diff --git a/.github/workflows/typecheck.yaml b/.github/workflows/typecheck.yaml
index ba92b6bf6..ca7ceb2a9 100644
--- a/.github/workflows/typecheck.yaml
+++ b/.github/workflows/typecheck.yaml
@@ -9,9 +9,9 @@ jobs:
   typecheck:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6
       - name: Setup Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6
         with:
           node-version: 24
       - name: Install dependencies
diff --git a/.github/workflows/unit-tests.yaml b/.github/workflows/unit-tests.yaml
index 39c09388c..1c5b5cdd0 100644
--- a/.github/workflows/unit-tests.yaml
+++ b/.github/workflows/unit-tests.yaml
@@ -17,9 +17,9 @@ jobs:
           - saflib
           # END WORKFLOW AREA
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6
       - name: Setup Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6
         with:
           node-version: 24
           cache: "npm"
diff --git a/.github/workflows/workflow-checklist.yaml b/.github/workflows/workflow-checklist.yaml
index 74295f519..e2032f0dd 100644
--- a/.github/workflows/workflow-checklist.yaml
+++ b/.github/workflows/workflow-checklist.yaml
@@ -9,9 +9,9 @@ jobs:
   workflow-integration-test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6
       - name: Setup Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6
         with:
           node-version: 24
 
diff --git a/.github/workflows/workflow-git.yaml b/.github/workflows/workflow-git.yaml
index 758edfb6c..d8e0de529 100644
--- a/.github/workflows/workflow-git.yaml
+++ b/.github/workflows/workflow-git.yaml
@@ -9,9 +9,9 @@ jobs:
   workflow-git-test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6
       - name: Setup Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6
         with:
           node-version: 24
 
diff --git a/.github/workflows/workflow-print.yaml b/.github/workflows/workflow-print.yaml
index 367c8cbad..c2992b184 100644
--- a/.github/workflows/workflow-print.yaml
+++ b/.github/workflows/workflow-print.yaml
@@ -9,9 +9,9 @@ jobs:
   workflow-integration-test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6
       - name: Setup Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6
         with:
           node-version: 24
 
diff --git a/.github/workflows/workflow-run.yaml b/.github/workflows/workflow-run.yaml
index 54b1d2bfe..7e59f70d7 100644
--- a/.github/workflows/workflow-run.yaml
+++ b/.github/workflows/workflow-run.yaml
@@ -9,9 +9,9 @@ jobs:
   workflow-integration-test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6
       - name: Setup Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6
         with:
           node-version: 24
 
diff --git a/.github/workflows/workflow-script.yaml b/.github/workflows/workflow-script.yaml
index 9fa79427d..afaf4dbe0 100644
--- a/.github/workflows/workflow-script.yaml
+++ b/.github/workflows/workflow-script.yaml
@@ -9,9 +9,9 @@ jobs:
   workflow-integration-test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6
       - name: Setup Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6
         with:
           node-version: 24
 
diff --git a/analytics-service/AnalyticsServiceBase.ts b/analytics-service/AnalyticsServiceBase.ts
index b2c67578c..112deb777 100644
--- a/analytics-service/AnalyticsServiceBase.ts
+++ b/analytics-service/AnalyticsServiceBase.ts
@@ -1,4 +1,4 @@
-import { getSafContext } from "@saflib/node";
+import { getSafContext, getSafReporters } from "@saflib/node";
 import type { SafContext } from "@saflib/node";
 import type { AnalyticsService, CommonEvent, IdentifyProps } from "./types.ts";
 
@@ -52,6 +52,13 @@ export abstract class AnalyticsServiceBase implements AnalyticsService {
       event: event.event,
       context: mergedContext,
     });
+
+    const { log } = getSafReporters();
+    log.info(`Product event: ${event.event}`, {
+      event: event.event,
+      distinct_id: distinctId,
+      ...(mergedContext !== undefined ? { context: mergedContext } : {}),
+    });
   }
 
   protected abstract emitCapture(event: {
diff --git a/backup/backup-sdk/Dockerfile.template b/backup/backup-sdk/Dockerfile.template
index 33eac4500..d89f05f72 100644
--- a/backup/backup-sdk/Dockerfile.template
+++ b/backup/backup-sdk/Dockerfile.template
@@ -7,8 +7,7 @@ RUN npm install -g npm@11.14.1
 WORKDIR /app
 
 #{ copy_packages }#
-RUN npm install
-RUN npm install @rollup/rollup-linux-arm64-gnu
+RUN npm ci
 
 #{ copy_src }#
 
diff --git a/cron/cron/Dockerfile.template b/cron/cron/Dockerfile.template
index b1fa0c628..f5be43a68 100644
--- a/cron/cron/Dockerfile.template
+++ b/cron/cron/Dockerfile.template
@@ -4,7 +4,7 @@ FROM node:alpine3.19
 WORKDIR /app
 
 #{ copy_packages }#
-RUN npm install --omit=dev
+RUN npm ci --omit=dev
 #{ copy_src }#
 
 WORKDIR /app/services/cron
diff --git a/drizzle/types/file-metadata.ts b/drizzle/types/file-metadata.ts
index 89fe77f02..c0dbde3f4 100644
--- a/drizzle/types/file-metadata.ts
+++ b/drizzle/types/file-metadata.ts
@@ -20,6 +20,7 @@ export const fileMetadataColumns = {
   file_original_name: text("file_original_name").notNull(),
   mimetype: text("mimetype").notNull(),
   size: integer("size").notNull(),
+  md5_hash: text("md5_hash"),
   created_at: text("created_at")
     .notNull()
     .$defaultFn(() => new Date().toISOString()),
@@ -47,6 +48,7 @@ export interface FileMetadataFields {
   file_original_name: string;
   mimetype: string;
   size: number;
+  md5_hash: string | null;
   created_at: string;
   updated_at: string;
 }
diff --git a/express/src/middleware/auth.ts b/express/src/middleware/auth.ts
index 0ade4266c..4ef7bf971 100644
--- a/express/src/middleware/auth.ts
+++ b/express/src/middleware/auth.ts
@@ -4,6 +4,7 @@ import {
   AUTH_ERROR_EMAIL_VERIFICATION_REQUIRED,
   AUTH_ERROR_MFA_REQUIRED,
 } from "@saflib/sdk/auth-error-codes";
+import { typedEnv } from "@saflib/env";
 
 interface AuthMiddlewareOptions {
   adminRequired?: boolean;
@@ -57,7 +58,7 @@ export const makeAuthMiddleware = (
     const routeRequiresMfa =
       Boolean(mfaRequired) ||
       tags?.includes("mfa-required") === true ||
-      Boolean(adminRequired);
+      (Boolean(adminRequired) && typedEnv.NODE_ENV === "production");
 
     if (tags?.includes("no-auth")) {
       return next();
diff --git a/express/src/middleware/csrf.ts b/express/src/middleware/csrf.ts
index 28b6abe1c..748087bbc 100644
--- a/express/src/middleware/csrf.ts
+++ b/express/src/middleware/csrf.ts
@@ -6,6 +6,8 @@ const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);
 /**
  * Enforce CSRF double-submit token validation on state-changing requests.
  * Skips routes tagged `no-auth` (same convention as auth middleware).
+ * Skips `csrf-exempt` for browser-initiated posts that cannot attach our token
+ * (e.g. Content-Security-Policy violation reports).
  */
 export const makeCsrfMiddleware = (): Handler => {
   return (req, res, next): void => {
@@ -13,7 +15,8 @@ export const makeCsrfMiddleware = (): Handler => {
       return next();
     }
 
-    if (req.openapi?.schema?.tags?.includes("no-auth")) {
+    const tags = req.openapi?.schema?.tags;
+    if (tags?.includes("no-auth") || tags?.includes("csrf-exempt")) {
       return next();
     }
 
diff --git a/express/src/middleware/errors.ts b/express/src/middleware/errors.ts
index 9520e240e..201a3361d 100644
--- a/express/src/middleware/errors.ts
+++ b/express/src/middleware/errors.ts
@@ -1,6 +1,6 @@
 import createError, { HttpError } from "http-errors";
 import type { Request, Response, NextFunction, Handler } from "express";
-import { safReportersStorage } from "@saflib/node";
+import { getErrorCollectors, safReportersStorage } from "@saflib/node";
 import { typedEnv } from "@saflib/env";
 /**
  * 404 Handler
@@ -24,13 +24,19 @@ export const errorHandler = (
   const status = err.status || 500;
 
   if (status >= 500) {
-    if (typedEnv.NODE_ENV === "test") {
+    if (
+      typedEnv.NODE_ENV === "test" &&
+      getErrorCollectors().length === 0
+    ) {
       console.error(err.stack);
     }
     const store = safReportersStorage.getStore();
     if (store) {
       store.logError(err);
-    } else {
+    } else if (
+      typedEnv.NODE_ENV !== "test" ||
+      getErrorCollectors().length === 0
+    ) {
       console.log("Error", err);
     }
   }
diff --git a/node/src/errors.ts b/node/src/errors.ts
index 8623bf2bf..f1ca9149f 100644
--- a/node/src/errors.ts
+++ b/node/src/errors.ts
@@ -18,7 +18,7 @@ export const addErrorCollector = (collector: ErrorCollector) => {
   errorCollectors.push(collector);
 };
 
-const getErrorCollectors = () => {
+export const getErrorCollectors = () => {
   return errorCollectors.slice();
 };
 
diff --git a/package.json b/package.json
index 99ffe2554..acd9398e5 100644
--- a/package.json
+++ b/package.json
@@ -17,7 +17,6 @@
     "@saflib/vue": "*",
     "@vue/tsconfig": "^0.9.1",
     "typescript": "~6.0.0",
-    "vite": "^8.0.9",
     "vue-router": "^5.0.0",
     "vue-tsc": "^3.0.6"
   },
diff --git a/processes/workflows/spec-project.ts b/processes/workflows/spec-project.ts
index bca3bfb04..a22516d85 100644
--- a/processes/workflows/spec-project.ts
+++ b/processes/workflows/spec-project.ts
@@ -126,6 +126,8 @@ export const SpecProjectWorkflowDefinition = defineWorkflow<
 
       Now that you have a plan, you can write the workflows per the aligned plan to implement the spec. Only one workflow has been generated, but make as many as the plan dictates. Have the main one run the others (orchestrating them).
 
+      **Step shape:** Do not start a phase workflow (or the orchestrator) with a review-only \`PromptStepMachine\` that only tells the agent to read the spec/plan. The first step should be real work (\`CdStepMachine\`, a sub-workflow, or an implementation prompt). Put context in that first step's prompt with \`Use workflow docFiles (**<name>.spec.md**, **<name>.plan.md** Phase N)\` — the workflow's \`docFiles\` block already wires those paths; reading them is not a separate step. Follow \`daemon/plans/notes/2026-05-21-questionnaire-mappings/\` phase workflows as the reference shape.
+
       For each workflow, run "npm exec saf-workflow dry-run ./path/to/workflow.ts" to make sure everything is wired up correctly. One of the more common errors is for the workflow to not include "CdStepMachine" to move into the right directory before running the workflow. Location matters.
       `,
     })),
diff --git a/product/workflows/templates/.github/actions/setup-node-deps/action.yml b/product/workflows/templates/.github/actions/setup-node-deps/action.yml
new file mode 100644
index 000000000..b918cdacd
--- /dev/null
+++ b/product/workflows/templates/.github/actions/setup-node-deps/action.yml
@@ -0,0 +1,36 @@
+name: Setup Node dependencies
+description: >-
+  Setup Node.js, restore ~/.npm and workspace node_modules caches, and run npm ci
+  only on cache miss. The monorepo installs into nested node_modules (e.g.
+  saflib/node_modules); caching only the repo root tree breaks typecheck.
+inputs:
+  node-version:
+    description: Node.js version
+    required: false
+    default: "24"
+runs:
+  using: composite
+  steps:
+    - name: Setup Node.js
+      uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+      with:
+        node-version: ${{ inputs.node-version }}
+        cache: npm
+
+    - name: Cache node_modules
+      id: node-modules-cache
+      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+      with:
+        path: |
+          node_modules
+          saflib/**/node_modules
+          daemon/**/node_modules
+          deploy/**/node_modules
+        key: node-modules-v2-${{ runner.os }}-node-${{ inputs.node-version }}-${{ hashFiles('package-lock.json') }}
+        restore-keys: |
+          node-modules-v2-${{ runner.os }}-node-${{ inputs.node-version }}-
+
+    - name: Install dependencies
+      if: steps.node-modules-cache.outputs.cache-hit != 'true'
+      shell: bash
+      run: npm ci --prefer-offline --no-audit --no-fund
diff --git a/product/workflows/templates/.github/workflows/playwright.yml b/product/workflows/templates/.github/workflows/playwright.yml
index 6419aa5fd..02fd9aa80 100644
--- a/product/workflows/templates/.github/workflows/playwright.yml
+++ b/product/workflows/templates/.github/workflows/playwright.yml
@@ -10,15 +10,10 @@ jobs:
       run:
         working-directory: .
     steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-node@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
-          node-version: lts/*
-          cache: "npm"
-      - name: Install submodules
-        run: git submodule update --init
-      - name: Install dependencies
-        run: npm ci
+          submodules: recursive
+      - uses: ./.github/actions/setup-node-deps
       # For some reason, github actions hang when I do `npm exec saf-docker generate`. So we run the script directly.
       - name: Generate Docker
         run: node --experimental-strip-types --disable-warning=ExperimentalWarning saflib/dev-tools/src/saf-docker-cli.ts generate
@@ -36,14 +31,14 @@ jobs:
       - name: Shut down
         run: docker stop $(docker ps -a -q)
       # TODO: gather all logs and upload them as artifacts
-      # - uses: actions/upload-artifact@v4
+      # - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4
       #   if: ${{ !cancelled() }}
       #   with:
       #     name: playwright-report
       #     path: ./clients/web-auth/playwright-report/
       #     retention-days: 30
       - name: Upload docker compose logs
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7
         if: ${{ !cancelled() }}
         with:
           name: last-docker-compose-log
diff --git a/product/workflows/templates/.github/workflows/push.yml b/product/workflows/templates/.github/workflows/push.yml
index eac95a88b..81a9ba138 100644
--- a/product/workflows/templates/.github/workflows/push.yml
+++ b/product/workflows/templates/.github/workflows/push.yml
@@ -26,21 +26,13 @@ jobs:
     env:
       CONTAINER_REGISTRY: ghcr.io/${{ github.repository_owner }}
     steps:
-      - uses: actions/checkout@v6
-      - name: Install submodules
-        run: git submodule update --init
-
-      - name: Set up Node.js
-        uses: actions/setup-node@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
-          node-version: 24
-          cache: npm
-
-      - name: Install dependencies
-        run: npm ci
+          submodules: recursive
+      - uses: ./.github/actions/setup-node-deps
 
       - name: Log in to GHCR
-        uses: docker/login-action@v4
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121  # v4
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
diff --git a/product/workflows/templates/.github/workflows/typecheck.yml b/product/workflows/templates/.github/workflows/typecheck.yml
index a6be1fe3d..a6ffed1ce 100644
--- a/product/workflows/templates/.github/workflows/typecheck.yml
+++ b/product/workflows/templates/.github/workflows/typecheck.yml
@@ -9,15 +9,9 @@ jobs:
   typecheck:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
-      - name: Setup Node.js
-        uses: actions/setup-node@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
-          node-version: 24
-          cache: "npm"
-      - name: Install submodules
-        run: git submodule update --init
-      - name: Install dependencies
-        run: npm ci
+          submodules: recursive
+      - uses: ./.github/actions/setup-node-deps
       - name: Run Typecheck
         run: npm run typecheck
diff --git a/product/workflows/templates/.github/workflows/unit-tests.yaml b/product/workflows/templates/.github/workflows/unit-tests.yaml
index b00709f5e..106a52c2e 100644
--- a/product/workflows/templates/.github/workflows/unit-tests.yaml
+++ b/product/workflows/templates/.github/workflows/unit-tests.yaml
@@ -17,20 +17,10 @@ jobs:
           - __product-name__
           # END WORKFLOW AREA
     steps:
-      - uses: actions/checkout@v6
-      - name: Setup Node.js
-        uses: actions/setup-node@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
-          node-version: 24
-          cache: "npm"
-      - name: Install submodules
-        run: git submodule update --init
-      - name: Install dependencies
-        run: npm ci
-
-      # Tests fail to run if this one package isn't installed
-      - name: Install rollup for linux
-        run: npm install @rollup/rollup-linux-x64-gnu
+          submodules: recursive
+      - uses: ./.github/actions/setup-node-deps
 
       - name: Run Unit Tests
         run: npm run test -- --project='*${{ matrix.project }}*'
diff --git a/product/workflows/templates/__product-name__/dev/Dockerfile.template b/product/workflows/templates/__product-name__/dev/Dockerfile.template
index df5d13875..836f8e560 100644
--- a/product/workflows/templates/__product-name__/dev/Dockerfile.template
+++ b/product/workflows/templates/__product-name__/dev/Dockerfile.template
@@ -14,7 +14,7 @@ RUN npm install -g npm@11.14.1
 WORKDIR /app
 
 #{ copy_packages }#
-RUN npm install --omit=dev
+RUN npm ci --omit=dev
 
 #{ copy_src }#
 
diff --git a/product/workflows/templates/__product-name__/dev/kratos/kratos.yml b/product/workflows/templates/__product-name__/dev/kratos/kratos.yml
index 8b29f9800..38bae434a 100644
--- a/product/workflows/templates/__product-name__/dev/kratos/kratos.yml
+++ b/product/workflows/templates/__product-name__/dev/kratos/kratos.yml
@@ -13,11 +13,13 @@ serve:
 selfservice:
   default_browser_return_url: http://auth.docker.localhost/
 
-  # Permit return_to from any app on this dev domain (e.g. app.recipes.docker.localhost).
-  # Root host is listed separately; *.docker.localhost does not match the apex.
+  # Only apex and product hosts (no subdomain wildcard — T-9 open redirect).
   allowed_return_urls:
     - http://docker.localhost/
-    - http://*.docker.localhost/
+    - http://app.docker.localhost/
+    - http://admin.docker.localhost/
+    - http://auth.docker.localhost/
+    - http://account.docker.localhost/
 
   flows:
     registration:
diff --git a/product/workflows/templates/__product-name__/service/monolith/Dockerfile.template b/product/workflows/templates/__product-name__/service/monolith/Dockerfile.template
index ba3b74daa..414a69f46 100644
--- a/product/workflows/templates/__product-name__/service/monolith/Dockerfile.template
+++ b/product/workflows/templates/__product-name__/service/monolith/Dockerfile.template
@@ -4,7 +4,7 @@ FROM node:alpine3.19
 WORKDIR /app
 
 #{ copy_packages }#
-RUN npm install --omit=dev
+RUN npm ci --omit=dev
 #{ copy_src }#
 
 WORKDIR /app/__product-name__/service/monolith
diff --git a/product/workflows/templates/deploy/Dockerfile.prod b/product/workflows/templates/deploy/Dockerfile.prod
index b13482332..e2b35e215 100644
--- a/product/workflows/templates/deploy/Dockerfile.prod
+++ b/product/workflows/templates/deploy/Dockerfile.prod
@@ -11,7 +11,7 @@ RUN export $(grep -v "^#" /app/env.__product-name__.prod-local | xargs) && DOMAI
 # END WORKFLOW AREA
 
 FROM caddy:2.11.3-builder-alpine AS caddy-rebuild
-RUN xcaddy build v2.11.2
+RUN xcaddy build v2.11.3
 
 FROM caddy:2.11.3-alpine
 COPY --from=caddy-rebuild /usr/bin/caddy /usr/bin/caddy
diff --git a/product/workflows/templates/deploy/kratos-prod-local/kratos.yml b/product/workflows/templates/deploy/kratos-prod-local/kratos.yml
index cd36ec6c7..e2ad6168a 100644
--- a/product/workflows/templates/deploy/kratos-prod-local/kratos.yml
+++ b/product/workflows/templates/deploy/kratos-prod-local/kratos.yml
@@ -13,10 +13,13 @@ serve:
 selfservice:
   default_browser_return_url: http://auth.docker.localhost/
 
-  # Same as recipes/dev: any HTTP origin on docker.localhost for local prod-like stacks.
+  # Only apex and product hosts (no subdomain wildcard — T-9 open redirect).
   allowed_return_urls:
     - http://docker.localhost/
-    - http://*.docker.localhost/
+    - http://app.docker.localhost/
+    - http://admin.docker.localhost/
+    - http://auth.docker.localhost/
+    - http://account.docker.localhost/
 
   flows:
     registration:
diff --git a/product/workflows/templates/deploy/remote-assets/kratos/kratos.yml b/product/workflows/templates/deploy/remote-assets/kratos/kratos.yml
index 1656875f4..e13bc5d2f 100644
--- a/product/workflows/templates/deploy/remote-assets/kratos/kratos.yml
+++ b/product/workflows/templates/deploy/remote-assets/kratos/kratos.yml
@@ -13,10 +13,13 @@ serve:
 selfservice:
   default_browser_return_url: https://auth.__domain-name__/
 
-  # Permit return_to from any HTTPS app on this domain (wildcard does not match apex).
+  # Only apex and product hosts (no subdomain wildcard — T-9 open redirect).
   allowed_return_urls:
     - https://__domain-name__/
-    - https://*.__domain-name__/
+    - https://app.__domain-name__/
+    - https://admin.__domain-name__/
+    - https://auth.__domain-name__/
+    - https://account.__domain-name__/
 
   flows:
     registration:
diff --git a/sdk/src/client.ts b/sdk/src/client.ts
index 8a59d9771..456feaaf7 100644
--- a/sdk/src/client.ts
+++ b/sdk/src/client.ts
@@ -1,6 +1,5 @@
 import { QueryClient } from "@tanstack/vue-query";
 import createClient from "openapi-fetch";
-import { isTestEnv } from "@saflib/vue";
 import { getProtocol, getHost } from "@saflib/links";
 import { TanstackError } from "./errors.ts";
 import type { ClientResult } from "./types.ts";
@@ -94,9 +93,6 @@ export const handleClientMethod = async <T>(
     // This is because UI should not render the untranslated error message, but instead
     // give the user a message based on the HTTP status or, if that's not sufficient,
     // the error code.
-    if (isTestEnv()) {
-      console.error(result.error);
-    }
     throw new TanstackError(result.response.status, result.error.code);
   }
   if (result.data === undefined) {
diff --git a/sdk/workflows/templates/Dockerfile.template b/sdk/workflows/templates/Dockerfile.template
index 7b2543c36..9d2b959ee 100644
--- a/sdk/workflows/templates/Dockerfile.template
+++ b/sdk/workflows/templates/Dockerfile.template
@@ -7,8 +7,7 @@ RUN npm install -g npm@11.14.1
 WORKDIR /app
 
 #{ copy_packages }#
-RUN npm install
-RUN npm install @rollup/rollup-linux-arm64-gnu
+RUN npm ci
 
 #{ copy_src }#
 
diff --git a/sentry/package.json b/sentry/package.json
index 152cc3573..6c7dafe69 100644
--- a/sentry/package.json
+++ b/sentry/package.json
@@ -24,7 +24,7 @@
   "devDependencies": {
     "@saflib/vitest": "*",
     "@saflib/workflows": "*",
-    "vite": "^8.0.7",
+    "vite": "8.0.13",
     "vitest": "^3.2.4"
   }
 }
diff --git a/service/workflows/service-templates/Dockerfile.template b/service/workflows/service-templates/Dockerfile.template
index 562df1397..044181f6d 100644
--- a/service/workflows/service-templates/Dockerfile.template
+++ b/service/workflows/service-templates/Dockerfile.template
@@ -4,7 +4,7 @@ FROM node:alpine3.19
 WORKDIR /app
 
 #{ copy_packages }#
-RUN npm install --omit=dev
+RUN npm ci --omit=dev
 #{ copy_src }#
 
 WORKDIR /app/__service-group-dir__/__service-name__-service
diff --git a/vite/package.json b/vite/package.json
index fe91e0056..5d378197f 100644
--- a/vite/package.json
+++ b/vite/package.json
@@ -16,7 +16,7 @@
     "@saflib/vue": "*",
     "@vitejs/plugin-vue": "^6.0.1",
     "rollup-plugin-ignore": "^1.0.10",
-    "vite": "^8.0.0",
+    "vite": "8.0.13",
     "vite-plugin-vue-devtools": "^8.0.1",
     "vite-plugin-vuetify": "^2.1.3"
   },
diff --git a/vitest/base-vitest.config.js b/vitest/base-vitest.config.js
index 933924714..1c81dde75 100644
--- a/vitest/base-vitest.config.js
+++ b/vitest/base-vitest.config.js
@@ -1,7 +1,11 @@
+import path from "node:path";
 import { defineConfig } from "vitest/config";
 
+const testSetupFile = path.join(import.meta.dirname, "test-setup.ts");
+
 export const defaultConfig = defineConfig({
   test: {
+    setupFiles: [testSetupFile],
     /*
      * By default, isolate tests. There's no apparent change in performance, but sometimes tests
      * will break in CI or when you run them locally with --no-file-parallelism, particularly when
diff --git a/vitest/test-setup.ts b/vitest/test-setup.ts
new file mode 100644
index 000000000..94c9de251
--- /dev/null
+++ b/vitest/test-setup.ts
@@ -0,0 +1,8 @@
+import { addErrorCollector } from "@saflib/node";
+
+/**
+ * Register a no-op collector so {@link defaultErrorReporter} and
+ * {@link queryWrapper} do not print expected error stacks to stderr during tests.
+ * Suites that assert on logging can register their own collector afterward.
+ */
+addErrorCollector(() => {});
diff --git a/vue/components/UsPhoneNumberInput.vue b/vue/components/UsPhoneNumberInput.vue
index f8013dab7..e4bbfffaf 100644
--- a/vue/components/UsPhoneNumberInput.vue
+++ b/vue/components/UsPhoneNumberInput.vue
@@ -1,5 +1,6 @@
 <template>
   <v-text-field
+    ref="inputRef"
     v-model="displayValue"
     v-bind="$attrs"
     :label="label"
@@ -49,6 +50,11 @@ const emit = defineEmits<{
 
 const displayValue = ref("");
 const isFocused = ref(false);
+const inputRef = ref<{ focus: () => void } | null>(null);
+
+defineExpose({
+  focus: () => inputRef.value?.focus(),
+});
 
 // Handle input changes
 const handleInput = (event: Event) => {
diff --git a/vue/docs/01-overview.md b/vue/docs/01-overview.md
index 29b14d927..686a904e9 100644
--- a/vue/docs/01-overview.md
+++ b/vue/docs/01-overview.md
@@ -59,13 +59,15 @@ For more information, see [`@saflib/playwright`](../../playwright/docs/overview.
 Contains the components for each page of the SPA. Each page is expected to have:
 
 1. The main component which handles what is displayed
-2. An "async" component which uses `AsyncPage` to render a loading screen while data is fetched and code is loaded.
+2. An "async" component which uses `AsyncPage` to render a loading screen while data is fetched and code is loaded, and `useAsyncPageDocumentTitle` to set the browser tab title.
 3. A "loader" which is used by both the main and async components to run Tanstack Queries.
-4. A "strings" file which contains the default language strings for the page.
+4. A "strings" file which contains the default language strings for the page (including `documentTitle` for the browser tab).
 5. A test file which mainly checks the component correctly renders on page load.
 6. (optional) a "components" directory for sub-components specific to this page (shared components should go in a "common" package).
 
-For more information, see [Pages](./02-pages.md).
+For more information, see [Components — Views and pages](./02-components.md).
+
+When a page has several URL-addressable sub-views that share chrome (sidebar, breadcrumbs), see [Nested routes with AsyncPage](./05-nested-routes.md).
 
 ### `{Subdomain}App.vue`
 
diff --git a/vue/docs/02-components.md b/vue/docs/02-components.md
index 835dc648b..39107cc02 100644
--- a/vue/docs/02-components.md
+++ b/vue/docs/02-components.md
@@ -51,18 +51,35 @@ By default, SAF SPAs will split out every page. This is controlled by the `Async
 
 ```vue
 <template>
-  <AsyncPage :loader="() => usePageLoader()" :page-component="Page" />
+  <AsyncPage :loader="usePageLoader" :page-component="Page" />
 </template>
 
 <script setup lang="ts">
 import { defineAsyncComponent } from "vue";
 import { usePageLoader } from "./PageName.loader.ts";
+import { page_name as strings } from "./PageName.strings.ts";
 import { AsyncPage } from "@saflib/vue/components";
+import { useAsyncPageDocumentTitle } from "@saflib/vue";
+
+useAsyncPageDocumentTitle(strings.documentTitle);
 
 const Page = defineAsyncComponent(() => import("./PageName.vue"));
 </script>
 ```
 
+Add a `documentTitle` string to the page's `.strings.ts` file (for example `documentTitle: "Settings"`). The Async component sets `document.title` as soon as it mounts, before the page code loads. Configure the app suffix once in `main.ts` with `configureAppDocumentTitle("My Product")` so tabs read like `Settings — My Product`.
+
+When the tab title should include loaded data (for example a resource name), call the composable with a second argument — a ref or computed from the loader. The Async shell and `AsyncPage` may each call the loader independently; TanStack Query deduplicates the requests.
+
+```ts
+const loader = usePageLoader();
+
+useAsyncPageDocumentTitle(
+  strings.documentTitle,
+  computed(() => loader.resourceQuery.data.value?.name),
+);
+```
+
 The Vue router, and by extension the Vue app, do not directly import or render the page component. This is where the majority of the app's business logic will go, and so by default only necessary code is loaded by the application at first. The async component decides what will render while the code is loading and the data is being fetched; `AsyncPage` only renders the page component when both are present. `AsyncPage` also handles generic error states when either fail to arrive.
 
 If it's important to have certain common landing pages loaded sooner, the tradeoff can be decided to import the page component directly.
@@ -71,6 +88,10 @@ It's important that _no other components in the app_ render async components. By
 
 The only exception to this is if the component is not rendered on page load. For example if there's a heavy dialog, the page might render the async component only when the dialog is opened, or after the page is initially loaded to preload the code.
 
+#### Nested routes
+
+When a page has several sub-views that share chrome (sidebar, breadcrumbs, header), use [nested routes with AsyncPage](./05-nested-routes.md). The parent `*Async.vue` renders shared chrome through `AsyncPage` and a sibling `<router-view>`; each child route is its own `*Async.vue` with its own loader. Parent and child loaders run in parallel, child code is split per route, and TanStack Query deduplicates shared requests.
+
 ### Loader: Data Fetching
 
 _[Template file](../workflows/template/__subdomain-name__/__group-name__/__TargetName__.loader.ts)_
diff --git a/vue/docs/03-i18n.md b/vue/docs/03-i18n.md
index c77c79e9f..d3f0a73ed 100644
--- a/vue/docs/03-i18n.md
+++ b/vue/docs/03-i18n.md
@@ -40,6 +40,8 @@ Messages are compiled with Vue I18n’s **message syntax** (ICU-style). Placehol
 
 **Do not** use Mustache-style `{{name}}` inside strings that go through `t(...)`. Double braces are invalid for the message compiler and tend to fail in **production builds** (AOT compilation) while sometimes appearing to work in Vite dev mode.
 
+**Do not** put a bare `@` in messages (e.g. email placeholders like `user@example.com`). `@` starts [linked messages](https://vue-i18n.intlify.dev/guide/essentials/syntax.html#linked-messages) and often surfaces as `SyntaxError: 10` (`INVALID_LINKED_FORMAT`) when the string is first rendered. Use literal interpolation instead: `user{'@'}example.com`.
+
 **Do** pass values as the second argument to `t`:
 
 ```ts
diff --git a/vue/docs/04-testing.md b/vue/docs/04-testing.md
index 2f825bd38..2b1845908 100644
--- a/vue/docs/04-testing.md
+++ b/vue/docs/04-testing.md
@@ -103,6 +103,12 @@ The template includes a basic render test (`PageName.test.ts`) that mounts the a
 
 Render tests should **not** attempt to test interactions (clicking buttons, filling forms, submitting). That logic should be extracted into composables and tested there, or covered by Playwright E2E tests. Render tests that simulate interactions are fragile, slow, and duplicate coverage.
 
+### Nested routes
+
+Pages that use [nested routes with AsyncPage](./05-nested-routes.md) must be tested by mounting a root `<RouterView />` wrapper, not the parent async component directly. Push the router to an explicit child path (for example `/resource/:id/section`) before mounting so the parent layout and child route both render at the correct depth.
+
+Use `router.push()` to navigate between child sections in tests rather than clicking sidebar items when you are verifying route-driven content changes.
+
 ## Coverage
 
 ### Excluded Files
diff --git a/vue/docs/05-nested-routes.md b/vue/docs/05-nested-routes.md
new file mode 100644
index 000000000..d91afbf81
--- /dev/null
+++ b/vue/docs/05-nested-routes.md
@@ -0,0 +1,277 @@
+# Nested routes with AsyncPage
+
+Some views are really a **layout** with several sub-views: a detail page with a sidebar, a settings area with tabs, a wizard step that shares chrome, and so on. Instead of switching tabs in local state, use **Vue Router nested routes** so each sub-view is its own page with its own loader and async wrapper.
+
+This pattern keeps shared chrome (breadcrumbs, title, sidebar) in the parent while each child owns only the data it needs. Parent and child loaders run in parallel, child code is code-split per route, and TanStack Query deduplicates any shared requests.
+
+## When to use it
+
+Use nested routes when:
+
+- Several sub-views share the same chrome (header, breadcrumbs, sidebar).
+- Sub-views have **different data requirements** and you want those loaders separated.
+- Sub-views should be addressable by URL (bookmarkable, back/forward, deep links).
+
+Keep a single page with local tab state when sub-views are trivial, share identical data, or do not need their own URLs.
+
+## Architecture
+
+```mermaid
+flowchart TB
+  subgraph router [Vue Router]
+    ParentRoute["/resource/:id"]
+    ChildRoute["/resource/:id/section"]
+  end
+
+  subgraph parent [Parent route component]
+    ParentAsync["ResourceDetailAsync.vue"]
+    ParentLoader["useResourceDetailLoader()"]
+    Chrome["ResourceDetail.vue — breadcrumbs + title"]
+    Sidebar["Sidebar nav with :to links"]
+    RV["router-view"]
+  end
+
+  subgraph child [Child route component]
+    ChildAsync["OverviewAsync.vue"]
+    ChildLoader["useOverviewPageLoader()"]
+    OverviewPage["OverviewPage.vue"]
+  end
+
+  ParentRoute --> ParentAsync
+  ChildRoute --> ChildAsync
+  ParentAsync --> ParentLoader
+  ParentAsync --> Chrome
+  ParentAsync --> Sidebar
+  ParentAsync --> RV
+  RV --> ChildAsync
+  ChildAsync --> ChildLoader
+  ChildAsync --> OverviewPage
+```
+
+On navigation to `/resource/:id/overview`:
+
+1. Vue Router mounts the **parent** route component (`ResourceDetailAsync.vue`).
+2. The parent starts its loader and async-imports its chrome page (`ResourceDetail.vue`).
+3. The parent's `<router-view>` mounts the **child** route component (`OverviewAsync.vue`) immediately — no waiting for the parent loader to finish first.
+4. The child starts its own loader and async-imports its page component.
+5. Parent chrome, child content, parent data, and child data all load **in parallel**. TanStack Query shares cache entries when both loaders use the same query keys.
+
+There is no waterfall for code or data as long as each level uses the standard `*Async.vue` + `AsyncPage` pattern.
+
+## Directory layout
+
+Extend the usual page directory with one folder per child route:
+
+```
+resource-detail/
+├── ResourceDetail.vue              # Shared chrome only (breadcrumbs, title)
+├── ResourceDetail.loader.ts        # Data needed by chrome
+├── ResourceDetail.strings.ts
+├── ResourceDetailAsync.vue         # Layout: AsyncPage + sidebar + router-view
+├── ResourceDetail.test.ts
+│
+├── overview/
+│   ├── OverviewPage.vue
+│   ├── OverviewPage.loader.ts
+│   ├── OverviewAsync.vue
+│   ├── OverviewPanel.vue           # Section-specific sub-components
+│   └── …
+├── settings/
+│   ├── SettingsPage.vue
+│   ├── SettingsPage.loader.ts
+│   ├── SettingsAsync.vue
+│   └── …
+└── activity/
+    ├── ActivityPage.vue
+    ├── ActivityPage.loader.ts
+    ├── ActivityAsync.vue
+    └── …
+```
+
+Each child folder contains that section's page, loader, async wrapper, and sub-components. Keep section-specific components in the child folder rather than at the parent level.
+
+## Parent layout component
+
+The parent `*Async.vue` is the route component registered in `router.ts`. It renders shared chrome through `AsyncPage`, then a sibling `<router-view>` for the active child.
+
+```vue
+<template>
+  <v-container>
+    <AsyncPage
+      :loader="useResourceDetailLoader"
+      :page-component="ResourceDetail"
+    />
+
+    <div class="d-flex ga-4">
+      <v-card class="resource-detail-sidebar flex-shrink-0" variant="outlined">
+        <v-list nav density="compact">
+          <v-list-item
+            v-for="item in sidebarItems"
+            :key="item.value"
+            :to="item.to"
+          >
+            {{ item.label }}
+          </v-list-item>
+        </v-list>
+      </v-card>
+
+      <div class="flex-grow-1 min-width-0">
+        <router-view />
+      </div>
+    </div>
+  </v-container>
+</template>
+
+<script setup lang="ts">
+import { computed, defineAsyncComponent } from "vue";
+import { useRoute } from "vue-router";
+import { useResourceDetailLoader } from "./ResourceDetail.loader.ts";
+import { AsyncPage } from "@saflib/vue/components";
+
+const ResourceDetail = defineAsyncComponent(
+  () => import("./ResourceDetail.vue"),
+);
+</script>
+```
+
+Important details:
+
+- **`AsyncPage` and `<router-view>` are siblings.** The child route mounts as soon as the parent component mounts; it does not wait for the parent's loader to resolve.
+- **Navigation uses `:to` on list items** (or `router-link`) so Vue Router handles active state and history.
+- **The parent loader stays minimal** — only queries the chrome needs (entity name, breadcrumb labels, display metadata, etc.).
+
+The chrome page itself (`ResourceDetail.vue`) should be thin: breadcrumbs, title, and any layout logic that applies to every child. It should not render child content.
+
+## Child route components
+
+Each child route is a normal page: `OverviewAsync.vue` wraps `OverviewPage.vue` with `AsyncPage` and a dedicated loader.
+
+```vue
+<template>
+  <AsyncPage
+    :loader="useOverviewPageLoader"
+    :page-component="OverviewPage"
+  />
+</template>
+
+<script setup lang="ts">
+import { defineAsyncComponent } from "vue";
+import { useOverviewPageLoader } from "./OverviewPage.loader.ts";
+import { overview_page as strings } from "./OverviewPage.strings.ts";
+import { AsyncPage } from "@saflib/vue/components";
+import { useAsyncPageDocumentTitle } from "@saflib/vue";
+
+useAsyncPageDocumentTitle(strings.documentTitle);
+
+const OverviewPage = defineAsyncComponent(
+  () => import("./OverviewPage.vue"),
+);
+</script>
+```
+
+The child page component calls the same loader and renders the happy path. It composes sub-components from its own folder.
+
+## Loaders
+
+### Split data by responsibility
+
+| Loader | Owns |
+|---|---|
+| Parent (`useResourceDetailLoader`) | Shared chrome: entity record, display title, breadcrumb context |
+| Child (`useOverviewPageLoader`) | Section-specific queries: related records, section metadata, etc. |
+
+Both loaders may call the same TanStack query (for example `getResourceQuery(resourceId)`). That is fine — TanStack deduplicates by query key, so only one network request runs and both components read the same cached result.
+
+### Return only query objects from loaders used by AsyncPage
+
+`AsyncPage` treats every value returned from a loader as a TanStack query and reads `query.isLoading.value`. Loaders consumed by `AsyncPage` must return **only** query-like objects (`useQuery` results or thin wrappers with `isLoading`, `isError`, and `error`).
+
+Do **not** return bare `computed()` refs or other values from a loader passed to `AsyncPage`. Derive those in the page component from the query results instead.
+
+```typescript
+// Good — loader returns queries only
+export function useOverviewPageLoader() {
+  const resourceQuery = useQuery({ ...getResourceQuery(resourceId), ... });
+  const relatedQuery = useQuery({ ...listRelatedResourcesQuery(resourceId), ... });
+  return { resourceQuery, relatedQuery };
+}
+
+// In OverviewPage.vue — derive display values from query data
+const resource = computed(() => loader.resourceQuery.data.value?.resource);
+const summary = computed(() => resource.value?.summary ?? null);
+```
+
+See [Loader: Data Fetching](./02-components.md#loader-data-fetching) for the general loader rules (bounded query count, parallel fetching, no data-dependent query loops).
+
+## Router configuration
+
+Register the parent as the route component and list children underneath. Redirect the bare parent path to a default child with an **absolute** redirect function — a relative redirect like `{ path: "", redirect: "overview" }` can resolve incorrectly when other routes share path segments under the same `:id` prefix.
+
+```typescript
+{
+  path: appLinks.resourceDetail.path, // e.g. "/resource/:id"
+  component: ResourceDetailAsync,
+  children: [
+    {
+      path: "",
+      redirect: (to) => `${to.path}/overview`,
+    },
+    { path: "overview", component: OverviewAsync },
+    { path: "settings", component: SettingsAsync },
+    { path: "activity", component: ActivityAsync },
+  ],
+},
+```
+
+Child paths are relative to the parent, so `overview` matches `/resource/:id/overview`.
+
+The parent link in your links package stays the base path (`/resource/:id`). The redirect sends users to the default child. You do not need separate link entries for each child unless you link to them directly from elsewhere in the app.
+
+## Testing
+
+Nested routes require mounting through a root `<router-view>`, not by mounting the parent async component directly. Mounting the parent alone leaves `<router-view>` at the wrong depth and child routes will not render.
+
+```typescript
+import { defineComponent } from "vue";
+import { RouterView } from "vue-router";
+import { mountWithPlugins } from "@saflib/vue/testing";
+import { createAppRouter } from "../../../router.ts";
+
+const RouterViewWrapper = defineComponent({
+  components: { RouterView },
+  template: "<RouterView />",
+});
+
+it("renders the default child", async () => {
+  const router = createAppRouter();
+  await router.push("/resource/res_test/overview");
+  await router.isReady();
+
+  const wrapper = mountWithPlugins(
+    RouterViewWrapper,
+    {},
+    { router, i18nMessages: app_strings },
+  );
+
+  await vi.waitFor(() =>
+    expect(wrapper.text()).toContain("Expected content from child page"),
+  );
+});
+```
+
+To exercise sidebar navigation or cross-section behavior, call `router.push("/resource/res_test/settings")` and `await flushPromises()` rather than clicking list items — route navigation is what you are testing.
+
+When updating tests that previously expected navigation to the bare parent path, account for the default-child redirect (for example expect `/resource/:id/overview` instead of `/resource/:id`).
+
+See [Testing](./04-testing.md) for general render-test guidance.
+
+## Checklist
+
+When adding a nested route layout:
+
+1. Slim the parent loader to chrome-only queries.
+2. Create a child folder per section with `*Page.vue`, `*Page.loader.ts`, and `*Async.vue`.
+3. Register nested routes in `router.ts` with an absolute default-child redirect.
+4. Wire sidebar (or tab) navigation with `:to` paths under the parent base path.
+5. Keep section-specific sub-components in the child folder; child pages compose them.
+6. Add render tests that mount through `<RouterView />` and push to explicit child paths.
diff --git a/vue/docs/workflows/add-page.md b/vue/docs/workflows/add-page.md
index c877ca71d..c2e591f03 100644
--- a/vue/docs/workflows/add-page.md
+++ b/vue/docs/workflows/add-page.md
@@ -24,7 +24,7 @@ When run, the workflow will:
   - Upsert **WelcomeNewUser.loader.ts** from [template](https://github.com/sderickson/saflib/blob/main/vue/workflows/template/__product-name__-__subdomain-name__-spa/pages/page-template/__TargetName__.loader.ts)
   - Upsert **WelcomeNewUser.vue** from [template](https://github.com/sderickson/saflib/blob/main/vue/workflows/template/__product-name__-__subdomain-name__-spa/pages/page-template/__TargetName__.vue)
   - Upsert **WelcomeNewUserAsync.vue** from [template](https://github.com/sderickson/saflib/blob/main/vue/workflows/template/__product-name__-__subdomain-name__-spa/pages/page-template/__TargetName__Async.vue)
-  - Upsert **WelcomeNewUser.strings.ts** from [template](https://github.com/sderickson/saflib/blob/main/vue/workflows/template/__product-name__-__subdomain-name__-spa/pages/page-template/__TargetName__.strings.ts)
+  - Upsert **WelcomeNewUser.strings.ts** from [template](https://github.com/sderickson/saflib/blob/main/vue/workflows/template/__product-name__-__subdomain-name__-spa/pages/page-template/__TargetName__.strings.ts) (includes `documentTitle` for the browser tab)
   - Upsert **WelcomeNewUser.test.ts** from [template](https://github.com/sderickson/saflib/blob/main/vue/workflows/template/__product-name__-__subdomain-name__-spa/pages/page-template/__TargetName__.test.ts)
 - Update **WelcomeNewUser.loader.ts**: return Tanstack queries needed to render the page.
 - Update **WelcomeNewUser.vue**: take the data from the loader, assert that it's loaded, and render sample data.
diff --git a/vue/src/document-title.test.ts b/vue/src/document-title.test.ts
new file mode 100644
index 000000000..b74dc9417
--- /dev/null
+++ b/vue/src/document-title.test.ts
@@ -0,0 +1,27 @@
+import { afterEach, describe, expect, it } from "vitest";
+import {
+  configureAppDocumentTitle,
+  DEFAULT_APP_DOCUMENT_TITLE,
+  formatDocumentTitle,
+} from "./document-title.ts";
+
+describe("formatDocumentTitle", () => {
+  afterEach(() => {
+    configureAppDocumentTitle(DEFAULT_APP_DOCUMENT_TITLE);
+  });
+
+  it("appends the configured app name when a segment is provided", () => {
+    configureAppDocumentTitle("CaseDaemon");
+    expect(formatDocumentTitle("Home")).toBe("Home — CaseDaemon");
+  });
+
+  it("returns only the app name when the segment is empty", () => {
+    configureAppDocumentTitle("CaseDaemon");
+    expect(formatDocumentTitle(null)).toBe("CaseDaemon");
+    expect(formatDocumentTitle("   ")).toBe("CaseDaemon");
+  });
+
+  it("allows a per-call app title override", () => {
+    expect(formatDocumentTitle("Home", "Other App")).toBe("Home — Other App");
+  });
+});
diff --git a/vue/src/document-title.ts b/vue/src/document-title.ts
new file mode 100644
index 000000000..1d984683c
--- /dev/null
+++ b/vue/src/document-title.ts
@@ -0,0 +1,34 @@
+export const DEFAULT_APP_DOCUMENT_TITLE = "App";
+
+let appDocumentTitle = DEFAULT_APP_DOCUMENT_TITLE;
+
+/** Set the app name appended to page titles, e.g. `Home — CaseDaemon`. */
+export function configureAppDocumentTitle(title: string): void {
+  const trimmed = title.trim();
+  appDocumentTitle = trimmed.length > 0 ? trimmed : DEFAULT_APP_DOCUMENT_TITLE;
+}
+
+export function getAppDocumentTitle(): string {
+  return appDocumentTitle;
+}
+
+export function formatDocumentTitle(
+  segment: string | null | undefined,
+  appTitle: string = appDocumentTitle,
+): string {
+  const trimmedSegment = segment?.trim();
+  const trimmedAppTitle = appTitle.trim() || DEFAULT_APP_DOCUMENT_TITLE;
+  return trimmedSegment
+    ? `${trimmedSegment} — ${trimmedAppTitle}`
+    : trimmedAppTitle;
+}
+
+export function setDocumentTitle(
+  segment: string | null | undefined,
+  appTitle?: string,
+): void {
+  if (typeof document === "undefined") {
+    return;
+  }
+  document.title = formatDocumentTitle(segment, appTitle);
+}
diff --git a/vue/src/index.ts b/vue/src/index.ts
index b565caba4..b8751ec3e 100644
--- a/vue/src/index.ts
+++ b/vue/src/index.ts
@@ -13,3 +13,5 @@ export * from "./test-mode.ts";
 export * from "./wip-env.ts";
 export * from "./git-hash";
 export * from "./useResolvedHref.ts";
+export * from "./document-title.ts";
+export * from "./useAsyncPageDocumentTitle.ts";
diff --git a/vue/src/useAsyncPageDocumentTitle.test.ts b/vue/src/useAsyncPageDocumentTitle.test.ts
new file mode 100644
index 000000000..eecc83b89
--- /dev/null
+++ b/vue/src/useAsyncPageDocumentTitle.test.ts
@@ -0,0 +1,46 @@
+import { afterEach, describe, expect, it } from "vitest";
+import { computed, effectScope, ref } from "vue";
+import { configureAppDocumentTitle } from "./document-title.ts";
+import { useAsyncPageDocumentTitle } from "./useAsyncPageDocumentTitle.ts";
+
+describe("useAsyncPageDocumentTitle", () => {
+  afterEach(() => {
+    configureAppDocumentTitle("App");
+    document.title = "App";
+  });
+
+  it("sets the static page title immediately", () => {
+    configureAppDocumentTitle("CaseDaemon");
+    const scope = effectScope();
+    scope.run(() => {
+      useAsyncPageDocumentTitle("Matters");
+    });
+    scope.stop();
+
+    expect(document.title).toBe("Matters — CaseDaemon");
+  });
+
+  it("prepends loader detail when it becomes available", async () => {
+    configureAppDocumentTitle("CaseDaemon");
+    const matterName = ref<string | null>(null);
+    const scope = effectScope();
+
+    scope.run(() => {
+      useAsyncPageDocumentTitle(
+        "Review",
+        computed(() => matterName.value),
+      );
+    });
+
+    expect(document.title).toBe("Review — CaseDaemon");
+
+    matterName.value = "Immigration Case A";
+    await Promise.resolve();
+
+    expect(document.title).toBe(
+      "Immigration Case A — Review — CaseDaemon",
+    );
+
+    scope.stop();
+  });
+});
diff --git a/vue/src/useAsyncPageDocumentTitle.ts b/vue/src/useAsyncPageDocumentTitle.ts
new file mode 100644
index 000000000..3bf2bf0c3
--- /dev/null
+++ b/vue/src/useAsyncPageDocumentTitle.ts
@@ -0,0 +1,20 @@
+import { toValue, watch, type MaybeRefOrGetter } from "vue";
+import { setDocumentTitle } from "./document-title.ts";
+
+/** Set `document.title` from an Async page shell using strings + optional loader data. */
+export function useAsyncPageDocumentTitle(
+  pageTitle: string,
+  detail?: MaybeRefOrGetter<string | null | undefined>,
+  appTitle?: string,
+): void {
+  watch(
+    () => {
+      const trimmedDetail = detail ? toValue(detail)?.trim() : undefined;
+      return trimmedDetail
+        ? `${trimmedDetail} — ${pageTitle}`
+        : pageTitle;
+    },
+    (segment) => setDocumentTitle(segment, appTitle),
+    { immediate: true },
+  );
+}
diff --git a/vue/testing/string-utils.ts b/vue/testing/string-utils.ts
index a7fe866da..f5a48fc2b 100644
--- a/vue/testing/string-utils.ts
+++ b/vue/testing/string-utils.ts
@@ -1,15 +1,57 @@
 import { expect } from "vitest";
-import { type VueWrapper } from "@vue/test-utils";
+import { DOMWrapper, type VueWrapper } from "@vue/test-utils";
 import {
   convertI18NInterpolationToRegex,
   type ElementString,
 } from "@saflib/utils";
 
+type ElementWrapper = VueWrapper | DOMWrapper<Element>;
+
+function findInputForLabel(
+  wrapper: ElementWrapper,
+  labelText: string,
+): ElementWrapper | undefined {
+  const inputs = wrapper.findAll("input, textarea, select");
+  const inputByAria = inputs.find(
+    (el) => el.attributes("aria-label")?.trim() === labelText,
+  );
+  if (inputByAria?.exists()) {
+    return inputByAria;
+  }
+
+  const labelLike = [
+    ...wrapper.findAll("label"),
+    ...wrapper.findAll(".v-label"),
+    ...wrapper.findAll(".v-field-label"),
+  ];
+  const labelEl = labelLike.find((el) => el.text().trim() === labelText);
+  if (!labelEl?.exists()) {
+    return undefined;
+  }
+
+  const forId = labelEl.attributes("for");
+  if (forId) {
+    const linked = wrapper.find(`#${CSS.escape(forId)}`);
+    if (linked.exists()) {
+      return linked;
+    }
+  }
+
+  const fieldInput = labelEl.element
+    .closest(".v-field")
+    ?.querySelector("input, textarea, select");
+  if (fieldInput) {
+    return new DOMWrapper(fieldInput);
+  }
+
+  return labelEl;
+}
+
 /**
  * This should always be used to find elements in tests.
  */
 export const getElementByString = (
-  wrapper: VueWrapper,
+  wrapper: ElementWrapper,
   stringObj: ElementString,
 ) => {
   if (typeof stringObj === "string" || stringObj["text"]) {
@@ -37,8 +79,7 @@ export const getElementByString = (
   }
 
   if (stringObj.label) {
-    const elements = wrapper.findAll("label");
-    const element = elements.find((el) => el.text() === stringObj.label);
+    const element = findInputForLabel(wrapper, stringObj.label);
     expect(element?.exists()).toBe(true);
     return element!;
   }
diff --git a/vue/testing/vitest-setup.js b/vue/testing/vitest-setup.js
index a14f29199..6f7d6d13e 100644
--- a/vue/testing/vitest-setup.js
+++ b/vue/testing/vitest-setup.js
@@ -1,6 +1,23 @@
 // Stubs for browser APIs not available in jsdom.
 // This setup file is referenced by vitest-config.js and runs before each test file.
 
+import { addErrorCollector } from "@saflib/node";
+
+addErrorCollector(() => {});
+
+const originalConsoleWarn = console.warn;
+console.warn = (...args) => {
+  const first = args[0];
+  if (
+    typeof first === "string" &&
+    (first.includes("router.resolve() was passed an invalid location") ||
+      first.includes("No match found for location with path"))
+  ) {
+    return;
+  }
+  originalConsoleWarn(...args);
+};
+
 if (typeof globalThis.ResizeObserver === "undefined") {
   globalThis.ResizeObserver = class ResizeObserver {
     observe() {}
diff --git a/vue/workflows/add-view.ts b/vue/workflows/add-view.ts
index 4dfc8eee8..b3ed8f2a8 100644
--- a/vue/workflows/add-view.ts
+++ b/vue/workflows/add-view.ts
@@ -155,7 +155,7 @@ export const AddSpaViewWorkflowDefinition = defineWorkflow<
 
       * Located at ${context.copiedFiles?.vue}
       * Use the adjacent (${path.basename(context.copiedFiles!.loader)}) to add Tanstack queries for any data needed to render the page (the Tanstack queries are imported from the appropriate sdk package)
-      * Use the adjacent (${path.basename(context.copiedFiles!.strings)}) for all user-facing copy.
+      * Use the adjacent (${path.basename(context.copiedFiles!.strings)}) for all user-facing copy. Keep \`documentTitle\` in that file for the browser tab (the Async component already wires it via \`useAsyncPageDocumentTitle\`).
       * Take the data from the loader, assert that it's loaded, and render the page.
       * Do not add any sort of loading state or skeleton; that's the job of the "Async" component (and \`AsyncPage\` for query errors). Sub-components should receive **values to render** (e.g. lists, labels), not query \`isPending\`/\`isError\` or raw query objects—unless you have deliberately split loading (JIT) and documented it.
       * Don't break reactivity! Render the data directly from the tanstack queries, or if necessary create a computed property.
diff --git a/vue/workflows/template/__static-subdomain-name__/Dockerfile.template b/vue/workflows/template/__static-subdomain-name__/Dockerfile.template
index bc20a9434..0666a057d 100644
--- a/vue/workflows/template/__static-subdomain-name__/Dockerfile.template
+++ b/vue/workflows/template/__static-subdomain-name__/Dockerfile.template
@@ -5,7 +5,7 @@ RUN npm install -g npm@11.14.1
 
 WORKDIR /app
 #{ copy_packages }#
-RUN npm install --omit=dev
+RUN npm ci --omit=dev
 #{ copy_src }#
 
 WORKDIR /app/__product-name__/clients/__static-subdomain-name__
diff --git a/vue/workflows/template/__subdomain-name__/__group-name__/__TargetName__.strings.ts b/vue/workflows/template/__subdomain-name__/__group-name__/__TargetName__.strings.ts
index fb3277fba..993b5c15c 100644
--- a/vue/workflows/template/__subdomain-name__/__group-name__/__TargetName__.strings.ts
+++ b/vue/workflows/template/__subdomain-name__/__group-name__/__TargetName__.strings.ts
@@ -1,6 +1,8 @@
 export const __full_name__ = {
   // TODO: Replace strings with strings from the actual design
   // Use descriptive keys that work well with translation systems
+  /** Browser tab title (set by the Async component via useAsyncPageDocumentTitle). */
+  documentTitle: "__FullName__",
   title: "Hello, __FullName__!",
   subtitle: "This is a subtitle",
   description: "This is a description of what this page does",
diff --git a/vue/workflows/template/__subdomain-name__/__group-name__/__TargetName__Async.vue b/vue/workflows/template/__subdomain-name__/__group-name__/__TargetName__Async.vue
index df07ed8e9..9de053c0b 100644
--- a/vue/workflows/template/__subdomain-name__/__group-name__/__TargetName__Async.vue
+++ b/vue/workflows/template/__subdomain-name__/__group-name__/__TargetName__Async.vue
@@ -8,7 +8,12 @@
 <script setup lang="ts">
 import { defineAsyncComponent } from "vue";
 import { use__TargetName__Loader } from "./__TargetName__.loader.ts";
+import { __full_name__ as strings } from "./__TargetName__.strings.ts";
 import { AsyncPage } from "@saflib/vue/components";
+import { useAsyncPageDocumentTitle } from "@saflib/vue";
+
+useAsyncPageDocumentTitle(strings.documentTitle);
+
 const __TargetName__ = defineAsyncComponent(
   () => import("./__TargetName__.vue"),
 );
diff --git a/vue/workflows/template/__subdomain-name__/main.ts b/vue/workflows/template/__subdomain-name__/main.ts
index b4746b60d..283e9c790 100644
--- a/vue/workflows/template/__subdomain-name__/main.ts
+++ b/vue/workflows/template/__subdomain-name__/main.ts
@@ -1,4 +1,4 @@
-import { createVueApp } from "@saflib/vue";
+import { configureAppDocumentTitle, createVueApp } from "@saflib/vue";
 import { setClientName } from "@saflib/links";
 import Spa from "./__SubdomainName__Spa.vue";
 import "vuetify/styles";
@@ -7,6 +7,7 @@ import { __subdomain_name___strings } from "./strings.ts";
 
 export const main = () => {
   setClientName("__subdomain-name__");
+  configureAppDocumentTitle("__ProductName__ __SubdomainName__");
   const router = create__SubdomainName__Router();
   createVueApp(Spa, {
     router,
diff --git a/vue/workflows/template/build/Dockerfile.template b/vue/workflows/template/build/Dockerfile.template
index 3ee668d0e..543a9ea11 100644
--- a/vue/workflows/template/build/Dockerfile.template
+++ b/vue/workflows/template/build/Dockerfile.template
@@ -7,8 +7,8 @@ RUN npm install -g npm@11.14.1
 WORKDIR /app
 
 #{ copy_packages }#
-RUN npm install --omit=dev
-# RUN npm install @rollup/rollup-linux-arm64-gnu
+RUN npm ci --omit=dev
+# Native Rollup binaries: optionalDependencies from package-lock.json install for the image OS/arch during npm ci.
 
 #{ copy_src }#