diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
index 8bdb364..69eae4a 100644
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -40,11 +40,11 @@ jobs:
         run: npm run build
         working-directory: apps/dashboard
         env:
-          VITE_AUTH0_DOMAIN:    ${{ secrets.VITE_AUTH0_DOMAIN }}
-          VITE_AUTH0_CLIENT_ID: ${{ secrets.VITE_AUTH0_CLIENT_ID }}
-          VITE_AUTH0_AUDIENCE:  ${{ secrets.VITE_AUTH0_AUDIENCE }}
-          VITE_BFF_URL:         ${{ secrets.E2E_BFF_URL }}
-          VITE_GATEWAY_URL:     ${{ secrets.E2E_GATEWAY_URL }}
+          VITE_AUTH0_DOMAIN:    e2e.auth0.local
+          VITE_AUTH0_CLIENT_ID: e2e-client-id
+          VITE_AUTH0_AUDIENCE:  https://api.grainguard.test
+          VITE_BFF_URL:         http://localhost:4000/graphql
+          VITE_GATEWAY_URL:     http://localhost:3000
 
       - name: Serve dashboard
         run: npx serve -s dist -l 5173 &
@@ -58,8 +58,8 @@ jobs:
         working-directory: tests/e2e
         env:
           E2E_BASE_URL:         http://localhost:5173
-          VITE_AUTH0_CLIENT_ID: ${{ secrets.VITE_AUTH0_CLIENT_ID }}
-          VITE_AUTH0_AUDIENCE:  ${{ secrets.VITE_AUTH0_AUDIENCE }}
+          VITE_AUTH0_CLIENT_ID: e2e-client-id
+          VITE_AUTH0_AUDIENCE:  https://api.grainguard.test
 
       - name: Upload Playwright report
         uses: actions/upload-artifact@v4
diff --git a/.github/workflows/perf.yml b/.github/workflows/perf.yml
index a7b0e9c..048740a 100644
--- a/.github/workflows/perf.yml
+++ b/.github/workflows/perf.yml
@@ -69,6 +69,8 @@ jobs:
         working-directory: apps/gateway
         env:
           PORT: 3000
+          BFF_HOST: localhost
+          BFF_PORT: "4000"
           NODE_ENV: test
           AUTH_ENABLED: "false"
           DATABASE_URL: postgres://grainguard:grainguard@localhost:5432/grainguard
@@ -168,8 +170,17 @@ jobs:
             --env BFF_URL=http://localhost:4000 \
             --env GATEWAY_AUTH_DISABLED=true \
             --env BFF_AUTH_DISABLED=true \
-            --env JWT=dummy-jwt \
+            --env GATEWAY_SAMPLE_PATH=/health \
             --env TEST_DEVICE_ID=00000000-0000-0000-0000-000000000001 \
+            --env BASELINE_RATE=20 \
+            --env BASELINE_DURATION=30s \
+            --env BASELINE_PREALLOCATED_VUS=20 \
+            --env BASELINE_MAX_VUS=40 \
+            --env SPIKE_TARGET=40 \
+            --env SPIKE_RAMP_UP=15s \
+            --env SPIKE_HOLD=15s \
+            --env SPIKE_RAMP_DOWN=15s \
+            --env THINK_TIME_SECONDS=0.05 \
             scripts/load-tests/performance-budget.js
 
       - name: Upload performance results
diff --git a/README.md b/README.md
index aa9556f..4c4fb08 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 
 > Production-grade, polyglot microservices SaaS platform for grain and agri operations.
 
-GrainGuard ingests high-volume device telemetry, computes spoilage risk scores, triggers automated alert workflows, and ships with full multi-tenant billing, SSO, team management, audit logging, observability, CI/CD, chaos testing, SLO monitoring, and operational runbooks.
+GrainGuard ingests high-volume device telemetry, computes spoilage risk scores, triggers automated alert workflows, and ships with multi-tenant billing, SSO, team management, audit logging, observability, CI/CD, load testing, and operational runbooks.
 
 ---
 
@@ -81,6 +81,18 @@ Risk Engine (Python) ── Workflow Alerts (Node.js) ── RabbitMQ ── Job
 
 ---
 
+## Current Deployment Status
+
+| Area | State |
+|------|-------|
+| Local Docker stack | ✅ Validated end-to-end |
+| GitOps apps in repo | ✅ `dev`, `staging`, and `prod` ArgoCD apps committed |
+| Terraform environments in repo | ✅ `dev` and `staging` committed |
+| Dedicated staging environment | 🟡 Scaffold committed; deploy/validate next |
+| Production rollout strategy | 🟡 Safe rolling deploys now; canary planned for production |
+
+---
+
 ## SaaS Features
 
 | Feature | Status |
@@ -172,18 +184,22 @@ go run tools/publish-telemetry/main.go
 # Go unit + integration tests
 go test -race -count=1 ./...
 
+# Go lint
+go run github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.11.0 run --timeout=5m
+
 # k6 load tests (requires running stack)
 k6 run tests/load/spike.js
 k6 run tests/load/soak.js
 k6 run tests/load/stress.js
 
-# Chaos tests (requires kubectl + live cluster)
-bash tests/chaos/run-all.sh
-
 # Replay + idempotency test
 ./scripts/replay/replay_test.sh
 ```
 
+Notes:
+- The core load-test scripts above are committed in `tests/load/`.
+- Cluster-level chaos automation is not currently committed on `master`; add or restore it before relying on README-driven chaos drills.
+
 ## Code Review Automation
 
 This repository is preconfigured for CodeRabbit via [`/.coderabbit.yaml`](./.coderabbit.yaml).
@@ -215,35 +231,15 @@ Notes:
 
 ---
 
-## Chaos Testing
-
-Five experiments covering the critical failure modes:
-
-| Experiment | What it kills | Pass condition |
-|------------|--------------|----------------|
-| `pod-kill` | gateway, bff, telemetry-service pods | Respawns within 30s |
-| `kafka-consumer-pause` | read-model-builder + cdc-transformer | Lag ≤ 10 000 within 5 min |
-| `redis-outage` | Redis | BFF falls back to DB, no panics |
-| `projection-lag` | read-model-builder | Alert fires, lag recovers in 5 min |
-| `network-partition` | telemetry-service → Kafka egress | Messages buffered, delivered after heal |
-
-```bash
-# Run all experiments
-bash tests/chaos/run-all.sh
-
-# Or trigger via GitHub Actions (manual dispatch)
-# .github/workflows/chaos.yml — also runs weekly on Saturdays
-```
-
----
-
 ## Operational Runbooks
 
 | Runbook | Trigger |
 |---------|---------|
+| [Postgres Backup / Restore](docs/runbooks/postgres-backup-restore.md) | Backup verification, restore drill, data recovery |
 | [Postgres Failover](docs/runbooks/postgres-failover.md) | Primary down, replica lag high |
 | [Kafka Loss](docs/runbooks/kafka-loss.md) | Broker down, under-replicated partitions |
 | [DLQ Spike](docs/runbooks/dlq-spike.md) | `DLQMessagesAccumulating` alert |
+| [Redis Backup / Restore](docs/runbooks/redis-backup-restore.md) | Cache restore drill, persistence recovery |
 | [Redis Failover](docs/runbooks/redis-failover.md) | Cache miss 100%, lock timeouts |
 | [Projection Lag](docs/runbooks/projection-lag.md) | `ProjectionLagHigh` alert |
 | [gRPC Outage](docs/runbooks/grpc-outage.md) | Circuit breaker open, 503 upstream |
@@ -261,6 +257,8 @@ terraform apply -var="db_password=yourpassword"
 
 Provisions: VPC · EKS · RDS Postgres · Elasticache Redis · MSK Kafka · DynamoDB · ECR · Secrets Manager
 
+Today, `dev` and `staging` Terraform environments are committed in-repo. The next step is to deploy and validate `staging` before treating the rollout path as production-ready.
+
 ---
 
 ## Kubernetes (GitOps)
@@ -278,6 +276,14 @@ helm diff upgrade grainguard k8s/helm/grainguard \
 
 ArgoCD watches `k8s/argocd/apps/` and auto-syncs on every push to master.
 
+Committed applications today:
+- `grainguard-dev` -> `grainguard-dev`
+- `grainguard-staging` -> `grainguard-staging`
+- `grainguard-prod` -> `grainguard-prod`
+
+Recommended next environment:
+- `grainguard-staging` -> deploy and validate ingress, TLS, DNS, secrets, restore drills, and production-like auth/billing flows before first prod rollout
+
 ---
 
 ## Architecture Decision Records
@@ -303,21 +309,26 @@ ArgoCD watches `k8s/argocd/apps/` and auto-syncs on every push to master.
 |-------|------|--------|
 | R1 — Core loop | Ingest, CQRS, outbox, saga | ✅ Done |
 | R2 — CDC + Search | Debezium, Elasticsearch, RabbitMQ | ✅ Done |
-| R3 — Reliability | Helm, ArgoCD, k6 load tests, chaos tests | ✅ Done |
+| R3 — Reliability baseline | Helm, ArgoCD scaffolding, k6 load tests, runbooks | ✅ Done |
 | R4 — Observability | SLOs, burn-rate alerts, Grafana dashboard, runbooks | ✅ Done |
 | R5 — Security | CSRF, rate limiting, audit logging, RBAC, API keys | ✅ Done |
 | R6 — SaaS billing | Stripe, tenant onboarding, team management, SSO, webhooks | ✅ Done |
-| R7 — DB migrations | Flyway/Knex migration framework, schema versioning | 🔜 Next |
-| R8 — Secret management | HashiCorp Vault / AWS Secrets Manager integration | 🔜 Planned |
+| R7 — Staging environment | Dedicated Argo app, Terraform env, deployed validation | 🟡 Scaffolded |
+| R8 — Production hardening | Canary rollout, restore proof, deployed auth/webhook validation | 🔜 Next |
 
 ---
 
-## Load test results
+## Latest Local Validation
+
+Latest mixed read/write validation on `master` (local Docker stack):
 
-- Kafka ingest: **1,700 events/sec**
-- Gateway p95 latency: **5.89ms**
-- Read model builder: **2,500–3,000 events/sec** sustained
+- **35,077** total requests
+- **438 req/s** aggregate throughput
+- **0%** HTTP failure rate
+- Gateway GraphQL p95: **11.5 ms**
+- Ingest p95: **10.8 ms**
+- Kafka consumer groups drained back to **0 lag** after the run
 
 ---
 
-*Built to demonstrate end-to-end DDIA patterns, distributed systems, GitOps, SRE practices, and production multi-tenant SaaS architecture.*
+*Built to demonstrate end-to-end DDIA patterns, distributed systems, GitOps, SRE practices, and production-style multi-tenant SaaS architecture.*
diff --git a/apps/bff/src/datasources/postgres.ts b/apps/bff/src/datasources/postgres.ts
index 4edfeaf..3ee78aa 100644
--- a/apps/bff/src/datasources/postgres.ts
+++ b/apps/bff/src/datasources/postgres.ts
@@ -4,17 +4,38 @@ import { cache } from "./redis";
 
 const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
 
+function shouldUseTls(connectionString: string | undefined): boolean { // true when the URL's sslmode is require, verify-ca or verify-full
+  if (!connectionString) return false;
+  return /sslmode=(require|verify-ca|verify-full)/i.test(connectionString);
+}
+
+function buildPoolOptions() { // options object handed to the read-side pg Pool below
+  const connectionString =
+    process.env.READ_DATABASE_URL ||
+    `postgres://${process.env.READ_DB_USER ?? "postgres"}:${process.env.READ_DB_PASSWORD ?? "postgres"}@${process.env.READ_DB_HOST ?? "postgres-read"}:${process.env.READ_DB_PORT ?? "5432"}/${process.env.READ_DB_NAME ?? "grainguard_read"}`;
+
+  const rejectUnauthorized = // certificate verification stays on unless the env var is exactly "false"
+    process.env.READ_DB_SSL_REJECT_UNAUTHORIZED !== "false";
+
+  return {
+    connectionString,
+    max: 50,
+    ...(shouldUseTls(connectionString) // the ssl key is only emitted when the URL asks for TLS
+      ? {
+          ssl: { // NOTE(review): confirm pg does not let sslmode parsed from connectionString override this object
+            rejectUnauthorized,
+          },
+        }
+      : {}),
+  };
+}
+
 /** Returns true for valid UUID v4 strings — guards against bad JWT claims */
 export function isValidUuid(value: unknown): value is string {
   return typeof value === "string" && UUID_RE.test(value);
 }
 
-const pool = new Pool({
-  connectionString:
-    process.env.READ_DATABASE_URL ||
-    `postgres://${process.env.READ_DB_USER ?? "postgres"}:${process.env.READ_DB_PASSWORD ?? "postgres"}@${process.env.READ_DB_HOST ?? "postgres-read"}:${process.env.READ_DB_PORT ?? "5432"}/${process.env.READ_DB_NAME ?? "grainguard_read"}`,
-  max: 50,
-});
+const pool = new Pool(buildPoolOptions());
 
 type Row = Record<string, unknown>;
 type QueryResult = import("pg").QueryResult<Row>;
diff --git a/apps/bff/src/datasources/redis.ts b/apps/bff/src/datasources/redis.ts
index 69aa3fc..9400e6b 100644
--- a/apps/bff/src/datasources/redis.ts
+++ b/apps/bff/src/datasources/redis.ts
@@ -3,6 +3,7 @@ import { createClient, createCluster } from "redis";
 // REDIS_CLUSTER_NODES = "redis-cluster-0:6379,redis-cluster-1:6379,..."
 // When set, uses Redis Cluster. Otherwise falls back to single-node (local dev).
 const REDIS_CLUSTER_NODES = process.env.REDIS_CLUSTER_NODES;
+const REDIS_PASSWORD = process.env.REDIS_PASSWORD;
 
 const client = (() => {
   if (REDIS_CLUSTER_NODES) {
@@ -13,7 +14,10 @@ const client = (() => {
       };
     });
     console.log(`Redis cluster mode: ${rootNodes.length} nodes`);
-    return createCluster({ rootNodes });
+    return createCluster({
+      rootNodes,
+      defaults: REDIS_PASSWORD ? { password: REDIS_PASSWORD } : undefined,
+    });
   }
 
   // Single-node (local dev / docker-compose default)
@@ -23,6 +27,7 @@ const client = (() => {
       host: process.env.REDIS_HOST || "localhost",
       port: parseInt(process.env.REDIS_PORT || "6379", 10),
     },
+    password: REDIS_PASSWORD || undefined,
   });
 })();
 
diff --git a/apps/bff/src/server.ts b/apps/bff/src/server.ts
index 615eaef..476aa74 100644
--- a/apps/bff/src/server.ts
+++ b/apps/bff/src/server.ts
@@ -22,13 +22,27 @@ const ISSUER = process.env.JWT_ISSUER!;
 const AUDIENCE = process.env.JWT_AUDIENCE!;
 const ALLOWED_ORIGINS =
   (process.env.ALLOWED_ORIGINS ||
-    "http://localhost:5173,http://localhost:5174,http://localhost:8086").split(",");
+    "http://localhost:5173,http://localhost:5174,http://localhost:8086")
+    .split(",")
+    .map((origin) => origin.trim());
 if (!JWKS_URL || !ISSUER || !AUDIENCE) {
   throw new Error("JWKS_URL, JWT_ISSUER, JWT_AUDIENCE must be set");
 }
 
 const jwks = createRemoteJWKSet(new URL(JWKS_URL));
 
+function isAllowedOrigin(origin: string): boolean {
+  // Entries match verbatim; an entry containing "*" is treated as a glob over the whole origin.
+  for (const entry of ALLOWED_ORIGINS) {
+    if (entry === origin) return true;
+    if (entry.indexOf("*") === -1) continue;
+    const escaped = entry.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
+    const glob = new RegExp("^" + escaped.replace(/\*/g, ".*") + "$");
+    if (glob.test(origin)) return true;
+  }
+  return false;
+}
+
 async function verifyToken(token: string) {
   const { payload } = await jwtVerify(token, jwks, {
     issuer: ISSUER,
@@ -133,7 +147,7 @@ async function startServer() {
     cors<cors.CorsRequest>({
       origin: (origin, callback) => {
         if (!origin) return callback(null, true);
-        if (ALLOWED_ORIGINS.includes(origin)) return callback(null, true);
+        if (isAllowedOrigin(origin)) return callback(null, true);
         callback(new Error(`CORS: origin ${origin} not allowed`));
       },
       credentials: true,
diff --git a/apps/dashboard/Dockerfile b/apps/dashboard/Dockerfile
index b9a24a0..c157e8f 100644
--- a/apps/dashboard/Dockerfile
+++ b/apps/dashboard/Dockerfile
@@ -8,10 +8,21 @@ ARG VITE_AUTH0_CLIENT_ID
 ARG VITE_AUTH0_AUDIENCE
 ARG VITE_BFF_URL
 ARG VITE_GATEWAY_URL
+ARG VITE_ALLOW_INSECURE_AUTH
+ARG VITE_INSECURE_TENANT_ID
+ENV VITE_AUTH0_DOMAIN=$VITE_AUTH0_DOMAIN
+ENV VITE_AUTH0_CLIENT_ID=$VITE_AUTH0_CLIENT_ID
+ENV VITE_AUTH0_AUDIENCE=$VITE_AUTH0_AUDIENCE
+ENV VITE_BFF_URL=$VITE_BFF_URL
+ENV VITE_GATEWAY_URL=$VITE_GATEWAY_URL
+ENV VITE_ALLOW_INSECURE_AUTH=$VITE_ALLOW_INSECURE_AUTH
+ENV VITE_INSECURE_TENANT_ID=$VITE_INSECURE_TENANT_ID
 RUN npm run build
 
-FROM nginx:alpine
-COPY --from=builder /app/dist /usr/share/nginx/html
-COPY apps/dashboard/nginx.conf /etc/nginx/conf.d/default.conf
-EXPOSE 80
-CMD ["nginx", "-g", "daemon off;"]
+FROM node:20-alpine
+WORKDIR /app
+RUN npm install -g serve@14
+COPY --from=builder /app/dist ./dist
+USER node
+EXPOSE 8080
+CMD ["serve", "-s", "dist", "-l", "8080"]
diff --git a/apps/dashboard/src/features/billing/BillingPage.tsx b/apps/dashboard/src/features/billing/BillingPage.tsx
index 38c6602..98f5ecf 100644
--- a/apps/dashboard/src/features/billing/BillingPage.tsx
+++ b/apps/dashboard/src/features/billing/BillingPage.tsx
@@ -236,25 +236,32 @@ export function BillingPage() {
                   </li>
                 ))}
               </ul>
-              <button
-                onClick={() => handleUpgrade(plan.key)}
-                disabled={loading === plan.key || isCurrent}
-                className={`w-full py-2 px-4 rounded-lg text-sm font-medium transition-colors disabled:opacity-50 disabled:cursor-not-allowed ${
-                  isCurrent
-                    ? "bg-gray-100 dark:bg-gray-800 text-gray-400 dark:text-gray-500 cursor-default"
-                    : plan.highlighted
-                    ? "bg-green-600 text-white hover:bg-green-700"
-                    : "bg-gray-100 dark:bg-gray-800 text-gray-900 dark:text-white hover:bg-gray-200 dark:hover:bg-gray-700"
-                }`}
-              >
-                {loading === plan.key
-                  ? "Redirecting..."
-                  : isCurrent
-                  ? "Current plan"
-                  : plan.key === "enterprise"
-                  ? "Contact Sales"
-                  : "Upgrade"}
-              </button>
+              {plan.key === "enterprise" && !isCurrent ? ( /* sales-led plan: mail link instead of handleUpgrade */
+                <a
+                  href="mailto:sales@grainguard.com?subject=Enterprise%20Plan"
+                  className="block w-full py-2 px-4 rounded-lg text-sm font-medium text-center transition-colors bg-gray-100 dark:bg-gray-800 text-gray-900 dark:text-white hover:bg-gray-200 dark:hover:bg-gray-700"
+                >
+                  Contact Sales
+                </a>
+              ) : (
+                <button
+                  onClick={() => handleUpgrade(plan.key)}
+                  disabled={loading === plan.key || isCurrent}
+                  className={`w-full py-2 px-4 rounded-lg text-sm font-medium transition-colors disabled:opacity-50 disabled:cursor-not-allowed ${
+                    isCurrent
+                      ? "bg-gray-100 dark:bg-gray-800 text-gray-400 dark:text-gray-500 cursor-default"
+                      : plan.highlighted
+                      ? "bg-green-600 text-white hover:bg-green-700"
+                      : "bg-gray-100 dark:bg-gray-800 text-gray-900 dark:text-white hover:bg-gray-200 dark:hover:bg-gray-700"
+                  }`}
+                >
+                  {loading === plan.key
+                    ? "Redirecting..."
+                    : isCurrent
+                    ? "Current plan"
+                    : "Upgrade"}
+                </button>
+              )}
             </div>
           );
         })}
diff --git a/apps/dashboard/src/features/devices/components/RegisterDeviceModal.tsx b/apps/dashboard/src/features/devices/components/RegisterDeviceModal.tsx
index aadddf6..5cb976e 100644
--- a/apps/dashboard/src/features/devices/components/RegisterDeviceModal.tsx
+++ b/apps/dashboard/src/features/devices/components/RegisterDeviceModal.tsx
@@ -33,6 +33,14 @@ function RegisterDeviceModalContent({ onClose, onRegistered }: Omit<Props, "open
     return () => window.clearTimeout(focusTimer);
   }, [reset]);
 
+  useEffect(() => {
+    const onWindowKeyDown = (event: KeyboardEvent) => {
+      if (event.key === "Escape") onClose();
+    };
+    window.addEventListener("keydown", onWindowKeyDown);
+    return () => window.removeEventListener("keydown", onWindowKeyDown);
+  }, [onClose]);
+
   const validate = (value: string): string | null => {
     if (!value.trim()) return "Serial number is required";
     if (!SERIAL_REGEX.test(value.trim()))
@@ -100,8 +108,9 @@ function RegisterDeviceModalContent({ onClose, onRegistered }: Omit<Props, "open
             type="text"
             value={serial}
             onChange={(e) => {
-              setSerial(e.target.value);
-              setValidationError(null);
+              const nextSerial = e.target.value.toUpperCase();
+              setSerial(nextSerial);
+              setValidationError(nextSerial.trim() ? validate(nextSerial) : null);
             }}
             placeholder="e.g. GG-SILO-001"
             className="w-full px-3 py-2 border rounded-lg text-sm bg-white dark:bg-gray-800 text-gray-900 dark:text-white placeholder-gray-400 focus:outline-none focus:ring-2 focus:ring-green-500 border-gray-300 dark:border-gray-700"
@@ -110,7 +119,10 @@ function RegisterDeviceModalContent({ onClose, onRegistered }: Omit<Props, "open
           />
 
           {(validationError || error) && (
-            <p className="mt-2 text-sm text-red-600 dark:text-red-400">
+            <p
+              role="alert"
+              className="mt-2 text-sm text-red-600 dark:text-red-400"
+            >
               {validationError || error}
             </p>
           )}
@@ -130,7 +142,7 @@ function RegisterDeviceModalContent({ onClose, onRegistered }: Omit<Props, "open
             </button>
             <button
               type="submit"
-              disabled={loading || !serial.trim()}
+              disabled={loading || validate(serial) !== null}
               className="flex-1 px-4 py-2 text-sm bg-green-600 text-white rounded-lg hover:bg-green-700 disabled:opacity-50 disabled:cursor-not-allowed flex items-center justify-center gap-2"
             >
               {loading ? (
diff --git a/apps/dashboard/src/features/settings/SettingsPage.tsx b/apps/dashboard/src/features/settings/SettingsPage.tsx
index 462c341..b5d7da5 100644
--- a/apps/dashboard/src/features/settings/SettingsPage.tsx
+++ b/apps/dashboard/src/features/settings/SettingsPage.tsx
@@ -103,16 +103,24 @@ export function SettingsPage() {
       const res = await fetch(`${GW}/account/export`, {
         headers: { Authorization: `Bearer ${token}` },
       });
+      if (!res.ok) {
+        const body = await res.json().catch(() => ({}));
+        throw new Error(
+          typeof body?.error === "string" ? body.error : `HTTP ${res.status}`
+        );
+      }
       const blob = await res.blob();
       const url = URL.createObjectURL(blob);
       const a = document.createElement("a");
       a.href = url;
-      a.download = `grainguard-export-${new Date().toISOString().slice(0, 10)}.json`;
+      const disposition = res.headers.get("content-disposition") ?? "";
+      const filenameMatch = disposition.match(/filename="?([^"]+)"?/i);
+      a.download = filenameMatch?.[1] ?? `grainguard-export-${new Date().toISOString().slice(0, 10)}.json`;
       a.click();
       URL.revokeObjectURL(url);
       toast.success("Data exported");
-    } catch {
-      toast.error("Export failed");
+    } catch (e) {
+      toast.error(e instanceof Error ? e.message : "Export failed");
     }
   }
 
diff --git a/apps/dashboard/src/lib/apiFetch.ts b/apps/dashboard/src/lib/apiFetch.ts
index 209d090..2c22f0a 100644
--- a/apps/dashboard/src/lib/apiFetch.ts
+++ b/apps/dashboard/src/lib/apiFetch.ts
@@ -1,6 +1,8 @@
 import { getAccessTokenSilently } from "./auth0";
 
 const GW = import.meta.env.VITE_GATEWAY_URL ?? "";
+const INSECURE_AUTH_ENABLED = import.meta.env.VITE_ALLOW_INSECURE_AUTH === "true";
+const INSECURE_TENANT_ID = import.meta.env.VITE_INSECURE_TENANT_ID ?? "";
 const CSRF_COOKIE  = "_csrf";
 const CSRF_HEADER  = "x-csrf-token";
 const MUTATING     = new Set(["POST", "PUT", "PATCH", "DELETE"]);
@@ -35,6 +37,9 @@ export async function apiFetch(path: string, options: RequestInit = {}) {
       "Content-Type": "application/json",
       Authorization:  `Bearer ${token}`,
       ...(isMutating ? { [CSRF_HEADER]: getCsrfToken() } : {}),
+      ...(INSECURE_AUTH_ENABLED && INSECURE_TENANT_ID
+        ? { "x-tenant-id": INSECURE_TENANT_ID }
+        : {}),
       ...(options.headers as Record<string, string>),
     };
   }
diff --git a/apps/dashboard/src/lib/apollo.ts b/apps/dashboard/src/lib/apollo.ts
index 03b7dcf..c53e75c 100644
--- a/apps/dashboard/src/lib/apollo.ts
+++ b/apps/dashboard/src/lib/apollo.ts
@@ -16,6 +16,8 @@ import { getAccessTokenSilently } from "./auth0";
  */
 const BFF_URL =
   import.meta.env.VITE_BFF_URL || "http://localhost:4000/graphql";
+const INSECURE_AUTH_ENABLED = import.meta.env.VITE_ALLOW_INSECURE_AUTH === "true";
+const INSECURE_TENANT_ID = import.meta.env.VITE_INSECURE_TENANT_ID ?? "";
 
 /**
  * Build WS URL safely
@@ -30,23 +32,27 @@ const WS_URL = wsUrlObj.toString();
 const authLink = new ApolloLink((operation, forward) => {
   return new Observable((observer) => {
     (async () => {
+      let token = "";
       try {
-        const token = await getAccessTokenSilently({
+        token = await getAccessTokenSilently({
           authorizationParams: {
             audience: import.meta.env.VITE_AUTH0_AUDIENCE,
           },
         });
-
-        operation.setContext(({ headers = {} }) => ({
-          headers: {
-            ...headers,
-            authorization: token ? `Bearer ${token}` : "",
-          },
-        }));
       } catch {
         // silently continue without token
       }
 
+      operation.setContext(({ headers = {} }) => ({
+        headers: {
+          ...headers,
+          authorization: token ? `Bearer ${token}` : "",
+          ...(INSECURE_AUTH_ENABLED && INSECURE_TENANT_ID
+            ? { "x-tenant-id": INSECURE_TENANT_ID }
+            : {}),
+        },
+      }));
+
       forward(operation).subscribe(observer);
     })();
   });
@@ -74,9 +80,16 @@ const wsLink = new GraphQLWsLink(
             audience: import.meta.env.VITE_AUTH0_AUDIENCE,
           },
         });
-        return { authorization: token ? `Bearer ${token}` : "" };
+        return {
+          authorization: token ? `Bearer ${token}` : "",
+          ...(INSECURE_AUTH_ENABLED && INSECURE_TENANT_ID
+            ? { "x-tenant-id": INSECURE_TENANT_ID }
+            : {}),
+        };
       } catch {
-        return {};
+        return INSECURE_AUTH_ENABLED && INSECURE_TENANT_ID
+          ? { "x-tenant-id": INSECURE_TENANT_ID }
+          : {};
       }
     },
   })
diff --git a/apps/dashboard/src/providers/Auth0ProviderWithNavigate.tsx b/apps/dashboard/src/providers/Auth0ProviderWithNavigate.tsx
index 682fbd5..1aa9be7 100644
--- a/apps/dashboard/src/providers/Auth0ProviderWithNavigate.tsx
+++ b/apps/dashboard/src/providers/Auth0ProviderWithNavigate.tsx
@@ -1,5 +1,5 @@
 import type { ReactNode } from "react";
-import { Auth0Provider } from "@auth0/auth0-react";
+import { Auth0Context, Auth0Provider, initialContext } from "@auth0/auth0-react";
 import { useNavigate } from "react-router-dom";
 
 const domain = import.meta.env.VITE_AUTH0_DOMAIN;
@@ -10,13 +10,112 @@ const useRefreshTokensFallback =
   import.meta.env.VITE_AUTH0_USE_REFRESH_TOKENS_FALLBACK === "true";
 const scope =
   import.meta.env.VITE_AUTH0_SCOPE ?? "openid profile email offline_access";
+const allowInsecureAuth = import.meta.env.VITE_ALLOW_INSECURE_AUTH === "true";
+const insecureTenantId =
+  import.meta.env.VITE_INSECURE_TENANT_ID ??
+  "11111111-1111-1111-1111-111111111111";
 
 interface Props {
   children: ReactNode;
 }
 
+const E2E_TOKEN_KEY = "__e2e_access_token";
+const E2E_TENANT_ID = "00000000-0000-0000-0000-000000000001";
+const INSECURE_TOKEN_KEY = "__insecure_access_token";
+
+function getE2EContextValue() { // returns a stub Auth0 context when an E2E token is in localStorage, otherwise null
+  if (typeof window === "undefined") return null;
+
+  const token = window.localStorage.getItem(E2E_TOKEN_KEY);
+  if (!token) return null; // NOTE(review): this key is the only gate visible here — confirm production builds should honor it
+
+  const user = { // fixed test identity; claims are written under both namespace spellings
+    sub: "auth0|e2e-test-user",
+    email: "e2e@grainguard.com",
+    name: "E2E Test User",
+    "https://grainguard.com/tenant_id": E2E_TENANT_ID,
+    "https://grainguard/tenant_id": E2E_TENANT_ID,
+    "https://grainguard.com/roles": ["admin"],
+    "https://grainguard/roles": ["admin"],
+  };
+
+  return {
+    ...initialContext,
+    isAuthenticated: true,
+    isLoading: false,
+    user,
+    getAccessTokenSilently: async () => token, // hands back the stored token verbatim
+    getAccessTokenWithPopup: async () => token,
+    getIdTokenClaims: async () => undefined,
+    loginWithRedirect: async () => undefined, // login calls are no-ops in this mode
+    loginWithPopup: async () => undefined,
+    logout: async () => { // drops the stored token, then reloads at "/"
+      window.localStorage.removeItem(E2E_TOKEN_KEY);
+      window.location.assign("/");
+    },
+    handleRedirectCallback: async () => ({ appState: {} }),
+  };
+}
+
+function getInsecureContextValue() { // returns a stub Auth0 context on non-secure origins when insecure auth is enabled, otherwise null
+  if (typeof window === "undefined") return null;
+  if (window.isSecureContext) return null; // secure contexts never get this stub
+  if (!allowInsecureAuth) return null; // opt-in via VITE_ALLOW_INSECURE_AUTH === "true"
+
+  let token = window.localStorage.getItem(INSECURE_TOKEN_KEY);
+  if (!token) { // first visit: persist a fixed placeholder token
+    token = "insecure-dev-token";
+    window.localStorage.setItem(INSECURE_TOKEN_KEY, token);
+  }
+
+  const user = { // fixed identity; claims are written under both namespace spellings
+    sub: "auth0|insecure-staging-user",
+    email: "staging@grainguard.local",
+    name: "Staging User",
+    "https://grainguard.com/tenant_id": insecureTenantId, // NOTE(review): defaults to a fixed UUID here, but apiFetch.ts/apollo.ts default the same env var to "" and then send no x-tenant-id — confirm
+    "https://grainguard/tenant_id": insecureTenantId,
+    "https://grainguard.com/roles": ["admin", "superadmin"], // NOTE(review): grants superadmin in the UI — confirm this is intended
+    "https://grainguard/roles": ["admin", "superadmin"],
+  };
+
+  return {
+    ...initialContext,
+    isAuthenticated: true,
+    isLoading: false,
+    user,
+    getAccessTokenSilently: async () => token!, // token is always assigned above, hence the non-null assertion
+    getAccessTokenWithPopup: async () => token!,
+    getIdTokenClaims: async () => undefined,
+    loginWithRedirect: async () => undefined, // login calls are no-ops in this mode
+    loginWithPopup: async () => undefined,
+    logout: async () => { // drops the stored token, then reloads at "/"
+      window.localStorage.removeItem(INSECURE_TOKEN_KEY);
+      window.location.assign("/");
+    },
+    handleRedirectCallback: async () => ({ appState: {} }),
+  };
+}
+
 export function Auth0ProviderWithNavigate({ children }: Props) {
   const navigate = useNavigate();
+  const e2eContextValue = getE2EContextValue();
+  const insecureContextValue = getInsecureContextValue();
+
+  if (e2eContextValue) {
+    return (
+      <Auth0Context.Provider value={e2eContextValue as unknown as typeof initialContext}>
+        {children}
+      </Auth0Context.Provider>
+    );
+  }
+
+  if (insecureContextValue) {
+    return (
+      <Auth0Context.Provider value={insecureContextValue as unknown as typeof initialContext}>
+        {children}
+      </Auth0Context.Provider>
+    );
+  }
 
   return (
     <Auth0Provider
diff --git a/apps/gateway/src/cache/redis.ts b/apps/gateway/src/cache/redis.ts
index d9787d7..bedab9f 100644
--- a/apps/gateway/src/cache/redis.ts
+++ b/apps/gateway/src/cache/redis.ts
@@ -3,6 +3,7 @@ import Redis from "ioredis";
 export const redis = new Redis({
   host: process.env.REDIS_HOST || "redis",
   port: Number(process.env.REDIS_PORT) || 6379,
+  password: process.env.REDIS_PASSWORD || undefined,
 });
 
 redis.on("connect", () => {
diff --git a/apps/gateway/src/database/db.ts b/apps/gateway/src/database/db.ts
index 64e6f47..f6603b0 100644
--- a/apps/gateway/src/database/db.ts
+++ b/apps/gateway/src/database/db.ts
@@ -1,5 +1,25 @@
 import { Pool } from "pg";
 
+function shouldUseTls(connectionString: string | undefined): boolean {
+  const enforcingSslMode = /sslmode=(require|verify-ca|verify-full)/i; // sslmode values that demand TLS
+  return connectionString ? enforcingSslMode.test(connectionString) : false;
+}
+
+function buildPoolConfig(connectionString: string | undefined, envVar: string) {
+  // Without an enforcing sslmode in the URL, no ssl key is emitted at all.
+  if (!shouldUseTls(connectionString)) {
+    return { connectionString };
+  }
+  // Certificate verification stays on unless process.env[envVar] is exactly "false".
+  const verifyCertificate = process.env[envVar] !== "false";
+  return {
+    connectionString,
+    ssl: {
+      rejectUnauthorized: verifyCertificate,
+    },
+  };
+}
+
 function buildWriteConnectionString(): string {
   if (process.env.WRITE_DATABASE_URL) {
     return process.env.WRITE_DATABASE_URL;
@@ -19,13 +39,18 @@ function buildWriteConnectionString(): string {
 }
 
 export const pool = new Pool({
-  connectionString:
+  ...buildPoolConfig(
     process.env.READ_DATABASE_URL ||
-    "postgres://postgres:postgres@postgres-read:5432/grainguard_read",
+      "postgres://postgres:postgres@postgres-read:5432/grainguard_read",
+    "READ_DB_SSL_REJECT_UNAUTHORIZED"
+  ),
 });
 
 export const writePool = new Pool({
-  connectionString: buildWriteConnectionString(),
+  ...buildPoolConfig(
+    buildWriteConnectionString(),
+    "WRITE_DB_SSL_REJECT_UNAUTHORIZED"
+  ),
 });
 
 pool.on("connect", () => {
diff --git a/apps/gateway/src/routes/__tests__/account.test.ts b/apps/gateway/src/routes/__tests__/account.test.ts
index 41facac..e3fd306 100644
--- a/apps/gateway/src/routes/__tests__/account.test.ts
+++ b/apps/gateway/src/routes/__tests__/account.test.ts
@@ -75,12 +75,9 @@ describe("DELETE /account/me", () => {
       .mockResolvedValueOnce(undefined as any) // BEGIN
       .mockResolvedValueOnce({ rows: [{ id: "a1" }] } as any) // only admin
       .mockResolvedValueOnce({ rows: [{ id: "u1", role: "admin" }] } as any) // user
-      .mockResolvedValueOnce(undefined as any) // DELETE invites
-      .mockResolvedValueOnce(undefined as any) // DELETE api_keys
-      .mockResolvedValueOnce(undefined as any) // DELETE alert_rules
-      .mockResolvedValueOnce(undefined as any) // DELETE audit_events
+      .mockResolvedValueOnce(undefined as any) // DELETE telemetry_readings
       .mockResolvedValueOnce(undefined as any) // DELETE devices
-      .mockResolvedValueOnce(undefined as any) // DELETE tenant_users
+      .mockResolvedValueOnce({ rows: [{ count: 0 }] } as any) // COUNT audit_events
       .mockResolvedValueOnce(undefined as any) // DELETE tenants
       .mockResolvedValueOnce(undefined as any); // COMMIT
 
@@ -88,6 +85,22 @@ describe("DELETE /account/me", () => {
     expect(res.status).toBe(200);
     expect(res.body.scope).toBe("tenant");
   });
+
+  it("reports retained immutable audit events when present", async () => {
+    mockPool.query
+      .mockResolvedValueOnce(undefined as any) // BEGIN
+      .mockResolvedValueOnce({ rows: [{ id: "a1" }] } as any) // only admin
+      .mockResolvedValueOnce({ rows: [{ id: "u1", role: "admin" }] } as any) // user
+      .mockResolvedValueOnce(undefined as any) // DELETE telemetry_readings
+      .mockResolvedValueOnce(undefined as any) // DELETE devices
+      .mockResolvedValueOnce({ rows: [{ count: 3 }] } as any) // COUNT audit_events
+      .mockResolvedValueOnce(undefined as any) // DELETE tenants
+      .mockResolvedValueOnce(undefined as any); // COMMIT
+
+    const res = await request(app).delete("/account/me");
+    expect(res.status).toBe(200);
+    expect(res.body.message).toContain("Immutable audit events");
+  });
 });
 
 describe("GET /account/export", () => {
diff --git a/apps/gateway/src/routes/__tests__/sso.test.ts b/apps/gateway/src/routes/__tests__/sso.test.ts
index ce3b971..a2a69c4 100644
--- a/apps/gateway/src/routes/__tests__/sso.test.ts
+++ b/apps/gateway/src/routes/__tests__/sso.test.ts
@@ -22,12 +22,14 @@ jest.mock("../../lib/auth0Management", () => ({
 
 import { ssoRouter } from "../sso";
 import { writePool as pool } from "../../database/db";
+import { listOrgConnections } from "../../lib/auth0Management";
 
 const app = express();
 app.use(express.json());
 app.use(ssoRouter);
 
 const mockPool = pool as unknown as { query: jest.Mock };
+const mockListOrgConnections = listOrgConnections as jest.Mock;
 
 describe("GET /tenants/me/sso", () => {
   it("returns unconfigured state when no org exists", async () => {
@@ -44,6 +46,16 @@ describe("GET /tenants/me/sso", () => {
     expect(res.body.configured).toBe(true);
     expect(res.body.connections).toHaveLength(1);
   });
+
+  it("returns a soft warning when Auth0 management is unavailable", async () => {
+    mockPool.query.mockResolvedValue({ rows: [{ auth0_org_id: "org-123" }] } as any);
+    mockListOrgConnections.mockRejectedValueOnce(new Error("SSO not configured"));
+    const res = await request(app).get("/tenants/me/sso");
+    expect(res.status).toBe(200);
+    expect(res.body.configured).toBe(true);
+    expect(res.body.connections).toEqual([]);
+    expect(res.body.warning).toContain("Auth0 management API");
+  });
 });
 
 describe("POST /tenants/me/sso/org", () => {
diff --git a/apps/gateway/src/routes/account.ts b/apps/gateway/src/routes/account.ts
index c2de51f..6bbb572 100644
--- a/apps/gateway/src/routes/account.ts
+++ b/apps/gateway/src/routes/account.ts
@@ -5,13 +5,12 @@ import { writePool as pool } from "../database/db";
 
 export const accountRouter = Router();
 
-accountRouter.use(apiRateLimiter);
-
 // ── GET /account/me ─────────────────────────────────────────────────────────
 // Returns the current user's profile and tenant info.
 accountRouter.get(
   "/account/me",
   authMiddleware,
+  apiRateLimiter,
   async (req: Request, res: Response) => {
     const tenantId = req.user!.tenantId;
     const userId = req.user!.sub;
@@ -47,6 +46,7 @@ accountRouter.get(
 accountRouter.delete(
   "/account/me",
   authMiddleware,
+  apiRateLimiter,
   async (req: Request, res: Response) => {
     const tenantId = req.user!.tenantId;
     const userId = req.user!.sub;
@@ -76,17 +76,37 @@ accountRouter.delete(
         admins.length === 1;
 
       if (isLastAdmin) {
-        // Delete the entire tenant and all associated data
-        await client.query("DELETE FROM tenant_invites WHERE tenant_id = $1", [tenantId]);
-        await client.query("DELETE FROM api_keys WHERE tenant_id = $1", [tenantId]);
-        await client.query("DELETE FROM alert_rules WHERE tenant_id = $1", [tenantId]);
-        await client.query("DELETE FROM audit_events WHERE tenant_id = $1", [tenantId]);
+        // Delete tenant-owned device data first because telemetry_readings
+        // references devices without ON DELETE CASCADE.
+        await client.query(
+          `DELETE FROM telemetry_readings tr
+           USING devices d
+           WHERE tr.device_id = d.id
+             AND d.tenant_id = $1`,
+          [tenantId]
+        );
         await client.query("DELETE FROM devices WHERE tenant_id = $1", [tenantId]);
-        await client.query("DELETE FROM tenant_users WHERE tenant_id = $1", [tenantId]);
+
+        const { rows: auditEventRows } = await client.query(
+          "SELECT COUNT(*)::int AS count FROM audit_events WHERE tenant_id = $1",
+          [tenantId]
+        );
+
+        // Most tenant-linked tables cascade from tenants, so deleting the
+        // tenant removes them automatically. Immutable audit_events are
+        // intentionally retained for compliance and cannot be deleted.
         await client.query("DELETE FROM tenants WHERE id = $1", [tenantId]);
 
         await client.query("COMMIT");
-        return res.json({ deleted: true, scope: "tenant", message: "Tenant and all data deleted" });
+        const immutableAuditEvents = auditEventRows[0]?.count ?? 0;
+        return res.json({
+          deleted: true,
+          scope: "tenant",
+          message:
+            immutableAuditEvents > 0
+              ? "Tenant deleted. Immutable audit events were retained for compliance."
+              : "Tenant and all mutable data deleted",
+        });
       }
 
       // Just remove this user from the tenant
@@ -112,34 +132,40 @@ accountRouter.delete(
 accountRouter.get(
   "/account/export",
   authMiddleware,
+  apiRateLimiter,
   async (req: Request, res: Response) => {
-    const tenantId = req.user!.tenantId;
-
-    const [tenantResult, usersResult, devicesResult, alertsResult, auditResult, keysResult] =
-      await Promise.all([
-        pool.query("SELECT id, name, slug, plan, email, created_at FROM tenants WHERE id = $1", [tenantId]),
-        pool.query("SELECT id, email, role, created_at FROM tenant_users WHERE tenant_id = $1", [tenantId]),
-        pool.query("SELECT id, serial_number, created_at FROM devices WHERE tenant_id = $1", [tenantId]),
-        pool.query("SELECT id, name, metric, operator, threshold, enabled, created_at FROM alert_rules WHERE tenant_id = $1", [tenantId]),
-        pool.query("SELECT id, event_type, actor_id, resource_type, payload, created_at FROM audit_events WHERE tenant_id = $1 ORDER BY created_at DESC LIMIT 1000", [tenantId]),
-        pool.query("SELECT id, name, created_at, expires_at, revoked_at FROM api_keys WHERE tenant_id = $1", [tenantId]),
-      ]);
-
-    const exportData = {
-      exportedAt: new Date().toISOString(),
-      tenant: tenantResult.rows[0] || null,
-      users: usersResult.rows,
-      devices: devicesResult.rows,
-      alertRules: alertsResult.rows,
-      auditEvents: auditResult.rows,
-      apiKeys: keysResult.rows,
-    };
-
-    res.setHeader("Content-Type", "application/json");
-    res.setHeader(
-      "Content-Disposition",
-      `attachment; filename="grainguard-export-${tenantId}-${new Date().toISOString().slice(0, 10)}.json"`
-    );
-    return res.json(exportData);
+    try {
+      const tenantId = req.user!.tenantId;
+
+      const [tenantResult, usersResult, devicesResult, alertsResult, auditResult, keysResult] =
+        await Promise.all([
+          pool.query("SELECT id, name, slug, plan, email, created_at FROM tenants WHERE id = $1", [tenantId]),
+          pool.query("SELECT id, email, role, created_at FROM tenant_users WHERE tenant_id = $1", [tenantId]),
+          pool.query("SELECT id, serial_number, created_at FROM devices WHERE tenant_id = $1", [tenantId]),
+          pool.query("SELECT id, name, metric, operator, threshold, enabled, created_at FROM alert_rules WHERE tenant_id = $1", [tenantId]),
+          pool.query("SELECT id, event_type, actor_id, resource_type, payload, created_at FROM audit_events WHERE tenant_id = $1 ORDER BY created_at DESC LIMIT 1000", [tenantId]),
+          pool.query("SELECT id, name, created_at, expires_at, revoked_at FROM api_keys WHERE tenant_id = $1", [tenantId]),
+        ]);
+
+      const exportData = {
+        exportedAt: new Date().toISOString(),
+        tenant: tenantResult.rows[0] || null,
+        users: usersResult.rows,
+        devices: devicesResult.rows,
+        alertRules: alertsResult.rows,
+        auditEvents: auditResult.rows,
+        apiKeys: keysResult.rows,
+      };
+
+      res.setHeader("Content-Type", "application/json");
+      res.setHeader(
+        "Content-Disposition",
+        `attachment; filename="grainguard-export-${tenantId}-${new Date().toISOString().slice(0, 10)}.json"`
+      );
+      return res.json(exportData);
+    } catch (err) {
+      console.error("[account] export error:", err);
+      return res.status(500).json({ error: "internal_error" });
+    }
   }
 );
diff --git a/apps/gateway/src/routes/sso.ts b/apps/gateway/src/routes/sso.ts
index 9eb830d..39734a4 100644
--- a/apps/gateway/src/routes/sso.ts
+++ b/apps/gateway/src/routes/sso.ts
@@ -43,9 +43,19 @@ ssoRouter.get(
     }
 
     const orgId = rows[0].auth0_org_id;
-    const connections = await listOrgConnections(orgId);
-
-    return res.json({ configured: true, orgId, connections });
+    try {
+      const connections = await listOrgConnections(orgId);
+
+      return res.json({ configured: true, orgId, connections });
+    } catch (error) {
+      console.error("[sso] failed to list org connections:", error);
+      return res.json({
+        configured: true,
+        orgId,
+        connections: [],
+        warning: "Auth0 management API is unavailable for the gateway right now.",
+      });
+    }
   }
 );
 
diff --git a/apps/gateway/src/server.ts b/apps/gateway/src/server.ts
index 173175c..59a2962 100644
--- a/apps/gateway/src/server.ts
+++ b/apps/gateway/src/server.ts
@@ -36,8 +36,20 @@ const ALLOWED_ORIGINS = (
   .split(",")
   .map((o) => o.trim());
 
-const BFF_HOST = "grainguard-bff";
-const BFF_PORT = 4000;
+function isAllowedOrigin(origin: string): boolean {
+  // Exact entries match verbatim; entries containing "*" are treated as globs.
+  for (const entry of ALLOWED_ORIGINS) {
+    if (entry === origin) return true;
+    if (entry.indexOf("*") === -1) continue;
+    const escaped = entry.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
+    const glob = new RegExp("^" + escaped.replace(/\*/g, ".*") + "$");
+    if (glob.test(origin)) return true;
+  }
+  return false;
+}
+
+const BFF_HOST = process.env.BFF_HOST || "grainguard-bff";
+const BFF_PORT = parseInt(process.env.BFF_PORT || "4000", 10);
 
 /**
  * Helmet
@@ -69,7 +81,7 @@ app.use(
   cors({
     origin: (origin, cb) => {
       if (!origin) return cb(null, true);
-      if (ALLOWED_ORIGINS.includes(origin)) return cb(null, true);
+      if (isAllowedOrigin(origin)) return cb(null, true);
       return cb(new Error(`CORS blocked for ${origin}`));
     },
     credentials: true,
@@ -105,6 +117,12 @@ app.use((req: Request, _res: Response, next: NextFunction) => {
   next();
 });
 
+app.get("/health", (_req, res) => {
+  res.json({ status: "ok" });
+});
+
+app.get("/metrics", metricsHandler());
+
 /**
  * GraphQL Reverse Proxy — manual node http proxy (bypasses hpm v3 issues)
  */
@@ -231,12 +249,6 @@ app.get(
   }
 );
 
-app.get("/health", (_req, res) => {
-  res.json({ status: "ok" });
-});
-
-app.get("/metrics", metricsHandler());
-
 process.on("SIGTERM", async () => {
   await redis.quit();
   await pool.end();
diff --git a/apps/gateway/src/services/device.ts b/apps/gateway/src/services/device.ts
index 309f8dd..c6f1a2b 100644
--- a/apps/gateway/src/services/device.ts
+++ b/apps/gateway/src/services/device.ts
@@ -8,9 +8,22 @@ import fs from "fs";
    📦 Load Proto
 ========================================= */
 
-const protoPath = fs.existsSync("/app/libs/proto/device.proto")
-  ? "/app/libs/proto/device.proto"
-  : path.resolve(__dirname, "../../libs/proto/device.proto");
+const protoCandidates = [ // probed in order; the first existing path wins
+  path.resolve(process.cwd(), "libs/proto/device.proto"), // relative to the process working directory
+  path.resolve(__dirname, "../../libs/proto/device.proto"), // two levels above this module's directory
+  path.resolve(__dirname, "../../../libs/proto/device.proto"), // three levels above
+  path.resolve(__dirname, "../../../../libs/proto/device.proto"), // four levels above
+  "/app/libs/proto/device.proto", // fixed absolute location
+  "/libs/proto/device.proto", // fixed absolute location at the filesystem root
+];
+
+const protoPath = protoCandidates.find((candidate) => fs.existsSync(candidate)); // undefined when no candidate exists
+
+if (!protoPath) { // stop before the proto is loaded below, listing every path that was probed
+  throw new Error(
+    `device.proto not found; checked: ${protoCandidates.join(", ")}`
+  );
+}
 
 const packageDefinition = protoLoader.loadSync(protoPath, {
   keepCase: true,
diff --git a/apps/read-model-builder/cmd/main.go b/apps/read-model-builder/cmd/main.go
index a380c25..1c05a83 100644
--- a/apps/read-model-builder/cmd/main.go
+++ b/apps/read-model-builder/cmd/main.go
@@ -96,6 +96,7 @@ func main() {
 
 	redisClient := redis.NewUniversalClient(&redis.UniversalOptions{
 		Addrs:          addrs,
+		Password:       os.Getenv("REDIS_PASSWORD"),
 		PoolSize:       getenvInt("REDIS_POOL_SIZE", 20),
 		MinIdleConns:   5,
 		ReadTimeout:    2 * time.Second,
@@ -198,4 +199,3 @@ func main() {
 	wg.Wait()
 	log.Info().Msg("all consumers drained — exiting")
 }
-
diff --git a/apps/read-model-builder/migrations/000002_add_rls_tenant_isolation.up.sql b/apps/read-model-builder/migrations/000002_add_rls_tenant_isolation.up.sql
index 7a0193a..551ab20 100644
--- a/apps/read-model-builder/migrations/000002_add_rls_tenant_isolation.up.sql
+++ b/apps/read-model-builder/migrations/000002_add_rls_tenant_isolation.up.sql
@@ -5,18 +5,43 @@
 
 -- Enable RLS on telemetry tables
 ALTER TABLE device_telemetry_latest ENABLE ROW LEVEL SECURITY;
-ALTER TABLE device_telemetry_history ENABLE ROW LEVEL SECURITY;
 ALTER TABLE device_projections ENABLE ROW LEVEL SECURITY;
 
+DO $$
+BEGIN
+  IF EXISTS (
+    SELECT 1
+    FROM information_schema.tables
+    WHERE table_schema = 'public'
+      AND table_name = 'device_telemetry_history'
+  ) THEN
+    ALTER TABLE device_telemetry_history ENABLE ROW LEVEL SECURITY;
+  END IF;
+END
+$$;
+
 -- Create tenant-scoped role for application queries
 -- The app sets this variable before each query
 CREATE POLICY tenant_isolation_telemetry_latest
   ON device_telemetry_latest
   USING (tenant_id = current_setting('app.current_tenant_id')::uuid);
 
-CREATE POLICY tenant_isolation_telemetry_history
-  ON device_telemetry_history
-  USING (tenant_id = current_setting('app.current_tenant_id')::uuid);
+DO $$
+BEGIN
+  IF EXISTS (
+    SELECT 1
+    FROM information_schema.tables
+    WHERE table_schema = 'public'
+      AND table_name = 'device_telemetry_history'
+  ) THEN
+    EXECUTE $policy$
+      CREATE POLICY tenant_isolation_telemetry_history
+        ON device_telemetry_history
+        USING (tenant_id = current_setting('app.current_tenant_id')::uuid)
+    $policy$;
+  END IF;
+END
+$$;
 
 CREATE POLICY tenant_isolation_device_projections
   ON device_projections
@@ -32,10 +57,22 @@ END
 $$;
 
 GRANT SELECT, INSERT, UPDATE ON device_telemetry_latest TO grainguard_app;
-GRANT SELECT, INSERT ON device_telemetry_history TO grainguard_app;
 GRANT SELECT ON device_projections TO grainguard_app;
 GRANT SELECT, INSERT ON processed_events TO grainguard_app;
 
+DO $$
+BEGIN
+  IF EXISTS (
+    SELECT 1
+    FROM information_schema.tables
+    WHERE table_schema = 'public'
+      AND table_name = 'device_telemetry_history'
+  ) THEN
+    GRANT SELECT, INSERT ON device_telemetry_history TO grainguard_app;
+  END IF;
+END
+$$;
+
 -- Superuser (postgres) bypasses RLS by default — this is intentional
 -- for migrations and admin operations
 -- Application connections use grainguard_app role which is subject to RLS
diff --git a/infra/docker/docker-compose.yml b/infra/docker/docker-compose.yml
index 2be16a9..e31013c 100644
--- a/infra/docker/docker-compose.yml
+++ b/infra/docker/docker-compose.yml
@@ -557,6 +557,8 @@ services:
       dockerfile: apps/gateway/Dockerfile
     container_name: grainguard-gateway
     restart: unless-stopped
+    env_file:
+      - ../../.env
     volumes:
       - ../certs:/certs
     environment:
@@ -578,17 +580,6 @@ services:
       WRITE_DB_NAME: grainguard
       WRITE_DB_USER: postgres
       WRITE_DB_PASSWORD: postgres
-      # Stripe — override via root .env
-      STRIPE_SECRET_KEY: "${STRIPE_SECRET_KEY:-sk_test_placeholder}"
-      STRIPE_WEBHOOK_SECRET: "${STRIPE_WEBHOOK_SECRET:-whsec_placeholder}"
-      STRIPE_PRICE_STARTER: "${STRIPE_PRICE_STARTER:-price_starter_placeholder}"
-      STRIPE_PRICE_PROFESSIONAL: "${STRIPE_PRICE_PROFESSIONAL:-price_pro_placeholder}"
-      STRIPE_PRICE_ENTERPRISE: "${STRIPE_PRICE_ENTERPRISE:-price_enterprise_placeholder}"
-      # Auth0 M2M — override via root .env
-      AUTH0_DOMAIN: "${AUTH0_DOMAIN:-dev-dz6bl3nngdeib7ro.us.auth0.com}"
-      AUTH0_MANAGEMENT_CLIENT_ID: "${AUTH0_MANAGEMENT_CLIENT_ID:-}"
-      AUTH0_MANAGEMENT_CLIENT_SECRET: "${AUTH0_MANAGEMENT_CLIENT_SECRET:-}"
-      AUTH0_M2M_AUDIENCE: "${AUTH0_MANAGEMENT_AUDIENCE:-https://dev-dz6bl3nngdeib7ro.us.auth0.com/api/v2/}"
     depends_on:
       redis:
         condition: service_started
@@ -620,11 +611,12 @@ services:
     container_name: grainguard-grafana
     ports:
       - "3000:3000"
+    env_file:
+      - ../../.env
     environment:
       - GF_SECURITY_ADMIN_PASSWORD=admin
       - GF_USERS_ALLOW_SIGN_UP=false
       - GF_UNIFIED_ALERTING_ENABLED=true
-      - SLACK_WEBHOOK_URL=${SLACK_WEBHOOK_URL:-https://hooks.slack.com/services/YOUR/SLACK/WEBHOOK}
     volumes:
       - grafana-data:/var/lib/grafana
       - ./grafana/provisioning:/etc/grafana/provisioning
@@ -764,12 +756,11 @@ services:
       dockerfile: apps/jobs-worker/Dockerfile
     container_name: grainguard-jobs-worker
     restart: unless-stopped
+    env_file:
+      - ../../.env
     environment:
       RABBITMQ_URL: amqp://grainguard:grainguard@rabbitmq:5672/grainguard
       DATABASE_URL: postgres://postgres:postgres@pgbouncer-write:5432/grainguard?sslmode=disable
-      # Set RESEND_API_KEY and EMAIL_FROM via root .env to enable real email delivery
-      RESEND_API_KEY: "${RESEND_API_KEY:-}"
-      EMAIL_FROM: "${EMAIL_FROM:-GrainGuard <noreply@grainguard.com>}"
     depends_on:
       rabbitmq:
         condition: service_healthy
diff --git a/infra/terraform/environments/dev/main.tf b/infra/terraform/environments/dev/main.tf
index e3ce892..489e678 100644
--- a/infra/terraform/environments/dev/main.tf
+++ b/infra/terraform/environments/dev/main.tf
@@ -65,7 +65,7 @@ module "iam_irsa" {
   environment             = "dev"
   oidc_issuer_url         = module.eks.oidc_issuer_url
   oidc_provider_arn       = module.eks.oidc_provider_arn
-  k8s_namespace           = "grainguard"
+  k8s_namespace           = "grainguard-dev"
   secrets_read_policy_arn = module.secrets_manager.secrets_read_policy_arn
   dynamodb_table_arns     = module.dynamodb.all_table_arns
 }
diff --git a/infra/terraform/environments/staging/.gitignore b/infra/terraform/environments/staging/.gitignore
new file mode 100644
index 0000000..1c99dc1
--- /dev/null
+++ b/infra/terraform/environments/staging/.gitignore
@@ -0,0 +1 @@
+.terraform/
diff --git a/infra/terraform/environments/staging/.terraform.lock.hcl b/infra/terraform/environments/staging/.terraform.lock.hcl
new file mode 100644
index 0000000..8ae2b79
--- /dev/null
+++ b/infra/terraform/environments/staging/.terraform.lock.hcl
@@ -0,0 +1,45 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/aws" {
+  version     = "5.100.0"
+  constraints = "~> 5.0"
+  hashes = [
+    "h1:Ijt7pOlB7Tr7maGQIqtsLFbl7pSMIj06TVdkoSBcYOw=",
+    "zh:054b8dd49f0549c9a7cc27d159e45327b7b65cf404da5e5a20da154b90b8a644",
+    "zh:0b97bf8d5e03d15d83cc40b0530a1f84b459354939ba6f135a0086c20ebbe6b2",
+    "zh:1589a2266af699cbd5d80737a0fe02e54ec9cf2ca54e7e00ac51c7359056f274",
+    "zh:6330766f1d85f01ae6ea90d1b214b8b74cc8c1badc4696b165b36ddd4cc15f7b",
+    "zh:7c8c2e30d8e55291b86fcb64bdf6c25489d538688545eb48fd74ad622e5d3862",
+    "zh:99b1003bd9bd32ee323544da897148f46a527f622dc3971af63ea3e251596342",
+    "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
+    "zh:9f8b909d3ec50ade83c8062290378b1ec553edef6a447c56dadc01a99f4eaa93",
+    "zh:aaef921ff9aabaf8b1869a86d692ebd24fbd4e12c21205034bb679b9caf883a2",
+    "zh:ac882313207aba00dd5a76dbd572a0ddc818bb9cbf5c9d61b28fe30efaec951e",
+    "zh:bb64e8aff37becab373a1a0cc1080990785304141af42ed6aa3dd4913b000421",
+    "zh:dfe495f6621df5540d9c92ad40b8067376350b005c637ea6efac5dc15028add4",
+    "zh:f0ddf0eaf052766cfe09dea8200a946519f653c384ab4336e2a4a64fdd6310e9",
+    "zh:f1b7e684f4c7ae1eed272b6de7d2049bb87a0275cb04dbb7cda6636f600699c9",
+    "zh:ff461571e3f233699bf690db319dfe46aec75e58726636a0d97dd9ac6e32fb70",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/tls" {
+  version     = "4.2.1"
+  constraints = "~> 4.0"
+  hashes = [
+    "h1:akFNuHwvrtnYMBofieoeXhPJDhYZzJVu/Q/BgZK2fgg=",
+    "zh:0d1e7d07ac973b97fa228f46596c800de830820506ee145626f079dd6bbf8d8a",
+    "zh:5c7e3d4348cb4861ab812973ef493814a4b224bdd3e9d534a7c8a7c992382b86",
+    "zh:7c6d4a86cd7a4e9c1025c6b3a3a6a45dea202af85d870cddbab455fb1bd568ad",
+    "zh:7d0864755ba093664c4b2c07c045d3f5e3d7c799dda1a3ef33d17ed1ac563191",
+    "zh:83734f57950ab67c0d6a87babdb3f13c908cbe0a48949333f489698532e1391b",
+    "zh:951e3c285218ebca0cf20eaa4265020b4ef042fea9c6ade115ad1558cfe459e5",
+    "zh:b9543955b4297e1d93b85900854891c0e645d936d8285a190030475379c5c635",
+    "zh:bb1bd9e86c003d08c30c1b00d44118ed5bbbf6b1d2d6f7eaac4fa5c6ebea5933",
+    "zh:c9477bfe00653629cd77ddac3968475f7ad93ac3ca8bc45b56d1d9efb25e4a6e",
+    "zh:d4cfda8687f736d0cba664c22ec49dae1188289e214ef57f5afe6a7217854fed",
+    "zh:dc77ee066cf96532a48f0578c35b1eaf6dc4d8ddd0e3ae8e029a3b10676dd5d3",
+    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+  ]
+}
diff --git a/infra/terraform/environments/staging/main.tf b/infra/terraform/environments/staging/main.tf
new file mode 100644
index 0000000..84434c4
--- /dev/null
+++ b/infra/terraform/environments/staging/main.tf
@@ -0,0 +1,79 @@
+module "vpc" { # staging network; its vpc_id and private subnets feed the modules below
+  source             = "../../modules/vpc"
+  project            = var.project
+  environment        = "staging"
+  vpc_cidr           = "10.10.0.0/16" # the same literal is passed to the rds, elasticache and msk modules
+  availability_zones = ["${var.aws_region}a", "${var.aws_region}b"] # follow the provider region; the default us-east-1 still yields us-east-1a/b
+}
+
+module "eks" {
+  source             = "../../modules/eks"
+  project            = var.project
+  environment        = "staging"
+  private_subnet_ids = module.vpc.private_subnet_ids
+  instance_type      = "t3.large"
+  desired_nodes      = 2
+}
+
+module "rds" {
+  source             = "../../modules/rds"
+  project            = var.project
+  environment        = "staging"
+  vpc_id             = module.vpc.vpc_id
+  vpc_cidr           = "10.10.0.0/16"
+  private_subnet_ids = module.vpc.private_subnet_ids
+  instance_class     = "db.t3.medium"
+  db_password        = var.db_password
+}
+
+module "elasticache" {
+  source             = "../../modules/elasticache"
+  project            = var.project
+  environment        = "staging"
+  vpc_id             = module.vpc.vpc_id
+  vpc_cidr           = "10.10.0.0/16"
+  private_subnet_ids = module.vpc.private_subnet_ids
+  node_type          = "cache.t3.small"
+}
+
+module "msk" {
+  source             = "../../modules/msk"
+  project            = var.project
+  environment        = "staging"
+  vpc_id             = module.vpc.vpc_id
+  vpc_cidr           = "10.10.0.0/16"
+  private_subnet_ids = module.vpc.private_subnet_ids
+  instance_type      = "kafka.t3.small"
+}
+
+module "dynamodb" {
+  source                      = "../../modules/dynamodb"
+  project                     = var.project
+  environment                 = "staging"
+  create_terraform_lock_table = false
+}
+
+module "secrets_manager" {
+  source      = "../../modules/secrets_manager"
+  project     = var.project
+  environment = "staging"
+}
+
+module "iam_irsa" {
+  source                  = "../../modules/iam_irsa"
+  project                 = var.project
+  environment             = "staging"
+  oidc_issuer_url         = module.eks.oidc_issuer_url
+  oidc_provider_arn       = module.eks.oidc_provider_arn
+  k8s_namespace           = "grainguard-staging"
+  secrets_read_policy_arn = module.secrets_manager.secrets_read_policy_arn
+  dynamodb_table_arns     = module.dynamodb.all_table_arns
+}
+
+module "ecr" {
+  source            = "../../modules/ecr"
+  project           = var.project
+  environment       = "staging"
+  eks_node_role_arn = module.eks.node_role_arn
+  ci_role_arn       = module.iam_irsa.ci_push_role_arn
+}
diff --git a/infra/terraform/environments/staging/outputs.tf b/infra/terraform/environments/staging/outputs.tf
new file mode 100644
index 0000000..d8a7aa0
--- /dev/null
+++ b/infra/terraform/environments/staging/outputs.tf
@@ -0,0 +1,17 @@
+output "eks_cluster_name" { value = module.eks.cluster_name }
+output "eks_cluster_endpoint" { value = module.eks.cluster_endpoint }
+output "rds_endpoint" { value = module.rds.endpoint }
+output "redis_endpoint" { value = module.elasticache.primary_endpoint }
+output "kafka_brokers_tls" { value = module.msk.bootstrap_brokers_tls }
+output "kafka_brokers_sasl" { value = module.msk.bootstrap_brokers_sasl }
+output "ecr_repository_urls" { value = module.ecr.repository_urls }
+output "service_role_arns" { value = module.iam_irsa.service_role_arns }
+output "secret_names" { value = module.secrets_manager.secret_names }
+output "dynamodb_tables" {
+  value = {
+    feature_flags       = module.dynamodb.feature_flags_table_name
+    idempotency_keys    = module.dynamodb.idempotency_keys_table_name
+    rate_counters       = module.dynamodb.rate_counters_table_name
+    webhook_retry_state = module.dynamodb.webhook_retry_state_table_name
+  }
+}
diff --git a/infra/terraform/environments/staging/providers.tf b/infra/terraform/environments/staging/providers.tf
new file mode 100644
index 0000000..169532d
--- /dev/null
+++ b/infra/terraform/environments/staging/providers.tf
@@ -0,0 +1,25 @@
+terraform {
+  required_version = ">= 1.5.0"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+    tls = {
+      source  = "hashicorp/tls"
+      version = "~> 4.0"
+    }
+  }
+
+  backend "s3" {
+    bucket         = "grainguard-terraform-state"
+    key            = "environments/staging/terraform.tfstate"
+    region         = "us-east-1"
+    dynamodb_table = "grainguard-terraform-locks"
+    encrypt        = true
+  }
+}
+
+provider "aws" {
+  region = var.aws_region
+}
diff --git a/infra/terraform/environments/staging/variables.tf b/infra/terraform/environments/staging/variables.tf
new file mode 100644
index 0000000..3844676
--- /dev/null
+++ b/infra/terraform/environments/staging/variables.tf
@@ -0,0 +1,14 @@
+variable "project" {
+  type    = string
+  default = "grainguard"
+}
+
+variable "aws_region" {
+  type    = string
+  default = "us-east-1"
+}
+
+variable "db_password" {
+  type      = string
+  sensitive = true
+}
diff --git a/infra/terraform/modules/msk/main.tf b/infra/terraform/modules/msk/main.tf
index 499ed4c..1c7a1b9 100644
--- a/infra/terraform/modules/msk/main.tf
+++ b/infra/terraform/modules/msk/main.tf
@@ -53,11 +53,11 @@ resource "aws_cloudwatch_log_group" "msk" {
 resource "aws_msk_cluster" "main" {
   cluster_name           = "${var.project}-${var.environment}"
   kafka_version          = "3.6.0"
-  number_of_broker_nodes = var.environment == "prod" ? 3 : 1
+  number_of_broker_nodes = var.environment == "prod" ? 3 : 2
 
   broker_node_group_info {
     instance_type   = var.instance_type
-    client_subnets  = slice(var.private_subnet_ids, 0, var.environment == "prod" ? 3 : 1)
+    client_subnets  = slice(var.private_subnet_ids, 0, var.environment == "prod" ? 3 : 2)
     security_groups = [aws_security_group.msk.id]
 
     storage_info {
@@ -86,7 +86,7 @@ resource "aws_msk_cluster" "main" {
 
   open_monitoring {
     prometheus {
-      jmx_exporter  { enabled_in_broker = true }
+      jmx_exporter { enabled_in_broker = true }
       node_exporter { enabled_in_broker = true }
     }
   }
diff --git a/k8s/argocd/apps/grainguard-staging.yaml b/k8s/argocd/apps/grainguard-staging.yaml
new file mode 100644
index 0000000..5d19211
--- /dev/null
+++ b/k8s/argocd/apps/grainguard-staging.yaml
@@ -0,0 +1,36 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: grainguard-staging
+  namespace: argocd
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+  labels:
+    environment: staging
+spec:
+  project: grainguard
+  source:
+    repoURL: https://github.com/pahuldeepp/GrainGuard-.git
+    targetRevision: HEAD
+    path: k8s/helm/grainguard
+    helm:
+      valueFiles:
+        - values.yaml
+        - values-staging.yaml
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: grainguard-staging
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+      - ServerSideApply=true
+    retry:
+      limit: 4
+      backoff:
+        duration: 8s
+        factor: 2
+        maxDuration: 2m
+  revisionHistoryLimit: 7
diff --git a/k8s/argocd/project.yaml b/k8s/argocd/project.yaml
index 2a2e66c..35d8243 100644
--- a/k8s/argocd/project.yaml
+++ b/k8s/argocd/project.yaml
@@ -10,6 +10,8 @@ spec:
   destinations:
     - namespace: grainguard-dev
       server: https://kubernetes.default.svc
+    - namespace: grainguard-staging
+      server: https://kubernetes.default.svc
     - namespace: grainguard-prod
       server: https://kubernetes.default.svc
     - namespace: argocd
@@ -31,3 +33,8 @@ spec:
       policies:
         - p, proj:grainguard:prod-deployer, applications, sync, grainguard/grainguard-prod, allow
         - p, proj:grainguard:prod-deployer, applications, get,  grainguard/grainguard-prod, allow
+    - name: staging-deployer
+      description: Can sync staging for pre-production validation
+      policies:
+        - p, proj:grainguard:staging-deployer, applications, sync, grainguard/grainguard-staging, allow
+        - p, proj:grainguard:staging-deployer, applications, get,  grainguard/grainguard-staging, allow
diff --git a/k8s/helm/grainguard/templates/analysis-template.yaml b/k8s/helm/grainguard/templates/analysis-template.yaml
new file mode 100644
index 0000000..82d6b2b
--- /dev/null
+++ b/k8s/helm/grainguard/templates/analysis-template.yaml
@@ -0,0 +1,37 @@
+{{- /* Nil-safe lookups: a missing rollouts, rollouts.gateway or gateway.analysis key renders nothing instead of failing. */ -}}{{- $gatewayRollout := (index (.Values.rollouts | default dict) "gateway") | default dict }}{{- $analysis := $gatewayRollout.analysis | default dict }}
+{{- if and ($gatewayRollout.enabled | default false) (eq ($gatewayRollout.strategy | default "canary") "canary") ($analysis.enabled | default false) }}
+---
+apiVersion: argoproj.io/v1alpha1
+kind: AnalysisTemplate
+metadata:
+  name: {{ $analysis.templateName | default "gateway-slo" | quote }}
+  namespace: {{ .Values.namespace | quote }}
+spec:
+  metrics:
+    - name: gateway-success-rate
+      interval: 1m
+      count: 3
+      successCondition: result[0] >= 0.99  # share of non-5xx gateway requests must be at least 0.99
+      provider:
+        prometheus:
+          address: {{ $analysis.prometheusAddress | default "http://prometheus.monitoring.svc.cluster.local:9090" | quote }}
+          query: |
+            sum(rate(http_requests_total{service="gateway",status!~"5.."}[2m]))
+            /
+            sum(rate(http_requests_total{service="gateway"}[2m]))
+
+    - name: gateway-p95-latency
+      interval: 1m
+      count: 3
+      successCondition: result[0] <= 0.5  # 0.95 quantile of http_request_duration_seconds must not exceed 0.5
+      provider:
+        prometheus:
+          address: {{ $analysis.prometheusAddress | default "http://prometheus.monitoring.svc.cluster.local:9090" | quote }}
+          query: |
+            histogram_quantile(
+              0.95,
+              sum by (le) (
+                rate(http_request_duration_seconds_bucket{service="gateway"}[2m])
+              )
+            )
+{{- end }}
diff --git a/k8s/helm/grainguard/templates/deployment.yaml b/k8s/helm/grainguard/templates/deployment.yaml
index c56124b..aa71a98 100644
--- a/k8s/helm/grainguard/templates/deployment.yaml
+++ b/k8s/helm/grainguard/templates/deployment.yaml
@@ -1,5 +1,7 @@
 {{- range $name, $svc := .Values.services }}
 {{- if $svc.enabled }}
+{{- $rolloutCfg := (index $.Values.rollouts $name) | default dict }}
+{{- if not ($rolloutCfg.enabled | default false) }}
 {{- $rollingUpdate := $svc.rollingUpdate | default dict }}
 ---
 apiVersion: apps/v1
@@ -39,16 +41,19 @@ spec:
         - name: {{ $name }}
           image: "{{ $.Values.image.registry }}/{{ $name }}:{{ $svc.image.tag | default $.Values.image.tag }}"
           imagePullPolicy: {{ $.Values.image.pullPolicy }}
+          {{- $httpPort := int $svc.port }}
+          {{- $grpcPort := int ($svc.grpcPort | default 0) }}
+          {{- $healthPort := int ($svc.healthPort | default 0) }}
           ports:
             - name: http
               containerPort: {{ $svc.port }}
               protocol: TCP
-            {{- if $svc.grpcPort }}
+            {{- if and $svc.grpcPort (ne $grpcPort $httpPort) }}
             - name: grpc
               containerPort: {{ $svc.grpcPort }}
               protocol: TCP
             {{- end }}
-            {{- if $svc.healthPort }}
+            {{- if and $svc.healthPort (ne $healthPort $httpPort) (or (not $svc.grpcPort) (ne $healthPort $grpcPort)) }}
             - name: health
               containerPort: {{ $svc.healthPort }}
               protocol: TCP
@@ -71,6 +76,7 @@ spec:
               port: {{ $svc.healthPort | default $svc.port }}
             initialDelaySeconds: 15
             periodSeconds: 10
+            timeoutSeconds: {{ $svc.probeTimeoutSeconds | default 1 }}
             failureThreshold: 3
           readinessProbe:
             httpGet:
@@ -78,6 +84,7 @@ spec:
               port: {{ $svc.healthPort | default $svc.port }}
             initialDelaySeconds: 5
             periodSeconds: 5
+            timeoutSeconds: {{ $svc.probeTimeoutSeconds | default 1 }}
             failureThreshold: 3
           resources:
             requests:
@@ -88,3 +95,4 @@ spec:
               memory: {{ $svc.resources.limits.memory | default "256Mi" }}
 {{- end }}
 {{- end }}
+{{- end }}
diff --git a/k8s/helm/grainguard/templates/hpa.yaml b/k8s/helm/grainguard/templates/hpa.yaml
index 94907fe..6969fb9 100644
--- a/k8s/helm/grainguard/templates/hpa.yaml
+++ b/k8s/helm/grainguard/templates/hpa.yaml
@@ -1,5 +1,7 @@
 {{- range $name, $svc := .Values.services }}
 {{- if and $svc.enabled $svc.autoscaling.enabled }}
+{{- $rolloutCfg := (index $.Values.rollouts $name) | default dict }}
+{{- $rolloutEnabled := $rolloutCfg.enabled | default false }}
 ---
 apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
@@ -12,8 +14,13 @@ metadata:
     helm.sh/chart: {{ $.Chart.Name }}-{{ $.Chart.Version }}
 spec:
   scaleTargetRef:
+    {{- if $rolloutEnabled }}
+    apiVersion: argoproj.io/v1alpha1
+    kind: Rollout
+    {{- else }}
     apiVersion: apps/v1
     kind: Deployment
+    {{- end }}
     name: {{ $name }}
   minReplicas: {{ $svc.autoscaling.minReplicas | default 1 }}
   maxReplicas: {{ $svc.autoscaling.maxReplicas | default 5 }}
diff --git a/k8s/helm/grainguard/templates/rollout.yaml b/k8s/helm/grainguard/templates/rollout.yaml
new file mode 100644
index 0000000..8d066ab
--- /dev/null
+++ b/k8s/helm/grainguard/templates/rollout.yaml
@@ -0,0 +1,117 @@
+{{- $name := "gateway" }}
+{{- $svc := index .Values.services $name }}
+{{- $rollout := (index .Values.rollouts $name) | default dict }}
+{{- if and $svc.enabled ($rollout.enabled | default false) (eq ($rollout.strategy | default "canary") "canary") }}
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Rollout  # gateway only; rendered when the service and its rollout are both enabled and the strategy is canary
+metadata:
+  name: {{ $name }}
+  namespace: {{ .Values.namespace }}
+  labels:
+    app.kubernetes.io/name: {{ $name }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+spec:
+  replicas: {{ $svc.replicaCount | default 1 }}  # NOTE(review): hpa.yaml can point an HPA at this Rollout — confirm a fixed replica count here does not fight the autoscaler
+  selector:
+    matchLabels:  # the same two labels are set on the pod template metadata
+      app.kubernetes.io/name: {{ $name }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  strategy:
+    canary:
+      canaryService: {{ $name }}-canary
+      stableService: {{ $name }}
+      maxSurge: {{ $rollout.maxSurge | default 1 }}
+      maxUnavailable: {{ $rollout.maxUnavailable | default 0 }}
+      # No autoPromotionEnabled here: it is a blueGreen-only field. Gate a canary manually with a `pause: {}` step.
+      {{- if ($rollout.analysis | default dict).enabled }}
+      analysis:
+        templates:
+          - templateName: {{ $rollout.analysis.templateName | default "gateway-slo" }}
+      {{- end }}
+      steps:
+{{- if $rollout.steps }}
+{{ toYaml $rollout.steps | indent 8 }}
+{{- else }}
+        - setWeight: 5
+        - pause:
+            duration: 5m
+        - setWeight: 20
+        - pause:
+            duration: 10m
+        - setWeight: 50
+        - pause:
+            duration: 10m
+        - setWeight: 100
+{{- end }}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: {{ $name }}
+        app.kubernetes.io/instance: {{ .Release.Name }}
+      annotations:
+        prometheus.io/scrape: "true"
+        prometheus.io/port: {{ $svc.metricsPort | default $svc.port | quote }}  # metricsPort if set, otherwise the HTTP port
+    spec:
+      serviceAccountName: {{ $svc.serviceAccountName | default "default" }}
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+      containers:
+        - name: {{ $name }}
+          image: "{{ .Values.image.registry }}/{{ $name }}:{{ $svc.image.tag | default .Values.image.tag }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- $httpPort := int $svc.port }}
+          {{- $grpcPort := int ($svc.grpcPort | default 0) }}
+          {{- $healthPort := int ($svc.healthPort | default 0) }}
+          ports:  # the integer copies above are used only to avoid declaring the same port number twice
+            - name: http
+              containerPort: {{ $svc.port }}
+              protocol: TCP
+            {{- if and $svc.grpcPort (ne $grpcPort $httpPort) }}
+            - name: grpc  # only when grpcPort is set and differs from the HTTP port
+              containerPort: {{ $svc.grpcPort }}
+              protocol: TCP
+            {{- end }}
+            {{- if and $svc.healthPort (ne $healthPort $httpPort) (or (not $svc.grpcPort) (ne $healthPort $grpcPort)) }}
+            - name: health  # only when healthPort is set and differs from both the HTTP and gRPC ports
+              containerPort: {{ $svc.healthPort }}
+              protocol: TCP
+            {{- end }}
+          env:  # plain key/value pairs from svc.env first, then secret-backed entries from svc.envFromSecret
+            {{- range $key, $val := $svc.env }}
+            - name: {{ $key }}
+              value: {{ $val | quote }}
+            {{- end }}
+            {{- range $svc.envFromSecret }}
+            - name: {{ .name }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .secretName }}
+                  key: {{ .secretKey }}
+            {{- end }}
+          livenessProbe:
+            httpGet:
+              path: {{ $svc.healthPath | default "/health" }}
+              port: {{ $svc.healthPort | default $svc.port }}  # falls back to the HTTP port when no healthPort is set
+            initialDelaySeconds: 15
+            periodSeconds: 10
+            timeoutSeconds: {{ $svc.probeTimeoutSeconds | default 1 }}
+            failureThreshold: 3
+          readinessProbe:
+            httpGet:
+              path: {{ $svc.readinessPath | default $svc.healthPath | default "/health" }}  # readinessPath, else healthPath, else /health
+              port: {{ $svc.healthPort | default $svc.port }}  # falls back to the HTTP port when no healthPort is set
+            initialDelaySeconds: 5
+            periodSeconds: 5
+            timeoutSeconds: {{ $svc.probeTimeoutSeconds | default 1 }}
+            failureThreshold: 3
+          resources:
+            requests:
+              cpu: {{ $svc.resources.requests.cpu | default "100m" }}
+              memory: {{ $svc.resources.requests.memory | default "128Mi" }}
+            limits:
+              cpu: {{ $svc.resources.limits.cpu | default "500m" }}
+              memory: {{ $svc.resources.limits.memory | default "256Mi" }}
+{{- end }}
diff --git a/k8s/helm/grainguard/templates/service.yaml b/k8s/helm/grainguard/templates/service.yaml
index 5f23b6c..c051e8f 100644
--- a/k8s/helm/grainguard/templates/service.yaml
+++ b/k8s/helm/grainguard/templates/service.yaml
@@ -1,5 +1,8 @@
 {{- range $name, $svc := .Values.services }}
 {{- if $svc.enabled }}
+{{- $rolloutCfg := (index $.Values.rollouts $name) | default dict }}
+{{- $rolloutEnabled := $rolloutCfg.enabled | default false }}
+{{- if not $rolloutEnabled }}{{/* Every service without an enabled rollout gets the plain Service; strategy must not be tested here, otherwise gateway (default strategy "canary", rollout disabled) would get no Service at all. */}}
 ---
 apiVersion: v1
 kind: Service
@@ -26,5 +29,59 @@ spec:
       targetPort: {{ $svc.grpcPort }}
       protocol: TCP
     {{- end }}
+{{- else if and $rolloutEnabled (eq ($rolloutCfg.strategy | default "canary") "canary") (eq $name "gateway") }}{{/* Gateway canary rollout: render a stable Service and a "-canary" Service. */}}
+---
+apiVersion: v1
+kind: Service  # stable Service; its name matches the Rollout's stableService reference
+metadata:
+  name: {{ $name }}
+  namespace: {{ $.Values.namespace }}
+  labels:
+    app.kubernetes.io/name: {{ $name }}
+    app.kubernetes.io/instance: {{ $.Release.Name }}
+    helm.sh/chart: {{ $.Chart.Name }}-{{ $.Chart.Version }}
+spec:
+  type: {{ $svc.serviceType | default "ClusterIP" }}
+  selector:
+    app.kubernetes.io/name: {{ $name }}
+    app.kubernetes.io/instance: {{ $.Release.Name }}
+  ports:
+    - name: http
+      port: {{ $svc.port }}
+      targetPort: {{ $svc.port }}
+      protocol: TCP
+    {{- if $svc.grpcPort }}
+    - name: grpc
+      port: {{ $svc.grpcPort }}
+      targetPort: {{ $svc.grpcPort }}
+      protocol: TCP
+    {{- end }}
+---
+apiVersion: v1
+kind: Service  # canary Service; its name matches the Rollout's canaryService reference
+metadata:
+  name: {{ $name }}-canary
+  namespace: {{ $.Values.namespace }}
+  labels:
+    app.kubernetes.io/name: {{ $name }}
+    app.kubernetes.io/instance: {{ $.Release.Name }}
+    helm.sh/chart: {{ $.Chart.Name }}-{{ $.Chart.Version }}
+spec:
+  type: ClusterIP  # always cluster-internal, regardless of svc.serviceType
+  selector:  # identical to the stable selector; presumably the Argo Rollouts controller narrows each at runtime — TODO confirm
+    app.kubernetes.io/name: {{ $name }}
+    app.kubernetes.io/instance: {{ $.Release.Name }}
+  ports:
+    - name: http
+      port: {{ $svc.port }}
+      targetPort: {{ $svc.port }}
+      protocol: TCP
+    {{- if $svc.grpcPort }}
+    - name: grpc
+      port: {{ $svc.grpcPort }}
+      targetPort: {{ $svc.grpcPort }}
+      protocol: TCP
+    {{- end }}
+{{- end }}
 {{- end }}
 {{- end }}
diff --git a/k8s/helm/grainguard/values-dev.yaml b/k8s/helm/grainguard/values-dev.yaml
index 73acce5..b3183d3 100644
--- a/k8s/helm/grainguard/values-dev.yaml
+++ b/k8s/helm/grainguard/values-dev.yaml
@@ -1,3 +1,5 @@
+namespace: grainguard-dev
+
 # Dev environment overrides — lower replicas, no autoscaling
 image:
   tag: latest
diff --git a/k8s/helm/grainguard/values-prod.yaml b/k8s/helm/grainguard/values-prod.yaml
index b6ad562..21c3ebf 100644
--- a/k8s/helm/grainguard/values-prod.yaml
+++ b/k8s/helm/grainguard/values-prod.yaml
@@ -1,7 +1,18 @@
+namespace: grainguard-prod
+
 # Prod environment overrides — higher replicas, aggressive autoscaling
 image:
   pullPolicy: Always
 
+rollouts:
+  gateway:
+    enabled: true  # the chart then renders the gateway as an Argo Rollout instead of a Deployment
+    strategy: canary
+    autoPromotionEnabled: false  # NOTE(review): in Argo Rollouts this is a blueGreen field; the canary strategy spec has no such field — confirm it has any effect
+    analysis:
+      enabled: true  # also renders the AnalysisTemplate named below
+      templateName: gateway-slo
+
 services:
   gateway:
     replicaCount: 3
diff --git a/k8s/helm/grainguard/values-staging.yaml b/k8s/helm/grainguard/values-staging.yaml
new file mode 100644
index 0000000..59cd2e8
--- /dev/null
+++ b/k8s/helm/grainguard/values-staging.yaml
@@ -0,0 +1,109 @@
+namespace: grainguard-staging
+
+# Staging environment overrides — production-like topology at slightly reduced capacity,
+# limited to gateway, bff, and dashboard, so we can validate rollouts, ingress, and restores safely.
+image:
+  registry: 658362403982.dkr.ecr.us-east-1.amazonaws.com/grainguard
+  pullPolicy: Always
+  tag: staging-bootstrap  # chart-wide default tag; gateway and bff repeat it, dashboard overrides it
+
+services:
+  gateway:
+    replicaCount: 2
+    image:
+      tag: staging-bootstrap
+    healthPort: 3000  # presumably the same as the gateway HTTP port; the templates skip a duplicate "health" containerPort in that case — TODO confirm
+    healthPath: /health
+    probeTimeoutSeconds: 5  # overrides the templates' default probe timeout of 1 second
+    readinessPath: /health
+    env:
+      ALLOWED_ORIGINS: "http://localhost:5173,http://*.elb.amazonaws.com:8080"
+      AUTH_ENABLED: "false"  # NOTE(review): presumably turns authentication off for staging — confirm intended
+      NODE_TLS_REJECT_UNAUTHORIZED: "0"  # NOTE(review): makes Node.js skip TLS certificate verification on outbound connections — confirm intended
+      REDIS_HOST: master.grainguard-staging.2vbpuh.use1.cache.amazonaws.com
+      REDIS_PORT: "6379"
+      READ_DB_SSL_REJECT_UNAUTHORIZED: "false"
+      STRIPE_SECRET_KEY: sk_test_staging_placeholder  # NOTE(review): placeholder value; a real key presumably belongs in envFromSecret rather than plain env
+      WRITE_DB_SSL_REJECT_UNAUTHORIZED: "false"
+    autoscaling:
+      enabled: true
+      minReplicas: 2  # equals replicaCount above
+      maxReplicas: 8
+
+  bff:
+    replicaCount: 2
+    image:
+      tag: staging-bootstrap
+    healthPath: /metrics  # liveness and readiness probes both hit the /metrics path
+    readinessPath: /metrics
+    env:
+      ALLOWED_ORIGINS: "http://localhost:5173,http://*.elb.amazonaws.com:8080"
+      AUTH_ENABLED: "false"  # NOTE(review): presumably turns authentication off for staging — confirm intended
+      NODE_TLS_REJECT_UNAUTHORIZED: "0"  # NOTE(review): makes Node.js skip TLS certificate verification on outbound connections — confirm intended
+      PORT: "4000"
+      REDIS_HOST: master.grainguard-staging.2vbpuh.use1.cache.amazonaws.com
+      REDIS_PORT: "6379"
+      READ_DB_SSL_REJECT_UNAUTHORIZED: "false"
+    autoscaling:
+      enabled: true
+      minReplicas: 2  # equals replicaCount above
+      maxReplicas: 6
+
+  dashboard:
+    enabled: true
+    replicaCount: 1
+    port: 8080
+    healthPath: /  # probes request the site root
+    readinessPath: /
+    serviceType: LoadBalancer  # the only staging service here that asks for a LoadBalancer Service
+    image:
+      tag: staging-dashboard  # overrides the chart-wide staging-bootstrap tag
+    resources:
+      requests:
+        cpu: 50m
+        memory: 64Mi
+      limits:
+        cpu: 250m
+        memory: 128Mi
+    autoscaling:
+      enabled: false  # fixed at replicaCount
+    pdb:
+      enabled: false
+    networkPolicy:
+      enabled: true
+      allowExternal: true
+      allowFromSameNamespace: true
+      allowFromServices: []
+
+  telemetry-service:  # this and every service below are switched off in staging
+    enabled: false
+
+  saga-orchestrator:
+    enabled: false
+
+  read-model-builder:
+    enabled: false
+
+  asset-registry:
+    enabled: false
+
+  risk-engine:
+    enabled: false
+
+  search-indexer:
+    enabled: false
+
+  workflow-alerts:
+    enabled: false
+
+  jobs-worker:
+    enabled: false
+
+  cassandra-writer:
+    enabled: false
+
+  cdc-transformer:
+    enabled: false
+
+  dlq-reprocessor:
+    enabled: false
diff --git a/k8s/helm/grainguard/values.yaml b/k8s/helm/grainguard/values.yaml
index 171f67d..93de33d 100644
--- a/k8s/helm/grainguard/values.yaml
+++ b/k8s/helm/grainguard/values.yaml
@@ -5,6 +5,29 @@ image:
   tag: latest
   pullPolicy: IfNotPresent
 
+rollouts:
+  gateway:
+    enabled: false  # off by default; environments opt in through their own values file
+    strategy: canary
+    maxSurge: 1
+    maxUnavailable: 0
+    autoPromotionEnabled: false  # NOTE(review): in Argo Rollouts this is a blueGreen field; the canary strategy spec has no such field — confirm it has any effect
+    steps:  # copied verbatim into the Rollout's canary steps when non-empty
+      - setWeight: 5
+      - pause:
+          duration: 5m
+      - setWeight: 20
+      - pause:
+          duration: 10m
+      - setWeight: 50
+      - pause:
+          duration: 10m
+      - setWeight: 100
+    analysis:
+      enabled: false  # when true (with the rollout enabled) the AnalysisTemplate below is rendered and referenced
+      templateName: gateway-slo
+      prometheusAddress: http://prometheus.monitoring.svc.cluster.local:9090
+
 # ─── Services ────────────────────────────────────────────────────────────────
 services:
 
@@ -21,18 +44,29 @@ services:
     env:
       REDIS_HOST: redis
       REDIS_PORT: "6379"
+      BFF_HOST: bff
+      BFF_PORT: "4000"
       GRPC_TARGET: "telemetry-service:50051"
       OTEL_EXPORTER_OTLP_ENDPOINT: "otel-collector:4317"
     envFromSecret:
       - name: READ_DATABASE_URL
         secretName: postgres-read-secret
         secretKey: READ_DATABASE_URL
+      - name: WRITE_DATABASE_URL
+        secretName: postgres-secret
+        secretKey: WRITE_DB_URL
       - name: JWKS_URL
         secretName: auth-secret
         secretKey: JWKS_URL
       - name: JWT_ISSUER
         secretName: auth-secret
         secretKey: JWT_ISSUER
+      - name: JWT_AUDIENCE
+        secretName: auth-secret
+        secretKey: JWT_AUDIENCE
+      - name: REDIS_PASSWORD
+        secretName: redis-secret
+        secretKey: REDIS_PASSWORD
     resources:
       requests:
         cpu: 100m
@@ -72,9 +106,24 @@ services:
       REDIS_HOST: redis
       REDIS_PORT: "6379"
     envFromSecret:
+      - name: READ_DATABASE_URL
+        secretName: postgres-read-secret
+        secretKey: READ_DATABASE_URL
       - name: READ_DB_PASSWORD
         secretName: postgres-read-secret
         secretKey: POSTGRES_PASSWORD
+      - name: JWKS_URL
+        secretName: auth-secret
+        secretKey: JWKS_URL
+      - name: JWT_ISSUER
+        secretName: auth-secret
+        secretKey: JWT_ISSUER
+      - name: JWT_AUDIENCE
+        secretName: auth-secret
+        secretKey: JWT_AUDIENCE
+      - name: REDIS_PASSWORD
+        secretName: redis-secret
+        secretKey: REDIS_PASSWORD
     resources:
       requests:
         cpu: 100m
@@ -279,7 +328,7 @@ services:
       KAFKA_BROKERS: "kafka:9092"
       OTEL_EXPORTER_OTLP_ENDPOINT: "otel-collector:4317"
     envFromSecret:
-      - name: WRITE_DB_URL
+      - name: DATABASE_URL
         secretName: postgres-secret
         secretKey: WRITE_DB_URL
     resources:
@@ -317,6 +366,10 @@ services:
       KAFKA_BROKERS: "kafka:9092"
       RABBITMQ_URL: "amqp://rabbitmq:5672"
       OTEL_EXPORTER_OTLP_ENDPOINT: "otel-collector:4317"
+    envFromSecret:
+      - name: DATABASE_URL
+        secretName: postgres-secret
+        secretKey: WRITE_DB_URL
     resources:
       requests:
         cpu: 200m
@@ -379,6 +432,10 @@ services:
       REDIS_HOST: redis
       REDIS_PORT: "6379"
       OTEL_EXPORTER_OTLP_ENDPOINT: "otel-collector:4317"
+    envFromSecret:
+      - name: DATABASE_URL
+        secretName: postgres-secret
+        secretKey: WRITE_DB_URL
     resources:
       requests:
         cpu: 100m
@@ -414,6 +471,10 @@ services:
       REDIS_HOST: redis
       REDIS_PORT: "6379"
       OTEL_EXPORTER_OTLP_ENDPOINT: "otel-collector:4317"
+    envFromSecret:
+      - name: DATABASE_URL
+        secretName: postgres-secret
+        secretKey: WRITE_DB_URL
     resources:
       requests:
         cpu: 100m
diff --git a/scripts/load-tests/graphql-stress.js b/scripts/load-tests/graphql-stress.js
new file mode 100644
index 0000000..cd1f34a
--- /dev/null
+++ b/scripts/load-tests/graphql-stress.js
@@ -0,0 +1,59 @@
+import http from "k6/http";
+import { check, sleep } from "k6";
+import { Rate, Trend } from "k6/metrics";
+
+const errorRate = new Rate("errors"); // per-iteration failure rate; no threshold below references it
+const gatewayLatency = new Trend("gateway_graphql_latency"); // fed with response.timings.duration per request
+
+export const options = {
+  stages: [
+    { duration: "15s", target: 10 }, // ramp up to 10 VUs
+    { duration: "30s", target: 30 },
+    { duration: "20s", target: 60 }, // peak of 60 VUs
+    { duration: "15s", target: 0 }, // ramp down
+  ],
+  thresholds: {
+    http_req_failed: ["rate<0.05"], // fewer than 5% failed HTTP requests
+    checks: ["rate>0.95"], // more than 95% of checks must pass
+    gateway_graphql_latency: ["p(95)<300"], // p95 below 300 (k6 reports timings in milliseconds)
+  },
+};
+
+const GATEWAY_URL = __ENV.GATEWAY_URL || "http://localhost:8086"; // base URL; "/graphql" is appended per request
+const GRAPHQL_BODY = JSON.stringify({ // serialized once at init and reused for every request
+  query:
+    "query { devices(limit: 20) { deviceId serialNumber temperature humidity version } }",
+});
+const HEADERS = { "Content-Type": "application/json" };
+
+export default function () {
+  const url = `${GATEWAY_URL}/graphql`;
+  const res = http.post(url, GRAPHQL_BODY, { headers: HEADERS });
+
+  // Record the request duration k6 measured for this call.
+  gatewayLatency.add(res.timings.duration);
+
+  // The iteration succeeds only if the status is 200 and data.devices is an array.
+  const passed = check(res, {
+    "gateway graphql 200": (r) => r.status === 200,
+    "gateway graphql devices": (r) => {
+      try {
+        return Array.isArray(JSON.parse(r.body).data.devices);
+      } catch {
+        return false;
+      }
+    },
+  });
+
+  errorRate.add(!passed);
+  sleep(0.2);
+}
+
+export function handleSummary(data) {
+  // Each key of the returned object is an output path; its value is the file content.
+  const summaryPath = "scripts/load-tests/results/graphql-stress-summary.json";
+  const prettyJson = JSON.stringify(data, null, 2);
+
+  const outputs = {};
+  outputs[summaryPath] = prettyJson;
+  return outputs;
+}
diff --git a/scripts/load-tests/ingest-stress.js b/scripts/load-tests/ingest-stress.js
new file mode 100644
index 0000000..1b1cc0b
--- /dev/null
+++ b/scripts/load-tests/ingest-stress.js
@@ -0,0 +1,79 @@
+import http from "k6/http";
+import { check, sleep } from "k6";
+import { Rate, Trend } from "k6/metrics";
+
+const errorRate = new Rate("errors"); // per-iteration failure rate; no threshold below references it
+const ingestLatency = new Trend("ingest_latency"); // fed with response.timings.duration per request
+
+export const options = {
+  stages: [
+    { duration: "15s", target: 20 }, // ramp up to 20 VUs
+    { duration: "25s", target: 60 },
+    { duration: "20s", target: 120 }, // peak of 120 VUs
+    { duration: "15s", target: 0 }, // ramp down
+  ],
+  thresholds: {
+    http_req_failed: ["rate<0.05"], // fewer than 5% failed HTTP requests
+    checks: ["rate>0.95"], // more than 95% of checks must pass
+    ingest_latency: ["p(95)<500"], // p95 below 500 (k6 reports timings in milliseconds)
+  },
+};
+
+const INGEST_URL = __ENV.INGEST_URL || "http://localhost:3001"; // base URL; "/ingest" is appended per request
+const API_KEY = __ENV.INGEST_API_KEY || ""; // sent as the X-Api-Key header; required (see guard below)
+const DEVICE_IDS = (__ENV.DEVICE_IDS || "") // comma-separated list from the environment
+  .split(",")
+  .map((value) => value.trim())
+  .filter(Boolean); // drop empty entries, e.g. from a trailing comma or an unset variable
+
+if (!API_KEY) { // fail at init time instead of producing a run full of rejected requests
+  throw new Error("INGEST_API_KEY is required");
+}
+
+if (DEVICE_IDS.length === 0) { // at least one id is needed for the round-robin in the default function
+  throw new Error("DEVICE_IDS must contain at least one UUID");
+}
+
+function buildPayload(deviceId) {
+  // Random reading: temperature in [20, 35), humidity in [35, 70), stamped with the current time.
+  const temperature = 20 + Math.random() * 15;
+  const humidity = 35 + Math.random() * 35;
+  const timestamp = new Date().toISOString();
+  const reading = { serialNumber: deviceId, temperature, humidity, timestamp };
+  return JSON.stringify(reading);
+}
+
+export default function () {
+  // Round-robin over the configured devices using the iteration counter.
+  const deviceId = DEVICE_IDS[__ITER % DEVICE_IDS.length];
+  const headers = { "Content-Type": "application/json", "X-Api-Key": API_KEY };
+  const body = buildPayload(deviceId);
+  const res = http.post(`${INGEST_URL}/ingest`, body, { headers });
+
+  ingestLatency.add(res.timings.duration);
+
+  const passed = check(res, {
+    "ingest accepted": (r) => r.status === 202,
+    "ingest acknowledged": (r) => {
+      try {
+        const ack = JSON.parse(r.body);
+        return ack.accepted === true;
+      } catch {
+        return false;
+      }
+    },
+  });
+
+  errorRate.add(!passed);
+  sleep(0.1);
+}
+
+export function handleSummary(data) {
+  // Each key of the returned object is an output path; its value is the file content.
+  const summaryPath = "scripts/load-tests/results/ingest-stress-summary.json";
+  const prettyJson = JSON.stringify(data, null, 2);
+
+  const outputs = {};
+  outputs[summaryPath] = prettyJson;
+  return outputs;
+}
diff --git a/scripts/load-tests/mixed-stack-stress.js b/scripts/load-tests/mixed-stack-stress.js
new file mode 100644
index 0000000..9219945
--- /dev/null
+++ b/scripts/load-tests/mixed-stack-stress.js
@@ -0,0 +1,127 @@
+import http from "k6/http";
+import { check, sleep } from "k6";
+import { Rate, Trend } from "k6/metrics";
+
+const errorRate = new Rate("errors"); // shared by both scenarios; no threshold below references it
+const gatewayLatency = new Trend("gateway_graphql_latency"); // fed by graphqlReader
+const ingestLatency = new Trend("ingest_latency"); // fed by ingestWriter
+
+export const options = {
+  scenarios: {
+    graphql_readers: { // read load against the gateway GraphQL endpoint
+      executor: "ramping-vus",
+      exec: "graphqlReader",
+      startVUs: 0,
+      stages: [
+        { duration: "15s", target: 10 },
+        { duration: "25s", target: 30 },
+        { duration: "20s", target: 50 }, // peak of 50 reader VUs
+        { duration: "15s", target: 0 },
+      ],
+    },
+    ingest_writers: { // write load against the ingest endpoint
+      executor: "ramping-vus",
+      exec: "ingestWriter",
+      startVUs: 0,
+      stages: [
+        { duration: "15s", target: 20 },
+        { duration: "25s", target: 50 },
+        { duration: "20s", target: 80 }, // peak of 80 writer VUs
+        { duration: "15s", target: 0 },
+      ],
+      startTime: "5s", // writers begin five seconds after the readers
+    },
+  },
+  thresholds: {
+    http_req_failed: ["rate<0.08"], // fewer than 8% failed HTTP requests across both scenarios
+    checks: ["rate>0.92"], // more than 92% of checks must pass
+    gateway_graphql_latency: ["p(95)<400"], // p95 below 400 (k6 reports timings in milliseconds)
+    ingest_latency: ["p(95)<600"], // p95 below 600 (milliseconds)
+  },
+};
+
+const GATEWAY_URL = __ENV.GATEWAY_URL || "http://localhost:8086"; // base URL; "/graphql" is appended per request
+const INGEST_URL = __ENV.INGEST_URL || "http://localhost:3001"; // base URL; "/ingest" is appended per request
+const API_KEY = __ENV.INGEST_API_KEY || ""; // sent as the X-Api-Key header; required (see guard below)
+const DEVICE_IDS = (__ENV.DEVICE_IDS || "") // comma-separated list from the environment
+  .split(",")
+  .map((value) => value.trim())
+  .filter(Boolean); // drop empty entries, e.g. from a trailing comma or an unset variable
+const GRAPHQL_BODY = JSON.stringify({ // serialized once at init and reused for every reader request
+  query:
+    "query { devices(limit: 20) { deviceId serialNumber temperature humidity version } }",
+});
+
+if (!API_KEY) { // fail at init time; this also stops the reader scenario, which does not use the key
+  throw new Error("INGEST_API_KEY is required");
+}
+
+if (DEVICE_IDS.length === 0) { // at least one id is needed for the round-robin in ingestWriter
+  throw new Error("DEVICE_IDS must contain at least one UUID");
+}
+
+function buildPayload(deviceId) {
+  // Random reading: temperature in [20, 35), humidity in [35, 70), stamped with the current time.
+  const temperature = 20 + Math.random() * 15;
+  const humidity = 35 + Math.random() * 35;
+  const timestamp = new Date().toISOString();
+  const reading = { serialNumber: deviceId, temperature, humidity, timestamp };
+  return JSON.stringify(reading);
+}
+
+export function graphqlReader() {
+  // Entry point of the graphql_readers scenario: one devices query per iteration.
+  const headers = { "Content-Type": "application/json" };
+  const res = http.post(`${GATEWAY_URL}/graphql`, GRAPHQL_BODY, { headers });
+
+  gatewayLatency.add(res.timings.duration);
+
+  const passed = check(res, {
+    "gateway graphql 200": (r) => r.status === 200,
+    "gateway graphql devices": (r) => {
+      try {
+        return Array.isArray(JSON.parse(r.body).data.devices);
+      } catch {
+        return false;
+      }
+    },
+  });
+
+  errorRate.add(!passed);
+  sleep(0.2);
+}
+
+export function ingestWriter() {
+  // Entry point of the ingest_writers scenario: round-robin over the configured devices.
+  const deviceId = DEVICE_IDS[__ITER % DEVICE_IDS.length];
+  const headers = { "Content-Type": "application/json", "X-Api-Key": API_KEY };
+  const body = buildPayload(deviceId);
+  const res = http.post(`${INGEST_URL}/ingest`, body, { headers });
+
+  ingestLatency.add(res.timings.duration);
+
+  const passed = check(res, {
+    "ingest accepted": (r) => r.status === 202,
+    "ingest acknowledged": (r) => {
+      try {
+        const ack = JSON.parse(r.body);
+        return ack.accepted === true;
+      } catch {
+        return false;
+      }
+    },
+  });
+
+  errorRate.add(!passed);
+  sleep(0.1);
+}
+
+export function handleSummary(data) {
+  // Each key of the returned object is an output path; its value is the file content.
+  const summaryPath = "scripts/load-tests/results/mixed-stack-stress-summary.json";
+  const prettyJson = JSON.stringify(data, null, 2);
+
+  const outputs = {};
+  outputs[summaryPath] = prettyJson;
+  return outputs;
+}
diff --git a/tests/e2e/auth.spec.ts b/tests/e2e/auth.spec.ts
index 7eefead..c7b9d61 100644
--- a/tests/e2e/auth.spec.ts
+++ b/tests/e2e/auth.spec.ts
@@ -38,12 +38,12 @@ test.describe("Authenticated user", () => {
 
   test("devices page loads after login", async ({ page }) => {
     await page.goto("/");
-    await expect(page.getByRole("heading", { name: "Devices" })).toBeVisible({ timeout: 15_000 });
+    await expect(page.getByRole("heading", { name: "Devices", exact: true })).toBeVisible({ timeout: 15_000 });
   });
 
   test("billing page shows plan cards", async ({ page }) => {
     await page.goto("/billing");
-    await expect(page.getByText("Starter")).toBeVisible({ timeout: 10_000 });
-    await expect(page.getByText("Professional")).toBeVisible();
+    await expect(page.getByRole("heading", { name: "Starter", exact: true })).toBeVisible({ timeout: 10_000 });
+    await expect(page.getByRole("heading", { name: "Professional", exact: true })).toBeVisible();
   });
 });
diff --git a/tests/e2e/billing.spec.ts b/tests/e2e/billing.spec.ts
index 1b2f623..bc988e6 100644
--- a/tests/e2e/billing.spec.ts
+++ b/tests/e2e/billing.spec.ts
@@ -10,9 +10,9 @@ test.describe("Billing page", () => {
   });
 
   test("shows three plan cards", async ({ page }) => {
-    await expect(page.getByText("Starter")).toBeVisible({ timeout: 10_000 });
-    await expect(page.getByText("Professional")).toBeVisible();
-    await expect(page.getByText("Enterprise")).toBeVisible();
+    await expect(page.getByRole("heading", { name: "Starter", exact: true })).toBeVisible({ timeout: 10_000 });
+    await expect(page.getByRole("heading", { name: "Professional", exact: true })).toBeVisible();
+    await expect(page.getByRole("heading", { name: "Enterprise", exact: true })).toBeVisible();
   });
 
   test("shows plan prices", async ({ page }) => {
diff --git a/tests/e2e/devices.spec.ts b/tests/e2e/devices.spec.ts
index d4bd9d4..f68eab9 100644
--- a/tests/e2e/devices.spec.ts
+++ b/tests/e2e/devices.spec.ts
@@ -17,7 +17,7 @@ test.describe("Devices page", () => {
   test("Register Device modal opens on click", async ({ page }) => {
     await page.getByRole("button", { name: "+ Register Device" }).click();
     await expect(page.getByRole("dialog")).toBeVisible();
-    await expect(page.getByText("Register a Device")).toBeVisible();
+    await expect(page.getByRole("heading", { name: "Register Device", exact: true })).toBeVisible();
   });
 
   test("modal closes on Escape", async ({ page }) => {
@@ -37,29 +37,28 @@ test.describe("Devices page", () => {
 
   test("serial number input normalises to uppercase", async ({ page }) => {
     await page.getByRole("button", { name: "+ Register Device" }).click();
-    const input = page.getByLabel("Serial Number");
+    const input = page.getByLabel("Serial Number", { exact: true });
     await input.fill("sn12345678");
     await expect(input).toHaveValue("SN12345678");
   });
 
   test("submit button disabled when serial is too short", async ({ page }) => {
     await page.getByRole("button", { name: "+ Register Device" }).click();
-    const submitBtn = page.getByRole("button", { name: "Register Device" });
+    const submitBtn = page.getByRole("button", { name: "Register Device", exact: true });
     await expect(submitBtn).toBeDisabled();
 
-    await page.getByLabel("Serial Number").fill("SN1");
+    await page.getByLabel("Serial Number", { exact: true }).fill("SN");
     await expect(submitBtn).toBeDisabled();
 
-    await page.getByLabel("Serial Number").fill("SN12");
+    await page.getByLabel("Serial Number", { exact: true }).fill("SN12");
     await expect(submitBtn).toBeEnabled();
   });
 
   test("invalid serial shows validation error", async ({ page }) => {
     await page.getByRole("button", { name: "+ Register Device" }).click();
-    await page.getByLabel("Serial Number").fill("AB!@#");
-    await page.getByRole("button", { name: "Register Device" }).click();
+    await page.getByLabel("Serial Number", { exact: true }).fill("AB!@#");
     await expect(page.getByRole("alert")).toBeVisible();
-    await expect(page.getByRole("alert")).toContainText("4–30 uppercase");
+    await expect(page.getByRole("alert")).toContainText("Only letters, numbers, hyphens and underscores allowed");
   });
 
   test("CSV Export button is present", async ({ page }) => {
diff --git a/tests/e2e/fixtures/mockAuth.ts b/tests/e2e/fixtures/mockAuth.ts
index bb61545..ce3c2bb 100644
--- a/tests/e2e/fixtures/mockAuth.ts
+++ b/tests/e2e/fixtures/mockAuth.ts
@@ -18,6 +18,8 @@ const PAYLOAD = b64({
   aud:    "https://api.grainguard.com",
   iat:    Math.floor(Date.now() / 1000),
   exp:    Math.floor(Date.now() / 1000) + 86400, // 24h
+  "https://grainguard.com/tenant_id": "00000000-0000-0000-0000-000000000001",
+  "https://grainguard.com/roles":     ["admin"],
   "https://grainguard/tenant_id": "00000000-0000-0000-0000-000000000001",
   "https://grainguard/roles":     ["admin"],
 });
@@ -29,13 +31,15 @@ export const FAKE_TOKEN = `${HEADER}.${PAYLOAD}.fake_signature`;
 
 const CLIENT_ID = process.env.VITE_AUTH0_CLIENT_ID || "6DwwDrUpsC4LckBieVQdlGYtguTPnYys";
 const AUDIENCE  = process.env.VITE_AUTH0_AUDIENCE  || "https://api.grainguard.com";
-const AUTH0_CACHE_KEY = `@@auth0spajs@@::${CLIENT_ID}::${AUDIENCE}::openid profile email`;
+const SCOPE = "openid profile email offline_access";
+const MOCK_TENANT_ID = "00000000-0000-0000-0000-000000000001";
+const AUTH0_CACHE_KEY = `@@auth0spajs@@::${CLIENT_ID}::${AUDIENCE}::${SCOPE}`;
 
 const AUTH0_CACHE_VALUE = JSON.stringify({
   body: {
     access_token:  FAKE_TOKEN,
     id_token:      FAKE_TOKEN,
-    scope:         "openid profile email",
+    scope:         SCOPE,
     expires_in:    86400,
     token_type:    "Bearer",
     decodedToken: {
@@ -45,6 +49,10 @@ const AUTH0_CACHE_VALUE = JSON.stringify({
         sub:   "auth0|e2e-test-user",
         email: "e2e@grainguard.com",
         name:  "E2E Test User",
+        "https://grainguard.com/tenant_id": MOCK_TENANT_ID,
+        "https://grainguard/tenant_id": MOCK_TENANT_ID,
+        "https://grainguard.com/roles": ["admin"],
+        "https://grainguard/roles": ["admin"],
       },
     },
     audience:  AUDIENCE,
@@ -56,26 +64,45 @@ const AUTH0_CACHE_VALUE = JSON.stringify({
 // ─── Mock API responses ───────────────────────────────────────────────────────
 
 const MOCK_DEVICES = [
-  { id: "dev-1", serialNumber: "SN00100001", status: "online",  lastSeen: new Date().toISOString() },
-  { id: "dev-2", serialNumber: "SN00100002", status: "offline", lastSeen: new Date().toISOString() },
+  {
+    deviceId: "00000000-0000-0000-0000-000000000001",
+    tenantId: MOCK_TENANT_ID,
+    serialNumber: "SN00100001",
+    temperature: 21.5,
+    humidity: 48.2,
+    recordedAt: new Date().toISOString(),
+    createdAt: new Date().toISOString(),
+  },
+  {
+    deviceId: "00000000-0000-0000-0000-000000000002",
+    tenantId: MOCK_TENANT_ID,
+    serialNumber: "SN00100002",
+    temperature: null,
+    humidity: null,
+    recordedAt: null,
+    createdAt: new Date().toISOString(),
+  },
 ];
 
 const MOCK_SUBSCRIPTION = {
   plan: "professional",
-  subscription_status: "active",
-  trial_ends_at: null,
-  current_period_end: new Date(Date.now() + 30 * 86400 * 1000).toISOString(),
+  status: "active",
+  trialEndsAt: null,
+  currentPeriodEnd: Math.floor((Date.now() + 30 * 86400 * 1000) / 1000),
+  cancelAtPeriodEnd: false,
+  paymentFailed: false,
 };
 
 const MOCK_DEVICES_CONNECTION = {
   edges: MOCK_DEVICES.map((device) => ({
-    cursor: device.id,
+    cursor: device.deviceId,
     node: device,
   })),
   pageInfo: {
-    endCursor: MOCK_DEVICES.at(-1)?.id ?? null,
+    endCursor: MOCK_DEVICES.at(-1)?.deviceId ?? null,
     hasNextPage: false,
   },
+  totalCount: MOCK_DEVICES.length,
 };
 
 // ─── injectMockAuth ───────────────────────────────────────────────────────────
@@ -101,7 +128,7 @@ export async function injectMockAuth(page: Page): Promise<void> {
   );
 
   // 3. Intercept GraphQL (BFF) — return mock data
-  await page.route("**/graphql", (route) => {
+  await page.route("**/*graphql*", (route) => {
     const body = route.request().postDataJSON() as { query?: string } | null;
     const query = body?.query ?? "";
 
@@ -155,9 +182,9 @@ export async function injectMockAuth(page: Page): Promise<void> {
         json: {
           data: {
             me: {
-              id:       "00000000-0000-0000-0000-000000000001",
+              id:       MOCK_TENANT_ID,
               email:    "e2e@grainguard.com",
-              tenantId: "00000000-0000-0000-0000-000000000001",
+              tenantId: MOCK_TENANT_ID,
               plan:     "professional",
             },
           },
@@ -187,15 +214,24 @@ export async function injectMockAuth(page: Page): Promise<void> {
     if (route.request().method() === "GET") {
       return route.fulfill({ json: MOCK_DEVICES });
     }
-    return route.fulfill({ json: { deviceId: "dev-new", serialNumber: "SNNEW001" } });
+    return route.fulfill({
+      json: {
+        deviceId: "00000000-0000-0000-0000-000000000099",
+        tenantId: MOCK_TENANT_ID,
+        serialNumber: "SNNEW001",
+      },
+    });
   });
 
   // 6. Inject Auth0 cache into localStorage before app loads
   await page.addInitScript(
-    ({ key, value, token }) => {
+    ({ clientId, key, value, token }) => {
       localStorage.setItem(key, value);
+      localStorage.setItem("auth0.is.authenticated", "true");
+      document.cookie = `auth0.is.authenticated=true; path=/`;
+      document.cookie = `auth0.${clientId}.is.authenticated=true; path=/`;
       localStorage.setItem("__e2e_access_token", token);
     },
-    { key: AUTH0_CACHE_KEY, value: AUTH0_CACHE_VALUE, token: FAKE_TOKEN }
+    { clientId: CLIENT_ID, key: AUTH0_CACHE_KEY, value: AUTH0_CACHE_VALUE, token: FAKE_TOKEN }
   );
 }