diff --git a/.github/workflows/preview-cleanup.yml b/.github/workflows/preview-cleanup.yml
index 60f21c8d9..2df3d98d9 100644
--- a/.github/workflows/preview-cleanup.yml
+++ b/.github/workflows/preview-cleanup.yml
@@ -54,7 +54,7 @@ jobs:
           wrangler delete --name "$WORKER_NAME" --force || echo "Worker may not exist"
 
       - name: Delete GitHub Deployment
-        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           script: |
             const environment = `preview-pr-${{ github.event.pull_request.number }}`;
diff --git a/.github/workflows/preview-deploy.yml b/.github/workflows/preview-deploy.yml
index 62d2266af..c26ea1cf0 100644
--- a/.github/workflows/preview-deploy.yml
+++ b/.github/workflows/preview-deploy.yml
@@ -40,7 +40,7 @@ jobs:
 
       - name: Resolve preview request
         id: preview
-        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           script: |
             const { resolvePreviewRequest } = require('./trusted-preview-resolver/workers/preview/deploy/resolve_preview_request.cjs');
@@ -66,7 +66,7 @@ jobs:
       - name: Create GitHub Deployment
         if: env.IS_FORK == 'false'
         id: deployment
-        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           script: |
             const prNumber = process.env.PR_NUMBER;
@@ -206,12 +206,14 @@ jobs:
           cp -R trusted/workers/preview/src "$preview_dir/src"
           mkdir -p "$preview_dir/deploy"
           cp trusted/workers/preview/deploy/redact_preview_log.sh "$preview_dir/deploy/redact_preview_log.sh"
+          cp trusted/workers/preview/deploy/render_preview_config.cjs "$preview_dir/deploy/render_preview_config.cjs"
           chmod 0755 "$preview_dir/deploy/redact_preview_log.sh"
 
           diagnostics_nonce="$(openssl rand -hex 32)"
           sed -i "s/\${PR_NUMBER}/${PR_NUMBER}/g" "$preview_dir/wrangler.toml"
           sed -i "s/\${PR_NUMBER}/${PR_NUMBER}/g" "$preview_dir/src/index.ts"
           sed -i "s/\${PREVIEW_DIAGNOSTICS_NONCE}/${diagnostics_nonce}/g" "$preview_dir/src/index.ts"
+          cp "$preview_dir/wrangler.toml" "$preview_dir/wrangler.source.toml"
 
           if grep -F "\${PREVIEW_DIAGNOSTICS_NONCE}" "$preview_dir/src/index.ts" >/dev/null; then
             echo "Preview diagnostics nonce placeholder was not replaced" >&2
@@ -248,6 +250,7 @@ jobs:
           set -euo pipefail
 
           cd "$RUNNER_TEMP/sure-preview-worker"
+          source_config="$RUNNER_TEMP/sure-preview-worker/wrangler.source.toml"
           config_path="$RUNNER_TEMP/sure-preview-worker/wrangler.toml"
           image_tag="sure-preview-pr-${PR_NUMBER}:${HEAD_SHA}"
           temporary_image_ref="registry.cloudflare.com/${CLOUDFLARE_ACCOUNT_ID}/${image_tag}"
@@ -257,23 +260,8 @@ jobs:
 
           # wrangler containers push validates wrangler.toml, so point the trusted
           # config at a registry-shaped ref while it pushes the verified local image.
-          TEMPORARY_IMAGE_REF="$temporary_image_ref" node - "$config_path" <<'NODE'
-          const fs = require('node:fs');
-
-          const configPath = process.argv[2];
-          const imageRef = process.env.TEMPORARY_IMAGE_REF;
-
-          if (!/^registry\.cloudflare\.com\/[A-Za-z0-9_-]+\/sure-preview-pr-[1-9][0-9]*:[a-f0-9]{40}$/.test(imageRef || '')) {
-            throw new Error('Expected registry-shaped preview image ref before wrangler containers push');
-          }
-
-          const original = fs.readFileSync(configPath, 'utf8');
-          const updated = original.replace(/image = "[^"]+"/, `image = ${JSON.stringify(imageRef)}`);
-          if (updated === original) {
-            throw new Error('Expected wrangler.toml to contain an image entry to rewrite before push');
-          }
-          fs.writeFileSync(configPath, updated);
-          NODE
+          PREVIEW_IMAGE_REF="$temporary_image_ref" node ./deploy/render_preview_config.cjs render "$source_config" "$config_path"
+          cp "$config_path" "$RUNNER_TEMP/wrangler-push.toml"
 
           set +e
           ./node_modules/.bin/wrangler containers push "$image_tag" 2>&1 | tee "$push_log" | ./deploy/redact_preview_log.sh
@@ -285,19 +273,7 @@ jobs:
             exit "$push_status"
           fi
 
-          image_ref="$(node - "$clean_log" <<'NODE'
-          const fs = require('node:fs');
-
-          const logPath = process.argv[2];
-          const log = fs.readFileSync(logPath, 'utf8');
-          const expectedSuffix = `sure-preview-pr-${process.env.PR_NUMBER}:${process.env.HEAD_SHA}`;
-          const pattern = /registry\.cloudflare\.com\/[A-Za-z0-9_-]+\/sure-preview-pr-[1-9][0-9]*:[a-f0-9]{40}/g;
-          const matches = [...log.matchAll(pattern)].map((match) => match[0]);
-          const imageRef = matches.findLast((candidate) => candidate.endsWith(`/${expectedSuffix}`));
-
-          if (imageRef) process.stdout.write(imageRef);
-          NODE
-          )"
+          image_ref="$(node ./deploy/render_preview_config.cjs find "$clean_log")"
 
           if [ -z "$image_ref" ]; then
             echo "Could not find Cloudflare registry image reference in wrangler output" >&2
@@ -312,30 +288,12 @@ jobs:
         run: |
           set -euo pipefail
 
+          source_config="$RUNNER_TEMP/sure-preview-worker/wrangler.source.toml"
           config_path="$RUNNER_TEMP/sure-preview-worker/wrangler.toml"
-          # Use Node instead of sed so the replacement preserves TOML string syntax.
-          node - "$config_path" <<'NODE'
-          const fs = require('node:fs');
-
-          const configPath = process.argv[2];
-          const imageRef = process.env.IMAGE_REF;
-          const expectedSuffix = `sure-preview-pr-${process.env.PR_NUMBER}:${process.env.HEAD_SHA}`;
-
-          if (!/^registry\.cloudflare\.com\/[A-Za-z0-9_-]+\/sure-preview-pr-[1-9][0-9]*:[a-f0-9]{40}$/.test(imageRef || '')) {
-            throw new Error('Expected a Cloudflare registry image reference');
-          }
-
-          if (!imageRef.endsWith(`/${expectedSuffix}`)) {
-            throw new Error('Cloudflare registry image reference does not match this preview artifact');
-          }
-
-          const original = fs.readFileSync(configPath, 'utf8');
-          const updated = original.replace(/image = "[^"]+"/, `image = ${JSON.stringify(imageRef)}`);
-          if (updated === original) {
-            throw new Error('Expected wrangler.toml to contain an image entry to rewrite');
-          }
-          fs.writeFileSync(configPath, updated);
-          NODE
+          # Render from the preserved trusted source template so the push-time
+          # registry ref cannot make the final deploy rewrite stateful.
+          PREVIEW_IMAGE_REF="$IMAGE_REF" node "$RUNNER_TEMP/sure-preview-worker/deploy/render_preview_config.cjs" render "$source_config" "$config_path"
+          cp "$config_path" "$RUNNER_TEMP/wrangler-final.toml"
 
           # Print a redacted copy for logs without mutating the config used by deploy.
           redacted_config="$RUNNER_TEMP/wrangler-redacted.toml"
@@ -395,27 +353,66 @@ jobs:
         run: |
           set -euo pipefail
 
-          diagnostics_file="$RUNNER_TEMP/preview-diagnostics.json"
+          diagnostics_dir="$RUNNER_TEMP/preview-diagnostics"
+          diagnostics_file="$diagnostics_dir/preview-diagnostics.json"
+          latest_metrics_file="$diagnostics_dir/latest-metrics.json"
+          polls_log="$diagnostics_dir/metrics-polls.log"
+          summary_file="$diagnostics_dir/summary.md"
           last_error=""
+          mkdir -p "$diagnostics_dir"
 
           for attempt in $(seq 1 40); do
             if curl -fsS --connect-timeout 5 --max-time 15 "$PREVIEW_URL/_container_status" -o "$diagnostics_file"; then
-              if jq -e '.previewReady == true or .previewFailed == true' "$diagnostics_file" >/dev/null; then
-                break
+              if jq -e . "$diagnostics_file" >/dev/null 2>&1; then
+                jq -c --argjson attempt "$attempt" --arg at "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
+                  '{attempt: $attempt, at: $at, previewReady: (.previewReady // false), previewFailed: (.previewFailed // false), progress: (.progress // {}), timings: (.timings // {})}' \
+                  "$diagnostics_file" >> "$polls_log"
+                jq '{previewReady: (.previewReady // false), previewFailed: (.previewFailed // false), progress: (.progress // {}), timings: (.timings // {})}' "$diagnostics_file" > "$latest_metrics_file"
+
+                if jq -e '.previewReady == true or .previewFailed == true' "$diagnostics_file" >/dev/null; then
+                  break
+                fi
+              else
+                last_error="invalid diagnostics JSON on attempt ${attempt}"
+                raw_snippet="$(head -c 2048 "$diagnostics_file")"
+                latest_metrics_snapshot="none"
+                if [ -f "$latest_metrics_file" ]; then
+                  latest_metrics_snapshot="$(head -c 2048 "$latest_metrics_file")"
+                fi
+                jq -nc --argjson attempt "$attempt" --arg at "$(date -u +%Y-%m-%dT%H:%M:%SZ)" --arg error "$last_error" --arg latestMetrics "$latest_metrics_snapshot" --arg rawSnippet "$raw_snippet" \
+                  '{attempt: $attempt, at: $at, error: $error, latestMetrics: $latestMetrics, rawSnippet: $rawSnippet}' >> "$polls_log"
               fi
             else
               last_error="curl failed on attempt ${attempt}"
+              jq -nc --argjson attempt "$attempt" --arg at "$(date -u +%Y-%m-%dT%H:%M:%SZ)" --arg error "$last_error" \
+                '{attempt: $attempt, at: $at, error: $error}' >> "$polls_log"
             fi
 
             sleep 3
           done
 
-          if [ ! -s "$diagnostics_file" ]; then
+          if [ ! -s "$diagnostics_file" ] || ! jq -e . "$diagnostics_file" >/dev/null 2>&1; then
             jq -n --arg error "${last_error:-preview diagnostics unavailable}" \
               --arg url "$PREVIEW_URL" \
               '{previewReady: false, previewFailed: false, error: $error, previewUrl: $url}' > "$diagnostics_file"
           fi
 
+          jq '{previewReady: (.previewReady // false), previewFailed: (.previewFailed // false), progress: (.progress // {}), timings: (.timings // {}), error: (.error // null)}' "$diagnostics_file" > "$latest_metrics_file"
+          {
+            echo "# Preview diagnostics"
+            echo
+            echo "- PR: ${PR_NUMBER}"
+            echo "- Commit: ${HEAD_SHA}"
+            echo "- Preview URL: ${PREVIEW_URL}"
+            echo "- Preview ready: $(jq -r '.previewReady // false' "$diagnostics_file")"
+            echo "- Preview failed: $(jq -r '.previewFailed // false' "$diagnostics_file")"
+            echo "- Phase: $(jq -r '.progress.phase // "unknown"' "$diagnostics_file")"
+            echo "- Stage: $(jq -r '.progress.stage // "unknown"' "$diagnostics_file")"
+            echo "- Seconds to Rails ready: $(jq -r '.timings.secondsToRailsReady // "unknown"' "$diagnostics_file")"
+            echo "- Seconds to demo data ready: $(jq -r '.timings.secondsToDemoDataReady // "unknown"' "$diagnostics_file")"
+            echo "- Seconds to preview ready: $(jq -r '.timings.secondsToPreviewReady // "unknown"' "$diagnostics_file")"
+          } > "$summary_file"
+
           jq -c . "$diagnostics_file"
 
           if jq -e '.previewFailed == true' "$diagnostics_file" >/dev/null; then
@@ -441,7 +438,7 @@ jobs:
         uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
         with:
           name: preview-diagnostics-pr-${{ env.PR_NUMBER }}-${{ env.HEAD_SHA }}
-          path: ${{ runner.temp }}/preview-diagnostics.json
+          path: ${{ runner.temp }}/preview-diagnostics
           if-no-files-found: error
           retention-days: 3
 
@@ -493,6 +490,9 @@ jobs:
             }' "$manifest_file" > "$diagnostics_dir/preview-image-manifest.json"
           fi
 
+          sanitize_copy "$RUNNER_TEMP/sure-preview-worker/wrangler.source.toml" "$diagnostics_dir/wrangler-source.toml"
+          sanitize_copy "$RUNNER_TEMP/wrangler-push.toml" "$diagnostics_dir/wrangler-push.toml"
+          sanitize_copy "$RUNNER_TEMP/wrangler-final.toml" "$diagnostics_dir/wrangler-final.toml"
           sanitize_copy "$RUNNER_TEMP/sure-preview-worker/wrangler.toml" "$diagnostics_dir/wrangler.toml"
           sanitize_copy "$RUNNER_TEMP/wrangler-containers-push.clean.log" "$diagnostics_dir/wrangler-containers-push.log"
           if [ -f "$RUNNER_TEMP/wrangler-deploy.clean.log" ]; then
@@ -551,7 +551,7 @@ jobs:
 
     steps:
       - name: Update Deployment Status
-        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           script: |
             const state = process.env.DEPLOY_RESULT === 'success' ? 'success' : 'failure';
@@ -581,7 +581,7 @@ jobs:
 
     steps:
       - name: Comment on PR
-        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           script: |
             const previewUrl = process.env.PREVIEW_URL;
diff --git a/SECURITY.md b/SECURITY.md
index 034e84803..390fb7b2e 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -2,20 +2,15 @@
 
 ## Supported Versions
 
-Use this section to tell people about which versions of your project are
-currently being supported with security updates.
+We maintain `vX.Y.Z-release-branch` [active areas](https://github.com/we-promise/sure/branches/all?query=release-branch&lastTab=overview) for high impact fixes that need to go out as "hotfix" releases ASAP.
 
 | Version | Supported          |
 | ------- | ------------------ |
-| 5.1.x   | :white_check_mark: |
-| 5.0.x   | :x:                |
-| 4.0.x   | :white_check_mark: |
-| < 4.0   | :x:                |
+| 0.7.1   | :white_check_mark: |
+| 0.7.0   | :white_check_mark: |
+| 0.6.x   | :x:                |
 
 ## Reporting a Vulnerability
 
-Use this section to tell people how to report a vulnerability.
-
-Tell them where to go, how often they can expect to get an update on a
-reported vulnerability, what to expect if the vulnerability is accepted or
-declined, etc.
+Join our Discord and DM @Juanjo there so he can address the vulnerability before
+disclosing it.
diff --git a/app/assets/tailwind/sure-design-system/components.css b/app/assets/tailwind/sure-design-system/components.css
index c1e6af0df..7e96c3645 100644
--- a/app/assets/tailwind/sure-design-system/components.css
+++ b/app/assets/tailwind/sure-design-system/components.css
@@ -160,6 +160,42 @@
     }
   }
 
+  /*
+    Segmented control (#2137) — track + equal-footprint segments. The selected
+    state is a single `--active` class so an optional Stimulus controller can
+    toggle it as one unit. Values mirror the DS tab tokens (tab-bg-group /
+    tab-item-active / tab-item-hover) but are inlined with `@variant theme-dark`
+    because `@apply`-ing a custom utility drops its dark override. The near-black
+    dark track (alpha-black-700) is what makes the gray-700 selected pill read —
+    the bespoke controls used a too-light `container-inset` track, hence the
+    audit's "selected pill invisible on dark." Focus = neutral outline (matches
+    the canonical focus ring; inlined until that token lands on main).
+  */
+  .segmented-control {
+    @apply inline-flex items-center gap-0.5 p-1 rounded-lg bg-gray-50;
+    @variant theme-dark {
+      @apply bg-alpha-black-700;
+    }
+  }
+
+  .segmented-control__segment {
+    @apply inline-flex items-center justify-center px-2 py-1 rounded-md whitespace-nowrap;
+    @apply text-sm font-medium text-secondary cursor-pointer transition-colors duration-200;
+    @apply hover:bg-gray-200;
+    @apply focus-visible:outline-2 focus-visible:outline-offset-2;
+    @apply focus-visible:outline-alpha-black-400 theme-dark:focus-visible:outline-alpha-white-400;
+    @variant theme-dark {
+      @apply hover:bg-gray-800;
+    }
+  }
+
+  .segmented-control__segment--active {
+    @apply bg-white text-primary shadow-sm hover:bg-white;
+    @variant theme-dark {
+      @apply bg-gray-700 hover:bg-gray-700;
+    }
+  }
+
   /*
     Horizontally scrollable table wrapper (#2137). `overflow-x: auto` so wide
     tables scroll instead of clipping (the LLM-usage table was `overflow-hidden`
diff --git a/app/components/DS/buttonish.rb b/app/components/DS/buttonish.rb
index 653151f95..9d43d1aff 100644
--- a/app/components/DS/buttonish.rb
+++ b/app/components/DS/buttonish.rb
@@ -34,16 +34,25 @@ class DS::Buttonish < DesignSystemComponent
     }
   }.freeze
 
+  # Icon-only containers share a height rail with the text buttons of the
+  # same size (sm ≈ 28px, md ≈ 36px, lg ≈ 48px), so a mixed row — icon
+  # trigger next to text buttons, the most common header layout — lines up
+  # instead of mixing 32/44px squares with 36px buttons.
+  #
+  # pointer-coarse restores the 44px square on touch devices: the visual
+  # rail is a pointer-precision tradeoff, and WCAG 2.5.5's 44x44 target
+  # minimum is about fingers, not mice. Coarse-pointer users get the full
+  # target; fine-pointer users get the aligned row.
   SIZES = {
     sm: {
       container_classes: "px-2 py-1",
-      icon_container_classes: "inline-flex items-center justify-center w-8 h-8",
+      icon_container_classes: "inline-flex items-center justify-center w-7 h-7 pointer-coarse:w-11 pointer-coarse:h-11",
       radius_classes: "rounded-md",
       text_classes: "text-sm"
     },
     md: {
       container_classes: "px-3 py-2",
-      icon_container_classes: "inline-flex items-center justify-center w-11 h-11",
+      icon_container_classes: "inline-flex items-center justify-center w-9 h-9 pointer-coarse:w-11 pointer-coarse:h-11",
       radius_classes: "rounded-lg",
       text_classes: "text-sm"
     },
@@ -77,7 +86,13 @@ class DS::Buttonish < DesignSystemComponent
 
   def container_classes(override_classes = nil)
     class_names(
-      "font-medium whitespace-nowrap",
+      # Tailwind v4 preflight sets `cursor: pointer` on all <button>s, which
+      # also applies while disabled. Override so disabled buttons read as
+      # non-interactive. The aria-disabled twins cover buttons that gate via
+      # `aria-disabled` to stay clickable/focusable (e.g. submit buttons whose
+      # click handler surfaces validation errors — a truly disabled default
+      # submit would also swallow Enter-key implicit submission).
+      "font-medium whitespace-nowrap disabled:cursor-not-allowed aria-disabled:cursor-not-allowed aria-disabled:opacity-50",
       merged_base_classes,
       full_width ? "w-full justify-center" : nil,
       container_size_classes,
diff --git a/app/components/DS/pill.html.erb b/app/components/DS/pill.html.erb
index 2dc15e0ec..67e051905 100644
--- a/app/components/DS/pill.html.erb
+++ b/app/components/DS/pill.html.erb
@@ -10,11 +10,15 @@
 <% else %>
   <span class="<%= container_classes %>" style="<%= container_styles %>" title="<%= title || label %>">
     <% if icon %>
-      <%= helpers.icon(icon, size: "xs", color: "current") %>
+      <span class="shrink-0"><%= helpers.icon(icon, size: icon_size, color: "current") %></span>
     <% elsif show_dot %>
       <span class="inline-block shrink-0 rounded-full"
             style="width: <%= dot_size_px %>px; height: <%= dot_size_px %>px; background-color: <%= dot_color %>;"></span>
     <% end %>
-    <%= label %>
+    <% if truncate || label_testid %>
+      <%= tag.span label, class: ("min-w-0 truncate" if truncate), data: (label_testid ? { testid: label_testid } : nil) %>
+    <% else %>
+      <%= label %>
+    <% end %>
   </span>
 <% end %>
diff --git a/app/components/DS/pill.rb b/app/components/DS/pill.rb
index c45bf056c..b9ef102db 100644
--- a/app/components/DS/pill.rb
+++ b/app/components/DS/pill.rb
@@ -16,7 +16,8 @@ class DS::Pill < DesignSystemComponent
     neutral:     :gray
   }.freeze
 
-  attr_reader :label, :tone, :style, :size, :show_dot, :dot_only, :title, :icon, :marker, :custom_color
+  attr_reader :label, :tone, :style, :size, :show_dot, :dot_only, :title, :icon, :marker, :custom_color,
+              :truncate, :label_testid, :icon_size
 
   # Generic inline pill primitive. Two modes:
   #
@@ -50,8 +51,17 @@ class DS::Pill < DesignSystemComponent
   #   `SEMANTIC_TONE_ALIASES`.
   # - Sure has full violet / indigo / fuchsia / amber / green / gray /
   #   red ramps in the design system; this component picks named tokens
-  #   at render time. No raw hex.
-  def initialize(label: nil, tone: :violet, style: :soft, size: :sm, show_dot: nil, dot_only: false, title: nil, icon: nil, marker: true, custom_color: nil)
+  #   at render time. No raw hex — except `custom_color:`, which exists for
+  #   user-defined entities (categories, tags) whose hue is data, not design.
+  # - `truncate: true` lets the pill shrink inside a `min-w-0` parent and
+  #   ellipsize its label instead of overflowing (dense table cells like the
+  #   transaction row's category column). Default pills stay `shrink-0`.
+  # - `label_testid:` stamps `data-testid` on the label span for system /
+  #   controller tests that need to target the text node.
+  # - `icon_size:` passes through to the icon helper (default "xs"; the
+  #   category badge uses "sm" to keep its established glyph size).
+  def initialize(label: nil, tone: :violet, style: :soft, size: :sm, show_dot: nil, dot_only: false, title: nil, icon: nil, marker: true, custom_color: nil,
+                 truncate: false, label_testid: nil, icon_size: "xs")
     resolved_tone = SEMANTIC_TONE_ALIASES.fetch(tone.to_sym, tone.to_sym)
     @label = label || I18n.t("ds.pill.default_label", default: "Beta")
     @tone = TONES.include?(resolved_tone) ? resolved_tone : :violet
@@ -65,6 +75,9 @@ class DS::Pill < DesignSystemComponent
     @icon = icon
     @marker = marker
     @custom_color = custom_color
+    @truncate = truncate
+    @label_testid = label_testid
+    @icon_size = icon_size
   end
 
   def palette
@@ -149,7 +162,10 @@ class DS::Pill < DesignSystemComponent
 
   def container_classes
     base = [
-      "inline-flex items-center align-middle font-medium whitespace-nowrap shrink-0",
+      "inline-flex items-center align-middle font-medium",
+      # Truncating pills must be allowed to shrink (and let the label span
+      # ellipsize); everything else keeps its intrinsic width.
+      truncate ? "max-w-full min-w-0" : "whitespace-nowrap shrink-0",
       "border leading-none"
     ]
 
diff --git a/app/components/DS/popover.html.erb b/app/components/DS/popover.html.erb
index 7c73246da..1f5baf58b 100644
--- a/app/components/DS/popover.html.erb
+++ b/app/components/DS/popover.html.erb
@@ -9,7 +9,7 @@
         the fallback `ds.popover.avatar_default_label` is used. %>
     <button type="button"
             data-DS--popover-target="button"
-            class="inline-flex items-center justify-center w-11 h-11 cursor-pointer rounded-full focus-visible:outline-2 focus-visible:outline-offset-2 focus-visible:outline-gray-900 theme-dark:focus-visible:outline-white"
+            class="inline-flex items-center justify-center w-9 h-9 pointer-coarse:w-11 pointer-coarse:h-11 cursor-pointer rounded-full focus-visible:outline-2 focus-visible:outline-offset-2 focus-visible:outline-gray-900 theme-dark:focus-visible:outline-white"
             aria-label="<%= trigger_aria_label %>"
             aria-haspopup="dialog"
             aria-expanded="false"
diff --git a/app/components/DS/segmented_control.rb b/app/components/DS/segmented_control.rb
new file mode 100644
index 000000000..38c000e75
--- /dev/null
+++ b/app/components/DS/segmented_control.rb
@@ -0,0 +1,48 @@
+class DS::SegmentedControl < DesignSystemComponent
+  # A single-select pill group — filters, mode switches, compact view toggles.
+  # NOT the full ARIA tab/panel widget; use DS::Tabs for tabs-with-panels.
+  #
+  # Each segment is a link (pass `href:`) or a button (default — pass `data:`
+  # for a Stimulus-driven control). Mark the current one with `active: true`.
+  # The selected style lives in `.segmented-control__segment--active`, so a
+  # controller can toggle selection by flipping that one class.
+  #
+  # `full_width: true` stretches segments to equal width (the "equal-footprint"
+  # the #2137 audit asked for); default is content width.
+  renders_many :segments, ->(label, active: false, href: nil, **opts) do
+    classes = class_names(
+      "segmented-control__segment",
+      ("flex-1" if full_width),
+      ("segmented-control__segment--active" if active),
+      opts.delete(:class)
+    )
+
+    # Expose the selected state to assistive tech: link segments use
+    # `aria-current`, button segments use `aria-pressed`. A Stimulus
+    # controller that toggles `--active` should mirror these (see
+    # budget_filter_controller#filterValueChanged).
+    if href
+      link_to(label, href, class: classes, "aria-current": (active ? "true" : nil), **opts)
+    else
+      content_tag(:button, label, type: "button", class: classes, "aria-pressed": active.to_s, **opts)
+    end
+  end
+
+  attr_reader :full_width, :aria_label
+
+  def initialize(full_width: false, aria_label: nil, **opts)
+    @full_width = full_width
+    @aria_label = aria_label
+    @opts = opts
+  end
+
+  erb_template <<~ERB
+    <%= content_tag :div,
+          class: class_names("segmented-control", ("w-full" if full_width), @opts[:class]),
+          role: "group",
+          "aria-label": aria_label,
+          **@opts.except(:class) do %>
+      <% segments.each do |segment| %><%= segment %><% end %>
+    <% end %>
+  ERB
+end
diff --git a/app/components/DS/select.html.erb b/app/components/DS/select.html.erb
index 1ac9b027f..be136d947 100644
--- a/app/components/DS/select.html.erb
+++ b/app/components/DS/select.html.erb
@@ -31,7 +31,7 @@
         </button>
     </div>
   </div>
-  <div class="absolute z-50 p-1.5 w-full min-w-32 rounded-lg shadow-lg shadow-border-xs bg-container mt-1.5 transition duration-150 ease-out -translate-y-1 opacity-0 hidden" data-select-target="menu">
+  <div class="absolute z-50 p-1.5 w-full min-w-32 rounded-lg shadow-border-lg bg-container mt-1.5 transition duration-150 ease-out -translate-y-1 opacity-0 hidden" data-select-target="menu">
     <% if searchable %>
       <div class="flex items-center bg-container border border-secondary rounded-lg mb-1 focus-within:ring-4 focus-within:ring-alpha-black-200 theme-dark:focus-within:ring-alpha-white-300 transition-shadow">
         <%= render DS::SearchInput.new(
diff --git a/app/components/goals/card_component.html.erb b/app/components/goals/card_component.html.erb
index c42340d19..6c38e7921 100644
--- a/app/components/goals/card_component.html.erb
+++ b/app/components/goals/card_component.html.erb
@@ -5,20 +5,27 @@
   <div class="flex items-start gap-3">
     <%= render Goals::AvatarComponent.new(goal: goal, size: "lg") %>
     <div class="min-w-0 flex-1">
-      <div class="flex items-center gap-2 mb-0.5">
-        <p class="text-base font-medium text-primary truncate">
-          <a href="<%= goal_path(goal) %>"
-             aria-label="<%= aria_label %>"
-             class="before:absolute before:inset-0 before:rounded-xl focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-alpha-black-100">
-            <%= goal.name %>
-          </a>
-        </p>
+      <%# Name owns its row at full width — the status pill moved to the meta
+          line below so it stops eating the title space on narrow cards. %>
+      <p class="text-base font-medium text-primary truncate">
+        <a href="<%= goal_path(goal) %>"
+           aria-label="<%= aria_label %>"
+           class="before:absolute before:inset-0 before:rounded-xl focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-alpha-black-100">
+          <%= goal.name %>
+        </a>
+      </p>
+      <div class="flex items-center gap-2 mt-0.5">
         <%= render Goals::StatusPillComponent.new(goal: goal) %>
+        <% if secondary_line.present? %>
+          <p class="min-w-0 text-xs text-subdued truncate"><%= secondary_line %></p>
+        <% end %>
       </div>
-      <p class="text-xs text-subdued truncate"><%= secondary_line %></p>
     </div>
 
-    <%= render DS::ProgressRing.new(percent: progress_percent, tone: ring_tone) %>
+    <%# shrink-0 keeps the ring at full size; the name block shrinks first. %>
+    <div class="shrink-0">
+      <%= render DS::ProgressRing.new(percent: progress_percent, tone: ring_tone) %>
+    </div>
   </div>
 
   <div class="mt-5">
@@ -31,10 +38,13 @@
     <% end %>
   </div>
 
-  <div class="mt-4 flex items-center justify-between">
-    <div class="flex items-center gap-2">
+  <%# flex-wrap + gap so the account label and the footer line wrap onto
+      separate lines under a gap when cramped, instead of butting together
+      (the "1 accountcatch up" run-on at narrow card widths). %>
+  <div class="mt-4 flex flex-wrap items-center justify-between gap-x-3 gap-y-1">
+    <div class="flex items-center gap-2 min-w-0">
       <%= render Goals::AccountStackComponent.new(accounts: linked_accounts, color_map: goal.account_color_map) %>
-      <span class="text-xs text-subdued"><%= linked_accounts_count_label %></span>
+      <span class="text-xs text-subdued whitespace-nowrap"><%= linked_accounts_count_label %></span>
     </div>
     <span class="text-xs text-subdued tabular-nums <%= "privacy-sensitive" if footer_has_money? %>">
       <%= footer_line %><% if has_pending_pledge? %> · <%= t("goals.goal_card.pending_count", count: pending_pledges_count) %><% end %>
diff --git a/app/components/goals/card_component.rb b/app/components/goals/card_component.rb
index 7ebca94dd..2a1d23fc2 100644
--- a/app/components/goals/card_component.rb
+++ b/app/components/goals/card_component.rb
@@ -51,17 +51,18 @@ class Goals::CardComponent < ApplicationComponent
   end
 
   def secondary_line
-    if goal.completed?
-      I18n.t("goals.goal_card.completed")
-    elsif goal.target_date.nil?
-      I18n.t("goals.goal_card.no_target_date")
+    # nil when the status pill already carries it — the pill now sits on this
+    # same meta line, so "Completed Completed" / "Open Open" would read twice.
+    return nil if goal.completed? || goal.target_date.nil?
+
+    days = (goal.target_date - Date.current).to_i
+    if days >= 0
+      # Count only ("211 days left"); the full target date lives on the show
+      # page. Appending "· by <long date>" here overflowed the card's single
+      # line and truncated to a useless "211 d…".
+      I18n.t("goals.goal_card.days_left", count: days)
     else
-      days = (goal.target_date - Date.current).to_i
-      if days >= 0
-        I18n.t("goals.goal_card.days_left_by", count: days, date: I18n.l(goal.target_date, format: :long))
-      else
-        I18n.t("goals.goal_card.past_due")
-      end
+      I18n.t("goals.goal_card.past_due")
     end
   end
 
diff --git a/app/controllers/admin/sso_providers_controller.rb b/app/controllers/admin/sso_providers_controller.rb
index 97bc86fa3..ca493380b 100644
--- a/app/controllers/admin/sso_providers_controller.rb
+++ b/app/controllers/admin/sso_providers_controller.rb
@@ -50,7 +50,8 @@ module Admin
       authorize @sso_provider
 
       # Auto-update redirect_uri if name changed
-      params_hash = processed_params.to_h
+      params_hash = processed_params.to_h.with_indifferent_access
+      params_hash.delete(:client_secret) if params_hash[:client_secret].blank?
       if params_hash[:name].present? && params_hash[:name] != @sso_provider.name
         params_hash[:redirect_uri] = "#{request.base_url}/auth/#{params_hash[:name]}/callback"
       end
diff --git a/app/controllers/api/v1/merchants_controller.rb b/app/controllers/api/v1/merchants_controller.rb
index c11c7246c..cf190fc06 100644
--- a/app/controllers/api/v1/merchants_controller.rb
+++ b/app/controllers/api/v1/merchants_controller.rb
@@ -2,29 +2,14 @@
 
 module Api
   module V1
-    # API v1 endpoint for merchants
-    # Provides read-only access to family and provider merchants
-    #
-    # @example List all merchants
-    #   GET /api/v1/merchants
-    #
-    # @example Get a specific merchant
-    #   GET /api/v1/merchants/:id
-    #
     class MerchantsController < BaseController
-      before_action -> { authorize_scope!(:read) }
+      before_action -> { authorize_scope!(:read) }, only: [ :index, :show ]
+      before_action -> { authorize_scope!(:write) }, only: [ :create ]
 
-      # List all merchants available to the family
-      #
-      # Returns both family-owned merchants and provider merchants
-      # that are assigned to the family's transactions.
-      #
-      # @return [Array<Hash>] JSON array of merchant objects
       def index
         family = current_resource_owner.family
         user = current_resource_owner
 
-        # Single query with OR conditions - more efficient than Ruby deduplication
         family_merchant_ids = family.merchants.select(:id)
         accessible_account_ids = family.accounts.accessible_by(user).select(:id)
         provider_merchant_ids = Transaction.joins(:entry)
@@ -44,13 +29,6 @@ module Api
         render json: { error: "Failed to fetch merchants" }, status: :internal_server_error
       end
 
-      # Get a specific merchant by ID
-      #
-      # Returns a merchant if it belongs to the family or is assigned
-      # to any of the family's transactions.
-      #
-      # @param id [String] The merchant ID
-      # @return [Hash] JSON merchant object or error
       def show
         family = current_resource_owner.family
         user = current_resource_owner
@@ -71,12 +49,83 @@ module Api
         render json: { error: "Failed to fetch merchant" }, status: :internal_server_error
       end
 
+      def create
+        family = current_resource_owner.family
+
+        unless params[:file].present?
+          return render json: { error: "missing_file", message: "Please provide a CSV file." },
+                        status: :unprocessable_entity
+        end
+
+        file = params[:file]
+
+        if file.size > Import::MAX_CSV_SIZE
+          return render json: {
+            error: "file_too_large",
+            message: "File is too large. Maximum size is #{Import::MAX_CSV_SIZE / 1.megabyte}MB."
+          }, status: :unprocessable_entity
+        end
+
+        unless Import::ALLOWED_CSV_MIME_TYPES.include?(file.content_type)
+          return render json: {
+            error: "invalid_file_type",
+            message: "Invalid file type. Please upload a CSV file."
+          }, status: :unprocessable_entity
+        end
+
+        csv = Import.parse_csv_str(file.read)
+
+        name_header = normalized_header(csv.headers, "name")
+        unless name_header
+          return render json: {
+            error: "missing_column",
+            message: "CSV must include a 'name' column."
+          }, status: :unprocessable_entity
+        end
+
+        color_header = normalized_header(csv.headers, "color")
+        website_url_header = normalized_header(csv.headers, "website_url", "website url", "website")
+
+        imported = []
+        skipped = []
+
+        csv.each do |row|
+          name = row[name_header].to_s.strip
+          next if name.blank?
+
+          merchant = family.merchants.find_or_initialize_by(name: name)
+
+          if merchant.persisted?
+            skipped << { name: name, reason: "already_exists" }
+            next
+          end
+
+          merchant.color = row[color_header].to_s.strip.presence if color_header
+          merchant.website_url = row[website_url_header].to_s.strip.presence if website_url_header
+
+          if merchant.save
+            imported << merchant
+          else
+            skipped << { name: name, errors: merchant.errors.full_messages }
+          end
+        end
+
+        render json: {
+          imported: imported.count,
+          skipped: skipped.count,
+          merchants: imported.map { |m| merchant_json(m) }
+        }, status: :created
+      rescue CSV::MalformedCSVError => e
+        render json: { error: "invalid_csv", message: "CSV could not be parsed: #{e.message}" },
+               status: :unprocessable_entity
+      rescue StandardError => e
+        Rails.logger.error("API Merchants Import Error: #{e.message}")
+        render json: { error: "internal_server_error", message: "An unexpected error occurred" },
+               status: :internal_server_error
+      end
+
       private
 
-        # Serialize a merchant to JSON format
-        #
-        # @param merchant [Merchant] The merchant to serialize
-        # @return [Hash] JSON-serializable hash
         def merchant_json(merchant)
           {
             id: merchant.id,
@@ -86,6 +135,19 @@ module Api
             updated_at: merchant.updated_at
           }
         end
+
+        def normalized_header(headers, *candidates)
+          normalized_map = headers.to_h { |h| [ normalize(h), h ] }
+          candidates.each do |candidate|
+            header = normalized_map[normalize(candidate)]
+            return header if header.present?
+          end
+          nil
+        end
+
+        def normalize(str)
+          str.to_s.strip.downcase.gsub(/\*/, "").gsub(/[\s_-]+/, "_")
+        end
     end
   end
 end
diff --git a/app/controllers/imports_controller.rb b/app/controllers/imports_controller.rb
index 194a55dd3..0c13a57ae 100644
--- a/app/controllers/imports_controller.rb
+++ b/app/controllers/imports_controller.rb
@@ -111,7 +111,8 @@ class ImportsController < ApplicationController
     if !@import.uploaded?
       redirect_to import_upload_path(@import), alert: t("imports.show.finalize_upload")
     elsif !@import.publishable?
-      redirect_to import_confirm_path(@import), alert: t("imports.show.finalize_mappings")
+      next_path = @import.mapping_steps.empty? ? import_clean_path(@import) : import_confirm_path(@import)
+      redirect_to next_path, alert: t("imports.show.finalize_mappings")
     end
   end
 
diff --git a/app/controllers/transactions_controller.rb b/app/controllers/transactions_controller.rb
index 2fd63e4be..9387d7550 100644
--- a/app/controllers/transactions_controller.rb
+++ b/app/controllers/transactions_controller.rb
@@ -9,9 +9,7 @@ class TransactionsController < ApplicationController
     prefill_params_from_duplicate!
     super
     apply_duplicate_attributes!
-    @income_categories = Current.family.categories.incomes.alphabetically
-    @expense_categories = Current.family.categories.expenses.alphabetically
-    @categories = Current.family.categories.alphabetically
+    set_new_transaction_form_options
   end
 
   def index
@@ -117,6 +115,7 @@ class TransactionsController < ApplicationController
         format.turbo_stream { stream_redirect_back_or_to(account_path(@entry.account)) }
       end
     else
+      set_new_transaction_form_options
       render :new, status: :unprocessable_entity
     end
   end
@@ -489,6 +488,21 @@ class TransactionsController < ApplicationController
       set_entry
     end
 
+    def set_new_transaction_form_options
+      accessible_accounts_scope = accessible_accounts
+
+      @account_currencies = accessible_accounts_scope.pluck(:id, :currency).to_h
+      @manual_accounts = accessible_accounts_scope
+        .manual
+        .active
+        .alphabetically
+        .includes(:account_providers, logo_attachment: :blob)
+        .to_a
+      @categories = Current.family.categories.alphabetically.to_a
+      @merchants = Current.family.available_merchants_for(Current.user).alphabetically.to_a
+      @tags = Current.family.tags.alphabetically.to_a
+    end
+
     # Filters entry_params based on the user's permission on the account.
     # read_write users can only annotate (category, tags, notes, merchant).
     # read_only users cannot update anything.
diff --git a/app/helpers/imports_helper.rb b/app/helpers/imports_helper.rb
index 30f986bce..c98d023ec 100644
--- a/app/helpers/imports_helper.rb
+++ b/app/helpers/imports_helper.rb
@@ -25,7 +25,9 @@ module ImportsHelper
       entity_type: I18n.t("imports.column_labels.entity_type"),
       category_parent: I18n.t("imports.column_labels.category_parent"),
       category_color: I18n.t("imports.column_labels.category_color"),
-      category_icon: I18n.t("imports.column_labels.category_icon")
+      category_icon: I18n.t("imports.column_labels.category_icon"),
+      merchant_color: I18n.t("imports.column_labels.merchant_color"),
+      merchant_website: I18n.t("imports.column_labels.merchant_website")
     }[key]
   end
 
@@ -80,7 +82,7 @@ module ImportsHelper
 
   private
     def permitted_import_types
-      %w[transaction_import trade_import account_import mint_import actual_import category_import rule_import]
+      %w[transaction_import trade_import account_import mint_import actual_import category_import rule_import merchant_import]
     end
 
     DryRunResource = Struct.new(:label, :icon, :text_class, :bg_class, keyword_init: true)
diff --git a/app/javascript/controllers/budget_filter_controller.js b/app/javascript/controllers/budget_filter_controller.js
index 2187a0f65..0d73e4f43 100644
--- a/app/javascript/controllers/budget_filter_controller.js
+++ b/app/javascript/controllers/budget_filter_controller.js
@@ -32,11 +32,13 @@ export default class extends Controller {
 
     this.tabTargets.forEach((tab) => {
       const isActive = tab.dataset.budgetFilterFilterParam === filter;
-      tab.classList.toggle("bg-white", isActive);
-      tab.classList.toggle("theme-dark:bg-gray-700", isActive);
-      tab.classList.toggle("text-primary", isActive);
-      tab.classList.toggle("shadow-sm", isActive);
-      tab.classList.toggle("text-secondary", !isActive);
+      // Selected styling is encapsulated in the DS::SegmentedControl active
+      // class; the base `.segmented-control__segment` already carries the
+      // inactive (text-secondary) state.
+      tab.classList.toggle("segmented-control__segment--active", isActive);
+      // Keep assistive tech in sync with the visual selection (these are
+      // button segments, so aria-pressed).
+      tab.setAttribute("aria-pressed", String(isActive));
     });
   }
 
diff --git a/app/javascript/controllers/goal_form_controller.js b/app/javascript/controllers/goal_form_controller.js
index 251d50aae..eb556b81e 100644
--- a/app/javascript/controllers/goal_form_controller.js
+++ b/app/javascript/controllers/goal_form_controller.js
@@ -18,6 +18,7 @@ export default class extends Controller {
     "accountsError",
     "linkedAccountCheckbox",
     "suggested",
+    "submitButton",
   ];
 
   static INVALID_INPUT_CLASSES = ["ring-2", "ring-destructive", "border-destructive"];
@@ -26,6 +27,11 @@ export default class extends Controller {
     currency: { type: String, default: "USD" },
     suggestedWithDate: { type: String, default: "Save {monthly}/mo across {accounts} to hit it on time." },
     suggestedNoDate: { type: String, default: "Set a target date to project a finish line." },
+    // Only the create form must pick an account. On edit the checkboxes are
+    // populated from visible accounts only, so a goal backed by a now-hidden
+    // account renders none — and the controller preserves existing links when
+    // account_ids is omitted. Requiring a checkbox there would wedge the form.
+    requireAccount: { type: Boolean, default: true },
   };
 
   connect() {
@@ -35,12 +41,16 @@ export default class extends Controller {
       this._defaultAvatarHTML = this.avatarPreviewTarget.innerHTML;
     }
     this.updateSuggested();
+    // Edit form arrives pre-filled (valid) so this clears immediately; new
+    // form arrives empty so the submit starts visually disabled.
+    this.refreshSubmitState();
   }
 
   nameChanged() {
     if (this.hasNameInputTarget) {
       this.clearFieldError(this.nameInputTarget, this.hasNameErrorTarget ? this.nameErrorTarget : null);
     }
+    this.refreshSubmitState();
     if (!this.hasAvatarPreviewTarget || !this.hasNameInputTarget) return;
 
     // If the user has explicitly picked an icon, leave it alone. Name
@@ -62,6 +72,7 @@ export default class extends Controller {
     if (this.hasAmountInputTarget) {
       this.clearFieldError(this.amountInputTarget, this.hasAmountErrorTarget ? this.amountErrorTarget : null);
     }
+    this.refreshSubmitState();
   }
 
   linkedAccountChanged() {
@@ -69,6 +80,64 @@ export default class extends Controller {
     if (this.linkedAccountCheckboxTargets.some((cb) => cb.checked) && this.hasAccountsErrorTarget) {
       this.accountsErrorTarget.classList.add("hidden");
     }
+    this.refreshSubmitState();
+  }
+
+  // Required to create a goal: a name, a positive target amount, and at least
+  // one funding account. Mirrors the server-side Goal validations (name
+  // presence, target_amount > 0, must_have_at_least_one_linked_account) so the
+  // button only enables when a submit would actually succeed.
+  isValid() {
+    const name = this.hasNameInputTarget ? this.nameInputTarget.value.trim() : "";
+    const amount = this.hasAmountInputTarget ? Number.parseFloat(this.amountInputTarget.value) : Number.NaN;
+    const accountOk = !this.requireAccountValue || this.linkedAccountCheckboxTargets.some((cb) => cb.checked);
+    return name.length > 0 && Number.isFinite(amount) && amount > 0 && accountOk;
+  }
+
+  // `aria-disabled` instead of the `disabled` attribute: a truly disabled
+  // default submit also blocks Enter-key implicit submission, so an invalid
+  // form would be a dead button with every inline error still hidden. With
+  // aria-disabled the button keeps its not-allowed affordance (styled via the
+  // DS `aria-disabled:` variants) while clicks and Enter still reach
+  // validateOnSubmit, which surfaces the errors and moves focus.
+  refreshSubmitState() {
+    if (this.hasSubmitButtonTarget) {
+      this.submitButtonTarget.setAttribute("aria-disabled", String(!this.isValid()));
+    }
+  }
+
+  // The real gate for the submit: covers the funding-accounts group (a
+  // checkbox group can't carry native `required`) and everything the
+  // aria-disabled affordance merely hints at. Surfaces the inline errors and
+  // focuses the first offending field instead of a silent no-op.
+  validateOnSubmit(event) {
+    if (this.isValid()) return;
+
+    event.preventDefault();
+
+    const nameEmpty = !(this.hasNameInputTarget && this.nameInputTarget.value.trim().length > 0);
+    const amount = this.hasAmountInputTarget ? Number.parseFloat(this.amountInputTarget.value) : Number.NaN;
+    const amountInvalid = !(Number.isFinite(amount) && amount > 0);
+    const noAccount = this.requireAccountValue && !this.linkedAccountCheckboxTargets.some((cb) => cb.checked);
+
+    if (nameEmpty) {
+      this.showFieldError(this.nameInputTarget, this.hasNameErrorTarget ? this.nameErrorTarget : null);
+    }
+    if (amountInvalid) {
+      this.showFieldError(this.amountInputTarget, this.hasAmountErrorTarget ? this.amountErrorTarget : null);
+    }
+    if (noAccount && this.hasAccountsErrorTarget) {
+      this.accountsErrorTarget.classList.remove("hidden");
+    }
+
+    const firstInvalid = nameEmpty
+      ? this.nameInputTarget
+      : amountInvalid
+        ? this.amountInputTarget
+        : noAccount
+          ? this.linkedAccountCheckboxTargets[0]
+          : null;
+    firstInvalid?.focus();
   }
 
   // Hook for any input that influences the suggested-pace hint
diff --git a/app/javascript/controllers/sync_toast_controller.js b/app/javascript/controllers/sync_toast_controller.js
index 567f54635..20cfc4c9e 100644
--- a/app/javascript/controllers/sync_toast_controller.js
+++ b/app/javascript/controllers/sync_toast_controller.js
@@ -2,32 +2,114 @@ import { Controller } from "@hotwired/stimulus";
 
 // Connects to data-controller="sync-toast"
 //
-// Shown when a background sync completes and the family's data changes.
-// - If the user is not interacting with a form, auto-reloads after a short delay.
-// - If the user is mid-form, the toast stays visible so they can choose when to refresh.
+// Shown when a background sync completes and the family's data has changed.
+// - Idle              → morph-refreshes the page after a short delay.
+// - Mid-form          → stays put; the user refreshes when ready.
+// - A modal <dialog> is open → the toast is deferred (it would otherwise sit
+//   dimmed-but-clickable behind the dialog's top-layer backdrop, and a refresh
+//   would close the dialog and discard its in-progress input). It is revealed
+//   once the dialog closes — the first moment a refresh is actually safe.
 export default class extends Controller {
   static values = {
     autoRefreshDelay: { type: Number, default: 2000 },
   };
 
   connect() {
-    if (!this.#userIsInteracting()) {
-      this._timer = setTimeout(() => this.refresh(), this.autoRefreshDelayValue);
+    if (this.#dialogOpen()) {
+      this.#deferUntilDialogCloses();
+      return;
     }
+    this.#arm();
   }
 
   disconnect() {
     clearTimeout(this._timer);
+    this.#removeDeferredDialogListener();
   }
 
+  // Turbo 8 morph refresh (the app sets `turbo_refreshes_with method: :morph,
+  // scroll: :preserve`) instead of window.location.reload(): no white flash,
+  // scroll position and `data-turbo-permanent` elements (the AI chat panel)
+  // are preserved.
   refresh() {
     clearTimeout(this._timer);
-    window.location.reload();
+    Turbo.visit(window.location.href, { action: "replace" });
+  }
+
+  #arm() {
+    if (this.#userIsInteracting()) return; // mid-form: wait for a manual refresh
+    // Re-check at fire time, not just arm time: the post-dialog reveal often
+    // lands on a form the dialog was sitting on, and the user resumes typing
+    // inside this window (a morph would wipe their non-turbo-permanent
+    // input). A dialog opened during the window is the same hazard — the
+    // refresh would close it. Either way, bail and leave the toast visible
+    // for a manual refresh, matching the mid-form behavior.
+    this._timer = setTimeout(() => {
+      if (this.#userIsInteracting() || this.#dialogOpen()) return;
+      this.refresh();
+    }, this.autoRefreshDelayValue);
+  }
+
+  #deferUntilDialogCloses() {
+    this.element.style.display = "none";
+    const dialog = document.querySelector("dialog[open]");
+    if (!dialog) {
+      this.#reveal();
+      return;
+    }
+    // Keep refs so disconnect() can detach this listener. Otherwise a toast
+    // replaced by a newer broadcast while the dialog is still open stays
+    // subscribed, and its now-detached controller fires #reveal()/#arm() on
+    // close — a spurious auto-refresh from a stale toast.
+    //
+    // Known edge: if this dialog leaves the DOM without firing `close` (e.g.
+    // a morph removes it), the toast stays hidden until the next broadcast
+    // replaces it. Acceptable: the next sync re-delivers the toast.
+    this._deferredDialog = dialog;
+    this._dialogCloseHandler = () => this.#onDialogClose();
+    dialog.addEventListener("close", this._dialogCloseHandler, { once: true });
+  }
+
+  #onDialogClose() {
+    // The `once` listener has already fired and detached itself.
+    this._deferredDialog = null;
+    this._dialogCloseHandler = null;
+    // Another dialog may still be open (stacked modals) — keep deferring until
+    // every dialog has closed.
+    if (this.#dialogOpen()) {
+      this.#deferUntilDialogCloses();
+      return;
+    }
+    this.#reveal();
+  }
+
+  #removeDeferredDialogListener() {
+    if (this._deferredDialog && this._dialogCloseHandler) {
+      this._deferredDialog.removeEventListener(
+        "close",
+        this._dialogCloseHandler,
+      );
+    }
+    this._deferredDialog = null;
+    this._dialogCloseHandler = null;
+  }
+
+  #reveal() {
+    this.element.style.display = "";
+    this.#arm();
+  }
+
+  #dialogOpen() {
+    return !!document.querySelector("dialog[open]");
   }
 
   #userIsInteracting() {
     const el = document.activeElement;
-    if (!el || el === document.body || el === document.documentElement) return false;
-    return el.isContentEditable || el.closest("form, dialog, [role='dialog']") !== null;
+    if (!el || el === document.body || el === document.documentElement)
+      return false;
+    return (
+      el.isContentEditable ||
+      el.closest("form, dialog, [role='dialog']") !== null
+    );
   }
 }
diff --git a/app/models/family/sync_complete_event.rb b/app/models/family/sync_complete_event.rb
index 859e380fd..3949990d3 100644
--- a/app/models/family/sync_complete_event.rb
+++ b/app/models/family/sync_complete_event.rb
@@ -6,10 +6,11 @@ class Family::SyncCompleteEvent
   end
 
   def broadcast
-    # Append a lightweight toast to the notification tray instead of a full
-    # page refresh.  The sync-toast Stimulus controller handles two cases:
-    #   - User is idle       → auto-reloads after a short delay
-    #   - User is mid-form   → toast stays visible; user clicks "Refresh now"
+    # Replace the #sync-toast slot with a lightweight toast instead of a full
+    # page refresh.  The sync-toast Stimulus controller handles three cases:
+    #   - User is idle         → morph-refreshes after a short delay
+    #   - User is mid-form     → toast stays visible; user clicks "Refresh"
+    #   - A modal is open      → toast defers until the dialog closes
     #
     # This avoids wiping in-progress form state when a background sync fires.
     # The partial contains no user-scoped data (Current.user is nil here), so
diff --git a/app/models/goal.rb b/app/models/goal.rb
index da4f597af..67c4f6dae 100644
--- a/app/models/goal.rb
+++ b/app/models/goal.rb
@@ -101,8 +101,10 @@ class Goal < ApplicationRecord
       100
     elsif target_amount.to_d.zero?
       0
+    elsif remaining_amount.to_d.zero?
+      100
     else
-      [ ((current_balance.to_d / target_amount.to_d) * 100).round, 100 ].min
+      ((current_balance.to_d / target_amount.to_d) * 100).floor.clamp(0, 99)
     end
   end
 
@@ -238,14 +240,14 @@ class Goal < ApplicationRecord
     end
   end
 
-  # :reached         → progress_percent >= 100
+  # :reached         → completed, or no remaining amount
   # :on_track        → has target_date and pace >= required monthly
   # :behind          → has target_date and pace < required monthly
   # :no_target_date  → open-ended
   def status
     return @status if defined?(@status)
 
-    @status = if progress_percent >= 100
+    @status = if completed? || remaining_amount.to_d.zero?
       :reached
     elsif target_date.nil?
       :no_target_date
diff --git a/app/models/import.rb b/app/models/import.rb
index 4ea45f684..6c68dce9b 100644
--- a/app/models/import.rb
+++ b/app/models/import.rb
@@ -10,7 +10,7 @@ class Import < ApplicationRecord
 
   DOCUMENT_TYPES = %w[bank_statement credit_card_statement investment_statement financial_document contract other].freeze
 
-  TYPES = %w[TransactionImport TradeImport AccountImport MintImport ActualImport CategoryImport RuleImport PdfImport QifImport SureImport].freeze
+  TYPES = %w[TransactionImport TradeImport AccountImport MintImport ActualImport CategoryImport RuleImport MerchantImport PdfImport QifImport SureImport].freeze
   SIGNAGE_CONVENTIONS = %w[inflows_positive inflows_negative]
   SEPARATORS = [ [ "Comma (,)", "," ], [ "Semicolon (;)", ";" ] ].freeze
 
diff --git a/app/models/investment_flow_statement.rb b/app/models/investment_flow_statement.rb
index 66d68b7a9..229e6115e 100644
--- a/app/models/investment_flow_statement.rb
+++ b/app/models/investment_flow_statement.rb
@@ -1,6 +1,16 @@
 class InvestmentFlowStatement
   include Monetizable
 
+  CONTRIBUTIONS_TOTAL_SQL = Arel.sql(
+    "COALESCE(ABS(SUM(CASE WHEN transactions.investment_activity_label = 'Contribution' " \
+    "THEN entries.amount ELSE 0 END)), 0)"
+  )
+  WITHDRAWALS_TOTAL_SQL = Arel.sql(
+    "COALESCE(ABS(SUM(CASE WHEN transactions.investment_activity_label = 'Withdrawal' " \
+    "THEN entries.amount ELSE 0 END)), 0)"
+  )
+  private_constant :CONTRIBUTIONS_TOTAL_SQL, :WITHDRAWALS_TOTAL_SQL
+
   attr_reader :family, :user
 
   def initialize(family, user: nil)
@@ -18,13 +28,14 @@ class InvestmentFlowStatement
       .where(investment_activity_label: %w[Contribution Withdrawal])
 
     if user
-      scope = scope.joins(entry: :account).merge(Account.included_in_finances_for(user))
+      account_ids = family.accounts.included_in_finances_for(user).select(:id)
+      scope = scope.where(entries: { account_id: account_ids })
     end
 
-    transactions = scope
-
-    contributions = transactions.where(investment_activity_label: "Contribution").sum("entries.amount").abs
-    withdrawals = transactions.where(investment_activity_label: "Withdrawal").sum("entries.amount").abs
+    contributions, withdrawals = scope.pick(
+      CONTRIBUTIONS_TOTAL_SQL,
+      WITHDRAWALS_TOTAL_SQL
+    )
 
     PeriodTotals.new(
       contributions: Money.new(contributions, family.currency),
diff --git a/app/models/merchant_import.rb b/app/models/merchant_import.rb
new file mode 100644
index 000000000..58eb681de
--- /dev/null
+++ b/app/models/merchant_import.rb
@@ -0,0 +1,110 @@
+class MerchantImport < Import
+  def import!
+    transaction do
+      rows.each do |row|
+        merchant_name = row.name.to_s.strip
+        next if merchant_name.blank?
+
+        merchant = family.merchants.find_or_initialize_by(name: merchant_name)
+        next unless merchant.new_record?
+
+        merchant.color = row.merchant_color.presence || FamilyMerchant::COLORS.sample
+        merchant.website_url = row.merchant_website.presence
+        merchant.save!
+      end
+    end
+  end
+
+  def column_keys
+    %i[name merchant_color merchant_website]
+  end
+
+  def required_column_keys
+    %i[name]
+  end
+
+  def mapping_steps
+    []
+  end
+
+  def dry_run
+    { merchants: rows_count }
+  end
+
+  def csv_template
+    template = <<-CSV
+      name*,color,website_url
+      Coffee Shop,#e99537,https://coffeeshop.com
+      Pizza Palace,#4da568,https://pizzapalace.com
+      Bookstore,,
+    CSV
+
+    CSV.parse(template, headers: true)
+  end
+
+  def generate_rows_from_csv
+    rows.destroy_all
+
+    validate_required_headers!
+
+    name_header = header_for("name")
+    color_header = header_for("color")
+    website_header = header_for("website_url", "website url", "website")
+
+    csv_rows.each.with_index(1) do |row, index|
+      rows.create!(
+        source_row_number: index,
+        name: row[name_header].to_s.strip,
+        merchant_color: row[color_header].to_s.strip,
+        merchant_website: row[website_header].to_s.strip,
+        currency: default_currency
+      )
+    end
+  end
+
+  private
+    def validate_required_headers!
+      missing_headers = required_column_keys.map(&:to_s).reject { |key| header_for(key).present? }
+      return if missing_headers.empty?
+
+      errors.add(:base, :missing_columns, columns: missing_headers.join(", "))
+      raise ActiveRecord::RecordInvalid.new(self)
+    end
+
+    def header_for(*candidates)
+      candidates.each do |candidate|
+        normalized = normalize_header(candidate)
+        header = normalized_headers[normalized]
+        return header if header.present?
+      end
+
+      nil
+    end
+
+    def normalized_headers
+      @normalized_headers ||= begin
+        result = {}
+        duplicates = []
+
+        csv_headers.each do |header|
+          key = normalize_header(header)
+          if result.key?(key)
+            duplicates << header
+          else
+            result[key] = header
+          end
+        end
+
+        if duplicates.any?
+          errors.add(:base, :duplicate_columns, columns: duplicates.join(", "))
+          raise ActiveRecord::RecordInvalid.new(self)
+        end
+
+        result
+      end
+    end
+
+    def normalize_header(header)
+      header.to_s.strip.downcase.gsub(/\*/, "").gsub(/[\s-]+/, "_")
+    end
+end
diff --git a/app/views/admin/sso_providers/_form.html.erb b/app/views/admin/sso_providers/_form.html.erb
index 9845bab1a..a49adb22d 100644
--- a/app/views/admin/sso_providers/_form.html.erb
+++ b/app/views/admin/sso_providers/_form.html.erb
@@ -83,7 +83,9 @@
     <%= form.password_field :client_secret,
         label: t("admin.sso_providers.form.client_secret_label"),
         placeholder: sso_provider.persisted? ? t("admin.sso_providers.form.client_secret_placeholder_existing") : t("admin.sso_providers.form.client_secret_placeholder_new"),
-        required: !sso_provider.persisted? %>
+        required: !sso_provider.persisted?,
+        autocomplete: "new-password",
+        value: nil %>
     <% if sso_provider.persisted? %>
       <p class="text-xs text-secondary -mt-2"><%= t("admin.sso_providers.form.client_secret_help_existing") %></p>
     <% end %>
@@ -190,14 +192,18 @@
   <div class="border-t border-primary pt-4 space-y-4">
     <h3 class="font-medium text-primary"><%= t("admin.sso_providers.form.provisioning_title") %></h3>
 
-    <%= form.select "settings[default_role]",
-        options_for_select([
-          [t("admin.sso_providers.form.role_guest", default: "Guest"), "guest"],
-          [t("admin.sso_providers.form.role_member"), "member"],
-          [t("admin.sso_providers.form.role_admin"), "admin"],
-          [t("admin.sso_providers.form.role_super_admin"), "super_admin"]
-        ], sso_provider.settings&.dig("default_role").to_s.presence || "member"),
-        { label: t("admin.sso_providers.form.default_role_label"), include_blank: false } %>
+    <div class="form-field">
+      <%= label_tag "sso_provider_settings_default_role", t("admin.sso_providers.form.default_role_label"), class: "form-field__label" %>
+      <%= select_tag "sso_provider[settings][default_role]",
+          options_for_select([
+            [t("admin.sso_providers.form.role_guest", default: "Guest"), "guest"],
+            [t("admin.sso_providers.form.role_member"), "member"],
+            [t("admin.sso_providers.form.role_admin"), "admin"],
+            [t("admin.sso_providers.form.role_super_admin"), "super_admin"]
+          ], sso_provider.settings&.dig("default_role").to_s.presence || "member"),
+          id: "sso_provider_settings_default_role",
+          class: "form-field__input" %>
+    </div>
     <p class="text-xs text-secondary -mt-2"><%= t("admin.sso_providers.form.default_role_help") %></p>
 
     <details class="mt-4">
@@ -249,22 +255,29 @@
     <h3 class="font-medium text-primary"><%= t("admin.sso_providers.form.advanced_title") %></h3>
 
     <div>
-      <%= form.text_field "settings[scopes]",
-          label: t("admin.sso_providers.form.scopes_label"),
-          value: sso_provider.settings&.dig("scopes"),
-          placeholder: "openid email profile groups" %>
+      <%= label_tag "sso_provider_settings_scopes", t("admin.sso_providers.form.scopes_label"), class: "form-field__label" %>
+      <%= text_field_tag "sso_provider[settings][scopes]",
+          sso_provider.settings&.dig("scopes"),
+          id: "sso_provider_settings_scopes",
+          class: "form-field__input",
+          placeholder: "openid email profile groups",
+          autocomplete: "off" %>
       <p class="text-xs text-secondary mt-1"><%= t("admin.sso_providers.form.scopes_help") %></p>
     </div>
 
-    <%= form.select "settings[prompt]",
-        options_for_select([
-          [t("admin.sso_providers.form.prompt_default"), ""],
-          [t("admin.sso_providers.form.prompt_login"), "login"],
-          [t("admin.sso_providers.form.prompt_consent"), "consent"],
-          [t("admin.sso_providers.form.prompt_select_account"), "select_account"],
-          [t("admin.sso_providers.form.prompt_none"), "none"]
-        ], sso_provider.settings&.dig("prompt")),
-        { label: t("admin.sso_providers.form.prompt_label"), include_blank: false } %>
+    <div class="form-field">
+      <%= label_tag "sso_provider_settings_prompt", t("admin.sso_providers.form.prompt_label"), class: "form-field__label" %>
+      <%= select_tag "sso_provider[settings][prompt]",
+          options_for_select([
+            [t("admin.sso_providers.form.prompt_default"), ""],
+            [t("admin.sso_providers.form.prompt_login"), "login"],
+            [t("admin.sso_providers.form.prompt_consent"), "consent"],
+            [t("admin.sso_providers.form.prompt_select_account"), "select_account"],
+            [t("admin.sso_providers.form.prompt_none"), "none"]
+          ], sso_provider.settings&.dig("prompt")),
+          id: "sso_provider_settings_prompt",
+          class: "form-field__input" %>
+    </div>
     <p class="text-xs text-secondary -mt-2"><%= t("admin.sso_providers.form.prompt_help") %></p>
   </div>
 
diff --git a/app/views/budgets/_budget_tabs.html.erb b/app/views/budgets/_budget_tabs.html.erb
index cdb82ba31..71dd65458 100644
--- a/app/views/budgets/_budget_tabs.html.erb
+++ b/app/views/budgets/_budget_tabs.html.erb
@@ -1,31 +1,19 @@
+<% current_filter = %w[all over_budget on_track].include?(params[:filter]) ? params[:filter] : "all" %>
 <div class="w-full flex justify-center">
-    <div class="max-w-full w-full lg:w-auto overflow-x-auto no-scrollbar">
-        <div class="w-full inline-flex whitespace-nowrap bg-container-inset rounded-lg p-1 text-sm font-medium gap-0.5">
-
-        <button
-            data-action="click->budget-filter#setFilter"
-            data-budget-filter-filter-param="all"
-            data-budget-filter-target="tab"
-            class="w-full inline-flex justify-center items-center text-sm font-medium px-2 py-1 rounded-md transition-colors duration-200 bg-white theme-dark:bg-gray-700 text-primary shadow-sm">
-            <%= t("budgets.show.filter.all") %>
-        </button>
-
-        <button
-            data-action="click->budget-filter#setFilter"
-            data-budget-filter-filter-param="over_budget"
-            data-budget-filter-target="tab"
-            class="w-full inline-flex justify-center items-center text-sm font-medium px-2 py-1 rounded-md transition-colors duration-200 shadow-sm">
-            <%= t("budgets.show.filter.over_budget") %>
-        </button>
-
-        <button
-            data-action="click->budget-filter#setFilter"
-            data-budget-filter-filter-param="on_track"
-            data-budget-filter-target="tab"
-            class="w-full inline-flex justify-center items-center text-sm font-medium px-2 py-1 rounded-md transition-colors duration-200 shadow-sm">
-            <%= t("budgets.show.filter.on_track") %>
-        </button>
-
-        </div>
-    </div>
-</div>
\ No newline at end of file
+  <div class="max-w-full w-full lg:w-auto overflow-x-auto no-scrollbar">
+    <%= render DS::SegmentedControl.new(
+          full_width: true,
+          aria_label: t("budgets.show.filter.aria_label", default: "Filter budget categories"),
+          class: "w-full lg:w-auto") do |sc| %>
+      <% sc.with_segment t("budgets.show.filter.all"),
+           active: current_filter == "all",
+           data: { action: "click->budget-filter#setFilter", budget_filter_filter_param: "all", budget_filter_target: "tab" } %>
+      <% sc.with_segment t("budgets.show.filter.over_budget"),
+           active: current_filter == "over_budget",
+           data: { action: "click->budget-filter#setFilter", budget_filter_filter_param: "over_budget", budget_filter_target: "tab" } %>
+      <% sc.with_segment t("budgets.show.filter.on_track"),
+           active: current_filter == "on_track",
+           data: { action: "click->budget-filter#setFilter", budget_filter_filter_param: "on_track", budget_filter_target: "tab" } %>
+    <% end %>
+  </div>
+</div>
diff --git a/app/views/categories/_badge.html.erb b/app/views/categories/_badge.html.erb
index 5ab8d6c1d..283c05fc2 100644
--- a/app/views/categories/_badge.html.erb
+++ b/app/views/categories/_badge.html.erb
@@ -1,17 +1,20 @@
 <%# locals: (category:) %>
 <% category ||= Category.uncategorized %>
 
+<%# Canonical category badge: DS::Pill in badge mode carrying the category's
+    user-chosen hex (custom_color is the sanctioned escape hatch for hues that
+    are data, not design). truncate + this min-w-0 wrapper keep long names
+    ellipsizing inside tight columns (e.g. the transaction row's category
+    cell) instead of overflowing them. %>
 <div class="min-w-0">
-  <span class="flex w-full items-center gap-1 text-sm font-medium rounded-full px-1.5 py-1 border focus-visible:outline-none focus-visible:ring-0"
-        style="
-          background-color: color-mix(in oklab, <%= category.color %> 10%, transparent);
-          border-color: color-mix(in oklab, <%= category.color %> 10%, transparent);
-          color: <%= category.color %>;">
-    <% if category.lucide_icon.present? %>
-      <span class="shrink-0">
-        <%= icon category.lucide_icon, size: "sm", color: "current" %>
-      </span>
-    <% end %>
-    <span class="min-w-0 flex-1 truncate" data-testid="category-name"><%= category.name %></span>
-  </span>
+  <%= render DS::Pill.new(
+        label: category.name,
+        custom_color: category.color,
+        icon: category.lucide_icon.presence,
+        icon_size: "sm",
+        marker: false,
+        size: :md,
+        truncate: true,
+        label_testid: "category-name",
+        title: category.name) %>
 </div>
diff --git a/app/views/family_merchants/index.html.erb b/app/views/family_merchants/index.html.erb
index 28989178a..178bc2511 100644
--- a/app/views/family_merchants/index.html.erb
+++ b/app/views/family_merchants/index.html.erb
@@ -8,6 +8,12 @@
         frame: :modal,
         icon: "combine") %>
   <% end %>
+  <%= render DS::Link.new(
+    text: t(".import"),
+    variant: "outline",
+    icon: "upload",
+    href: new_import_path(type: "MerchantImport")
+  ) %>
   <%= render DS::Link.new(
     text: t(".new"),
     variant: "primary",
diff --git a/app/views/goals/_color_picker.html.erb b/app/views/goals/_color_picker.html.erb
index fb4d2891a..dc5292222 100644
--- a/app/views/goals/_color_picker.html.erb
+++ b/app/views/goals/_color_picker.html.erb
@@ -14,15 +14,16 @@
       <% end %>
     </span>
 
-    <%= render DS::Disclosure.new(
-          summary_class: "cursor-pointer absolute -bottom-1 -right-1 flex justify-center items-center bg-surface-inset hover:bg-surface-inset-hover border-2 w-6 h-6 border-subdued rounded-full text-secondary",
-          data: {
-            color_icon_picker_target: "details",
-            action: "mousedown->color-icon-picker#handleOutsideClick"
-          }) do |d| %>
-      <% d.with_summary_content do %>
+    <%# Raw <details> instead of DS::Disclosure: the disclosure wraps its body
+        in an `mt-2` div that lives in normal flow, which pushed the form down
+        ~8px every time this absolutely-positioned popover opened. %>
+    <details class="group"
+             data-color-icon-picker-target="details"
+             data-action="mousedown->color-icon-picker#handleOutsideClick">
+      <summary aria-label="<%= t("goals.color_picker.trigger_label") %>"
+               class="list-none cursor-pointer absolute -bottom-1 -right-1 flex justify-center items-center bg-surface-inset hover:bg-surface-inset-hover border-2 w-6 h-6 border-subdued rounded-full text-secondary focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-alpha-black-300">
         <%= icon("pen", size: "xs") %>
-      <% end %>
+      </summary>
 
       <div class="absolute top-full left-1/2 -translate-x-1/2 mt-2 z-50 bg-container p-3 border border-alpha-black-25 rounded-2xl shadow-xs w-80 max-w-[calc(100vw-2rem)] max-h-[60vh] overflow-y-auto"
            data-color-icon-picker-target="popup">
@@ -68,6 +69,6 @@
           </div>
         </div>
       </div>
-    <% end %>
+    </details>
   </div>
 </div>
diff --git a/app/views/goals/_form.html.erb b/app/views/goals/_form.html.erb
index ac64c468e..252bc4259 100644
--- a/app/views/goals/_form.html.erb
+++ b/app/views/goals/_form.html.erb
@@ -2,16 +2,14 @@
 
 <div data-controller="goal-form"
      data-goal-form-currency-value="<%= Current.family.primary_currency_code %>"
+     data-goal-form-require-account-value="<%= !goal.persisted? %>"
      data-goal-form-suggested-with-date-value="<%= t("goals.form.suggested_with_date") %>"
      data-goal-form-suggested-no-date-value="<%= t("goals.form.suggested_no_date") %>">
-  <% if goal.errors[:base].any? %>
-    <%= render "shared/form_errors", model: goal %>
-  <% end %>
-
   <%= styled_form_with model: goal,
                        url: goal.persisted? ? goal_path(goal) : goals_path,
                        method: goal.persisted? ? :patch : :post,
-                       class: "space-y-5" do |f| %>
+                       class: "space-y-5",
+                       data: { action: "submit->goal-form#validateOnSubmit" } do |f| %>
     <div class="flex justify-center">
       <%= render "color_picker", form: f, colors: Goal::COLORS, icons: Goal::ICONS %>
     </div>
@@ -23,17 +21,17 @@
                        required: true,
                        label: t("goals.form.fields.name"),
                        data: { goal_form_target: "nameInput", action: "input->goal-form#nameChanged" } %>
-      <p class="hidden mt-1.5 text-xs text-destructive" data-goal-form-target="nameError"><%= t("goals.form.errors.name_required") %></p>
+      <p class="<%= "hidden" unless goal.errors[:name].any? %> mt-1.5 text-xs text-destructive" data-goal-form-target="nameError"><%= t("goals.form.errors.name_required") %></p>
     </div>
 
-    <div class="grid grid-cols-2 gap-3">
+    <div class="grid grid-cols-2 gap-3 items-start">
       <div>
         <%= f.money_field :target_amount,
                           label: t("goals.form.fields.target_amount"),
                           hide_currency: true,
                           required: true,
                           amount_data: { goal_form_target: "amountInput", action: "input->goal-form#suggestedChanged" } %>
-        <p class="hidden mt-1.5 text-xs text-destructive" data-goal-form-target="amountError"><%= t("goals.form.errors.amount_required") %></p>
+        <p class="<%= "hidden" unless goal.errors[:target_amount].any? %> mt-1.5 text-xs text-destructive" data-goal-form-target="amountError"><%= t("goals.form.errors.amount_required") %></p>
       </div>
       <%= f.date_field :target_date,
                        label: t("goals.form.fields.target_date"),
@@ -74,7 +72,7 @@
           </div>
         <% end %>
       </div>
-      <p class="hidden mt-1.5 text-xs text-destructive" data-goal-form-target="accountsError"><%= t("goals.form.errors.accounts_required") %></p>
+      <p class="<%= "hidden" unless goal.errors[:base].any? %> mt-1.5 text-xs text-destructive" data-goal-form-target="accountsError"><%= t("goals.form.errors.accounts_required") %></p>
     </div>
 
     <%= f.text_area :notes,
@@ -83,7 +81,8 @@
                     placeholder: t("goals.form.fields.notes_placeholder") %>
 
     <div class="flex justify-end pt-2">
-      <%= f.submit goal.persisted? ? t("goals.form.save") : t("goals.form.create") %>
+      <%= f.submit goal.persisted? ? t("goals.form.save") : t("goals.form.create"),
+                   data: { goal_form_target: "submitButton" } %>
     </div>
   <% end %>
 </div>
diff --git a/app/views/goals/index.html.erb b/app/views/goals/index.html.erb
index 3c3e69b95..8d927234b 100644
--- a/app/views/goals/index.html.erb
+++ b/app/views/goals/index.html.erb
@@ -1,4 +1,8 @@
-<div class="space-y-8 pb-6 lg:pb-12">
+<%# @container so the KPI strip + card grids respond to the actual content
+    width (which shrinks when the account / AI sidebars are open) rather than
+    the viewport. Viewport breakpoints kept 3 columns in a narrow center
+    column and crushed the cards. %>
+<div class="@container space-y-8 pb-6 lg:pb-12">
   <header>
     <div class="flex items-center gap-2">
       <h1 class="text-2xl font-semibold text-primary"><%= t(".title") %></h1>
@@ -11,7 +15,7 @@
     <%= render "empty_state", linkable_account_count: @linkable_account_count %>
   <% else %>
     <%# KPI strip. Contributed last 30d (with prior-30d comparison) / Needs / On track %>
-    <section class="grid grid-cols-1 md:grid-cols-3 gap-3">
+    <section class="grid grid-cols-1 @3xl:grid-cols-3 gap-3">
       <div class="bg-container rounded-xl shadow-border-xs px-5 py-5">
         <p class="text-[11px] font-medium uppercase tracking-wide text-secondary"><%= t(".kpi.contributed_label") %></p>
         <p class="text-3xl font-medium text-primary tabular-nums mt-2 privacy-sensitive">
@@ -117,7 +121,11 @@
                   action: "input->goals-filter#filter"
                 }
               ) %>
-          <div class="inline-flex items-center gap-1 p-1 bg-surface-inset rounded-xl">
+          <%# overflow-x-auto + nowrap chips: the segmented control scrolls
+              horizontally when the column is too narrow for all six chips,
+              rather than wrapping "On track" mid-label or forcing the row
+              wider than the viewport. %>
+          <div class="inline-flex items-center gap-1 p-1 bg-surface-inset rounded-xl overflow-x-auto max-w-full">
             <% %w[all on_track behind no_target_date paused completed].each do |status| %>
               <% active = status == "all" %>
               <button type="button"
@@ -125,7 +133,7 @@
                       data-action="click->goals-filter#selectChip"
                       data-status="<%= status %>"
                       aria-pressed="<%= active %>"
-                      class="px-2.5 py-1 text-xs font-medium rounded-lg transition-colors focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-alpha-black-100 <%= active ? "bg-container shadow-border-xs text-primary" : "text-secondary" %>">
+                      class="shrink-0 whitespace-nowrap px-2.5 py-1 text-xs font-medium rounded-lg transition-colors focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-alpha-black-100 <%= active ? "bg-container shadow-border-xs text-primary" : "text-secondary" %>">
                 <%= t(".chips.#{status}") %>
               </button>
             <% end %>
@@ -139,7 +147,7 @@
           <span class="text-subdued">·</span>
           <span class="tabular-nums" data-goals-filter-target="count"><%= @grid_goals.size %></span>
         </div>
-        <div class="grid grid-cols-1 sm:grid-cols-2 lg:grid-cols-3 gap-3.5" data-goals-filter-target="grid">
+        <div class="grid grid-cols-1 @2xl:grid-cols-2 @5xl:grid-cols-3 gap-3.5" data-goals-filter-target="grid">
           <% @grid_goals.each do |goal| %>
             <%= render Goals::CardComponent.new(goal: goal) %>
           <% end %>
@@ -179,7 +187,7 @@
               <span class="tabular-nums"><%= @archived_goals.size %></span>
             </span>
           <% end %>
-          <div class="grid grid-cols-1 sm:grid-cols-2 lg:grid-cols-3 gap-3.5">
+          <div class="grid grid-cols-1 @2xl:grid-cols-2 @5xl:grid-cols-3 gap-3.5">
             <% @archived_goals.each do |goal| %>
               <%= render Goals::CardComponent.new(goal: goal, filterable: false) %>
             <% end %>
diff --git a/app/views/goals/show.html.erb b/app/views/goals/show.html.erb
index 92a482526..bffcfdf84 100644
--- a/app/views/goals/show.html.erb
+++ b/app/views/goals/show.html.erb
@@ -224,7 +224,7 @@
             <% end %>
           </div>
         </div>
-        <div class="flex-1 min-h-[200px]"
+        <div class="flex-1 min-h-[200px] privacy-sensitive"
              data-controller="goal-projection-chart"
              data-goal-projection-chart-data-value="<%= @goal.projection_payload.to_json %>"
              data-goal-projection-chart-aria-label-value="<%= t("goals.show.projection.aria_label", name: @goal.name) %>"
diff --git a/app/views/import/configurations/_merchant_import.html.erb b/app/views/import/configurations/_merchant_import.html.erb
new file mode 100644
index 000000000..7f4efc1fa
--- /dev/null
+++ b/app/views/import/configurations/_merchant_import.html.erb
@@ -0,0 +1,14 @@
+<%# locals: (import:) %>
+
+<div class="space-y-4">
+  <p class="text-sm text-secondary"><%= t("import.configurations.merchant_import.description") %></p>
+
+  <%= styled_form_with model: import,
+                       url: import_configuration_path(import),
+                       scope: :import,
+                       method: :patch,
+                       class: "space-y-3" do |form| %>
+    <p class="text-sm text-secondary"><%= t("import.configurations.merchant_import.instructions") %></p>
+    <%= form.submit t("import.configurations.merchant_import.button_label"), disabled: import.complete? %>
+  <% end %>
+</div>
\ No newline at end of file
diff --git a/app/views/imports/new.html.erb b/app/views/imports/new.html.erb
index 78950bd76..722ec9106 100644
--- a/app/views/imports/new.html.erb
+++ b/app/views/imports/new.html.erb
@@ -225,6 +225,16 @@
                 enabled: true %>
             <% end %>
 
+            <% if params[:type].nil? || params[:type] == "MerchantImport" %>
+              <%= render "imports/import_option",
+                type: "MerchantImport",
+                icon_name: "store",
+                icon_bg_class: "bg-orange-500/5",
+                icon_text_class: "text-orange-500",
+                label: t(".import_merchants"),
+                enabled: true %>
+            <% end %>
+
             <% if params[:type].nil? || params[:type] == "RuleImport" %>
               <%= render "imports/import_option",
                 type: "RuleImport",
diff --git a/app/views/layouts/application.html.erb b/app/views/layouts/application.html.erb
index 39077cc6a..5a00adda6 100644
--- a/app/views/layouts/application.html.erb
+++ b/app/views/layouts/application.html.erb
@@ -60,7 +60,7 @@ end %>
 
       <div class="flex items-center gap-1">
         <button type="button"
-                class="inline-flex items-center justify-center w-8 h-8 rounded-lg text-secondary hover:text-primary transition-colors"
+                class="inline-flex items-center justify-center w-9 h-9 pointer-coarse:w-11 pointer-coarse:h-11 rounded-lg text-secondary hover:text-primary hover:bg-container-inset-hover transition-colors"
                 data-action="click->privacy-mode#toggle"
                 data-privacy-mode-target="toggle"
                 title="<%= t("layouts.application.privacy_mode") %>"
@@ -158,7 +158,7 @@ end %>
 
           <div class="flex items-center gap-2">
             <button type="button"
-                    class="inline-flex items-center justify-center w-8 h-8 rounded-lg text-secondary hover:text-primary hover:bg-surface-hover transition-colors"
+                    class="inline-flex items-center justify-center w-9 h-9 pointer-coarse:w-11 pointer-coarse:h-11 rounded-lg text-secondary hover:text-primary hover:bg-container-inset-hover transition-colors"
                     data-action="click->privacy-mode#toggle"
                     data-privacy-mode-target="toggle"
                     title="<%= t("layouts.application.privacy_mode") %>"
diff --git a/app/views/shared/notifications/_sync_toast.html.erb b/app/views/shared/notifications/_sync_toast.html.erb
index 763a6557f..4bd4efbe7 100644
--- a/app/views/shared/notifications/_sync_toast.html.erb
+++ b/app/views/shared/notifications/_sync_toast.html.erb
@@ -1,23 +1,34 @@
 <div id="sync-toast"
+     role="status"
+     aria-live="polite"
      data-controller="sync-toast element-removal"
-     class="relative flex gap-3 rounded-lg bg-container p-4 group w-full md:max-w-80 shadow-border-xs">
+     class="relative flex gap-3 rounded-lg bg-container p-4 w-full md:max-w-80 shadow-border-xs">
   <div class="h-5 w-5 shrink-0 p-px text-primary">
     <div class="flex h-full items-center justify-center rounded-full bg-info">
-      <%= icon "refresh-cw", size: "xs", color: "inverse" %>
+      <%= icon "refresh-cw", size: "xs", color: "white" %>
     </div>
   </div>
 
-  <div class="space-y-1 flex-1">
+  <div class="space-y-2 flex-1 min-w-0">
     <p class="text-primary text-sm font-medium"><%= t("shared.sync_toast.message") %></p>
-    <button type="button" class="text-xs text-info underline hover:opacity-80 transition-opacity"
-            data-action="click->sync-toast#refresh">
-      <%= t("shared.sync_toast.refresh") %>
-    </button>
+    <%= render DS::Button.new(
+      text: t("shared.sync_toast.refresh"),
+      variant: "secondary",
+      size: "sm",
+      icon: "refresh-cw",
+      type: "button",
+      data: { action: "sync-toast#refresh" }
+    ) %>
   </div>
 
-  <div class="absolute -top-2 -right-2">
-    <button type="button" class="p-0.5 hidden group-hover:inline-block border border-alpha-black-50 border-solid rounded-lg bg-container text-subdued cursor-pointer" aria-label="<%= t('defaults.common.close') %>" data-action="click->element-removal#remove">
-      <%= icon "x" %>
-    </button>
+  <div class="absolute top-1 right-1">
+    <%= render DS::Button.new(
+      variant: "icon",
+      size: "sm",
+      icon: "x",
+      type: "button",
+      "aria-label": t("defaults.common.close"),
+      data: { action: "click->element-removal#remove" }
+    ) %>
   </div>
 </div>
diff --git a/app/views/transactions/_form.html.erb b/app/views/transactions/_form.html.erb
index 1064da60f..acf69714f 100644
--- a/app/views/transactions/_form.html.erb
+++ b/app/views/transactions/_form.html.erb
@@ -1,7 +1,6 @@
-<%# locals: (entry:, categories:) %>
+<%# locals: (entry:, account_currencies:, manual_accounts:, categories:, merchants:, tags:) %>
 
-<% account_currencies = Current.family.accounts.map { |a| [a.id, a.currency] }.to_h.to_json %>
-<%= styled_form_with model: entry, url: transactions_path, class: "space-y-4", data: { controller: "transaction-form", transaction_form_exchange_rate_url_value: exchange_rate_path, transaction_form_account_currencies_value: account_currencies } do |f| %>
+<%= styled_form_with model: entry, url: transactions_path, class: "space-y-4", data: { controller: "transaction-form", transaction_form_exchange_rate_url_value: exchange_rate_path, transaction_form_account_currencies_value: account_currencies.to_json } do |f| %>
   <% if entry.errors.any? %>
     <%= render "shared/form_errors", model: entry %>
   <% end %>
@@ -19,7 +18,7 @@
     <% if @entry.account_id %>
       <%= f.hidden_field :account_id, data: { transaction_form_target: "account" } %>
     <% else %>
-      <%= f.collection_select :account_id, accessible_accounts.manual.active.alphabetically, :id, :name, { prompt: t(".account_prompt"), label: t(".account"), selected: Current.user.default_account_for_transactions&.id, variant: :logo }, required: true, class: "form-field__input text-ellipsis", data: { transaction_form_target: "account", action: "change->transaction-form#checkCurrencyDifference" } %>
+      <%= f.collection_select :account_id, manual_accounts, :id, :name, { prompt: t(".account_prompt"), label: t(".account"), selected: Current.user.default_account_for_transactions&.id, variant: :logo }, required: true, class: "form-field__input text-ellipsis", data: { transaction_form_target: "account", action: "change->transaction-form#checkCurrencyDifference" } %>
     <% end %>
 
     <%= f.money_field :amount,
@@ -87,7 +86,7 @@
     <section class="space-y-2">
       <%= f.fields_for :entryable do |ef| %>
         <%= ef.collection_select :merchant_id,
-                  Current.family.available_merchants_for(Current.user).alphabetically,
+                  merchants,
                   :id, :name,
                   { include_blank: t(".none"),
                     label: t(".merchant_label"),
@@ -96,7 +95,7 @@
                     menu_placement: :auto } %>
         <%= render DS::TagSelect.new(
               form: ef,
-              tags: Current.family.tags.alphabetically,
+              tags: tags,
               selected_ids: ef.object.tag_ids
             ) %>
       <% end %>
diff --git a/app/views/transactions/_transaction.html.erb b/app/views/transactions/_transaction.html.erb
index 9aff39d03..9752d6117 100644
--- a/app/views/transactions/_transaction.html.erb
+++ b/app/views/transactions/_transaction.html.erb
@@ -7,7 +7,7 @@
   <%= turbo_frame_tag dom_id(transaction) do %>
     <div class="group flex lg:grid lg:grid-cols-12 items-center text-primary text-sm font-medium p-3 lg:p-4 <%= "pl-8 lg:pl-12" if in_split_group %>">
 
-      <div class="pr-4 lg:pr-10 flex items-center gap-3 lg:gap-4 col-span-8 min-w-0">
+      <div class="pr-4 lg:pr-10 flex items-center gap-3 lg:gap-4 col-span-7 min-w-0">
         <%= check_box_tag dom_id(entry, "selection"),
             disabled: transaction.transfer.present?,
             class: "checkbox checkbox--light hidden lg:block",
@@ -179,7 +179,7 @@
         </div>
       </div>
 
-      <div class="hidden md:flex min-w-0 items-center gap-1 col-span-2">
+      <div class="hidden md:flex min-w-0 items-center gap-1 col-span-3">
         <% if entry.account.supports_trades? && !transaction.transfer? %>
           <%# For investment/crypto accounts, show activity label instead of category %>
           <%= render "investment_activity/quick_edit_badge", entry: entry, entryable: transaction %>
diff --git a/app/views/transactions/new.html.erb b/app/views/transactions/new.html.erb
index 3d612c0a8..1e13162cd 100644
--- a/app/views/transactions/new.html.erb
+++ b/app/views/transactions/new.html.erb
@@ -1,6 +1,12 @@
 <%= render DS::Dialog.new(scrollable: false, content_class: "lg:max-h-none lg:overflow-y-auto") do |dialog| %>
   <% dialog.with_header(title: t(".new_transaction")) %>
   <% dialog.with_body do %>
-    <%= render "form", entry: @entry, categories: @categories %>
+    <%= render "form",
+               entry: @entry,
+               account_currencies: @account_currencies,
+               manual_accounts: @manual_accounts,
+               categories: @categories,
+               merchants: @merchants,
+               tags: @tags %>
   <% end %>
 <% end %>
diff --git a/bin/preview_deploy_security_check.rb b/bin/preview_deploy_security_check.rb
index 72339cd6e..026bf54fb 100644
--- a/bin/preview_deploy_security_check.rb
+++ b/bin/preview_deploy_security_check.rb
@@ -8,6 +8,7 @@ PREVIEW_WORKFLOW_PATH = File.join(ROOT, ".github/workflows/preview-deploy.yml")
 PR_WORKFLOW_PATH = File.join(ROOT, ".github/workflows/pr.yml")
 LOCKFILE_PATH = File.join(ROOT, "workers/preview/package-lock.json")
 RESOLVER_PATH = File.join(ROOT, "workers/preview/deploy/resolve_preview_request.cjs")
+CONFIG_RENDERER_PATH = File.join(ROOT, "workers/preview/deploy/render_preview_config.cjs")
 REDACTION_HELPER_PATH = File.join(ROOT, "workers/preview/deploy/redact_preview_log.sh")
 PREVIEW_WORKER_PATH = File.join(ROOT, "workers/preview/src/index.ts")
 PREVIEW_DOCKERFILE_PATH = File.join(ROOT, "Dockerfile.preview")
@@ -15,7 +16,7 @@ PINNED_ACTION = /\A[^@\s]+@[a-f0-9]{40}\z/
 EXPECTED_ACTION_PINS = {
   "actions/checkout" => "93cb6efe18208431cddfb8368fd83d5badbf9bfd", # v5
   "actions/download-artifact" => "018cc2cf5baa6db3ef3c5f8a56943fffe632ef53", # v6
-  "actions/github-script" => "f28e40c7f34bde8b3046d885e986cb6290c5673b", # v7
+  "actions/github-script" => "ed597411d8f924073f98dfc5c65a23a2325f34cd", # v8
   "actions/setup-node" => "48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e", # v6
   "actions/upload-artifact" => "b7c566a772e6b6bfb58ed0dc250532a479d7789f" # v6
 }.freeze
@@ -52,6 +53,7 @@ EXPECTED_COMMENT_PERMISSIONS = {
 }.freeze
 EXPECTED_DEPLOY_SECRET_ENV = %w[CLOUDFLARE_ACCOUNT_ID CLOUDFLARE_API_TOKEN CLOUDFLARE_WORKERS_SUBDOMAIN].freeze
 EXPECTED_PUSH_SECRET_ENV = %w[CLOUDFLARE_ACCOUNT_ID CLOUDFLARE_API_TOKEN].freeze
+EXPECTED_DIAGNOSTICS_PATH = "${{ runner.temp }}/preview-diagnostics"
 EXPECTED_FAILURE_DIAGNOSTICS_PATH = "${{ runner.temp }}/preview-failure-diagnostics"
 EXPECTED_CLEANUP_METADATA_PATH = "${{ runner.temp }}/preview-cleanup-metadata/wrangler.toml"
 REQUIRED_PREPARE_LINES = [
@@ -62,9 +64,11 @@ REQUIRED_PREPARE_LINES = [
   'cp -R trusted/workers/preview/src "$preview_dir/src"',
   'mkdir -p "$preview_dir/deploy"',
   'cp trusted/workers/preview/deploy/redact_preview_log.sh "$preview_dir/deploy/redact_preview_log.sh"',
+  'cp trusted/workers/preview/deploy/render_preview_config.cjs "$preview_dir/deploy/render_preview_config.cjs"',
   'chmod 0755 "$preview_dir/deploy/redact_preview_log.sh"',
   'diagnostics_nonce="$(openssl rand -hex 32)"',
   'sed -i "s/\${PREVIEW_DIAGNOSTICS_NONCE}/${diagnostics_nonce}/g" "$preview_dir/src/index.ts"',
+  'cp "$preview_dir/wrangler.toml" "$preview_dir/wrangler.source.toml"',
   "Preview diagnostics nonce placeholder was not replaced",
   "npm ci --ignore-scripts --no-audit --no-fund"
 ].freeze
@@ -160,6 +164,7 @@ preview_workflow = YAML.safe_load_file(PREVIEW_WORKFLOW_PATH, aliases: true)
 pr_workflow = YAML.safe_load_file(PR_WORKFLOW_PATH, aliases: true)
 lockfile = JSON.parse(File.read(LOCKFILE_PATH))
 resolver_script = File.read(RESOLVER_PATH)
+config_renderer_script = File.read(CONFIG_RENDERER_PATH)
 redaction_helper_script = File.read(REDACTION_HELPER_PATH)
 preview_worker_script = File.read(PREVIEW_WORKER_PATH)
 preview_dockerfile = File.read(PREVIEW_DOCKERFILE_PATH)
@@ -282,7 +287,7 @@ comment_on_pr = step!(preview_comment_steps, "Comment on PR")
   [ "fork deployment record guard", create_deployment.fetch("if"), "env.IS_FORK == 'false'" ],
   [ "diagnostics upload if", upload_diagnostics.fetch("if"), "always() && steps.deploy.outputs.preview_url != ''" ],
   [ "diagnostics upload name", upload_diagnostics.dig("with", "name"), "preview-diagnostics-pr-${{ env.PR_NUMBER }}-${{ env.HEAD_SHA }}" ],
-  [ "diagnostics upload path", upload_diagnostics.dig("with", "path"), "${{ runner.temp }}/preview-diagnostics.json" ],
+  [ "diagnostics upload path", upload_diagnostics.dig("with", "path"), EXPECTED_DIAGNOSTICS_PATH ],
   [ "diagnostics upload retention", upload_diagnostics.dig("with", "retention-days"), 3 ],
   [ "failure diagnostics collect if", collect_failure_diagnostics.fetch("if"), "failure()" ],
   [ "failure diagnostics upload if", upload_failure_diagnostics.fetch("if"), "failure()" ],
@@ -423,6 +428,18 @@ assert(File.executable?(REDACTION_HELPER_PATH), "preview log redaction helper mu
   "<redacted-account>"
 ].each { |needle| assert(redaction_helper_script.include?(needle), "preview log redaction helper must include #{needle.inspect}") }
 
+[
+  "REGISTRY_IMAGE_REF_PATTERN",
+  "REGISTRY_IMAGE_REF_SCAN_PATTERN",
+  "function validateRegistryImageRef",
+  "function renderPreviewConfig",
+  "function findRegistryImageRef",
+  "Expected wrangler.toml source to contain exactly one image entry",
+  "Cloudflare registry image reference does not match this preview artifact",
+  "Cloudflare registry image reference account does not match this workflow",
+  "module.exports"
+].each { |needle| assert(config_renderer_script.include?(needle), "preview config renderer must include #{needle.inspect}") }
+
 prepare_run = assert_run_includes(prepare, *REQUIRED_PREPARE_LINES)
 assert(!prepare_run.include?("npm install"), "prepare step must not use npm install")
 assert(!prepare_run.include?("CLOUDFLARE_API_TOKEN"), "prepare step must not receive Cloudflare secrets")
@@ -440,29 +457,38 @@ push_image_run = assert_run_includes(
   push_image,
   "./node_modules/.bin/wrangler containers push",
   "registry.cloudflare.com/${CLOUDFLARE_ACCOUNT_ID}/${image_tag}",
-  "registry\\.cloudflare\\.com\\/",
   "image_ref=",
+  'source_config="$RUNNER_TEMP/sure-preview-worker/wrangler.source.toml"',
   'config_path="$RUNNER_TEMP/sure-preview-worker/wrangler.toml"',
   'temporary_image_ref="registry.cloudflare.com/${CLOUDFLARE_ACCOUNT_ID}/${image_tag}"',
-  'TEMPORARY_IMAGE_REF="$temporary_image_ref" node - "$config_path"',
-  "Expected registry-shaped preview image ref before wrangler containers push",
-  "Expected wrangler.toml to contain an image entry to rewrite before push"
+  'PREVIEW_IMAGE_REF="$temporary_image_ref" node ./deploy/render_preview_config.cjs render "$source_config" "$config_path"',
+  'cp "$config_path" "$RUNNER_TEMP/wrangler-push.toml"',
+  'image_ref="$(node ./deploy/render_preview_config.cjs find "$clean_log")"'
 )
-push_rewrite_index = push_image_run.index('TEMPORARY_IMAGE_REF="$temporary_image_ref" node - "$config_path"')
+push_rewrite_index = push_image_run.index('PREVIEW_IMAGE_REF="$temporary_image_ref" node ./deploy/render_preview_config.cjs render "$source_config" "$config_path"')
 push_command_index = push_image_run.index("./node_modules/.bin/wrangler containers push")
 assert(
   push_rewrite_index < push_command_index,
   "push step must rewrite wrangler.toml to a registry-shaped image ref before wrangler validates it"
 )
+assert(push_image_run.index('wrangler.source.toml') < push_rewrite_index, "push step must render from the preserved trusted source config")
 assert(!push_image_run.include?("LOCAL_IMAGE_TAG"), "push step must not write a local Docker tag into wrangler.toml")
 assert(!push_image_run.include?("Expected local preview image tag"), "push step must not accept local Docker tags as wrangler config image refs")
 assert_run_includes(push_image, 'tee "$push_log" | ./deploy/redact_preview_log.sh', "push_status=${PIPESTATUS[0]}")
-assert_run_includes(configure_image, "registry\\.cloudflare\\.com", "expectedSuffix", "imageRef.endsWith", "Cloudflare registry image reference does not match this preview artifact", 'const original = fs.readFileSync', 'const updated = original.replace(/image = "[^"]+"/', "updated === original", "Expected wrangler.toml to contain an image entry to rewrite", "JSON.stringify(imageRef)", 'redact_preview_log.sh" < "$config_path"')
+configure_image_run = assert_run_includes(
+  configure_image,
+  'source_config="$RUNNER_TEMP/sure-preview-worker/wrangler.source.toml"',
+  'PREVIEW_IMAGE_REF="$IMAGE_REF" node "$RUNNER_TEMP/sure-preview-worker/deploy/render_preview_config.cjs" render "$source_config" "$config_path"',
+  'cp "$config_path" "$RUNNER_TEMP/wrangler-final.toml"',
+  "preserved trusted source template",
+  'redact_preview_log.sh" < "$config_path"'
+)
+assert(!configure_image_run.include?('const updated = original.replace(/image = "[^"]+"/'), "final image configuration must use the tested renderer instead of inline regex replacement")
 assert_run_includes(create_deployment, "github.rest.repos.createDeployment", "ref: headSha", "preview-pr-${prNumber}")
 assert_run_includes(deploy, 'cd "$RUNNER_TEMP/sure-preview-worker"', "deploy_once()", "./node_modules/.bin/wrangler deploy --config wrangler.toml", '--var "PR_NUMBER:${PR_NUMBER}"', 'tee "$deploy_log" | ./deploy/redact_preview_log.sh', "deploy_status=${PIPESTATUS[0]}", "associated with a different durable object namespace", 'if ! ./node_modules/.bin/wrangler delete --name "sure-preview-${PR_NUMBER}" --force', "Preview Worker delete failed", "retrying once")
 assert_run_includes(warm_preview, "$PREVIEW_URL/_container_status", "--connect-timeout 5", "--max-time 15")
-assert_run_includes(collect_diagnostics, "$PREVIEW_URL/_container_status", "--connect-timeout 5", "--max-time 15", "seq 1 40", "preview-diagnostics.json", "jq -e '.previewReady == true or .previewFailed == true'", "jq -e '.previewFailed == true'", "Preview diagnostics from _container_status reported previewFailed=true", "jq -e '.previewReady == true'", "Preview diagnostics from _container_status did not reach previewReady=true", ".timings.previewReadyAt != null and .timings.secondsToPreviewReady != null", "Preview diagnostics are missing readiness timing fields", "exit 1")
-assert_run_includes(collect_failure_diagnostics, "preview-failure-diagnostics", "preview-request.json", "preview-image-manifest.json", "wrangler.toml", "wrangler-containers-push.log", "wrangler-deploy.log", "redaction_helper=", 'sanitize_copy "$RUNNER_TEMP/sure-preview-worker/wrangler.toml"', "wrangler-deploy.clean.log", "resolutionSource")
+assert_run_includes(collect_diagnostics, "$PREVIEW_URL/_container_status", "--connect-timeout 5", "--max-time 15", "seq 1 40", "preview-diagnostics", "preview-diagnostics.json", "latest-metrics.json", "metrics-polls.log", "summary.md", '! jq -e . "$diagnostics_file"', 'raw_snippet="$(head -c 2048 "$diagnostics_file")"', 'latest_metrics_snapshot="$(head -c 2048 "$latest_metrics_file")"', "rawSnippet", "latestMetrics", "jq -e '.previewReady == true or .previewFailed == true'", "jq -e '.previewFailed == true'", "Preview diagnostics from _container_status reported previewFailed=true", "jq -e '.previewReady == true'", "Preview diagnostics from _container_status did not reach previewReady=true", ".timings.previewReadyAt != null and .timings.secondsToPreviewReady != null", "Preview diagnostics are missing readiness timing fields", "exit 1")
+assert_run_includes(collect_failure_diagnostics, "preview-failure-diagnostics", "preview-request.json", "preview-image-manifest.json", "wrangler-source.toml", "wrangler-push.toml", "wrangler-final.toml", "wrangler.toml", "wrangler-containers-push.log", "wrangler-deploy.log", "redaction_helper=", 'sanitize_copy "$RUNNER_TEMP/sure-preview-worker/wrangler.source.toml"', 'sanitize_copy "$RUNNER_TEMP/wrangler-push.toml"', 'sanitize_copy "$RUNNER_TEMP/wrangler-final.toml"', "wrangler-deploy.clean.log", "resolutionSource")
 assert_run_includes(prepare_cleanup_metadata, "preview-cleanup-metadata", "redact_preview_log.sh", "$RUNNER_TEMP/sure-preview-worker/wrangler.toml", "$metadata_dir/wrangler.toml")
 assert_run_includes(update_deployment_status, "github.rest.repos.createDeploymentStatus", "process.env.DEPLOY_RESULT === 'success'", "deployment_id: Number(process.env.DEPLOYMENT_ID)")
 assert_run_includes(comment_on_pr, "github.rest.issues.listComments", "github.rest.issues.updateComment", "github.rest.issues.createComment", "Preview Deployment Ready")
diff --git a/config/locales/models/merchant_import/en.yml b/config/locales/models/merchant_import/en.yml
new file mode 100644
index 000000000..5cebc7ab4
--- /dev/null
+++ b/config/locales/models/merchant_import/en.yml
@@ -0,0 +1,8 @@
+---
+en:
+  activerecord:
+    errors:
+      models:
+        merchant_import:
+          missing_columns: "Missing required columns: %{columns}"
+          duplicate_columns: "Duplicate column names after normalization: %{columns}"
diff --git a/config/locales/views/budgets/en.yml b/config/locales/views/budgets/en.yml
index 04f745c61..072fc4773 100644
--- a/config/locales/views/budgets/en.yml
+++ b/config/locales/views/budgets/en.yml
@@ -48,6 +48,7 @@ en:
         title: Over Budget
       filter:
         all: All
+        aria_label: Filter budget categories
         on_track: On Track
         over_budget: Over Budget
       tabs:
diff --git a/config/locales/views/goals/en.yml b/config/locales/views/goals/en.yml
index 737ddc4c0..c8b04b9d2 100644
--- a/config/locales/views/goals/en.yml
+++ b/config/locales/views/goals/en.yml
@@ -2,6 +2,7 @@
 en:
   goals:
     color_picker:
+      trigger_label: Choose color and icon
       color_heading: Color
       icon_heading: Icon
       poor_contrast: Poor contrast, choose darker color or
@@ -223,9 +224,6 @@ en:
       days_left:
         one: 1 day left
         other: "%{count} days left"
-      days_left_by:
-        one: 1 day left · by %{date}
-        other: "%{count} days left · by %{date}"
       pace_with_target: "%{avg}/mo · target %{target}/mo"
       pace_no_target: "%{avg}/mo avg"
       footer_paused: Paused
diff --git a/config/locales/views/imports/en.yml b/config/locales/views/imports/en.yml
index 7d83f0793..f974e9a23 100644
--- a/config/locales/views/imports/en.yml
+++ b/config/locales/views/imports/en.yml
@@ -110,6 +110,10 @@ en:
         description: Upload a simple CSV file (like the one we generate when you
           export your data). We'll automatically map the columns for you.
         instructions: Select continue to parse your CSV and move on to the clean step.
+      merchant_import:
+        button_label: Continue
+        description: Upload a CSV file with your merchants. We'll automatically map the columns for you.
+        instructions: Select continue to parse your CSV and move on to the clean step.
       mint_import:
         date_format_label: Date format
       actual_import:
@@ -250,6 +254,8 @@ en:
       category_parent: "Parent category"
       category_color: "Color"
       category_icon: "Lucide icon"
+      merchant_color: "Color"
+      merchant_website: "Website URL"
     update:
       account_saved: "Account saved."
       invalid_account: "Account not found."
@@ -305,6 +311,7 @@ en:
       qif_import: "QIF import"
       category_import: "Category import"
       rule_import: "Rule import"
+      merchant_import: "Merchant import"
       pdf_import: "PDF import"
       document_import: "Document import"
       sure_import: "Sure import"
@@ -338,6 +345,7 @@ en:
           qif_import: "QIF"
           category_import: "Category"
           rule_import: "Rule"
+          merchant_import: "Merchant"
           pdf_import: "PDF"
           document_import: "Document"
           sure_import: "Sure"
@@ -362,6 +370,7 @@ en:
       import_ynab: Import from YNAB
       import_accounts: Import accounts
       import_categories: Import categories
+      import_merchants: Import merchants
       import_mint: Import from Mint
       import_actual: Import from Actual Budget
       import_portfolio: Import investments
diff --git a/config/locales/views/merchants/en.yml b/config/locales/views/merchants/en.yml
index 7c99f3e68..d1c55cdff 100644
--- a/config/locales/views/merchants/en.yml
+++ b/config/locales/views/merchants/en.yml
@@ -16,6 +16,7 @@ en:
     index:
       empty: No merchants yet
       new: New merchant
+      import: Import merchants
       merge: Merge merchants
       title: Merchants
       family_title: "%{moniker} merchants"
diff --git a/config/locales/views/shared/en.yml b/config/locales/views/shared/en.yml
index 50599089c..3ec0b37ea 100644
--- a/config/locales/views/shared/en.yml
+++ b/config/locales/views/shared/en.yml
@@ -6,8 +6,8 @@ en:
   shared:
     preview: Preview
     sync_toast:
-      message: "Your data has been updated"
-      refresh: "Refresh now"
+      message: "New data available"
+      refresh: "Refresh"
     confirm_modal:
       accept: Confirm
       body_html: "<p>You will not be able to undo this decision</p>"
diff --git a/config/routes.rb b/config/routes.rb
index 53bdc864a..21a608e15 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -515,7 +515,7 @@ Rails.application.routes.draw do
       resources :budgets, only: [ :index, :show ]
       resources :budget_categories, only: [ :index, :show ]
       resources :categories, only: [ :index, :show, :create ]
-      resources :merchants, only: [ :index, :show ]
+      resources :merchants, only: [ :index, :show, :create ]
       resources :rules, only: [ :index, :show ]
       resources :rule_runs, only: [ :index, :show ]
       resources :securities, only: [ :index, :show ]
diff --git a/db/migrate/20260525202505_add_merchant_columns_to_import_rows.rb b/db/migrate/20260525202505_add_merchant_columns_to_import_rows.rb
new file mode 100644
index 000000000..2a6573074
--- /dev/null
+++ b/db/migrate/20260525202505_add_merchant_columns_to_import_rows.rb
@@ -0,0 +1,6 @@
+class AddMerchantColumnsToImportRows < ActiveRecord::Migration[7.2]
+  def change
+    add_column :import_rows, :merchant_color, :string
+    add_column :import_rows, :merchant_website, :string
+  end
+end
diff --git a/db/schema.rb b/db/schema.rb
index 04dfb5053..ba446c860 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -978,6 +978,8 @@ ActiveRecord::Schema[7.2].define(version: 2026_05_31_213000) do
     t.text "conditions"
     t.text "actions"
     t.integer "source_row_number", null: false
+    t.string "merchant_color"
+    t.string "merchant_website"
     t.index ["import_id", "source_row_number"], name: "index_import_rows_on_import_id_and_source_row_number", unique: true
     t.index ["import_id"], name: "index_import_rows_on_import_id"
     t.check_constraint "source_row_number > 0", name: "chk_import_rows_source_row_number_positive"
diff --git a/docs/api/merchants.md b/docs/api/merchants.md
index 5e00b3dda..2be69b9e3 100644
--- a/docs/api/merchants.md
+++ b/docs/api/merchants.md
@@ -1,6 +1,6 @@
 # Merchants API
 
-The Merchants API allows external applications to retrieve merchants within Sure. Merchants represent payees or vendors associated with transactions.
+The Merchants API allows external applications to retrieve and bulk-import merchants within Sure. Merchants represent payees or vendors associated with transactions.
 
 ## Generated OpenAPI specification
 
@@ -21,7 +21,10 @@ The Merchants API allows external applications to retrieve merchants within Sure
 
 ## Authentication requirements
 
-All merchant endpoints require an OAuth2 access token or API key that grants the `read` scope.
+| Endpoint | Required scope |
+| --- | --- |
+| `GET` endpoints | `read` |
+| `POST /api/v1/merchants` (CSV import) | `write` |
 
 ## Available endpoints
 
@@ -29,6 +32,7 @@ All merchant endpoints require an OAuth2 access token or API key that grants the
 | --- | --- | --- |
 | `GET /api/v1/merchants` | `read` | List all merchants available to the family. |
 | `GET /api/v1/merchants/{id}` | `read` | Retrieve a single merchant by ID. |
+| `POST /api/v1/merchants` | `write` | Bulk-import merchants from a CSV file. |
 
 Refer to the generated [`openapi.yaml`](openapi.yaml) for request/response schemas, reusable components, and security definitions.
 
@@ -104,6 +108,84 @@ When creating or updating transactions, you can assign a merchant using the `mer
 }
 ```
 
+## Importing merchants via CSV
+
+`POST /api/v1/merchants` accepts a `multipart/form-data` upload and bulk-creates `FamilyMerchant` records. Existing merchants with the same name are skipped (no update, no error).
+
+### Request
+
+```http
+POST /api/v1/merchants
+Content-Type: multipart/form-data
+X-Api-Key: <write-scoped-key>
+
+file=@merchants.csv
+```
+
+### CSV format
+
+| Column | Required | Description |
+| --- | --- | --- |
+| `name` | Yes | Merchant name. Rows with a blank name are skipped. |
+| `color` | No | Hex colour code (e.g. `#e99537`). Defaults to a random palette colour. |
+| `website_url` | No | Merchant website. Aliases accepted: `website url`, `website`. |
+
+The header row is required. Column names are matched case-insensitively and extra spaces, underscores, and asterisks are ignored (e.g. `Name*`, `Website URL`, and `website_url` all match).
+
+Example CSV:
+
+```csv
+name,color,website_url
+Coffee Shop,#e99537,https://coffeeshop.com
+Pizza Palace,#4da568,https://pizzapalace.com
+Bookstore,,
+```
+
+### Response — 201 Created
+
+```json
+{
+  "imported": 2,
+  "skipped": 1,
+  "merchants": [
+    {
+      "id": "550e8400-e29b-41d4-a716-446655440001",
+      "name": "Coffee Shop",
+      "type": "FamilyMerchant",
+      "created_at": "2024-01-15T10:30:00Z",
+      "updated_at": "2024-01-15T10:30:00Z"
+    },
+    {
+      "id": "550e8400-e29b-41d4-a716-446655440002",
+      "name": "Pizza Palace",
+      "type": "FamilyMerchant",
+      "created_at": "2024-01-15T10:30:00Z",
+      "updated_at": "2024-01-15T10:30:00Z"
+    }
+  ]
+}
+```
+
+`skipped` counts rows where a merchant with that name already exists for the family.
+
+### Error responses for CSV import
+
+| HTTP status | `error` value | Cause |
+| --- | --- | --- |
+| `401` | `unauthorized` | Missing or invalid API key. |
+| `403` | `forbidden` | API key lacks the `write` scope. |
+| `422` | `missing_file` | No `file` parameter supplied. |
+| `422` | `file_too_large` | File exceeds 10 MB. |
+| `422` | `invalid_file_type` | File is not a recognised CSV MIME type. |
+| `422` | `missing_column` | CSV has no `name` column. |
+| `422` | `invalid_csv` | CSV is malformed or cannot be parsed. |
+
+## Importing merchants via the web UI
+
+Merchants can also be imported through the built-in multi-step import flow at **Settings → Imports → New Import → Raw Data → Import merchants**. The flow supports the same CSV format as the API endpoint (upload → configure → clean → publish).
+
+A shortcut button ("Import merchants") is also available directly on the **Merchants** page.
+
 ## Error responses
 
 Errors conform to the shared `ErrorResponse` schema in the OpenAPI document:
diff --git a/mobile/lib/providers/auth_provider.dart b/mobile/lib/providers/auth_provider.dart
index 884ef3d53..c9be3741f 100644
--- a/mobile/lib/providers/auth_provider.dart
+++ b/mobile/lib/providers/auth_provider.dart
@@ -58,6 +58,13 @@ class AuthProvider with ChangeNotifier {
     _loadStoredAuth();
   }
 
+  void _logAuthException(String operation, Object error) {
+    LogService.instance.error(
+      'AuthProvider',
+      '$operation failed with ${error.runtimeType}',
+    );
+  }
+
   Future<void> _loadStoredAuth() async {
     _isLoading = true;
     _isInitializing = true;
@@ -127,7 +134,10 @@ class AuthProvider with ChangeNotifier {
         otpCode: otpCode,
       );
 
-      LogService.instance.debug('AuthProvider', 'Login result: $result');
+      LogService.instance.debug(
+        'AuthProvider',
+        'Login result received: success=${result['success'] == true}, mfa_required=${result['mfa_required'] == true}',
+      );
 
       if (result['success'] == true) {
         _tokens = result['tokens'] as AuthTokens?;
@@ -141,7 +151,8 @@ class AuthProvider with ChangeNotifier {
         if (result['mfa_required'] == true) {
           _mfaRequired = true;
           _showMfaInput = true; // Show MFA input field
-          LogService.instance.debug('AuthProvider', 'MFA required! Setting _showMfaInput to true');
+          LogService.instance.debug(
+              'AuthProvider', 'MFA required! Setting _showMfaInput to true');
 
           // If user already submitted an OTP code, this is likely an invalid OTP error
           // Show the error message so user knows the code was wrong
@@ -165,7 +176,9 @@ class AuthProvider with ChangeNotifier {
         return false;
       }
     } catch (e) {
-      _errorMessage = 'Connection error: ${e.toString()}';
+      _logAuthException('Login', e);
+      _errorMessage =
+          'Unable to connect. Please check your network and try again.';
       _isLoading = false;
       notifyListeners();
       return false;
@@ -182,7 +195,10 @@ class AuthProvider with ChangeNotifier {
     try {
       final result = await _authService.loginWithApiKey(apiKey: apiKey);
 
-      LogService.instance.debug('AuthProvider', 'API key login result: $result');
+      LogService.instance.debug(
+        'AuthProvider',
+        'API key login result received: success=${result['success'] == true}',
+      );
 
       if (result['success'] == true) {
         _apiKey = apiKey;
@@ -197,9 +213,10 @@ class AuthProvider with ChangeNotifier {
         notifyListeners();
         return false;
       }
-    } catch (e, stackTrace) {
-      LogService.instance.error('AuthProvider', 'API key login error: $e\n$stackTrace');
-      _errorMessage = 'Unable to connect. Please check your network and try again.';
+    } catch (e) {
+      _logAuthException('API key login', e);
+      _errorMessage =
+          'Unable to connect. Please check your network and try again.';
       _isLoading = false;
       notifyListeners();
       return false;
@@ -241,7 +258,9 @@ class AuthProvider with ChangeNotifier {
         return false;
       }
     } catch (e) {
-      _errorMessage = 'Connection error: ${e.toString()}';
+      _logAuthException('Signup', e);
+      _errorMessage =
+          'Unable to connect. Please check your network and try again.';
       _isLoading = false;
       notifyListeners();
       return false;
@@ -260,12 +279,13 @@ class AuthProvider with ChangeNotifier {
         deviceInfo: deviceInfo,
       );
 
-      final launched = await launchUrl(Uri.parse(ssoUrl), mode: LaunchMode.externalApplication);
+      final launched = await launchUrl(Uri.parse(ssoUrl),
+          mode: LaunchMode.externalApplication);
       if (!launched) {
         _errorMessage = 'Unable to open browser for sign-in.';
       }
-    } catch (e, stackTrace) {
-      LogService.instance.error('AuthProvider', 'SSO launch error: $e\n$stackTrace');
+    } catch (e) {
+      _logAuthException('SSO launch', e);
       _errorMessage = 'Unable to start sign-in. Please try again.';
     } finally {
       _isLoading = false;
@@ -306,8 +326,8 @@ class AuthProvider with ChangeNotifier {
         notifyListeners();
         return false;
       }
-    } catch (e, stackTrace) {
-      LogService.instance.error('AuthProvider', 'SSO callback error: $e\n$stackTrace');
+    } catch (e) {
+      _logAuthException('SSO callback', e);
       _errorMessage = 'Sign-in failed. Please try again.';
       _isLoading = false;
       notifyListeners();
@@ -349,8 +369,8 @@ class AuthProvider with ChangeNotifier {
         notifyListeners();
         return false;
       }
-    } catch (e, stackTrace) {
-      LogService.instance.error('AuthProvider', 'SSO link error: $e\n$stackTrace');
+    } catch (e) {
+      _logAuthException('SSO link', e);
       _errorMessage = 'Failed to link account. Please try again.';
       _isLoading = false;
       notifyListeners();
@@ -392,8 +412,8 @@ class AuthProvider with ChangeNotifier {
         notifyListeners();
         return false;
       }
-    } catch (e, stackTrace) {
-      LogService.instance.error('AuthProvider', 'SSO create account error: $e\n$stackTrace');
+    } catch (e) {
+      _logAuthException('SSO create account', e);
       _errorMessage = 'Failed to create account. Please try again.';
       _isLoading = false;
       notifyListeners();
diff --git a/mobile/lib/providers/chat_provider.dart b/mobile/lib/providers/chat_provider.dart
index 2eb6ed212..6fc02e715 100644
--- a/mobile/lib/providers/chat_provider.dart
+++ b/mobile/lib/providers/chat_provider.dart
@@ -3,9 +3,11 @@ import 'package:flutter/foundation.dart';
 import '../models/chat.dart';
 import '../models/message.dart';
 import '../services/chat_service.dart';
+import '../services/log_service.dart';
 
 class ChatProvider with ChangeNotifier {
   final ChatService _chatService = ChatService();
+  final LogService _log = LogService.instance;
 
   List<Chat> _chats = [];
   Chat? _currentChat;
@@ -60,7 +62,7 @@ class ChatProvider with ChangeNotifier {
         _errorMessage = result['error'] ?? 'Failed to fetch chats';
       }
     } catch (e) {
-      debugPrint('fetchChats error: $e');
+      _log.warning('ChatProvider', 'fetchChats failed: ${e.runtimeType}');
       _errorMessage = 'Something went wrong. Please try again.';
     } finally {
       _isLoading = false;
@@ -94,7 +96,7 @@ class ChatProvider with ChangeNotifier {
         _errorMessage = result['error'] ?? 'Failed to fetch chat';
       }
     } catch (e) {
-      debugPrint('fetchChat error: $e');
+      _log.warning('ChatProvider', 'fetchChat failed: ${e.runtimeType}');
       _errorMessage = 'Something went wrong. Please try again.';
     } finally {
       _isLoading = false;
@@ -153,7 +155,7 @@ class ChatProvider with ChangeNotifier {
         return null;
       }
     } catch (e) {
-      debugPrint('createChat error: $e');
+      _log.warning('ChatProvider', 'createChat failed: ${e.runtimeType}');
       _errorMessage = 'Something went wrong. Please try again.';
       _isLoading = false;
       notifyListeners();
@@ -164,9 +166,8 @@ class ChatProvider with ChangeNotifier {
   void _rollbackOptimisticMessage(String optimisticId, String chatId) {
     if (_currentChat != null && _currentChat!.id == chatId) {
       _currentChat = _currentChat!.copyWith(
-        messages: _currentChat!.messages
-            .where((m) => m.id != optimisticId)
-            .toList(),
+        messages:
+            _currentChat!.messages.where((m) => m.id != optimisticId).toList(),
       );
     }
     _isWaitingForResponse = false;
@@ -236,7 +237,7 @@ class ChatProvider with ChangeNotifier {
     } catch (e) {
       // Roll back the optimistic message on error.
       _rollbackOptimisticMessage(optimisticId, chatId);
-      debugPrint('sendMessage error: $e');
+      _log.warning('ChatProvider', 'sendMessage failed: ${e.runtimeType}');
       _errorMessage = 'Something went wrong. Please try again.';
       return false;
     } finally {
@@ -282,7 +283,7 @@ class ChatProvider with ChangeNotifier {
         notifyListeners();
       }
     } catch (e) {
-      debugPrint('updateChatTitle error: $e');
+      _log.warning('ChatProvider', 'updateChatTitle failed: ${e.runtimeType}');
       _errorMessage = 'Something went wrong. Please try again.';
       notifyListeners();
     }
@@ -314,7 +315,7 @@ class ChatProvider with ChangeNotifier {
         return false;
       }
     } catch (e) {
-      debugPrint('deleteChat error: $e');
+      _log.warning('ChatProvider', 'deleteChat failed: ${e.runtimeType}');
       _errorMessage = 'Something went wrong. Please try again.';
       notifyListeners();
       return false;
@@ -334,7 +335,8 @@ class ChatProvider with ChangeNotifier {
 
       final deletedCount = (result['deletedCount'] as int?) ?? 0;
       if (result['success'] == true || deletedCount > 0) {
-        final failedIds = ((result['failedIds'] as List?) ?? []).cast<String>().toSet();
+        final failedIds =
+            ((result['failedIds'] as List?) ?? []).cast<String>().toSet();
         final deleted = chatIds.toSet().difference(failedIds);
         _chats.removeWhere((c) => deleted.contains(c.id));
 
@@ -350,7 +352,10 @@ class ChatProvider with ChangeNotifier {
       notifyListeners();
       return false;
     } catch (e) {
-      debugPrint('deleteMultipleChats error: $e');
+      _log.warning(
+        'ChatProvider',
+        'deleteMultipleChats failed: ${e.runtimeType}',
+      );
       _errorMessage = 'Something went wrong. Please try again.';
       notifyListeners();
       return false;
@@ -477,14 +482,15 @@ class ChatProvider with ChangeNotifier {
     } catch (e) {
       // Network error — allow polling to continue; timeout check below will
       // stop it if the deadline has passed.
-      debugPrint('Polling error: ${e.toString()}');
+      _log.warning('ChatProvider', 'Polling failed: ${e.runtimeType}');
     }
 
     // Evaluate timeout only after the attempt, and only when no progress was made.
     if (_pollingStartTime != null &&
         DateTime.now().difference(_pollingStartTime!) >= _pollingTimeout) {
       _stopPolling();
-      _errorMessage = 'The assistant took too long to respond. Please try again.';
+      _errorMessage =
+          'The assistant took too long to respond. Please try again.';
       notifyListeners();
     }
   }
diff --git a/mobile/lib/providers/transactions_provider.dart b/mobile/lib/providers/transactions_provider.dart
index 07e04c68b..8d63a2ed6 100644
--- a/mobile/lib/providers/transactions_provider.dart
+++ b/mobile/lib/providers/transactions_provider.dart
@@ -102,8 +102,10 @@ class TransactionsProvider with ChangeNotifier {
         accountId: accountId,
       );
 
-      _log.debug('TransactionsProvider',
-          'Loaded ${localTransactions.length} transactions from local storage (accountId: $accountId)');
+      _log.debug(
+        'TransactionsProvider',
+        'Loaded ${localTransactions.length} transactions from local storage${accountId != null ? " with account filter" : ""}',
+      );
 
       _transactions = localTransactions;
       notifyListeners();
@@ -114,8 +116,10 @@ class TransactionsProvider with ChangeNotifier {
           'Online: $isOnline, ForceSync: $forceSync, LocalEmpty: ${localTransactions.isEmpty}');
 
       if (isOnline && (forceSync || localTransactions.isEmpty)) {
-        _log.debug('TransactionsProvider',
-            'Syncing from server for accountId: $accountId');
+        _log.debug(
+          'TransactionsProvider',
+          'Syncing transactions from server${accountId != null ? " with account filter" : ""}',
+        );
         final result = await _syncService.syncFromServer(
           accessToken: accessToken,
           accountId: accountId,
@@ -168,8 +172,10 @@ class TransactionsProvider with ChangeNotifier {
     try {
       final isOnline = _connectivityService?.isOnline ?? false;
 
-      _log.info('TransactionsProvider',
-          'Creating transaction: $name, amount: $amount, online: $isOnline');
+      _log.info(
+        'TransactionsProvider',
+        'Creating transaction locally, online: $isOnline',
+      );
 
       // ALWAYS save locally first (offline-first strategy)
       final localTransaction = await _offlineStorage.saveTransaction(
@@ -189,8 +195,7 @@ class TransactionsProvider with ChangeNotifier {
         syncStatus: SyncStatus.pending, // Start as pending
       );
 
-      _log.info('TransactionsProvider',
-          'Transaction saved locally with ID: ${localTransaction.localId}');
+      _log.info('TransactionsProvider', 'Transaction saved locally');
 
       // Reload transactions to show the new one immediately
       await fetchTransactions(accessToken: accessToken, accountId: accountId);
@@ -446,8 +451,10 @@ class TransactionsProvider with ChangeNotifier {
     required String localId,
     required SyncStatus syncStatus,
   }) async {
-    _log.info('TransactionsProvider',
-        'Undoing transaction $localId with status $syncStatus');
+    _log.info(
+      'TransactionsProvider',
+      'Undoing transaction with status $syncStatus',
+    );
 
     try {
       final success =
diff --git a/mobile/lib/screens/backend_config_screen.dart b/mobile/lib/screens/backend_config_screen.dart
index b5cbf5519..a3c1afe96 100644
--- a/mobile/lib/screens/backend_config_screen.dart
+++ b/mobile/lib/screens/backend_config_screen.dart
@@ -4,6 +4,7 @@ import 'package:http/http.dart' as http;
 import '../models/custom_proxy_header.dart';
 import '../services/api_config.dart';
 import '../services/custom_proxy_headers_service.dart';
+import '../services/log_service.dart';
 import '../widgets/custom_proxy_headers_editor.dart';
 
 class BackendConfigScreen extends StatefulWidget {
@@ -47,10 +48,13 @@ class _BackendConfigScreenState extends State<BackendConfigScreen> {
       if (savedUrl != null && savedUrl.isNotEmpty) {
         urlToShow = savedUrl;
       }
-    } catch (e, stack) {
+    } catch (e) {
       // Swallow storage failures so the screen still becomes interactive with
       // sensible defaults; the user can re-enter and re-save.
-      debugPrint('BackendConfigScreen: failed to load saved config: $e\n$stack');
+      LogService.instance.warning(
+        'BackendConfigScreen',
+        'Failed to load saved backend config: $e',
+      );
     } finally {
       if (mounted) {
         setState(() {
@@ -75,9 +79,9 @@ class _BackendConfigScreenState extends State<BackendConfigScreen> {
     try {
       // Normalize base URL by removing trailing slashes
       final normalizedUrl = _urlController.text.trim().replaceAll(
-        RegExp(r'/+$'),
-        '',
-      );
+            RegExp(r'/+$'),
+            '',
+          );
 
       // Apply the unsaved edits only for the duration of this probe so the
       // test reflects what the user is about to save. Restored in `finally`.
@@ -85,23 +89,21 @@ class _BackendConfigScreenState extends State<BackendConfigScreen> {
 
       // Check /sessions/new page to verify it's a Sure backend
       final sessionsUrl = Uri.parse('$normalizedUrl/sessions/new');
-      final sessionsResponse = await http
-          .get(sessionsUrl, headers: ApiConfig.htmlHeaders())
-          .timeout(
-            const Duration(seconds: 10),
-            onTimeout: () {
-              throw Exception(
-                'Connection timeout. Please check the URL and try again.',
-              );
-            },
+      final sessionsResponse =
+          await http.get(sessionsUrl, headers: ApiConfig.htmlHeaders()).timeout(
+        const Duration(seconds: 10),
+        onTimeout: () {
+          throw Exception(
+            'Connection timeout. Please check the URL and try again.',
           );
+        },
+      );
 
       if (sessionsResponse.statusCode >= 200 &&
           sessionsResponse.statusCode < 400) {
         if (mounted) {
           setState(() {
-            _successMessage =
-                'Connection successful!';
+            _successMessage = 'Connection successful!';
           });
         }
       } else {
@@ -139,9 +141,9 @@ class _BackendConfigScreenState extends State<BackendConfigScreen> {
     try {
       // Normalize base URL by removing trailing slashes
       final normalizedUrl = _urlController.text.trim().replaceAll(
-        RegExp(r'/+$'),
-        '',
-      );
+            RegExp(r'/+$'),
+            '',
+          );
 
       // Save URL to SharedPreferences
       final prefs = await SharedPreferences.getInstance();
@@ -223,17 +225,17 @@ class _BackendConfigScreenState extends State<BackendConfigScreen> {
                 Text(
                   'Configuration',
                   style: Theme.of(context).textTheme.headlineMedium?.copyWith(
-                    fontWeight: FontWeight.bold,
-                    color: colorScheme.primary,
-                  ),
+                        fontWeight: FontWeight.bold,
+                        color: colorScheme.primary,
+                      ),
                   textAlign: TextAlign.center,
                 ),
                 const SizedBox(height: 8),
                 Text(
                   'Update your Sure server URL',
                   style: Theme.of(context).textTheme.bodyLarge?.copyWith(
-                    color: colorScheme.onSurfaceVariant,
-                  ),
+                        color: colorScheme.onSurfaceVariant,
+                      ),
                   textAlign: TextAlign.center,
                 ),
                 const SizedBox(height: 48),
@@ -430,8 +432,8 @@ class _BackendConfigScreenState extends State<BackendConfigScreen> {
                 Text(
                   'You can change this later in the settings.',
                   style: Theme.of(context).textTheme.bodySmall?.copyWith(
-                    color: colorScheme.onSurfaceVariant,
-                  ),
+                        color: colorScheme.onSurfaceVariant,
+                      ),
                   textAlign: TextAlign.center,
                 ),
               ],
diff --git a/mobile/lib/screens/calendar_screen.dart b/mobile/lib/screens/calendar_screen.dart
index 65ccc335c..2487f9e9c 100644
--- a/mobile/lib/screens/calendar_screen.dart
+++ b/mobile/lib/screens/calendar_screen.dart
@@ -51,7 +51,8 @@ class _CalendarScreenState extends State<CalendarScreen> {
       // Select first account of the selected type
       final filteredAccounts = _getFilteredAccounts(accountsProvider.accounts);
       setState(() {
-        _selectedAccount = filteredAccounts.isNotEmpty ? filteredAccounts.first : null;
+        _selectedAccount =
+            filteredAccounts.isNotEmpty ? filteredAccounts.first : null;
       });
       if (_selectedAccount != null) {
         await _loadTransactionsForAccount();
@@ -87,13 +88,17 @@ class _CalendarScreenState extends State<CalendarScreen> {
       );
 
       final transactions = transactionsProvider.transactions;
-      _log.info('CalendarScreen', 'Loaded ${transactions.length} transactions for account ${_selectedAccount!.name}');
+      _log.info(
+        'CalendarScreen',
+        'Loaded ${transactions.length} transactions for selected account',
+      );
 
       // Store transactions for date filtering
       _transactions = List.from(transactions);
 
       _calculateDailyChanges(transactions);
-      _log.info('CalendarScreen', 'Calculated ${_dailyChanges.length} days with changes');
+      _log.info('CalendarScreen',
+          'Calculated ${_dailyChanges.length} days with changes');
     }
 
     setState(() {
@@ -104,7 +109,8 @@ class _CalendarScreenState extends State<CalendarScreen> {
   void _calculateDailyChanges(List<Transaction> transactions) {
     final changes = <String, double>{};
 
-    _log.debug('CalendarScreen', 'Starting to calculate daily changes for ${transactions.length} transactions');
+    _log.debug('CalendarScreen',
+        'Starting to calculate daily changes for ${transactions.length} transactions');
 
     for (var transaction in transactions) {
       try {
@@ -115,23 +121,24 @@ class _CalendarScreenState extends State<CalendarScreen> {
 
         // For asset accounts, flip the sign to match accounting conventions
         // For liability accounts, also flip the sign
-        if (_selectedAccount?.isAsset == true || _selectedAccount?.isLiability == true) {
+        if (_selectedAccount?.isAsset == true ||
+            _selectedAccount?.isLiability == true) {
           amount = -amount;
         }
 
-        _log.debug('CalendarScreen', 'Processing transaction date: $dateKey, parsed amount sign adjusted');
-
         changes[dateKey] = (changes[dateKey] ?? 0.0) + amount;
-        _log.debug('CalendarScreen', 'Date $dateKey now has total: ${changes[dateKey]}');
-      } catch (_) {
-        _log.error('CalendarScreen', 'Failed to process transaction for calendar');
+      } catch (e) {
+        final sanitizedError = LogService.sanitize(e.toString());
+        final errorSummary = sanitizedError.length > 120
+            ? '${sanitizedError.substring(0, 120)}...'
+            : sanitizedError;
+        _log.error('CalendarScreen',
+            'Failed to process transaction for calendar: $errorSummary');
       }
     }
 
-    _log.info('CalendarScreen', 'Final changes map has ${changes.length} entries');
-    changes.forEach((date, amount) {
-      _log.debug('CalendarScreen', '$date -> $amount');
-    });
+    _log.info(
+        'CalendarScreen', 'Final changes map has ${changes.length} entries');
 
     setState(() {
       _dailyChanges = changes;
@@ -172,7 +179,8 @@ class _CalendarScreenState extends State<CalendarScreen> {
     return _transactions.where((transaction) {
       try {
         final transactionDate = DateTime.parse(transaction.date);
-        final transactionDateKey = DateFormat('yyyy-MM-dd').format(transactionDate);
+        final transactionDateKey =
+            DateFormat('yyyy-MM-dd').format(transactionDate);
         return transactionDateKey == dateKey;
       } catch (e) {
         return false;
@@ -237,7 +245,8 @@ class _CalendarScreenState extends State<CalendarScreen> {
     }
 
     // For asset accounts, flip the sign interpretation
-    if (_selectedAccount?.isAsset == true || _selectedAccount?.isLiability == true) {
+    if (_selectedAccount?.isAsset == true ||
+        _selectedAccount?.isLiability == true) {
       isNegative = !isNegative;
     }
 
@@ -321,8 +330,8 @@ class _CalendarScreenState extends State<CalendarScreen> {
                 Text(
                   'Account Type',
                   style: Theme.of(context).textTheme.titleSmall?.copyWith(
-                    fontWeight: FontWeight.w600,
-                  ),
+                        fontWeight: FontWeight.w600,
+                      ),
                 ),
                 const SizedBox(height: 8),
                 SegmentedButton<String>(
@@ -343,11 +352,15 @@ class _CalendarScreenState extends State<CalendarScreen> {
                     setState(() {
                       _accountType = newSelection.first;
                       // Switch to first account of new type
-                      final filteredAccounts = _getFilteredAccounts(accountsProvider.accounts);
-                      _selectedAccount = filteredAccounts.isNotEmpty ? filteredAccounts.first : null;
+                      final filteredAccounts =
+                          _getFilteredAccounts(accountsProvider.accounts);
+                      _selectedAccount = filteredAccounts.isNotEmpty
+                          ? filteredAccounts.first
+                          : null;
                       _dailyChanges = {};
                       _transactions = [];
-                      _selectedDate = null; // Clear selection when changing account type
+                      _selectedDate =
+                          null; // Clear selection when changing account type
                     });
                     if (_selectedAccount != null) {
                       _loadTransactionsForAccount();
@@ -382,7 +395,8 @@ class _CalendarScreenState extends State<CalendarScreen> {
                   vertical: 12,
                 ),
               ),
-              items: _getFilteredAccounts(accountsProvider.accounts).map((account) {
+              items: _getFilteredAccounts(accountsProvider.accounts)
+                  .map((account) {
                 return DropdownMenuItem(
                   value: account,
                   child: Text('${account.name} (${account.currency})'),
@@ -453,11 +467,11 @@ class _CalendarScreenState extends State<CalendarScreen> {
                 Text(
                   _formatCurrency(_getTotalForMonth()),
                   style: Theme.of(context).textTheme.titleLarge?.copyWith(
-                    color: _getTotalForMonth() >= 0
-                        ? Colors.green
-                        : Colors.red,
-                    fontWeight: FontWeight.bold,
-                  ),
+                        color: _getTotalForMonth() >= 0
+                            ? Colors.green
+                            : Colors.red,
+                        fontWeight: FontWeight.bold,
+                      ),
                 ),
               ],
             ),
@@ -475,8 +489,10 @@ class _CalendarScreenState extends State<CalendarScreen> {
   }
 
   Widget _buildCalendar(ColorScheme colorScheme) {
-    final firstDayOfMonth = DateTime(_currentMonth.year, _currentMonth.month, 1);
-    final lastDayOfMonth = DateTime(_currentMonth.year, _currentMonth.month + 1, 0);
+    final firstDayOfMonth =
+        DateTime(_currentMonth.year, _currentMonth.month, 1);
+    final lastDayOfMonth =
+        DateTime(_currentMonth.year, _currentMonth.month + 1, 0);
     final daysInMonth = lastDayOfMonth.day;
     final startWeekday = firstDayOfMonth.weekday % 7; // 0 = Sunday
 
@@ -506,18 +522,21 @@ class _CalendarScreenState extends State<CalendarScreen> {
             ),
 
             // Calendar grid
-            ...List.generate((daysInMonth + startWeekday + 6) ~/ 7, (weekIndex) {
+            ...List.generate((daysInMonth + startWeekday + 6) ~/ 7,
+                (weekIndex) {
               return SizedBox(
                 height: 70,
                 child: Row(
                   children: List.generate(7, (dayIndex) {
-                    final dayNumber = weekIndex * 7 + dayIndex - startWeekday + 1;
+                    final dayNumber =
+                        weekIndex * 7 + dayIndex - startWeekday + 1;
 
                     if (dayNumber < 1 || dayNumber > daysInMonth) {
                       return const Expanded(child: SizedBox.shrink());
                     }
 
-                    final date = DateTime(_currentMonth.year, _currentMonth.month, dayNumber);
+                    final date = DateTime(
+                        _currentMonth.year, _currentMonth.month, dayNumber);
                     final dateKey = DateFormat('yyyy-MM-dd').format(date);
                     final change = _dailyChanges[dateKey] ?? 0.0;
                     final hasChange = _dailyChanges.containsKey(dateKey);
@@ -541,7 +560,8 @@ class _CalendarScreenState extends State<CalendarScreen> {
     );
   }
 
-  Widget _buildDayCell(DateTime date, int day, double change, bool hasChange, ColorScheme colorScheme) {
+  Widget _buildDayCell(DateTime date, int day, double change, bool hasChange,
+      ColorScheme colorScheme) {
     Color? backgroundColor;
     Color? textColor;
 
@@ -569,7 +589,9 @@ class _CalendarScreenState extends State<CalendarScreen> {
           color: backgroundColor ?? colorScheme.surface,
           borderRadius: BorderRadius.circular(8),
           border: Border.all(
-            color: isSelected ? Theme.of(context).primaryColor : colorScheme.outlineVariant,
+            color: isSelected
+                ? Theme.of(context).primaryColor
+                : colorScheme.outlineVariant,
             width: isSelected ? 3 : 1,
           ),
         ),
diff --git a/mobile/lib/screens/settings_screen.dart b/mobile/lib/screens/settings_screen.dart
index 137d8a00b..316b8d400 100644
--- a/mobile/lib/screens/settings_screen.dart
+++ b/mobile/lib/screens/settings_screen.dart
@@ -35,6 +35,11 @@ class _SettingsScreenState extends State<SettingsScreen> {
   bool _isTogglingBiometric = false;
   List<CustomProxyHeader> _customHeaders = [];
 
+  String _displayInitial(String? displayName) {
+    final trimmed = displayName?.trim() ?? '';
+    return trimmed.isEmpty ? 'U' : trimmed[0].toUpperCase();
+  }
+
   @override
   void initState() {
     super.initState();
@@ -86,7 +91,7 @@ class _SettingsScreenState extends State<SettingsScreen> {
     if (mounted) {
       final build = packageInfo.buildNumber;
       final display = build.isNotEmpty
-          ? '${packageInfo.version} (${build})'
+          ? '${packageInfo.version} ($build)'
           : packageInfo.version;
       setState(() => _appVersion = display);
     }
@@ -107,8 +112,11 @@ class _SettingsScreenState extends State<SettingsScreen> {
       if (mounted) {
         setState(() => _customHeaders = headers);
       }
-    } catch (e, stack) {
-      debugPrint('SettingsScreen: failed to load custom headers: $e\n$stack');
+    } catch (e) {
+      LogService.instance.warning(
+        'SettingsScreen',
+        'Failed to load custom headers: $e',
+      );
       // Keep the existing _customHeaders state so the screen remains usable.
     }
   }
@@ -119,10 +127,9 @@ class _SettingsScreenState extends State<SettingsScreen> {
       builder: (context) => AlertDialog(
         title: const Text('Clear Local Data'),
         content: const Text(
-          'This will delete all locally cached transactions and accounts. '
-          'Your data on the server will not be affected. '
-          'Are you sure you want to continue?'
-        ),
+            'This will delete all locally cached transactions and accounts. '
+            'Your data on the server will not be affected. '
+            'Are you sure you want to continue?'),
         actions: [
           TextButton(
             onPressed: () => Navigator.pop(context, false),
@@ -156,7 +163,8 @@ class _SettingsScreenState extends State<SettingsScreen> {
         if (context.mounted) {
           ScaffoldMessenger.of(context).showSnackBar(
             const SnackBar(
-              content: Text('Local data cleared successfully. Pull to refresh to sync from server.'),
+              content: Text(
+                  'Local data cleared successfully. Pull to refresh to sync from server.'),
               backgroundColor: Colors.green,
               duration: Duration(seconds: 3),
             ),
@@ -242,7 +250,8 @@ class _SettingsScreenState extends State<SettingsScreen> {
 
         ScaffoldMessenger.of(context).showSnackBar(
           const SnackBar(
-            content: Text('Account reset has been initiated. This may take a moment.'),
+            content: Text(
+                'Account reset has been initiated. This may take a moment.'),
             backgroundColor: Colors.green,
           ),
         );
@@ -298,7 +307,8 @@ class _SettingsScreenState extends State<SettingsScreen> {
         return;
       }
 
-      final result = await UserService().deleteAccount(accessToken: accessToken);
+      final result =
+          await UserService().deleteAccount(accessToken: accessToken);
 
       if (!context.mounted) return;
 
@@ -344,7 +354,8 @@ class _SettingsScreenState extends State<SettingsScreen> {
 
   Future<void> _showCustomHeadersDialog() async {
     final formKey = GlobalKey<FormState>();
-    final latestHeaders = await CustomProxyHeadersService.instance.loadHeaders();
+    final latestHeaders =
+        await CustomProxyHeadersService.instance.loadHeaders();
     if (!mounted) return;
 
     setState(() => _customHeaders = latestHeaders);
@@ -438,7 +449,7 @@ class _SettingsScreenState extends State<SettingsScreen> {
                           radius: 30,
                           backgroundColor: colorScheme.primary,
                           child: Text(
-                            authProvider.user?.displayName[0].toUpperCase() ?? 'U',
+                            _displayInitial(authProvider.user?.displayName),
                             style: TextStyle(
                               fontSize: 24,
                               color: colorScheme.onPrimary,
@@ -453,9 +464,12 @@ class _SettingsScreenState extends State<SettingsScreen> {
                             children: [
                               Text(
                                 authProvider.user?.displayName ?? 'User',
-                                style: Theme.of(context).textTheme.titleLarge?.copyWith(
-                                  fontWeight: FontWeight.bold,
-                                ),
+                                style: Theme.of(context)
+                                    .textTheme
+                                    .titleLarge
+                                    ?.copyWith(
+                                      fontWeight: FontWeight.bold,
+                                    ),
                               ),
                               const SizedBox(height: 4),
                               Text(
@@ -512,7 +526,8 @@ class _SettingsScreenState extends State<SettingsScreen> {
               onTap: () {
                 Navigator.push(
                   context,
-                  MaterialPageRoute(builder: (context) => const LogViewerScreen()),
+                  MaterialPageRoute(
+                      builder: (context) => const LogViewerScreen()),
                 );
               },
             ),
@@ -570,7 +585,8 @@ class _SettingsScreenState extends State<SettingsScreen> {
                     ),
                   ],
                   selected: {themeProvider.themeMode},
-                  onSelectionChanged: (modes) => themeProvider.setThemeMode(modes.first),
+                  onSelectionChanged: (modes) =>
+                      themeProvider.setThemeMode(modes.first),
                   showSelectedIcon: false,
                 ),
               );
@@ -627,7 +643,6 @@ class _SettingsScreenState extends State<SettingsScreen> {
 
           if (_biometricSupported) ...[
             const Divider(),
-
             const Padding(
               padding: EdgeInsets.fromLTRB(16, 16, 16, 8),
               child: Text(
@@ -639,11 +654,11 @@ class _SettingsScreenState extends State<SettingsScreen> {
                 ),
               ),
             ),
-
             SwitchListTile(
               secondary: const Icon(Icons.fingerprint),
               title: const Text('Biometric Lock'),
-              subtitle: const Text('Require biometric authentication when resuming the app'),
+              subtitle: const Text(
+                  'Require biometric authentication when resuming the app'),
               value: _biometricEnabled,
               onChanged: _isTogglingBiometric ? null : _toggleBiometric,
             ),
@@ -671,10 +686,15 @@ class _SettingsScreenState extends State<SettingsScreen> {
               'Delete all accounts, categories, merchants, and tags but keep your user account',
             ),
             trailing: _isResettingAccount
-                ? const SizedBox(width: 20, height: 20, child: CircularProgressIndicator(strokeWidth: 2))
+                ? const SizedBox(
+                    width: 20,
+                    height: 20,
+                    child: CircularProgressIndicator(strokeWidth: 2))
                 : null,
             enabled: !_isResettingAccount && !_isDeletingAccount,
-            onTap: _isResettingAccount || _isDeletingAccount ? null : () => _handleResetAccount(context),
+            onTap: _isResettingAccount || _isDeletingAccount
+                ? null
+                : () => _handleResetAccount(context),
           ),
 
           ListTile(
@@ -684,10 +704,15 @@ class _SettingsScreenState extends State<SettingsScreen> {
               'Permanently remove all your data. This cannot be undone.',
             ),
             trailing: _isDeletingAccount
-                ? const SizedBox(width: 20, height: 20, child: CircularProgressIndicator(strokeWidth: 2))
+                ? const SizedBox(
+                    width: 20,
+                    height: 20,
+                    child: CircularProgressIndicator(strokeWidth: 2))
                 : null,
             enabled: !_isDeletingAccount && !_isResettingAccount,
-            onTap: _isDeletingAccount || _isResettingAccount ? null : () => _handleDeleteAccount(context),
+            onTap: _isDeletingAccount || _isResettingAccount
+                ? null
+                : () => _handleDeleteAccount(context),
           ),
 
           const Divider(),
diff --git a/mobile/lib/services/auth_service.dart b/mobile/lib/services/auth_service.dart
index e39ae6254..2a419b914 100644
--- a/mobile/lib/services/auth_service.dart
+++ b/mobile/lib/services/auth_service.dart
@@ -15,6 +15,28 @@ class AuthService {
   static const String _apiKeyKey = 'api_key';
   static const String _authModeKey = 'auth_mode';
 
+  void _logAuthException(String operation, Object error) {
+    LogService.instance.error(
+      'AuthService',
+      '$operation failed with ${error.runtimeType}',
+    );
+  }
+
+  String _responseError(Map<String, dynamic> responseData, String fallback) {
+    final error = responseData['error'];
+    if (error is String && error.isNotEmpty) return error;
+
+    final errors = responseData['errors'];
+    if (errors is List) {
+      final joined = errors.whereType<Object>().join(', ');
+      if (joined.isNotEmpty) return joined;
+    } else if (errors is String && errors.isNotEmpty) {
+      return errors;
+    }
+
+    return fallback;
+  }
+
   Future<Map<String, dynamic>> login({
     required String email,
     required String password,
@@ -34,14 +56,18 @@ class AuthService {
         body['otp_code'] = otpCode;
       }
 
-      final response = await http.post(
-        url,
-        headers: ApiConfig.jsonHeaders(),
-        body: jsonEncode(body),
-      ).timeout(const Duration(seconds: 30));
+      final response = await http
+          .post(
+            url,
+            headers: ApiConfig.jsonHeaders(),
+            body: jsonEncode(body),
+          )
+          .timeout(const Duration(seconds: 30));
 
-      LogService.instance.debug('AuthService', 'Login response status: ${response.statusCode}');
-      LogService.instance.debug('AuthService', 'Login response body: ${response.body}');
+      LogService.instance.debug(
+        'AuthService',
+        'Login response received with status ${response.statusCode}',
+      );
 
       final responseData = jsonDecode(response.body);
 
@@ -54,7 +80,7 @@ class AuthService {
         User? user;
         if (responseData['user'] != null) {
           final rawUser = responseData['user'];
-          _logRawUserPayload('login', rawUser);
+          _logUserPayloadShape('login', rawUser);
           user = User.fromJson(rawUser);
           await _saveUser(user);
         }
@@ -64,7 +90,8 @@ class AuthService {
           'tokens': tokens,
           'user': user,
         };
-      } else if (response.statusCode == 401 && responseData['mfa_required'] == true) {
+      } else if (response.statusCode == 401 &&
+          responseData['mfa_required'] == true) {
         return {
           'success': false,
           'mfa_required': true,
@@ -73,41 +100,41 @@ class AuthService {
       } else {
         return {
           'success': false,
-          'error': responseData['error'] ?? responseData['errors']?.join(', ') ?? 'Login failed',
+          'error': _responseError(responseData, 'Login failed'),
         };
       }
-    } on SocketException catch (e, stackTrace) {
-      LogService.instance.error('AuthService', 'Login SocketException: $e\n$stackTrace');
+    } on SocketException catch (e) {
+      _logAuthException('Login', e);
       return {
         'success': false,
         'error': 'Network unavailable',
       };
-    } on TimeoutException catch (e, stackTrace) {
-      LogService.instance.error('AuthService', 'Login TimeoutException: $e\n$stackTrace');
+    } on TimeoutException catch (e) {
+      _logAuthException('Login', e);
       return {
         'success': false,
         'error': 'Request timed out',
       };
-    } on HttpException catch (e, stackTrace) {
-      LogService.instance.error('AuthService', 'Login HttpException: $e\n$stackTrace');
+    } on HttpException catch (e) {
+      _logAuthException('Login', e);
       return {
         'success': false,
         'error': 'Invalid response from server',
       };
-    } on FormatException catch (e, stackTrace) {
-      LogService.instance.error('AuthService', 'Login FormatException: $e\n$stackTrace');
+    } on FormatException catch (e) {
+      _logAuthException('Login', e);
       return {
         'success': false,
         'error': 'Invalid response from server',
       };
-    } on TypeError catch (e, stackTrace) {
-      LogService.instance.error('AuthService', 'Login TypeError: $e\n$stackTrace');
+    } on TypeError catch (e) {
+      _logAuthException('Login', e);
       return {
         'success': false,
         'error': 'Invalid response from server',
       };
-    } catch (e, stackTrace) {
-      LogService.instance.error('AuthService', 'Login unexpected error: $e\n$stackTrace');
+    } catch (e) {
+      _logAuthException('Login', e);
       return {
         'success': false,
         'error': 'An unexpected error occurred',
@@ -140,11 +167,13 @@ class AuthService {
         body['invite_code'] = inviteCode;
       }
 
-      final response = await http.post(
-        url,
-        headers: ApiConfig.jsonHeaders(),
-        body: jsonEncode(body),
-      ).timeout(const Duration(seconds: 30));
+      final response = await http
+          .post(
+            url,
+            headers: ApiConfig.jsonHeaders(),
+            body: jsonEncode(body),
+          )
+          .timeout(const Duration(seconds: 30));
 
       final responseData = jsonDecode(response.body);
 
@@ -157,7 +186,7 @@ class AuthService {
         User? user;
         if (responseData['user'] != null) {
           final rawUser = responseData['user'];
-          _logRawUserPayload('signup', rawUser);
+          _logUserPayloadShape('signup', rawUser);
           user = User.fromJson(rawUser);
           await _saveUser(user);
         }
@@ -170,41 +199,41 @@ class AuthService {
       } else {
         return {
           'success': false,
-          'error': responseData['error'] ?? responseData['errors']?.join(', ') ?? 'Signup failed',
+          'error': _responseError(responseData, 'Signup failed'),
         };
       }
-    } on SocketException catch (e, stackTrace) {
-      LogService.instance.error('AuthService', 'Signup SocketException: $e\n$stackTrace');
+    } on SocketException catch (e) {
+      _logAuthException('Signup', e);
       return {
         'success': false,
         'error': 'Network unavailable',
       };
-    } on TimeoutException catch (e, stackTrace) {
-      LogService.instance.error('AuthService', 'Signup TimeoutException: $e\n$stackTrace');
+    } on TimeoutException catch (e) {
+      _logAuthException('Signup', e);
       return {
         'success': false,
         'error': 'Request timed out',
       };
-    } on HttpException catch (e, stackTrace) {
-      LogService.instance.error('AuthService', 'Signup HttpException: $e\n$stackTrace');
+    } on HttpException catch (e) {
+      _logAuthException('Signup', e);
       return {
         'success': false,
         'error': 'Invalid response from server',
       };
-    } on FormatException catch (e, stackTrace) {
-      LogService.instance.error('AuthService', 'Signup FormatException: $e\n$stackTrace');
+    } on FormatException catch (e) {
+      _logAuthException('Signup', e);
       return {
         'success': false,
         'error': 'Invalid response from server',
       };
-    } on TypeError catch (e, stackTrace) {
-      LogService.instance.error('AuthService', 'Signup TypeError: $e\n$stackTrace');
+    } on TypeError catch (e) {
+      _logAuthException('Signup', e);
       return {
         'success': false,
         'error': 'Invalid response from server',
       };
-    } catch (e, stackTrace) {
-      LogService.instance.error('AuthService', 'Signup unexpected error: $e\n$stackTrace');
+    } catch (e) {
+      _logAuthException('Signup', e);
       return {
         'success': false,
         'error': 'An unexpected error occurred',
@@ -219,14 +248,16 @@ class AuthService {
     try {
       final url = Uri.parse('${ApiConfig.baseUrl}/api/v1/auth/refresh');
 
-      final response = await http.post(
-        url,
-        headers: ApiConfig.jsonHeaders(),
-        body: jsonEncode({
-          'refresh_token': refreshToken,
-          'device': deviceInfo,
-        }),
-      ).timeout(const Duration(seconds: 30));
+      final response = await http
+          .post(
+            url,
+            headers: ApiConfig.jsonHeaders(),
+            body: jsonEncode({
+              'refresh_token': refreshToken,
+              'device': deviceInfo,
+            }),
+          )
+          .timeout(const Duration(seconds: 30));
 
       final responseData = jsonDecode(response.body);
 
@@ -244,38 +275,38 @@ class AuthService {
           'error': responseData['error'] ?? 'Token refresh failed',
         };
       }
-    } on SocketException catch (e, stackTrace) {
-      LogService.instance.error('AuthService', 'RefreshToken SocketException: $e\n$stackTrace');
+    } on SocketException catch (e) {
+      _logAuthException('RefreshToken', e);
       return {
         'success': false,
         'error': 'Network unavailable',
       };
-    } on TimeoutException catch (e, stackTrace) {
-      LogService.instance.error('AuthService', 'RefreshToken TimeoutException: $e\n$stackTrace');
+    } on TimeoutException catch (e) {
+      _logAuthException('RefreshToken', e);
       return {
         'success': false,
         'error': 'Request timed out',
       };
-    } on HttpException catch (e, stackTrace) {
-      LogService.instance.error('AuthService', 'RefreshToken HttpException: $e\n$stackTrace');
+    } on HttpException catch (e) {
+      _logAuthException('RefreshToken', e);
       return {
         'success': false,
         'error': 'Invalid response from server',
       };
-    } on FormatException catch (e, stackTrace) {
-      LogService.instance.error('AuthService', 'RefreshToken FormatException: $e\n$stackTrace');
+    } on FormatException catch (e) {
+      _logAuthException('RefreshToken', e);
       return {
         'success': false,
         'error': 'Invalid response from server',
       };
-    } on TypeError catch (e, stackTrace) {
-      LogService.instance.error('AuthService', 'RefreshToken TypeError: $e\n$stackTrace');
+    } on TypeError catch (e) {
+      _logAuthException('RefreshToken', e);
       return {
         'success': false,
         'error': 'Invalid response from server',
       };
-    } catch (e, stackTrace) {
-      LogService.instance.error('AuthService', 'RefreshToken unexpected error: $e\n$stackTrace');
+    } catch (e) {
+      _logAuthException('RefreshToken', e);
       return {
         'success': false,
         'error': 'An unexpected error occurred',
@@ -298,7 +329,8 @@ class AuthService {
         },
       ).timeout(const Duration(seconds: 30));
 
-      LogService.instance.debug('AuthService', 'API key login response status: ${response.statusCode}');
+      LogService.instance.debug('AuthService',
+          'API key login response status: ${response.statusCode}');
 
       if (response.statusCode == 200) {
         await _saveApiKey(apiKey);
@@ -316,20 +348,20 @@ class AuthService {
           'error': 'Login failed (status ${response.statusCode})',
         };
       }
-    } on SocketException catch (e, stackTrace) {
-      LogService.instance.error('AuthService', 'API key login SocketException: $e\n$stackTrace');
+    } on SocketException catch (e) {
+      _logAuthException('API key login', e);
       return {
         'success': false,
         'error': 'Network unavailable',
       };
-    } on TimeoutException catch (e, stackTrace) {
-      LogService.instance.error('AuthService', 'API key login TimeoutException: $e\n$stackTrace');
+    } on TimeoutException catch (e) {
+      _logAuthException('API key login', e);
       return {
         'success': false,
         'error': 'Request timed out',
       };
-    } catch (e, stackTrace) {
-      LogService.instance.error('AuthService', 'API key login unexpected error: $e\n$stackTrace');
+    } catch (e) {
+      _logAuthException('API key login', e);
       return {
         'success': false,
         'error': 'An unexpected error occurred',
@@ -388,11 +420,13 @@ class AuthService {
     // Exchange authorization code for tokens via secure POST
     try {
       final url = Uri.parse('${ApiConfig.baseUrl}/api/v1/auth/sso_exchange');
-      final response = await http.post(
-        url,
-        headers: ApiConfig.jsonHeaders(),
-        body: jsonEncode({'code': code}),
-      ).timeout(const Duration(seconds: 30));
+      final response = await http
+          .post(
+            url,
+            headers: ApiConfig.jsonHeaders(),
+            body: jsonEncode({'code': code}),
+          )
+          .timeout(const Duration(seconds: 30));
 
       if (response.statusCode != 200) {
         final errorData = jsonDecode(response.body);
@@ -413,7 +447,7 @@ class AuthService {
       });
       await _saveTokens(tokens);
 
-      _logRawUserPayload('sso_exchange', data['user']);
+      _logUserPayloadShape('sso_exchange', data['user']);
       final user = User.fromJson(data['user']);
       await _saveUser(user);
 
@@ -422,20 +456,20 @@ class AuthService {
         'tokens': tokens,
         'user': user,
       };
-    } on SocketException catch (e, stackTrace) {
-      LogService.instance.error('AuthService', 'SSO exchange SocketException: $e\n$stackTrace');
+    } on SocketException catch (e) {
+      _logAuthException('SSO exchange', e);
       return {
         'success': false,
         'error': 'Network unavailable',
       };
-    } on TimeoutException catch (e, stackTrace) {
-      LogService.instance.error('AuthService', 'SSO exchange TimeoutException: $e\n$stackTrace');
+    } on TimeoutException catch (e) {
+      _logAuthException('SSO exchange', e);
       return {
         'success': false,
         'error': 'Request timed out',
       };
-    } catch (e, stackTrace) {
-      LogService.instance.error('AuthService', 'SSO exchange unexpected error: $e\n$stackTrace');
+    } catch (e) {
+      _logAuthException('SSO exchange', e);
       return {
         'success': false,
         'error': 'Failed to exchange authorization code',
@@ -450,15 +484,17 @@ class AuthService {
   }) async {
     try {
       final url = Uri.parse('${ApiConfig.baseUrl}/api/v1/auth/sso_link');
-      final response = await http.post(
-        url,
-        headers: ApiConfig.jsonHeaders(),
-        body: jsonEncode({
-          'linking_code': linkingCode,
-          'email': email,
-          'password': password,
-        }),
-      ).timeout(const Duration(seconds: 30));
+      final response = await http
+          .post(
+            url,
+            headers: ApiConfig.jsonHeaders(),
+            body: jsonEncode({
+              'linking_code': linkingCode,
+              'email': email,
+              'password': password,
+            }),
+          )
+          .timeout(const Duration(seconds: 30));
 
       final responseData = jsonDecode(response.body);
 
@@ -468,7 +504,7 @@ class AuthService {
 
         User? user;
         if (responseData['user'] != null) {
-          _logRawUserPayload('sso_link', responseData['user']);
+          _logUserPayloadShape('sso_link', responseData['user']);
           user = User.fromJson(responseData['user']);
           await _saveUser(user);
         }
@@ -481,15 +517,17 @@ class AuthService {
       } else {
         return {
           'success': false,
-          'error': responseData['error'] ?? responseData['errors']?.join(', ') ?? 'Account linking failed',
+          'error': _responseError(responseData, 'Account linking failed'),
         };
       }
-    } on SocketException {
+    } on SocketException catch (e) {
+      _logAuthException('SSO link', e);
       return {'success': false, 'error': 'Network unavailable'};
-    } on TimeoutException {
+    } on TimeoutException catch (e) {
+      _logAuthException('SSO link', e);
       return {'success': false, 'error': 'Request timed out'};
-    } catch (e, stackTrace) {
-      LogService.instance.error('AuthService', 'SSO link error: $e\n$stackTrace');
+    } catch (e) {
+      _logAuthException('SSO link', e);
       return {'success': false, 'error': 'Failed to link account'};
     }
   }
@@ -500,18 +538,21 @@ class AuthService {
     String? lastName,
   }) async {
     try {
-      final url = Uri.parse('${ApiConfig.baseUrl}/api/v1/auth/sso_create_account');
+      final url =
+          Uri.parse('${ApiConfig.baseUrl}/api/v1/auth/sso_create_account');
       final body = <String, dynamic>{
         'linking_code': linkingCode,
       };
       if (firstName != null) body['first_name'] = firstName;
       if (lastName != null) body['last_name'] = lastName;
 
-      final response = await http.post(
-        url,
-        headers: ApiConfig.jsonHeaders(),
-        body: jsonEncode(body),
-      ).timeout(const Duration(seconds: 30));
+      final response = await http
+          .post(
+            url,
+            headers: ApiConfig.jsonHeaders(),
+            body: jsonEncode(body),
+          )
+          .timeout(const Duration(seconds: 30));
 
       final responseData = jsonDecode(response.body);
 
@@ -521,7 +562,7 @@ class AuthService {
 
         User? user;
         if (responseData['user'] != null) {
-          _logRawUserPayload('sso_create_account', responseData['user']);
+          _logUserPayloadShape('sso_create_account', responseData['user']);
           user = User.fromJson(responseData['user']);
           await _saveUser(user);
         }
@@ -534,15 +575,17 @@ class AuthService {
       } else {
         return {
           'success': false,
-          'error': responseData['error'] ?? responseData['errors']?.join(', ') ?? 'Account creation failed',
+          'error': _responseError(responseData, 'Account creation failed'),
         };
       }
-    } on SocketException {
+    } on SocketException catch (e) {
+      _logAuthException('SSO create account', e);
       return {'success': false, 'error': 'Network unavailable'};
-    } on TimeoutException {
+    } on TimeoutException catch (e) {
+      _logAuthException('SSO create account', e);
       return {'success': false, 'error': 'Request timed out'};
-    } catch (e, stackTrace) {
-      LogService.instance.error('AuthService', 'SSO create account error: $e\n$stackTrace');
+    } catch (e) {
+      _logAuthException('SSO create account', e);
       return {'success': false, 'error': 'Failed to create account'};
     }
   }
@@ -563,7 +606,7 @@ class AuthService {
       final responseData = jsonDecode(response.body);
 
       if (response.statusCode == 200) {
-        _logRawUserPayload('enable_ai', responseData['user']);
+        _logUserPayloadShape('enable_ai', responseData['user']);
         final user = User.fromJson(responseData['user']);
         await _saveUser(user);
         return {
@@ -574,12 +617,13 @@ class AuthService {
 
       return {
         'success': false,
-        'error': responseData['error'] ?? responseData['errors']?.join(', ') ?? 'Failed to enable AI',
+        'error': _responseError(responseData, 'Failed to enable AI'),
       };
     } catch (e) {
+      _logAuthException('Enable AI', e);
       return {
         'success': false,
-        'error': 'Network error: ${e.toString()}',
+        'error': 'Network error',
       };
     }
   }
@@ -594,7 +638,7 @@ class AuthService {
   Future<AuthTokens?> getStoredTokens() async {
     final tokensJson = await _storage.read(key: _tokenKey);
     if (tokensJson == null) return null;
-    
+
     try {
       return AuthTokens.fromJson(jsonDecode(tokensJson));
     } catch (e) {
@@ -605,7 +649,7 @@ class AuthService {
   Future<User?> getStoredUser() async {
     final userJson = await _storage.read(key: _userKey);
     if (userJson == null) return null;
-    
+
     try {
       return User.fromJson(jsonDecode(userJson));
     } catch (e) {
@@ -627,20 +671,25 @@ class AuthService {
     );
   }
 
-  void _logRawUserPayload(String source, dynamic userPayload) {
+  void _logUserPayloadShape(String source, dynamic userPayload) {
     if (userPayload == null) {
-      LogService.instance.debug('AuthService', '$source user payload: <missing>');
+      LogService.instance.debug(
+        'AuthService',
+        '$source user payload missing',
+      );
       return;
     }
 
     if (userPayload is Map<String, dynamic>) {
-      try {
-        LogService.instance.debug('AuthService', '$source user payload: ${jsonEncode(userPayload)}');
-      } catch (_) {
-        LogService.instance.debug('AuthService', '$source user payload: $userPayload');
-      }
+      LogService.instance.debug(
+        'AuthService',
+        '$source user payload received with ${userPayload.length} fields',
+      );
     } else {
-      LogService.instance.debug('AuthService', '$source user payload type: ${userPayload.runtimeType}');
+      LogService.instance.debug(
+        'AuthService',
+        '$source user payload type: ${userPayload.runtimeType}',
+      );
     }
   }
 
diff --git a/mobile/lib/services/database_helper.dart b/mobile/lib/services/database_helper.dart
index d0145edba..91741adb3 100644
--- a/mobile/lib/services/database_helper.dart
+++ b/mobile/lib/services/database_helper.dart
@@ -201,8 +201,7 @@ class DatabaseHelper {
       return localId;
     }
     final db = await database;
-    _log.debug('DatabaseHelper',
-        'Inserting transaction: local_id=${transaction['local_id']}, account_id="${transaction['account_id']}", server_id=${transaction['server_id']}');
+    _log.debug('DatabaseHelper', 'Inserting transaction into local database');
     await db.insert(
       'transactions',
       transaction,
@@ -235,8 +234,7 @@ class DatabaseHelper {
     final db = await database;
 
     if (accountId != null) {
-      _log.debug('DatabaseHelper',
-          'Querying transactions WHERE account_id = "$accountId"');
+      _log.debug('DatabaseHelper', 'Querying scoped transactions');
       final results = await db.query(
         'transactions',
         where: 'account_id = ?',
diff --git a/mobile/lib/services/log_service.dart b/mobile/lib/services/log_service.dart
index 83c0a389d..ebe66372c 100644
--- a/mobile/lib/services/log_service.dart
+++ b/mobile/lib/services/log_service.dart
@@ -32,17 +32,88 @@ class LogService with ChangeNotifier {
 
   List<LogEntry> get logs => List.unmodifiable(_logs);
 
+  static final List<RegExp> _authPatterns = [
+    RegExp(
+      r'\b(authorization|x-api-key|api[-_]?key|access[-_]?token|refresh[-_]?token|auth[-_]?token|bearer|password|otp[-_]?code|linking[-_]?code|secret|custom[-_]?proxy[-_]?headers?)\b\s*[:=]\s*(Bearer\s+[A-Za-z0-9._~+/=-]+|"[^"]*"|[^\s,}]+)',
+      caseSensitive: false,
+    ),
+    RegExp(
+      r'"(authorization|x-api-key|api[-_]?key|access[-_]?token|refresh[-_]?token|auth[-_]?token|password|otp[-_]?code|linking[-_]?code|secret)"\s*:\s*("[^"]*"|[0-9.]+|true|false|null)',
+      caseSensitive: false,
+    ),
+  ];
+
+  static final List<RegExp> _businessDataPatterns = [
+    RegExp(
+      r'\b(local[-_]?id|account[-_]?id|server[-_]?id|transaction[-_]?id|merchant[-_]?id|category[-_]?id|tag[-_]?ids?|user[-_]?id|backend[-_]?url|base[-_]?url|amount|account[-_]?name|merchant[-_]?name|category[-_]?name|display[-_]?name|transaction[-_]?name|email|first[-_]?name|last[-_]?name)\b\s*[:=]\s*("[^"]*"|[^\s,}]+)',
+      caseSensitive: false,
+    ),
+    RegExp(
+      r'"(local[-_]?id|account[-_]?id|server[-_]?id|transaction[-_]?id|merchant[-_]?id|category[-_]?id|tag[-_]?ids?|user[-_]?id|backend[-_]?url|base[-_]?url|amount|account[-_]?name|merchant[-_]?name|category[-_]?name|display[-_]?name|transaction[-_]?name|email|first[-_]?name|last[-_]?name)"\s*:\s*("[^"]*"|[0-9.]+|true|false|null)',
+      caseSensitive: false,
+    ),
+  ];
+  static final List<RegExp> _sensitiveKeyPatterns = [
+    ..._authPatterns,
+    ..._businessDataPatterns,
+  ];
+
+  static final RegExp _bearerTokenPattern =
+      RegExp(r'\bBearer\s+[A-Za-z0-9._~+/=-]+', caseSensitive: false);
+  static final RegExp _urlPattern = RegExp(r'https?://[^\s,}]+');
+  static final RegExp _hostLookupPattern = RegExp(
+    r'''(Failed host lookup:\s*)['"]?[^'"\s)]+['"]?''',
+    caseSensitive: false,
+  );
+  static final RegExp _socketAddressPattern = RegExp(
+    r'\b(address|host)\s*=\s*([^\s,}]+)',
+    caseSensitive: false,
+  );
+  static final RegExp _emailPattern = RegExp(
+      r'\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b',
+      caseSensitive: false);
+  static final RegExp _uuidPattern = RegExp(
+    r'\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b',
+    caseSensitive: false,
+  );
+  static final RegExp _longNumericIdPattern = RegExp(r'\b\d{14,}\b');
+
+  static String sanitize(String message) {
+    var sanitized = message;
+
+    for (final pattern in _sensitiveKeyPatterns) {
+      sanitized = sanitized.replaceAllMapped(pattern, (match) {
+        final key = match.group(1) ?? 'value';
+        return '$key=[redacted]';
+      });
+    }
+
+    sanitized = sanitized
+        .replaceAll(_bearerTokenPattern, 'Bearer [redacted]')
+        .replaceAll(_urlPattern, '[url]')
+        .replaceAllMapped(
+            _hostLookupPattern, (match) => '${match.group(1)}[host]')
+        .replaceAllMapped(
+            _socketAddressPattern, (match) => '${match.group(1)}=[host]')
+        .replaceAll(_emailPattern, '[email]')
+        .replaceAll(_uuidPattern, '[id]')
+        .replaceAll(_longNumericIdPattern, '[id]');
+
+    return sanitized;
+  }
+
   /// Call this when log viewer screen becomes active
   void setLogViewerActive(bool active) {
     _isLogViewerActive = active;
   }
 
   void log(String tag, String message, {String level = 'INFO'}) {
+    final sanitizedMessage = sanitize(message);
     final entry = LogEntry(
       timestamp: DateTime.now(),
       level: level,
       tag: tag,
-      message: message,
+      message: sanitizedMessage,
     );
 
     _logs.add(entry);
@@ -53,7 +124,7 @@ class LogService with ChangeNotifier {
     }
 
     // Also print to console for development
-    debugPrint('[$level][$tag] $message');
+    debugPrint('[$level][$tag] $sanitizedMessage');
 
     // Only notify listeners if log viewer is active to avoid unnecessary rebuilds
     if (_isLogViewerActive) {
@@ -63,7 +134,8 @@ class LogService with ChangeNotifier {
 
   void debug(String tag, String message) => log(tag, message, level: 'DEBUG');
   void info(String tag, String message) => log(tag, message, level: 'INFO');
-  void warning(String tag, String message) => log(tag, message, level: 'WARNING');
+  void warning(String tag, String message) =>
+      log(tag, message, level: 'WARNING');
   void error(String tag, String message) => log(tag, message, level: 'ERROR');
 
   void clear() {
@@ -73,8 +145,10 @@ class LogService with ChangeNotifier {
 
   String exportLogs() {
     final buffer = StringBuffer();
+    // Log messages are sanitized before storage; export should preserve them.
     for (final log in _logs) {
-      buffer.writeln('${log.formattedTime} [${log.level}][${log.tag}] ${log.message}');
+      buffer.writeln(
+          '${log.formattedTime} [${log.level}][${log.tag}] ${log.message}');
     }
     return buffer.toString();
   }
diff --git a/mobile/lib/services/offline_storage_service.dart b/mobile/lib/services/offline_storage_service.dart
index 520de7763..cad906fb1 100644
--- a/mobile/lib/services/offline_storage_service.dart
+++ b/mobile/lib/services/offline_storage_service.dart
@@ -30,8 +30,10 @@ class OfflineStorageService {
   }) async {
     final localId = _uuid.v4();
 
-    _log.info('OfflineStorage',
-        'saveTransaction called: localId=$localId, accountId=$accountId, syncStatus=$syncStatus');
+    _log.info(
+      'OfflineStorage',
+      'saveTransaction called with syncStatus=$syncStatus',
+    );
 
     final transaction = OfflineTransaction(
       id: serverId,
@@ -54,8 +56,7 @@ class OfflineStorageService {
 
     try {
       await _dbHelper.insertTransaction(transaction.toDatabaseMap());
-      _log.info('OfflineStorage',
-          'Transaction saved successfully with localId: $localId');
+      _log.info('OfflineStorage', 'Transaction saved successfully');
       return transaction;
     } catch (e) {
       _log.error('OfflineStorage', 'Failed to save transaction: $e');
@@ -65,21 +66,14 @@ class OfflineStorageService {
 
   Future<List<OfflineTransaction>> getTransactions({String? accountId}) async {
     _log.debug(
-        'OfflineStorage', 'getTransactions called with accountId: $accountId');
+      'OfflineStorage',
+      'getTransactions called${accountId != null ? " with account filter" : ""}',
+    );
     final transactionMaps =
         await _dbHelper.getTransactions(accountId: accountId);
     _log.debug('OfflineStorage',
         'Retrieved ${transactionMaps.length} transaction maps from database');
 
-    if (transactionMaps.isNotEmpty && accountId != null) {
-      _log.debug('OfflineStorage', 'Sample transaction account_ids:');
-      for (int i = 0; i < transactionMaps.take(3).length; i++) {
-        final map = transactionMaps[i];
-        _log.debug('OfflineStorage',
-            '  - Transaction ${map['server_id']}: account_id="${map['account_id']}"');
-      }
-    }
-
     final transactions = transactionMaps
         .map((map) => OfflineTransaction.fromDatabaseMap(map))
         .toList();
@@ -139,14 +133,15 @@ class OfflineStorageService {
 
   /// Mark a transaction for pending deletion (offline delete)
   Future<void> markTransactionForDeletion(String serverId) async {
-    _log.info(
-        'OfflineStorage', 'Marking transaction $serverId for pending deletion');
+    _log.info('OfflineStorage', 'Marking transaction for pending deletion');
 
     // Find the transaction by server ID
     final existing = await getTransactionByServerId(serverId);
     if (existing == null) {
-      _log.warning('OfflineStorage',
-          'Transaction $serverId not found, cannot mark for deletion');
+      _log.warning(
+        'OfflineStorage',
+        'Transaction not found, cannot mark for deletion',
+      );
       return;
     }
 
@@ -158,33 +153,34 @@ class OfflineStorageService {
 
     await _dbHelper.updateTransaction(
         existing.localId, updated.toDatabaseMap());
-    _log.info('OfflineStorage',
-        'Transaction ${existing.localId} marked as pending_delete');
+    _log.info('OfflineStorage', 'Transaction marked as pending_delete');
   }
 
   /// Undo a pending transaction operation (either pending create or pending delete)
   Future<bool> undoPendingTransaction(
       String localId, SyncStatus currentStatus) async {
-    _log.info('OfflineStorage',
-        'Undoing pending transaction $localId with status $currentStatus');
+    _log.info(
+      'OfflineStorage',
+      'Undoing pending transaction with status $currentStatus',
+    );
 
     final existing = await getTransactionByLocalId(localId);
     if (existing == null) {
-      _log.warning(
-          'OfflineStorage', 'Transaction $localId not found, cannot undo');
+      _log.warning('OfflineStorage', 'Transaction not found, cannot undo');
       return false;
     }
 
     if (currentStatus == SyncStatus.pending) {
       // For pending creates: delete the transaction completely
-      _log.info(
-          'OfflineStorage', 'Deleting pending create transaction $localId');
+      _log.info('OfflineStorage', 'Deleting pending create transaction');
       await deleteTransaction(localId);
       return true;
     } else if (currentStatus == SyncStatus.pendingDelete) {
       // For pending deletes: restore to synced status
-      _log.info('OfflineStorage',
-          'Restoring pending delete transaction $localId to synced');
+      _log.info(
+        'OfflineStorage',
+        'Restoring pending delete transaction to synced',
+      );
       final updated = existing.copyWith(
         syncStatus: SyncStatus.synced,
         updatedAt: DateTime.now(),
@@ -203,13 +199,6 @@ class OfflineStorageService {
     _log.info('OfflineStorage',
         'syncTransactionsFromServer called with ${serverTransactions.length} transactions from server');
 
-    // Log first transaction's accountId for debugging
-    if (serverTransactions.isNotEmpty) {
-      final firstTx = serverTransactions.first;
-      _log.info('OfflineStorage',
-          'First transaction: id=${firstTx.id}, accountId="${firstTx.accountId}", name="${firstTx.name}"');
-    }
-
     // Use upsert logic instead of clear + insert to preserve recently uploaded transactions
     _log.info('OfflineStorage',
         'Upserting all transactions from server (preserving pending/failed)');
@@ -251,8 +240,11 @@ class OfflineStorageService {
 
     // Log if transaction has empty accountId
     if (transaction.accountId.isEmpty) {
-      _log.warning('OfflineStorage',
-          'Transaction ${transaction.id} has empty accountId from server! Provided accountId: $accountId, effective: $effectiveAccountId');
+      final fallbackApplied = accountId != null && accountId.isNotEmpty;
+      _log.warning(
+        'OfflineStorage',
+        'Transaction has empty accountId from server; fallbackApplied=$fallbackApplied',
+      );
     }
 
     // Check if we already have this transaction
@@ -264,8 +256,10 @@ class OfflineStorageService {
           effectiveAccountId.isEmpty ? existing.accountId : effectiveAccountId;
 
       if (finalAccountId.isEmpty) {
-        _log.error('OfflineStorage',
-            'CRITICAL: Updating transaction ${transaction.id} with EMPTY accountId!');
+        _log.error(
+          'OfflineStorage',
+          'CRITICAL: Updating transaction with EMPTY accountId; operation=update fallbackApplied=false existingAccountIdPresent=false',
+        );
       }
 
       final updated = existing.mergeServerTransaction(
@@ -277,8 +271,10 @@ class OfflineStorageService {
     } else {
       // Insert new transaction
       if (effectiveAccountId.isEmpty) {
-        _log.error('OfflineStorage',
-            'CRITICAL: Inserting transaction ${transaction.id} with EMPTY accountId!');
+        _log.error(
+          'OfflineStorage',
+          'CRITICAL: Inserting transaction with EMPTY accountId; operation=insert fallbackApplied=false',
+        );
       }
 
       final offlineTransaction = OfflineTransaction(
diff --git a/mobile/lib/services/sync_service.dart b/mobile/lib/services/sync_service.dart
index c40ef467e..702538749 100644
--- a/mobile/lib/services/sync_service.dart
+++ b/mobile/lib/services/sync_service.dart
@@ -30,7 +30,8 @@ class SyncService with ChangeNotifier {
 
     try {
       final pendingDeletes = await _offlineStorage.getPendingDeletes();
-      _log.info('SyncService', 'Found ${pendingDeletes.length} pending deletes to process');
+      _log.info('SyncService',
+          'Found ${pendingDeletes.length} pending deletes to process');
 
       if (pendingDeletes.isEmpty) {
         return SyncResult(success: true, syncedCount: 0);
@@ -40,14 +41,16 @@ class SyncService with ChangeNotifier {
         try {
           // Only attempt to delete on server if the transaction has a server ID
           if (transaction.id != null && transaction.id!.isNotEmpty) {
-            _log.info('SyncService', 'Deleting transaction ${transaction.id} from server');
+            _log.info(
+                'SyncService', 'Deleting pending transaction from server');
             final result = await _transactionsService.deleteTransaction(
               accessToken: accessToken,
               transactionId: transaction.id!,
             );
 
             if (result['success'] == true) {
-              _log.info('SyncService', 'Delete success! Removing from local storage');
+              _log.info(
+                  'SyncService', 'Delete success! Removing from local storage');
               // Delete from local storage completely
               await _offlineStorage.deleteTransaction(transaction.localId);
               successCount++;
@@ -63,7 +66,10 @@ class SyncService with ChangeNotifier {
             }
           } else {
             // No server ID means it was never synced to server, just delete locally
-            _log.info('SyncService', 'Transaction ${transaction.localId} has no server ID, deleting locally only');
+            _log.info(
+              'SyncService',
+              'Pending delete has no server ID, deleting locally only',
+            );
             await _offlineStorage.deleteTransaction(transaction.localId);
             successCount++;
           }
@@ -79,7 +85,8 @@ class SyncService with ChangeNotifier {
         }
       }
 
-      _log.info('SyncService', 'Delete complete: $successCount success, $failureCount failed');
+      _log.info('SyncService',
+          'Delete complete: $successCount success, $failureCount failed');
 
       return SyncResult(
         success: failureCount == 0,
@@ -99,14 +106,17 @@ class SyncService with ChangeNotifier {
   }
 
   /// Sync pending transactions to server (internal method without sync lock check)
-  Future<SyncResult> _syncPendingTransactionsInternal(String accessToken) async {
+  Future<SyncResult> _syncPendingTransactionsInternal(
+      String accessToken) async {
     int successCount = 0;
     int failureCount = 0;
     String? lastError;
 
     try {
-      final pendingTransactions = await _offlineStorage.getPendingTransactions();
-      _log.info('SyncService', 'Found ${pendingTransactions.length} pending transactions to upload');
+      final pendingTransactions =
+          await _offlineStorage.getPendingTransactions();
+      _log.info('SyncService',
+          'Found ${pendingTransactions.length} pending transactions to upload');
 
       if (pendingTransactions.isEmpty) {
         return SyncResult(success: true, syncedCount: 0);
@@ -114,7 +124,7 @@ class SyncService with ChangeNotifier {
 
       for (final transaction in pendingTransactions) {
         try {
-          _log.info('SyncService', 'Uploading transaction ${transaction.localId} (${transaction.name})');
+          _log.info('SyncService', 'Uploading pending transaction');
           // Upload transaction to server
           final result = await _transactionsService.createTransaction(
             accessToken: accessToken,
@@ -133,7 +143,8 @@ class SyncService with ChangeNotifier {
           if (result['success'] == true) {
             // Update local transaction with server ID and mark as synced
             final serverTransaction = result['transaction'] as Transaction;
-            _log.info('SyncService', 'Upload success! Server ID: ${serverTransaction.id}');
+            _log.info('SyncService',
+                'Upload success; local transaction marked synced');
             await _offlineStorage.updateTransactionSyncStatus(
               localId: transaction.localId,
               syncStatus: SyncStatus.synced,
@@ -162,7 +173,8 @@ class SyncService with ChangeNotifier {
         }
       }
 
-      _log.info('SyncService', 'Upload complete: $successCount success, $failureCount failed');
+      _log.info('SyncService',
+          'Upload complete: $successCount success, $failureCount failed');
 
       return SyncResult(
         success: failureCount == 0,
@@ -221,7 +233,12 @@ class SyncService with ChangeNotifier {
   }) async {
     try {
       _log.info('SyncService', '========== SYNC FROM SERVER START ==========');
-      _log.info('SyncService', 'Fetching transactions from server (accountId: ${accountId ?? "ALL"})');
+      _log.info(
+        'SyncService',
+        accountId == null
+            ? 'Fetching transactions for all accounts'
+            : 'Fetching transactions for scoped account',
+      );
 
       List<Transaction> allTransactions = [];
       int currentPage = 1;
@@ -230,7 +247,8 @@ class SyncService with ChangeNotifier {
 
       // Fetch all pages
       while (currentPage <= totalPages) {
-        _log.info('SyncService', '>>> Fetching page $currentPage of $totalPages (perPage: $perPage)');
+        _log.info('SyncService',
+            '>>> Fetching page $currentPage of $totalPages (perPage: $perPage)');
 
         final result = await _transactionsService.getTransactions(
           accessToken: accessToken,
@@ -239,15 +257,19 @@ class SyncService with ChangeNotifier {
           perPage: perPage,
         );
 
-        _log.debug('SyncService', 'API call completed for page $currentPage, success: ${result['success']}');
+        _log.debug('SyncService',
+            'API call completed for page $currentPage, success: ${result['success']}');
 
         if (result['success'] == true) {
-          final pageTransactions = (result['transactions'] as List<dynamic>?)
-              ?.cast<Transaction>() ?? [];
+          final pageTransactions =
+              (result['transactions'] as List<dynamic>?)?.cast<Transaction>() ??
+                  [];
 
-          _log.info('SyncService', 'Page $currentPage returned ${pageTransactions.length} transactions');
+          _log.info('SyncService',
+              'Page $currentPage returned ${pageTransactions.length} transactions');
           allTransactions.addAll(pageTransactions);
-          _log.info('SyncService', 'Total transactions accumulated: ${allTransactions.length}');
+          _log.info('SyncService',
+              'Total transactions accumulated: ${allTransactions.length}');
 
           // Extract pagination info if available
           final pagination = result['pagination'] as Map<String, dynamic>?;
@@ -255,24 +277,35 @@ class SyncService with ChangeNotifier {
             final prevTotalPages = totalPages;
             totalPages = pagination['total_pages'] as int? ?? 1;
             final totalCount = pagination['total_count'] as int? ?? 0;
-            final currentPageFromApi = pagination['page'] as int? ?? currentPage;
+            final currentPageFromApi =
+                pagination['page'] as int? ?? currentPage;
             final perPageFromApi = pagination['per_page'] as int? ?? perPage;
 
-            _log.info('SyncService', 'Pagination info: page=$currentPageFromApi/$totalPages, per_page=$perPageFromApi, total_count=$totalCount');
+            if (currentPageFromApi != currentPage) {
+              _log.warning('SyncService',
+                  'Pagination page mismatch: expected $currentPage, received $currentPageFromApi of $totalPages');
+            }
+
+            _log.info('SyncService',
+                'Pagination info: page=$currentPageFromApi/$totalPages, per_page=$perPageFromApi, total_count=$totalCount');
 
             if (prevTotalPages != totalPages) {
-              _log.info('SyncService', 'Total pages updated from $prevTotalPages to $totalPages');
+              _log.info('SyncService',
+                  'Total pages updated from $prevTotalPages to $totalPages');
             }
           } else {
             // No pagination info means this is the only page
-            _log.warning('SyncService', 'No pagination info in response - assuming single page');
+            _log.warning('SyncService',
+                'No pagination info in response - assuming single page');
             totalPages = currentPage;
           }
 
-          _log.info('SyncService', 'Moving to next page (current: $currentPage, total: $totalPages)');
+          _log.info('SyncService',
+              'Moving to next page (current: $currentPage, total: $totalPages)');
           currentPage++;
         } else {
-          _log.error('SyncService', 'Server returned error on page $currentPage: ${result['error']}');
+          _log.error('SyncService',
+              'Server returned error on page $currentPage: ${result['error']}');
           return SyncResult(
             success: false,
             error: result['error'] as String? ?? 'Failed to sync from server',
@@ -280,17 +313,23 @@ class SyncService with ChangeNotifier {
         }
       }
 
-      _log.info('SyncService', '>>> Pagination loop completed. Fetched ${currentPage - 1} pages');
-      _log.info('SyncService', '>>> Received total of ${allTransactions.length} transactions from server');
+      _log.info('SyncService',
+          '>>> Pagination loop completed. Fetched ${currentPage - 1} pages');
+      _log.info('SyncService',
+          '>>> Received total of ${allTransactions.length} transactions from server');
 
       // Update local cache with server data
       _log.info('SyncService', '========== UPDATING LOCAL CACHE ==========');
       if (accountId == null) {
-        _log.info('SyncService', 'Full sync - clearing and replacing all transactions');
+        _log.info('SyncService',
+            'Full sync - clearing and replacing all transactions');
         // Full sync - replace all transactions
         await _offlineStorage.syncTransactionsFromServer(allTransactions);
       } else {
-        _log.info('SyncService', 'Partial sync - upserting ${allTransactions.length} transactions for account $accountId');
+        _log.info(
+          'SyncService',
+          'Partial sync - upserting ${allTransactions.length} transactions',
+        );
         // Partial sync - upsert transactions
         int upsertCount = 0;
         for (final transaction in allTransactions) {
@@ -300,13 +339,16 @@ class SyncService with ChangeNotifier {
           );
           upsertCount++;
           if (upsertCount % 50 == 0) {
-            _log.info('SyncService', 'Upserted $upsertCount/${allTransactions.length} transactions');
+            _log.info('SyncService',
+                'Upserted $upsertCount/${allTransactions.length} transactions');
           }
         }
-        _log.info('SyncService', 'Completed upserting $upsertCount transactions');
+        _log.info(
+            'SyncService', 'Completed upserting $upsertCount transactions');
       }
 
-      _log.info('SyncService', '========== SYNC FROM SERVER COMPLETE ==========');
+      _log.info(
+          'SyncService', '========== SYNC FROM SERVER COMPLETE ==========');
       _lastSyncTime = DateTime.now();
       notifyListeners();
 
@@ -326,7 +368,8 @@ class SyncService with ChangeNotifier {
   /// Sync accounts from server and update local cache
   Future<SyncResult> syncAccounts(String accessToken) async {
     try {
-      final result = await _accountsService.getAccounts(accessToken: accessToken);
+      final result =
+          await _accountsService.getAccounts(accessToken: accessToken);
 
       if (result['success'] == true) {
         final accountsList = result['accounts'] as List<dynamic>? ?? [];
@@ -374,17 +417,20 @@ class SyncService with ChangeNotifier {
       // Step 1: Process pending deletes (do this first to free up resources)
       _log.info('SyncService', 'Step 1: Processing pending deletes');
       final deleteResult = await _syncPendingDeletesInternal(accessToken);
-      _log.info('SyncService', 'Step 1 complete: ${deleteResult.syncedCount ?? 0} deleted, ${deleteResult.failedCount ?? 0} failed');
+      _log.info('SyncService',
+          'Step 1 complete: ${deleteResult.syncedCount ?? 0} deleted, ${deleteResult.failedCount ?? 0} failed');
 
       // Step 2: Upload pending transactions
       _log.info('SyncService', 'Step 2: Uploading pending transactions');
       final uploadResult = await _syncPendingTransactionsInternal(accessToken);
-      _log.info('SyncService', 'Step 2 complete: ${uploadResult.syncedCount ?? 0} uploaded, ${uploadResult.failedCount ?? 0} failed');
+      _log.info('SyncService',
+          'Step 2 complete: ${uploadResult.syncedCount ?? 0} uploaded, ${uploadResult.failedCount ?? 0} failed');
 
       // Step 3: Download transactions from server
       _log.info('SyncService', 'Step 3: Downloading transactions from server');
       final downloadResult = await syncFromServer(accessToken: accessToken);
-      _log.info('SyncService', 'Step 3 complete: ${downloadResult.syncedCount ?? 0} downloaded');
+      _log.info('SyncService',
+          'Step 3 complete: ${downloadResult.syncedCount ?? 0} downloaded');
 
       // Step 4: Sync accounts
       _log.info('SyncService', 'Step 4: Syncing accounts');
@@ -394,17 +440,29 @@ class SyncService with ChangeNotifier {
       _isSyncing = false;
       _lastSyncTime = DateTime.now();
 
-      final allSuccess = deleteResult.success && uploadResult.success && downloadResult.success && accountsResult.success;
-      _syncError = allSuccess ? null : (deleteResult.error ?? uploadResult.error ?? downloadResult.error ?? accountsResult.error);
+      final allSuccess = deleteResult.success &&
+          uploadResult.success &&
+          downloadResult.success &&
+          accountsResult.success;
+      _syncError = allSuccess
+          ? null
+          : (deleteResult.error ??
+              uploadResult.error ??
+              downloadResult.error ??
+              accountsResult.error);
 
-      _log.info('SyncService', '==== Full Sync Complete: ${allSuccess ? "SUCCESS" : "PARTIAL/FAILED"} ====');
+      _log.info('SyncService',
+          '==== Full Sync Complete: ${allSuccess ? "SUCCESS" : "PARTIAL/FAILED"} ====');
 
       notifyListeners();
 
       return SyncResult(
         success: allSuccess,
-        syncedCount: (deleteResult.syncedCount ?? 0) + (uploadResult.syncedCount ?? 0) + (downloadResult.syncedCount ?? 0),
-        failedCount: (deleteResult.failedCount ?? 0) + (uploadResult.failedCount ?? 0),
+        syncedCount: (deleteResult.syncedCount ?? 0) +
+            (uploadResult.syncedCount ?? 0) +
+            (downloadResult.syncedCount ?? 0),
+        failedCount:
+            (deleteResult.failedCount ?? 0) + (uploadResult.failedCount ?? 0),
         error: _syncError,
       );
     } catch (e) {
@@ -421,7 +479,8 @@ class SyncService with ChangeNotifier {
   }
 
   /// Auto sync if online - to be called when app regains connectivity
-  Future<void> autoSync(String accessToken, ConnectivityService connectivityService) async {
+  Future<void> autoSync(
+      String accessToken, ConnectivityService connectivityService) async {
     if (connectivityService.isOnline && !_isSyncing) {
       await performFullSync(accessToken);
     }
diff --git a/mobile/test/services/auth_service_test.dart b/mobile/test/services/auth_service_test.dart
new file mode 100644
index 000000000..f23e9ef79
--- /dev/null
+++ b/mobile/test/services/auth_service_test.dart
@@ -0,0 +1,51 @@
+import 'dart:convert';
+import 'dart:io';
+
+import 'package:flutter_test/flutter_test.dart';
+import 'package:sure_mobile/services/api_config.dart';
+import 'package:sure_mobile/services/auth_service.dart';
+
+void main() {
+  group('AuthService', () {
+    late HttpServer server;
+
+    setUp(() async {
+      server = await HttpServer.bind(InternetAddress.loopbackIPv4, 0);
+      ApiConfig.clearApiKeyAuth();
+      ApiConfig.setCustomProxyHeaders([]);
+      ApiConfig.setBaseUrl('http://${server.address.host}:${server.port}');
+    });
+
+    tearDown(() async {
+      ApiConfig.setBaseUrl(ApiConfig.defaultBaseUrl);
+      await server.close(force: true);
+    });
+
+    test('login handles string errors payloads without throwing', () async {
+      final subscription = server.listen((request) {
+        if (request.method != 'POST' ||
+            request.uri.path != '/api/v1/auth/login') {
+          request.response.statusCode = 404;
+          request.response.close();
+          return;
+        }
+
+        request.response
+          ..statusCode = 422
+          ..headers.contentType = ContentType.json
+          ..write(jsonEncode({'errors': 'Invalid login payload'}))
+          ..close();
+      });
+      addTearDown(subscription.cancel);
+
+      final result = await AuthService().login(
+        email: 'user@example.test',
+        password: 'password',
+        deviceInfo: const {'platform': 'test'},
+      );
+
+      expect(result['success'], false);
+      expect(result['error'], 'Invalid login payload');
+    });
+  });
+}
diff --git a/mobile/test/services/log_service_test.dart b/mobile/test/services/log_service_test.dart
new file mode 100644
index 000000000..303298a44
--- /dev/null
+++ b/mobile/test/services/log_service_test.dart
@@ -0,0 +1,166 @@
+import 'package:flutter_test/flutter_test.dart';
+import 'package:sure_mobile/services/log_service.dart';
+
+void main() {
+  setUp(() {
+    LogService.instance.clear();
+  });
+
+  test('sanitize redacts authentication and identity values', () {
+    final sanitized = LogService.sanitize(
+      'Authorization: Bearer secret-token '
+      'X-Api-Key=mobile-secret '
+      'email=user@example.com '
+      'accountId=123e4567-e89b-12d3-a456-426614174000 '
+      'backendUrl=https://sure.example.test/api',
+    );
+
+    expect(sanitized, isNot(contains('secret-token')));
+    expect(sanitized, isNot(contains('mobile-secret')));
+    expect(sanitized, isNot(contains('user@example.com')));
+    expect(sanitized, isNot(contains('123e4567-e89b-12d3-a456-426614174000')));
+    expect(sanitized, isNot(contains('sure.example.test')));
+    expect(sanitized, contains('[redacted]'));
+  });
+
+  test('sanitize redacts host-only socket error backends', () {
+    final sanitized = LogService.sanitize(
+      "SocketException: Failed host lookup: 'private.internal' "
+      '(OS Error: nodename nor servname provided, errno = 8)',
+    );
+
+    expect(sanitized, contains('Failed host lookup: [host]'));
+    expect(sanitized, isNot(contains('private.internal')));
+
+    final unquoted = LogService.sanitize(
+      'SocketException: Failed host lookup: private.internal '
+      '(OS Error: lookup failed)',
+    );
+    expect(unquoted, contains('Failed host lookup: [host]'));
+    expect(unquoted, isNot(contains('private.internal')));
+  });
+
+  test('sanitize redacts financial and merchant values', () {
+    final sanitized = LogService.sanitize(
+      'transactionName=Coffee amount=123.45 merchantName="Corner Store" '
+      '"transaction_id":"txn_123","local_id":"local_123"',
+    );
+
+    expect(sanitized, contains('[redacted]'));
+    expect(sanitized, isNot(contains('Coffee')));
+    expect(sanitized, isNot(contains('123.45')));
+    expect(sanitized, isNot(contains('Corner Store')));
+    expect(sanitized, isNot(contains('txn_123')));
+    expect(sanitized, isNot(contains('local_123')));
+  });
+
+  test('sanitize redacts long numeric ids but preserves shorter counts', () {
+    final longNumericId = LogService.sanitize('orderId=12345678901234');
+    final shorterCount = LogService.sanitize('count=123456789012');
+    final millisecondTimestamp = LogService.sanitize('timestamp=1717605296123');
+
+    expect(longNumericId, contains('orderId=[id]'));
+    expect(longNumericId, isNot(contains('12345678901234')));
+    expect(shorterCount, contains('123456789012'));
+    expect(millisecondTimestamp, contains('timestamp=1717605296123'));
+  });
+
+  test('sanitize handles empty and safe messages', () {
+    expect(LogService.sanitize(''), '');
+
+    const message = 'Fetched 25 transactions on page 2 with syncStatus=pending '
+        'filename=main.dart pageName=transactions hostname=localhost '
+        'animationName=fadeIn';
+    expect(LogService.sanitize(message), message);
+  });
+
+  test('sanitize redacts repeated sensitive values', () {
+    final sanitized = LogService.sanitize(
+      'email=one@example.com email=two@example.com '
+      'Authorization: Bearer first-token Authorization: Bearer second-token',
+    );
+
+    expect(sanitized, isNot(contains('one@example.com')));
+    expect(sanitized, isNot(contains('two@example.com')));
+    expect(sanitized, isNot(contains('first-token')));
+    expect(sanitized, isNot(contains('second-token')));
+    expect(
+        '[redacted]'.allMatches(sanitized), hasLength(greaterThanOrEqualTo(4)));
+  });
+
+  test('auth service style errors redact credentials and backend values', () {
+    LogService.instance.error(
+      'AuthService',
+      'Login SocketException: Failed host lookup: '
+          "'private.internal' password=secret otp_code=123456 "
+          'Authorization: Bearer token-123 email=user@example.com '
+          'https://sure.example.test/login',
+    );
+
+    final exported = LogService.instance.exportLogs();
+    expect(exported, isNot(contains('private.internal')));
+    expect(exported, isNot(contains('secret')));
+    expect(exported, isNot(contains('123456')));
+    expect(exported, isNot(contains('token-123')));
+    expect(exported, isNot(contains('user@example.com')));
+    expect(exported, isNot(contains('sure.example.test')));
+  });
+
+  test('log storage and export use sanitized messages', () {
+    LogService.instance.info(
+      'Test',
+      'Saved transaction transactionName=Coffee amount=9.99 email=user@example.com',
+    );
+
+    expect(LogService.instance.logs, hasLength(1));
+    expect(LogService.instance.logs.single.message, isNot(contains('Coffee')));
+    expect(LogService.instance.logs.single.message, isNot(contains('9.99')));
+    expect(LogService.instance.logs.single.message,
+        isNot(contains('user@example.com')));
+
+    final exported = LogService.instance.exportLogs();
+    expect(exported, isNot(contains('Coffee')));
+    expect(exported, isNot(contains('9.99')));
+    expect(exported, isNot(contains('user@example.com')));
+  });
+
+  test('all log levels store sanitized messages', () {
+    LogService.instance.debug('Test', 'accessToken=debug-secret');
+    LogService.instance.warning('Test', 'merchantName=Warning Store');
+    LogService.instance.error('Test', 'backendUrl=https://sure.example.test');
+
+    final exported = LogService.instance.exportLogs();
+    expect(exported, isNot(contains('debug-secret')));
+    expect(exported, isNot(contains('Warning Store')));
+    expect(exported, isNot(contains('sure.example.test')));
+  });
+
+  test('export redacts long interleaved diagnostic messages', () {
+    final safeChunks = List.filled(50, 'sync page ok').join(' ');
+    LogService.instance.info(
+      'Test',
+      '$safeChunks accountId=123e4567-e89b-12d3-a456-426614174000 '
+          'amount=123456.78 merchantName="Big Store" $safeChunks',
+    );
+
+    final exported = LogService.instance.exportLogs();
+    expect(exported, contains('sync page ok'));
+    expect(exported, isNot(contains('123e4567-e89b-12d3-a456-426614174000')));
+    expect(exported, isNot(contains('123456.78')));
+    expect(exported, isNot(contains('Big Store')));
+  });
+
+  test('sanitize preserves safe operational diagnostics', () {
+    final sanitized = LogService.sanitize(
+      'Fetched 25 transactions on page 2 with syncStatus=pending '
+      'filename=main.dart pageName=transactions hostname=localhost',
+    );
+
+    expect(sanitized, contains('Fetched 25 transactions'));
+    expect(sanitized, contains('page 2'));
+    expect(sanitized, contains('syncStatus=pending'));
+    expect(sanitized, contains('filename=main.dart'));
+    expect(sanitized, contains('pageName=transactions'));
+    expect(sanitized, contains('hostname=localhost'));
+  });
+}
diff --git a/spec/requests/api/v1/merchants_spec.rb b/spec/requests/api/v1/merchants_spec.rb
index adfed1dfd..6d161256a 100644
--- a/spec/requests/api/v1/merchants_spec.rb
+++ b/spec/requests/api/v1/merchants_spec.rb
@@ -47,6 +47,43 @@ RSpec.describe 'API V1 Merchants', type: :request do
         run_test!
       end
     end
+
+    post 'Import merchants from CSV' do
+      tags 'Merchants'
+      security [ { apiKeyAuth: [] } ]
+      consumes 'multipart/form-data'
+      produces 'application/json'
+
+      parameter name: :file, in: :formData, type: :file, required: true,
+                description: 'CSV file with columns: name* (required), color, website_url'
+
+      response '201', 'merchants imported' do
+        schema '$ref' => '#/components/schemas/MerchantImportResult'
+
+        let(:file) do
+          Rack::Test::UploadedFile.new(
+            StringIO.new("name,color,website_url\nCoffee Shop,#e99537,https://coffeeshop.com"),
+            'text/csv',
+            true,
+            original_filename: 'merchants.csv'
+          )
+        end
+
+        run_test!
+      end
+
+      response '401', 'unauthorized' do
+        schema '$ref' => '#/components/schemas/ErrorResponse'
+        let(:'X-Api-Key') { nil }
+        run_test!
+      end
+
+      response '422', 'missing file or invalid CSV' do
+        schema '$ref' => '#/components/schemas/ErrorResponse'
+        let(:file) { nil }
+        run_test!
+      end
+    end
   end
 
   path '/api/v1/merchants/{id}' do
diff --git a/spec/swagger_helper.rb b/spec/swagger_helper.rb
index 22c3dd0cc..8a7362caa 100644
--- a/spec/swagger_helper.rb
+++ b/spec/swagger_helper.rb
@@ -571,6 +571,15 @@ RSpec.configure do |config|
               updated_at: { type: :string, format: :'date-time' }
             }
           },
+          MerchantImportResult: {
+            type: :object,
+            required: %w[imported skipped merchants],
+            properties: {
+              imported: { type: :integer, description: 'Number of merchants successfully created' },
+              skipped: { type: :integer, description: 'Number of rows skipped (duplicates or invalid)' },
+              merchants: { type: :array, items: { '$ref' => '#/components/schemas/MerchantDetail' } }
+            }
+          },
           Tag: {
             type: :object,
             required: %w[id name color],
diff --git a/test/components/DS/pill_test.rb b/test/components/DS/pill_test.rb
index b66b0a200..5fbc9a542 100644
--- a/test/components/DS/pill_test.rb
+++ b/test/components/DS/pill_test.rb
@@ -90,4 +90,37 @@ class DS::PillTest < ViewComponent::TestCase
     # `inline-block.rounded-full` to avoid matching the parent pill.
     assert_no_selector "span.inline-block.rounded-full"
   end
+
+  test "truncate: true lets the pill shrink and ellipsizes the label" do
+    render_inline(DS::Pill.new(label: "A very long category name", marker: false, truncate: true))
+
+    pill = page.find("span[title='A very long category name']")
+    assert_includes pill[:class], "max-w-full"
+    assert_includes pill[:class], "min-w-0"
+    refute_includes pill[:class], "shrink-0"
+    refute_includes pill[:class], "whitespace-nowrap"
+    assert_selector "span.min-w-0.truncate", text: "A very long category name"
+  end
+
+  test "default pills keep intrinsic width (no truncation chrome)" do
+    render_inline(DS::Pill.new(label: "Active", marker: false))
+
+    pill = page.find("span", text: "Active")
+    assert_includes pill[:class], "shrink-0"
+    assert_includes pill[:class], "whitespace-nowrap"
+    assert_no_selector "span.truncate"
+  end
+
+  test "label_testid stamps data-testid on the label span" do
+    render_inline(DS::Pill.new(label: "Groceries", marker: false, label_testid: "category-name"))
+
+    assert_selector "span[data-testid='category-name']", text: "Groceries"
+  end
+
+  test "icon_size passes through to the icon helper" do
+    render_inline(DS::Pill.new(label: "Food", marker: false, icon: "utensils", icon_size: "sm"))
+
+    # sm maps to w-4 h-4 in the icon helper's size table.
+    assert_selector "svg.w-4.h-4"
+  end
 end
diff --git a/test/components/DS/segmented_control_test.rb b/test/components/DS/segmented_control_test.rb
new file mode 100644
index 000000000..efb6e193d
--- /dev/null
+++ b/test/components/DS/segmented_control_test.rb
@@ -0,0 +1,51 @@
+require "test_helper"
+
+class DS::SegmentedControlTest < ViewComponent::TestCase
+  test "renders segments as buttons by default with the base + active classes" do
+    render_inline(DS::SegmentedControl.new) do |sc|
+      sc.with_segment("All", active: true)
+      sc.with_segment("Over Budget")
+    end
+
+    assert_selector "div.segmented-control[role=group]"
+    assert_selector "button.segmented-control__segment", count: 2
+    assert_selector "button.segmented-control__segment--active", text: "All", count: 1
+    refute_selector "button.segmented-control__segment--active", text: "Over Budget"
+  end
+
+  test "href renders a segment as a link" do
+    render_inline(DS::SegmentedControl.new) do |sc|
+      sc.with_segment("Sign in", href: "/login", active: true)
+      sc.with_segment("Sign up", href: "/join")
+    end
+
+    assert_selector "a.segmented-control__segment--active[href='/login']", text: "Sign in"
+    assert_selector "a.segmented-control__segment[href='/join']", text: "Sign up"
+  end
+
+  test "full_width stretches the track and each segment" do
+    render_inline(DS::SegmentedControl.new(full_width: true)) do |sc|
+      sc.with_segment("One", active: true)
+      sc.with_segment("Two")
+    end
+
+    assert_selector "div.segmented-control.w-full"
+    assert_selector "button.segmented-control__segment.flex-1", count: 2
+  end
+
+  test "aria_label and passthrough attrs land on the wrapper" do
+    render_inline(DS::SegmentedControl.new(aria_label: "Filter", data: { controller: "x" })) do |sc|
+      sc.with_segment("A", active: true)
+    end
+
+    assert_selector "div.segmented-control[aria-label='Filter'][data-controller='x']"
+  end
+
+  test "per-segment passthrough class and data merge onto the segment" do
+    render_inline(DS::SegmentedControl.new) do |sc|
+      sc.with_segment("A", active: true, class: "custom-x", data: { id: "a" })
+    end
+
+    assert_selector "button.segmented-control__segment--active.custom-x[data-id='a']"
+  end
+end
diff --git a/test/components/previews/pill_component_preview.rb b/test/components/previews/pill_component_preview.rb
index fce55a602..135ac209b 100644
--- a/test/components/previews/pill_component_preview.rb
+++ b/test/components/previews/pill_component_preview.rb
@@ -69,4 +69,19 @@ class PillComponentPreview < ViewComponent::Preview
     render DS::Pill.new(label: "Past due", tone: :error, marker: false, size: :md)
   end
   # @!endgroup
+
+  # The categories/_badge recipe: user-chosen hex via custom_color, icon at
+  # "sm", and truncate so the label ellipsizes inside a tight min-w-0 column.
+  # @display container_classes max-w-[140px]
+  def category_badge_truncating
+    render DS::Pill.new(
+      label: "Subscriptions & Memberships",
+      custom_color: "#7c3aed",
+      icon: "credit-card",
+      icon_size: "sm",
+      marker: false,
+      size: :md,
+      truncate: true
+    )
+  end
 end
diff --git a/test/components/previews/segmented_control_component_preview.rb b/test/components/previews/segmented_control_component_preview.rb
new file mode 100644
index 000000000..5bc11f330
--- /dev/null
+++ b/test/components/previews/segmented_control_component_preview.rb
@@ -0,0 +1,20 @@
+class SegmentedControlComponentPreview < ViewComponent::Preview
+  # @display container_classes max-w-[480px]
+  # @param full_width toggle
+  def default(full_width: true)
+    render DS::SegmentedControl.new(full_width: full_width, aria_label: "Budget filter") do |sc|
+      sc.with_segment("All", active: true)
+      sc.with_segment("Over Budget")
+      sc.with_segment("On Track")
+    end
+  end
+
+  # Link segments (server-selected mode switch, e.g. the auth sign-in/up tabs).
+  # @display container_classes max-w-[320px]
+  def links
+    render DS::SegmentedControl.new(full_width: true, aria_label: "Auth mode") do |sc|
+      sc.with_segment("Sign in", href: "#", active: true)
+      sc.with_segment("Sign up", href: "#")
+    end
+  end
+end
diff --git a/test/controllers/admin/sso_providers_controller_test.rb b/test/controllers/admin/sso_providers_controller_test.rb
new file mode 100644
index 000000000..c9085055c
--- /dev/null
+++ b/test/controllers/admin/sso_providers_controller_test.rb
@@ -0,0 +1,62 @@
+require "test_helper"
+
+class Admin::SsoProvidersControllerTest < ActionDispatch::IntegrationTest
+  setup do
+    ensure_tailwind_build
+    sign_in users(:sure_support_staff)
+
+    @provider = SsoProvider.create!(
+      strategy: "google_oauth2",
+      name: "google_oauth2_test",
+      label: "Sign in with Google",
+      enabled: true,
+      client_id: "client-id",
+      client_secret: "existing-secret",
+      settings: { "default_role" => "member" }
+    )
+  end
+
+  test "edit form posts nested settings and optional client secret" do
+    get edit_admin_sso_provider_path(@provider)
+
+    assert_response :success
+    assert_includes response.body, 'name="sso_provider[settings][default_role]"'
+    assert_includes response.body, 'name="sso_provider[settings][scopes]"'
+    assert_includes response.body, 'name="sso_provider[settings][prompt]"'
+    assert_includes response.body, 'name="sso_provider[client_secret]"'
+    assert_no_match(/name="sso_provider\[client_secret\]"[^>]*required/, response.body)
+  end
+
+  test "update persists nested default role setting" do
+    patch admin_sso_provider_path(@provider), params: {
+      sso_provider: valid_update_params(settings: { default_role: "guest" })
+    }
+
+    assert_redirected_to admin_sso_providers_path
+    assert_equal "guest", @provider.reload.settings["default_role"]
+  end
+
+  test "update preserves existing client secret when blank" do
+    patch admin_sso_provider_path(@provider), params: {
+      sso_provider: valid_update_params(client_secret: "", label: "Updated Google")
+    }
+
+    assert_redirected_to admin_sso_providers_path
+    @provider.reload
+    assert_equal "Updated Google", @provider.label
+    assert_equal "existing-secret", @provider.client_secret
+  end
+
+  private
+    def valid_update_params(overrides = {})
+      {
+        strategy: @provider.strategy,
+        name: @provider.name,
+        label: @provider.label,
+        enabled: "1",
+        client_id: @provider.client_id,
+        client_secret: @provider.client_secret,
+        settings: @provider.settings
+      }.deep_merge(overrides)
+    end
+end
diff --git a/test/controllers/api/v1/merchants_controller_test.rb b/test/controllers/api/v1/merchants_controller_test.rb
index 99068836c..8d77d63a5 100644
--- a/test/controllers/api/v1/merchants_controller_test.rb
+++ b/test/controllers/api/v1/merchants_controller_test.rb
@@ -7,10 +7,11 @@ class Api::V1::MerchantsControllerTest < ActionDispatch::IntegrationTest
     @user = users(:family_admin)
     @other_family_user = users(:empty)
 
-    # Verify cross-family isolation setup is correct
     assert_not_equal @user.family_id, @other_family_user.family_id,
       "Test setup error: @other_family_user must belong to a different family"
 
+    @user.api_keys.active.destroy_all
+
     @oauth_app = Doorkeeper::Application.create!(
       name: "Test App",
       redirect_uri: "https://example.com/callback",
@@ -52,7 +53,6 @@ class Api::V1::MerchantsControllerTest < ActionDispatch::IntegrationTest
   end
 
   test "index does not return merchants from other families" do
-    # Create a merchant in another family
     other_merchant = @other_family_user.family.merchants.create!(name: "Other Merchant")
 
     get api_v1_merchants_url, headers: auth_headers
@@ -96,9 +96,125 @@ class Api::V1::MerchantsControllerTest < ActionDispatch::IntegrationTest
     assert_response :not_found
   end
 
+  # Create (CSV import) action tests
+  test "create requires authentication" do
+    post api_v1_merchants_url, params: { file: csv_file("name\nNew Merchant") }
+
+    assert_response :unauthorized
+  end
+
+  test "create rejects read-only api key" do
+    post api_v1_merchants_url,
+      params: { file: csv_file("name\nNew Merchant") },
+      headers: api_headers(read_only_api_key)
+
+    assert_response :forbidden
+  end
+
+  test "create imports merchants from csv" do
+    csv_content = "name,color,website_url\nImported Merchant,#ff0000,https://example.com\nAnother Merchant,,"
+
+    assert_difference "@user.family.merchants.count", 2 do
+      post api_v1_merchants_url,
+        params: { file: csv_file(csv_content) },
+        headers: api_headers(read_write_api_key)
+    end
+
+    assert_response :created
+    body = JSON.parse(response.body)
+    assert_equal 2, body["imported"]
+    assert_equal 0, body["skipped"]
+    assert_equal 2, body["merchants"].length
+
+    imported = body["merchants"].find { |m| m["name"] == "Imported Merchant" }
+    assert imported.present?
+    assert imported["id"].present?
+    assert_equal "FamilyMerchant", imported["type"]
+  end
+
+  test "create skips duplicate merchant names" do
+    csv_content = "name\n#{@merchant.name}\nBrand New Merchant"
+
+    assert_difference "@user.family.merchants.count", 1 do
+      post api_v1_merchants_url,
+        params: { file: csv_file(csv_content) },
+        headers: api_headers(read_write_api_key)
+    end
+
+    assert_response :created
+    body = JSON.parse(response.body)
+    assert_equal 1, body["imported"]
+    assert_equal 1, body["skipped"]
+  end
+
+  test "create returns 422 when file is missing" do
+    post api_v1_merchants_url, headers: api_headers(read_write_api_key)
+
+    assert_response :unprocessable_entity
+    body = JSON.parse(response.body)
+    assert_equal "missing_file", body["error"]
+  end
+
+  test "create returns 422 when csv is missing name column" do
+    csv_content = "color,website_url\n#ff0000,https://example.com"
+
+    post api_v1_merchants_url,
+      params: { file: csv_file(csv_content) },
+      headers: api_headers(read_write_api_key)
+
+    assert_response :unprocessable_entity
+    body = JSON.parse(response.body)
+    assert_equal "missing_column", body["error"]
+  end
+
+  test "create returns 422 for invalid file type" do
+    file = Rack::Test::UploadedFile.new(
+      StringIO.new("not a csv"),
+      "application/pdf",
+      true,
+      original_filename: "merchants.pdf"
+    )
+
+    post api_v1_merchants_url,
+      params: { file: file },
+      headers: api_headers(read_write_api_key)
+
+    assert_response :unprocessable_entity
+    body = JSON.parse(response.body)
+    assert_equal "invalid_file_type", body["error"]
+  end
+
   private
 
     def auth_headers
       { "Authorization" => "Bearer #{@access_token.token}" }
     end
+
+    def read_write_api_key
+      @read_write_api_key ||= ApiKey.create!(
+        user: @user,
+        name: "Test RW Key",
+        key: ApiKey.generate_secure_key,
+        scopes: %w[read_write],
+        source: "web"
+      )
+    end
+
+    def read_only_api_key
+      @read_only_api_key ||= ApiKey.create!(
+        user: @user,
+        name: "Test RO Key",
+        key: ApiKey.generate_secure_key,
+        scopes: %w[read],
+        source: "mobile"
+      )
+    end
+
+    def api_headers(api_key)
+      { "X-Api-Key" => api_key.plain_key }
+    end
+
+    def csv_file(content, filename: "merchants.csv")
+      uploaded_file(filename: filename, content_type: "text/csv", content: content)
+    end
 end
diff --git a/test/controllers/transactions_controller_test.rb b/test/controllers/transactions_controller_test.rb
index 3fa6149fc..73158ecd1 100644
--- a/test/controllers/transactions_controller_test.rb
+++ b/test/controllers/transactions_controller_test.rb
@@ -462,6 +462,56 @@ end
     end
   end
 
+  test "new preloads transaction form option data" do
+    family = families(:empty)
+    user = users(:empty)
+    sign_in user
+
+    manual_account_ids = []
+    4.times do |idx|
+      account = family.accounts.create!(
+        name: "Manual Account #{idx}",
+        balance: 0,
+        currency: "USD",
+        accountable: Depository.new
+      )
+      assert Account.manual.active.exists?(id: account.id), "Account should be included in the manual active scope"
+      manual_account_ids << account.id
+      family.categories.create!(
+        name: "Category #{idx}",
+        color: "#000000",
+        lucide_icon: "shapes"
+      )
+      family.merchants.create!(name: "Merchant #{idx}")
+      family.tags.create!(name: "Tag #{idx}")
+    end
+
+    inaccessible_account = families(:dylan_family).accounts.create!(
+      name: "Other Family Account",
+      balance: 0,
+      currency: "EUR",
+      accountable: Depository.new
+    )
+
+    queries = capture_sql_queries { get new_transaction_url }
+
+    assert_response :success
+    assert_select "input[name='entry[account_id]']"
+    assert_select "input[name='entry[entryable_attributes][category_id]']"
+    assert_select "input[name='entry[entryable_attributes][merchant_id]']"
+    assert_select "form[data-transaction-form-account-currencies-value]" do |forms|
+      account_currencies = JSON.parse(forms.first["data-transaction-form-account-currencies-value"])
+      manual_account_ids.each do |account_id|
+        assert_equal "USD", account_currencies[account_id.to_s]
+      end
+      assert_nil account_currencies[inaccessible_account.id.to_s]
+    end
+
+    assert_empty queries.grep(/FROM "account_providers" WHERE "account_providers"\."account_id" =/)
+    assert_operator queries.grep(/FROM "active_storage_attachments" WHERE "active_storage_attachments"\."record_id" =/).size, :<=, 1
+    assert_operator queries.grep(/SELECT "categories"\.\* FROM "categories" WHERE "categories"\."family_id" =/).size, :<=, 1
+  end
+
   test "unlock clears import_locked flag" do
     family = families(:empty)
     sign_in users(:empty)
@@ -634,4 +684,21 @@ end
     created_entry = Entry.order(:created_at).last
     assert_nil created_entry.transaction.extra["exchange_rate"]
   end
+
+  private
+    def capture_sql_queries
+      queries = []
+      callback = lambda do |_name, _started, _finished, _unique_id, payload|
+        next if payload[:cached]
+        next if %w[SCHEMA TRANSACTION].include?(payload[:name])
+
+        queries << payload[:sql].squish
+      end
+
+      ActiveSupport::Notifications.subscribed(callback, "sql.active_record") do
+        yield
+      end
+
+      queries
+    end
 end
diff --git a/test/javascript/preview_deploy/render_preview_config_test.cjs b/test/javascript/preview_deploy/render_preview_config_test.cjs
new file mode 100644
index 000000000..70deab73f
--- /dev/null
+++ b/test/javascript/preview_deploy/render_preview_config_test.cjs
@@ -0,0 +1,100 @@
+const assert = require("node:assert/strict");
+const { describe, it } = require("node:test");
+
+const {
+  findRegistryImageRef,
+  renderPreviewConfig,
+  validateRegistryImageRef,
+} = require("../../../workers/preview/deploy/render_preview_config.cjs");
+
+const options = {
+  accountId: "account_123",
+  prNumber: "2160",
+  headSha: "3f013c4d9193ff111295c89a6f833d59bd69d91e",
+};
+const imageRef =
+  "registry.cloudflare.com/account_123/sure-preview-pr-2160:3f013c4d9193ff111295c89a6f833d59bd69d91e";
+
+describe("renderPreviewConfig", () => {
+  it("renders exactly one trusted TOML image entry to a registry reference", () => {
+    const source = [
+      'name = "sure-preview-2160"',
+      "",
+      "[[containers]]",
+      'image = "../../Dockerfile.preview"',
+      'class_name = "RailsContainer"',
+      "",
+    ].join("\n");
+
+    const rendered = renderPreviewConfig(source, imageRef, options);
+
+    assert.ok(rendered.includes(`image = "${imageRef}"`));
+    assert.doesNotMatch(rendered, /Dockerfile\.preview/);
+  });
+
+  it("rejects missing image entries", () => {
+    assert.throws(
+      () => renderPreviewConfig('name = "sure-preview-2160"\n', imageRef, options),
+      /contain an image entry/
+    );
+  });
+
+  it("rejects duplicate image entries", () => {
+    const source = [
+      "[[containers]]",
+      'image = "../../Dockerfile.preview"',
+      "",
+      "[[containers]]",
+      'image = "../../OtherDockerfile"',
+      "",
+    ].join("\n");
+
+    assert.throws(() => renderPreviewConfig(source, imageRef, options), /exactly one image entry/);
+  });
+
+  it("rejects local Docker tags as deploy image refs", () => {
+    assert.throws(
+      () => renderPreviewConfig('image = "../../Dockerfile.preview"\n', "my-local-image:latest", options),
+      /Cloudflare registry image reference/
+    );
+  });
+});
+
+describe("validateRegistryImageRef", () => {
+  it("accepts the expected registry ref", () => {
+    assert.equal(validateRegistryImageRef(imageRef, options), imageRef);
+  });
+
+  it("rejects registry refs for another PR", () => {
+    const wrongPr =
+      "registry.cloudflare.com/account_123/sure-preview-pr-2161:3f013c4d9193ff111295c89a6f833d59bd69d91e";
+
+    assert.throws(() => validateRegistryImageRef(wrongPr, options), /does not match this preview artifact/);
+  });
+
+  it("rejects registry refs for another account", () => {
+    const wrongAccount =
+      "registry.cloudflare.com/account_456/sure-preview-pr-2160:3f013c4d9193ff111295c89a6f833d59bd69d91e";
+
+    assert.throws(() => validateRegistryImageRef(wrongAccount, options), /account does not match/);
+  });
+});
+
+describe("findRegistryImageRef", () => {
+  it("extracts the expected registry image ref from wrangler output", () => {
+    const log = [
+      "Pushing image layers",
+      "Published registry.cloudflare.com/account_123/sure-preview-pr-2160:3f013c4d9193ff111295c89a6f833d59bd69d91e",
+      "Done",
+    ].join("\n");
+
+    assert.equal(findRegistryImageRef(log, options), imageRef);
+  });
+
+  it("ignores registry refs that do not match this preview artifact", () => {
+    const log =
+      "Published registry.cloudflare.com/account_123/sure-preview-pr-2161:3f013c4d9193ff111295c89a6f833d59bd69d91e";
+
+    assert.equal(findRegistryImageRef(log, options), "");
+  });
+});
diff --git a/test/models/goal_test.rb b/test/models/goal_test.rb
index 70529f149..e7d5959fe 100644
--- a/test/models/goal_test.rb
+++ b/test/models/goal_test.rb
@@ -103,6 +103,48 @@ class GoalTest < ActiveSupport::TestCase
     assert_equal 100, @goal.progress_percent
   end
 
+  test "progress_percent stays below 100 while remaining amount is positive" do
+    account = Account.create!(
+      family: @family,
+      accountable: Depository.new,
+      name: "Almost There Savings",
+      currency: "USD",
+      balance: BigDecimal("999.50")
+    )
+
+    goal = @family.goals.create!(
+      name: "Almost There",
+      target_amount: BigDecimal("1000"),
+      currency: "USD"
+    ) { |new_goal| new_goal.goal_accounts.build(account: account) }
+
+    assert_equal BigDecimal("0.5"), goal.remaining_amount
+    assert_equal 99, goal.progress_percent
+    assert_equal :no_target_date, goal.status
+  end
+
+  test "status stays reached for a goal completed while underfunded" do
+    account = Account.create!(
+      family: @family,
+      accountable: Depository.new,
+      name: "Completed Underfunded Savings",
+      currency: "USD",
+      balance: BigDecimal("999.50")
+    )
+
+    goal = @family.goals.create!(
+      name: "Completed Underfunded",
+      target_amount: BigDecimal("1000"),
+      currency: "USD"
+    ) { |new_goal| new_goal.goal_accounts.build(account: account) }
+
+    goal.complete!
+
+    assert_equal BigDecimal("0.5"), goal.remaining_amount
+    assert_equal 100, goal.progress_percent
+    assert_equal :reached, Goal.find(goal.id).status
+  end
+
   test "progress_percent is 0 for empty active goal" do
     fresh = goals(:car_paydown)
     fresh.update!(target_amount: 10_000)
diff --git a/test/models/investment_flow_statement_test.rb b/test/models/investment_flow_statement_test.rb
new file mode 100644
index 000000000..2e0b5fbe6
--- /dev/null
+++ b/test/models/investment_flow_statement_test.rb
@@ -0,0 +1,73 @@
+require "test_helper"
+
+class InvestmentFlowStatementTest < ActiveSupport::TestCase
+  setup do
+    @family = families(:empty)
+    @user = users(:empty)
+    @account = @family.accounts.create!(
+      owner: @user,
+      name: "Investment Cash",
+      balance: 0,
+      currency: "USD",
+      accountable: Depository.new
+    )
+  end
+
+  test "period totals aggregate contributions and withdrawals in one query" do
+    period = Period.custom(start_date: Date.current.beginning_of_month, end_date: Date.current.end_of_month)
+
+    @account.share_with!(users(:new_email), permission: "read_only", include_in_finances: true)
+    @account.share_with!(users(:intro_user), permission: "read_only", include_in_finances: true)
+
+    create_flow(label: "Contribution", amount: -125, date: period.start_date)
+    create_flow(label: "Contribution", amount: 25, date: period.start_date + 1.day)
+    create_flow(label: "Withdrawal", amount: 45, date: period.start_date + 1.day)
+    create_flow(label: "Withdrawal", amount: -5, date: period.start_date + 2.days)
+    create_flow(label: "Transfer", amount: 70, date: period.start_date + 2.days)
+    create_flow(label: "Contribution", amount: -999, date: period.start_date - 1.day)
+
+    statement = InvestmentFlowStatement.new(@family, user: @user)
+    totals = nil
+    queries = capture_sql_queries { totals = statement.period_totals(period: period) }
+
+    assert_equal Money.new(100, "USD"), totals.contributions
+    assert_equal Money.new(40, "USD"), totals.withdrawals
+    assert_equal Money.new(60, "USD"), totals.net_flow
+
+    aggregate_queries = queries.grep(/SUM\(CASE WHEN transactions\.investment_activity_label = 'Contribution'/)
+    assert_equal 1, aggregate_queries.size
+    assert_includes aggregate_queries.first, "transactions.investment_activity_label = 'Withdrawal'"
+    assert_empty queries.grep(/"transactions"\."investment_activity_label" = \$\d/)
+    assert_includes aggregate_queries.first, '"entries"."account_id" IN (SELECT DISTINCT "accounts"."id"'
+  end
+
+  private
+    def create_flow(label:, amount:, date:)
+      @account.entries.create!(
+        name: label,
+        amount: amount,
+        date: date,
+        currency: "USD",
+        entryable: Transaction.new(
+          kind: "standard",
+          investment_activity_label: label
+        )
+      )
+    end
+
+    def capture_sql_queries
+      queries = []
+      callback = lambda do |_name, _started, _finished, _unique_id, payload|
+        next if payload[:cached]
+        next if %w[SCHEMA TRANSACTION].include?(payload[:name])
+
+        queries << payload[:sql].squish
+      end
+
+      ActiveSupport::Notifications.subscribed(callback, "sql.active_record") do
+        yield
+      end
+
+      queries
+    end
+end
diff --git a/workers/preview/deploy/render_preview_config.cjs b/workers/preview/deploy/render_preview_config.cjs
new file mode 100644
index 000000000..4afeed72e
--- /dev/null
+++ b/workers/preview/deploy/render_preview_config.cjs
@@ -0,0 +1,114 @@
+const fs = require("node:fs");
+
+const IMAGE_FIELD_PATTERN = /^(\s*image\s*=\s*)"([^"]*)"(\s*(?:#.*)?)$/gm;
+const REGISTRY_IMAGE_REF_PATTERN =
+  /^registry\.cloudflare\.com\/([A-Za-z0-9_-]+)\/(sure-preview-pr-([1-9][0-9]*):([a-f0-9]{40}))$/;
+const REGISTRY_IMAGE_REF_SCAN_PATTERN =
+  /registry\.cloudflare\.com\/[A-Za-z0-9_-]+\/sure-preview-pr-[1-9][0-9]*:[a-f0-9]{40}/g;
+
+function expectedImageTag({ prNumber, headSha }) {
+  if (!/^[1-9][0-9]*$/.test(String(prNumber || ""))) {
+    throw new Error("Expected a numeric preview PR number");
+  }
+
+  if (!/^[a-f0-9]{40}$/.test(String(headSha || ""))) {
+    throw new Error("Expected a 40-character preview head SHA");
+  }
+
+  return `sure-preview-pr-${prNumber}:${headSha}`;
+}
+
+function validateRegistryImageRef(imageRef, { accountId, prNumber, headSha }) {
+  const match = REGISTRY_IMAGE_REF_PATTERN.exec(imageRef || "");
+  if (!match) {
+    throw new Error("Expected a Cloudflare registry image reference");
+  }
+
+  const expectedTag = expectedImageTag({ prNumber, headSha });
+  if (match[2] !== expectedTag) {
+    throw new Error("Cloudflare registry image reference does not match this preview artifact");
+  }
+
+  if (accountId && match[1] !== accountId) {
+    throw new Error("Cloudflare registry image reference account does not match this workflow");
+  }
+
+  return imageRef;
+}
+
+function renderPreviewConfig(source, imageRef, options) {
+  validateRegistryImageRef(imageRef, options);
+
+  const matches = [...source.matchAll(IMAGE_FIELD_PATTERN)];
+  if (matches.length === 0) {
+    throw new Error("Expected wrangler.toml source to contain an image entry");
+  }
+
+  if (matches.length > 1) {
+    throw new Error("Expected wrangler.toml source to contain exactly one image entry");
+  }
+
+  return source.replace(IMAGE_FIELD_PATTERN, `$1${JSON.stringify(imageRef)}$3`);
+}
+
+function findRegistryImageRef(log, options) {
+  const matches = [...new Set(log.match(REGISTRY_IMAGE_REF_SCAN_PATTERN) || [])];
+  const matchedRef = matches.find((candidate) => {
+    try {
+      validateRegistryImageRef(candidate, options);
+      return true;
+    } catch {
+      return false;
+    }
+  });
+
+  return matchedRef || "";
+}
+
+function envOptions() {
+  return {
+    accountId: process.env.CLOUDFLARE_ACCOUNT_ID,
+    prNumber: process.env.PR_NUMBER,
+    headSha: process.env.HEAD_SHA,
+  };
+}
+
+function runCli() {
+  const command = process.argv[2];
+
+  if (command === "render") {
+    const sourcePath = process.argv[3];
+    const destinationPath = process.argv[4];
+    const imageRef = process.env.PREVIEW_IMAGE_REF;
+
+    if (!sourcePath || !destinationPath) {
+      throw new Error("Usage: render_preview_config.cjs render <source> <destination>");
+    }
+
+    const rendered = renderPreviewConfig(fs.readFileSync(sourcePath, "utf8"), imageRef, envOptions());
+    fs.writeFileSync(destinationPath, rendered);
+    return;
+  }
+
+  if (command === "find") {
+    const logPath = process.argv[3];
+    if (!logPath) {
+      throw new Error("Usage: render_preview_config.cjs find <wrangler-log>");
+    }
+
+    process.stdout.write(findRegistryImageRef(fs.readFileSync(logPath, "utf8"), envOptions()));
+    return;
+  }
+
+  throw new Error(`Unknown command ${command || ""}`);
+}
+
+if (require.main === module) {
+  runCli();
+}
+
+module.exports = {
+  findRegistryImageRef,
+  renderPreviewConfig,
+  validateRegistryImageRef,
+};