKzkr5HK5nmEsLcCLmSEILCAlE/773tboY\nS8ZuKoHds2NmWrZGDbodwVD7kYQ9l89rQa4WTjrgFwprOayp7e/P1g==\n-----END AGE ENCRYPTED FILE-----\n
 sops_age__list_3__map_recipient=age1qn0x93jhqjpqwvx5tgxnrwq5e3vuzur9whrkdnrvapd58esm45rqfkuxqh
-sops_age__list_4__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWU1drSWRUbEVYSVNUTzFy\nM1JJbSthM3VpU1Y0ejgzbjNUSEhYMENGRUNZCmowZE13TUtYclVmMS9VenBVQXp0\nd09hM0lsa01Cd0lzTDlCRDduOWd0aFEKLS0tIHI0M0xOSFhndW5XdUJJV3cwV09X\nWUx4T05INWRvU01OU3UwSUFxcC9nM00Keb2AeDtqamChWI3PAYxLDT3qZhmCf8Q9\nZi8Qe6LJ6a8C6wsFN+auPy7bIJdmVYcfoHFgsRVdyEXx9bcj1+hIGg==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_4__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwbnFuZ2JKbFpZalRWeUQ0\nbkJKZk1IVkovOW5jLzdUSzNkRmVQeHpNeGs0ClcwcnZFWGpiQWpIT0N6bnRkQXlx\nWDVPUUJ6cDRyckNxL3J0UXAxVUdnL1kKLS0tIHFVN0pzVXVUUUREOW0ycndoUVV5\nWUJNblhoa2ZOU0VoTGFoZzZGRlZwVW8K30qpBsvJHwWeLiiNTb0Yn41mkr2GZo58\nlSn9w97P9+vsK98izcZhSEp5CSJDQEH67ltCcR1LUuGNc2ILRphX6g==\n-----END AGE ENCRYPTED FILE-----\n
 sops_age__list_4__map_recipient=age1h86dek80u5t677tsparz395uk3zvz4yuj9m5t2v2nsdfsvyjmafsra5yt7
-sops_age__list_5__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSclNPdDJGeWlCSzJtQi92\nYVlaVFhGd2krM2J1VEVqVSt0REJwRnI2ZmlJClBzTCtSZFBvMWdBcU1IeXFzaThz\nMFRCazJmTFQ4WkNPRU5xU0VqOEJZbkUKLS0tIFF5eitRekJUSDBhZmhsZHpMdHpi\nK0N4L1FqazJOVUNYaUIxL0dMMm9kZjgKr3PaMpDWqnt0J3yMZxuD0hvCVDnSuX+G\nhSSLmO0gaXuiw2/m7ehzkTtcl8BlN6o8iVPfdbA09lOAl0U9vOPSaA==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_5__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYUVN1OFRMQlFuT05IbnVx\nZitFblpoenNEQ1lBSjUrbWhqVXN4TVU5SXhFClh1WnptaUNiQjVNMXdRVkVvS09m\nbkoxRkI4MHNGajRxNnpwZ1FCV3ZXb28KLS0tIHBnaTBXUUcyQlB5WWpBaDY0MVA5\na0Jjd2xpMDhOeG9EVzUxRUl5KythOUEKENX9NZo03ACFxom+yNFyf3Ywzvxc92w9\nwSodCz2+yJiTbFlInSj8bmNy2tsTI5KKfTEl2Qh58uTQXDTMCotWRg==\n-----END AGE ENCRYPTED FILE-----\n
 sops_age__list_5__map_recipient=age1vfhyk6wmt993dezz5wjf6n3ynkd6xptv2dr0qdl6kmttev9lh5dsfjfs3h
-sops_lastmodified=2026-05-20T17:24:41Z
-sops_mac=ENC[AES256_GCM,data:JUtXxPbs16EWlzLgiPArQMZWlIhixP9KQyBnHSW9vAbApSzop+MCAhVcBXrbBsozhn+EPej+br3r3zfAjR9gof+lSh1WBqSKkAw9sR1gMcfV8T4eOKVk7nCUZRuKVhoSHyDvAv6gJZF0LKhvwBc1TR0A4msZaecDDG5jNSaMsDw=,iv:RbmNhPgiPozA3WGpZAqk5xTMhuFtSOk2bsbollKT174=,tag:UTGqsTB8uMcMV7esNHQS3w==,type:str]
+sops_lastmodified=2026-06-12T03:40:05Z
+sops_mac=ENC[AES256_GCM,data:z6RsG4cEMF0LmGGRCYgrMTYn0plJMbSitgTqOKY5xumVOagyWpzH1RF8rTknRj/91QdecWmso0fISkHnDyFO/vPYixKY54eaYMPVTlLCrUH3Ywqyd00z5KxKIQqQWtQR/z/PFP+K65Wl4i/NmP2Mx5WCGIjszT2T+SwkfxZcjJQ=,iv:c16LMsP/cf09kzz9e6WFZ3PCA3DHlGfqPze0ojqMZew=,tag:5aR1cM6kOR8X0ebv2ebHXA==,type:str]
 sops_unencrypted_suffix=_unencrypted
 sops_version=3.11.0
diff --git a/README.md b/README.md
index 4d7a94f..47de1d6 100644
--- a/README.md
+++ b/README.md
@@ -207,11 +207,11 @@ tools/
 
 The protocol and the platform are documented together:
 
-| Resource      | URL                                                            | Purpose                                                             |
-| ------------- | -------------------------------------------------------------- | ------------------------------------------------------------------- |
-| Protocol spec | [/protocol](https://underlay.org/protocol)                     | Full protocol: data model, hashing, push, pull, provenance, privacy |
-| User docs     | [/docs](https://underlay.org/docs)                             | Concepts, integration guide, API reference, quickstart              |
-| llms.txt      | [/llms.txt](https://underlay.org/llms.txt)                     | Machine-readable API docs for LLMs and bots                         |
+| Resource      | URL                                        | Purpose                                                             |
+| ------------- | ------------------------------------------ | ------------------------------------------------------------------- |
+| Protocol spec | [/protocol](https://underlay.org/protocol) | Full protocol: data model, hashing, push, pull, provenance, privacy |
+| User docs     | [/docs](https://underlay.org/docs)         | Concepts, integration guide, API reference, quickstart              |
+| llms.txt      | [/llms.txt](https://underlay.org/llms.txt) | Machine-readable API docs for LLMs and bots                         |
 
 ### Key API endpoints
 
@@ -329,19 +329,28 @@ Required GitHub secrets: `SSH_PRIVATE_KEY`, `SSH_USER`, `GHCR_USER`, `GHCR_TOKEN
 | ----------------------------- | ---------------------------------------------- |
 | `docker-compose.yml`          | Deployed stacks (prod & dev via Swarm)         |
 | `docker-compose.local.yml`    | Local development (source-mounted, hot reload) |
-| `docker-compose.withauth.yml` | Self-hosted: app + bundled KF Auth stack       |
+| `docker-compose.withauth.yml` | Self-hosted: app + KF Auth + MinIO + Caddy     |
 
 ### Self-Hosting
 
 Run the Underlay with a bundled auth server (no external auth provider needed):
 
 ```bash
-DOMAIN=https://my-instance.com docker compose -f docker-compose.withauth.yml up
+DOMAIN=https://my-instance.com docker compose -f docker-compose.withauth.yml up -d
 ```
 
-This starts Postgres, KF Auth (auth + account), the Underlay app, and Caddy with TLS. On first boot, secrets are auto-generated. Set `SMTP_*` vars for email delivery.
+This starts Postgres, KF Auth (auth + account), MinIO (S3-compatible storage), the Underlay app, and Caddy with automatic TLS. On first boot, an init container auto-generates all secrets (session keys, OAuth client credentials, S3 credentials).
 
-Supporting files live in `selfhost/` (Caddyfile, Postgres init script).
+Optional configuration (via environment variables or `.env` file):
+
+- `SMTP_*` vars for email delivery (password resets, invitations)
+- `GITHUB_CLIENT_ID`/`GITHUB_CLIENT_SECRET` for GitHub login
+- `GOOGLE_CLIENT_ID`/`GOOGLE_CLIENT_SECRET` for Google login
+- `ORCID_CLIENT_ID`/`ORCID_CLIENT_SECRET` for ORCID login
+
+To use external S3 (AWS, Cloudflare R2, etc.) instead of bundled MinIO, remove the `minio` and `minio-init` services and set `S3_BUCKET`, `S3_REGION`, `S3_ENDPOINT`, `S3_ACCESS_KEY`, `S3_SECRET_KEY` in the app environment.
+
+Supporting files live in `selfhost/` (Caddyfile, Postgres init script). See [/docs/self-host](https://underlay.org/docs/self-host) for full details.
 
 ## Environment Variables
 
diff --git a/docker-compose.withauth.yml b/docker-compose.withauth.yml
index 6a848c5..701dd51 100644
--- a/docker-compose.withauth.yml
+++ b/docker-compose.withauth.yml
@@ -1,10 +1,15 @@
 # docker-compose.withauth.yml — Self-hosted Underlay with bundled auth.
 #
-# Runs: Underlay app + KF Auth (auth + account) + Postgres + Caddy
+# Runs: Underlay app + KF Auth (auth + account) + Postgres + MinIO (S3) + Caddy
 # One command: docker compose -f docker-compose.withauth.yml up
 #
 # First run generates secrets automatically via the init container.
 # Set DOMAIN=https://your-domain.com in your shell or .env file.
+#
+# To use external S3 instead of bundled MinIO, remove the minio service and set
+# S3_BUCKET, S3_REGION, S3_ENDPOINT, S3_ACCESS_KEY, S3_SECRET_KEY in the app
+# environment block (or pass them as env vars that the init container writes
+# into .env.app).
 
 name: underlay-withauth
 
@@ -22,8 +27,11 @@ services:
         fi
         apk add --no-cache openssl
         AUTH_SECRET=$$(openssl rand -hex 32)
+        SESSION_SECRET=$$(openssl rand -hex 32)
         CLIENT_SECRET=$$(openssl rand -hex 32)
         INTERNAL_KEY=$$(openssl rand -hex 32)
+        MINIO_ACCESS=$$(openssl rand -hex 16)
+        MINIO_SECRET=$$(openssl rand -hex 32)
         printf '%s\n' \
           "BETTER_AUTH_SECRET=$$AUTH_SECRET" \
           "BETTER_AUTH_URL=$${DOMAIN:-http://localhost}/auth" \
@@ -49,19 +57,30 @@ services:
           "- client_id: underlay" \
           "  client_secret: $$CLIENT_SECRET" \
           "  redirect_uris:" \
-          "    - $${DOMAIN:-http://localhost}/auth/callback" \
+          "    - $${DOMAIN:-http://localhost}/api/auth/oauth2/callback/kf-auth" \
           "  skip_consent: true" \
           "  display_name: \"Underlay\"" \
           "  allow_sign_up: true" \
           > /config/apps.withauth.yaml
         printf '%s\n' \
+          "SESSION_SECRET=$$SESSION_SECRET" \
           "OIDC_ISSUER_URL=$${DOMAIN:-http://localhost}/auth" \
           "OIDC_ISSUER_INTERNAL_URL=http://auth:3000" \
+          "OIDC_ACCOUNT_URL=$${DOMAIN:-http://localhost}/account" \
           "OIDC_CLIENT_ID=underlay" \
           "OIDC_CLIENT_SECRET=$$CLIENT_SECRET" \
           "AUTH_INTERNAL_API_KEY=$$INTERNAL_KEY" \
           "DATABASE_URL=postgres://kfauth:kfauth@postgres:5432/app" \
+          "S3_BUCKET=underlay" \
+          "S3_REGION=us-east-1" \
+          "S3_ENDPOINT=http://minio:9000" \
+          "S3_ACCESS_KEY=$$MINIO_ACCESS" \
+          "S3_SECRET_KEY=$$MINIO_SECRET" \
           > /config/.env.app
+        printf '%s\n' \
+          "MINIO_ROOT_USER=$$MINIO_ACCESS" \
+          "MINIO_ROOT_PASSWORD=$$MINIO_SECRET" \
+          > /config/.env.minio
         echo "Init complete."
     volumes:
       - withauth-config:/config
@@ -96,6 +115,47 @@ services:
       timeout: 5s
       retries: 10
 
+  # --- MinIO (S3-compatible object storage) ---
+  # Remove this service if using external S3/R2 — set S3_* vars in app environment instead.
+  minio:
+    image: minio/minio:latest
+    depends_on:
+      withauth-init:
+        condition: service_completed_successfully
+    volumes:
+      - minio-data:/data
+      - withauth-config:/config:ro
+    entrypoint: /bin/sh
+    command:
+      - -c
+      - |
+        set -a && . /config/.env.minio && set +a
+        exec minio server /data --console-address ":9001"
+    healthcheck:
+      test: ['CMD', 'mc', 'ready', 'local']
+      interval: 5s
+      timeout: 5s
+      retries: 10
+
+  # Create the default bucket on first run
+  minio-init:
+    image: minio/mc:latest
+    depends_on:
+      minio:
+        condition: service_healthy
+      withauth-init:
+        condition: service_completed_successfully
+    volumes:
+      - withauth-config:/config:ro
+    entrypoint: /bin/sh
+    command:
+      - -c
+      - |
+        set -a && . /config/.env.minio && set +a
+        mc alias set local http://minio:9000 "$$MINIO_ROOT_USER" "$$MINIO_ROOT_PASSWORD"
+        mc mb --ignore-existing local/underlay
+        echo "Bucket ready."
+
   # --- Auth server (kf-auth) ---
   auth:
     image: ghcr.io/knowledgefutures/kf-auth:latest
@@ -136,13 +196,15 @@ services:
         condition: service_completed_successfully
       auth:
         condition: service_started
+      minio-init:
+        condition: service_completed_successfully
     environment:
       NODE_ENV: production
       PORT: 4100
       APP_URL: ${DOMAIN:-http://localhost}
     volumes:
       - withauth-config:/config:ro
-    command: sh -c "set -a && . /config/.env.app && set +a && node dist/server.js"
+    command: sh -c "set -a && . /config/.env.app && set +a && node --import tsx/esm server.ts"
 
   # --- Caddy reverse proxy ---
   caddy:
@@ -164,6 +226,7 @@ services:
 
 volumes:
   pgdata:
+  minio-data:
   withauth-config:
   caddy-data:
   caddy-config:
diff --git a/public/logoLight.svg b/public/logoLight.svg
new file mode 100644
index 0000000..6c64b24
--- /dev/null
+++ b/public/logoLight.svg
@@ -0,0 +1,9 @@
+<svg viewBox="0 0 333.65332 298.54666" height="298.54666" width="333.65332" xmlns="http://www.w3.org/2000/svg">
+	<g transform="matrix(1.3333333,0,0,-1.3333333,0,298.54667)" id="g18">
+		<g transform="scale(0.1)" id="g20">
+			<path id="path22" style="fill: #211c1c;fill-opacity:1;fill-rule:nonzero;stroke:none" d="m 1102.21,531.461 c 51.56,-10.66 104.9,-16.391 159.57,-16.391 h 17.82 L 854.953,181.609 H 656.691 Z M 617.941,1301.98 v 225.5 c 0,181.37 147.551,328.91 328.922,328.91 h 46.41 C 883.156,1748.47 814.391,1598.62 814.391,1432.54 c 0,-328.39 267.169,-595.56 595.549,-595.56 h 450.88 l 227.75,-178.839 h -826.79 c -355.014,0 -643.839,288.82 -643.839,643.839 z M 1511.27,515.07 h 991.15 L 1025.37,1674.93 c 36.82,61.42 86.9,113.97 146.08,152.11 40.69,26.21 87.46,41.51 135.67,45.76 l 366,32.25 v 47.76 l -409.16,79.58 v 0.07 c -63.23,16.69 -123.65,59.1 -178.87,96.03 l -50.47,33.75 -6.18,3.69 c -12.61,6.72 -23.76,12.91 -33.944,18.59 -56.992,31.7 -98.183,54.6 -192.496,54.6 H 221.625 l 268.559,-220.59 c -9.895,-32.9 -15.313,-68.53 -15.313,-106.54 v -384.51 -225.5 -44.71 h 1.352 C 493.09,957.73 678.273,702.551 938.43,584.762 L 425.027,181.609 H 0.00390625 V 0 L 2502.42,0 v 181.609 h -1415.8 l 424.65,333.461" />
+			<path id="path24" style="fill: #211c1c;fill-opacity:1;fill-rule:nonzero;stroke:none" d="m 1678.62,980.059 h -268.68 c -249.5,0 -452.471,202.971 -452.471,452.481 0,35.56 4.219,70.52 12.031,104.35 l 709.12,-556.831" />
+			<path id="path26" style="fill:#e62224;fill-opacity:1;fill-rule:nonzero;stroke:none" d="m 924.953,2059.48 c 10.02,-5.58 20.891,-11.61 33.07,-18.14 l 47.517,-31.78 c 5.43,-3.63 11.16,-6.62 16.65,-10.09 h -75.327 c -127.863,0 -243.832,-51.29 -328.922,-134.15 v 46.67 c 0,135.7 95.082,184.06 184.059,184.06 57.203,0 72.445,-8.48 122.953,-36.57" />
+		</g>
+	</g>
+</svg>
\ No newline at end of file
diff --git a/server.ts b/server.ts
index 6e9760a..cf25029 100644
--- a/server.ts
+++ b/server.ts
@@ -98,9 +98,9 @@ app.get('/agent/:token', agentHandlers.agentPage)
 app.use('/api/*', authMiddleware)
 app.use('/api/*', rateLimitMiddleware)
 
-// --- Mirror mode guard for admin routes ---
-// Operator-only: admin-scoped API key, or a session user listed in MIRROR_ADMIN_EMAILS
-app.use('/api/admin/*', async (c, next) => {
+// --- Admin route guards ---
+// Mirror admin: requires mirror mode + admin API key or MIRROR_ADMIN_EMAILS
+app.use('/api/admin/mirror/*', async (c, next) => {
   const config = getMirrorConfig()
   if (!config.enabled) {
     return c.json({ error: 'Not found', statusCode: 404 }, 404)
@@ -122,6 +122,18 @@ app.use('/api/admin/*', async (c, next) => {
   )
 })
 
+// Steward admin: requires kfRole === 'admin'
+// Steward admin: requires kfRole === 'admin'
+app.use('/api/admin/explore-*', async (c, next) => {
+  const userId = c.get('userId')
+  if (!userId) return c.json({ error: 'Unauthorized', statusCode: 401 }, 401)
+  const sessionUser = await getSessionUser(c.req.raw)
+  if (sessionUser?.kfRole !== 'admin') {
+    return c.json({ error: 'Forbidden', statusCode: 403 }, 403)
+  }
+  return next()
+})
+
 // --- ARK resolution middleware ---
 app.use('/ark\\:*', arkMiddleware)
 
@@ -145,31 +157,62 @@ if (!isProd) {
 
 // --- Better-auth handler (OIDC login, sessions, API keys) ---
 app.on(['GET', 'POST'], '/api/auth/*', async (c) => {
-  return auth.handler(c.req.raw)
+  const url = new URL(c.req.url)
+  const isCallback = url.pathname.includes('/callback/')
+  if (isCallback) {
+    console.log('[auth callback] incoming:', {
+      method: c.req.method,
+      path: url.pathname,
+      hasCode: url.searchParams.has('code'),
+      hasState: url.searchParams.has('state'),
+      hasError: url.searchParams.has('error'),
+      error: url.searchParams.get('error'),
+      rawUrl: c.req.url,
+      cookieHeader: c.req.header('cookie')?.substring(0, 200),
+    })
+  }
+  const res = await auth.handler(c.req.raw)
+  if (isCallback) {
+    console.log('[auth callback] response:', {
+      status: res.status,
+      location: res.headers.get('location'),
+      setCookies: res.headers.getSetCookie?.()?.map((s: string) => s.substring(0, 80)),
+    })
+  }
+  return res
 })
 
 // /login redirect — fall through to React route only when there's an error to display
 app.get('/login', async (c, next) => {
   const url = new URL(c.req.url)
+  const appOrigin = new URL(process.env.APP_URL ?? 'http://localhost:4100').origin
   if (!url.searchParams.has('error')) {
-    const signInUrl = new URL('/api/auth/sign-in/oauth2', url.origin)
+    const signInUrl = new URL('/api/auth/sign-in/oauth2', appOrigin)
+    const headers = new Headers({
+      'Content-Type': 'application/json',
+      Cookie: c.req.header('cookie') ?? '',
+      Origin: appOrigin,
+    })
+    const xff = c.req.header('x-forwarded-for')
+    if (xff) headers.set('X-Forwarded-For', xff)
     const authRes = await auth.handler(
       new Request(signInUrl, {
         method: 'POST',
-        headers: new Headers({
-          'Content-Type': 'application/json',
-          Cookie: c.req.header('cookie') ?? '',
-          Origin: url.origin,
-        }),
+        headers,
         body: JSON.stringify({ providerId: 'kf-auth', callbackURL: '/dashboard' }),
       }),
     )
     const body = await authRes.json()
+    console.log('[login] auth sign-in response:', { status: authRes.status, body })
     if (body.url) {
       const redirect = new Response(null, { status: 302, headers: { Location: body.url } })
-      for (const [key, value] of authRes.headers.entries()) {
-        if (key.toLowerCase() === 'set-cookie') redirect.headers.append(key, value)
+      for (const cookie of authRes.headers.getSetCookie()) {
+        redirect.headers.append('set-cookie', cookie)
       }
+      console.log(
+        '[login] forwarding cookies:',
+        authRes.headers.getSetCookie().map((s: string) => s.substring(0, 80)),
+      )
       return redirect
     }
   }
@@ -204,6 +247,68 @@ app.get('/api/admin/mirror/sync/progress', admin.mirrorSyncProgress)
 app.get('/api/admin/mirror/sync/active', admin.mirrorSyncActive)
 app.get('/api/admin/mirror/history', admin.mirrorHistory)
 
+// Steward-only: explore featured tags
+app.get('/api/admin/explore-tags', async (c) => {
+  const { db, schema } = await import('~/db/client.server')
+  const { eq } = await import('drizzle-orm')
+  const [row] = await db
+    .select({ value: schema.instanceSettings.value })
+    .from(schema.instanceSettings)
+    .where(eq(schema.instanceSettings.key, 'explore_featured_tags'))
+    .limit(1)
+  return c.json({ tags: Array.isArray(row?.value) ? row.value : [] })
+})
+
+app.put('/api/admin/explore-tags', async (c) => {
+  const body = await c.req.json<{ tags: string[] }>()
+  if (!Array.isArray(body.tags) || !body.tags.every((t: unknown) => typeof t === 'string')) {
+    return c.json({ error: 'tags must be an array of strings', statusCode: 422 }, 422)
+  }
+  const { db, schema } = await import('~/db/client.server')
+  await db
+    .insert(schema.instanceSettings)
+    .values({ key: 'explore_featured_tags', value: body.tags, updatedAt: new Date() })
+    .onConflictDoUpdate({
+      target: schema.instanceSettings.key,
+      set: { value: body.tags, updatedAt: new Date() },
+    })
+  return c.json({ ok: true, tags: body.tags })
+})
+
+// Steward-only: explore featured collections
+app.get('/api/admin/explore-collections', async (c) => {
+  const { db, schema } = await import('~/db/client.server')
+  const { eq } = await import('drizzle-orm')
+  const [row] = await db
+    .select({ value: schema.instanceSettings.value })
+    .from(schema.instanceSettings)
+    .where(eq(schema.instanceSettings.key, 'explore_featured_collections'))
+    .limit(1)
+  return c.json({ collections: Array.isArray(row?.value) ? row.value : [] })
+})
+
+app.put('/api/admin/explore-collections', async (c) => {
+  const body = await c.req.json<{ collections: string[] }>()
+  if (
+    !Array.isArray(body.collections) ||
+    !body.collections.every((s: unknown) => typeof s === 'string')
+  ) {
+    return c.json(
+      { error: 'collections must be an array of "owner/slug" strings', statusCode: 422 },
+      422,
+    )
+  }
+  const { db, schema } = await import('~/db/client.server')
+  await db
+    .insert(schema.instanceSettings)
+    .values({ key: 'explore_featured_collections', value: body.collections, updatedAt: new Date() })
+    .onConflictDoUpdate({
+      target: schema.instanceSettings.key,
+      set: { value: body.collections, updatedAt: new Date() },
+    })
+  return c.json({ ok: true, collections: body.collections })
+})
+
 // Query
 app.get('/api/query/sqlite/:owner/:slug/:version', query.sqlite)
 app.get('/api/query/ddl/:owner/:slug/:version', query.ddl)
diff --git a/src/App.tsx b/src/App.tsx
index 8c21d97..edfd22b 100644
--- a/src/App.tsx
+++ b/src/App.tsx
@@ -1,6 +1,7 @@
 import type { LoaderFunctionArgs, RouteObject } from 'react-router'
 
 import Root from '~/components/Root'
+import { fetchBase } from '~/lib/fetch-base'
 import { buildDataRoutes } from '~/route-gen'
 
 const components = import.meta.glob<{ default: React.ComponentType }>('./routes/**/[!_]*.tsx')
@@ -11,7 +12,7 @@ const dataModules = import.meta.glob<{
 }>('./routes/**/*.data.ts', { eager: true })
 
 async function rootLoader({ request }: LoaderFunctionArgs) {
-  const res = await fetch(new URL('/api/context', request.url), {
+  const res = await fetch(`${fetchBase(request.url)}/api/context`, {
     headers: { Cookie: request.headers.get('Cookie') ?? '' },
   })
   if (!res.ok) {
diff --git a/src/api/accounts.ts b/src/api/accounts.ts
index 1d8adf4..70d94d6 100644
--- a/src/api/accounts.ts
+++ b/src/api/accounts.ts
@@ -123,17 +123,9 @@ const app = new Hono<AuthEnv>()
     }),
     async (c) => {
       const userId = c.get('userId')!
-
-      const [acct] = await db
-        .select({ accountId: schema.account.accountId })
-        .from(schema.account)
-        .where(and(eq(schema.account.userId, userId), eq(schema.account.providerId, 'kf-auth')))
-        .limit(1)
-
-      if (!acct) return c.json([])
-
-      const { fetchAuthOrgs } = await import('../lib/auth-internal.server.js')
-      return c.json(await fetchAuthOrgs(acct.accountId))
+      const { resolveUserKfOrgs } = await import('../lib/auth-internal.server.js')
+      const orgs = await resolveUserKfOrgs(userId, db, schema)
+      return c.json(orgs)
     },
   )
   .get(
diff --git a/src/api/collections.ts b/src/api/collections.ts
index 9d4ae05..8a61444 100644
--- a/src/api/collections.ts
+++ b/src/api/collections.ts
@@ -26,6 +26,7 @@ const app = new Hono<AuthEnv>()
     async (c) => {
       const q = c.req.query('q')
       const owner = c.req.query('owner')
+      const tag = c.req.query('tag')
       const sort = c.req.query('sort')
       const take = Math.min(parseInt(c.req.query('limit') ?? '50', 10), 100)
       const skip = parseInt(c.req.query('offset') ?? '0', 10)
@@ -54,7 +55,7 @@ const app = new Hono<AuthEnv>()
           eq(schema.collections.organizationId, schema.organization.id),
         )
         .where(and(...conditions))
-        .limit(take)
+        .limit(take + 200)
         .offset(skip)
         .orderBy(sort === 'name' ? schema.collections.name : desc(schema.collections.updatedAt))
 
@@ -98,6 +99,36 @@ const app = new Hono<AuthEnv>()
         }
       }
 
+      // Build enriched results with tags, then apply tag filter
+      const enriched = results.map((r) => {
+        const stats = statsMap.get(r.id)
+        const meta = stats?.metadata as Record<string, unknown> | null | undefined
+        const tags = Array.isArray(meta?.tags) ? (meta.tags as string[]) : []
+        return {
+          ...r,
+          description: (meta?.description as string) ?? null,
+          tags,
+          latestVersion: stats?.semver ?? null,
+          recordCount: stats?.recordCount ?? null,
+          fileCount: stats?.fileCount ?? null,
+          totalBytes: stats?.totalBytes ?? null,
+          lastPushAt: stats?.lastPushAt ?? null,
+        }
+      })
+
+      const filtered = tag ? enriched.filter((c) => c.tags.includes(tag)) : enriched
+
+      // Compute tag facets from all visible collections (before tag filter, after search/owner)
+      const tagCounts = new Map<string, number>()
+      for (const c of enriched) {
+        for (const t of c.tags) {
+          tagCounts.set(t, (tagCounts.get(t) ?? 0) + 1)
+        }
+      }
+      const tagFacets = [...tagCounts.entries()]
+        .map(([name, count]) => ({ name, count }))
+        .sort((a, b) => b.count - a.count)
+
       const facetConditions = [eq(schema.collections.public, true)]
       if (q) {
         facetConditions.push(ilike(schema.collections.name, `%${q}%`))
@@ -118,21 +149,49 @@ const app = new Hono<AuthEnv>()
         .groupBy(schema.organization.slug, schema.organization.name)
         .orderBy(sql`count(*) DESC`)
 
+      // Load instance settings for explore page
+      const settingsRows = await db
+        .select({ key: schema.instanceSettings.key, value: schema.instanceSettings.value })
+        .from(schema.instanceSettings)
+        .where(
+          inArray(schema.instanceSettings.key, [
+            'explore_featured_tags',
+            'explore_featured_collections',
+          ]),
+        )
+      const settingsMap = new Map(settingsRows.map((r) => [r.key, r.value]))
+      const featuredTags = Array.isArray(settingsMap.get('explore_featured_tags'))
+        ? (settingsMap.get('explore_featured_tags') as string[])
+        : []
+      const featuredSlugs = Array.isArray(settingsMap.get('explore_featured_collections'))
+        ? (settingsMap.get('explore_featured_collections') as string[])
+        : []
+
+      // Apply sort to the full filtered set, then slice for pagination
+      if (sort === 'records') {
+        filtered.sort((a, b) => (b.recordCount ?? 0) - (a.recordCount ?? 0))
+      } else if (sort === 'featured') {
+        const featuredSet = new Set(featuredSlugs)
+        filtered.sort((a, b) => {
+          const aFeat = featuredSet.has(`${a.ownerSlug}/${a.slug}`) ? 0 : 1
+          const bFeat = featuredSet.has(`${b.ownerSlug}/${b.slug}`) ? 0 : 1
+          if (aFeat !== bFeat) return aFeat - bFeat
+          return (a.name ?? '').localeCompare(b.name ?? '')
+        })
+      }
+
+      const page = filtered.slice(0, take)
+
+      // Build featured collections list from the enriched set
+      const featuredCollections = featuredSlugs
+        .map((s) => enriched.find((c) => `${c.ownerSlug}/${c.slug}` === s))
+        .filter(Boolean)
+
       return c.json({
-        collections: results.map((r) => {
-          const stats = statsMap.get(r.id)
-          const meta = stats?.metadata as Record<string, unknown> | null | undefined
-          return {
-            ...r,
-            description: (meta?.description as string) ?? null,
-            latestVersion: stats?.semver ?? null,
-            recordCount: stats?.recordCount ?? null,
-            fileCount: stats?.fileCount ?? null,
-            totalBytes: stats?.totalBytes ?? null,
-            lastPushAt: stats?.lastPushAt ?? null,
-          }
-        }),
-        facets: { owners: ownerFacets },
+        collections: page,
+        facets: { owners: ownerFacets, tags: tagFacets },
+        featuredTags,
+        featuredCollections,
       })
     },
   )
@@ -145,13 +204,18 @@ const app = new Hono<AuthEnv>()
       summary: 'Create a collection',
       request: {
         param: z.object({ owner: z.string() }),
-        json: z.object({ slug: z.string(), name: z.string(), public: z.boolean().optional() }),
+        json: z.object({
+          slug: z.string(),
+          name: z.string().optional(),
+          public: z.boolean().optional(),
+        }),
       },
       responses: { 200: z.any() },
     }),
     async (c) => {
       const { owner } = c.req.valid('param')
-      const { slug, name, public: isPublic } = c.req.valid('json')
+      const { slug, name: rawName, public: isPublic } = c.req.valid('json')
+      const name = rawName || slug
 
       // Resolve owner org
       const [org] = await db
diff --git a/src/components/BaseLayout.tsx b/src/components/BaseLayout.tsx
index d07acd4..b3004d7 100644
--- a/src/components/BaseLayout.tsx
+++ b/src/components/BaseLayout.tsx
@@ -1,5 +1,6 @@
 import { Link } from 'react-router'
 
+import CreateMenu from '~/components/CreateMenu'
 import UserMenu from '~/components/UserMenu'
 import { useAppContext } from '~/lib/app-context'
 
@@ -12,7 +13,7 @@ export default function BaseLayout({ children }: { children: React.ReactNode })
       <header className="border-rule border-b">
         <nav className="mx-auto flex max-w-5xl items-center justify-between px-4 py-3">
           <Link to="/" className="flex items-center gap-2.5 no-underline">
-            <img src="https://docs.underlay.org/logoLight.svg" alt="Underlay" className="h-6" />
+            <img src="/logoLight.svg" alt="Underlay" className="h-6" />
             <span className="text-ink text-base font-semibold tracking-tight">Underlay</span>
             {mirrorConfig?.enabled && (
               <span className="text-ink-muted ml-1 self-center text-sm font-medium">
@@ -24,9 +25,6 @@ export default function BaseLayout({ children }: { children: React.ReactNode })
             <Link to="/explore" className="hover:text-ink transition-colors">
               Explore
             </Link>
-            <Link to="/schemas" className="hover:text-ink transition-colors">
-              Schemas
-            </Link>
             <Link to="/docs" className="hover:text-ink transition-colors">
               Docs
             </Link>
@@ -46,12 +44,16 @@ export default function BaseLayout({ children }: { children: React.ReactNode })
                 </a>
               )
             ) : currentUser ? (
-              <UserMenu
-                slug={currentUser.slug}
-                displayName={currentUser.displayName}
-                orgs={currentUser.orgs ?? []}
-                isSteward={isSteward}
-              />
+              <>
+                <CreateMenu />
+                <UserMenu
+                  slug={currentUser.slug}
+                  displayName={currentUser.displayName}
+                  avatarUrl={currentUser.avatarUrl}
+                  orgs={currentUser.orgs ?? []}
+                  isSteward={isSteward}
+                />
+              </>
             ) : (
               <a href="/login" className="hover:text-ink transition-colors">
                 Log in
@@ -71,12 +73,10 @@ export default function BaseLayout({ children }: { children: React.ReactNode })
               Knowledge Futures
             </a>
           </div>
-          <div className="flex items-center gap-4">
+          <div>
             <a href="https://github.com/knowledgefutures/underlay" className="hover:text-ink">
               GitHub
             </a>
-            <span className="text-rule">&middot;</span>
-            <span className="font-mono">v0.1.0</span>
           </div>
         </div>
       </footer>
diff --git a/src/components/CollectionExplorer.tsx b/src/components/CollectionExplorer.tsx
index 3c8a98d..0de2fee 100644
--- a/src/components/CollectionExplorer.tsx
+++ b/src/components/CollectionExplorer.tsx
@@ -1,11 +1,12 @@
 import { useEffect, useRef, useState } from 'react'
-import { Link } from 'react-router'
+import { Link, useSearchParams } from 'react-router'
 
 interface Collection {
   id: string
   slug: string
   name: string
   description?: string
+  tags?: string[]
   ownerSlug: string
   ownerName?: string
   createdAt: string
@@ -24,6 +25,11 @@ interface OwnerFacet {
   count: number
 }
 
+interface TagFacet {
+  name: string
+  count: number
+}
+
 function formatBytes(bytes: number): string {
   if (bytes < 1024) return `${bytes} B`
   if (bytes < 1024 * 1024) return `${(bytes / 1024).toFixed(1)} KB`
@@ -51,100 +57,146 @@ function timeAgo(dateStr: string): string {
   return `${Math.floor(months / 12)}y ago`
 }
 
+type SortKey = 'featured' | 'updated' | 'name' | 'records'
+
 export default function CollectionExplorer() {
-  const [query, setQuery] = useState('')
-  const [selectedOwner, setSelectedOwner] = useState<string | null>(null)
-  const [sort, setSort] = useState<'updated' | 'name'>('updated')
+  const [searchParams, setSearchParams] = useSearchParams()
+  const initQuery = searchParams.get('q') ?? ''
+  const initOwner = searchParams.get('owner')
+  const initTag = searchParams.get('tag')
+  const initSort = searchParams.get('sort')
+  const initSortKey: SortKey =
+    initSort === 'updated' || initSort === 'name' || initSort === 'records' ? initSort : 'featured'
+  const [query, setQuery] = useState(initQuery)
+  const [selectedOwner, setSelectedOwner] = useState<string | null>(initOwner)
+  const [selectedTag, setSelectedTag] = useState<string | null>(initTag)
+  const [sort, setSort] = useState<SortKey>(initSortKey)
   const [collections, setCollections] = useState<Collection[]>([])
   const [owners, setOwners] = useState<OwnerFacet[]>([])
+  const [tagFacets, setTagFacets] = useState<TagFacet[]>([])
+  const [featuredTags, setFeaturedTags] = useState<string[]>([])
+  const [featuredCollections, setFeaturedCollections] = useState<Collection[]>([])
   const [loading, setLoading] = useState(true)
   const timerRef = useRef<ReturnType<typeof setTimeout>>(undefined)
 
-  async function load(q = '', owner: string | null = null, sortBy = sort) {
+  const isFiltered = !!(query || selectedOwner || selectedTag)
+
+  function syncUrl(q: string, owner: string | null, sortBy: SortKey, tag: string | null) {
+    const next = new URLSearchParams()
+    if (q) next.set('q', q)
+    if (owner) next.set('owner', owner)
+    if (tag) next.set('tag', tag)
+    if (sortBy !== 'featured') next.set('sort', sortBy)
+    setSearchParams(next, { replace: true })
+  }
+
+  async function load(
+    q = '',
+    owner: string | null = null,
+    sortBy: SortKey = sort,
+    tag: string | null = selectedTag,
+  ) {
     setLoading(true)
+    syncUrl(q, owner, sortBy, tag)
     const params = new URLSearchParams()
     if (q) params.set('q', q)
     if (owner) params.set('owner', owner)
+    if (tag) params.set('tag', tag)
     params.set('sort', sortBy)
     try {
       const res = await fetch(`/api/collections?${params}`)
       const data = await res.json()
       setCollections(data.collections)
       setOwners(data.facets.owners)
+      setTagFacets(data.facets.tags ?? [])
+      if (data.featuredTags) setFeaturedTags(data.featuredTags)
+      if (data.featuredCollections) setFeaturedCollections(data.featuredCollections)
     } catch {
       setCollections([])
       setOwners([])
+      setTagFacets([])
     }
     setLoading(false)
   }
 
   useEffect(() => {
-    load()
+    load(initQuery, initOwner, initSortKey, initTag)
   }, [])
 
   function handleInput(value: string) {
     setQuery(value)
     clearTimeout(timerRef.current)
-    timerRef.current = setTimeout(() => load(value, selectedOwner), 300)
+    timerRef.current = setTimeout(() => load(value, selectedOwner, sort, selectedTag), 300)
   }
 
   function handleOwnerClick(ownerSlug: string | null) {
     setSelectedOwner(ownerSlug)
-    load(query, ownerSlug)
+    load(query, ownerSlug, sort, selectedTag)
+  }
+
+  function handleTagClick(tag: string | null) {
+    setSelectedTag(tag)
+    load(query, selectedOwner, sort, tag)
   }
 
   function handleSortChange(value: string) {
-    const s = value as 'updated' | 'name'
+    const s = value as SortKey
     setSort(s)
-    load(query, selectedOwner, s)
+    load(query, selectedOwner, s, selectedTag)
   }
 
-  const totalCount = owners.reduce((sum, o) => sum + o.count, 0)
+  const visibleTags =
+    featuredTags.length > 0
+      ? featuredTags.filter((t) => tagFacets.some((f) => f.name === t))
+      : tagFacets.slice(0, 12).map((f) => f.name)
 
   return (
     <div className="flex gap-8">
       {/* Sidebar facets */}
-      {owners.length > 0 && (
-        <aside className="hidden w-44 shrink-0 md:block">
-          <h3 className="text-ink-muted mb-3 text-xs font-semibold tracking-wide uppercase">
-            Organizations
-          </h3>
-          <ul className="space-y-0.5">
-            <li>
-              <button
-                onClick={() => handleOwnerClick(null)}
-                className={`flex w-full items-center justify-between rounded-sm px-2.5 py-1.5 text-left text-sm transition-colors ${
-                  !selectedOwner
-                    ? 'bg-parchment-dark text-ink font-medium'
-                    : 'text-ink-muted hover:bg-parchment-dark/50 hover:text-ink'
-                }`}
-              >
-                <span>All</span>
-                <span className="text-ink-muted text-xs">{totalCount}</span>
-              </button>
-            </li>
-            {owners.map((o) => (
-              <li key={o.slug}>
-                <button
-                  onClick={() => handleOwnerClick(o.slug)}
-                  className={`flex w-full items-center justify-between rounded-sm px-2.5 py-1.5 text-left text-sm transition-colors ${
-                    selectedOwner === o.slug
-                      ? 'bg-parchment-dark text-ink font-medium'
-                      : 'text-ink-muted hover:bg-parchment-dark/50 hover:text-ink'
-                  }`}
-                >
-                  <span className="truncate">{o.name ?? o.slug}</span>
-                  <span className="text-ink-muted ml-2 shrink-0 text-xs">{o.count}</span>
-                </button>
-              </li>
-            ))}
-          </ul>
+      {visibleTags.length > 0 && (
+        <aside className="hidden w-44 shrink-0 space-y-6 md:block">
+          {/* Tags */}
+          {visibleTags.length > 0 && (
+            <div>
+              <h3 className="text-ink-muted mb-3 text-xs font-semibold tracking-wide uppercase">
+                Topics
+              </h3>
+              <ul className="space-y-0.5">
+                <li>
+                  <button
+                    onClick={() => handleTagClick(null)}
+                    className={`w-full rounded-sm px-2.5 py-1.5 text-left text-sm transition-colors ${
+                      !selectedTag
+                        ? 'bg-parchment-dark text-ink font-medium'
+                        : 'text-ink-muted hover:bg-parchment-dark/50 hover:text-ink'
+                    }`}
+                  >
+                    All
+                  </button>
+                </li>
+                {visibleTags.map((tag) => (
+                  <li key={tag}>
+                    <button
+                      onClick={() => handleTagClick(tag)}
+                      className={`w-full rounded-sm px-2.5 py-1.5 text-left text-sm transition-colors ${
+                        selectedTag === tag
+                          ? 'bg-parchment-dark text-ink font-medium'
+                          : 'text-ink-muted hover:bg-parchment-dark/50 hover:text-ink'
+                      }`}
+                    >
+                      {tag}
+                    </button>
+                  </li>
+                ))}
+              </ul>
+            </div>
+          )}
         </aside>
       )}
 
       {/* Main content */}
       <div className="min-w-0 flex-1">
-        {/* Search + sort bar */}
+        {/* Search + sort bar (always at top, never moves) */}
         <div className="mb-5 flex gap-3">
           <div className="relative flex-1">
             <svg
@@ -170,11 +222,49 @@ export default function CollectionExplorer() {
             onChange={(e) => handleSortChange(e.target.value)}
             className="bg-parchment border-rule text-ink-muted rounded-sm border px-3 py-2 text-sm focus:outline-none"
           >
+            <option value="featured">Featured</option>
+            <option value="records">Most records</option>
             <option value="updated">Recent</option>
             <option value="name">Name</option>
           </select>
         </div>
 
+        {/* Featured collections hero */}
+        {featuredCollections.length > 0 && !isFiltered && (
+          <div className="mb-6">
+            <h3 className="text-ink-muted mb-3 text-xs font-semibold tracking-wide uppercase">
+              Featured
+            </h3>
+            <div className="grid grid-cols-1 gap-3 sm:grid-cols-2 lg:grid-cols-3">
+              {featuredCollections.map((c) => (
+                <Link
+                  key={`feat-${c.ownerSlug}/${c.slug}`}
+                  to={`/${c.ownerSlug}/${c.slug}`}
+                  className="border-rule hover:border-ink-muted/50 group rounded-sm border p-4 transition-all hover:shadow-sm"
+                >
+                  <div className="flex items-baseline gap-1.5">
+                    <span className="text-ink-muted text-xs">{c.ownerSlug}/</span>
+                    <span className="text-sm font-semibold">{c.slug}</span>
+                  </div>
+                  {c.description && (
+                    <p className="text-ink-muted mt-1.5 line-clamp-2 text-xs leading-relaxed">
+                      {c.description}
+                    </p>
+                  )}
+                  <div className="text-ink-muted mt-3 flex items-center gap-3 text-xs tabular-nums">
+                    {c.recordCount != null && <span>{formatCount(c.recordCount)} records</span>}
+                    {c.tags && c.tags.length > 0 && (
+                      <span className="bg-parchment-dark rounded px-1.5 py-0.5 text-[10px] leading-none">
+                        {c.tags[0]}
+                      </span>
+                    )}
+                  </div>
+                </Link>
+              ))}
+            </div>
+          </div>
+        )}
+
         {/* Mobile owner filter */}
         {owners.length > 0 && (
           <div className="mb-4 flex flex-wrap gap-1.5 md:hidden">
@@ -209,8 +299,8 @@ export default function CollectionExplorer() {
         ) : collections.length === 0 ? (
           <div className="py-12 text-center">
             <p className="text-ink-muted text-sm">
-              {query || selectedOwner
-                ? 'No collections match your search.'
+              {query || selectedOwner || selectedTag
+                ? 'No collections match your filters.'
                 : 'No public collections yet.'}
             </p>
           </div>
@@ -218,6 +308,7 @@ export default function CollectionExplorer() {
           <>
             <p className="text-ink-muted mb-3 text-xs">
               {collections.length} collection{collections.length !== 1 ? 's' : ''}
+              {selectedTag && ` in ${selectedTag}`}
               {selectedOwner && ` from ${selectedOwner}`}
               {query && ` matching "${query}"`}
             </p>
@@ -232,6 +323,18 @@ export default function CollectionExplorer() {
                     <div className="flex items-baseline gap-1.5">
                       <span className="text-ink-muted text-xs">{c.ownerSlug}/</span>
                       <span className="text-sm font-semibold">{c.slug}</span>
+                      {c.tags && c.tags.length > 0 && (
+                        <span className="flex gap-1">
+                          {c.tags.slice(0, 2).map((tag) => (
+                            <span
+                              key={tag}
+                              className="bg-parchment-dark text-ink-muted rounded px-1.5 py-0.5 text-[10px] leading-none"
+                            >
+                              {tag}
+                            </span>
+                          ))}
+                        </span>
+                      )}
                     </div>
                     {c.description && (
                       <p className="text-ink-muted mt-0.5 line-clamp-1 text-xs leading-relaxed">
diff --git a/src/components/CreateMenu.tsx b/src/components/CreateMenu.tsx
new file mode 100644
index 0000000..20d4577
--- /dev/null
+++ b/src/components/CreateMenu.tsx
@@ -0,0 +1,46 @@
+import { useEffect, useRef, useState } from 'react'
+import { Link } from 'react-router'
+
+export default function CreateMenu() {
+  const [open, setOpen] = useState(false)
+  const ref = useRef<HTMLDivElement>(null)
+
+  useEffect(() => {
+    if (!open) return
+    function handleClick(e: MouseEvent) {
+      if (ref.current && !ref.current.contains(e.target as Node)) setOpen(false)
+    }
+    document.addEventListener('mousedown', handleClick)
+    return () => document.removeEventListener('mousedown', handleClick)
+  }, [open])
+
+  return (
+    <div ref={ref} className="relative">
+      <button
+        type="button"
+        onClick={() => setOpen((v) => !v)}
+        className="border-rule bg-parchment-dark hover:bg-rule/30 cursor-pointer rounded border px-2.5 py-1 text-xs transition-colors"
+      >
+        New +
+      </button>
+      {open && (
+        <div className="bg-parchment border-rule absolute top-full right-0 z-50 mt-1.5 min-w-[10rem] overflow-hidden rounded border shadow-sm">
+          <Link
+            to="/new"
+            onClick={() => setOpen(false)}
+            className="text-ink hover:bg-parchment-dark block px-3 py-2 text-sm transition-colors"
+          >
+            New collection
+          </Link>
+          <Link
+            to="/new-org"
+            onClick={() => setOpen(false)}
+            className="text-ink hover:bg-parchment-dark block px-3 py-2 text-sm transition-colors"
+          >
+            New organization
+          </Link>
+        </div>
+      )}
+    </div>
+  )
+}
diff --git a/src/components/ExploreTagsAdmin.tsx b/src/components/ExploreTagsAdmin.tsx
new file mode 100644
index 0000000..eca81da
--- /dev/null
+++ b/src/components/ExploreTagsAdmin.tsx
@@ -0,0 +1,134 @@
+import { useEffect, useState } from 'react'
+
+export default function ExploreTagsAdmin() {
+  const [tags, setTags] = useState<string[]>([])
+  const [newTag, setNewTag] = useState('')
+  const [saving, setSaving] = useState(false)
+  const [loading, setLoading] = useState(true)
+  const [message, setMessage] = useState<string | null>(null)
+
+  useEffect(() => {
+    fetch('/api/admin/explore-tags')
+      .then((r) => r.json())
+      .then((data) => setTags(data.tags ?? []))
+      .catch(() => {})
+      .finally(() => setLoading(false))
+  }, [])
+
+  async function save(updated: string[]) {
+    setSaving(true)
+    setMessage(null)
+    try {
+      const res = await fetch('/api/admin/explore-tags', {
+        method: 'PUT',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ tags: updated }),
+      })
+      if (res.ok) {
+        setTags(updated)
+        setMessage('Saved')
+      } else {
+        const data = await res.json()
+        setMessage(data.error ?? 'Failed to save')
+      }
+    } catch {
+      setMessage('Failed to save')
+    }
+    setSaving(false)
+  }
+
+  function addTag() {
+    const tag = newTag.trim()
+    if (!tag || tags.includes(tag)) return
+    const updated = [...tags, tag]
+    setNewTag('')
+    save(updated)
+  }
+
+  function removeTag(tag: string) {
+    save(tags.filter((t) => t !== tag))
+  }
+
+  function moveTag(index: number, direction: -1 | 1) {
+    const target = index + direction
+    if (target < 0 || target >= tags.length) return
+    const updated = [...tags]
+    ;[updated[index], updated[target]] = [updated[target]!, updated[index]!]
+    save(updated)
+  }
+
+  if (loading) {
+    return <p className="text-ink-muted text-sm">Loading...</p>
+  }
+
+  return (
+    <div className="space-y-6">
+      <div>
+        <h2 className="mb-1 text-lg font-semibold">Explore Page Tags</h2>
+        <p className="text-ink-muted text-sm">
+          These tags appear as filter chips on the explore page. Collections set their own tags in
+          version metadata; this list controls which tags are featured.
+        </p>
+      </div>
+
+      <div className="space-y-1.5">
+        {tags.length === 0 && (
+          <p className="text-ink-muted text-sm">
+            No featured tags yet. The explore page will show the most common tags automatically.
+          </p>
+        )}
+        {tags.map((tag, i) => (
+          <div key={tag} className="border-rule flex items-center gap-2 rounded border px-3 py-2">
+            <span className="flex-1 text-sm">{tag}</span>
+            <button
+              onClick={() => moveTag(i, -1)}
+              disabled={i === 0 || saving}
+              className="text-ink-muted hover:text-ink text-xs disabled:opacity-30"
+            >
+              &uarr;
+            </button>
+            <button
+              onClick={() => moveTag(i, 1)}
+              disabled={i === tags.length - 1 || saving}
+              className="text-ink-muted hover:text-ink text-xs disabled:opacity-30"
+            >
+              &darr;
+            </button>
+            <button
+              onClick={() => removeTag(tag)}
+              disabled={saving}
+              className="text-ink-muted text-xs hover:text-red-600"
+            >
+              Remove
+            </button>
+          </div>
+        ))}
+      </div>
+
+      <form
+        onSubmit={(e) => {
+          e.preventDefault()
+          addTag()
+        }}
+        className="flex gap-2"
+      >
+        <input
+          type="text"
+          value={newTag}
+          onChange={(e) => setNewTag(e.target.value)}
+          placeholder="New tag name..."
+          className="bg-parchment border-rule placeholder:text-ink-muted flex-1 rounded border px-3 py-2 text-sm focus:outline-none"
+        />
+        <button
+          type="submit"
+          disabled={!newTag.trim() || saving}
+          className="bg-ink text-parchment disabled:bg-ink/50 rounded px-4 py-2 text-sm"
+        >
+          Add
+        </button>
+      </form>
+
+      {message && <p className="text-ink-muted text-xs">{message}</p>}
+    </div>
+  )
+}
diff --git a/src/components/FeaturedCollectionsAdmin.tsx b/src/components/FeaturedCollectionsAdmin.tsx
new file mode 100644
index 0000000..b3490f1
--- /dev/null
+++ b/src/components/FeaturedCollectionsAdmin.tsx
@@ -0,0 +1,162 @@
+import { useEffect, useState } from 'react'
+
+interface CollectionOption {
+  ownerSlug: string
+  slug: string
+  name: string
+  description: string | null
+  recordCount: number | null
+}
+
+export default function FeaturedCollectionsAdmin() {
+  const [featured, setFeatured] = useState<string[]>([])
+  const [allCollections, setAllCollections] = useState<CollectionOption[]>([])
+  const [saving, setSaving] = useState(false)
+  const [loading, setLoading] = useState(true)
+  const [message, setMessage] = useState<string | null>(null)
+
+  useEffect(() => {
+    Promise.all([
+      fetch('/api/admin/explore-collections')
+        .then((r) => r.json())
+        .then((data) => data.collections ?? []),
+      fetch('/api/collections?limit=100&sort=name')
+        .then((r) => r.json())
+        .then((data) => data.collections ?? []),
+    ])
+      .then(([feat, all]) => {
+        setFeatured(feat)
+        setAllCollections(all)
+      })
+      .catch(() => {})
+      .finally(() => setLoading(false))
+  }, [])
+
+  async function save(updated: string[]) {
+    setSaving(true)
+    setMessage(null)
+    try {
+      const res = await fetch('/api/admin/explore-collections', {
+        method: 'PUT',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ collections: updated }),
+      })
+      if (res.ok) {
+        setFeatured(updated)
+        setMessage('Saved')
+      } else {
+        const data = await res.json()
+        setMessage(data.error ?? 'Failed to save')
+      }
+    } catch {
+      setMessage('Failed to save')
+    }
+    setSaving(false)
+  }
+
+  function addCollection(slug: string) {
+    if (featured.includes(slug)) return
+    save([...featured, slug])
+  }
+
+  function removeCollection(slug: string) {
+    save(featured.filter((s) => s !== slug))
+  }
+
+  function moveCollection(index: number, direction: -1 | 1) {
+    const target = index + direction
+    if (target < 0 || target >= featured.length) return
+    const updated = [...featured]
+    ;[updated[index], updated[target]] = [updated[target]!, updated[index]!]
+    save(updated)
+  }
+
+  const available = allCollections.filter((c) => !featured.includes(`${c.ownerSlug}/${c.slug}`))
+
+  if (loading) {
+    return <p className="text-ink-muted text-sm">Loading...</p>
+  }
+
+  return (
+    <div className="space-y-6">
+      <div>
+        <h2 className="mb-1 text-lg font-semibold">Featured Collections</h2>
+        <p className="text-ink-muted text-sm">
+          These collections appear in a hero row at the top of the explore page. Pick 3-6 that
+          showcase diversity.
+        </p>
+      </div>
+
+      <div className="space-y-1.5">
+        {featured.length === 0 && (
+          <p className="text-ink-muted text-sm">
+            No featured collections yet. The hero row won't appear.
+          </p>
+        )}
+        {featured.map((slug, i) => {
+          const col = allCollections.find((c) => `${c.ownerSlug}/${c.slug}` === slug)
+          return (
+            <div
+              key={slug}
+              className="border-rule flex items-center gap-2 rounded border px-3 py-2"
+            >
+              <div className="flex-1">
+                <span className="text-sm font-medium">{slug}</span>
+                {col?.description && (
+                  <p className="text-ink-muted line-clamp-1 text-xs">{col.description}</p>
+                )}
+              </div>
+              <button
+                onClick={() => moveCollection(i, -1)}
+                disabled={i === 0 || saving}
+                className="text-ink-muted hover:text-ink text-xs disabled:opacity-30"
+              >
+                &uarr;
+              </button>
+              <button
+                onClick={() => moveCollection(i, 1)}
+                disabled={i === featured.length - 1 || saving}
+                className="text-ink-muted hover:text-ink text-xs disabled:opacity-30"
+              >
+                &darr;
+              </button>
+              <button
+                onClick={() => removeCollection(slug)}
+                disabled={saving}
+                className="text-ink-muted text-xs hover:text-red-600"
+              >
+                Remove
+              </button>
+            </div>
+          )
+        })}
+      </div>
+
+      {available.length > 0 && (
+        <div>
+          <label className="text-ink-muted mb-1 block text-xs font-medium">Add a collection</label>
+          <select
+            onChange={(e) => {
+              if (e.target.value) addCollection(e.target.value)
+              e.target.value = ''
+            }}
+            disabled={saving}
+            className="bg-parchment border-rule text-ink-muted w-full rounded border px-3 py-2 text-sm focus:outline-none"
+            defaultValue=""
+          >
+            <option value="" disabled>
+              Select a collection...
+            </option>
+            {available.map((c) => (
+              <option key={`${c.ownerSlug}/${c.slug}`} value={`${c.ownerSlug}/${c.slug}`}>
+                {c.ownerSlug}/{c.slug} — {c.name}
+              </option>
+            ))}
+          </select>
+        </div>
+      )}
+
+      {message && <p className="text-ink-muted text-xs">{message}</p>}
+    </div>
+  )
+}
diff --git a/src/components/UserMenu.tsx b/src/components/UserMenu.tsx
index 4323cb0..c45bb11 100644
--- a/src/components/UserMenu.tsx
+++ b/src/components/UserMenu.tsx
@@ -4,11 +4,13 @@ import { Link } from 'react-router'
 interface Org {
   slug: string
   displayName: string
+  isDefault?: boolean
 }
 
 interface UserMenuProps {
   slug: string
   displayName?: string | null
+  avatarUrl?: string | null
   orgs?: Org[]
   isSteward?: boolean
 }
@@ -16,21 +18,12 @@ interface UserMenuProps {
 export default function UserMenu({
   slug,
   displayName,
+  avatarUrl,
   orgs = [],
   isSteward = false,
 }: UserMenuProps) {
   const [open, setOpen] = useState(false)
   const rootRef = useRef<HTMLDivElement>(null)
-  const hideTimeout = useRef<ReturnType<typeof setTimeout>>(undefined)
-
-  function show() {
-    clearTimeout(hideTimeout.current)
-    setOpen(true)
-  }
-
-  function scheduleHide() {
-    hideTimeout.current = setTimeout(() => setOpen(false), 150)
-  }
 
   useEffect(() => {
     function handleClickOutside(e: MouseEvent) {
@@ -42,33 +35,35 @@ export default function UserMenu({
     return () => document.removeEventListener('click', handleClickOutside)
   }, [])
 
+  const initial = (displayName || slug || '?').charAt(0).toUpperCase()
+
   return (
-    <div ref={rootRef} className="relative" onMouseEnter={show} onMouseLeave={scheduleHide}>
+    <div ref={rootRef} className="relative">
       <button
-        className="hover:text-ink text-ink cursor-pointer font-medium transition-colors"
+        className="bg-ink text-parchment flex h-7 w-7 cursor-pointer items-center justify-center overflow-hidden rounded-full text-xs font-semibold transition-opacity hover:opacity-80"
         type="button"
         onClick={() => setOpen((v) => !v)}
       >
-        {displayName || slug} ▾
+        {avatarUrl ? (
+          <img src={avatarUrl} alt="" className="h-full w-full object-cover" />
+        ) : (
+          initial
+        )}
       </button>
       {open && (
         <div className="absolute top-full right-0 z-50 pt-1">
           <div className="bg-parchment border-rule min-w-48 border shadow-sm">
-            <Link
-              to={`/${slug}`}
-              className="text-ink-light hover:bg-parchment-dark block px-3 py-2 text-sm transition-colors"
-            >
-              Your Profile
-            </Link>
             <Link
               to="/dashboard"
               className="text-ink-light hover:bg-parchment-dark block px-3 py-2 text-sm transition-colors"
+              onClick={() => setOpen(false)}
             >
               Dashboard
             </Link>
             <Link
               to="/settings"
               className="text-ink-light hover:bg-parchment-dark block px-3 py-2 text-sm transition-colors"
+              onClick={() => setOpen(false)}
             >
               Settings
             </Link>
@@ -76,6 +71,7 @@ export default function UserMenu({
               <Link
                 to="/superadmin"
                 className="text-ink-light hover:bg-parchment-dark block px-3 py-2 text-sm transition-colors"
+                onClick={() => setOpen(false)}
               >
                 Admin
               </Link>
@@ -91,8 +87,12 @@ export default function UserMenu({
                     key={org.slug}
                     to={`/${org.slug}`}
                     className="text-ink-light hover:bg-parchment-dark block px-3 py-1.5 text-sm transition-colors"
+                    onClick={() => setOpen(false)}
                   >
                     {org.displayName}
+                    {org.isDefault && (
+                      <span className="text-ink-muted ml-1 text-xs">(personal)</span>
+                    )}
                   </Link>
                 ))}
               </>
@@ -101,6 +101,7 @@ export default function UserMenu({
             <Link
               to="/logout"
               className="text-ink-muted hover:bg-parchment-dark block px-3 py-2 text-sm transition-colors"
+              onClick={() => setOpen(false)}
             >
               Sign out
             </Link>
diff --git a/src/db/migrations/0005_instance_settings.sql b/src/db/migrations/0005_instance_settings.sql
new file mode 100644
index 0000000..a0abd33
--- /dev/null
+++ b/src/db/migrations/0005_instance_settings.sql
@@ -0,0 +1,5 @@
+CREATE TABLE IF NOT EXISTS "instance_settings" (
+	"key" text PRIMARY KEY NOT NULL,
+	"value" jsonb NOT NULL,
+	"updated_at" timestamp with time zone DEFAULT now() NOT NULL
+);
diff --git a/src/db/migrations/meta/0005_snapshot.json b/src/db/migrations/meta/0005_snapshot.json
new file mode 100644
index 0000000..a450c23
--- /dev/null
+++ b/src/db/migrations/meta/0005_snapshot.json
@@ -0,0 +1,2315 @@
+{
+  "id": "d572506e-2ebc-4aa5-9838-44abbc70e395",
+  "prevId": "c7cee44e-06b1-4f1f-a5c5-c9bcd999d546",
+  "version": "7",
+  "dialect": "postgresql",
+  "tables": {
+    "public.account": {
+      "name": "account",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "account_id": {
+          "name": "account_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "provider_id": {
+          "name": "provider_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "access_token": {
+          "name": "access_token",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "refresh_token": {
+          "name": "refresh_token",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "id_token": {
+          "name": "id_token",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "access_token_expires_at": {
+          "name": "access_token_expires_at",
+          "type": "timestamp with time zone",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "refresh_token_expires_at": {
+          "name": "refresh_token_expires_at",
+          "type": "timestamp with time zone",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "scope": {
+          "name": "scope",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "password": {
+          "name": "password",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp with time zone",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp with time zone",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "account_user_id_idx": {
+          "name": "account_user_id_idx",
+          "columns": [
+            {
+              "expression": "user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "account_user_id_user_id_fk": {
+          "name": "account_user_id_user_id_fk",
+          "tableFrom": "account",
+          "tableTo": "user",
+          "columnsFrom": ["user_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.apikey": {
+      "name": "apikey",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "config_id": {
+          "name": "config_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'default'"
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "start": {
+          "name": "start",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "reference_id": {
+          "name": "reference_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "prefix": {
+          "name": "prefix",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "key": {
+          "name": "key",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "refill_interval": {
+          "name": "refill_interval",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "refill_amount": {
+          "name": "refill_amount",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "last_refill_at": {
+          "name": "last_refill_at",
+          "type": "timestamp with time zone",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": true
+        },
+        "rate_limit_enabled": {
+          "name": "rate_limit_enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": true
+        },
+        "rate_limit_time_window": {
+          "name": "rate_limit_time_window",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "default": 86400000
+        },
+        "rate_limit_max": {
+          "name": "rate_limit_max",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "default": 10
+        },
+        "request_count": {
+          "name": "request_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "default": 0
+        },
+        "remaining": {
+          "name": "remaining",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "last_request": {
+          "name": "last_request",
+          "type": "timestamp with time zone",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "timestamp with time zone",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp with time zone",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp with time zone",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "permissions": {
+          "name": "permissions",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "metadata": {
+          "name": "metadata",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {
+        "apikey_config_id_idx": {
+          "name": "apikey_config_id_idx",
+          "columns": [
+            {
+              "expression": "config_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "apikey_reference_id_idx": {
+          "name": "apikey_reference_id_idx",
+          "columns": [
+            {
+              "expression": "reference_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "apikey_key_idx": {
+          "name": "apikey_key_idx",
+          "columns": [
+            {
+              "expression": "key",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.ark_collections": {
+      "name": "ark_collections",
+      "schema": "",
+      "columns": {
+        "collection_id": {
+          "name": "collection_id",
+          "type": "uuid",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "ark_id": {
+          "name": "ark_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": true
+        },
+        "custom_url": {
+          "name": "custom_url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp with time zone",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "ark_collections_collection_id_collections_id_fk": {
+          "name": "ark_collections_collection_id_collections_id_fk",
+          "tableFrom": "ark_collections",
+          "tableTo": "collections",
+          "columnsFrom": ["collection_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "ark_collections_ark_id_unique": {
+          "name": "ark_collections_ark_id_unique",
+          "nullsNotDistinct": false,
+          "columns": ["ark_id"]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.ark_record_types": {
+      "name": "ark_record_types",
+      "schema": "",
+      "columns": {
+        "collection_id": {
+          "name": "collection_id",
+          "type": "uuid",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "record_type": {
+          "name": "record_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "redirect_url_field": {
+          "name": "redirect_url_field",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "ark_record_types_collection_id_collections_id_fk": {
+          "name": "ark_record_types_collection_id_collections_id_fk",
+          "tableFrom": "ark_record_types",
+          "tableTo": "collections",
+          "columnsFrom": ["collection_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {
+        "ark_record_types_collection_id_record_type_pk": {
+          "name": "ark_record_types_collection_id_record_type_pk",
+          "columns": ["collection_id", "record_type"]
+        }
+      },
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.ark_shoulders": {
+      "name": "ark_shoulders",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "uuid",
+          "primaryKey": true,
+          "notNull": true,
+          "default": "gen_random_uuid()"
+        },
+        "organization_id": {
+          "name": "organization_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "shoulder": {
+          "name": "shoulder",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp with time zone",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "ark_shoulders_organization_id_organization_id_fk": {
+          "name": "ark_shoulders_organization_id_organization_id_fk",
+          "tableFrom": "ark_shoulders",
+          "tableTo": "organization",
+          "columnsFrom": ["organization_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "ark_shoulders_organization_id_unique": {
+          "name": "ark_shoulders_organization_id_unique",
+          "nullsNotDistinct": false,
+          "columns": ["organization_id"]
+        },
+        "ark_shoulders_shoulder_unique": {
+          "name": "ark_shoulders_shoulder_unique",
+          "nullsNotDistinct": false,
+          "columns": ["shoulder"]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.collections": {
+      "name": "collections",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "uuid",
+          "primaryKey": true,
+          "notNull": true,
+          "default": "gen_random_uuid()"
+        },
+        "organization_id": {
+          "name": "organization_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "slug": {
+          "name": "slug",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "public": {
+          "name": "public",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "forked_from": {
+          "name": "forked_from",
+          "type": "uuid",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp with time zone",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp with time zone",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "collections_organization_id_idx": {
+          "name": "collections_organization_id_idx",
+          "columns": [
+            {
+              "expression": "organization_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "collections_organization_id_organization_id_fk": {
+          "name": "collections_organization_id_organization_id_fk",
+          "tableFrom": "collections",
+          "tableTo": "organization",
+          "columnsFrom": ["organization_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "collections_forked_from_collections_id_fk": {
+          "name": "collections_forked_from_collections_id_fk",
+          "tableFrom": "collections",
+          "tableTo": "collections",
+          "columnsFrom": ["forked_from"],
+          "columnsTo": ["id"],
+          "onDelete": "no action",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "collections_organization_id_slug_unique": {
+          "name": "collections_organization_id_slug_unique",
+          "nullsNotDistinct": false,
+          "columns": ["organization_id", "slug"]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.files": {
+      "name": "files",
+      "schema": "",
+      "columns": {
+        "hash": {
+          "name": "hash",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "size": {
+          "name": "size",
+          "type": "bigint",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "mime_type": {
+          "name": "mime_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "storage_key": {
+          "name": "storage_key",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp with time zone",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.instance_settings": {
+      "name": "instance_settings",
+      "schema": "",
+      "columns": {
+        "key": {
+          "name": "key",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "value": {
+          "name": "value",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp with time zone",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.invitation": {
+      "name": "invitation",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "organization_id": {
+          "name": "organization_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "email": {
+          "name": "email",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "role": {
+          "name": "role",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "status": {
+          "name": "status",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'pending'"
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "timestamp with time zone",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp with time zone",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "inviter_id": {
+          "name": "inviter_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {
+        "invitation_organization_id_idx": {
+          "name": "invitation_organization_id_idx",
+          "columns": [
+            {
+              "expression": "organization_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "invitation_email_idx": {
+          "name": "invitation_email_idx",
+          "columns": [
+            {
+              "expression": "email",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "invitation_organization_id_organization_id_fk": {
+          "name": "invitation_organization_id_organization_id_fk",
+          "tableFrom": "invitation",
+          "tableTo": "organization",
+          "columnsFrom": ["organization_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "invitation_inviter_id_user_id_fk": {
+          "name": "invitation_inviter_id_user_id_fk",
+          "tableFrom": "invitation",
+          "tableTo": "user",
+          "columnsFrom": ["inviter_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.member": {
+      "name": "member",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "organization_id": {
+          "name": "organization_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "role": {
+          "name": "role",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'member'"
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp with time zone",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "member_organization_id_idx": {
+          "name": "member_organization_id_idx",
+          "columns": [
+            {
+              "expression": "organization_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "member_user_id_idx": {
+          "name": "member_user_id_idx",
+          "columns": [
+            {
+              "expression": "user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "member_organization_id_organization_id_fk": {
+          "name": "member_organization_id_organization_id_fk",
+          "tableFrom": "member",
+          "tableTo": "organization",
+          "columnsFrom": ["organization_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "member_user_id_user_id_fk": {
+          "name": "member_user_id_user_id_fk",
+          "tableFrom": "member",
+          "tableTo": "user",
+          "columnsFrom": ["user_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.negotiate_session_manifest": {
+      "name": "negotiate_session_manifest",
+      "schema": "",
+      "columns": {
+        "session_id": {
+          "name": "session_id",
+          "type": "uuid",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "record_id": {
+          "name": "record_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "type": {
+          "name": "type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "hash": {
+          "name": "hash",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "private": {
+          "name": "private",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "needed": {
+          "name": "needed",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": true
+        }
+      },
+      "indexes": {
+        "nsm_session_needed_idx": {
+          "name": "nsm_session_needed_idx",
+          "columns": [
+            {
+              "expression": "session_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "needed",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "negotiate_session_manifest_session_id_negotiate_sessions_id_fk": {
+          "name": "negotiate_session_manifest_session_id_negotiate_sessions_id_fk",
+          "tableFrom": "negotiate_session_manifest",
+          "tableTo": "negotiate_sessions",
+          "columnsFrom": ["session_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {
+        "negotiate_session_manifest_session_id_hash_pk": {
+          "name": "negotiate_session_manifest_session_id_hash_pk",
+          "columns": ["session_id", "hash"]
+        }
+      },
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.negotiate_sessions": {
+      "name": "negotiate_sessions",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "uuid",
+          "primaryKey": true,
+          "notNull": true,
+          "default": "gen_random_uuid()"
+        },
+        "collection_id": {
+          "name": "collection_id",
+          "type": "uuid",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "base_semver": {
+          "name": "base_semver",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "schemas": {
+          "name": "schemas",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "file_hashes": {
+          "name": "file_hashes",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'[]'::jsonb"
+        },
+        "needed_files": {
+          "name": "needed_files",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'[]'::jsonb"
+        },
+        "message": {
+          "name": "message",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "metadata": {
+          "name": "metadata",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "app_id": {
+          "name": "app_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "actor_id": {
+          "name": "actor_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "strip_unknown_fields": {
+          "name": "strip_unknown_fields",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "status": {
+          "name": "status",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'open'"
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp with time zone",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "timestamp with time zone",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "negotiate_sessions_collection_id_collections_id_fk": {
+          "name": "negotiate_sessions_collection_id_collections_id_fk",
+          "tableFrom": "negotiate_sessions",
+          "tableTo": "collections",
+          "columnsFrom": ["collection_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "negotiate_sessions_user_id_user_id_fk": {
+          "name": "negotiate_sessions_user_id_user_id_fk",
+          "tableFrom": "negotiate_sessions",
+          "tableTo": "user",
+          "columnsFrom": ["user_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.organization": {
+      "name": "organization",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "slug": {
+          "name": "slug",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "logo": {
+          "name": "logo",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp with time zone",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "metadata": {
+          "name": "metadata",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "bio": {
+          "name": "bio",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "website": {
+          "name": "website",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "avatar_url": {
+          "name": "avatar_url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "ark_naan": {
+          "name": "ark_naan",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "kf_org_id": {
+          "name": "kf_org_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "is_default": {
+          "name": "is_default",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        }
+      },
+      "indexes": {
+        "organization_slug_uidx": {
+          "name": "organization_slug_uidx",
+          "columns": [
+            {
+              "expression": "slug",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": true,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "organization_slug_unique": {
+          "name": "organization_slug_unique",
+          "nullsNotDistinct": false,
+          "columns": ["slug"]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.page_comments": {
+      "name": "page_comments",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "uuid",
+          "primaryKey": true,
+          "notNull": true,
+          "default": "gen_random_uuid()"
+        },
+        "page": {
+          "name": "page",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "anchor": {
+          "name": "anchor",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "quote": {
+          "name": "quote",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "quote_context": {
+          "name": "quote_context",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "parent_id": {
+          "name": "parent_id",
+          "type": "uuid",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "body": {
+          "name": "body",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "approved_at": {
+          "name": "approved_at",
+          "type": "timestamp with time zone",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "approved_by": {
+          "name": "approved_by",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "status": {
+          "name": "status",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'open'"
+        },
+        "resolution_note": {
+          "name": "resolution_note",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp with time zone",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "edited_at": {
+          "name": "edited_at",
+          "type": "timestamp with time zone",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "deleted_at": {
+          "name": "deleted_at",
+          "type": "timestamp with time zone",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {
+        "page_comments_page_anchor_idx": {
+          "name": "page_comments_page_anchor_idx",
+          "columns": [
+            {
+              "expression": "page",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "anchor",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "page_comments_user_id_idx": {
+          "name": "page_comments_user_id_idx",
+          "columns": [
+            {
+              "expression": "user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "page_comments_user_id_user_id_fk": {
+          "name": "page_comments_user_id_user_id_fk",
+          "tableFrom": "page_comments",
+          "tableTo": "user",
+          "columnsFrom": ["user_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.record_objects": {
+      "name": "record_objects",
+      "schema": "",
+      "columns": {
+        "hash": {
+          "name": "hash",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "record_id": {
+          "name": "record_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "type": {
+          "name": "type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "data": {
+          "name": "data",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "private": {
+          "name": "private",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "size": {
+          "name": "size",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp with time zone",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "record_objects_record_id_idx": {
+          "name": "record_objects_record_id_idx",
+          "columns": [
+            {
+              "expression": "record_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.schema_labels": {
+      "name": "schema_labels",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "uuid",
+          "primaryKey": true,
+          "notNull": true,
+          "default": "gen_random_uuid()"
+        },
+        "schema_id": {
+          "name": "schema_id",
+          "type": "uuid",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "label": {
+          "name": "label",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp with time zone",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "schema_labels_label_idx": {
+          "name": "schema_labels_label_idx",
+          "columns": [
+            {
+              "expression": "label",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "schema_labels_schema_id_schemas_id_fk": {
+          "name": "schema_labels_schema_id_schemas_id_fk",
+          "tableFrom": "schema_labels",
+          "tableTo": "schemas",
+          "columnsFrom": ["schema_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "schema_labels_schema_id_label_unique": {
+          "name": "schema_labels_schema_id_label_unique",
+          "nullsNotDistinct": false,
+          "columns": ["schema_id", "label"]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.schemas": {
+      "name": "schemas",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "uuid",
+          "primaryKey": true,
+          "notNull": true,
+          "default": "gen_random_uuid()"
+        },
+        "schema": {
+          "name": "schema",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "schema_hash": {
+          "name": "schema_hash",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp with time zone",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "schemas_schema_hash_unique": {
+          "name": "schemas_schema_hash_unique",
+          "nullsNotDistinct": false,
+          "columns": ["schema_hash"]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.session": {
+      "name": "session",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "timestamp with time zone",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "token": {
+          "name": "token",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp with time zone",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp with time zone",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "ip_address": {
+          "name": "ip_address",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "user_agent": {
+          "name": "user_agent",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "active_organization_id": {
+          "name": "active_organization_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {
+        "session_user_id_idx": {
+          "name": "session_user_id_idx",
+          "columns": [
+            {
+              "expression": "user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "session_user_id_user_id_fk": {
+          "name": "session_user_id_user_id_fk",
+          "tableFrom": "session",
+          "tableTo": "user",
+          "columnsFrom": ["user_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "session_token_unique": {
+          "name": "session_token_unique",
+          "nullsNotDistinct": false,
+          "columns": ["token"]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.sync_runs": {
+      "name": "sync_runs",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "uuid",
+          "primaryKey": true,
+          "notNull": true,
+          "default": "gen_random_uuid()"
+        },
+        "trigger": {
+          "name": "trigger",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "status": {
+          "name": "status",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "started_at": {
+          "name": "started_at",
+          "type": "timestamp with time zone",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "finished_at": {
+          "name": "finished_at",
+          "type": "timestamp with time zone",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "collections_synced": {
+          "name": "collections_synced",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 0
+        },
+        "collections_created": {
+          "name": "collections_created",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 0
+        },
+        "collections_failed": {
+          "name": "collections_failed",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 0
+        },
+        "versions_pulled": {
+          "name": "versions_pulled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 0
+        },
+        "files_downloaded": {
+          "name": "files_downloaded",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 0
+        },
+        "files_skipped": {
+          "name": "files_skipped",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 0
+        },
+        "errors": {
+          "name": "errors",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'[]'::jsonb"
+        },
+        "logs": {
+          "name": "logs",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'[]'::jsonb"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.user": {
+      "name": "user",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "email": {
+          "name": "email",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "email_verified": {
+          "name": "email_verified",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "image": {
+          "name": "image",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp with time zone",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp with time zone",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "user_email_unique": {
+          "name": "user_email_unique",
+          "nullsNotDistinct": false,
+          "columns": ["email"]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.verification": {
+      "name": "verification",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "identifier": {
+          "name": "identifier",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "value": {
+          "name": "value",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "timestamp with time zone",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp with time zone",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp with time zone",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "verification_identifier_idx": {
+          "name": "verification_identifier_idx",
+          "columns": [
+            {
+              "expression": "identifier",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.version_files": {
+      "name": "version_files",
+      "schema": "",
+      "columns": {
+        "version_id": {
+          "name": "version_id",
+          "type": "bigint",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "file_hash": {
+          "name": "file_hash",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {
+        "version_files_file_hash_idx": {
+          "name": "version_files_file_hash_idx",
+          "columns": [
+            {
+              "expression": "file_hash",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "version_files_version_id_versions_id_fk": {
+          "name": "version_files_version_id_versions_id_fk",
+          "tableFrom": "version_files",
+          "tableTo": "versions",
+          "columnsFrom": ["version_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "version_files_file_hash_files_hash_fk": {
+          "name": "version_files_file_hash_files_hash_fk",
+          "tableFrom": "version_files",
+          "tableTo": "files",
+          "columnsFrom": ["file_hash"],
+          "columnsTo": ["hash"],
+          "onDelete": "no action",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {
+        "version_files_version_id_file_hash_pk": {
+          "name": "version_files_version_id_file_hash_pk",
+          "columns": ["version_id", "file_hash"]
+        }
+      },
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.version_records": {
+      "name": "version_records",
+      "schema": "",
+      "columns": {
+        "version_id": {
+          "name": "version_id",
+          "type": "bigint",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "record_hash": {
+          "name": "record_hash",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "public_record_hash": {
+          "name": "public_record_hash",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {
+        "version_records_record_hash_idx": {
+          "name": "version_records_record_hash_idx",
+          "columns": [
+            {
+              "expression": "record_hash",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "version_records_public_record_hash_idx": {
+          "name": "version_records_public_record_hash_idx",
+          "columns": [
+            {
+              "expression": "public_record_hash",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "where": "public_record_hash IS NOT NULL",
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "version_records_version_id_versions_id_fk": {
+          "name": "version_records_version_id_versions_id_fk",
+          "tableFrom": "version_records",
+          "tableTo": "versions",
+          "columnsFrom": ["version_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "version_records_record_hash_record_objects_hash_fk": {
+          "name": "version_records_record_hash_record_objects_hash_fk",
+          "tableFrom": "version_records",
+          "tableTo": "record_objects",
+          "columnsFrom": ["record_hash"],
+          "columnsTo": ["hash"],
+          "onDelete": "no action",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {
+        "version_records_version_id_record_hash_pk": {
+          "name": "version_records_version_id_record_hash_pk",
+          "columns": ["version_id", "record_hash"]
+        }
+      },
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.version_schemas": {
+      "name": "version_schemas",
+      "schema": "",
+      "columns": {
+        "version_id": {
+          "name": "version_id",
+          "type": "bigint",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "slug": {
+          "name": "slug",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "schema_id": {
+          "name": "schema_id",
+          "type": "uuid",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {
+        "version_schemas_schema_id_idx": {
+          "name": "version_schemas_schema_id_idx",
+          "columns": [
+            {
+              "expression": "schema_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "version_schemas_version_id_versions_id_fk": {
+          "name": "version_schemas_version_id_versions_id_fk",
+          "tableFrom": "version_schemas",
+          "tableTo": "versions",
+          "columnsFrom": ["version_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "version_schemas_schema_id_schemas_id_fk": {
+          "name": "version_schemas_schema_id_schemas_id_fk",
+          "tableFrom": "version_schemas",
+          "tableTo": "schemas",
+          "columnsFrom": ["schema_id"],
+          "columnsTo": ["id"],
+          "onDelete": "no action",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {
+        "version_schemas_version_id_slug_pk": {
+          "name": "version_schemas_version_id_slug_pk",
+          "columns": ["version_id", "slug"]
+        }
+      },
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.versions": {
+      "name": "versions",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "bigserial",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "collection_id": {
+          "name": "collection_id",
+          "type": "uuid",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "semver": {
+          "name": "semver",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "major": {
+          "name": "major",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "minor": {
+          "name": "minor",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "patch": {
+          "name": "patch",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "hash": {
+          "name": "hash",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "public_hash": {
+          "name": "public_hash",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "base_semver": {
+          "name": "base_semver",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "message": {
+          "name": "message",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "metadata": {
+          "name": "metadata",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "pushed_by": {
+          "name": "pushed_by",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "app_id": {
+          "name": "app_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "actor_id": {
+          "name": "actor_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "signature": {
+          "name": "signature",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "record_count": {
+          "name": "record_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "file_count": {
+          "name": "file_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "total_bytes": {
+          "name": "total_bytes",
+          "type": "bigint",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "status": {
+          "name": "status",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'ready'"
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp with time zone",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "versions_ordering_idx": {
+          "name": "versions_ordering_idx",
+          "columns": [
+            {
+              "expression": "collection_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "major",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "minor",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "patch",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "versions_collection_id_collections_id_fk": {
+          "name": "versions_collection_id_collections_id_fk",
+          "tableFrom": "versions",
+          "tableTo": "collections",
+          "columnsFrom": ["collection_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "versions_pushed_by_user_id_fk": {
+          "name": "versions_pushed_by_user_id_fk",
+          "tableFrom": "versions",
+          "tableTo": "user",
+          "columnsFrom": ["pushed_by"],
+          "columnsTo": ["id"],
+          "onDelete": "no action",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "versions_collection_id_semver_unique": {
+          "name": "versions_collection_id_semver_unique",
+          "nullsNotDistinct": false,
+          "columns": ["collection_id", "semver"]
+        },
+        "versions_collection_id_hash_unique": {
+          "name": "versions_collection_id_hash_unique",
+          "nullsNotDistinct": false,
+          "columns": ["collection_id", "hash"]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    }
+  },
+  "enums": {},
+  "schemas": {},
+  "sequences": {},
+  "roles": {},
+  "policies": {},
+  "views": {},
+  "_meta": {
+    "columns": {},
+    "schemas": {},
+    "tables": {}
+  }
+}
diff --git a/src/db/migrations/meta/_journal.json b/src/db/migrations/meta/_journal.json
index 4d4a76a..aefbb5a 100644
--- a/src/db/migrations/meta/_journal.json
+++ b/src/db/migrations/meta/_journal.json
@@ -36,6 +36,13 @@
       "when": 1781195924011,
       "tag": "0004_fancy_nightcrawler",
       "breakpoints": true
+    },
+    {
+      "idx": 5,
+      "version": "7",
+      "when": 1781223203253,
+      "tag": "0005_instance_settings",
+      "breakpoints": true
     }
   ]
 }
diff --git a/src/db/schema.ts b/src/db/schema.ts
index de2992c..f2102c9 100644
--- a/src/db/schema.ts
+++ b/src/db/schema.ts
@@ -483,3 +483,11 @@ export const arkRecordTypes = pgTable(
   },
   (t) => [primaryKey({ columns: [t.collectionId, t.recordType] })],
 )
+
+// --- Instance-wide settings (key-value) ---
+
+export const instanceSettings = pgTable('instance_settings', {
+  key: text('key').primaryKey(),
+  value: jsonb('value').notNull(),
+  updatedAt: timestamp('updated_at', { withTimezone: true }).defaultNow().notNull(),
+})
diff --git a/src/lib/auth-internal.server.ts b/src/lib/auth-internal.server.ts
index 4003985..3c843a8 100644
--- a/src/lib/auth-internal.server.ts
+++ b/src/lib/auth-internal.server.ts
@@ -119,4 +119,67 @@ export async function getAuthUserWithEmail(
   }
 }
 
+/**
+ * Resolve a kf-auth user ID by email address using the search endpoint.
+ * Returns the first matching user's ID, or null.
+ */
+export async function resolveKfUserByEmail(email: string): Promise<string | null> {
+  if (!hasInternalApi) return null
+
+  try {
+    const res = await fetch(
+      `${AUTH_INTERNAL_API_URL}/api/internal/users/search?q=${encodeURIComponent(email)}`,
+      { headers: { Authorization: `Bearer ${AUTH_INTERNAL_API_KEY}` } },
+    )
+    if (!res.ok) return null
+    const data = (await res.json()) as { users: { id: string; name: string | null }[] }
+    return data.users?.[0]?.id ?? null
+  } catch {
+    return null
+  }
+}
+
+/**
+ * Resolve a user's KF Auth orgs given their Underlay userId.
+ * Tries the account's OIDC subject first, falls back to email-based lookup.
+ */
+export async function resolveUserKfOrgs(userId: string, db: any, schema: any): Promise<AuthOrg[]> {
+  if (!hasInternalApi) return []
+
+  const { and, eq } = await import('drizzle-orm')
+  const [acct] = await db
+    .select({ accountId: schema.account.accountId })
+    .from(schema.account)
+    .where(and(eq(schema.account.userId, userId), eq(schema.account.providerId, 'kf-auth')))
+    .limit(1)
+  if (!acct) return []
+
+  let orgs = await fetchAuthOrgs(acct.accountId)
+  if (orgs.length === 0) {
+    const [u] = await db
+      .select({ email: schema.user.email })
+      .from(schema.user)
+      .where(eq(schema.user.id, userId))
+      .limit(1)
+    if (u?.email) {
+      const kfUserId = await resolveKfUserByEmail(u.email)
+      if (kfUserId) orgs = await fetchAuthOrgs(kfUserId)
+    }
+  }
+  return orgs
+}
+
+/**
+ * Resolve the personal KF org ID for a user. Returns null if unavailable.
+ */
+export async function resolveDefaultKfOrgId(
+  userId: string,
+  db: any,
+  schema: any,
+): Promise<string | null> {
+  const orgs = await resolveUserKfOrgs(userId, db, schema)
+  const personal = orgs.find((o) => o.type === 'personal')
+  return personal?.id ?? orgs[0]?.id ?? null
+}
+
 export { AUTH_INTERNAL_API_URL, AUTH_INTERNAL_API_KEY, OIDC_ISSUER_INTERNAL_URL }
diff --git a/src/lib/auth-middleware.ts b/src/lib/auth-middleware.ts
index 6e629ec..4e8d9fd 100644
--- a/src/lib/auth-middleware.ts
+++ b/src/lib/auth-middleware.ts
@@ -1,7 +1,9 @@
 import { redirect, type MiddlewareFunction } from 'react-router'
 
+import { fetchBase } from '~/lib/fetch-base'
+
 export const requireAuth: MiddlewareFunction = async ({ request }, next) => {
-  const res = await fetch(new URL('/api/context', request.url), {
+  const res = await fetch(`${fetchBase(request.url)}/api/context`, {
     headers: { Cookie: request.headers.get('Cookie') ?? '' },
   })
   const { currentUser } = await res.json()
diff --git a/src/lib/auth.server.ts b/src/lib/auth.server.ts
index 990f57b..49d8a01 100644
--- a/src/lib/auth.server.ts
+++ b/src/lib/auth.server.ts
@@ -1,4 +1,4 @@
-import { eq } from 'drizzle-orm'
+import { and, eq } from 'drizzle-orm'
 
 import { db, schema } from '../db/client.server.js'
 import { auth, KF_AUTH_INTERNAL_URL } from './auth.js'
@@ -19,20 +19,80 @@ export interface SessionUser {
   }>
 }
 
-async function fetchKfRole(userId: string): Promise<string | null> {
+async function refreshAccessToken(acct: {
+  refreshToken: string | null
+  accessToken: string | null
+  accessTokenExpiresAt: Date | null
+}): Promise<string | null> {
+  if (
+    acct.accessToken &&
+    acct.accessTokenExpiresAt &&
+    acct.accessTokenExpiresAt.getTime() > Date.now() + 30_000
+  ) {
+    return acct.accessToken
+  }
+  if (!acct.refreshToken) return null
+  try {
+    const tokenUrl = `${KF_AUTH_INTERNAL_URL}/api/auth/oauth2/token`
+    const res = await fetch(tokenUrl, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+      body: new URLSearchParams({
+        grant_type: 'refresh_token',
+        refresh_token: acct.refreshToken,
+        client_id: process.env.OIDC_CLIENT_ID ?? 'kf_underlay',
+        client_secret: process.env.OIDC_CLIENT_SECRET ?? '',
+      }),
+    })
+    if (!res.ok) return null
+    const tokens = await res.json()
+    if (!tokens.access_token) return null
+    await db
+      .update(schema.account)
+      .set({
+        accessToken: tokens.access_token,
+        refreshToken: tokens.refresh_token ?? acct.refreshToken,
+        accessTokenExpiresAt: tokens.expires_in
+          ? new Date(Date.now() + tokens.expires_in * 1000)
+          : null,
+      })
+      .where(eq(schema.account.accessToken, acct.accessToken!))
+    return tokens.access_token
+  } catch {
+    return null
+  }
+}
+
+interface KfProfile {
+  name: string | null
+  image: string | null
+  role: string | null
+}
+
+async function fetchKfProfile(userId: string): Promise<KfProfile | null> {
   try {
     const [acct] = await db
-      .select({ accessToken: schema.account.accessToken })
+      .select({
+        accessToken: schema.account.accessToken,
+        refreshToken: schema.account.refreshToken,
+        accessTokenExpiresAt: schema.account.accessTokenExpiresAt,
+      })
       .from(schema.account)
-      .where(eq(schema.account.userId, userId))
+      .where(and(eq(schema.account.userId, userId), eq(schema.account.providerId, 'kf-auth')))
       .limit(1)
-    if (!acct?.accessToken) return null
+    if (!acct) return null
+    const token = await refreshAccessToken(acct)
+    if (!token) return null
     const res = await fetch(`${KF_AUTH_INTERNAL_URL}/api/auth/oauth2/userinfo`, {
-      headers: { Authorization: `Bearer ${acct.accessToken}` },
+      headers: { Authorization: `Bearer ${token}` },
     })
     if (!res.ok) return null
     const profile = await res.json()
-    return profile.role ?? null
+    return {
+      name: profile.name ?? null,
+      image: profile.picture ?? null,
+      role: profile['https://knowledgefutures.org/role'] ?? profile.role ?? null,
+    }
   } catch {
     return null
   }
@@ -49,7 +109,7 @@ export async function getSessionUser(request: Request): Promise<SessionUser | nu
 
   const u = session.user
 
-  const [memberships, kfRole] = await Promise.all([
+  const [memberships, kfProfile] = await Promise.all([
     db
       .select({
         orgId: schema.organization.id,
@@ -61,7 +121,7 @@ export async function getSessionUser(request: Request): Promise<SessionUser | nu
       .from(schema.member)
       .innerJoin(schema.organization, eq(schema.member.organizationId, schema.organization.id))
       .where(eq(schema.member.userId, u.id)),
-    fetchKfRole(u.id),
+    fetchKfProfile(u.id),
   ])
 
   const defaultOrg = memberships.find((m) => m.isDefault) ?? null
@@ -69,9 +129,9 @@ export async function getSessionUser(request: Request): Promise<SessionUser | nu
   return {
     id: u.id,
     slug: defaultOrg?.orgSlug ?? null,
-    displayName: defaultOrg?.orgName ?? u.name,
-    avatarUrl: u.image ?? null,
-    kfRole,
+    displayName: kfProfile?.name ?? defaultOrg?.orgName ?? u.name,
+    avatarUrl: kfProfile?.image ?? u.image ?? null,
+    kfRole: kfProfile?.role ?? null,
     defaultOrg: defaultOrg ? { slug: defaultOrg.orgSlug, displayName: defaultOrg.orgName } : null,
     orgs: memberships.map((m) => ({
       organizationId: m.orgId,
diff --git a/src/lib/auth.ts b/src/lib/auth.ts
index b0a57ae..126f628 100644
--- a/src/lib/auth.ts
+++ b/src/lib/auth.ts
@@ -3,7 +3,7 @@ import { betterAuth } from 'better-auth'
 import { drizzleAdapter } from 'better-auth/adapters/drizzle'
 import { genericOAuth } from 'better-auth/plugins'
 import { organization } from 'better-auth/plugins/organization'
-import { eq } from 'drizzle-orm'
+import { and, eq, ne } from 'drizzle-orm'
 
 import { db, schema } from '../db/client.server.js'
 
@@ -14,11 +14,14 @@ if (process.env.NODE_ENV === 'production' && !process.env.SESSION_SECRET) {
   throw new Error('SESSION_SECRET must be set in production')
 }
 
+const APP_URL = process.env.APP_URL ?? 'http://localhost:4100'
+
 export const auth = betterAuth({
   database: drizzleAdapter(db, { provider: 'pg' }),
-  baseURL: process.env.APP_URL ?? 'http://localhost:4100',
+  baseURL: APP_URL,
   basePath: '/api/auth',
   secret: process.env.SESSION_SECRET ?? 'dev-secret-change-me',
+  trustedOrigins: [APP_URL, new URL(APP_URL).origin.replace('https://', 'http://')],
 
   advanced: {
     database: {
@@ -36,7 +39,7 @@ export const auth = betterAuth({
           userInfoUrl: `${KF_AUTH_INTERNAL_URL}/api/auth/oauth2/userinfo`,
           clientId: process.env.OIDC_CLIENT_ID ?? 'kf_underlay',
           clientSecret: process.env.OIDC_CLIENT_SECRET ?? '',
-          scopes: ['openid', 'profile', 'email'],
+          scopes: ['openid', 'profile', 'email', 'offline_access'],
           pkce: true,
           mapProfileToUser: (profile) => ({
             name: profile.name ?? profile.email?.split('@')[0] ?? 'User',
@@ -59,6 +62,18 @@ export const auth = betterAuth({
           },
         },
       },
+      organizationHooks: {
+        beforeCreateOrganization: async ({ organization: orgData, user }) => {
+          if (orgData.kfOrgId) return
+          try {
+            const { resolveDefaultKfOrgId } = await import('./auth-internal.server.js')
+            const kfOrgId = await resolveDefaultKfOrgId(user.id, db, schema)
+            if (kfOrgId) return { data: { kfOrgId } }
+          } catch (err) {
+            console.error('[org hook] failed to resolve kfOrgId:', err)
+          }
+        },
+      },
     }),
     apiKey({
       defaultPrefix: 'ul',
@@ -85,42 +100,101 @@ export const auth = betterAuth({
   ],
 
   databaseHooks: {
+    account: {
+      create: {
+        after: async (account) => {
+          try {
+            await db
+              .delete(schema.account)
+              .where(
+                and(
+                  eq(schema.account.userId, account.userId),
+                  eq(schema.account.providerId, account.providerId),
+                  ne(schema.account.id, account.id),
+                ),
+              )
+          } catch (err) {
+            console.error('[auth hook] account.create.after cleanup failed:', err)
+          }
+          if (account.providerId === 'kf-auth' && account.accessToken) {
+            try {
+              const res = await fetch(`${KF_AUTH_INTERNAL_URL}/api/auth/oauth2/userinfo`, {
+                headers: { Authorization: `Bearer ${account.accessToken}` },
+              })
+              if (res.ok) {
+                const profile = await res.json()
+                const updates: Record<string, string> = {}
+                if (profile.name) updates.name = profile.name
+                if (profile.picture) updates.image = profile.picture
+                if (Object.keys(updates).length > 0) {
+                  await db
+                    .update(schema.user)
+                    .set(updates)
+                    .where(eq(schema.user.id, account.userId))
+                }
+              }
+            } catch (err) {
+              console.error('[auth hook] profile sync failed:', err)
+            }
+          }
+        },
+      },
+    },
     user: {
       create: {
         after: async (user) => {
-          const baseSlug = (user.email.split('@')[0] ?? 'user')
-            .toLowerCase()
-            .replace(/[^a-z0-9-]/g, '-')
-            .replace(/-+/g, '-')
-            .slice(0, 30)
+          console.log('[auth hook] user.create.after starting for:', user.email)
+          try {
+            const baseSlug = (user.email.split('@')[0] ?? 'user')
+              .toLowerCase()
+              .replace(/[^a-z0-9-]/g, '-')
+              .replace(/-+/g, '-')
+              .slice(0, 30)
 
-          let slug = baseSlug
-          let attempt = 0
-          while (true) {
-            const [conflict] = await db
-              .select({ id: schema.organization.id })
-              .from(schema.organization)
-              .where(eq(schema.organization.slug, slug))
-              .limit(1)
-            if (!conflict) break
-            attempt++
-            slug = `${baseSlug}-${attempt}`
-          }
+            let slug = baseSlug
+            let attempt = 0
+            while (true) {
+              const [conflict] = await db
+                .select({ id: schema.organization.id })
+                .from(schema.organization)
+                .where(eq(schema.organization.slug, slug))
+                .limit(1)
+              if (!conflict) break
+              attempt++
+              slug = `${baseSlug}-${attempt}`
+            }
+
+            let kfOrgId: string | null = null
+            try {
+              const { resolveDefaultKfOrgId } = await import('./auth-internal.server.js')
+              kfOrgId = await resolveDefaultKfOrgId(user.id, db, schema)
+            } catch (err) {
+              console.error('[auth hook] failed to resolve kfOrgId for default org:', err)
+            }
 
-          const orgId = crypto.randomUUID()
-          await db.insert(schema.organization).values({
-            id: orgId,
-            name: user.name,
-            slug,
-            isDefault: true,
-          })
+            const orgId = crypto.randomUUID()
+            await db.insert(schema.organization).values({
+              id: orgId,
+              name: user.name,
+              slug,
+              isDefault: true,
+              ...(kfOrgId ? { kfOrgId } : {}),
+            })
 
-          await db.insert(schema.member).values({
-            id: crypto.randomUUID(),
-            organizationId: orgId,
-            userId: user.id,
-            role: 'owner',
-          })
+            await db.insert(schema.member).values({
+              id: crypto.randomUUID(),
+              organizationId: orgId,
+              userId: user.id,
+              role: 'owner',
+            })
+            console.log(
+              '[auth hook] default org created:',
+              slug,
+              kfOrgId ? `kfOrgId=${kfOrgId}` : '(no kfOrgId)',
+            )
+          } catch (err) {
+            console.error('[auth hook] user.create.after failed:', err)
+          }
         },
       },
     },
diff --git a/src/lib/fetch-base.ts b/src/lib/fetch-base.ts
new file mode 100644
index 0000000..40349c7
--- /dev/null
+++ b/src/lib/fetch-base.ts
@@ -0,0 +1,9 @@
+// During SSR, fetches to the app's own API must go through localhost to avoid
+// TLS/DNS issues behind reverse proxies (Caddy tls internal, Docker networking).
+// On the client, use the page origin so the browser handles cookies and TLS normally.
+export function fetchBase(requestUrl: string): string {
+  if (import.meta.env.SSR) {
+    return `http://127.0.0.1:${process.env.PORT || 3000}`
+  }
+  return new URL(requestUrl).origin
+}
diff --git a/src/routes/[owner]/[collection]/diff.data.ts b/src/routes/[owner]/[collection]/diff.data.ts
index 11bd6fd..00022b8 100644
--- a/src/routes/[owner]/[collection]/diff.data.ts
+++ b/src/routes/[owner]/[collection]/diff.data.ts
@@ -1,12 +1,14 @@
 import type { LoaderFunctionArgs } from 'react-router'
 
+import { fetchBase } from '~/lib/fetch-base'
+
 export const handle = {
   title: (params: Record<string, string>) =>
     `Diff — ${params.owner}/${params.collection} · Underlay`,
 }
 
 export async function loader({ params, request }: LoaderFunctionArgs) {
-  const base = new URL(request.url).origin
+  const base = fetchBase(request.url)
   const headers = { Cookie: request.headers.get('Cookie') ?? '' }
   const prefix = `/api/collections/${params.owner}/${params.collection}`
 
diff --git a/src/routes/[owner]/[collection]/index.data.ts b/src/routes/[owner]/[collection]/index.data.ts
index 147eae4..c770b31 100644
--- a/src/routes/[owner]/[collection]/index.data.ts
+++ b/src/routes/[owner]/[collection]/index.data.ts
@@ -1,12 +1,14 @@
 import type { LoaderFunctionArgs } from 'react-router'
 
+import { fetchBase } from '~/lib/fetch-base'
+
 export const handle = {
   title: (params: Record<string, string>) => `${params.owner}/${params.collection} · Underlay`,
 }
 
 export async function loader({ params, request }: LoaderFunctionArgs) {
   const res = await fetch(
-    new URL(`/api/collections/${params.owner}/${params.collection}`, request.url),
+    new URL(`/api/collections/${params.owner}/${params.collection}`, fetchBase(request.url)),
     { headers: { Cookie: request.headers.get('Cookie') ?? '' } },
   )
   if (!res.ok) throw new Response('Not Found', { status: 404 })
diff --git a/src/routes/[owner]/[collection]/index.tsx b/src/routes/[owner]/[collection]/index.tsx
index da37c29..0d19f03 100644
--- a/src/routes/[owner]/[collection]/index.tsx
+++ b/src/routes/[owner]/[collection]/index.tsx
@@ -143,6 +143,50 @@ export default function CollectionPage() {
           </div>
         )}
 
+        {/* Empty state for new collections */}
+        {!data.latestVersion && isOwner && (
+          <div className="border-rule mb-6 rounded border px-6 py-10 text-center">
+            <h2 className="mb-2 text-base font-semibold">Get started with {collection}</h2>
+            <p className="text-ink-muted mx-auto mb-6 max-w-md text-sm leading-relaxed">
+              This collection is empty. Push your first version using the CLI or API.
+            </p>
+            <div className="bg-ink text-parchment mx-auto max-w-md overflow-hidden rounded text-left font-mono text-[13px] leading-relaxed">
+              <div className="p-4">
+                <div className="text-ink-muted mb-1 text-[11px] select-none">
+                  # initialize and push
+                </div>
+                <div>
+                  <span className="text-parchment-dark">$</span> underlay init --remote {owner}/
+                  {collection}
+                </div>
+                <div>
+                  <span className="text-parchment-dark">$</span> underlay add --schema ./schema.json
+                  ./records.jsonl
+                </div>
+                <div>
+                  <span className="text-parchment-dark">$</span> underlay commit -m &quot;Initial
+                  version&quot;
+                </div>
+                <div>
+                  <span className="text-parchment-dark">$</span> underlay push
+                </div>
+              </div>
+            </div>
+            <div className="mt-4 flex items-center justify-center gap-4 text-xs">
+              <Link to="/docs/quickstart" className="text-link hover:underline">
+                Read the quickstart
+              </Link>
+              <span className="text-rule">&middot;</span>
+              <span className="text-ink-muted">
+                API:{' '}
+                <code className="bg-parchment-dark rounded px-1.5 py-0.5 text-[11px]">
+                  POST /api/collections/{owner}/{collection}/versions/negotiate
+                </code>
+              </span>
+            </div>
+          </div>
+        )}
+
         {/* Two-column layout */}
         <div className="grid grid-cols-[1fr_260px] gap-8">
           {/* Main column */}
@@ -267,6 +311,26 @@ export default function CollectionPage() {
                   {data.ownerName}
                 </Link>
               </div>
+              {(() => {
+                const meta = data.latestVersion?.metadata as
+                  | Record<string, unknown>
+                  | null
+                  | undefined
+                const tags = Array.isArray(meta?.tags) ? (meta.tags as string[]) : []
+                return tags.length > 0 ? (
+                  <div className="mt-3 flex flex-wrap gap-1.5">
+                    {tags.map((tag: string) => (
+                      <Link
+                        key={tag}
+                        to={`/explore?tag=${encodeURIComponent(tag)}`}
+                        className="bg-parchment-dark text-ink-muted hover:text-ink rounded px-2 py-0.5 text-xs transition-colors"
+                      >
+                        {tag}
+                      </Link>
+                    ))}
+                  </div>
+                ) : null
+              })()}
             </div>
 
             {/* Stats */}
@@ -469,14 +533,17 @@ function AgentShareSection({
     <>
       <div className="mb-6">
         <h3 className="text-ink-muted mb-2 text-xs font-semibold tracking-wide uppercase">
-          Share via Agent
+          Update via Agent
         </h3>
+        <p className="text-ink-muted mb-1.5 text-xs leading-relaxed">
+          Generate a temporary link that lets an AI agent push updates to this collection.
+        </p>
         <button
           onClick={generate}
           disabled={loading}
-          className="bg-parchment border-rule hover:bg-parchment-dark w-full border px-3 py-1.5 text-xs font-medium transition-colors"
+          className="text-link text-xs font-medium hover:underline"
         >
-          {loading ? 'Generating...' : 'Generate agent link'}
+          {loading ? 'Generating...' : 'Generate agent link →'}
         </button>
       </div>
 
@@ -489,7 +556,7 @@ function AgentShareSection({
         >
           <div className="bg-parchment border-rule mx-4 w-full max-w-2xl rounded border p-6 shadow-lg">
             <div className="mb-4 flex items-center justify-between">
-              <h2 className="text-sm font-semibold">Agent Share Link</h2>
+              <h2 className="text-sm font-semibold">Agent Update Link</h2>
               <button
                 onClick={() => setShowModal(false)}
                 className="text-ink-muted hover:text-ink text-lg leading-none"
diff --git a/src/routes/[owner]/[collection]/schemas.data.ts b/src/routes/[owner]/[collection]/schemas.data.ts
index ce275df..2fd5b1a 100644
--- a/src/routes/[owner]/[collection]/schemas.data.ts
+++ b/src/routes/[owner]/[collection]/schemas.data.ts
@@ -1,12 +1,14 @@
 import type { LoaderFunctionArgs } from 'react-router'
 
+import { fetchBase } from '~/lib/fetch-base'
+
 export const handle = {
   title: (params: Record<string, string>) =>
     `Schemas — ${params.owner}/${params.collection} · Underlay`,
 }
 
 export async function loader({ params, request }: LoaderFunctionArgs) {
-  const base = new URL(request.url).origin
+  const base = fetchBase(request.url)
   const headers = { Cookie: request.headers.get('Cookie') ?? '' }
   const prefix = `/api/collections/${params.owner}/${params.collection}`
 
diff --git a/src/routes/[owner]/[collection]/settings.data.ts b/src/routes/[owner]/[collection]/settings.data.ts
index 42d17b0..8b47da8 100644
--- a/src/routes/[owner]/[collection]/settings.data.ts
+++ b/src/routes/[owner]/[collection]/settings.data.ts
@@ -1,12 +1,14 @@
 import type { LoaderFunctionArgs } from 'react-router'
 
+import { fetchBase } from '~/lib/fetch-base'
+
 export const handle = {
   title: (params: Record<string, string>) =>
     `Settings — ${params.owner}/${params.collection} · Underlay`,
 }
 
 export async function loader({ params, request }: LoaderFunctionArgs) {
-  const base = new URL(request.url).origin
+  const base = fetchBase(request.url)
   const headers = { Cookie: request.headers.get('Cookie') ?? '' }
   const prefix = `/api/collections/${params.owner}/${params.collection}`
 
diff --git a/src/routes/[owner]/[collection]/settings.tsx b/src/routes/[owner]/[collection]/settings.tsx
index bccfa47..43e5f8e 100644
--- a/src/routes/[owner]/[collection]/settings.tsx
+++ b/src/routes/[owner]/[collection]/settings.tsx
@@ -27,6 +27,10 @@ export default function CollectionSettingsPage() {
   const [description, setDescription] = useState((meta?.description as string) ?? '')
   const [readme, setReadme] = useState((meta?.readme as string) ?? '')
   const [license, setLicense] = useState((meta?.license as string) ?? '')
+  const [tags, setTags] = useState<string[]>(
+    Array.isArray(meta?.tags) ? (meta.tags as string[]) : [],
+  )
+  const [tagInput, setTagInput] = useState('')
 
   // ARK form
   const [arkEnabled, setArkEnabled] = useState(arkSettings.enabled)
@@ -98,6 +102,7 @@ export default function CollectionSettingsPage() {
       else payload.readme = null
       if (license.trim()) payload.license = license.trim()
       else payload.license = null
+      payload.tags = tags.length > 0 ? tags : null
 
       const res = await fetch(`/api/collections/${owner}/${collection}/metadata`, {
         method: 'PATCH',
@@ -309,6 +314,60 @@ export default function CollectionSettingsPage() {
                   className="bg-parchment border-rule focus:border-ink w-full border px-3 py-2 text-sm focus:outline-none"
                 />
               </div>
+              <div>
+                <label className="mb-1 block text-sm font-medium">Tags</label>
+                {tags.length > 0 && (
+                  <div className="mb-2 flex flex-wrap gap-1.5">
+                    {tags.map((tag) => (
+                      <span
+                        key={tag}
+                        className="bg-parchment-dark text-ink-muted flex items-center gap-1 rounded px-2 py-0.5 text-xs"
+                      >
+                        {tag}
+                        <button
+                          type="button"
+                          onClick={() => setTags(tags.filter((t) => t !== tag))}
+                          className="text-ink-muted hover:text-ink cursor-pointer text-sm leading-none"
+                        >
+                          &times;
+                        </button>
+                      </span>
+                    ))}
+                  </div>
+                )}
+                <div className="flex gap-2">
+                  <input
+                    type="text"
+                    value={tagInput}
+                    onChange={(e) => setTagInput(e.target.value)}
+                    onKeyDown={(e) => {
+                      if (e.key === 'Enter') {
+                        e.preventDefault()
+                        const val = tagInput.trim().toLowerCase()
+                        if (val && !tags.includes(val)) {
+                          setTags([...tags, val])
+                        }
+                        setTagInput('')
+                      }
+                    }}
+                    placeholder="Add a tag and press Enter"
+                    className="bg-parchment border-rule focus:border-ink min-w-0 flex-1 border px-3 py-2 text-sm focus:outline-none"
+                  />
+                  <button
+                    type="button"
+                    onClick={() => {
+                      const val = tagInput.trim().toLowerCase()
+                      if (val && !tags.includes(val)) {
+                        setTags([...tags, val])
+                      }
+                      setTagInput('')
+                    }}
+                    className="border-rule bg-parchment hover:bg-parchment-dark border px-3 py-2 text-sm transition-colors"
+                  >
+                    Add
+                  </button>
+                </div>
+              </div>
               <div className="pt-2">
                 <button
                   type="submit"
diff --git a/src/routes/[owner]/[collection]/v/[n].data.ts b/src/routes/[owner]/[collection]/v/[n].data.ts
index c2e65d6..2dd2ca2 100644
--- a/src/routes/[owner]/[collection]/v/[n].data.ts
+++ b/src/routes/[owner]/[collection]/v/[n].data.ts
@@ -1,12 +1,14 @@
 import type { LoaderFunctionArgs } from 'react-router'
 
+import { fetchBase } from '~/lib/fetch-base'
+
 export const handle = {
   title: (params: Record<string, string>) =>
     `Version ${params.n} — ${params.owner}/${params.collection} · Underlay`,
 }
 
 export async function loader({ params, request }: LoaderFunctionArgs) {
-  const base = new URL(request.url).origin
+  const base = fetchBase(request.url)
   const headers = { Cookie: request.headers.get('Cookie') ?? '' }
   const prefix = `/api/collections/${params.owner}/${params.collection}`
 
diff --git a/src/routes/[owner]/[collection]/versions.data.ts b/src/routes/[owner]/[collection]/versions.data.ts
index 0c0501c..251fdeb 100644
--- a/src/routes/[owner]/[collection]/versions.data.ts
+++ b/src/routes/[owner]/[collection]/versions.data.ts
@@ -1,12 +1,14 @@
 import type { LoaderFunctionArgs } from 'react-router'
 
+import { fetchBase } from '~/lib/fetch-base'
+
 export const handle = {
   title: (params: Record<string, string>) =>
     `Versions — ${params.owner}/${params.collection} · Underlay`,
 }
 
 export async function loader({ params, request }: LoaderFunctionArgs) {
-  const base = new URL(request.url).origin
+  const base = fetchBase(request.url)
   const headers = { Cookie: request.headers.get('Cookie') ?? '' }
   const prefix = `/api/collections/${params.owner}/${params.collection}`
 
diff --git a/src/routes/[owner]/index.data.ts b/src/routes/[owner]/index.data.ts
index ae95727..aa7bf14 100644
--- a/src/routes/[owner]/index.data.ts
+++ b/src/routes/[owner]/index.data.ts
@@ -1,11 +1,13 @@
 import type { LoaderFunctionArgs } from 'react-router'
 
+import { fetchBase } from '~/lib/fetch-base'
+
 export const handle = {
   title: (params: Record<string, string>) => `${params.owner} · Underlay`,
 }
 
 export async function loader({ params, request }: LoaderFunctionArgs) {
-  const base = new URL(request.url).origin
+  const base = fetchBase(request.url)
   const headers = { Cookie: request.headers.get('Cookie') ?? '' }
 
   const [account, collections, members] = await Promise.all([
diff --git a/src/routes/[owner]/index.tsx b/src/routes/[owner]/index.tsx
index fb88ac3..52a8583 100644
--- a/src/routes/[owner]/index.tsx
+++ b/src/routes/[owner]/index.tsx
@@ -3,6 +3,20 @@ import { Link, useLoaderData, useParams } from 'react-router'
 import BaseLayout from '~/components/BaseLayout'
 import { useAppContext } from '~/lib/app-context'
 
+function timeAgo(dateStr: string): string {
+  const seconds = Math.floor((Date.now() - new Date(dateStr).getTime()) / 1000)
+  if (seconds < 60) return 'just now'
+  const minutes = Math.floor(seconds / 60)
+  if (minutes < 60) return `${minutes}m ago`
+  const hours = Math.floor(minutes / 60)
+  if (hours < 24) return `${hours}h ago`
+  const days = Math.floor(hours / 24)
+  if (days < 30) return `${days}d ago`
+  const months = Math.floor(days / 30)
+  if (months < 12) return `${months}mo ago`
+  return `${Math.floor(months / 12)}y ago`
+}
+
 export default function OwnerPage() {
   const { owner } = useParams()
   const { currentUser } = useAppContext()
@@ -13,52 +27,56 @@ export default function OwnerPage() {
   }
 
   const isMember = currentUser?.orgs?.some((o: any) => o.slug === owner) ?? false
-  const totalVersions = collections.reduce((sum: number, c: any) => sum + (c.versionCount ?? 0), 0)
+  const isOwner = currentUser?.slug === owner
 
   return (
     <BaseLayout>
       <div className="mx-auto max-w-5xl px-4 py-8">
-        <div className="mb-8 flex gap-6">
-          {/* Avatar */}
+        {/* Full-width header */}
+        <div className="mb-8 flex items-start gap-4">
           {account.avatarUrl ? (
             <img
               src={account.avatarUrl}
               alt={account.displayName}
-              className="border-rule h-20 w-20 flex-shrink-0 rounded-full border object-cover"
+              className="border-rule h-14 w-14 shrink-0 rounded-full border object-cover"
             />
           ) : (
-            <div className="bg-parchment-dark border-rule text-ink-muted flex h-20 w-20 flex-shrink-0 items-center justify-center rounded-full border text-2xl font-semibold">
+            <div className="bg-parchment-dark border-rule text-ink-muted flex h-14 w-14 shrink-0 items-center justify-center rounded-full border text-xl font-semibold">
               {account.displayName?.charAt(0)?.toUpperCase() ?? '?'}
             </div>
           )}
 
           <div className="min-w-0 flex-1">
             <div className="flex items-center justify-between">
-              <h1 className="text-xl font-semibold tracking-tight">{account.displayName}</h1>
-              {isMember && (
-                <Link
-                  to={`/${owner}/settings`}
-                  className="text-ink-muted hover:text-ink text-sm transition-colors"
-                >
-                  Settings
-                </Link>
-              )}
+              <div className="flex items-baseline gap-2">
+                <h1 className="text-xl font-semibold tracking-tight">{account.displayName}</h1>
+                <span className="text-ink-muted font-mono text-sm">@{account.slug}</span>
+              </div>
+              <div className="flex items-center gap-3">
+                {(isMember || isOwner) && (
+                  <Link
+                    to={`/${owner}/settings`}
+                    className="text-ink-muted hover:text-ink text-sm transition-colors"
+                  >
+                    Settings
+                  </Link>
+                )}
+              </div>
             </div>
-            <p className="text-ink-muted mt-1 font-mono text-sm">@{account.slug}</p>
 
-            {account.bio && <p className="text-ink mt-2 text-sm">{account.bio}</p>}
+            {account.bio && <p className="text-ink mt-1 text-sm leading-snug">{account.bio}</p>}
 
-            <div className="text-ink-muted mt-2 flex flex-wrap items-center gap-4 text-xs">
+            <div className="text-ink-muted mt-2 flex flex-wrap items-center gap-x-4 gap-y-1 text-xs">
               {account.location && <span>{account.location}</span>}
               {account.website && (
-                <Link
-                  to={account.website}
+                <a
+                  href={account.website}
                   target="_blank"
                   rel="noopener noreferrer"
                   className="text-link hover:underline"
                 >
                   {account.website.replace(/^https?:\/\//, '')}
-                </Link>
+                </a>
               )}
               <span>
                 Joined{' '}
@@ -67,20 +85,10 @@ export default function OwnerPage() {
                   year: 'numeric',
                 })}
               </span>
-            </div>
-
-            {/* Activity summary */}
-            <div className="text-ink-muted mt-2 flex items-center gap-3 text-xs">
               <span>
                 <strong className="text-ink">{collections.length}</strong> collection
                 {collections.length !== 1 ? 's' : ''}
               </span>
-              {totalVersions > 0 && (
-                <span>
-                  <strong className="text-ink">{totalVersions}</strong> version
-                  {totalVersions !== 1 ? 's' : ''}
-                </span>
-              )}
               {members.length > 0 && (
                 <span>
                   <strong className="text-ink">{members.length}</strong> member
@@ -88,88 +96,130 @@ export default function OwnerPage() {
                 </span>
               )}
             </div>
-
-            <div className="mt-3 flex items-center gap-2">
-              <div className="group relative">
-                <button className="border-rule hover:bg-parchment-dark flex items-center gap-1 border px-3 py-1.5 text-xs font-medium transition-colors">
-                  Subscribe ▾
-                </button>
-                <div className="bg-parchment border-rule absolute top-full left-0 z-10 mt-1 hidden min-w-[16rem] border shadow-sm group-hover:block">
-                  <div className="border-rule border-b p-3">
-                    <p className="mb-1 text-xs font-medium">AT Protocol</p>
-                    <code className="text-ink-muted bg-parchment-dark block px-2 py-1 text-[11px] break-all">
-                      {`at://did:web:underlay.org:${owner}`}
-                    </code>
-                    <p className="text-ink-muted mt-1 text-[10px]">Follow in any AT Proto app</p>
-                  </div>
-                  <div className="p-3">
-                    <p className="mb-1 text-xs font-medium">API</p>
-                    <code className="text-ink-muted bg-parchment-dark block px-2 py-1 text-[11px] break-all">
-                      {`GET /api/accounts/${owner}/collections`}
-                    </code>
-                    <p className="text-ink-muted mt-1 text-[10px]">
-                      Poll for new collections and versions
-                    </p>
-                  </div>
-                </div>
-              </div>
-            </div>
           </div>
         </div>
 
-        <div className="flex flex-col gap-8 md:flex-row">
+        {/* Two-column body */}
+        <div className="flex gap-6">
+          {/* Main: collections table */}
           <div className="min-w-0 flex-1">
-            <h2 className="text-ink-muted mb-3 text-sm font-semibold tracking-wide uppercase">
-              Collections ({collections.length})
-            </h2>
+            <div className="mb-3 flex items-center justify-between">
+              <h2 className="text-ink-muted text-[11px] font-semibold tracking-wide uppercase">
+                Collections
+              </h2>
+              {isMember && (
+                <Link
+                  to="/new"
+                  className="bg-ink text-parchment visited:text-parchment rounded px-3 py-1.5 text-sm font-medium transition-opacity hover:opacity-90"
+                >
+                  New collection
+                </Link>
+              )}
+            </div>
 
             {collections.length === 0 ? (
-              <p className="text-ink-muted text-sm">No public collections yet.</p>
+              <div className="text-ink-muted border-rule rounded border px-4 py-8 text-center text-sm">
+                No public collections yet.
+              </div>
             ) : (
-              <div className="space-y-2">
-                {collections.map((c: any) => (
-                  <Link
-                    key={c.id}
-                    to={`/${owner}/${c.slug}`}
-                    className="border-rule hover:bg-parchment-dark block rounded border p-4 transition-colors"
-                  >
-                    <div className="mb-1 flex items-center gap-2">
-                      <span className="text-link text-sm font-semibold">{c.name}</span>
-                      <span className="text-ink-muted border-rule border px-1.5 py-0.5 text-xs">
-                        {c.public ? 'public' : 'private'}
-                      </span>
-                    </div>
-                    {c.description && (
-                      <p className="text-ink-muted mt-1 line-clamp-2 text-xs">{c.description}</p>
-                    )}
-                  </Link>
-                ))}
+              <div className="border-rule overflow-hidden rounded border">
+                <table className="w-full text-sm">
+                  <thead>
+                    <tr className="bg-ink/5 text-ink-muted text-left text-xs">
+                      <th className="py-2 pr-2 pl-3 font-medium">Collection</th>
+                      <th className="px-2 py-2 font-medium">Visibility</th>
+                      <th className="px-2 py-2 font-medium">Created</th>
+                      <th className="py-2 pr-3 pl-2 text-right font-medium">Updated</th>
+                    </tr>
+                  </thead>
+                  <tbody>
+                    {collections.map((c: any, i: number) => (
+                      <tr
+                        key={c.id}
+                        className={`hover:bg-parchment-dark transition-colors ${
+                          i < collections.length - 1 ? 'border-rule border-b' : ''
+                        }`}
+                      >
+                        <td className="py-2 pr-2 pl-3">
+                          <Link
+                            to={`/${owner}/${c.slug}`}
+                            className="text-link font-medium hover:underline"
+                          >
+                            {c.slug}
+                          </Link>
+                          {c.description && (
+                            <p className="text-ink-muted mt-0.5 line-clamp-1 text-xs">
+                              {c.description}
+                            </p>
+                          )}
+                        </td>
+                        <td className="px-2 py-2">
+                          <span className="text-ink-muted text-xs">
+                            {c.public ? 'public' : 'private'}
+                          </span>
+                        </td>
+                        <td className="px-2 py-2">
+                          <span className="text-ink-muted text-xs">
+                            {c.createdAt ? timeAgo(c.createdAt) : '--'}
+                          </span>
+                        </td>
+                        <td className="py-2 pr-3 pl-2 text-right">
+                          <span className="text-ink-muted text-xs">
+                            {c.updatedAt ? timeAgo(c.updatedAt) : '--'}
+                          </span>
+                        </td>
+                      </tr>
+                    ))}
+                  </tbody>
+                </table>
               </div>
             )}
           </div>
 
-          {members.length > 0 && (
-            <div className="flex-shrink-0 md:w-56">
-              <h2 className="text-ink-muted mb-3 text-sm font-semibold tracking-wide uppercase">
-                Members
-              </h2>
-              <div className="space-y-1.5">
-                {members.map((m: any) => (
-                  <Link
-                    key={m.slug}
-                    to={`/${m.slug}`}
-                    className="hover:bg-parchment-dark flex items-center gap-2 rounded px-2 py-1.5 transition-colors"
-                    title={m.displayName}
-                  >
-                    <span className="text-sm font-medium">{m.slug}</span>
-                    <span className="text-ink-muted border-rule border px-1 py-0.5 text-[10px]">
-                      {m.role}
-                    </span>
-                  </Link>
-                ))}
+          {/* Right sidebar */}
+          <div className="hidden w-52 shrink-0 md:block">
+            {/* Members */}
+            {members.length > 0 && (
+              <div className="mb-5">
+                <h3 className="text-ink-muted mb-2 text-[11px] font-semibold tracking-wide uppercase">
+                  Members
+                </h3>
+                <div className="space-y-0.5">
+                  {members.map((m: any) => (
+                    <Link
+                      key={m.slug}
+                      to={`/${m.slug}`}
+                      className="hover:bg-parchment-dark flex items-center gap-2 rounded px-2 py-1 transition-colors"
+                    >
+                      <span className="text-sm font-medium">{m.slug}</span>
+                      <span className="text-ink-muted text-[10px]">{m.role}</span>
+                    </Link>
+                  ))}
+                </div>
+              </div>
+            )}
+
+            {/* Subscribe */}
+            <div>
+              <h3 className="text-ink-muted mb-2 text-[11px] font-semibold tracking-wide uppercase">
+                Subscribe
+              </h3>
+              <div className="space-y-2">
+                <div>
+                  <p className="text-ink-muted mb-0.5 text-[10px] font-medium">AT Protocol</p>
+                  <code className="text-ink-muted bg-parchment-dark block rounded px-2 py-1 text-[10px] break-all">
+                    at://did:web:underlay.org:{owner}
+                  </code>
+                </div>
+                <div>
+                  <p className="text-ink-muted mb-0.5 text-[10px] font-medium">API</p>
+                  <code className="text-ink-muted bg-parchment-dark block rounded px-2 py-1 text-[10px] break-all">
+                    GET /api/accounts/{owner}/collections
+                  </code>
+                </div>
               </div>
             </div>
-          )}
+          </div>
         </div>
       </div>
     </BaseLayout>
diff --git a/src/routes/[owner]/settings/index.data.ts b/src/routes/[owner]/settings/index.data.ts
index 802509e..907687d 100644
--- a/src/routes/[owner]/settings/index.data.ts
+++ b/src/routes/[owner]/settings/index.data.ts
@@ -1,11 +1,13 @@
 import type { LoaderFunctionArgs } from 'react-router'
 
+import { fetchBase } from '~/lib/fetch-base'
+
 export const handle = {
   title: (params: Record<string, string>) => `Settings — ${params.owner} · Underlay`,
 }
 
 export async function loader({ params, request }: LoaderFunctionArgs) {
-  const base = new URL(request.url).origin
+  const base = fetchBase(request.url)
   const headers = { Cookie: request.headers.get('Cookie') ?? '' }
 
   const [orgData, kfOrgs] = await Promise.all([
diff --git a/src/routes/[owner]/settings/keys.data.ts b/src/routes/[owner]/settings/keys.data.ts
index c47f9f0..738facb 100644
--- a/src/routes/[owner]/settings/keys.data.ts
+++ b/src/routes/[owner]/settings/keys.data.ts
@@ -1,11 +1,13 @@
 import type { LoaderFunctionArgs } from 'react-router'
 
+import { fetchBase } from '~/lib/fetch-base'
+
 export const handle = {
   title: (params: Record<string, string>) => `API Keys — ${params.owner} · Underlay`,
 }
 
 export async function loader({ params, request }: LoaderFunctionArgs) {
-  const base = new URL(request.url).origin
+  const base = fetchBase(request.url)
   const headers = { Cookie: request.headers.get('Cookie') ?? '' }
 
   const [orgData, collections] = await Promise.all([
diff --git a/src/routes/[owner]/settings/members.data.ts b/src/routes/[owner]/settings/members.data.ts
index 18693fd..e54bd7a 100644
--- a/src/routes/[owner]/settings/members.data.ts
+++ b/src/routes/[owner]/settings/members.data.ts
@@ -1,11 +1,13 @@
 import type { LoaderFunctionArgs } from 'react-router'
 
+import { fetchBase } from '~/lib/fetch-base'
+
 export const handle = {
   title: (params: Record<string, string>) => `Members — ${params.owner} · Underlay`,
 }
 
 export async function loader({ params, request }: LoaderFunctionArgs) {
-  const base = new URL(request.url).origin
+  const base = fetchBase(request.url)
   const headers = { Cookie: request.headers.get('Cookie') ?? '' }
 
   const res = await fetch(new URL(`/api/accounts/${params.owner}`, base), { headers })
diff --git a/src/routes/admin/explore-tags.tsx b/src/routes/admin/explore-tags.tsx
new file mode 100644
index 0000000..aa73fe7
--- /dev/null
+++ b/src/routes/admin/explore-tags.tsx
@@ -0,0 +1,31 @@
+import BaseLayout from '~/components/BaseLayout'
+import ExploreTagsAdmin from '~/components/ExploreTagsAdmin'
+import FeaturedCollectionsAdmin from '~/components/FeaturedCollectionsAdmin'
+import { useAppContext } from '~/lib/app-context'
+
+export default function AdminExploreTags() {
+  const { currentUser } = useAppContext()
+
+  if (currentUser?.kfRole !== 'admin') {
+    if (typeof window !== 'undefined') {
+      window.location.href = '/'
+    }
+    return null
+  }
+
+  return (
+    <BaseLayout>
+      <div className="mx-auto max-w-2xl px-4 py-8">
+        <h1 className="mb-2 text-2xl font-semibold">Explore Page</h1>
+        <p className="text-ink-muted mb-8 text-sm">
+          Configure what appears on the explore page — featured collections and tag filters.
+        </p>
+
+        <div className="space-y-12">
+          <FeaturedCollectionsAdmin />
+          <ExploreTagsAdmin />
+        </div>
+      </div>
+    </BaseLayout>
+  )
+}
diff --git a/src/routes/blog/[slug].data.ts b/src/routes/blog/[slug].data.ts
index c36c154..ba3a773 100644
--- a/src/routes/blog/[slug].data.ts
+++ b/src/routes/blog/[slug].data.ts
@@ -1,5 +1,7 @@
 import type { LoaderFunctionArgs } from 'react-router'
 
+import { fetchBase } from '~/lib/fetch-base'
+
 export const posts: Record<string, { title: string; subtitle: string; date: string }> = {
   '2024-04-27-underlay-revived': {
     title: 'Underlay, Revived',
@@ -42,7 +44,7 @@ export const handle = {
 }
 
 export async function loader({ params, request }: LoaderFunctionArgs) {
-  const base = new URL(request.url).origin
+  const base = fetchBase(request.url)
   const res = await fetch(new URL(`/api/blog/${params.slug}`, base))
   return { content: res.ok ? await res.text() : '' }
 }
diff --git a/src/routes/dashboard.tsx b/src/routes/dashboard.tsx
index 69b7681..f7ffb47 100644
--- a/src/routes/dashboard.tsx
+++ b/src/routes/dashboard.tsx
@@ -1,30 +1,41 @@
-import { type FormEvent, useEffect, useState } from 'react'
+import { useEffect, useState } from 'react'
 import { Link } from 'react-router'
 
 import BaseLayout from '~/components/BaseLayout'
 import { useAppContext } from '~/lib/app-context'
-import { authClient } from '~/lib/auth-client'
 
 interface Collection {
   id: string
   slug: string
   name: string
   public: boolean
+  description?: string
+  semver?: string
+  lastPushAt?: string
+  createdAt?: string
+  updatedAt?: string
 }
 
 interface Org {
   slug: string
   displayName: string
   role: string
+  isDefault: boolean
   collections: Collection[]
 }
 
-interface KfOrg {
-  id: string
-  name: string
-  slug: string
-  type: string
-  role: string
+function timeAgo(dateStr: string): string {
+  const seconds = Math.floor((Date.now() - new Date(dateStr).getTime()) / 1000)
+  if (seconds < 60) return 'just now'
+  const minutes = Math.floor(seconds / 60)
+  if (minutes < 60) return `${minutes}m ago`
+  const hours = Math.floor(minutes / 60)
+  if (hours < 24) return `${hours}h ago`
+  const days = Math.floor(hours / 24)
+  if (days < 30) return `${days}d ago`
+  const months = Math.floor(days / 30)
+  if (months < 12) return `${months}mo ago`
+  return `${Math.floor(months / 12)}y ago`
 }
 
 export default function Dashboard() {
@@ -32,29 +43,9 @@ export default function Dashboard() {
   const [orgs, setOrgs] = useState<Org[]>([])
   const [filter, setFilter] = useState('')
 
-  // Org creation state
-  const [orgSlug, setOrgSlug] = useState('')
-  const [orgDisplayName, setOrgDisplayName] = useState('')
-  const [orgKfOrgId, setOrgKfOrgId] = useState('')
-  const [orgError, setOrgError] = useState('')
-  const [submitting, setSubmitting] = useState(false)
-  const [availableKfOrgs, setAvailableKfOrgs] = useState<KfOrg[]>([])
-
-  // Collection creation state
-  const [showCreateCollection, setShowCreateCollection] = useState(false)
-  const [colSlug, setColSlug] = useState('')
-  const [colName, setColName] = useState('')
-  const [colPublic, setColPublic] = useState(false)
-  const [colOwner, setColOwner] = useState('')
-  const [colError, setColError] = useState('')
-  const [colSubmitting, setColSubmitting] = useState(false)
-
   useEffect(() => {
     if (!currentUser) return
 
-    const defaultOrg = currentUser.orgs?.find((o: any) => o.isDefault) ?? currentUser.orgs?.[0]
-    setColOwner(defaultOrg?.slug ?? currentUser.slug)
-
     if (currentUser.orgs?.length) {
       Promise.all(
         currentUser.orgs.map(async (org: any) => {
@@ -65,348 +56,180 @@ export default function Dashboard() {
             slug: org.slug,
             displayName: org.name ?? org.displayName,
             role: org.role,
+            isDefault: !!org.isDefault,
             collections: res.ok ? await res.json() : [],
           }
         }),
       ).then(setOrgs)
     }
-
-    // Fetch available KF orgs for the org creation dropdown
-    fetch('/api/accounts/available-kf-orgs', { credentials: 'include' })
-      .then((r) => (r.ok ? r.json() : []))
-      .then((orgs: KfOrg[]) => {
-        setAvailableKfOrgs(orgs)
-        // Auto-select if only one KF org available
-        if (orgs.length === 1) {
-          setOrgKfOrgId(orgs[0]!.id)
-        }
-      })
   }, [currentUser])
 
-  async function handleCreateOrg(e: FormEvent) {
-    e.preventDefault()
-    setOrgError('')
-    setSubmitting(true)
-    try {
-      const { data, error } = await authClient.organization.create({
-        name: orgDisplayName,
-        slug: orgSlug,
-        kfOrgId: orgKfOrgId || undefined,
-      } as any)
-      if (error) {
-        setOrgError(error.message ?? 'Failed to create organization')
-      } else if (data) {
-        window.location.reload()
-      }
-    } finally {
-      setSubmitting(false)
-    }
-  }
-
-  async function handleCreateCollection(e: FormEvent) {
-    e.preventDefault()
-    setColError('')
-    setColSubmitting(true)
-    try {
-      const res = await fetch(`/api/accounts/${colOwner}/collections`, {
-        method: 'POST',
-        headers: { 'Content-Type': 'application/json' },
-        credentials: 'include',
-        body: JSON.stringify({
-          slug: colSlug,
-          name: colName,
-          public: colPublic,
-        }),
+  const allCollections = orgs
+    .flatMap((org) =>
+      org.collections.map((c) => ({ ...c, orgSlug: org.slug, orgName: org.displayName })),
+    )
+    .sort((a, b) => {
+      if (a.updatedAt && b.updatedAt)
+        return new Date(b.updatedAt).getTime() - new Date(a.updatedAt).getTime()
+      if (a.updatedAt) return -1
+      if (b.updatedAt) return 1
+      return a.slug.localeCompare(b.slug)
+    })
+
+  const filtered = filter
+    ? allCollections.filter((c) => {
+        const term = filter.toLowerCase()
+        return (
+          `${c.orgSlug}/${c.slug}`.includes(term) ||
+          (c.description ?? '').toLowerCase().includes(term)
+        )
       })
-      if (res.ok) {
-        window.location.reload()
-      } else {
-        const err = await res.json()
-        setColError(err.error ?? 'Failed to create collection')
-      }
-    } finally {
-      setColSubmitting(false)
-    }
-  }
-
-  const ownerOptions = orgs.map((o) => ({ slug: o.slug, label: o.displayName }))
-
-  function matchesFilter(text: string) {
-    return text.toLowerCase().includes(filter.toLowerCase())
-  }
+    : allCollections
 
   return (
     <BaseLayout>
-      <div className="mx-auto max-w-5xl px-4 py-10">
-        <div className="mb-6 flex items-center justify-between">
-          <h1 className="text-xl font-semibold tracking-tight">Dashboard</h1>
-          <Link to="/settings" className="text-ink-muted hover:text-ink text-sm transition-colors">
-            Settings
-          </Link>
-        </div>
-
-        <div className="flex flex-col gap-8 lg:flex-row">
-          {/* Main content area */}
-          <div className="min-w-0 flex-1">
-            {/* Search/filter */}
-            <div className="mb-4">
-              <input
-                type="text"
-                placeholder="Filter collections…"
-                value={filter}
-                onChange={(e) => setFilter(e.target.value)}
-                className="bg-parchment border-rule focus:border-ink w-full border px-3 py-2 text-sm focus:outline-none"
-              />
-            </div>
-
-            {/* Collections by org */}
+      <div className="mx-auto flex max-w-5xl gap-6 px-4 py-8">
+        {/* Left sidebar */}
+        <div className="hidden w-52 shrink-0 md:block">
+          <div className="mb-1 flex items-center justify-between">
+            <h3 className="text-ink-muted text-[11px] font-semibold tracking-wide uppercase">
+              Organizations
+            </h3>
+            <Link
+              to="/new-org"
+              className="text-ink-muted hover:text-ink text-[11px] transition-colors"
+            >
+              + New
+            </Link>
+          </div>
+          <div className="mb-5 space-y-0.5">
             {orgs.map((org) => (
-              <div key={org.slug} className="mb-6">
-                <div className="mb-2 flex items-center justify-between">
-                  <h2 className="text-ink-muted text-xs font-semibold tracking-wide uppercase">
-                    <Link to={`/${org.slug}`} className="hover:text-ink transition-colors">
-                      {org.displayName}
-                    </Link>
-                    <span className="border-rule ml-1.5 border px-1 py-0.5 text-[10px] font-normal normal-case">
-                      {org.role}
-                    </span>
-                  </h2>
-                  <Link
-                    to={`/${org.slug}/settings`}
-                    className="text-ink-muted hover:text-ink text-[10px]"
-                  >
-                    settings
-                  </Link>
-                </div>
-
-                {org.collections.length === 0 ? (
-                  <p className="text-ink-muted pl-1 text-xs">No collections yet.</p>
-                ) : (
-                  <div className="space-y-1">
-                    {org.collections
-                      .filter((c) => matchesFilter(`${org.slug}/${c.slug} ${c.name}`))
-                      .map((c) => (
-                        <Link
-                          key={c.slug}
-                          to={`/${org.slug}/${c.slug}`}
-                          className="border-rule hover:bg-parchment-dark flex items-center justify-between border px-3 py-2 transition-colors"
-                        >
-                          <div className="min-w-0">
-                            <span className="text-sm font-medium">
-                              {org.slug}/{c.slug}
-                            </span>
-                          </div>
-                          <span className="text-ink-muted border-rule ml-2 flex-shrink-0 border px-1.5 py-0.5 text-[10px]">
-                            {c.public ? 'public' : 'private'}
-                          </span>
-                        </Link>
-                      ))}
-                  </div>
-                )}
-              </div>
+              <Link
+                key={org.slug}
+                to={`/${org.slug}`}
+                className="hover:bg-parchment-dark flex items-center gap-2 rounded px-2 py-1.5 transition-colors"
+              >
+                <span className="bg-parchment-dark text-ink-muted flex h-5 w-5 items-center justify-center rounded-full text-[10px] font-semibold">
+                  {org.displayName.charAt(0).toUpperCase()}
+                </span>
+                <span className="min-w-0 truncate text-sm font-medium">
+                  {org.displayName}
+                  {org.isDefault && (
+                    <span className="text-ink-muted ml-1 font-normal">(personal)</span>
+                  )}
+                </span>
+                <span className="text-ink-muted ml-auto text-[10px]">{org.collections.length}</span>
+              </Link>
             ))}
           </div>
 
-          {/* Right sidebar */}
-          <div className="flex-shrink-0 space-y-6 lg:w-64">
-            {/* Create collection */}
-            <div className="border-rule border p-4">
-              <div className="mb-2 flex items-center justify-between">
-                <h3 className="text-ink-muted text-xs font-semibold tracking-wide uppercase">
-                  New Collection
-                </h3>
-                {!showCreateCollection && (
-                  <button
-                    type="button"
-                    onClick={() => setShowCreateCollection(true)}
-                    className="text-link cursor-pointer border-none bg-transparent text-xs hover:underline"
-                  >
-                    + Create
-                  </button>
-                )}
-              </div>
-
-              {showCreateCollection ? (
-                <form onSubmit={handleCreateCollection} className="space-y-2">
-                  {colError && <p className="text-xs text-red-600">{colError}</p>}
+          <h3 className="text-ink-muted mb-2 text-[11px] font-semibold tracking-wide uppercase">
+            Tools
+          </h3>
+          <div className="space-y-0.5 text-sm">
+            <Link to="/new" className="text-link block px-2 py-1 hover:underline">
+              New collection
+            </Link>
+            <Link to="/new-org" className="text-link block px-2 py-1 hover:underline">
+              New organization
+            </Link>
+            <Link to="/settings/keys" className="text-link block px-2 py-1 hover:underline">
+              API keys
+            </Link>
+            <Link to="/settings" className="text-link block px-2 py-1 hover:underline">
+              Settings
+            </Link>
+            <Link to="/explore" className="text-link block px-2 py-1 hover:underline">
+              Explore
+            </Link>
+          </div>
+        </div>
 
-                  {/* Owner picker — only show if user has orgs */}
-                  {ownerOptions.length > 1 && (
-                    <div>
-                      <label className="text-ink-muted mb-0.5 block text-[10px]">Owner</label>
-                      <select
-                        value={colOwner}
-                        onChange={(e) => setColOwner(e.target.value)}
-                        className="border-rule bg-parchment focus:border-ink w-full border px-2 py-1 text-xs focus:outline-none"
-                      >
-                        {ownerOptions.map((o) => (
-                          <option key={o.slug} value={o.slug}>
-                            {o.label} ({o.slug})
-                          </option>
-                        ))}
-                      </select>
-                    </div>
-                  )}
+        {/* Main: collections table */}
+        <div className="min-w-0 flex-1">
+          <div className="mb-3 flex items-center gap-3">
+            <input
+              type="text"
+              placeholder="Find a collection..."
+              value={filter}
+              onChange={(e) => setFilter(e.target.value)}
+              className="bg-parchment border-rule focus:border-ink min-w-0 flex-1 rounded border px-3 py-1.5 text-sm focus:outline-none"
+            />
+            <Link
+              to="/new"
+              className="bg-ink text-parchment visited:text-parchment shrink-0 rounded px-3 py-1.5 text-sm font-medium transition-opacity hover:opacity-90"
+            >
+              New collection
+            </Link>
+          </div>
 
-                  <div>
-                    <label className="text-ink-muted mb-0.5 block text-[10px]">Name</label>
-                    <input
-                      type="text"
-                      required
-                      placeholder="My Dataset"
-                      value={colName}
-                      onChange={(e) => setColName(e.target.value)}
-                      className="border-rule bg-parchment focus:border-ink w-full border px-2 py-1 text-xs focus:outline-none"
-                    />
-                  </div>
-                  <div>
-                    <label className="text-ink-muted mb-0.5 block text-[10px]">Slug</label>
-                    <input
-                      type="text"
-                      required
-                      pattern="[a-z0-9][-a-z0-9]*[a-z0-9]"
-                      minLength={2}
-                      placeholder="my-dataset"
-                      value={colSlug}
-                      onChange={(e) => setColSlug(e.target.value)}
-                      className="border-rule bg-parchment focus:border-ink w-full border px-2 py-1 text-xs focus:outline-none"
-                    />
-                  </div>
-                  <label className="text-ink-muted flex items-center gap-1.5 text-xs">
-                    <input
-                      type="checkbox"
-                      checked={colPublic}
-                      onChange={(e) => setColPublic(e.target.checked)}
-                    />
-                    Public
-                  </label>
-                  <div className="flex gap-2">
-                    <button
-                      type="submit"
-                      disabled={colSubmitting}
-                      className="bg-ink text-parchment flex-1 px-3 py-1 text-xs font-medium transition-opacity hover:opacity-90"
-                    >
-                      {colSubmitting ? 'Creating…' : 'Create'}
-                    </button>
-                    <button
-                      type="button"
-                      onClick={() => setShowCreateCollection(false)}
-                      className="text-ink-muted border-rule hover:text-ink cursor-pointer border bg-transparent px-3 py-1 text-xs"
-                    >
-                      Cancel
-                    </button>
-                  </div>
-                </form>
-              ) : (
-                <div className="text-ink-muted space-y-2 text-xs">
-                  <div>
-                    <p className="text-ink mb-0.5 text-[11px] font-medium">Via API</p>
-                    <code className="bg-parchment-dark block px-1.5 py-1 text-[10px] break-all">
-                      POST /api/accounts/{currentUser.slug}/collections
-                    </code>
-                  </div>
-                  <Link
-                    to="/docs/quickstart"
-                    className="text-link mt-2 block text-[11px] hover:underline"
-                  >
-                    Quickstart guide →
+          {filtered.length === 0 ? (
+            <div className="text-ink-muted border-rule rounded border px-4 py-8 text-center text-sm">
+              {allCollections.length === 0 ? (
+                <span>
+                  No collections yet.{' '}
+                  <Link to="/new" className="text-link hover:underline">
+                    Create your first collection
                   </Link>
-                </div>
+                </span>
+              ) : (
+                'No collections match your search.'
               )}
             </div>
-
-            {/* Create org — requires at least one available KF org */}
-            {availableKfOrgs.length > 0 && (
-              <div className="border-rule border p-4">
-                <h3 className="text-ink-muted mb-2 text-xs font-semibold tracking-wide uppercase">
-                  New Organization
-                </h3>
-                {orgError && <p className="mb-2 text-xs text-red-600">{orgError}</p>}
-                <form onSubmit={handleCreateOrg} className="space-y-2">
-                  {availableKfOrgs.length > 1 ? (
-                    <div>
-                      <label className="text-ink-muted mb-0.5 block text-[10px]">
-                        KF Organization
-                      </label>
-                      <select
-                        required
-                        value={orgKfOrgId}
-                        onChange={(e) => {
-                          setOrgKfOrgId(e.target.value)
-                          // Auto-fill display name from KF org
-                          const kfOrg = availableKfOrgs.find((o) => o.id === e.target.value)
-                          if (kfOrg && !orgDisplayName) setOrgDisplayName(kfOrg.name)
-                        }}
-                        className="border-rule bg-parchment focus:border-ink w-full border px-2 py-1 text-xs focus:outline-none"
-                      >
-                        <option value="">Select…</option>
-                        {availableKfOrgs.map((o) => (
-                          <option key={o.id} value={o.id}>
-                            {o.name}
-                          </option>
-                        ))}
-                      </select>
-                    </div>
-                  ) : (
-                    <p className="text-ink-muted text-[10px]">
-                      Linked to:{' '}
-                      <span className="text-ink font-medium">{availableKfOrgs[0]?.name}</span>
-                    </p>
-                  )}
-                  <div>
-                    <label className="text-ink-muted mb-0.5 block text-[10px]">Slug</label>
-                    <input
-                      type="text"
-                      required
-                      pattern="[a-z0-9][-a-z0-9]*[a-z0-9]"
-                      minLength={2}
-                      placeholder="my-org"
-                      value={orgSlug}
-                      onChange={(e) => setOrgSlug(e.target.value)}
-                      className="border-rule bg-parchment focus:border-ink w-full border px-2 py-1 text-xs focus:outline-none"
-                    />
-                  </div>
-                  <div>
-                    <label className="text-ink-muted mb-0.5 block text-[10px]">Display Name</label>
-                    <input
-                      type="text"
-                      required
-                      placeholder="My Organization"
-                      value={orgDisplayName}
-                      onChange={(e) => setOrgDisplayName(e.target.value)}
-                      className="border-rule bg-parchment focus:border-ink w-full border px-2 py-1 text-xs focus:outline-none"
-                    />
-                  </div>
-                  <button
-                    type="submit"
-                    disabled={submitting}
-                    className="bg-ink text-parchment w-full px-3 py-1 text-xs font-medium transition-opacity hover:opacity-90"
-                  >
-                    {submitting ? 'Creating…' : 'Create'}
-                  </button>
-                </form>
-              </div>
-            )}
-
-            {/* Links */}
-            <div className="space-y-1.5 text-xs">
-              <Link
-                to={`/${currentUser.slug}`}
-                className="text-ink-muted hover:text-ink block transition-colors"
-              >
-                Your profile →
-              </Link>
-              <Link
-                to="/settings/keys"
-                className="text-ink-muted hover:text-ink block transition-colors"
-              >
-                API keys →
-              </Link>
-              <Link to="/explore" className="text-ink-muted hover:text-ink block transition-colors">
-                Explore collections →
-              </Link>
+          ) : (
+            <div className="border-rule overflow-hidden rounded border">
+              <table className="w-full text-sm">
+                <thead>
+                  <tr className="bg-ink/5 text-ink-muted text-left text-xs">
+                    <th className="py-2 pr-2 pl-3 font-medium">Collection</th>
+                    <th className="px-2 py-2 font-medium">Visibility</th>
+                    <th className="px-2 py-2 font-medium">Created</th>
+                    <th className="py-2 pr-3 pl-2 text-right font-medium">Updated</th>
+                  </tr>
+                </thead>
+                <tbody>
+                  {filtered.map((c, i) => (
+                    <tr
+                      key={`${c.orgSlug}/${c.slug}`}
+                      className={`hover:bg-parchment-dark transition-colors ${
+                        i < filtered.length - 1 ? 'border-rule border-b' : ''
+                      }`}
+                    >
+                      <td className="py-2 pr-2 pl-3">
+                        <Link
+                          to={`/${c.orgSlug}/${c.slug}`}
+                          className="text-link font-medium hover:underline"
+                        >
+                          <span className="text-ink-muted font-normal">{c.orgSlug}/</span>
+                          {c.slug}
+                        </Link>
+                        {c.description && (
+                          <p className="text-ink-muted mt-0.5 line-clamp-1 text-xs">
+                            {c.description}
+                          </p>
+                        )}
+                      </td>
+                      <td className="px-2 py-2">
+                        <span className="text-ink-muted text-xs">
+                          {c.public ? 'public' : 'private'}
+                        </span>
+                      </td>
+                      <td className="px-2 py-2">
+                        <span className="text-ink-muted text-xs">
+                          {c.createdAt ? timeAgo(c.createdAt) : '--'}
+                        </span>
+                      </td>
+                      <td className="py-2 pr-3 pl-2 text-right">
+                        <span className="text-ink-muted text-xs">
+                          {c.updatedAt ? timeAgo(c.updatedAt) : '--'}
+                        </span>
+                      </td>
+                    </tr>
+                  ))}
+                </tbody>
+              </table>
             </div>
-          </div>
+          )}
         </div>
       </div>
     </BaseLayout>
diff --git a/src/routes/docs/quickstart.tsx b/src/routes/docs/quickstart.tsx
index 455089d..0c960cc 100644
--- a/src/routes/docs/quickstart.tsx
+++ b/src/routes/docs/quickstart.tsx
@@ -148,6 +148,19 @@ export default function DocsQuickstart() {
         Underlay instance.
       </p>
 
+      <div className="border-rule bg-parchment-dark/30 mb-6 rounded border p-4">
+        <p className="mt-0 mb-2 text-sm font-semibold">Fastest path: use an AI agent</p>
+        <p className="text-ink-muted mb-0 text-sm">
+          Point your coding agent at{' '}
+          <Link to="/llms.txt" className="text-link underline">
+            llms.txt
+          </Link>{' '}
+          and tell it what data you want to push. It has everything it needs to create a collection,
+          write the push script, and handle hashing and negotiation for you. The steps below explain
+          the same flow manually.
+        </p>
+      </div>
+
       <h2>1. Sign in and create an API key</h2>
       <p>
         Sign in at{' '}
diff --git a/src/routes/docs/self-host.tsx b/src/routes/docs/self-host.tsx
index db3e86d..ff0cb17 100644
--- a/src/routes/docs/self-host.tsx
+++ b/src/routes/docs/self-host.tsx
@@ -1,186 +1,222 @@
+import { Link } from 'react-router'
+
 import DocsLayout from '~/components/DocsLayout'
 
-const devShCode = `git clone https://github.com/knowledgefutures/underlay.git
-cd underlay
-./dev.sh`
+const quickStart = `DOMAIN=https://your-domain.com docker compose -f docker-compose.withauth.yml up -d`
+
+const localStart = `docker compose -f docker-compose.withauth.yml up -d`
 
-const secretsCode = `# Generate a keypair
-age-keygen -o key.txt
+const envExample = `# Required
+DOMAIN=https://your-domain.com
 
-# Add the public key to .sops.yaml, then:
-npm run secrets:encrypt       # .env → .env.enc
-npm run secrets:decrypt       # .env.enc → .env
-npm run secrets:encrypt:dev   # .env.dev → .env.dev.enc
-npm run secrets:decrypt:dev   # .env.dev.enc → .env.dev`
+# Optional: email delivery (for password resets, invitations)
+SMTP_HOST=smtp.example.com
+SMTP_PORT=587
+SMTP_FROM=noreply@your-domain.com
+SMTP_USER=apikey
+SMTP_PASS=your-smtp-password
 
-const backupCode = `# Manual backup
-npm run tool:backup
+# Optional: social login providers
+GITHUB_CLIENT_ID=...
+GITHUB_CLIENT_SECRET=...
+GOOGLE_CLIENT_ID=...
+GOOGLE_CLIENT_SECRET=...
+ORCID_CLIENT_ID=...
+ORCID_CLIENT_SECRET=...`
 
-# Backups are stored at:
-# s3://{bucket}/{BACKUP_S3_PREFIX}{timestamp}/underlay.sql.gz`
+const externalS3 = `# In docker-compose.withauth.yml, remove the minio and minio-init services,
+# then add these to the app service's environment block:
+S3_BUCKET: your-bucket-name
+S3_REGION: us-east-1
+S3_ENDPOINT: https://your-account-id.r2.cloudflarestorage.com  # omit for AWS S3
+S3_ACCESS_KEY: your-access-key
+S3_SECRET_KEY: your-secret-key`
+
+const resetCmd = `docker compose -f docker-compose.withauth.yml down -v
+docker compose -f docker-compose.withauth.yml up -d`
 
 export default function DocsSelfHost() {
   return (
     <DocsLayout title="Self-Hosting">
       <p>
-        Underlay is designed to be self-hosted. You need three things: a Node.js runtime, a
-        PostgreSQL database, and S3-compatible object storage.
+        The Underlay{' '}
+        <Link to="/protocol" className="text-link underline">
+          protocol
+        </Link>{' '}
+        is an open specification. This repository is the reference implementation, but anyone can
+        build an Underlay-compatible server tailored to their infrastructure, language, or use case
+        — as long as it implements the protocol (content-addressed records, hash negotiation,
+        immutable versioning). The protocol is the contract; the implementation is yours.
+      </p>
+      <p>
+        What follows is how to self-host <em>this</em> implementation. It ships with a
+        self-contained Docker Compose setup that bundles everything you need: the app, auth server,
+        PostgreSQL, S3-compatible storage, and a reverse proxy. One command, no external
+        dependencies.
       </p>
 
-      <h2>Requirements</h2>
+      <h2>What gets deployed</h2>
       <ul>
         <li>
-          <strong>Node.js</strong> ≥ 22.12
+          <strong>Underlay app</strong> — the main application (API + web UI)
+        </li>
+        <li>
+          <strong>KF Auth</strong> — authentication server (OAuth2/OIDC) + account management UI
         </li>
         <li>
-          <strong>PostgreSQL</strong> 16+
+          <strong>PostgreSQL 16</strong> — two databases: one for auth, one for the app
         </li>
         <li>
-          <strong>S3-compatible storage</strong> — AWS S3, MinIO, Cloudflare R2, etc.
+          <strong>MinIO</strong> — S3-compatible object storage for file uploads (replaceable with
+          external S3)
         </li>
         <li>
-          <strong>Docker</strong> (recommended) — or run directly with Node
+          <strong>Caddy</strong> — reverse proxy with automatic TLS
         </li>
       </ul>
+      <p>
+        On first boot, an init container auto-generates all secrets (session keys, OAuth client
+        credentials, S3 credentials). No manual secret management required.
+      </p>
 
-      <h2>Quick start with Docker</h2>
+      <h2>Requirements</h2>
+      <ul>
+        <li>
+          <strong>Docker</strong> and <strong>Docker Compose</strong> (v2)
+        </li>
+        <li>
+          A server with at least <strong>2 GB RAM</strong> and <strong>10 GB disk</strong>
+        </li>
+        <li>
+          A domain name pointed at your server (for TLS) — or <code>localhost</code> for local
+          testing
+        </li>
+      </ul>
+
+      <h2>Quick start</h2>
       <p>Clone the repo and run:</p>
       <pre className="bg-ink text-parchment overflow-x-auto p-3 text-xs">
-        <code>{devShCode}</code>
+        <code>{quickStart}</code>
+      </pre>
+      <p>
+        That's it. Caddy handles TLS automatically via Let's Encrypt. Visit your domain to create
+        your first account.
+      </p>
+      <p>
+        For local testing without a domain, omit <code>DOMAIN</code> — it defaults to{' '}
+        <code>http://localhost</code>:
+      </p>
+      <pre className="bg-ink text-parchment overflow-x-auto p-3 text-xs">
+        <code>{localStart}</code>
+      </pre>
+
+      <h2>Configuration</h2>
+      <p>
+        Set environment variables in your shell or create a <code>.env</code> file next to the
+        compose file. Only <code>DOMAIN</code> is required — everything else has sensible defaults
+        or is auto-generated.
+      </p>
+      <pre className="bg-ink text-parchment overflow-x-auto p-3 text-xs">
+        <code>{envExample}</code>
       </pre>
+
+      <h3>Social login</h3>
       <p>
-        This starts Postgres, MinIO (S3), and the Underlay app in development mode. The dev script
-        auto-creates a <code>.env.dev</code> from defaults if one doesn't exist.
+        Without social login configured, users sign up and log in with email/password. To enable
+        GitHub, Google, or ORCID login, set the corresponding client ID and secret. You'll need to
+        register an OAuth app with each provider — use{' '}
+        <code>{'https://your-domain.com/auth/callback/<provider>'}</code> as the callback URL.
       </p>
 
-      <h2>Environment variables</h2>
-      <table>
-        <tbody>
-          <tr>
-            <td>
-              <code>DATABASE_URL</code>
-            </td>
-            <td>PostgreSQL connection string</td>
-          </tr>
-          <tr>
-            <td>
-              <code>SESSION_SECRET</code>
-            </td>
-            <td>Secret for signing session cookies</td>
-          </tr>
-          <tr>
-            <td>
-              <code>PORT</code>
-            </td>
-            <td>Server port (default: 3000)</td>
-          </tr>
-          <tr>
-            <td>
-              <code>S3_BUCKET</code>
-            </td>
-            <td>S3 bucket name</td>
-          </tr>
-          <tr>
-            <td>
-              <code>S3_REGION</code>
-            </td>
-            <td>S3 region</td>
-          </tr>
-          <tr>
-            <td>
-              <code>S3_ENDPOINT</code>
-            </td>
-            <td>S3 endpoint URL (for MinIO, R2, etc.)</td>
-          </tr>
-          <tr>
-            <td>
-              <code>S3_ACCESS_KEY</code>
-            </td>
-            <td>S3 access key</td>
-          </tr>
-          <tr>
-            <td>
-              <code>S3_SECRET_KEY</code>
-            </td>
-            <td>S3 secret key</td>
-          </tr>
-          <tr>
-            <td>
-              <code>BACKUP_S3_PREFIX</code>
-            </td>
-            <td>S3 key prefix for database backups</td>
-          </tr>
-        </tbody>
-      </table>
-
-      <h2>Production deployment</h2>
-      <p>The recommended production setup:</p>
-      <ol>
-        <li>
-          Build the Docker image: <code>docker build -t underlay .</code>
-        </li>
-        <li>
-          Create a <code>.env</code> with production values (or use SOPS encryption)
-        </li>
-        <li>
-          Run with <code>docker compose up -d</code>
-        </li>
-      </ol>
+      <h2>Using external S3</h2>
+      <p>
+        The bundled MinIO service works out of the box, but you can replace it with any
+        S3-compatible storage (AWS S3, Cloudflare R2, DigitalOcean Spaces, etc.):
+      </p>
+      <pre className="bg-ink text-parchment overflow-x-auto p-3 text-xs">
+        <code>{externalS3}</code>
+      </pre>
       <p>
-        The production <code>docker-compose.yml</code> includes:
+        Also remove the <code>minio-init</code> service dependency from the <code>app</code>{' '}
+        service. The <code>S3_ENDPOINT</code> variable is only needed for non-AWS providers — omit
+        it for standard AWS S3.
       </p>
+
+      <h2>Data and persistence</h2>
+      <p>All state is in Docker volumes:</p>
       <ul>
         <li>
-          <strong>postgres</strong> — PostgreSQL 16 with a named volume
+          <code>pgdata</code> — PostgreSQL databases (auth + app)
         </li>
         <li>
-          <strong>app</strong> — Runs migrations, then starts the Hono server
+          <code>minio-data</code> — uploaded files (if using bundled MinIO)
         </li>
         <li>
-          <strong>cron</strong> — Scheduled tasks (database backups)
+          <code>withauth-config</code> — auto-generated secrets and config (created once on first
+          boot)
+        </li>
+        <li>
+          <code>caddy-data</code> — TLS certificates
         </li>
       </ul>
-
-      <h2>Secrets management</h2>
       <p>
-        We use <a href="https://github.com/getsops/sops">SOPS</a> with{' '}
-        <a href="https://github.com/FiloSottile/age">age</a> encryption. Encrypted{' '}
-        <code>.env.enc</code> files are committed to the repo; plaintext <code>.env</code> files are
-        gitignored.
+        To completely reset and start fresh, remove all volumes and re-run. The init container will
+        regenerate secrets:
       </p>
       <pre className="bg-ink text-parchment overflow-x-auto p-3 text-xs">
-        <code>{secretsCode}</code>
+        <code>{resetCmd}</code>
       </pre>
 
-      <h2>CI/CD</h2>
+      <h2>Updating</h2>
       <p>
-        The included GitHub Actions workflow (<code>.github/workflows/deploy.yml</code>) handles the
-        full pipeline:
+        Pull new images and restart. The app runs database migrations automatically on startup — no
+        manual migration step needed.
       </p>
-      <ol>
+      <pre className="bg-ink text-parchment overflow-x-auto p-3 text-xs">
+        <code>
+          {`docker compose -f docker-compose.withauth.yml pull\ndocker compose -f docker-compose.withauth.yml up -d`}
+        </code>
+      </pre>
+
+      <h2>Architecture</h2>
+      <p>Caddy listens on ports 80 and 443 and routes requests by path:</p>
+      <ul>
         <li>
-          Push to <code>main</code>
+          <code>/auth/*</code> → KF Auth server (authentication, OAuth2)
         </li>
-        <li>Build Docker image → push to GHCR</li>
         <li>
-          SSH to server → pull image → decrypt secrets → <code>docker compose up</code>
+          <code>/account/*</code> → KF Auth account UI (profile, password, sessions)
         </li>
-      </ol>
+        <li>
+          Everything else → Underlay app (API at <code>/api/*</code>, web UI for all other paths)
+        </li>
+      </ul>
       <p>
-        Required GitHub secrets: <code>SSH_PRIVATE_KEY</code>, <code>SSH_HOST</code>,{' '}
-        <code>SSH_USER</code>, <code>GHCR_USER</code>, <code>GHCR_TOKEN</code>.
+        The app server handles both the JSON API and server-side rendered React UI on a single port.
+        All services communicate internally over a Docker network — only Caddy is exposed to the
+        internet.
       </p>
 
-      <h2>Backups</h2>
-      <p>The cron container runs daily Postgres backups to S3:</p>
-      <pre className="bg-ink text-parchment overflow-x-auto p-3 text-xs">
-        <code>{backupCode}</code>
-      </pre>
-
-      <h2>Reverse proxy</h2>
+      <h2>Source code</h2>
+      <p>The self-hosting setup lives in the main repo:</p>
+      <ul>
+        <li>
+          <code>docker-compose.withauth.yml</code> — the compose file
+        </li>
+        <li>
+          <code>selfhost/Caddyfile</code> — Caddy reverse proxy config
+        </li>
+        <li>
+          <code>selfhost/init-db.sh</code> — Postgres init script (creates the app database)
+        </li>
+      </ul>
       <p>
-        Put Caddy, nginx, or Cloudflare in front. The app exposes a single port (default 3000)
-        serving both the API and SSR.
+        Report issues at{' '}
+        <a href="https://github.com/knowledgefutures/underlay">
+          github.com/knowledgefutures/underlay
+        </a>
+        . Built by <a href="https://www.knowledgefutures.org">Knowledge Futures</a>, a 501(c)(3)
+        public charity.
       </p>
     </DocsLayout>
   )
diff --git a/src/routes/index.data.ts b/src/routes/index.data.ts
index 083a7a9..11991bf 100644
--- a/src/routes/index.data.ts
+++ b/src/routes/index.data.ts
@@ -1 +1,24 @@
+import type { LoaderFunctionArgs } from 'react-router'
+
+import { fetchBase } from '~/lib/fetch-base'
+
 export const handle = { title: 'Underlay' }
+
+export async function loader({ request }: LoaderFunctionArgs) {
+  const base = fetchBase(request.url)
+  const res = await fetch(new URL('/api/collections?sort=featured&take=6', base), {
+    headers: { Cookie: request.headers.get('Cookie') ?? '' },
+  })
+  if (!res.ok) return { featured: [] }
+  const data = await res.json()
+  const collections = (data.collections ?? []).slice(0, 6).map((c: any) => ({
+    slug: c.slug,
+    ownerSlug: c.ownerSlug,
+    description: c.description,
+    semver: c.semver,
+    recordCount: c.recordCount,
+    totalBytes: c.totalBytes,
+    lastPushAt: c.lastPushAt,
+  }))
+  return { featured: collections }
+}
diff --git a/src/routes/index.tsx b/src/routes/index.tsx
index e52934b..1b519a5 100644
--- a/src/routes/index.tsx
+++ b/src/routes/index.tsx
@@ -1,10 +1,127 @@
-import { Link } from 'react-router'
+import { useEffect, useRef } from 'react'
+import { Link, useLoaderData } from 'react-router'
 
 import BaseLayout from '~/components/BaseLayout'
 import { useAppContext } from '~/lib/app-context'
 
+function HeroBackground() {
+  const containerRef = useRef<HTMLDivElement>(null)
+  const rafRef = useRef<number>(0)
+  const boxesRef = useRef<HTMLDivElement[]>([])
+
+  useEffect(() => {
+    const container = containerRef.current
+    if (!container) return
+
+    const w = container.offsetWidth
+    const h = container.offsetHeight
+    const count = 14
+
+    const rng = (i: number) => {
+      let s = (i * 2654435761 + 17) >>> 0
+      s = ((s ^ (s >> 16)) * 0x45d9f3b) >>> 0
+      s = ((s ^ (s >> 16)) * 0x45d9f3b) >>> 0
+      return (s >>> 0) / 0xffffffff
+    }
+
+    const boxes = Array.from({ length: count }, (_, i) => {
+      const el = document.createElement('div')
+      const size = 20 + rng(i * 7) * 120
+      const aspect = 0.5 + rng(i * 7 + 5) * 1.0
+      el.style.cssText = `
+        position:absolute;
+        width:${size}px;
+        height:${size * aspect}px;
+        background:rgba(235,228,214,${0.25 + rng(i * 7 + 6) * 0.3});
+        border-radius:${2 + rng(i * 7 + 4) * 4}px;
+        pointer-events:none;
+      `
+      container.appendChild(el)
+      return {
+        el,
+        x: rng(i * 7 + 1) * w,
+        y: rng(i * 7 + 2) * h,
+        vx: (rng(i * 7 + 3) - 0.5) * 0.35,
+        vy: (rng(i * 7 + 4) - 0.5) * 0.3,
+        rot: rng(i * 7 + 5) * 360,
+        vr: (rng(i * 7 + 6) - 0.5) * 0.08,
+        size,
+      }
+    })
+
+    const animate = () => {
+      for (const b of boxes) {
+        b.x += b.vx
+        b.y += b.vy
+        b.rot += b.vr
+        if (b.x < -b.size) b.x = w + b.size
+        if (b.x > w + b.size) b.x = -b.size
+        if (b.y < -b.size) b.y = h + b.size
+        if (b.y > h + b.size) b.y = -b.size
+        b.el.style.transform = `translate(${b.x}px,${b.y}px) rotate(${b.rot}deg)`
+      }
+      rafRef.current = requestAnimationFrame(animate)
+    }
+
+    rafRef.current = requestAnimationFrame(animate)
+    boxesRef.current = boxes.map((b) => b.el)
+
+    return () => {
+      cancelAnimationFrame(rafRef.current)
+      for (const el of boxesRef.current) el.remove()
+    }
+  }, [])
+
+  return (
+    <div
+      ref={containerRef}
+      className="pointer-events-none absolute inset-0 overflow-hidden"
+      aria-hidden="true"
+    />
+  )
+}
+
+function formatBytes(bytes: number): string {
+  if (bytes < 1024) return `${bytes} B`
+  if (bytes < 1024 * 1024) return `${(bytes / 1024).toFixed(1)} KB`
+  if (bytes < 1024 * 1024 * 1024) return `${(bytes / (1024 * 1024)).toFixed(1)} MB`
+  return `${(bytes / (1024 * 1024 * 1024)).toFixed(1)} GB`
+}
+
+function formatCount(n: number): string {
+  if (n < 1000) return String(n)
+  if (n < 1_000_000) return `${(n / 1000).toFixed(n < 10_000 ? 1 : 0)}k`
+  return `${(n / 1_000_000).toFixed(1)}M`
+}
+
+function timeAgo(dateStr: string): string {
+  const seconds = Math.floor((Date.now() - new Date(dateStr).getTime()) / 1000)
+  if (seconds < 60) return 'just now'
+  const minutes = Math.floor(seconds / 60)
+  if (minutes < 60) return `${minutes}m ago`
+  const hours = Math.floor(minutes / 60)
+  if (hours < 24) return `${hours}h ago`
+  const days = Math.floor(hours / 24)
+  if (days < 30) return `${days}d ago`
+  const months = Math.floor(days / 30)
+  if (months < 12) return `${months}mo ago`
+  return `${Math.floor(months / 12)}y ago`
+}
+
+interface RegistryCollection {
+  slug: string
+  ownerSlug: string
+  description?: string
+  semver: string | null
+  recordCount: number | null
+  totalBytes: number | null
+  lastPushAt: string | null
+}
+
 export default function Home() {
   const { mirrorConfig } = useAppContext()
+  const data = useLoaderData() as { featured?: RegistryCollection[] } | undefined
+  const collections: RegistryCollection[] = data?.featured ?? []
 
   if (mirrorConfig?.enabled) {
     return (
@@ -36,12 +153,6 @@ export default function Home() {
                 >
                   Explore collections
                 </Link>
-                <Link
-                  to="/schemas"
-                  className="border-ink hover:bg-parchment-dark visited:text-ink inline-block rounded border px-4 py-2 text-sm font-medium transition-colors"
-                >
-                  Browse schemas
-                </Link>
               </div>
             </div>
           </section>
@@ -101,18 +212,23 @@ export default function Home() {
 
   return (
     <BaseLayout>
-      <div className="mx-auto max-w-5xl px-4">
-        {/* Hero */}
-        <section className="py-16">
+      {/* Hero */}
+      <section className="relative overflow-hidden">
+        <HeroBackground />
+        <div className="relative mx-auto max-w-5xl px-4 py-16">
           <div className="max-w-2xl">
-            <h1 className="mb-4 font-sans text-3xl font-semibold tracking-tight">
-              Knowledge that lasts.
+            <h1 className="mb-4 font-sans text-3xl leading-tight font-semibold tracking-tight md:text-4xl">
+              A protocol for radically accessible structured knowledge.
             </h1>
-            <p className="text-ink-light mb-8 text-base leading-relaxed">
-              Underlay is a public registry where organizations publish versioned snapshots of their
-              structured data — making it permanently discoverable, verifiable, and citable.
-              Research datasets, publication archives, open knowledge: published once, preserved
-              indefinitely.
+            <p className="text-ink-light mb-3 max-w-xl text-sm leading-relaxed">
+              Publish structured data as versioned, permanent collections with schemas, provenance,
+              and content addressing built in. Whether you're a research lab, a newsroom, a
+              community archive, or a single developer, Underlay makes the knowledge you hold
+              discoverable, verifiable, and easy to build on.
+            </p>
+            <p className="text-ink-muted mb-8 max-w-xl text-xs leading-relaxed">
+              Stewarded by Knowledge Futures, a 501(c)(3) public charity dedicated to building
+              open-source knowledge infrastructure.
             </p>
             <div className="flex gap-3">
               <Link
@@ -125,129 +241,176 @@ export default function Home() {
                 to="/docs/quickstart"
                 className="border-ink hover:bg-parchment-dark visited:text-ink inline-block rounded border px-5 py-2.5 text-sm font-medium transition-colors"
               >
-                Start publishing
+                Get started
               </Link>
             </div>
           </div>
-        </section>
+        </div>
+      </section>
 
-        {/* Value propositions */}
-        <section className="border-rule border-t py-12">
-          <div className="grid grid-cols-1 gap-8 md:grid-cols-3">
-            <div>
-              <h3 className="mb-2 font-sans text-base font-semibold">Permanent</h3>
-              <p className="text-ink-muted text-sm leading-relaxed">
-                Every version of your data is stored immutably. Research doesn't disappear when a
-                project ends or a server goes down. Once published, it's preserved.
-              </p>
+      {/* In the registry */}
+      {collections.length > 0 && (
+        <section className="bg-parchment-dark border-rule border-y">
+          <div className="mx-auto max-w-5xl px-4 py-16">
+            <div className="mb-4 flex items-center justify-between">
+              <h2 className="text-ink-muted text-xs font-semibold tracking-widest uppercase">
+                In the registry
+              </h2>
+              <Link
+                to="/explore"
+                className="text-ink-muted hover:text-ink text-xs transition-colors"
+              >
+                Explore all collections →
+              </Link>
             </div>
-            <div>
-              <h3 className="mb-2 font-sans text-base font-semibold">Verifiable</h3>
-              <p className="text-ink-muted text-sm leading-relaxed">
-                Content-addressed storage means anyone can confirm that data hasn't been altered.
-                Cryptographic hashes at every level make tampering evident and trust auditable.
-              </p>
-            </div>
-            <div>
-              <h3 className="mb-2 font-sans text-base font-semibold">Discoverable</h3>
-              <p className="text-ink-muted text-sm leading-relaxed">
-                Structured data with shared schemas across collections. Browse, search, and export —
-                every dataset is openly accessible through both the web and a REST API.
-              </p>
+            <div className="border-rule overflow-hidden rounded border">
+              <table className="w-full text-sm">
+                <thead>
+                  <tr className="bg-ink/5 text-ink-muted text-left text-xs">
+                    <th className="px-3 py-2 font-medium">Collection</th>
+                    <th className="px-3 py-2 font-medium">Records</th>
+                    <th className="px-3 py-2 font-medium">Latest</th>
+                    <th className="px-3 py-2 text-right font-medium">Size</th>
+                    <th className="px-3 py-2 text-right font-medium">Updated</th>
+                  </tr>
+                </thead>
+                <tbody>
+                  {collections.map((c, i) => (
+                    <tr
+                      key={`${c.ownerSlug}/${c.slug}`}
+                      className={`bg-parchment hover:bg-parchment/80 transition-colors ${i < collections.length - 1 ? 'border-rule border-b' : ''}`}
+                    >
+                      <td className="px-3 py-2.5">
+                        <Link
+                          to={`/${c.ownerSlug}/${c.slug}`}
+                          className="text-link font-medium hover:underline"
+                        >
+                          {c.ownerSlug}/{c.slug}
+                        </Link>
+                      </td>
+                      <td className="text-ink-muted px-3 py-2.5 font-mono text-xs">
+                        {c.recordCount != null ? formatCount(c.recordCount) : '—'}
+                      </td>
+                      <td className="text-ink-muted px-3 py-2.5 font-mono text-xs">
+                        {c.semver ?? '—'}
+                      </td>
+                      <td className="text-ink-muted px-3 py-2.5 text-right font-mono text-xs">
+                        {c.totalBytes != null ? formatBytes(c.totalBytes) : '—'}
+                      </td>
+                      <td className="text-ink-muted px-3 py-2.5 text-right text-xs">
+                        {c.lastPushAt ? timeAgo(c.lastPushAt) : '—'}
+                      </td>
+                    </tr>
+                  ))}
+                </tbody>
+              </table>
             </div>
           </div>
         </section>
+      )}
 
-        {/* Who it's for */}
-        <section className="border-rule border-t py-12">
-          <h2 className="text-ink-muted mb-6 text-xs font-semibold tracking-widest uppercase">
-            Built for
-          </h2>
-          <div className="grid grid-cols-1 gap-4 md:grid-cols-2">
-            <div className="border-rule rounded border p-5">
-              <h3 className="mb-1 font-sans font-semibold">Research institutions</h3>
-              <p className="text-ink-muted text-sm leading-relaxed">
-                Preserve datasets beyond the life of a grant. Publish versioned snapshots that are
-                citable and independently verifiable.
-              </p>
-            </div>
-            <div className="border-rule rounded border p-5">
-              <h3 className="mb-1 font-sans font-semibold">Academic publishers</h3>
-              <p className="text-ink-muted text-sm leading-relaxed">
-                Archive publication metadata, review data, and supplementary materials in a format
-                that's structured, searchable, and open.
-              </p>
-            </div>
-            <div className="border-rule rounded border p-5">
-              <h3 className="mb-1 font-sans font-semibold">Open data organizations</h3>
-              <p className="text-ink-muted text-sm leading-relaxed">
-                Share curated datasets with the public. Underlay handles versioning, integrity, and
-                access — so you can focus on the data itself.
+      {/* The workflow */}
+      <section className="border-rule border-t">
+        <div className="mx-auto max-w-5xl px-4 py-16">
+          <div className="grid grid-cols-1 gap-8 md:grid-cols-[1fr_1fr]">
+            <div>
+              <h2 className="text-ink-muted mb-4 text-xs font-semibold tracking-widest uppercase">
+                The workflow
+              </h2>
+              <p className="text-ink-light mb-4 text-sm leading-relaxed">
+                An agent, an app, a scraper, a researcher — any tool that can push JSON records and
+                pull versions. Five commands from JSON to a permanent version.
               </p>
+              <Link to="/docs/quickstart" className="text-link text-sm hover:underline">
+                Read the quickstart →
+              </Link>
             </div>
-            <div className="border-rule rounded border p-5">
-              <h3 className="mb-1 font-sans font-semibold">Developers</h3>
-              <p className="text-ink-muted text-sm leading-relaxed">
-                Build on open knowledge. Pull snapshots via API, integrate with existing workflows,
-                or run your own Underlay instance.
-              </p>
+            <div className="bg-ink text-parchment overflow-hidden rounded font-mono text-[13px] leading-relaxed">
+              <div className="p-5">
+                <div className="text-ink-muted mb-1 text-[11px] select-none">
+                  # point at a collection
+                </div>
+                <div>
+                  <span className="text-parchment-dark">$</span> underlay init --schema
+                  ./schema.json
+                </div>
+                <div className="text-ink-muted mt-3 mb-1 text-[11px] select-none">
+                  # stage and push records
+                </div>
+                <div>
+                  <span className="text-parchment-dark">$</span> underlay add ./records.jsonl
+                </div>
+                <div>
+                  <span className="text-parchment-dark">$</span> underlay commit -m &quot;Q2 article
+                  refresh&quot;
+                </div>
+                <div className="text-ink-muted mt-3 mb-1 text-[11px] select-none">
+                  # done — versioned and permanent
+                </div>
+                <div>
+                  <span className="text-parchment-dark">$</span> underlay push
+                </div>
+                <div className="text-accent-light mt-1">
+                  published v1.2.0 &middot; 4,218 records &middot; immutable
+                </div>
+              </div>
             </div>
           </div>
-        </section>
+        </div>
+      </section>
 
-        {/* How it works */}
-        <section className="border-rule border-t py-12">
-          <h2 className="text-ink-muted mb-6 text-xs font-semibold tracking-widest uppercase">
-            How it works
+      {/* Bottom dark section */}
+      <section className="bg-ink text-parchment">
+        <div className="mx-auto max-w-5xl px-4 py-16">
+          <h2 className="mb-4 font-sans text-2xl leading-snug font-semibold tracking-tight md:max-w-2xl md:text-3xl">
+            Push what you have. The schemas make it legible. The models make it interoperable.
           </h2>
-          <div className="grid grid-cols-1 gap-8 md:grid-cols-3">
-            <div>
-              <div className="text-ink-muted mb-2 font-mono text-xs">01</div>
-              <h3 className="mb-1 font-sans font-semibold">Publish</h3>
-              <p className="text-ink-muted text-sm leading-relaxed">
-                Push structured data via a simple REST API. Define your schema, add records and
-                files, and create a versioned snapshot.
-              </p>
-            </div>
-            <div>
-              <div className="text-ink-muted mb-2 font-mono text-xs">02</div>
-              <h3 className="mb-1 font-sans font-semibold">Preserve</h3>
-              <p className="text-ink-muted text-sm leading-relaxed">
-                Each version is validated, deduplicated, and stored immutably. Files are
-                content-addressed. Every byte is accounted for.
-              </p>
-            </div>
+          <p className="text-parchment-dark mb-10 max-w-xl text-sm leading-relaxed">
+            Aligning structured data across organizations used to require everyone to agree on a
+            common schema upfront. Modern tooling has changed that. Schemas travel with the data,
+            and alignment can happen at the point of use rather than at the point of publication.
+            All you need to do is publish what you have, in whatever structure you already have it.
+          </p>
+          <div className="grid grid-cols-1 gap-8 text-sm md:grid-cols-3">
             <div>
-              <div className="text-ink-muted mb-2 font-mono text-xs">03</div>
-              <h3 className="mb-1 font-sans font-semibold">Discover</h3>
-              <p className="text-ink-muted text-sm leading-relaxed">
-                Anyone can browse collections, inspect schemas, view diffs between versions, and
-                export full archives. The data is the interface.
+              <h3 className="mb-1 font-sans font-semibold">Explore collections</h3>
+              <p className="text-parchment-dark mb-2 text-xs leading-relaxed">
+                Browse the public registry.
               </p>
+              <Link
+                to="/explore"
+                className="text-parchment-dark hover:text-parchment text-xs underline"
+              >
+                Explore →
+              </Link>
             </div>
-          </div>
-        </section>
-
-        {/* Bottom */}
-        <section className="border-rule border-t py-10">
-          <div className="flex flex-col gap-8 text-sm md:flex-row md:gap-16">
             <div>
-              <h3 className="mb-1 font-sans font-semibold">Open source</h3>
-              <p className="text-ink-muted leading-relaxed">
-                MIT licensed. Run your own instance, contribute, or push data to the canonical host
-                at underlay.org.
+              <h3 className="mb-1 font-sans font-semibold">Read the docs</h3>
+              <p className="text-parchment-dark mb-2 text-xs leading-relaxed">
+                Quickstart, concepts, API.
               </p>
+              <Link
+                to="/docs"
+                className="text-parchment-dark hover:text-parchment text-xs underline"
+              >
+                Docs →
+              </Link>
             </div>
             <div>
-              <h3 className="mb-1 font-sans font-semibold">Built by Knowledge Futures</h3>
-              <p className="text-ink-muted leading-relaxed">
-                A 501(c)(3) nonprofit building open infrastructure for the production, curation, and
-                preservation of knowledge.
+              <h3 className="mb-1 font-sans font-semibold">Read the protocol</h3>
+              <p className="text-parchment-dark mb-2 text-xs leading-relaxed">
+                The reference-grade spec.
               </p>
+              <Link
+                to="/protocol"
+                className="text-parchment-dark hover:text-parchment text-xs underline"
+              >
+                Protocol →
+              </Link>
             </div>
           </div>
-        </section>
-      </div>
+        </div>
+      </section>
     </BaseLayout>
   )
 }
diff --git a/src/routes/new-org.tsx b/src/routes/new-org.tsx
new file mode 100644
index 0000000..85c1473
--- /dev/null
+++ b/src/routes/new-org.tsx
@@ -0,0 +1,164 @@
+import { type FormEvent, useEffect, useState } from 'react'
+import { useNavigate } from 'react-router'
+
+import BaseLayout from '~/components/BaseLayout'
+import { useAppContext } from '~/lib/app-context'
+import { authClient } from '~/lib/auth-client'
+
+interface KfAccount {
+  id: string
+  name: string
+  slug: string
+}
+
+function slugify(value: string) {
+  return value
+    .toLowerCase()
+    .replace(/\s+/g, '-')
+    .replace(/[^a-z0-9-]/g, '')
+    .replace(/-{2,}/g, '-')
+}
+
+export default function NewOrg() {
+  const { currentUser } = useAppContext()
+  const navigate = useNavigate()
+
+  const [kfAccounts, setKfAccounts] = useState<KfAccount[]>([])
+  const [kfOrgId, setKfOrgId] = useState('')
+  const [slug, setSlug] = useState('')
+  const [displayName, setDisplayName] = useState('')
+  const [error, setError] = useState('')
+  const [submitting, setSubmitting] = useState(false)
+  const [loaded, setLoaded] = useState(false)
+
+  useEffect(() => {
+    fetch('/api/accounts/available-kf-orgs', { credentials: 'include' })
+      .then((r) => (r.ok ? r.json() : []))
+      .then((accounts: KfAccount[]) => {
+        setKfAccounts(accounts)
+        if (accounts.length === 1 && accounts[0]) setKfOrgId(accounts[0].id)
+        setLoaded(true)
+      })
+  }, [])
+
+  async function handleSubmit(e: FormEvent) {
+    e.preventDefault()
+    setError('')
+    setSubmitting(true)
+    try {
+      const { data, error: err } = await authClient.organization.create({
+        name: displayName,
+        slug,
+        kfOrgId: kfOrgId || undefined,
+      } as any)
+      if (err) {
+        setError(err.message ?? 'Failed to create organization')
+      } else if (data) {
+        navigate(`/${slug}`)
+      }
+    } finally {
+      setSubmitting(false)
+    }
+  }
+
+  useEffect(() => {
+    if (!currentUser) navigate('/login')
+  }, [currentUser, navigate])
+
+  if (!currentUser) return null
+
+  return (
+    <BaseLayout>
+      <div className="mx-auto max-w-lg px-4 py-10">
+        <h1 className="mb-1 text-xl font-semibold tracking-tight">Create a new organization</h1>
+        <p className="text-ink-muted mb-8 text-sm">
+          Organizations let you publish collections and manage members under a shared account.
+        </p>
+
+        {!loaded ? (
+          <p className="text-ink-muted text-sm">Loading...</p>
+        ) : (
+          <form onSubmit={handleSubmit} className="space-y-5">
+            {error && (
+              <div className="rounded border border-red-200 bg-red-50 px-3 py-2 text-xs text-red-700">
+                {error}
+              </div>
+            )}
+
+            {/* Display Name */}
+            <div>
+              <label className="text-ink mb-1.5 block text-sm font-medium">Display name</label>
+              <input
+                type="text"
+                required
+                placeholder="My Organization"
+                value={displayName}
+                onChange={(e) => setDisplayName(e.target.value)}
+                className="bg-parchment border-rule focus:border-ink w-full rounded border px-3 py-2 text-sm focus:outline-none"
+              />
+            </div>
+
+            {/* Slug */}
+            <div>
+              <label className="text-ink mb-1.5 block text-sm font-medium">URL slug</label>
+              <input
+                type="text"
+                required
+                pattern="[a-z0-9][-a-z0-9]*[a-z0-9]"
+                minLength={2}
+                placeholder="my-org"
+                value={slug}
+                onChange={(e) => setSlug(slugify(e.target.value))}
+                className="bg-parchment border-rule focus:border-ink w-full rounded border px-3 py-2 text-sm focus:outline-none"
+              />
+              <p className="text-ink-muted mt-1 text-xs">
+                Lowercase letters, numbers, and hyphens. This becomes the URL:{' '}
+                <span className="font-mono">underlay.org/{slug || '...'}</span>
+              </p>
+            </div>
+
+            {/* KF Account — only shown when user has multiple */}
+            {kfAccounts.length > 1 && (
+              <div>
+                <label className="text-ink mb-1.5 block text-sm font-medium">KF Account</label>
+                <select
+                  required
+                  value={kfOrgId}
+                  onChange={(e) => {
+                    setKfOrgId(e.target.value)
+                    const acct = kfAccounts.find((a) => a.id === e.target.value)
+                    if (acct) {
+                      if (!displayName) setDisplayName(acct.name)
+                      if (!slug) setSlug(slugify(acct.name))
+                    }
+                  }}
+                  className="bg-parchment border-rule focus:border-ink w-full rounded border px-3 py-2 text-sm focus:outline-none"
+                >
+                  <option value="">Select a KF account...</option>
+                  {kfAccounts.map((a) => (
+                    <option key={a.id} value={a.id}>
+                      {a.name}
+                    </option>
+                  ))}
+                </select>
+                <p className="text-ink-muted mt-1 text-xs">
+                  Choose which Knowledge Futures account this organization belongs to.
+                </p>
+              </div>
+            )}
+
+            <hr className="border-rule" />
+
+            <button
+              type="submit"
+              disabled={submitting || !slug || !displayName || !kfOrgId}
+              className="bg-ink text-parchment w-full rounded px-4 py-2.5 text-sm font-medium transition-opacity hover:opacity-90 disabled:opacity-50"
+            >
+              {submitting ? 'Creating...' : 'Create organization'}
+            </button>
+          </form>
+        )}
+      </div>
+    </BaseLayout>
+  )
+}
diff --git a/src/routes/new.data.ts b/src/routes/new.data.ts
new file mode 100644
index 0000000..cba7dc1
--- /dev/null
+++ b/src/routes/new.data.ts
@@ -0,0 +1,4 @@
+import { requireAuth } from '~/lib/auth-middleware'
+
+export const middleware = [requireAuth]
+export const handle = { title: 'New Collection · Underlay' }
diff --git a/src/routes/new.tsx b/src/routes/new.tsx
new file mode 100644
index 0000000..57829a1
--- /dev/null
+++ b/src/routes/new.tsx
@@ -0,0 +1,181 @@
+import { type FormEvent, useState } from 'react'
+import { useNavigate } from 'react-router'
+
+import BaseLayout from '~/components/BaseLayout'
+import { useAppContext } from '~/lib/app-context'
+
+export default function NewCollection() {
+  const { currentUser } = useAppContext()
+  const navigate = useNavigate()
+
+  const ownerOptions = (currentUser?.orgs ?? []).map((o: any) => ({
+    slug: o.slug,
+    label: `${o.name ?? o.displayName ?? o.slug}${o.isDefault ? ' (personal)' : ''}`,
+  }))
+  const defaultOwner = currentUser?.orgs?.find((o: any) => o.isDefault) ?? currentUser?.orgs?.[0]
+
+  const [owner, setOwner] = useState(defaultOwner?.slug ?? '')
+  const [slug, setSlug] = useState('')
+
+  function slugify(value: string) {
+    return value
+      .toLowerCase()
+      .replace(/\s+/g, '-')
+      .replace(/[^a-z0-9-]/g, '')
+      .replace(/-{2,}/g, '-')
+  }
+  const [isPublic, setIsPublic] = useState(false)
+  const [description, setDescription] = useState('')
+  const [error, setError] = useState('')
+  const [submitting, setSubmitting] = useState(false)
+
+  async function handleSubmit(e: FormEvent) {
+    e.preventDefault()
+    setError('')
+    setSubmitting(true)
+    try {
+      const res = await fetch(`/api/accounts/${owner}/collections`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        credentials: 'include',
+        body: JSON.stringify({
+          slug,
+          name: slug,
+          public: isPublic,
+          description: description || undefined,
+        }),
+      })
+      if (res.ok) {
+        navigate(`/${owner}/${slug}`)
+      } else {
+        const err = await res.json()
+        setError(err.error ?? 'Failed to create collection')
+      }
+    } finally {
+      setSubmitting(false)
+    }
+  }
+
+  return (
+    <BaseLayout>
+      <div className="mx-auto max-w-lg px-4 py-10">
+        <h1 className="mb-1 text-xl font-semibold tracking-tight">Create a new collection</h1>
+        <p className="text-ink-muted mb-8 text-sm">
+          A collection holds versioned, structured data. You can push records via the API or CLI.
+        </p>
+
+        <form onSubmit={handleSubmit} className="space-y-5">
+          {error && (
+            <div className="rounded border border-red-200 bg-red-50 px-3 py-2 text-xs text-red-700">
+              {error}
+            </div>
+          )}
+
+          {/* Owner */}
+          <div>
+            <label className="text-ink mb-1.5 block text-sm font-medium">Owner</label>
+            {ownerOptions.length > 1 ? (
+              <select
+                value={owner}
+                onChange={(e) => setOwner(e.target.value)}
+                className="bg-parchment border-rule focus:border-ink w-full rounded border px-3 py-2 text-sm focus:outline-none"
+              >
+                {ownerOptions.map((o: any) => (
+                  <option key={o.slug} value={o.slug}>
+                    {o.label}
+                  </option>
+                ))}
+              </select>
+            ) : (
+              <div className="bg-parchment-dark border-rule rounded border px-3 py-2 text-sm">
+                {ownerOptions[0]?.label ?? owner}
+              </div>
+            )}
+          </div>
+
+          {/* Slug */}
+          <div>
+            <label className="text-ink mb-1.5 block text-sm font-medium">Collection name</label>
+            <input
+              type="text"
+              required
+              pattern="[a-z0-9][-a-z0-9]*[a-z0-9]"
+              minLength={2}
+              placeholder="my-dataset"
+              value={slug}
+              onChange={(e) => setSlug(slugify(e.target.value))}
+              className="bg-parchment border-rule focus:border-ink w-full rounded border px-3 py-2 text-sm focus:outline-none"
+            />
+            <p className="text-ink-muted mt-1 text-xs">
+              Lowercase letters, numbers, and hyphens. This becomes the URL:{' '}
+              <span className="font-mono">
+                {owner}/{slug || '...'}
+              </span>
+            </p>
+          </div>
+
+          {/* Description */}
+          <div>
+            <label className="text-ink mb-1.5 block text-sm font-medium">
+              Description <span className="text-ink-muted font-normal">(optional)</span>
+            </label>
+            <input
+              type="text"
+              placeholder="A short description of this collection"
+              value={description}
+              onChange={(e) => setDescription(e.target.value)}
+              className="bg-parchment border-rule focus:border-ink w-full rounded border px-3 py-2 text-sm focus:outline-none"
+            />
+          </div>
+
+          {/* Visibility */}
+          <fieldset>
+            <legend className="text-ink mb-2 text-sm font-medium">Visibility</legend>
+            <div className="space-y-2">
+              <label className="flex items-start gap-2.5">
+                <input
+                  type="radio"
+                  name="visibility"
+                  checked={!isPublic}
+                  onChange={() => setIsPublic(false)}
+                  className="mt-0.5"
+                />
+                <div>
+                  <div className="text-sm font-medium">Private</div>
+                  <div className="text-ink-muted text-xs">
+                    Only you and organization members can see this collection.
+                  </div>
+                </div>
+              </label>
+              <label className="flex items-start gap-2.5">
+                <input
+                  type="radio"
+                  name="visibility"
+                  checked={isPublic}
+                  onChange={() => setIsPublic(true)}
+                  className="mt-0.5"
+                />
+                <div>
+                  <div className="text-sm font-medium">Public</div>
+                  <div className="text-ink-muted text-xs">
+                    Anyone can see this collection. It will appear in Explore.
+                  </div>
+                </div>
+              </label>
+            </div>
+          </fieldset>
+
+          <hr className="border-rule" />
+
+          <button
+            type="submit"
+            disabled={submitting || !slug || !owner}
+            className="bg-ink text-parchment w-full rounded px-4 py-2.5 text-sm font-medium transition-opacity hover:opacity-90 disabled:opacity-50"
+          >
+            {submitting ? 'Creating...' : 'Create collection'}
+          </button>
+        </form>
+      </div>
+    </BaseLayout>
+  )
+}
diff --git a/src/routes/protocol.data.ts b/src/routes/protocol.data.ts
index 169bb40..fc15059 100644
--- a/src/routes/protocol.data.ts
+++ b/src/routes/protocol.data.ts
@@ -1,9 +1,11 @@
 import type { LoaderFunctionArgs } from 'react-router'
 
+import { fetchBase } from '~/lib/fetch-base'
+
 export const handle = { title: 'Protocol · Underlay' }
 
 export async function loader({ request }: LoaderFunctionArgs) {
-  const base = new URL(request.url).origin
+  const base = fetchBase(request.url)
   const res = await fetch(new URL('/api/pages/protocol/comments', base), {
     headers: { Cookie: request.headers.get('Cookie') ?? '' },
   })
diff --git a/src/routes/records/[hash].data.ts b/src/routes/records/[hash].data.ts
index 9e03c1f..0b6ee11 100644
--- a/src/routes/records/[hash].data.ts
+++ b/src/routes/records/[hash].data.ts
@@ -1,11 +1,13 @@
 import type { LoaderFunctionArgs } from 'react-router'
 
+import { fetchBase } from '~/lib/fetch-base'
+
 export const handle = {
   title: () => `Record · Underlay`,
 }
 
 export async function loader({ params, request }: LoaderFunctionArgs) {
-  const base = new URL(request.url).origin
+  const base = fetchBase(request.url)
   const headers = { Cookie: request.headers.get('Cookie') ?? '' }
   const res = await fetch(new URL(`/api/records/${params.hash}/provenance`, base), { headers })
   if (!res.ok) throw new Response('Not Found', { status: 404 })
diff --git a/src/routes/schemas/[id].data.ts b/src/routes/schemas/[id].data.ts
index 2845e28..26d870e 100644
--- a/src/routes/schemas/[id].data.ts
+++ b/src/routes/schemas/[id].data.ts
@@ -1,11 +1,13 @@
 import type { LoaderFunctionArgs } from 'react-router'
 
+import { fetchBase } from '~/lib/fetch-base'
+
 export const handle = {
   title: () => `Schema · Underlay`,
 }
 
 export async function loader({ params, request }: LoaderFunctionArgs) {
-  const base = new URL(request.url).origin
+  const base = fetchBase(request.url)
   const headers = { Cookie: request.headers.get('Cookie') ?? '' }
   const res = await fetch(new URL(`/api/schemas/${params.id}`, base), { headers })
   if (!res.ok) throw new Response('Not Found', { status: 404 })
diff --git a/src/routes/superadmin.tsx b/src/routes/superadmin.tsx
index e995b63..117667a 100644
--- a/src/routes/superadmin.tsx
+++ b/src/routes/superadmin.tsx
@@ -4,6 +4,12 @@ import BaseLayout from '~/components/BaseLayout'
 import { useAppContext } from '~/lib/app-context'
 
 const tools = [
+  {
+    name: 'Explore Page',
+    href: '/admin/explore-tags',
+    description: 'Manage featured collections and tag filters on the explore page.',
+    stewardOnly: true,
+  },
   {
     name: 'Discussion Review',
     href: '/admin/discussion',
@@ -40,7 +46,7 @@ export default function Superadmin() {
     return (
       <BaseLayout>
         <div className="mx-auto max-w-2xl px-4 py-16 text-center">
-          <p className="text-ink-muted text-sm">This page is only available to stewards.</p>
+          <p className="text-ink-muted text-sm">This page is only available to admins.</p>
         </div>
       </BaseLayout>
     )