From a6b6c206919610a5a07274fedafb2d7cc9fd3e61 Mon Sep 17 00:00:00 2001
From: Bionic711 <nadoyle@microsoft.com>
Date: Fri, 29 May 2026 19:22:52 -0500
Subject: [PATCH 01/12] init governance

---
 .gitignore                                    |    2 +-
 application/single_app/app.py                 |    4 +
 application/single_app/app_settings_cache.py  |   41 +-
 application/single_app/config.py              |   14 +-
 .../single_app/functions_activity_logging.py  |   64 +
 .../single_app/functions_governance.py        |  643 ++++
 .../single_app/functions_group_actions.py     |    4 +
 .../single_app/functions_group_agents.py      |    4 +
 .../single_app/functions_personal_actions.py  |    2 +
 .../single_app/functions_personal_agents.py   |    2 +
 application/single_app/functions_settings.py  |    9 +
 .../single_app/route_backend_agents.py        |  107 +-
 application/single_app/route_backend_chats.py |   83 +-
 .../single_app/route_backend_governance.py    |  200 ++
 .../single_app/route_backend_groups.py        |    3 +-
 .../single_app/route_backend_models.py        |   70 +-
 .../single_app/route_backend_plugins.py       |   49 +-
 .../route_frontend_admin_settings.py          |   58 +-
 .../single_app/route_frontend_chats.py        |   79 +-
 .../route_frontend_group_workspaces.py        |   16 +-
 .../single_app/route_frontend_workspace.py    |   17 +-
 .../static/js/admin/admin_governance.js       | 2595 +++++++++++++++++
 .../single_app/templates/_sidebar_nav.html    |    5 +
 .../single_app/templates/admin_settings.html  |  175 ++
 .../templates/group_workspaces.html           |   40 +-
 .../single_app/templates/workspace.html       |   34 +-
 .../features/v0.242.001/GOVERNANCE.md         |  372 +++
 ...est_admin_agent_default_model_migration.py |   25 +-
 .../test_governance_activity_logging.py       |  143 +
 .../test_governance_enforcement_logic.py      |  138 +
 ...st_governance_route_and_wiring_coverage.py |  309 ++
 .../test_group_plugin_global_merge_fix.py     |    9 +-
 ...eyvault_plugin_secret_scope_enforcement.py |   39 +-
 ui_tests/test_admin_governance_tab.py         |  213 ++
 ...st_workspace_governance_template_gating.py |   64 +
 35 files changed, 5535 insertions(+), 97 deletions(-)
 create mode 100644 application/single_app/functions_governance.py
 create mode 100644 application/single_app/route_backend_governance.py
 create mode 100644 application/single_app/static/js/admin/admin_governance.js
 create mode 100644 docs/explanation/features/v0.242.001/GOVERNANCE.md
 create mode 100644 functional_tests/test_governance_activity_logging.py
 create mode 100644 functional_tests/test_governance_enforcement_logic.py
 create mode 100644 functional_tests/test_governance_route_and_wiring_coverage.py
 create mode 100644 ui_tests/test_admin_governance_tab.py
 create mode 100644 ui_tests/test_workspace_governance_template_gating.py

diff --git a/.gitignore b/.gitignore
index 05e2a5ac0..7faa6693f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -52,4 +52,4 @@ nul
 /artifacts/tmp
 scripts/agent.json
 scripts/me.json
-.github/instructions/python-venv-path.instructions.md
\ No newline at end of file
+.github/instructions/local.instructions.md
diff --git a/application/single_app/app.py b/application/single_app/app.py
index 422133651..5433d5266 100644
--- a/application/single_app/app.py
+++ b/application/single_app/app.py
@@ -68,6 +68,7 @@
 from route_backend_control_center import *
 from route_backend_notifications import *
 from route_backend_retention_policy import *
+from route_backend_governance import register_route_backend_governance
 from route_backend_plugins import bpap as admin_plugins_bp, bpdp as dynamic_plugins_bp
 from route_backend_agents import bpa as admin_agents_bp
 from route_backend_agent_templates import bp_agent_templates
@@ -934,6 +935,9 @@ def list_semantic_kernel_plugins():
 # ------------------- API Retention Policy Routes --------
 register_route_backend_retention_policy(app)
 
+# ------------------- API Governance Routes --------------
+register_route_backend_governance(app)
+
 # ------------------- API Public Workspaces Routes -------
 register_route_backend_public_workspaces(app)
 
diff --git a/application/single_app/app_settings_cache.py b/application/single_app/app_settings_cache.py
index b9c4a3cc2..711ec0190 100644
--- a/application/single_app/app_settings_cache.py
+++ b/application/single_app/app_settings_cache.py
@@ -19,6 +19,8 @@
 APP_SETTINGS_CACHE = {}
 APP_STREAM_SESSION_METADATA = {}
 APP_STREAM_SESSION_EVENTS = {}
+APP_GOVERNANCE_CACHE_VERSION = 0
+GOVERNANCE_CACHE_VERSION_KEY = 'GOVERNANCE_CACHE_VERSION'
 update_settings_cache = None
 get_settings_cache = None
 initialize_stream_session_cache = None
@@ -27,6 +29,8 @@
 append_stream_session_event = None
 get_stream_session_events = None
 delete_stream_session_cache = None
+get_governance_cache_version = None
+bump_governance_cache_version = None
 app_cache_is_using_redis = False
 _app_cache_lock = threading.Lock()
 
@@ -43,11 +47,22 @@ def _is_expired(entry):
     expires_at = entry.get('expires_at')
     return expires_at is not None and expires_at <= time.time()
 
+
+def _normalize_cache_version(value):
+    if isinstance(value, bytes):
+        value = value.decode('utf-8')
+    try:
+        return int(value or 0)
+    except (TypeError, ValueError):
+        return 0
+
 def configure_app_cache(settings, redis_cache_endpoint=None):
     global _settings, update_settings_cache, get_settings_cache, APP_SETTINGS_CACHE
     global APP_STREAM_SESSION_METADATA, APP_STREAM_SESSION_EVENTS
+    global APP_GOVERNANCE_CACHE_VERSION
     global initialize_stream_session_cache, set_stream_session_meta, get_stream_session_meta
     global append_stream_session_event, get_stream_session_events, delete_stream_session_cache
+    global get_governance_cache_version, bump_governance_cache_version
     global app_cache_is_using_redis
     # Local import to avoid circular dependency: functions_keyvault imports app_settings_cache.
     from functions_appinsights import log_event
@@ -174,6 +189,16 @@ def delete_stream_session_cache_redis(cache_key):
                 get_stream_session_events_key(cache_key),
             )
 
+        def get_governance_cache_version_redis():
+            cached = redis_client.get(GOVERNANCE_CACHE_VERSION_KEY)
+            if cached is None:
+                redis_client.setnx(GOVERNANCE_CACHE_VERSION_KEY, 0)
+                return 0
+            return _normalize_cache_version(cached)
+
+        def bump_governance_cache_version_redis():
+            return _normalize_cache_version(redis_client.incr(GOVERNANCE_CACHE_VERSION_KEY))
+
         update_settings_cache = update_settings_cache_redis
         get_settings_cache = get_settings_cache_redis
         initialize_stream_session_cache = initialize_stream_session_cache_redis
@@ -182,6 +207,8 @@ def delete_stream_session_cache_redis(cache_key):
         append_stream_session_event = append_stream_session_event_redis
         get_stream_session_events = get_stream_session_events_redis
         delete_stream_session_cache = delete_stream_session_cache_redis
+        get_governance_cache_version = get_governance_cache_version_redis
+        bump_governance_cache_version = bump_governance_cache_version_redis
 
     else:
         def update_settings_cache_mem(new_settings):
@@ -258,6 +285,16 @@ def delete_stream_session_cache_mem(cache_key):
                 APP_STREAM_SESSION_METADATA.pop(cache_key, None)
                 APP_STREAM_SESSION_EVENTS.pop(cache_key, None)
 
+        def get_governance_cache_version_mem():
+            with _app_cache_lock:
+                return APP_GOVERNANCE_CACHE_VERSION
+
+        def bump_governance_cache_version_mem():
+            global APP_GOVERNANCE_CACHE_VERSION
+            with _app_cache_lock:
+                APP_GOVERNANCE_CACHE_VERSION += 1
+                return APP_GOVERNANCE_CACHE_VERSION
+
         update_settings_cache = update_settings_cache_mem
         get_settings_cache = get_settings_cache_mem
         initialize_stream_session_cache = initialize_stream_session_cache_mem
@@ -265,4 +302,6 @@ def delete_stream_session_cache_mem(cache_key):
         get_stream_session_meta = get_stream_session_meta_mem
         append_stream_session_event = append_stream_session_event_mem
         get_stream_session_events = get_stream_session_events_mem
-        delete_stream_session_cache = delete_stream_session_cache_mem
\ No newline at end of file
+        delete_stream_session_cache = delete_stream_session_cache_mem
+        get_governance_cache_version = get_governance_cache_version_mem
+        bump_governance_cache_version = bump_governance_cache_version_mem
\ No newline at end of file
diff --git a/application/single_app/config.py b/application/single_app/config.py
index 30cb1b95f..1c168c0d6 100644
--- a/application/single_app/config.py
+++ b/application/single_app/config.py
@@ -94,7 +94,7 @@
 EXECUTOR_TYPE = 'thread'
 EXECUTOR_MAX_WORKERS = 30
 SESSION_TYPE = 'filesystem'
-VERSION = "0.241.007"
+VERSION = "0.242.011"
 
 SECRET_KEY = os.getenv('SECRET_KEY', 'dev-secret-key-change-in-production')
 
@@ -478,6 +478,18 @@ def get_redis_cache_infrastructure_endpoint(redis_hostname: str) -> str:
     partition_key=PartitionKey(path="/id")
 )
 
+cosmos_governance_policies_container_name = "governance_policies"
+cosmos_governance_policies_container = cosmos_database.create_container_if_not_exists(
+    id=cosmos_governance_policies_container_name,
+    partition_key=PartitionKey(path="/id")
+)
+
+cosmos_governance_item_policies_container_name = "governance_item_policies"
+cosmos_governance_item_policies_container = cosmos_database.create_container_if_not_exists(
+    id=cosmos_governance_item_policies_container_name,
+    partition_key=PartitionKey(path="/id")
+)
+
 cosmos_agent_templates_container_name = "agent_templates"
 cosmos_agent_templates_container = cosmos_database.create_container_if_not_exists(
     id=cosmos_agent_templates_container_name,
diff --git a/application/single_app/functions_activity_logging.py b/application/single_app/functions_activity_logging.py
index 92c78dfb8..666f012f5 100644
--- a/application/single_app/functions_activity_logging.py
+++ b/application/single_app/functions_activity_logging.py
@@ -1788,6 +1788,70 @@ def log_general_admin_action(
         debug_print(f"⚠️  Warning: Failed to log admin action: {str(e)}")
 
 
+def log_governance_change(
+    admin_user_id: str,
+    admin_email: str,
+    action: str,
+    scope: str,
+    target_id: str,
+    before_state: Optional[Dict[str, Any]] = None,
+    after_state: Optional[Dict[str, Any]] = None,
+    change_details: Optional[Dict[str, Any]] = None,
+) -> None:
+    """Log governance mutations with detailed before/after payloads."""
+    normalized_admin_user_id = coerce_activity_log_user_id(admin_user_id)
+    timestamp = datetime.utcnow().isoformat()
+    activity_record = {
+        'id': str(uuid.uuid4()),
+        'user_id': normalized_admin_user_id,
+        'activity_type': 'governance',
+        'type': 'governance',
+        'timestamp': timestamp,
+        'created_at': timestamp,
+        'admin': {
+            'user_id': normalized_admin_user_id,
+            'email': admin_email,
+        },
+        'action': action,
+        'workspace_type': 'admin',
+        'workspace_context': {
+            'action': action,
+            'scope': scope,
+            'target_id': target_id,
+        },
+        'governance_change': {
+            'scope': scope,
+            'target_id': target_id,
+            'before': before_state or {},
+            'after': after_state or {},
+            'details': change_details or {},
+        },
+    }
+
+    try:
+        cosmos_activity_logs_container.create_item(body=activity_record)
+        log_event(
+            message=f"Governance change logged: {action} on {scope}/{target_id}",
+            extra=activity_record,
+            level=logging.INFO,
+        )
+        debug_print(f"✅ Governance change logged: {action} on {scope}/{target_id}")
+    except Exception as e:
+        log_event(
+            message=f"Error logging governance change: {str(e)}",
+            extra={
+                'admin_user_id': normalized_admin_user_id,
+                'admin_email': admin_email,
+                'action': action,
+                'scope': scope,
+                'target_id': target_id,
+                'error': str(e),
+            },
+            level=logging.ERROR,
+        )
+        debug_print(f"⚠️  Warning: Failed to log governance change: {str(e)}")
+
+
 # === AGENT & ACTION ACTIVITY LOGGING ===
 def log_agent_creation(
     user_id: str,
diff --git a/application/single_app/functions_governance.py b/application/single_app/functions_governance.py
new file mode 100644
index 000000000..ee8d944fa
--- /dev/null
+++ b/application/single_app/functions_governance.py
@@ -0,0 +1,643 @@
+# functions_governance.py
+
+"""Governance policy helpers for agents, actions, and endpoints."""
+
+from copy import deepcopy
+from datetime import datetime
+from threading import RLock
+from time import monotonic
+from typing import Any, Dict, List, Optional, Set
+
+from flask import g, has_request_context
+
+import app_settings_cache
+from config import cosmos_governance_item_policies_container, cosmos_governance_policies_container
+from functions_activity_logging import log_governance_change
+from functions_group import get_user_groups
+from functions_public_workspaces import get_user_public_workspaces
+from functions_settings import get_settings
+
+
+DEFAULT_FEATURE_POLICIES = {
+    "governance_user_endpoints": "user_endpoints",
+    "governance_group_endpoints": "group_endpoints",
+    "governance_global_endpoints": "global_endpoints",
+    "governance_user_agents": "user_agents",
+    "governance_group_agents": "group_agents",
+    "governance_global_agents_usage": "global_agents_usage",
+    "governance_user_actions": "user_actions",
+    "governance_group_actions": "group_actions",
+    "governance_global_actions_usage": "global_actions_usage",
+}
+
+
+DEFAULT_ITEM_POLICY_ENTITY_TYPES = {
+    "endpoint",
+    "global_agent",
+    "global_action",
+}
+
+
+GOVERNANCE_CACHE_TTL_SECONDS = 60
+_GOVERNANCE_REQUEST_CACHE_ATTR = "simplechat_governance_request_cache"
+_GOVERNANCE_CACHE_MISS = object()
+_governance_cache_lock = RLock()
+_governance_cache_version = 0
+_governance_process_cache: Dict[Any, Dict[str, Any]] = {}
+
+
+def _clone_cache_value(value: Any) -> Any:
+    return deepcopy(value)
+
+
+def _get_request_cache() -> Optional[Dict[Any, Any]]:
+    if not has_request_context():
+        return None
+
+    cache = getattr(g, _GOVERNANCE_REQUEST_CACHE_ATTR, None)
+    if cache is None:
+        cache = {}
+        setattr(g, _GOVERNANCE_REQUEST_CACHE_ATTR, cache)
+    return cache
+
+
+def _get_request_cache_value(cache_key: Any) -> Any:
+    cache = _get_request_cache()
+    if cache is None or cache_key not in cache:
+        return _GOVERNANCE_CACHE_MISS
+    return _clone_cache_value(cache[cache_key])
+
+
+def _set_request_cache_value(cache_key: Any, value: Any) -> None:
+    cache = _get_request_cache()
+    if cache is not None:
+        cache[cache_key] = _clone_cache_value(value)
+
+
+def _get_shared_governance_cache_version() -> int:
+    getter = getattr(app_settings_cache, "get_governance_cache_version", None)
+    if callable(getter):
+        try:
+            return int(getter() or 0)
+        except Exception:
+            return _governance_cache_version
+    return _governance_cache_version
+
+
+def _bump_shared_governance_cache_version() -> int:
+    global _governance_cache_version
+
+    bumper = getattr(app_settings_cache, "bump_governance_cache_version", None)
+    if callable(bumper):
+        try:
+            _governance_cache_version = int(bumper() or 0)
+            return _governance_cache_version
+        except Exception:
+            pass
+
+    _governance_cache_version += 1
+    return _governance_cache_version
+
+
+def _get_process_cache_value(cache_key: Any) -> Any:
+    now = monotonic()
+    current_version = _get_shared_governance_cache_version()
+    with _governance_cache_lock:
+        entry = _governance_process_cache.get(cache_key)
+        if not entry:
+            return _GOVERNANCE_CACHE_MISS
+
+        if entry.get("version") != current_version or entry.get("expires_at", 0) <= now:
+            _governance_process_cache.pop(cache_key, None)
+            return _GOVERNANCE_CACHE_MISS
+
+        return _clone_cache_value(entry.get("value"))
+
+
+def _set_process_cache_value(cache_key: Any, value: Any) -> None:
+    current_version = _get_shared_governance_cache_version()
+    with _governance_cache_lock:
+        _governance_process_cache[cache_key] = {
+            "expires_at": monotonic() + GOVERNANCE_CACHE_TTL_SECONDS,
+            "version": current_version,
+            "value": _clone_cache_value(value),
+        }
+
+
+def _get_request_cached_governance_value(cache_key: Any, loader) -> Any:
+    cached_value = _get_request_cache_value(cache_key)
+    if cached_value is not _GOVERNANCE_CACHE_MISS:
+        return cached_value
+
+    loaded_value = loader()
+    _set_request_cache_value(cache_key, loaded_value)
+    return loaded_value
+
+
+def _get_cached_governance_value(cache_key: Any, loader) -> Any:
+    cached_value = _get_request_cache_value(cache_key)
+    if cached_value is not _GOVERNANCE_CACHE_MISS:
+        return cached_value
+
+    cached_value = _get_process_cache_value(cache_key)
+    if cached_value is not _GOVERNANCE_CACHE_MISS:
+        _set_request_cache_value(cache_key, cached_value)
+        return cached_value
+
+    loaded_value = loader()
+    _set_process_cache_value(cache_key, loaded_value)
+    _set_request_cache_value(cache_key, loaded_value)
+    return loaded_value
+
+
+def invalidate_governance_cache() -> None:
+    _bump_shared_governance_cache_version()
+
+    with _governance_cache_lock:
+        _governance_process_cache.clear()
+
+    request_cache = _get_request_cache()
+    if request_cache is not None:
+        request_cache.clear()
+
+
+def _normalize_str_list(values: Any) -> List[str]:
+    if not isinstance(values, list):
+        return []
+    normalized: List[str] = []
+    seen: Set[str] = set()
+    for value in values:
+        as_str = str(value or "").strip()
+        if not as_str:
+            continue
+        if as_str in seen:
+            continue
+        seen.add(as_str)
+        normalized.append(as_str)
+    return normalized
+
+
+def _extract_group_ids(group_docs: Any) -> List[str]:
+    if not isinstance(group_docs, list):
+        return []
+    group_ids: List[str] = []
+    seen: Set[str] = set()
+    for group_doc in group_docs:
+        group_id = str((group_doc or {}).get("id") or "").strip()
+        if not group_id or group_id in seen:
+            continue
+        seen.add(group_id)
+        group_ids.append(group_id)
+    return group_ids
+
+
+def _extract_workspace_ids(workspace_docs: Any) -> List[str]:
+    if not isinstance(workspace_docs, list):
+        return []
+    workspace_ids: List[str] = []
+    seen: Set[str] = set()
+    for workspace_doc in workspace_docs:
+        workspace_id = str((workspace_doc or {}).get("id") or "").strip()
+        if not workspace_id or workspace_id in seen:
+            continue
+        seen.add(workspace_id)
+        workspace_ids.append(workspace_id)
+    return workspace_ids
+
+
+def _default_feature_policy_doc(feature_key: str) -> Dict[str, Any]:
+    return {
+        "id": f"feature:{feature_key}",
+        "feature_key": feature_key,
+        "allow_all": True,
+        "allowed_users": [],
+        "allowed_groups": [],
+        "updated_at": datetime.utcnow().isoformat(),
+    }
+
+
+def _default_item_policy_doc(entity_type: str, item_id: str) -> Dict[str, Any]:
+    return {
+        "id": f"item:{entity_type}:{item_id}",
+        "entity_type": entity_type,
+        "item_id": item_id,
+        "allow_all": True,
+        "allowed_users": [],
+        "allowed_groups": [],
+        "updated_at": datetime.utcnow().isoformat(),
+    }
+
+
+def _normalize_policy_state(payload: Dict[str, Any]) -> Dict[str, Any]:
+    allow_all = bool(payload.get("allow_all", True))
+    allowed_users = _normalize_str_list(payload.get("allowed_users", []))
+    allowed_groups = _normalize_str_list(payload.get("allowed_groups", []))
+
+    if allow_all and (allowed_users or allowed_groups):
+        allow_all = False
+
+    if allow_all:
+        allowed_users = []
+        allowed_groups = []
+
+    return {
+        "allow_all": allow_all,
+        "allowed_users": allowed_users,
+        "allowed_groups": allowed_groups,
+    }
+
+
+def _read_feature_policy(feature_key: str) -> Dict[str, Any]:
+    try:
+        return _read_stored_feature_policy(feature_key)
+    except Exception:
+        return _default_feature_policy_doc(feature_key)
+
+
+def _read_stored_feature_policy(feature_key: str) -> Dict[str, Any]:
+    policy_id = f"feature:{feature_key}"
+    return cosmos_governance_policies_container.read_item(item=policy_id, partition_key=policy_id)
+
+
+def _read_item_policy(entity_type: str, item_id: str) -> Dict[str, Any]:
+    normalized_item_id = str(item_id or "").strip()
+    if not normalized_item_id:
+        return _default_item_policy_doc(entity_type, normalized_item_id)
+
+    try:
+        return _read_stored_item_policy(entity_type, normalized_item_id)
+    except Exception:
+        return _default_item_policy_doc(entity_type, normalized_item_id)
+
+
+def _read_stored_item_policy(entity_type: str, item_id: str) -> Dict[str, Any]:
+    normalized_item_id = str(item_id or "").strip()
+    policy_id = f"item:{entity_type}:{normalized_item_id}"
+    return cosmos_governance_item_policies_container.read_item(item=policy_id, partition_key=policy_id)
+
+
+def get_feature_policy(feature_key: str) -> Dict[str, Any]:
+    normalized_feature_key = str(feature_key or "").strip()
+
+    def load_policy() -> Dict[str, Any]:
+        policy = dict(_read_feature_policy(normalized_feature_key))
+        normalized = _normalize_policy_state(policy)
+        policy.update(normalized)
+        return policy
+
+    return _get_cached_governance_value(("feature_policy", normalized_feature_key), load_policy)
+
+
+def get_item_policy(entity_type: str, item_id: str) -> Dict[str, Any]:
+    normalized_entity_type = str(entity_type or "").strip()
+    normalized_item_id = str(item_id or "").strip()
+
+    def load_policy() -> Dict[str, Any]:
+        policy = dict(_read_item_policy(normalized_entity_type, normalized_item_id))
+        normalized = _normalize_policy_state(policy)
+        policy.update(normalized)
+        return policy
+
+    return _get_cached_governance_value(
+        ("item_policy", normalized_entity_type, normalized_item_id),
+        load_policy,
+    )
+
+
+def _build_diff(before_doc: Dict[str, Any], after_doc: Dict[str, Any]) -> Dict[str, Any]:
+    before_users = set(_normalize_str_list(before_doc.get("allowed_users", [])))
+    after_users = set(_normalize_str_list(after_doc.get("allowed_users", [])))
+    before_groups = set(_normalize_str_list(before_doc.get("allowed_groups", [])))
+    after_groups = set(_normalize_str_list(after_doc.get("allowed_groups", [])))
+
+    return {
+        "allow_all": {
+            "before": bool(before_doc.get("allow_all", True)),
+            "after": bool(after_doc.get("allow_all", True)),
+        },
+        "users_added": sorted(list(after_users - before_users)),
+        "users_removed": sorted(list(before_users - after_users)),
+        "groups_added": sorted(list(after_groups - before_groups)),
+        "groups_removed": sorted(list(before_groups - after_groups)),
+    }
+
+
+def upsert_feature_policy(
+    feature_key: str,
+    payload: Dict[str, Any],
+    actor_user_id: str,
+    actor_email: str,
+) -> Dict[str, Any]:
+    before_policy = _read_feature_policy(feature_key)
+    policy_id = f"feature:{feature_key}"
+    normalized_payload = _normalize_policy_state(payload)
+    after_policy = {
+        "id": policy_id,
+        "feature_key": feature_key,
+        "allow_all": normalized_payload["allow_all"],
+        "allowed_users": normalized_payload["allowed_users"],
+        "allowed_groups": normalized_payload["allowed_groups"],
+        "updated_by": str(actor_user_id or "").strip(),
+        "updated_at": datetime.utcnow().isoformat(),
+    }
+
+    stored = cosmos_governance_policies_container.upsert_item(body=after_policy)
+    invalidate_governance_cache()
+
+    log_governance_change(
+        admin_user_id=str(actor_user_id or "").strip(),
+        admin_email=str(actor_email or "").strip(),
+        action="feature_policy_upsert",
+        scope="feature",
+        target_id=feature_key,
+        before_state=before_policy,
+        after_state=stored,
+        change_details=_build_diff(before_policy, stored),
+    )
+
+    return stored
+
+
+def upsert_item_policy(
+    entity_type: str,
+    item_id: str,
+    payload: Dict[str, Any],
+    actor_user_id: str,
+    actor_email: str,
+) -> Dict[str, Any]:
+    normalized_item_id = str(item_id or "").strip()
+    before_policy = _read_item_policy(entity_type, normalized_item_id)
+    policy_id = f"item:{entity_type}:{normalized_item_id}"
+    normalized_payload = _normalize_policy_state(payload)
+
+    after_policy = {
+        "id": policy_id,
+        "entity_type": str(entity_type or "").strip(),
+        "item_id": normalized_item_id,
+        "allow_all": normalized_payload["allow_all"],
+        "allowed_users": normalized_payload["allowed_users"],
+        "allowed_groups": normalized_payload["allowed_groups"],
+        "updated_by": str(actor_user_id or "").strip(),
+        "updated_at": datetime.utcnow().isoformat(),
+    }
+
+    stored = cosmos_governance_item_policies_container.upsert_item(body=after_policy)
+    invalidate_governance_cache()
+
+    log_governance_change(
+        admin_user_id=str(actor_user_id or "").strip(),
+        admin_email=str(actor_email or "").strip(),
+        action="item_policy_upsert",
+        scope=entity_type,
+        target_id=normalized_item_id,
+        before_state=before_policy,
+        after_state=stored,
+        change_details=_build_diff(before_policy, stored),
+    )
+
+    return stored
+
+
+def delete_item_policy(
+    entity_type: str,
+    item_id: str,
+    actor_user_id: str,
+    actor_email: str,
+) -> Dict[str, Any]:
+    normalized_entity_type = str(entity_type or "").strip()
+    normalized_item_id = str(item_id or "").strip()
+    policy_id = f"item:{normalized_entity_type}:{normalized_item_id}"
+    before_policy = _read_stored_item_policy(normalized_entity_type, normalized_item_id)
+
+    cosmos_governance_item_policies_container.delete_item(
+        item=policy_id,
+        partition_key=policy_id,
+    )
+    invalidate_governance_cache()
+
+    after_policy = _default_item_policy_doc(normalized_entity_type, normalized_item_id)
+    log_governance_change(
+        admin_user_id=str(actor_user_id or "").strip(),
+        admin_email=str(actor_email or "").strip(),
+        action="item_policy_delete",
+        scope=normalized_entity_type,
+        target_id=normalized_item_id,
+        before_state=before_policy,
+        after_state=after_policy,
+        change_details=_build_diff(before_policy, after_policy),
+    )
+
+    return before_policy
+
+
+def list_feature_policies() -> List[Dict[str, Any]]:
+    query = "SELECT * FROM c"
+    rows = list(cosmos_governance_policies_container.query_items(query=query, enable_cross_partition_query=True))
+
+    rows_by_feature_key = {
+        str(row.get("feature_key") or "").strip(): row
+        for row in rows
+        if isinstance(row, dict) and str(row.get("feature_key") or "").strip()
+    }
+
+    normalized_rows = []
+    seen_feature_keys = set()
+
+    for feature_key in DEFAULT_FEATURE_POLICIES.keys():
+        row = rows_by_feature_key.get(feature_key) or _default_feature_policy_doc(feature_key)
+        normalized_row = dict(row)
+        normalized_row["allowed_users"] = _normalize_str_list(normalized_row.get("allowed_users", []))
+        normalized_row["allowed_groups"] = _normalize_str_list(normalized_row.get("allowed_groups", []))
+        normalized_row["allow_all"] = bool(normalized_row.get("allow_all", True))
+        normalized_rows.append(normalized_row)
+
+        seen_feature_keys.add(feature_key)
+
+    for row in rows:
+        feature_key = str((row or {}).get("feature_key") or "").strip()
+        if not feature_key or feature_key in seen_feature_keys:
+            continue
+        normalized_row = dict(row)
+        normalized_row["allowed_users"] = _normalize_str_list(normalized_row.get("allowed_users", []))
+        normalized_row["allowed_groups"] = _normalize_str_list(normalized_row.get("allowed_groups", []))
+        normalized_row["allow_all"] = bool(normalized_row.get("allow_all", True))
+        normalized_rows.append(normalized_row)
+        seen_feature_keys.add(feature_key)
+
+    return sorted(normalized_rows, key=lambda item: str(item.get("feature_key") or ""))
+
+
+def list_item_policies(entity_type: Optional[str] = None) -> List[Dict[str, Any]]:
+    if entity_type:
+        query = "SELECT * FROM c WHERE c.entity_type = @entity_type"
+        parameters = [{"name": "@entity_type", "value": entity_type}]
+        rows = list(
+            cosmos_governance_item_policies_container.query_items(
+                query=query,
+                parameters=parameters,
+                enable_cross_partition_query=True,
+            )
+        )
+    else:
+        query = "SELECT * FROM c"
+        rows = list(
+            cosmos_governance_item_policies_container.query_items(
+                query=query,
+                enable_cross_partition_query=True,
+            )
+        )
+
+    normalized_rows = []
+    for row in rows:
+        normalized_row = dict(row)
+        normalized_row.update(_normalize_policy_state(normalized_row))
+        normalized_rows.append(normalized_row)
+    return sorted(
+        normalized_rows,
+        key=lambda item: (str(item.get("entity_type") or ""), str(item.get("item_id") or "")),
+    )
+
+
+def get_user_governance_group_ids(user_id: str) -> Set[str]:
+    normalized_user_id = str(user_id or "").strip()
+    if not normalized_user_id:
+        return set()
+
+    def load_group_ids() -> Set[str]:
+        group_ids = set()
+
+        try:
+            user_groups = get_user_groups(normalized_user_id)
+            group_ids.update(_extract_group_ids(user_groups))
+        except Exception:
+            pass
+
+        try:
+            user_workspaces = get_user_public_workspaces(normalized_user_id)
+            group_ids.update(_extract_workspace_ids(user_workspaces))
+        except Exception:
+            pass
+
+        return group_ids
+
+    return _get_cached_governance_value(("user_governance_group_ids", normalized_user_id), load_group_ids)
+
+
+def _passes_policy(policy: Dict[str, Any], user_id: str, group_ids: Set[str]) -> bool:
+    if bool(policy.get("allow_all", True)):
+        return True
+
+    allowed_users = set(_normalize_str_list(policy.get("allowed_users", [])))
+    allowed_groups = set(_normalize_str_list(policy.get("allowed_groups", [])))
+
+    if not allowed_users and not allowed_groups:
+        return True
+
+    normalized_user_id = str(user_id or "").strip()
+    if normalized_user_id and normalized_user_id in allowed_users:
+        return True
+
+    if group_ids.intersection(allowed_groups):
+        return True
+
+    return False
+
+
+def ensure_governance_access(
+    feature_key: str,
+    user_id: str,
+    item_entity_type: Optional[str] = None,
+    item_id: Optional[str] = None,
+) -> None:
+    normalized_feature_key = str(feature_key or "").strip()
+    normalized_user_id = str(user_id or "").strip()
+    normalized_item_entity_type = str(item_entity_type or "").strip()
+    normalized_item_id = str(item_id or "").strip()
+    decision_key = (
+        "governance_access_decision",
+        normalized_feature_key,
+        normalized_user_id,
+        normalized_item_entity_type,
+        normalized_item_id,
+    )
+
+    cached_decision = _get_request_cache_value(decision_key)
+    if cached_decision is True:
+        return
+
+    settings = _get_request_cached_governance_value(("settings",), get_settings)
+    if not bool((settings or {}).get(normalized_feature_key, False)):
+        _set_request_cache_value(decision_key, True)
+        return
+
+    user_group_ids = get_user_governance_group_ids(normalized_user_id)
+
+    feature_policy = get_feature_policy(normalized_feature_key)
+    if not _passes_policy(feature_policy, normalized_user_id, user_group_ids):
+        raise PermissionError(f"Governance policy blocks access for feature '{feature_key}'.")
+
+    if normalized_item_entity_type and normalized_item_id:
+        item_policy = get_item_policy(normalized_item_entity_type, normalized_item_id)
+        if not _passes_policy(item_policy, normalized_user_id, user_group_ids):
+            raise PermissionError(
+                f"Governance policy blocks access to {item_entity_type} '{item_id}'."
+            )
+
+    _set_request_cache_value(decision_key, True)
+
+
+def is_governance_access_allowed(
+    feature_key: str,
+    user_id: str,
+    item_entity_type: Optional[str] = None,
+    item_id: Optional[str] = None,
+) -> bool:
+    try:
+        ensure_governance_access(feature_key, user_id, item_entity_type, item_id)
+        return True
+    except PermissionError:
+        return False
+
+
+def filter_governed_model_endpoints(
+    user_id: str,
+    endpoints: Any,
+    feature_key: str,
+) -> List[Dict[str, Any]]:
+    if not is_governance_access_allowed(feature_key, user_id):
+        return []
+
+    governed_endpoints = []
+    for endpoint in endpoints or []:
+        if not isinstance(endpoint, dict):
+            continue
+
+        endpoint_id = str(endpoint.get("id") or "").strip()
+        if endpoint_id and not is_governance_access_allowed(
+            feature_key,
+            user_id,
+            item_entity_type="endpoint",
+            item_id=endpoint_id,
+        ):
+            continue
+
+        governed_endpoints.append(endpoint)
+
+    return governed_endpoints
+
+
+def bootstrap_default_feature_policies() -> None:
+    created_defaults = False
+    for feature_key in DEFAULT_FEATURE_POLICIES.keys():
+        try:
+            _read_stored_feature_policy(feature_key)
+            continue
+        except Exception:
+            pass
+
+        default_policy = _default_feature_policy_doc(feature_key)
+        cosmos_governance_policies_container.upsert_item(body=default_policy)
+        created_defaults = True
+
+    if created_defaults:
+        invalidate_governance_cache()
diff --git a/application/single_app/functions_group_actions.py b/application/single_app/functions_group_actions.py
index 450d34e59..7ed0685b1 100644
--- a/application/single_app/functions_group_actions.py
+++ b/application/single_app/functions_group_actions.py
@@ -17,6 +17,7 @@
     keyvault_plugin_get_helper,
     keyvault_plugin_save_helper,
 )
+from functions_governance import ensure_governance_access
 
 
 _NAME_PATTERN = re.compile(r"^[A-Za-z0-9_-]+$")
@@ -84,6 +85,9 @@ def get_group_action(
 
 def save_group_action(group_id: str, action_data: Dict[str, Any], user_id: Optional[str] = None) -> Dict[str, Any]:
     """Create or update a group action entry."""
+    if user_id:
+        ensure_governance_access('governance_group_actions', user_id)
+
     payload = dict(action_data)
     action_id = payload.get("id") or str(uuid.uuid4())
 
diff --git a/application/single_app/functions_group_agents.py b/application/single_app/functions_group_agents.py
index ae79309bc..ec8216e35 100644
--- a/application/single_app/functions_group_agents.py
+++ b/application/single_app/functions_group_agents.py
@@ -17,6 +17,7 @@
     keyvault_agent_save_helper,
 )
 from functions_agent_payload import sanitize_agent_payload
+from functions_governance import ensure_governance_access
 
 
 _NAME_PATTERN = re.compile(r"^[A-Za-z0-9_-]+$")
@@ -65,6 +66,9 @@ def get_group_agent(group_id: str, agent_id: str) -> Optional[Dict[str, Any]]:
 
 def save_group_agent(group_id: str, agent_data: Dict[str, Any], user_id: Optional[str] = None) -> Dict[str, Any]:
     """Create or update a group agent entry."""
+    if user_id:
+        ensure_governance_access('governance_group_agents', user_id)
+
     payload = sanitize_agent_payload(agent_data)
     agent_id = payload.get("id") or str(uuid.uuid4())
     payload["id"] = agent_id
diff --git a/application/single_app/functions_personal_actions.py b/application/single_app/functions_personal_actions.py
index 56d5e36fb..e67ca889d 100644
--- a/application/single_app/functions_personal_actions.py
+++ b/application/single_app/functions_personal_actions.py
@@ -16,6 +16,7 @@
 from functions_debug import debug_print
 from config import cosmos_personal_actions_container
 import logging
+from functions_governance import ensure_governance_access
 
 def get_personal_actions(user_id, return_type=SecretReturnType.TRIGGER):
     """
@@ -107,6 +108,7 @@ def save_personal_action(user_id, action_data):
         dict: Saved action data with ID
     """
     try:
+        ensure_governance_access('governance_user_actions', user_id)
         # Check if an action with this name already exists
         existing_action = None
         if action_data.get('id'):
diff --git a/application/single_app/functions_personal_agents.py b/application/single_app/functions_personal_agents.py
index d6720d103..63fc38528 100644
--- a/application/single_app/functions_personal_agents.py
+++ b/application/single_app/functions_personal_agents.py
@@ -20,6 +20,7 @@
 from functions_keyvault import keyvault_agent_save_helper, keyvault_agent_get_helper, keyvault_agent_delete_helper
 from functions_agent_payload import sanitize_agent_payload
 from functions_debug import debug_print
+from functions_governance import ensure_governance_access
 
 def get_personal_agents(user_id):
     """
@@ -118,6 +119,7 @@ def save_personal_agent(user_id, agent_data, actor_user_id=None):
         dict: Saved agent data with ID
     """
     try:
+        ensure_governance_access('governance_user_agents', user_id)
         modifying_user_id = actor_user_id or user_id
         cleaned_agent = sanitize_agent_payload(agent_data)
         for field in ['name', 'display_name', 'description', 'instructions']:
diff --git a/application/single_app/functions_settings.py b/application/single_app/functions_settings.py
index 0091d0a38..3bbc5cc34 100644
--- a/application/single_app/functions_settings.py
+++ b/application/single_app/functions_settings.py
@@ -105,6 +105,15 @@ def get_settings(use_cosmos=False, include_source=False):
         'allow_group_agents': False,
         'allow_group_custom_endpoints': False,
         'allow_group_custom_agent_endpoints': False,
+        'governance_user_endpoints': False,
+        'governance_group_endpoints': False,
+        'governance_global_endpoints': False,
+        'governance_user_agents': False,
+        'governance_group_agents': False,
+        'governance_global_agents_usage': False,
+        'governance_user_actions': False,
+        'governance_group_actions': False,
+        'governance_global_actions_usage': False,
         'allow_ai_foundry_agents': False,
         'allow_group_ai_foundry_agents': False,
         'allow_personal_ai_foundry_agents': False,
diff --git a/application/single_app/route_backend_agents.py b/application/single_app/route_backend_agents.py
index 561f1d181..db32c00ba 100644
--- a/application/single_app/route_backend_agents.py
+++ b/application/single_app/route_backend_agents.py
@@ -42,10 +42,29 @@
     log_agent_deletion,
     log_general_admin_action,
 )
+from functions_governance import ensure_governance_access, upsert_item_policy
 
 bpa = Blueprint('admin_agents', __name__)
 
 
+def _is_agent_allowed_for_user_selection(user_id, agent):
+    try:
+        if agent.get('is_global'):
+            ensure_governance_access(
+                'governance_global_agents_usage',
+                user_id,
+                item_entity_type='global_agent',
+                item_id=str(agent.get('id') or agent.get('name') or ''),
+            )
+        elif agent.get('is_group'):
+            ensure_governance_access('governance_group_agents', user_id)
+        else:
+            ensure_governance_access('governance_user_agents', user_id)
+        return True
+    except PermissionError:
+        return False
+
+
 def _build_user_selectable_agents(user_id, requested_agent=None):
     """Build the set of agents the current user is allowed to select."""
     settings = get_settings()
@@ -545,6 +564,8 @@ def get_user_agents():
         agent['is_group'] = False
         agent.setdefault('agent_type', 'local')
 
+    agents = [agent for agent in agents if _is_agent_allowed_for_user_selection(user_id, agent)]
+
     # Check global/merge toggles
     per_user = settings.get('per_user_semantic_kernel', False)
     merge_global = settings.get('merge_global_semantic_kernel_with_workspace', False)
@@ -556,6 +577,8 @@ def get_user_agents():
             agent['is_global'] = True
             agent['is_group'] = False
             agent.setdefault('agent_type', 'local')
+
+        global_agents = [agent for agent in global_agents if _is_agent_allowed_for_user_selection(user_id, agent)]
         
         # Merge agents using ID as key to avoid name conflicts
         # This allows both personal and global agents with same name to coexist
@@ -626,6 +649,11 @@ def set_user_agents():
     current_agent_names = set(agent['name'] for agent in current_agents)
     
     # Save new/updated agents to personal_agents container
+    try:
+        ensure_governance_access('governance_user_agents', user_id)
+    except PermissionError as exc:
+        return jsonify({'error': str(exc)}), 403
+
     for agent in filtered_agents:
         save_personal_agent(user_id, agent)
     
@@ -714,6 +742,12 @@ def get_group_agents_route():
         return jsonify({'error': str(exc)}), 403
 
     agents = get_group_agents(active_group)
+    for agent in agents:
+        if isinstance(agent, dict):
+            agent['is_global'] = False
+            agent['is_group'] = True
+            agent['group_id'] = active_group
+    agents = [agent for agent in agents if isinstance(agent, dict) and _is_agent_allowed_for_user_selection(user_id, agent)]
     return jsonify({'agents': agents}), 200
 
 
@@ -789,6 +823,8 @@ def create_group_agent_route():
 
     try:
         saved = save_group_agent(active_group, cleaned_payload, user_id=user_id)
+    except PermissionError as exc:
+        return jsonify({'error': str(exc)}), 403
     except Exception as exc:
         debug_print('Failed to save group agent: %s', exc)
         return jsonify({'error': 'Unable to save agent'}), 500
@@ -858,6 +894,8 @@ def update_group_agent_route(agent_id):
 
     try:
         saved = save_group_agent(active_group, cleaned_payload, user_id=user_id)
+    except PermissionError as exc:
+        return jsonify({'error': str(exc)}), 403
     except Exception as exc:
         debug_print('Failed to update group agent %s: %s', agent_id, exc)
         return jsonify({'error': 'Unable to update agent'}), 500
@@ -917,6 +955,21 @@ def set_user_selected_agent():
     if not matched_agent:
         return jsonify({'error': 'Selected agent is not available for this user or scope.'}), 400
 
+    try:
+        if matched_agent.get('is_global'):
+            ensure_governance_access(
+                'governance_global_agents_usage',
+                user_id,
+                item_entity_type='global_agent',
+                item_id=str(matched_agent.get('id') or matched_agent.get('name') or ''),
+            )
+        elif matched_agent.get('is_group'):
+            ensure_governance_access('governance_group_agents', user_id)
+        else:
+            ensure_governance_access('governance_user_agents', user_id)
+    except PermissionError as exc:
+        return jsonify({'error': str(exc)}), 403
+
     user_settings = get_user_settings(user_id)
     settings_to_update = user_settings.get('settings', {})
     agent_name = (matched_agent.get('name') or '').strip()
@@ -1201,6 +1254,8 @@ def add_agent():
         except AgentPayloadError as exc:
             log_event("Add agent failed: payload error", level=logging.WARNING, extra={"action": "add", "error": str(exc)})
             return jsonify({'error': str(exc)}), 400
+
+        governance_policy_payload = cleaned_agent.pop('governance_policy', None)
         cleaned_agent['is_global'] = True
         cleaned_agent['is_group'] = False
         validation_error = validate_agent(cleaned_agent)
@@ -1224,6 +1279,15 @@ def add_agent():
         if not result:
             return jsonify({'error': 'Failed to save agent.'}), 500
 
+        if isinstance(governance_policy_payload, dict):
+            upsert_item_policy(
+                entity_type='global_agent',
+                item_id=str(cleaned_agent.get('id') or ''),
+                payload=governance_policy_payload,
+                actor_user_id=str(get_current_user_id() or ''),
+                actor_email=str((session.get('user') or {}).get('email') or ''),
+            )
+
         log_agent_creation(user_id=str(get_current_user_id()), agent_id=cleaned_agent.get('id', ''), agent_name=cleaned_agent.get('name', ''), agent_display_name=cleaned_agent.get('display_name', ''), scope='global')
         log_event("Agent added", extra={"action": "add", "agent": {k: v for k, v in cleaned_agent.items() if k != 'id'}, "user": str(get_current_user_id())})
         # --- HOT RELOAD TRIGGER ---
@@ -1307,6 +1371,8 @@ def edit_agent(agent_name):
         except AgentPayloadError as exc:
             log_event("Edit agent failed: payload error", level=logging.WARNING, extra={"action": "edit", "agent_name": agent_name, "error": str(exc)})
             return jsonify({'error': str(exc)}), 400
+
+        governance_policy_payload = cleaned_agent.pop('governance_policy', None)
         cleaned_agent['is_global'] = True
         cleaned_agent['is_group'] = False
         validation_error = validate_agent(cleaned_agent)
@@ -1336,6 +1402,15 @@ def edit_agent(agent_name):
         if not result:
             return jsonify({'error': 'Failed to save agent.'}), 500
 
+        if isinstance(governance_policy_payload, dict):
+            upsert_item_policy(
+                entity_type='global_agent',
+                item_id=str(cleaned_agent.get('id') or ''),
+                payload=governance_policy_payload,
+                actor_user_id=str(get_current_user_id() or ''),
+                actor_email=str((session.get('user') or {}).get('email') or ''),
+            )
+
         log_agent_update(user_id=str(get_current_user_id()), agent_id=cleaned_agent.get('id', ''), agent_name=agent_name, agent_display_name=cleaned_agent.get('display_name', ''), scope='global')
         log_event(
             f"Agent {agent_name} edited",
@@ -1457,20 +1532,28 @@ def build_combined_model_endpoints(settings, user_id=None, group_id=None):
 
     if group_id:
         if allow_group_custom_endpoints:
-            group_endpoints = get_group_model_endpoints(group_id)
-            for endpoint in group_endpoints:
-                enriched = dict(endpoint)
-                enriched["scope"] = "group"
-                enriched["group_id"] = group_id
-                endpoints.append(enriched)
+            try:
+                ensure_governance_access("governance_group_endpoints", user_id)
+                group_endpoints = get_group_model_endpoints(group_id)
+                for endpoint in group_endpoints:
+                    enriched = dict(endpoint)
+                    enriched["scope"] = "group"
+                    enriched["group_id"] = group_id
+                    endpoints.append(enriched)
+            except PermissionError:
+                pass
     elif user_id:
         if allow_user_custom_endpoints:
-            user_settings = get_user_settings(user_id)
-            personal = user_settings.get("settings", {}).get("personal_model_endpoints", [])
-            for endpoint in personal:
-                enriched = dict(endpoint)
-                enriched["scope"] = "user"
-                endpoints.append(enriched)
+            try:
+                ensure_governance_access("governance_user_endpoints", user_id)
+                user_settings = get_user_settings(user_id)
+                personal = user_settings.get("settings", {}).get("personal_model_endpoints", [])
+                for endpoint in personal:
+                    enriched = dict(endpoint)
+                    enriched["scope"] = "user"
+                    endpoints.append(enriched)
+            except PermissionError:
+                pass
 
     return sanitize_model_endpoints_for_frontend(endpoints)
 
diff --git a/application/single_app/route_backend_chats.py b/application/single_app/route_backend_chats.py
index 4d31db45f..6f67da267 100644
--- a/application/single_app/route_backend_chats.py
+++ b/application/single_app/route_backend_chats.py
@@ -39,6 +39,7 @@
 from functions_conversation_metadata import collect_conversation_metadata, update_conversation_with_metadata
 from functions_conversation_unread import mark_conversation_unread
 from functions_debug import debug_print
+from functions_governance import ensure_governance_access
 from functions_notifications import create_chat_response_notification
 from functions_activity_logging import log_chat_activity, log_conversation_creation, log_token_usage
 from flask import current_app
@@ -5819,41 +5820,63 @@ def get_streaming_model_endpoint_candidates(settings, user_id, active_group_ids=
     user_settings = user_settings_doc.get('settings', {}) if isinstance(user_settings_doc, dict) else {}
 
     if settings.get('allow_user_custom_endpoints', False):
-        personal_endpoints, _ = normalize_model_endpoints(user_settings.get('personal_model_endpoints', []) or [])
-        endpoints.extend([
-            {**endpoint, '_endpoint_scope': 'user'}
-            for endpoint in personal_endpoints
-            if isinstance(endpoint, dict)
-        ])
+        try:
+            ensure_governance_access('governance_user_endpoints', user_id)
+            personal_endpoints, _ = normalize_model_endpoints(user_settings.get('personal_model_endpoints', []) or [])
+            endpoints.extend([
+                {**endpoint, '_endpoint_scope': 'user'}
+                for endpoint in personal_endpoints
+                if isinstance(endpoint, dict)
+            ])
+        except PermissionError:
+            debug_print('[Streaming][Model Resolution] User endpoint governance policy denied access to personal endpoints.')
 
     if settings.get('allow_group_custom_endpoints', False):
-        seen_group_ids = set()
-        for group_id in active_group_ids:
-            group_key = str(group_id or '').strip()
-            if not group_key or group_key in seen_group_ids:
-                continue
-            seen_group_ids.add(group_key)
+        try:
+            ensure_governance_access('governance_group_endpoints', user_id)
+            seen_group_ids = set()
+            for group_id in active_group_ids:
+                group_key = str(group_id or '').strip()
+                if not group_key or group_key in seen_group_ids:
+                    continue
+                seen_group_ids.add(group_key)
 
-            try:
-                group_endpoints, _ = normalize_model_endpoints(get_group_model_endpoints(group_key) or [])
-            except Exception as group_error:
-                debug_print(
-                    f"[Streaming][Model Resolution] Failed to load group endpoints for group_id={group_key}: {group_error}"
-                )
-                continue
+                try:
+                    group_endpoints, _ = normalize_model_endpoints(get_group_model_endpoints(group_key) or [])
+                except Exception as group_error:
+                    debug_print(
+                        f"[Streaming][Model Resolution] Failed to load group endpoints for group_id={group_key}: {group_error}"
+                    )
+                    continue
 
-            endpoints.extend([
-                {**endpoint, '_endpoint_scope': 'group'}
-                for endpoint in group_endpoints
-                if isinstance(endpoint, dict)
-            ])
+                endpoints.extend([
+                    {**endpoint, '_endpoint_scope': 'group'}
+                    for endpoint in group_endpoints
+                    if isinstance(endpoint, dict)
+                ])
+        except PermissionError:
+            debug_print('[Streaming][Model Resolution] Group endpoint governance policy denied access to group endpoints.')
 
-    global_endpoints, _ = normalize_model_endpoints(settings.get('model_endpoints', []) or [])
-    endpoints.extend([
-        {**endpoint, '_endpoint_scope': 'global'}
-        for endpoint in global_endpoints
-        if isinstance(endpoint, dict)
-    ])
+    try:
+        ensure_governance_access('governance_global_endpoints', user_id)
+        global_endpoints, _ = normalize_model_endpoints(settings.get('model_endpoints', []) or [])
+        for endpoint in global_endpoints:
+            if not isinstance(endpoint, dict):
+                continue
+            endpoint_id = str(endpoint.get('id') or '').strip()
+            if endpoint_id:
+                try:
+                    ensure_governance_access(
+                        'governance_global_endpoints',
+                        user_id,
+                        item_entity_type='endpoint',
+                        item_id=endpoint_id,
+                    )
+                except PermissionError:
+                    continue
+            endpoints.append({**endpoint, '_endpoint_scope': 'global'})
+    except PermissionError:
+        debug_print('[Streaming][Model Resolution] Global endpoint governance policy denied access to global endpoints.')
 
     return endpoints
 
diff --git a/application/single_app/route_backend_governance.py b/application/single_app/route_backend_governance.py
new file mode 100644
index 000000000..61cf2b690
--- /dev/null
+++ b/application/single_app/route_backend_governance.py
@@ -0,0 +1,200 @@
+# route_backend_governance.py
+
+"""Admin API routes for governance policy management."""
+
+from flask import jsonify, request, session
+
+from functions_authentication import admin_required, get_current_user_id, login_required
+from functions_governance import (
+    DEFAULT_FEATURE_POLICIES,
+    bootstrap_default_feature_policies,
+    delete_item_policy,
+    list_feature_policies,
+    list_item_policies,
+    upsert_feature_policy,
+    upsert_item_policy,
+)
+from swagger_wrapper import get_auth_security, swagger_route
+
+
+DEFAULT_GOVERNANCE_REVIEW_PAGE_SIZE = 25
+MAX_GOVERNANCE_REVIEW_PAGE_SIZE = 100
+
+
+def _normalize_actor_email() -> str:
+    user = session.get("user") if isinstance(session.get("user"), dict) else {}
+    return str(user.get("email") or "").strip()
+
+
+def _sanitize_policy_payload(payload):
+    if not isinstance(payload, dict):
+        return {
+            "allow_all": True,
+            "allowed_users": [],
+            "allowed_groups": [],
+        }
+
+    allowed_users = payload.get("allowed_users", [])
+    if not isinstance(allowed_users, list):
+        allowed_users = []
+
+    allowed_groups = payload.get("allowed_groups", [])
+    if not isinstance(allowed_groups, list):
+        allowed_groups = []
+
+    return {
+        "allow_all": bool(payload.get("allow_all", True)),
+        "allowed_users": allowed_users,
+        "allowed_groups": allowed_groups,
+    }
+
+
+def _normalize_review_pagination(args):
+    try:
+        page = int(str(args.get("page") or "1").strip())
+    except (TypeError, ValueError):
+        page = 1
+
+    try:
+        per_page = int(str(args.get("per_page") or str(DEFAULT_GOVERNANCE_REVIEW_PAGE_SIZE)).strip())
+    except (TypeError, ValueError):
+        per_page = DEFAULT_GOVERNANCE_REVIEW_PAGE_SIZE
+
+    page = max(page, 1)
+    per_page = max(1, min(per_page, MAX_GOVERNANCE_REVIEW_PAGE_SIZE))
+    return page, per_page
+
+
+def _build_item_policy_search_haystack(policy):
+    return " ".join([
+        str(policy.get("entity_type") or ""),
+        str(policy.get("item_id") or ""),
+        str(policy.get("allow_all") or ""),
+        " ".join(str(value or "") for value in policy.get("allowed_users", []) if value),
+        " ".join(str(value or "") for value in policy.get("allowed_groups", []) if value),
+    ]).lower()
+
+
+def register_route_backend_governance(app):
+    @app.route('/api/admin/governance/policies', methods=['GET'])
+    @swagger_route(security=get_auth_security())
+    @login_required
+    @admin_required
+    def get_governance_policies_route():
+        bootstrap_default_feature_policies()
+        return jsonify({
+            'features': list_feature_policies(),
+            'feature_keys': list(DEFAULT_FEATURE_POLICIES.keys()),
+        }), 200
+
+    @app.route('/api/admin/governance/policies/<feature_key>', methods=['PUT'])
+    @swagger_route(security=get_auth_security())
+    @login_required
+    @admin_required
+    def update_governance_feature_policy_route(feature_key):
+        if feature_key not in DEFAULT_FEATURE_POLICIES:
+            return jsonify({'error': f"Unknown feature policy: {feature_key}"}), 400
+
+        payload = _sanitize_policy_payload(request.get_json(silent=True) or {})
+        actor_user_id = str(get_current_user_id() or '').strip()
+        actor_email = _normalize_actor_email()
+
+        updated = upsert_feature_policy(
+            feature_key=feature_key,
+            payload=payload,
+            actor_user_id=actor_user_id,
+            actor_email=actor_email,
+        )
+        return jsonify({'policy': updated}), 200
+
+    @app.route('/api/admin/governance/item-policies/<entity_type>/<item_id>', methods=['DELETE'])
+    @swagger_route(security=get_auth_security())
+    @login_required
+    @admin_required
+    def delete_governance_item_policy_route(entity_type, item_id):
+        normalized_entity_type = str(entity_type or '').strip().lower()
+        normalized_item_id = str(item_id or '').strip()
+        if not normalized_entity_type or not normalized_item_id:
+            return jsonify({'error': 'entity_type and item_id are required.'}), 400
+
+        actor_user_id = str(get_current_user_id() or '').strip()
+        actor_email = _normalize_actor_email()
+
+        try:
+            deleted = delete_item_policy(
+                entity_type=normalized_entity_type,
+                item_id=normalized_item_id,
+                actor_user_id=actor_user_id,
+                actor_email=actor_email,
+            )
+        except Exception:
+            return jsonify({'error': 'Item governance policy not found.'}), 404
+
+        return jsonify({'deleted': deleted}), 200
+
+    @app.route('/api/admin/governance/item-policies', methods=['GET'])
+    @swagger_route(security=get_auth_security())
+    @login_required
+    @admin_required
+    def get_governance_item_policies_route():
+        entity_type = str(request.args.get('entity_type') or '').strip() or None
+        return jsonify({'item_policies': list_item_policies(entity_type=entity_type)}), 200
+
+    @app.route('/api/admin/governance/item-policies/review', methods=['GET'])
+    @swagger_route(security=get_auth_security())
+    @login_required
+    @admin_required
+    def review_governance_item_policies_route():
+        entity_type = str(request.args.get('entity_type') or '').strip().lower() or None
+        search = str(request.args.get('search') or '').strip().lower()
+        page, per_page = _normalize_review_pagination(request.args)
+
+        policies = list_item_policies(entity_type=entity_type)
+        if search:
+            policies = [
+                policy for policy in policies
+                if search in _build_item_policy_search_haystack(policy)
+            ]
+
+        total_items = len(policies)
+        total_pages = (total_items + per_page - 1) // per_page if total_items else 1
+        page = min(page, total_pages)
+        offset = (page - 1) * per_page
+        paged_policies = policies[offset:offset + per_page]
+
+        return jsonify({
+            'item_policies': paged_policies,
+            'pagination': {
+                'page': page,
+                'per_page': per_page,
+                'total_items': total_items,
+                'total_pages': total_pages,
+                'has_prev': page > 1,
+                'has_next': page < total_pages,
+            },
+            'search': search,
+            'entity_type': entity_type,
+        }), 200
+
+    @app.route('/api/admin/governance/item-policies/<entity_type>/<item_id>', methods=['PUT'])
+    @swagger_route(security=get_auth_security())
+    @login_required
+    @admin_required
+    def update_governance_item_policy_route(entity_type, item_id):
+        normalized_entity_type = str(entity_type or '').strip().lower()
+        normalized_item_id = str(item_id or '').strip()
+        if not normalized_entity_type or not normalized_item_id:
+            return jsonify({'error': 'entity_type and item_id are required.'}), 400
+
+        payload = _sanitize_policy_payload(request.get_json(silent=True) or {})
+        actor_user_id = str(get_current_user_id() or '').strip()
+        actor_email = _normalize_actor_email()
+
+        updated = upsert_item_policy(
+            entity_type=normalized_entity_type,
+            item_id=normalized_item_id,
+            payload=payload,
+            actor_user_id=actor_user_id,
+            actor_email=actor_email,
+        )
+        return jsonify({'policy': updated}), 200
diff --git a/application/single_app/route_backend_groups.py b/application/single_app/route_backend_groups.py
index 9186e4ce4..705e301ef 100644
--- a/application/single_app/route_backend_groups.py
+++ b/application/single_app/route_backend_groups.py
@@ -41,9 +41,10 @@ def discover_groups():
         for g in all_items:
             name = g.get("name", "").lower()
             desc = g.get("description", "").lower()
+            group_id = str(g.get("id", "")).lower()
 
             if search_query:
-                if search_query not in name and search_query not in desc:
+                if search_query not in name and search_query not in desc and search_query not in group_id:
                     continue
 
             if not show_all:
diff --git a/application/single_app/route_backend_models.py b/application/single_app/route_backend_models.py
index c047b5b00..a34178d49 100644
--- a/application/single_app/route_backend_models.py
+++ b/application/single_app/route_backend_models.py
@@ -4,6 +4,7 @@
 
 from config import *
 from functions_authentication import *
+from functions_governance import ensure_governance_access
 from functions_group import assert_group_role, get_group_model_endpoints, require_active_group, update_group_model_endpoints
 from functions_keyvault import SecretReturnType, keyvault_model_endpoint_cleanup_helper, keyvault_model_endpoint_delete_helper, keyvault_model_endpoint_get_helper, keyvault_model_endpoint_save_helper
 from functions_settings import *
@@ -81,20 +82,60 @@ def build_group_access_error_response(user_id, exception, resource_name):
     def resolve_scoped_model_endpoints(user_id, scope):
         settings = get_settings()
         endpoints = []
+
+        def get_governed_endpoints(candidate_endpoints, feature_key, endpoint_scope):
+            try:
+                ensure_governance_access(feature_key, user_id)
+            except PermissionError:
+                return []
+
+            governed_endpoints = []
+            for endpoint in candidate_endpoints or []:
+                if not isinstance(endpoint, dict):
+                    continue
+                endpoint_id = str(endpoint.get("id") or "").strip()
+                if endpoint_id:
+                    try:
+                        ensure_governance_access(
+                            feature_key,
+                            user_id,
+                            item_entity_type="endpoint",
+                            item_id=endpoint_id,
+                        )
+                    except PermissionError:
+                        continue
+                governed_endpoint = dict(endpoint)
+                governed_endpoint["_governance_endpoint_scope"] = endpoint_scope
+                governed_endpoints.append(governed_endpoint)
+            return governed_endpoints
+
         if scope == "group":
             if settings.get("allow_group_custom_endpoints", False):
                 group_id = require_active_group(user_id)
-                endpoints.extend(get_group_model_endpoints(group_id))
+                endpoints.extend(get_governed_endpoints(get_group_model_endpoints(group_id), "governance_group_endpoints", "group"))
         elif scope == "user":
             if settings.get("allow_user_custom_endpoints", False):
                 user_settings = get_user_settings(user_id)
-                endpoints.extend(user_settings.get("settings", {}).get("personal_model_endpoints", []))
-        endpoints.extend(settings.get("model_endpoints", []) or [])
+                endpoints.extend(get_governed_endpoints(user_settings.get("settings", {}).get("personal_model_endpoints", []), "governance_user_endpoints", "user"))
+        endpoints.extend(get_governed_endpoints(settings.get("model_endpoints", []) or [], "governance_global_endpoints", "global"))
         return endpoints
 
     def resolve_endpoint_by_id(user_id, scope, endpoint_id):
         endpoints = resolve_scoped_model_endpoints(user_id, scope)
-        return next((endpoint for endpoint in endpoints if endpoint.get("id") == endpoint_id), None)
+        endpoint = next((endpoint for endpoint in endpoints if endpoint.get("id") == endpoint_id), None)
+        if endpoint:
+            endpoint = dict(endpoint)
+            endpoint_scope = endpoint.pop("_governance_endpoint_scope", scope)
+            feature_key = "governance_global_endpoints"
+            if endpoint_scope in ("user", "group"):
+                feature_key = f"governance_{endpoint_scope}_endpoints"
+            ensure_governance_access(
+                feature_key,
+                user_id,
+                item_entity_type="endpoint",
+                item_id=endpoint_id,
+            )
+        return endpoint
 
     def resolve_endpoint_scope_value(endpoint_cfg, fallback_endpoint_id=""):
         endpoint_id = (fallback_endpoint_id or endpoint_cfg.get("id") or "").strip()
@@ -709,6 +750,9 @@ def test_model_inference_connection():
                 level=logging.WARNING,
             )
             return build_safe_error_response("The selected model endpoint could not be found.", 404)
+        except PermissionError as e:
+            log_models_exception("Test connection blocked by governance policy", e, level=logging.WARNING)
+            return build_safe_error_response(str(e), 403)
         except ValueError as e:
             log_models_exception("Test connection validation failed", e, level=logging.WARNING)
             return build_safe_error_response(
@@ -739,6 +783,10 @@ def fetch_model_list():
     @enabled_required('allow_user_custom_endpoints')
     def get_user_model_endpoints():
         user_id = get_current_user_id()
+        try:
+            ensure_governance_access("governance_user_endpoints", user_id)
+        except PermissionError as exc:
+            return jsonify({"error": str(exc)}), 403
         user_settings = get_user_settings(user_id)
         endpoints = user_settings.get("settings", {}).get("personal_model_endpoints", [])
         return jsonify({
@@ -753,6 +801,10 @@ def get_user_model_endpoints():
     @enabled_required('allow_user_custom_endpoints')
     def save_user_model_endpoints():
         user_id = get_current_user_id()
+        try:
+            ensure_governance_access("governance_user_endpoints", user_id)
+        except PermissionError as exc:
+            return jsonify({"error": str(exc)}), 403
         data = request.get_json() or {}
         incoming = data.get("endpoints", [])
         if not isinstance(incoming, list):
@@ -817,6 +869,7 @@ def save_user_model_endpoints():
     def get_group_model_endpoints_route():
         user_id = get_current_user_id()
         try:
+            ensure_governance_access("governance_group_endpoints", user_id)
             group_id = require_active_group(user_id)
             assert_group_role(
                 user_id,
@@ -843,6 +896,10 @@ def get_group_model_endpoints_route():
     @enabled_required('allow_group_custom_endpoints')
     def save_group_model_endpoints():
         user_id = get_current_user_id()
+        try:
+            ensure_governance_access("governance_group_endpoints", user_id)
+        except PermissionError as exc:
+            return jsonify({"error": str(exc)}), 403
         data = request.get_json() or {}
         incoming = data.get("endpoints", [])
         if not isinstance(incoming, list):
@@ -932,7 +989,10 @@ def list_foundry_agents():
             except PermissionError as exc:
                 return build_group_access_error_response(user_id, exc, "group Foundry agents")
 
-        endpoint_cfg = resolve_endpoint_by_id(user_id, scope, endpoint_id)
+        try:
+            endpoint_cfg = resolve_endpoint_by_id(user_id, scope, endpoint_id)
+        except PermissionError as exc:
+            return jsonify({"error": str(exc)}), 403
         if not endpoint_cfg:
             return jsonify({"error": "Model endpoint not found."}), 404
         endpoint_cfg = keyvault_model_endpoint_get_helper(
diff --git a/application/single_app/route_backend_plugins.py b/application/single_app/route_backend_plugins.py
index b60f81894..4db01ae21 100644
--- a/application/single_app/route_backend_plugins.py
+++ b/application/single_app/route_backend_plugins.py
@@ -3,7 +3,7 @@
 import re
 import builtins
 import json
-from flask import Blueprint, jsonify, request, current_app
+from flask import Blueprint, jsonify, request, current_app, session
 from semantic_kernel_plugins.plugin_loader import get_all_plugin_metadata
 from semantic_kernel_plugins.plugin_health_checker import PluginHealthChecker, PluginErrorRecovery
 from functions_settings import get_settings, is_tabular_processing_enabled, update_settings
@@ -44,6 +44,7 @@
     log_action_update,
     log_action_deletion,
 )
+from functions_governance import ensure_governance_access, upsert_item_policy
 
 def discover_plugin_types():
     # Dynamically discover allowed plugin types from available plugin classes.
@@ -308,8 +309,21 @@ def get_user_plugins():
     if merge_global:
         # Import and get global actions from container
         global_plugins = get_global_actions()
-        # Mark global plugins
+        filtered_global_plugins = []
         for plugin in global_plugins:
+            try:
+                ensure_governance_access(
+                    'governance_global_actions_usage',
+                    user_id,
+                    item_entity_type='global_action',
+                    item_id=str(plugin.get('id') or plugin.get('name') or ''),
+                )
+            except PermissionError:
+                continue
+            filtered_global_plugins.append(plugin)
+
+        # Mark global plugins
+        for plugin in filtered_global_plugins:
             plugin['is_global'] = True
         
         # Merge plugins using ID as key to avoid name conflicts
@@ -322,7 +336,7 @@ def get_user_plugins():
             all_plugins[key] = plugin
             
         # Add global plugins
-        for plugin in global_plugins:
+        for plugin in filtered_global_plugins:
             key = f"global_{plugin.get('id', plugin['name'])}"
             all_plugins[key] = plugin
             
@@ -336,6 +350,11 @@ def get_user_plugins():
 @enabled_required("allow_user_plugins")
 def set_user_plugins():
     user_id = get_current_user_id()
+    try:
+        ensure_governance_access('governance_user_actions', user_id)
+    except PermissionError as exc:
+        return jsonify({'error': str(exc)}), 403
+
     plugins = request.json if isinstance(request.json, list) else []
     
     # Get global plugin names (case-insensitive)
@@ -581,6 +600,8 @@ def create_group_action_route():
 
     try:
         saved = save_group_action(active_group, payload, user_id=user_id)
+    except PermissionError as exc:
+        return jsonify({'error': str(exc)}), 403
     except Exception as exc:
         debug_print('Failed to save group action: %s', exc)
         return jsonify({'error': 'Unable to save action'}), 500
@@ -650,6 +671,8 @@ def update_group_action_route(action_id):
 
     try:
         saved = save_group_action(active_group, merged, user_id=user_id)
+    except PermissionError as exc:
+        return jsonify({'error': str(exc)}), 403
     except Exception as exc:
         debug_print('Failed to update group action %s: %s', action_id, exc)
         return jsonify({'error': 'Unable to update action'}), 500
@@ -819,9 +842,19 @@ def add_plugin():
         # Assign a unique ID
         plugin_id = str(uuid.uuid4())
         new_plugin['id'] = plugin_id
+        governance_policy_payload = new_plugin.pop('governance_policy', None)
         
         # Save to global actions container
         save_global_action(new_plugin, user_id=str(get_current_user_id()))
+
+        if isinstance(governance_policy_payload, dict):
+            upsert_item_policy(
+                entity_type='global_action',
+                item_id=plugin_id,
+                payload=governance_policy_payload,
+                actor_user_id=str(get_current_user_id() or ''),
+                actor_email=str((session.get('user') or {}).get('email') or ''),
+            )
         
         log_action_creation(user_id=str(get_current_user_id()), action_id=plugin_id, action_name=new_plugin.get('name', ''), action_type=new_plugin.get('type', ''), scope='global')
         log_event("Plugin added", extra={"action": "add", "plugin": _redact_plugin_for_logging(new_plugin), "user": str(get_current_user_id())})
@@ -841,6 +874,7 @@ def edit_plugin(plugin_name):
     try:
         plugins = get_global_actions()
         updated_plugin = request.json
+        governance_policy_payload = updated_plugin.pop('governance_policy', None) if isinstance(updated_plugin, dict) else None
         
         # Strict validation with dynamic allowed types
         allowed_types = discover_plugin_types()
@@ -889,6 +923,15 @@ def edit_plugin(plugin_name):
                 updated_plugin['id'] = str(uuid.uuid4())
             
             save_global_action(updated_plugin, user_id=str(get_current_user_id()))
+
+            if isinstance(governance_policy_payload, dict):
+                upsert_item_policy(
+                    entity_type='global_action',
+                    item_id=str(updated_plugin.get('id') or ''),
+                    payload=governance_policy_payload,
+                    actor_user_id=str(get_current_user_id() or ''),
+                    actor_email=str((session.get('user') or {}).get('email') or ''),
+                )
             
             log_action_update(user_id=str(get_current_user_id()), action_id=updated_plugin.get('id', ''), action_name=plugin_name, action_type=updated_plugin.get('type', ''), scope='global')
             log_event("Plugin edited", extra={"action": "edit", "plugin": _redact_plugin_for_logging(updated_plugin), "user": str(get_current_user_id())})
diff --git a/application/single_app/route_frontend_admin_settings.py b/application/single_app/route_frontend_admin_settings.py
index 435134c65..cd7860bec 100644
--- a/application/single_app/route_frontend_admin_settings.py
+++ b/application/single_app/route_frontend_admin_settings.py
@@ -5,7 +5,7 @@
 from functions_authentication import *
 from functions_keyvault import keyvault_model_endpoint_cleanup_helper, keyvault_model_endpoint_delete_helper, keyvault_model_endpoint_save_helper, redact_model_endpoint_secret_values
 from functions_settings import *
-from functions_activity_logging import log_web_search_consent_acceptance, log_general_admin_action
+from functions_activity_logging import log_web_search_consent_acceptance, log_general_admin_action, log_governance_change
 from functions_notifications import broadcast_system_notification
 from functions_logging import *
 from swagger_wrapper import swagger_route, get_auth_security
@@ -1112,6 +1112,15 @@ def is_valid_url(url):
                 'enable_agent_template_gallery': form_data.get('enable_agent_template_gallery') == 'on',
                 'agent_templates_allow_user_submission': form_data.get('agent_templates_allow_user_submission') == 'on',
                 'agent_templates_require_approval': form_data.get('agent_templates_require_approval') == 'on',
+                'governance_user_endpoints': form_data.get('governance_user_endpoints') == 'on',
+                'governance_group_endpoints': form_data.get('governance_group_endpoints') == 'on',
+                'governance_global_endpoints': form_data.get('governance_global_endpoints') == 'on',
+                'governance_user_agents': form_data.get('governance_user_agents') == 'on',
+                'governance_group_agents': form_data.get('governance_group_agents') == 'on',
+                'governance_global_agents_usage': form_data.get('governance_global_agents_usage') == 'on',
+                'governance_user_actions': form_data.get('governance_user_actions') == 'on',
+                'governance_group_actions': form_data.get('governance_group_actions') == 'on',
+                'governance_global_actions_usage': form_data.get('governance_global_actions_usage') == 'on',
 
                 # GPT (Direct & APIM)
                 'enable_gpt_apim': form_data.get('enable_gpt_apim') == 'on',
@@ -1621,6 +1630,27 @@ def is_valid_url(url):
                     flash(f"Error processing favicon file: {e}. Existing favicon preserved.", "danger")
                     log_event(f"Error processing favicon file: {e}", level=logging.ERROR)
 
+            governance_toggle_keys = [
+                'governance_user_endpoints',
+                'governance_group_endpoints',
+                'governance_global_endpoints',
+                'governance_user_agents',
+                'governance_group_agents',
+                'governance_global_agents_usage',
+                'governance_user_actions',
+                'governance_group_actions',
+                'governance_global_actions_usage',
+            ]
+            governance_toggle_changes = {}
+            for toggle_key in governance_toggle_keys:
+                before_value = bool(settings.get(toggle_key, False))
+                after_value = bool(new_settings.get(toggle_key, False))
+                if before_value != after_value:
+                    governance_toggle_changes[toggle_key] = {
+                        'before': before_value,
+                        'after': after_value,
+                    }
+
             # --- Update settings in DB ---
             # new_settings now contains either the new logo/favicon base64 or the original ones
             if update_settings(new_settings):
@@ -1638,6 +1668,32 @@ def is_valid_url(url):
                 else:
                     print("ERROR: Could not fetch settings after update to ensure logo/favicon files.")
 
+                if governance_toggle_changes:
+                    try:
+                        log_governance_change(
+                            admin_user_id=user_id,
+                            admin_email=admin_email,
+                            action='governance_feature_toggles_updated',
+                            scope='feature_policy',
+                            target_id='governance_feature_toggles',
+                            before_state={
+                                key: bool(settings.get(key, False))
+                                for key in governance_toggle_keys
+                            },
+                            after_state={
+                                key: bool(new_settings.get(key, False))
+                                for key in governance_toggle_keys
+                            },
+                            change_details={
+                                'changed_toggles': governance_toggle_changes
+                            },
+                        )
+                    except Exception as governance_log_error:
+                        log_event(
+                            f"Failed to log governance toggle change: {governance_log_error}",
+                            level=logging.ERROR,
+                        )
+
                 if chunk_size_changed:
                     try:
                         log_general_admin_action(
diff --git a/application/single_app/route_frontend_chats.py b/application/single_app/route_frontend_chats.py
index 2679f57b4..d1b1e66c2 100644
--- a/application/single_app/route_frontend_chats.py
+++ b/application/single_app/route_frontend_chats.py
@@ -9,6 +9,7 @@
 from functions_group import find_group_by_id, get_group_model_endpoints, get_user_groups
 from functions_group_agents import get_group_agents
 from functions_global_agents import get_global_agents
+from functions_governance import ensure_governance_access
 from functions_personal_agents import ensure_migration_complete, get_personal_agents
 from functions_prompts import list_all_prompts_for_scope
 from functions_public_workspaces import find_public_workspace_by_id, get_user_visible_public_workspace_ids_from_settings
@@ -46,6 +47,49 @@ def _normalize_chat_model_value(value):
     return str(value or '').strip()
 
 
+def _is_chat_agent_allowed_by_governance(user_id, agent, scope_type):
+    try:
+        if scope_type == 'global':
+            ensure_governance_access(
+                'governance_global_agents_usage',
+                user_id,
+                item_entity_type='global_agent',
+                item_id=str(agent.get('id') or agent.get('name') or ''),
+            )
+        elif scope_type == 'group':
+            ensure_governance_access('governance_group_agents', user_id)
+        else:
+            ensure_governance_access('governance_user_agents', user_id)
+        return True
+    except PermissionError:
+        return False
+
+
+def _filter_chat_model_endpoints_by_governance(user_id, endpoints, feature_key):
+    try:
+        ensure_governance_access(feature_key, user_id)
+    except PermissionError:
+        return []
+
+    allowed_endpoints = []
+    for endpoint in endpoints or []:
+        if not isinstance(endpoint, dict):
+            continue
+        endpoint_id = str(endpoint.get('id') or '').strip()
+        if endpoint_id:
+            try:
+                ensure_governance_access(
+                    feature_key,
+                    user_id,
+                    item_entity_type='endpoint',
+                    item_id=endpoint_id,
+                )
+            except PermissionError:
+                continue
+        allowed_endpoints.append(endpoint)
+    return allowed_endpoints
+
+
 def _build_initial_chat_model_selection(*, chat_model_options, preferred_model_id=None, preferred_model_deployment=None):
     scope_order = {
         'global': 0,
@@ -165,11 +209,16 @@ def append_models(endpoints, scope_type, scope_id=None, scope_name=None):
                     'scope_name': scope_name,
                 })
 
-    append_models(settings.get('model_endpoints', []) or [], 'global', None, 'Global')
+    append_models(
+        _filter_chat_model_endpoints_by_governance(user_id, settings.get('model_endpoints', []) or [], 'governance_global_endpoints'),
+        'global',
+        None,
+        'Global'
+    )
 
     if settings.get('allow_user_custom_endpoints', False):
         append_models(
-            user_settings_dict.get('personal_model_endpoints', []) or [],
+            _filter_chat_model_endpoints_by_governance(user_id, user_settings_dict.get('personal_model_endpoints', []) or [], 'governance_user_endpoints'),
             'personal',
             user_id,
             'Personal'
@@ -181,7 +230,7 @@ def append_models(endpoints, scope_type, scope_id=None, scope_name=None):
             if not group_id:
                 continue
             append_models(
-                get_group_model_endpoints(group_id),
+                _filter_chat_model_endpoints_by_governance(user_id, get_group_model_endpoints(group_id), 'governance_group_endpoints'),
                 'group',
                 group_id,
                 group_doc.get('name', 'Unnamed Group')
@@ -280,7 +329,8 @@ def chats():
 
         multi_endpoint_models = []
         if enable_multi_model_endpoints:
-            endpoints = public_settings.get("model_endpoints", []) or []
+            endpoints = _filter_chat_model_endpoints_by_governance(user_id, settings.get("model_endpoints", []) or [], 'governance_global_endpoints')
+            endpoints = sanitize_model_endpoints_for_frontend(endpoints)
             for endpoint in endpoints:
                 if not endpoint.get("enabled", True):
                     continue
@@ -326,12 +376,14 @@ def chats():
             if settings.get('allow_user_agents', False):
                 ensure_migration_complete(user_id)
                 for agent in get_personal_agents(user_id):
-                    chat_agent_options.append(_serialize_chat_agent_option(agent))
+                    if _is_chat_agent_allowed_by_governance(user_id, agent, 'personal'):
+                        chat_agent_options.append(_serialize_chat_agent_option(agent))
 
             merge_global = settings.get('per_user_semantic_kernel', False) and settings.get('merge_global_semantic_kernel_with_workspace', False)
             if merge_global:
                 for agent in get_global_agents():
-                    chat_agent_options.append(_serialize_chat_agent_option(agent, is_global=True))
+                    if _is_chat_agent_allowed_by_governance(user_id, agent, 'global'):
+                        chat_agent_options.append(_serialize_chat_agent_option(agent, is_global=True))
 
             if settings.get('enable_group_workspaces', False) and settings.get('allow_group_agents', False):
                 for group_doc in user_groups_raw:
@@ -340,14 +392,15 @@ def chats():
                         continue
                     group_name = group_doc.get('name', 'Unnamed Group')
                     for agent in get_group_agents(group_id):
-                        chat_agent_options.append(
-                            _serialize_chat_agent_option(
-                                agent,
-                                is_group=True,
-                                group_id=group_id,
-                                group_name=group_name,
+                        if _is_chat_agent_allowed_by_governance(user_id, agent, 'group'):
+                            chat_agent_options.append(
+                                _serialize_chat_agent_option(
+                                    agent,
+                                    is_group=True,
+                                    group_id=group_id,
+                                    group_name=group_name,
+                                )
                             )
-                        )
         except Exception as e:
             logger.warning(f"Failed to load chat agent options: {e}")
 
diff --git a/application/single_app/route_frontend_group_workspaces.py b/application/single_app/route_frontend_group_workspaces.py
index 6e3186f62..27b661853 100644
--- a/application/single_app/route_frontend_group_workspaces.py
+++ b/application/single_app/route_frontend_group_workspaces.py
@@ -3,6 +3,7 @@
 from config import *
 from functions_authentication import *
 from functions_group import get_group_model_endpoints, require_active_group, update_active_group_for_user
+from functions_governance import filter_governed_model_endpoints, is_governance_access_allowed
 from functions_settings import *
 from swagger_wrapper import swagger_route, get_auth_security
 
@@ -57,11 +58,19 @@ def group_workspaces():
         ))
         allowed_extensions_str = "Allowed: " + ", ".join(allowed_extensions)
 
+        workspace_governance = {
+            "group_agents": is_governance_access_allowed("governance_group_agents", user_id),
+            "group_actions": is_governance_access_allowed("governance_group_actions", user_id),
+            "group_endpoints": is_governance_access_allowed("governance_group_endpoints", user_id),
+            "global_endpoints": is_governance_access_allowed("governance_global_endpoints", user_id),
+        }
+
+        group_endpoints = get_group_model_endpoints(active_group_id) if active_group_id else []
         group_model_endpoints = sanitize_model_endpoints_for_frontend(
-            get_group_model_endpoints(active_group_id) if active_group_id else []
+            filter_governed_model_endpoints(user_id, group_endpoints, "governance_group_endpoints")
         )
         global_model_endpoints = sanitize_model_endpoints_for_frontend(
-            settings.get("model_endpoints", [])
+            filter_governed_model_endpoints(user_id, settings.get("model_endpoints", []), "governance_global_endpoints")
         )
 
         # Build allowed extensions string
@@ -87,7 +96,8 @@ def group_workspaces():
             legacy_docs_count=legacy_count,
             allowed_extensions=allowed_extensions_str,
             group_model_endpoints=group_model_endpoints,
-            global_model_endpoints=global_model_endpoints
+            global_model_endpoints=global_model_endpoints,
+            workspace_governance=workspace_governance
         )
 
     @app.route('/set_active_group', methods=['POST'])
diff --git a/application/single_app/route_frontend_workspace.py b/application/single_app/route_frontend_workspace.py
index 98ccb65af..4bab89a42 100644
--- a/application/single_app/route_frontend_workspace.py
+++ b/application/single_app/route_frontend_workspace.py
@@ -2,6 +2,7 @@
 
 from config import *
 from functions_authentication import *
+from functions_governance import filter_governed_model_endpoints, is_governance_access_allowed
 from functions_settings import *
 from swagger_wrapper import swagger_route, get_auth_security
 
@@ -51,10 +52,19 @@ def workspace():
         ))
         allowed_extensions_str = "Allowed: " + ", ".join(allowed_extensions)
         
+        workspace_governance = {
+            "user_agents": is_governance_access_allowed("governance_user_agents", user_id),
+            "user_actions": is_governance_access_allowed("governance_user_actions", user_id),
+            "user_endpoints": is_governance_access_allowed("governance_user_endpoints", user_id),
+            "global_endpoints": is_governance_access_allowed("governance_global_endpoints", user_id),
+        }
+
         personal_endpoints = user_settings.get("settings", {}).get("personal_model_endpoints", [])
-        personal_model_endpoints = sanitize_model_endpoints_for_frontend(personal_endpoints)
+        personal_model_endpoints = sanitize_model_endpoints_for_frontend(
+            filter_governed_model_endpoints(user_id, personal_endpoints, "governance_user_endpoints")
+        )
         global_model_endpoints = sanitize_model_endpoints_for_frontend(
-            settings.get("model_endpoints", [])
+            filter_governed_model_endpoints(user_id, settings.get("model_endpoints", []), "governance_global_endpoints")
         )
 
         return render_template(
@@ -68,7 +78,8 @@ def workspace():
             legacy_docs_count=legacy_count,
             allowed_extensions=allowed_extensions_str,
             personal_model_endpoints=personal_model_endpoints,
-            global_model_endpoints=global_model_endpoints
+            global_model_endpoints=global_model_endpoints,
+            workspace_governance=workspace_governance
         )
 
     
\ No newline at end of file
diff --git a/application/single_app/static/js/admin/admin_governance.js b/application/single_app/static/js/admin/admin_governance.js
new file mode 100644
index 000000000..49a0ee7a6
--- /dev/null
+++ b/application/single_app/static/js/admin/admin_governance.js
@@ -0,0 +1,2595 @@
+// admin_governance.js
+
+const GOVERNANCE_FEATURE_LABELS = {
+    governance_user_endpoints: 'User Endpoints',
+    governance_group_endpoints: 'Group Endpoints',
+    governance_global_endpoints: 'Global Endpoints',
+    governance_user_agents: 'User Agents',
+    governance_group_agents: 'Group Agents',
+    governance_global_agents_usage: 'Global Agent Usage',
+    governance_user_actions: 'User Actions',
+    governance_group_actions: 'Group Actions',
+    governance_global_actions_usage: 'Global Action Usage',
+};
+
+const GOVERNANCE_ITEM_ENTITY_LABELS = {
+    endpoint: 'Endpoint',
+    global_agent: 'Global Agent',
+    global_action: 'Global Action',
+};
+
+const GOVERNANCE_ITEM_LOOKUP_HINTS = {
+    endpoint: 'Select an endpoint configured in Admin Settings.',
+    global_agent: 'Select a global agent available for delegation.',
+    global_action: 'Select a global action available for delegation.',
+};
+
+const GOVERNANCE_ALLOWLIST_PAGE_SIZE_DEFAULT = 50;
+const GOVERNANCE_ALLOWLIST_PAGE_SIZES = [10, 25, 50, 100];
+const GOVERNANCE_ALLOWLIST_TRUNCATE_ID_LENGTH = 35;
+
+const GOVERNANCE_ITEM_REVIEW_DEFAULT_PAGE_SIZE = 25;
+
+const governanceItemReviewState = {
+    search: '',
+    entityType: '',
+    page: 1,
+    perPage: GOVERNANCE_ITEM_REVIEW_DEFAULT_PAGE_SIZE,
+};
+
+let governanceItemReviewModal = null;
+let governanceAllowListEditorModal = null;
+let governanceAllowListEditorContext = null;
+let governanceItemPolicyDeleteModal = null;
+let governanceItemPolicyDeleteContext = null;
+const governanceItemLookupState = {
+    endpoint: [],
+    global_agent: [],
+    global_action: [],
+};
+
+const governanceAllowListSelectionViewState = {
+    users: {
+        search: '',
+        page: 1,
+        pageSize: GOVERNANCE_ALLOWLIST_PAGE_SIZE_DEFAULT,
+    },
+    groups: {
+        search: '',
+        page: 1,
+        pageSize: GOVERNANCE_ALLOWLIST_PAGE_SIZE_DEFAULT,
+    },
+};
+
+const governanceAllowListDisplayNameCache = {
+    users: {},
+    groups: {},
+};
+
+const governanceAllowListHydrationState = {
+    users: new Set(),
+    groups: new Set(),
+};
+
+function escapeHtml(value) {
+    return String(value ?? '')
+        .replace(/&/g, '&amp;')
+        .replace(/</g, '&lt;')
+        .replace(/>/g, '&gt;')
+        .replace(/"/g, '&quot;')
+        .replace(/'/g, '&#39;');
+}
+
+function splitPrincipalList(value) {
+    if (!value) {
+        return [];
+    }
+
+    return String(value)
+        .split(',')
+        .map((item) => item.trim())
+        .filter((item) => item.length > 0);
+}
+
+function joinPrincipalList(values) {
+    if (!Array.isArray(values) || values.length === 0) {
+        return '';
+    }
+
+    return values.join(', ');
+}
+
+function parseCsvPrincipalLines(csvText) {
+    if (!csvText) {
+        return [];
+    }
+
+    return String(csvText)
+        .split(/\r?\n/)
+        .flatMap((line) => line.split(','))
+        .map((value) => value.trim())
+        .filter((value) => value.length > 0);
+}
+
+function uniquePrincipalList(values) {
+    return Array.from(new Set((Array.isArray(values) ? values : []).map((value) => String(value || '').trim()).filter((value) => value)));
+}
+
+function buildAllowListSummary(users, groups) {
+    const usersCount = Array.isArray(users) ? users.length : 0;
+    const groupsCount = Array.isArray(groups) ? groups.length : 0;
+    if (usersCount === 0 && groupsCount === 0) {
+        return 'No explicit users or groups configured';
+    }
+    return `${usersCount} user${usersCount === 1 ? '' : 's'}, ${groupsCount} group${groupsCount === 1 ? '' : 's'}`;
+}
+
+function getGovernanceUsersInputForFeatureRow(row) {
+    return row?.querySelector('.governance-allowed-users') || null;
+}
+
+function getGovernanceGroupsInputForFeatureRow(row) {
+    return row?.querySelector('.governance-allowed-groups') || null;
+}
+
+function getGovernanceFeatureAllowAllInput(row) {
+    return row?.querySelector('.governance-allow-all') || null;
+}
+
+function getItemAllowAllInput() {
+    return document.getElementById('governance-item-allow-all');
+}
+
+function getItemUsersInput() {
+    return document.getElementById('governance-item-users');
+}
+
+function getItemGroupsInput() {
+    return document.getElementById('governance-item-groups');
+}
+
+function getItemEntityTypeInput() {
+    return document.getElementById('governance-item-entity-type');
+}
+
+function getItemIdInput() {
+    return document.getElementById('governance-item-id');
+}
+
+function setGovernanceItemLookupStatus(message, level = 'muted') {
+    const status = document.getElementById('governance-item-id-status');
+    if (!status) {
+        return;
+    }
+
+    status.classList.remove('text-muted', 'text-success', 'text-warning', 'text-danger');
+    const className = {
+        muted: 'text-muted',
+        success: 'text-success',
+        warning: 'text-warning',
+        danger: 'text-danger',
+    }[level] || 'text-muted';
+    status.classList.add(className);
+    status.textContent = message || '';
+}
+
+function normalizeGovernanceLookupOption(option, fallbackLabelPrefix) {
+    const value = String(option?.value || option?.id || '').trim();
+    if (!value) {
+        return null;
+    }
+
+    const label = String(option?.label || option?.name || option?.display_name || `${fallbackLabelPrefix} ${value}`).trim();
+    const subtitle = String(option?.subtitle || option?.description || '').trim();
+    return {
+        value,
+        label,
+        subtitle,
+    };
+}
+
+function buildGovernanceItemLookupOption(option) {
+    const label = option.subtitle ? `${option.label} (${option.subtitle})` : option.label;
+    const element = document.createElement('option');
+    element.value = option.value;
+    element.textContent = label;
+    return element;
+}
+
+function getAdminEndpointLookupOptionsFromWindow() {
+    const fromWindow = Array.isArray(window.modelEndpoints) ? window.modelEndpoints : [];
+    const fromHiddenInputRaw = document.getElementById('model_endpoints_json')?.value || '[]';
+
+    let fromHiddenInput = [];
+    try {
+        const parsed = JSON.parse(fromHiddenInputRaw);
+        fromHiddenInput = Array.isArray(parsed) ? parsed : [];
+    } catch (error) {
+        fromHiddenInput = [];
+    }
+
+    const merged = [...fromWindow, ...fromHiddenInput];
+    return merged
+        .map((endpoint) => normalizeGovernanceLookupOption({
+            value: endpoint?.id,
+            label: endpoint?.name || endpoint?.id,
+            subtitle: endpoint?.connection?.endpoint || endpoint?.endpoint || '',
+        }, 'Endpoint'))
+        .filter((endpoint) => endpoint !== null)
+        .filter((endpoint, index, arr) => arr.findIndex((candidate) => candidate.value === endpoint.value) === index);
+}
+
+async function fetchAdminGlobalAgentLookupOptions() {
+    const response = await fetch('/api/admin/agents', {
+        method: 'GET',
+        headers: {
+            Accept: 'application/json',
+        },
+    });
+
+    if (!response.ok) {
+        throw new Error('Unable to load global agents lookup.');
+    }
+
+    const payload = await response.json();
+    return (Array.isArray(payload) ? payload : [])
+        .map((agent) => normalizeGovernanceLookupOption({
+            value: agent?.id,
+            label: agent?.display_name || agent?.name || agent?.id,
+            subtitle: agent?.name && agent?.display_name && agent?.display_name !== agent?.name ? agent?.name : '',
+        }, 'Agent'))
+        .filter((option) => option !== null);
+}
+
+async function fetchAdminGlobalActionLookupOptions() {
+    const response = await fetch('/api/admin/plugins', {
+        method: 'GET',
+        headers: {
+            Accept: 'application/json',
+        },
+    });
+
+    if (!response.ok) {
+        throw new Error('Unable to load global actions lookup.');
+    }
+
+    const payload = await response.json();
+    return (Array.isArray(payload) ? payload : [])
+        .map((action) => normalizeGovernanceLookupOption({
+            value: action?.id,
+            label: action?.name || action?.id,
+            subtitle: action?.type || '',
+        }, 'Action'))
+        .filter((option) => option !== null);
+}
+
+async function loadGovernanceItemLookup(entityType, forceReload = false) {
+    const normalizedEntityType = String(entityType || '').trim();
+    if (!normalizedEntityType) {
+        return [];
+    }
+
+    if (!forceReload && Array.isArray(governanceItemLookupState[normalizedEntityType]) && governanceItemLookupState[normalizedEntityType].length > 0) {
+        return governanceItemLookupState[normalizedEntityType];
+    }
+
+    if (normalizedEntityType === 'endpoint') {
+        governanceItemLookupState.endpoint = getAdminEndpointLookupOptionsFromWindow();
+        return governanceItemLookupState.endpoint;
+    }
+    if (normalizedEntityType === 'global_agent') {
+        governanceItemLookupState.global_agent = await fetchAdminGlobalAgentLookupOptions();
+        return governanceItemLookupState.global_agent;
+    }
+    if (normalizedEntityType === 'global_action') {
+        governanceItemLookupState.global_action = await fetchAdminGlobalActionLookupOptions();
+        return governanceItemLookupState.global_action;
+    }
+
+    return [];
+}
+
+function renderGovernanceItemLookupOptions(entityType, preferredValue = '') {
+    const itemIdInput = getItemIdInput();
+    if (!itemIdInput) {
+        return;
+    }
+
+    const options = Array.isArray(governanceItemLookupState[entityType]) ? governanceItemLookupState[entityType] : [];
+    const currentValue = String(preferredValue || '').trim();
+
+    itemIdInput.innerHTML = '';
+
+    const placeholder = document.createElement('option');
+    placeholder.value = '';
+    placeholder.textContent = options.length > 0 ? 'Select an item' : 'No items available';
+    itemIdInput.appendChild(placeholder);
+
+    options.forEach((option) => {
+        itemIdInput.appendChild(buildGovernanceItemLookupOption(option));
+    });
+
+    if (currentValue && options.some((option) => option.value === currentValue)) {
+        itemIdInput.value = currentValue;
+    } else {
+        itemIdInput.value = '';
+    }
+
+    const hint = GOVERNANCE_ITEM_LOOKUP_HINTS[entityType] || 'Select a delegated item.';
+    if (options.length > 0) {
+        setGovernanceItemLookupStatus(`${hint} Loaded ${options.length} item${options.length === 1 ? '' : 's'}.`, 'muted');
+    } else {
+        setGovernanceItemLookupStatus(`${hint} No items found for this type.`, 'warning');
+    }
+}
+
+async function refreshGovernanceItemLookup(entityType, forceReload = false, preferredValue = '') {
+    const refreshButton = document.getElementById('governance-item-id-refresh-btn');
+    if (refreshButton) {
+        refreshButton.disabled = true;
+    }
+
+    try {
+        await loadGovernanceItemLookup(entityType, forceReload);
+        renderGovernanceItemLookupOptions(entityType, preferredValue);
+    } catch (error) {
+        renderGovernanceItemLookupOptions(entityType, '');
+        setGovernanceItemLookupStatus(error.message || 'Failed to load delegated item lookup.', 'danger');
+    } finally {
+        if (refreshButton) {
+            refreshButton.disabled = false;
+        }
+    }
+}
+
+function updateFeatureAllowListSummary(row) {
+    const usersInput = getGovernanceUsersInputForFeatureRow(row);
+    const groupsInput = getGovernanceGroupsInputForFeatureRow(row);
+    const summaryEl = row?.querySelector('.governance-allowlist-summary');
+    if (!usersInput || !groupsInput || !summaryEl) {
+        return;
+    }
+
+    const users = splitPrincipalList(usersInput.value);
+    const groups = splitPrincipalList(groupsInput.value);
+    summaryEl.textContent = buildAllowListSummary(users, groups);
+}
+
+function updateItemAllowListSummary() {
+    const usersInput = getItemUsersInput();
+    const groupsInput = getItemGroupsInput();
+    const summaryInput = document.getElementById('governance-item-allowlist-summary');
+    if (!usersInput || !groupsInput || !summaryInput) {
+        return;
+    }
+
+    summaryInput.value = buildAllowListSummary(splitPrincipalList(usersInput.value), splitPrincipalList(groupsInput.value));
+}
+
+function applyFeatureAllowAllUiState(row) {
+    const allowAllInput = getGovernanceFeatureAllowAllInput(row);
+    const editButton = row?.querySelector('.governance-edit-feature-allowlist-btn');
+    const usersInput = getGovernanceUsersInputForFeatureRow(row);
+    const groupsInput = getGovernanceGroupsInputForFeatureRow(row);
+    if (!allowAllInput || !usersInput || !groupsInput) {
+        return;
+    }
+
+    if (allowAllInput.checked) {
+        usersInput.value = '';
+        groupsInput.value = '';
+    }
+
+    if (editButton) {
+        editButton.disabled = allowAllInput.checked;
+    }
+
+    updateFeatureAllowListSummary(row);
+}
+
+function applyItemAllowAllUiState() {
+    const allowAllInput = getItemAllowAllInput();
+    const editButton = document.getElementById('governance-edit-item-allowlist-btn');
+    const allowedPrincipalsControls = document.getElementById('governance-item-allowed-principals-controls');
+    const usersInput = getItemUsersInput();
+    const groupsInput = getItemGroupsInput();
+    if (!allowAllInput || !usersInput || !groupsInput) {
+        return;
+    }
+
+    if (allowAllInput.checked) {
+        usersInput.value = '';
+        groupsInput.value = '';
+    }
+
+    if (editButton) {
+        editButton.disabled = allowAllInput.checked;
+    }
+
+    if (allowedPrincipalsControls) {
+        allowedPrincipalsControls.classList.toggle('d-none', allowAllInput.checked);
+    }
+
+    updateItemAllowListSummary();
+}
+
+async function governanceLookupUsers(query) {
+    const response = await fetch(`/api/userSearch?query=${encodeURIComponent(String(query || '').trim())}`, {
+        method: 'GET',
+        headers: {
+            Accept: 'application/json',
+        },
+    });
+
+    if (!response.ok) {
+        throw new Error('User lookup failed.');
+    }
+
+    const payload = await response.json();
+    return Array.isArray(payload) ? payload : [];
+}
+
+async function governanceLookupGroups(query) {
+    const response = await fetch(`/api/groups/discover?search=${encodeURIComponent(String(query || '').trim())}&showAll=true`, {
+        method: 'GET',
+        headers: {
+            Accept: 'application/json',
+        },
+    });
+
+    if (!response.ok) {
+        throw new Error('Group lookup failed.');
+    }
+
+    const payload = await response.json();
+    return Array.isArray(payload) ? payload : [];
+}
+
+// Prep hook for chat/workspace follow-up to reuse the same normalized lookup behavior.
+window.governancePrincipalLookup = {
+    searchUsers: governanceLookupUsers,
+    searchGroups: governanceLookupGroups,
+};
+
+function buildItemPolicyEntityLabel(entityType) {
+    return GOVERNANCE_ITEM_ENTITY_LABELS[entityType] || entityType || '';
+}
+
+function mapGovernanceLevelToToastVariant(level = 'info') {
+    const normalized = String(level || 'info').toLowerCase();
+    if (normalized === 'error') {
+        return 'danger';
+    }
+    if (normalized === 'warn') {
+        return 'warning';
+    }
+    return normalized;
+}
+
+function setGovernanceInlineStatusFallback(message, level = 'info') {
+    const status = document.getElementById('governance-status');
+    if (!status) {
+        return;
+    }
+
+    const alertLevel = mapGovernanceLevelToToastVariant(level);
+    status.className = `alert alert-${alertLevel}`;
+    status.classList.remove('d-none');
+    status.textContent = String(message || '');
+}
+
+function setGovernanceStatus(message, level = 'info') {
+    if (!message) {
+        return;
+    }
+    showGovernanceToast(message, mapGovernanceLevelToToastVariant(level));
+}
+
+function clearGovernanceStatus() {
+    const status = document.getElementById('governance-status');
+    if (!status) {
+        return;
+    }
+
+    status.className = 'alert d-none';
+    status.textContent = '';
+}
+
+function showGovernanceToast(message, variant = 'success') {
+    const normalizedVariant = mapGovernanceLevelToToastVariant(variant);
+    const container = document.getElementById('toast-container');
+    if (!container || typeof bootstrap?.Toast !== 'function') {
+        setGovernanceInlineStatusFallback(message, normalizedVariant === 'danger' ? 'danger' : normalizedVariant);
+        return;
+    }
+
+    const toastEl = document.createElement('div');
+    toastEl.className = `toast align-items-center text-bg-${normalizedVariant}`;
+    toastEl.setAttribute('role', 'alert');
+    toastEl.setAttribute('aria-live', 'assertive');
+    toastEl.setAttribute('aria-atomic', 'true');
+
+    const contentEl = document.createElement('div');
+    contentEl.className = 'd-flex';
+
+    const bodyEl = document.createElement('div');
+    bodyEl.className = 'toast-body';
+    bodyEl.textContent = String(message || '');
+
+    const closeButtonEl = document.createElement('button');
+    closeButtonEl.type = 'button';
+    closeButtonEl.className = 'btn-close btn-close-white me-2 m-auto';
+    closeButtonEl.setAttribute('data-bs-dismiss', 'toast');
+    closeButtonEl.setAttribute('aria-label', 'Close');
+
+    contentEl.appendChild(bodyEl);
+    contentEl.appendChild(closeButtonEl);
+    toastEl.appendChild(contentEl);
+    container.appendChild(toastEl);
+
+    const bsToast = new bootstrap.Toast(toastEl, { delay: 5000 });
+    bsToast.show();
+
+    toastEl.addEventListener('hidden.bs.toast', () => {
+        toastEl.remove();
+    });
+}
+
+function getGovernanceFeatureToggle(featureKey) {
+    const toggle = document.getElementById(featureKey);
+    return toggle instanceof HTMLInputElement ? toggle : null;
+}
+
+function syncGovernanceFeaturePolicyRowVisibility(row) {
+    const featureKey = String(row?.dataset?.featureKey || '').trim();
+    if (!row || !featureKey) {
+        return;
+    }
+
+    const featureToggle = getGovernanceFeatureToggle(featureKey);
+    const shouldShow = !featureToggle || featureToggle.checked;
+    row.classList.toggle('d-none', !shouldShow);
+}
+
+function syncGovernanceFeaturePolicyVisibility() {
+    Array.from(document.querySelectorAll('#governance-feature-policies-body tr')).forEach((row) => {
+        syncGovernanceFeaturePolicyRowVisibility(row);
+    });
+}
+
+function buildFeaturePolicyRow(policy) {
+    const row = document.createElement('tr');
+    row.dataset.featureKey = policy.feature_key;
+
+    const featureCell = document.createElement('td');
+    featureCell.textContent = GOVERNANCE_FEATURE_LABELS[policy.feature_key] || policy.feature_key;
+
+    const allowAllCell = document.createElement('td');
+    const allowAll = document.createElement('input');
+    allowAll.type = 'checkbox';
+    allowAll.className = 'form-check-input governance-allow-all';
+    allowAll.checked = Boolean(policy.allow_all);
+    allowAllCell.appendChild(allowAll);
+
+    const usersCell = document.createElement('td');
+    const usersInput = document.createElement('input');
+    usersInput.type = 'text';
+    usersInput.className = 'form-control form-control-sm governance-allowed-users d-none';
+    usersInput.value = joinPrincipalList(policy.allowed_users);
+    usersCell.appendChild(usersInput);
+
+    const usersSummary = document.createElement('div');
+    usersSummary.className = 'small text-body-secondary governance-allowlist-summary';
+    usersSummary.textContent = buildAllowListSummary(policy.allowed_users, policy.allowed_groups);
+    usersCell.appendChild(usersSummary);
+
+    const usersEditButton = document.createElement('button');
+    usersEditButton.type = 'button';
+    usersEditButton.className = 'btn btn-sm btn-outline-primary mt-1 governance-edit-feature-allowlist-btn';
+    usersEditButton.textContent = 'Edit Allow List';
+    usersCell.appendChild(usersEditButton);
+
+    const groupsCell = document.createElement('td');
+    const groupsInput = document.createElement('input');
+    groupsInput.type = 'text';
+    groupsInput.className = 'form-control form-control-sm governance-allowed-groups d-none';
+    groupsInput.value = joinPrincipalList(policy.allowed_groups);
+    groupsCell.appendChild(groupsInput);
+
+    const groupsSummary = document.createElement('div');
+    groupsSummary.className = 'small text-body-secondary';
+    groupsSummary.textContent = 'Includes group IDs added in the editor.';
+    groupsCell.appendChild(groupsSummary);
+
+    row.appendChild(featureCell);
+    row.appendChild(allowAllCell);
+    row.appendChild(usersCell);
+    row.appendChild(groupsCell);
+
+    applyFeatureAllowAllUiState(row);
+    syncGovernanceFeaturePolicyRowVisibility(row);
+
+    return row;
+}
+
+async function loadFeaturePolicies() {
+    const tbody = document.getElementById('governance-feature-policies-body');
+    if (!tbody) {
+        return;
+    }
+
+    const response = await fetch('/api/admin/governance/policies', {
+        method: 'GET',
+        headers: {
+            Accept: 'application/json',
+        },
+    });
+
+    if (!response.ok) {
+        throw new Error('Unable to load governance feature policies.');
+    }
+
+    const payload = await response.json();
+    const featurePolicies = Array.isArray(payload.features) ? payload.features : [];
+
+    tbody.innerHTML = '';
+    featurePolicies.forEach((policy) => {
+        tbody.appendChild(buildFeaturePolicyRow(policy));
+    });
+    syncGovernanceFeaturePolicyVisibility();
+}
+
+async function saveFeaturePolicies() {
+    const rows = Array.from(document.querySelectorAll('#governance-feature-policies-body tr'));
+    if (rows.length === 0) {
+        setGovernanceStatus('No feature policies are available to save.', 'warning');
+        return;
+    }
+
+    for (const row of rows) {
+        const featureKey = row.dataset.featureKey;
+        const allowAllInput = row.querySelector('.governance-allow-all');
+        const usersInput = row.querySelector('.governance-allowed-users');
+        const groupsInput = row.querySelector('.governance-allowed-groups');
+
+        if (!featureKey || !allowAllInput || !usersInput || !groupsInput) {
+            continue;
+        }
+
+        const body = {
+            allow_all: allowAllInput.checked,
+            allowed_users: splitPrincipalList(usersInput.value),
+            allowed_groups: splitPrincipalList(groupsInput.value),
+        };
+
+        const response = await fetch(`/api/admin/governance/policies/${encodeURIComponent(featureKey)}`, {
+            method: 'PUT',
+            headers: {
+                'Content-Type': 'application/json',
+                Accept: 'application/json',
+            },
+            body: JSON.stringify(body),
+        });
+
+        if (!response.ok) {
+            throw new Error(`Failed to save policy for ${featureKey}.`);
+        }
+    }
+
+    clearGovernanceStatus();
+    showGovernanceToast('Governance feature policies saved successfully.', 'success');
+}
+
+function buildItemPolicyRow(policy) {
+    const row = document.createElement('tr');
+
+    const entityTypeCell = document.createElement('td');
+    const entityType = String(policy.entity_type || '');
+    const itemId = String(policy.item_id || '');
+    const allowAll = Boolean(policy.allow_all);
+    const allowedUsers = Array.isArray(policy.allowed_users) ? policy.allowed_users : [];
+    const allowedGroups = Array.isArray(policy.allowed_groups) ? policy.allowed_groups : [];
+
+    entityTypeCell.textContent = buildItemPolicyEntityLabel(entityType);
+
+    const itemIdCell = document.createElement('td');
+    itemIdCell.textContent = itemId;
+
+    const allowAllCell = document.createElement('td');
+    allowAllCell.textContent = allowAll ? 'Yes' : 'No';
+
+    const usersCell = document.createElement('td');
+    renderGovernancePrincipalReviewCell(usersCell, 'users', allowedUsers);
+
+    const groupsCell = document.createElement('td');
+    renderGovernancePrincipalReviewCell(groupsCell, 'groups', allowedGroups);
+
+    const actionsCell = document.createElement('td');
+    actionsCell.className = 'text-nowrap';
+    const editButton = document.createElement('button');
+    editButton.type = 'button';
+    editButton.className = 'btn btn-sm btn-outline-primary governance-edit-item-policy-btn';
+    editButton.textContent = 'Edit';
+    editButton.dataset.entityType = entityType;
+    editButton.dataset.itemId = itemId;
+    editButton.dataset.allowAll = allowAll ? 'true' : 'false';
+    editButton.dataset.allowedUsers = JSON.stringify(allowedUsers);
+    editButton.dataset.allowedGroups = JSON.stringify(allowedGroups);
+    actionsCell.appendChild(editButton);
+
+    const deleteButton = document.createElement('button');
+    deleteButton.type = 'button';
+    deleteButton.className = 'btn btn-sm btn-outline-danger ms-2 governance-delete-item-policy-btn';
+    deleteButton.textContent = 'Delete';
+    deleteButton.dataset.entityType = entityType;
+    deleteButton.dataset.itemId = itemId;
+    actionsCell.appendChild(deleteButton);
+
+    row.appendChild(entityTypeCell);
+    row.appendChild(itemIdCell);
+    row.appendChild(allowAllCell);
+    row.appendChild(usersCell);
+    row.appendChild(groupsCell);
+    row.appendChild(actionsCell);
+
+    return row;
+}
+
+function renderGovernancePrincipalReviewCell(cell, listType, ids, hydrateMissing = true) {
+    if (!cell) {
+        return;
+    }
+
+    const normalizedIds = uniquePrincipalList(ids);
+    cell.textContent = '';
+    cell.className = 'small';
+
+    if (normalizedIds.length === 0) {
+        cell.className = 'small text-muted';
+        cell.textContent = 'None';
+        return;
+    }
+
+    const missingIds = [];
+    normalizedIds.forEach((idValue) => {
+        const displayName = getGovernanceDisplayName(listType, idValue);
+        const truncatedId = truncateGovernanceId(idValue);
+        const wrapper = document.createElement('div');
+        wrapper.className = 'mb-1';
+
+        const primary = document.createElement('div');
+        primary.textContent = displayName || truncatedId;
+        primary.title = displayName || idValue;
+        wrapper.appendChild(primary);
+
+        if (displayName) {
+            const secondary = document.createElement('div');
+            secondary.className = 'text-muted';
+            secondary.textContent = truncatedId;
+            secondary.title = idValue;
+            wrapper.appendChild(secondary);
+        } else {
+            missingIds.push(idValue);
+        }
+
+        cell.appendChild(wrapper);
+    });
+
+    if (hydrateMissing && missingIds.length > 0) {
+        void hydrateGovernanceDisplayNames(listType, missingIds).then(() => {
+            renderGovernancePrincipalReviewCell(cell, listType, normalizedIds, false);
+        }).catch(() => {
+            renderGovernancePrincipalReviewCell(cell, listType, normalizedIds, false);
+        });
+    }
+}
+
+function parseGovernancePrincipalDataset(value) {
+    try {
+        const parsed = JSON.parse(value || '[]');
+        return uniquePrincipalList(Array.isArray(parsed) ? parsed : []);
+    } catch (error) {
+        return [];
+    }
+}
+
+function ensureGovernanceItemIdOption(itemIdInput, itemId) {
+    const normalizedItemId = String(itemId || '').trim();
+    if (!itemIdInput || !normalizedItemId) {
+        return;
+    }
+
+    const hasOption = Array.from(itemIdInput.options || []).some((option) => option.value === normalizedItemId);
+    if (!hasOption) {
+        const option = document.createElement('option');
+        option.value = normalizedItemId;
+        option.textContent = normalizedItemId;
+        itemIdInput.appendChild(option);
+    }
+    itemIdInput.value = normalizedItemId;
+}
+
+async function loadGovernanceItemPolicyIntoEditor(policy) {
+    const entityTypeInput = document.getElementById('governance-item-entity-type');
+    const itemIdInput = document.getElementById('governance-item-id');
+    const allowAllInput = document.getElementById('governance-item-allow-all');
+    const usersInput = getItemUsersInput();
+    const groupsInput = getItemGroupsInput();
+
+    if (!entityTypeInput || !itemIdInput || !allowAllInput || !usersInput || !groupsInput) {
+        return;
+    }
+
+    const entityType = String(policy?.entity_type || '').trim();
+    const itemId = String(policy?.item_id || '').trim();
+    if (!entityType || !itemId) {
+        return;
+    }
+
+    entityTypeInput.value = entityType;
+    await refreshGovernanceItemLookup(entityType, false, itemId);
+    ensureGovernanceItemIdOption(itemIdInput, itemId);
+
+    allowAllInput.checked = Boolean(policy.allow_all);
+    usersInput.value = joinPrincipalList(policy.allowed_users || []);
+    groupsInput.value = joinPrincipalList(policy.allowed_groups || []);
+
+    updateItemAllowListSummary();
+    applyItemAllowAllUiState();
+    document.getElementById('governance-item-policy-form')?.scrollIntoView({ behavior: 'smooth', block: 'center' });
+    itemIdInput.focus();
+}
+
+function openCurrentDelegatedItemAllowListEditor() {
+    const usersInput = getItemUsersInput();
+    const groupsInput = getItemGroupsInput();
+    const entityTypeInput = document.getElementById('governance-item-entity-type');
+    const itemIdInput = document.getElementById('governance-item-id');
+
+    if (!usersInput || !groupsInput) {
+        return;
+    }
+
+    const entityType = String(entityTypeInput?.value || '').trim();
+    const itemId = String(itemIdInput?.value || '').trim();
+    const contextSuffix = entityType && itemId
+        ? ` (${GOVERNANCE_ITEM_ENTITY_LABELS[entityType] || entityType}: ${itemId})`
+        : '';
+
+    openGovernanceAllowListEditor({
+        title: `Edit Delegated Item Allow List${contextSuffix}`,
+        description: 'Manage explicitly allowed users and groups for this delegated item policy.',
+        getUsers: () => splitPrincipalList(usersInput.value),
+        getGroups: () => splitPrincipalList(groupsInput.value),
+        setValues: (users, groups) => {
+            usersInput.value = joinPrincipalList(users);
+            groupsInput.value = joinPrincipalList(groups);
+            const allowAllInput = getItemAllowAllInput();
+            if (allowAllInput) {
+                allowAllInput.checked = false;
+            }
+            applyItemAllowAllUiState();
+        },
+    });
+}
+
+function openCurrentDelegatedItemAllowListEditorAfterReviewModalCloses() {
+    const reviewModalElement = document.getElementById('governance-item-policies-review-modal');
+    if (!reviewModalElement?.classList.contains('show')) {
+        openCurrentDelegatedItemAllowListEditor();
+        return;
+    }
+
+    reviewModalElement.addEventListener('hidden.bs.modal', () => {
+        openCurrentDelegatedItemAllowListEditor();
+    }, { once: true });
+    governanceItemReviewModal?.hide();
+}
+
+function ensureGovernanceItemPolicyDeleteModal() {
+    let modalElement = document.getElementById('governance-item-policy-delete-confirm-modal');
+    if (!modalElement) {
+        const modalMarkup = `
+            <div class="modal fade" id="governance-item-policy-delete-confirm-modal" tabindex="-1" aria-hidden="true">
+                <div class="modal-dialog modal-dialog-centered">
+                    <div class="modal-content">
+                        <div class="modal-header">
+                            <h5 class="modal-title">Delete Delegated Item Policy</h5>
+                            <button type="button" class="btn-close" data-bs-dismiss="modal" aria-label="Close"></button>
+                        </div>
+                        <div class="modal-body">
+                            <p class="mb-2">Delete this delegated item policy?</p>
+                            <div class="alert alert-warning mb-0" id="governance-item-policy-delete-summary"></div>
+                        </div>
+                        <div class="modal-footer">
+                            <button type="button" class="btn btn-secondary" data-bs-dismiss="modal">Cancel</button>
+                            <button type="button" class="btn btn-danger" id="governance-item-policy-delete-confirm-btn">Delete Policy</button>
+                        </div>
+                    </div>
+                </div>
+            </div>
+        `;
+
+        const wrapper = document.createElement('div');
+        wrapper.innerHTML = modalMarkup.trim();
+        modalElement = wrapper.firstElementChild;
+        document.body.appendChild(modalElement);
+    }
+
+    if (!governanceItemPolicyDeleteModal) {
+        governanceItemPolicyDeleteModal = bootstrap.Modal.getOrCreateInstance(modalElement);
+    }
+
+    if (!modalElement.dataset.wired) {
+        modalElement.dataset.wired = 'true';
+        const confirmButton = document.getElementById('governance-item-policy-delete-confirm-btn');
+        if (confirmButton) {
+            confirmButton.addEventListener('click', async () => {
+                try {
+                    await deleteGovernanceItemPolicyFromContext();
+                } catch (error) {
+                    setGovernanceStatus(error.message || 'Failed to delete item governance policy.', 'danger');
+                }
+            });
+        }
+    }
+
+    return modalElement;
+}
+
+function openGovernanceItemPolicyDeleteModal(entityType, itemId) {
+    const normalizedEntityType = String(entityType || '').trim();
+    const normalizedItemId = String(itemId || '').trim();
+    if (!normalizedEntityType || !normalizedItemId) {
+        return;
+    }
+
+    governanceItemPolicyDeleteContext = {
+        entityType: normalizedEntityType,
+        itemId: normalizedItemId,
+    };
+
+    ensureGovernanceItemPolicyDeleteModal();
+    const summary = document.getElementById('governance-item-policy-delete-summary');
+    if (summary) {
+        summary.textContent = `${buildItemPolicyEntityLabel(normalizedEntityType)}: ${normalizedItemId}`;
+    }
+    governanceItemPolicyDeleteModal?.show();
+}
+
+async function deleteGovernanceItemPolicyFromContext() {
+    if (!governanceItemPolicyDeleteContext) {
+        return;
+    }
+
+    const { entityType, itemId } = governanceItemPolicyDeleteContext;
+    const response = await fetch(
+        `/api/admin/governance/item-policies/${encodeURIComponent(entityType)}/${encodeURIComponent(itemId)}`,
+        {
+            method: 'DELETE',
+            headers: {
+                Accept: 'application/json',
+            },
+        }
+    );
+
+    if (!response.ok) {
+        throw new Error('Unable to delete item governance policy.');
+    }
+
+    governanceItemPolicyDeleteModal?.hide();
+    governanceItemPolicyDeleteContext = null;
+
+    const entityTypeInput = document.getElementById('governance-item-entity-type');
+    const itemIdInput = document.getElementById('governance-item-id');
+    if (entityTypeInput?.value === entityType && itemIdInput?.value === itemId) {
+        const allowAllInput = getItemAllowAllInput();
+        const usersInput = getItemUsersInput();
+        const groupsInput = getItemGroupsInput();
+        if (allowAllInput) {
+            allowAllInput.checked = true;
+        }
+        if (usersInput) {
+            usersInput.value = '';
+        }
+        if (groupsInput) {
+            groupsInput.value = '';
+        }
+        applyItemAllowAllUiState();
+    }
+
+    await loadItemPolicies();
+    await loadGovernanceItemPolicyReview();
+    showGovernanceToast('Delegated item policy deleted.', 'success');
+}
+
+function ensureGovernanceItemReviewModal() {
+    const existingModal = document.getElementById('governance-item-policies-review-modal');
+    if (existingModal) {
+        wireGovernanceItemReviewHandlers(existingModal);
+        return existingModal;
+    }
+
+    const modalMarkup = `
+        <div class="modal fade" id="governance-item-policies-review-modal" tabindex="-1" aria-hidden="true">
+            <div class="modal-dialog modal-xl modal-dialog-scrollable">
+                <div class="modal-content">
+                    <div class="modal-header">
+                        <div>
+                            <h5 class="modal-title mb-1">Configured Delegated Items</h5>
+                            <div class="text-muted small">Search and page through the configured item policies.</div>
+                        </div>
+                        <button type="button" class="btn-close" data-bs-dismiss="modal" aria-label="Close"></button>
+                    </div>
+                    <div class="modal-body">
+                        <div class="row g-2 align-items-end mb-3">
+                            <div class="col-md-5">
+                                <label class="form-label" for="governance-item-review-search">Search</label>
+                                <input type="search" class="form-control" id="governance-item-review-search" placeholder="Search users, groups, endpoint IDs, or item IDs">
+                            </div>
+                            <div class="col-md-3">
+                                <label class="form-label" for="governance-item-review-entity-type">Entity Type</label>
+                                <select class="form-select" id="governance-item-review-entity-type">
+                                    <option value="">All</option>
+                                    <option value="endpoint">Endpoint</option>
+                                    <option value="global_agent">Global Agent</option>
+                                    <option value="global_action">Global Action</option>
+                                </select>
+                            </div>
+                            <div class="col-md-2">
+                                <label class="form-label" for="governance-item-review-page-size">Page Size</label>
+                                <select class="form-select" id="governance-item-review-page-size">
+                                    <option value="10">10</option>
+                                    <option value="25" selected>25</option>
+                                    <option value="50">50</option>
+                                </select>
+                            </div>
+                            <div class="col-md-2 d-grid gap-2">
+                                <button type="button" class="btn btn-primary" id="governance-item-review-search-btn">Search</button>
+                                <button type="button" class="btn btn-outline-secondary" id="governance-item-review-reset-btn">Reset</button>
+                            </div>
+                        </div>
+
+                        <div class="table-responsive">
+                            <table class="table table-sm table-striped align-middle">
+                                <thead>
+                                    <tr>
+                                        <th>Entity Type</th>
+                                        <th>Item ID</th>
+                                        <th>Allow All</th>
+                                        <th>Allowed Users</th>
+                                        <th>Allowed Groups</th>
+                                        <th>Actions</th>
+                                    </tr>
+                                </thead>
+                                <tbody id="governance-item-policies-review-body"></tbody>
+                            </table>
+                        </div>
+
+                        <div class="d-flex align-items-center justify-content-between gap-2 mt-3">
+                            <div class="text-muted small" id="governance-item-review-summary"></div>
+                            <div class="btn-group" role="group" aria-label="Delegated item policy pagination">
+                                <button type="button" class="btn btn-outline-secondary btn-sm" id="governance-item-review-prev-btn">Previous</button>
+                                <button type="button" class="btn btn-outline-secondary btn-sm" id="governance-item-review-next-btn">Next</button>
+                            </div>
+                        </div>
+                    </div>
+                    <div class="modal-footer">
+                        <button type="button" class="btn btn-secondary" data-bs-dismiss="modal">Close</button>
+                    </div>
+                </div>
+            </div>
+        </div>
+    `;
+
+    const wrapper = document.createElement('div');
+    wrapper.innerHTML = modalMarkup.trim();
+    const modalElement = wrapper.firstElementChild;
+    document.body.appendChild(modalElement);
+    wireGovernanceItemReviewHandlers(modalElement);
+    return modalElement;
+}
+
+function wireGovernanceItemReviewHandlers(modalElement) {
+    if (!modalElement || modalElement.dataset.reviewWired) {
+        return;
+    }
+
+    const itemPolicyReviewBody = modalElement.querySelector('#governance-item-policies-review-body');
+    if (!itemPolicyReviewBody) {
+        return;
+    }
+
+    modalElement.dataset.reviewWired = 'true';
+    itemPolicyReviewBody.addEventListener('click', async (event) => {
+        const target = event.target;
+        const editButton = target instanceof HTMLElement ? target.closest('.governance-edit-item-policy-btn') : null;
+        const deleteButton = target instanceof HTMLElement ? target.closest('.governance-delete-item-policy-btn') : null;
+
+        if (deleteButton) {
+            openGovernanceItemPolicyDeleteModal(deleteButton.dataset.entityType, deleteButton.dataset.itemId);
+            return;
+        }
+
+        if (!editButton) {
+            return;
+        }
+
+        const policy = {
+            entity_type: editButton.dataset.entityType || '',
+            item_id: editButton.dataset.itemId || '',
+            allow_all: editButton.dataset.allowAll === 'true',
+            allowed_users: parseGovernancePrincipalDataset(editButton.dataset.allowedUsers),
+            allowed_groups: parseGovernancePrincipalDataset(editButton.dataset.allowedGroups),
+        };
+
+        await loadGovernanceItemPolicyIntoEditor(policy);
+        openCurrentDelegatedItemAllowListEditorAfterReviewModalCloses();
+    });
+}
+
+function syncGovernanceItemReviewControls() {
+    const searchInput = document.getElementById('governance-item-review-search');
+    const entityTypeSelect = document.getElementById('governance-item-review-entity-type');
+    const pageSizeSelect = document.getElementById('governance-item-review-page-size');
+
+    if (searchInput) {
+        searchInput.value = governanceItemReviewState.search;
+    }
+    if (entityTypeSelect) {
+        entityTypeSelect.value = governanceItemReviewState.entityType;
+    }
+    if (pageSizeSelect) {
+        pageSizeSelect.value = String(governanceItemReviewState.perPage);
+    }
+}
+
+function renderGovernanceItemReviewRows(itemPolicies) {
+    const tbody = document.getElementById('governance-item-policies-review-body');
+    if (!tbody) {
+        return;
+    }
+
+    tbody.innerHTML = '';
+    if (!Array.isArray(itemPolicies) || itemPolicies.length === 0) {
+        const emptyRow = document.createElement('tr');
+        const emptyCell = document.createElement('td');
+        emptyCell.colSpan = 6;
+        emptyCell.className = 'text-center text-muted';
+        emptyCell.textContent = 'No delegated item policies found.';
+        emptyRow.appendChild(emptyCell);
+        tbody.appendChild(emptyRow);
+        return;
+    }
+
+    itemPolicies.forEach((policy) => {
+        tbody.appendChild(buildItemPolicyRow(policy));
+    });
+}
+
+function updateGovernanceItemReviewSummary(pagination, totalVisible) {
+    const summary = document.getElementById('governance-item-review-summary');
+    if (!summary) {
+        return;
+    }
+
+    if (!pagination) {
+        summary.textContent = '';
+        return;
+    }
+
+    const currentStart = pagination.total_items === 0 ? 0 : ((pagination.page - 1) * pagination.per_page) + 1;
+    const currentEnd = pagination.total_items === 0 ? 0 : Math.min(pagination.page * pagination.per_page, pagination.total_items);
+    summary.textContent = `Showing ${currentStart}-${currentEnd} of ${pagination.total_items} configured item policy${pagination.total_items === 1 ? '' : 'ies'} (${totalVisible} on page ${pagination.page} of ${pagination.total_pages}).`;
+}
+
+function updateGovernanceItemReviewPagination(pagination) {
+    const prevButton = document.getElementById('governance-item-review-prev-btn');
+    const nextButton = document.getElementById('governance-item-review-next-btn');
+
+    if (prevButton) {
+        prevButton.disabled = !pagination || !pagination.has_prev;
+    }
+    if (nextButton) {
+        nextButton.disabled = !pagination || !pagination.has_next;
+    }
+}
+
+async function loadGovernanceItemPolicyReview(page = governanceItemReviewState.page) {
+    const tbody = document.getElementById('governance-item-policies-review-body');
+    if (!tbody) {
+        return;
+    }
+
+    governanceItemReviewState.page = Math.max(1, Number(page) || 1);
+
+    const params = new URLSearchParams();
+    if (governanceItemReviewState.search) {
+        params.set('search', governanceItemReviewState.search);
+    }
+    if (governanceItemReviewState.entityType) {
+        params.set('entity_type', governanceItemReviewState.entityType);
+    }
+    params.set('page', String(governanceItemReviewState.page));
+    params.set('per_page', String(governanceItemReviewState.perPage));
+
+    const response = await fetch(`/api/admin/governance/item-policies/review?${params.toString()}`, {
+        method: 'GET',
+        headers: {
+            Accept: 'application/json',
+        },
+    });
+
+    if (!response.ok) {
+        throw new Error('Unable to load delegated item policy review data.');
+    }
+
+    const payload = await response.json();
+    const itemPolicies = Array.isArray(payload.item_policies) ? payload.item_policies : [];
+    renderGovernanceItemReviewRows(itemPolicies);
+    updateGovernanceItemReviewSummary(payload.pagination, itemPolicies.length);
+    updateGovernanceItemReviewPagination(payload.pagination);
+}
+
+function openGovernanceItemReviewModal() {
+    const modalElement = ensureGovernanceItemReviewModal();
+    if (!modalElement) {
+        return;
+    }
+
+    if (!governanceItemReviewModal) {
+        governanceItemReviewModal = bootstrap.Modal.getOrCreateInstance(modalElement);
+    }
+
+    governanceItemReviewState.page = 1;
+    syncGovernanceItemReviewControls();
+    governanceItemReviewModal.show();
+    loadGovernanceItemPolicyReview().catch((error) => {
+        setGovernanceStatus(error.message || 'Failed to load delegated item policy review.', 'danger');
+    });
+}
+
+function ensureGovernanceAllowListEditorModal() {
+    let modalElement = document.getElementById('governanceAllowListEditorModal');
+    if (!modalElement) {
+        const modalMarkup = `
+            <div class="modal fade" id="governanceAllowListEditorModal" tabindex="-1" aria-hidden="true">
+                <div class="modal-dialog modal-xl modal-dialog-scrollable">
+                    <div class="modal-content">
+                        <div class="modal-header">
+                            <div>
+                                <h5 class="modal-title mb-1" id="governance-allowlist-editor-title">Edit Allow List</h5>
+                                <div class="small text-muted">Use lookup and CSV import to manage users/groups. Saving updates the underlying policy fields.</div>
+                            </div>
+                            <button type="button" class="btn-close" data-bs-dismiss="modal" aria-label="Close"></button>
+                        </div>
+                        <div class="modal-body">
+                            <div class="alert alert-info py-2 small mb-3" id="governance-allowlist-editor-context"></div>
+
+                            <div class="row g-3">
+                                <div class="col-lg-6">
+                                    <h6 class="mb-2">User Lookup</h6>
+                                    <div class="input-group mb-2">
+                                        <input type="search" class="form-control" id="governance-allowlist-user-search" placeholder="Search users by name or email">
+                                        <button type="button" class="btn btn-outline-primary" id="governance-allowlist-user-search-btn">Search</button>
+                                    </div>
+                                    <div class="table-responsive border rounded">
+                                        <table class="table table-sm align-middle mb-0">
+                                            <thead>
+                                                <tr>
+                                                    <th style="width: 40px;"><input type="checkbox" id="governance-allowlist-select-all-user-results"></th>
+                                                    <th>User</th>
+                                                    <th>Email</th>
+                                                </tr>
+                                            </thead>
+                                            <tbody id="governance-allowlist-user-results"></tbody>
+                                        </table>
+                                    </div>
+                                    <div class="d-flex justify-content-end mt-2">
+                                        <button type="button" class="btn btn-sm btn-primary" id="governance-allowlist-add-selected-users-btn">Add Selected Users</button>
+                                    </div>
+                                </div>
+
+                                <div class="col-lg-6">
+                                    <h6 class="mb-2">Group Lookup</h6>
+                                    <div class="input-group mb-2">
+                                        <input type="search" class="form-control" id="governance-allowlist-group-search" placeholder="Search groups by name">
+                                        <button type="button" class="btn btn-outline-primary" id="governance-allowlist-group-search-btn">Search</button>
+                                    </div>
+                                    <div class="table-responsive border rounded">
+                                        <table class="table table-sm align-middle mb-0">
+                                            <thead>
+                                                <tr>
+                                                    <th style="width: 40px;"><input type="checkbox" id="governance-allowlist-select-all-group-results"></th>
+                                                    <th>Group</th>
+                                                    <th>Group ID</th>
+                                                </tr>
+                                            </thead>
+                                            <tbody id="governance-allowlist-group-results"></tbody>
+                                        </table>
+                                    </div>
+                                    <div class="d-flex justify-content-end mt-2">
+                                        <button type="button" class="btn btn-sm btn-primary" id="governance-allowlist-add-selected-groups-btn">Add Selected Groups</button>
+                                    </div>
+                                </div>
+                            </div>
+
+                            <hr>
+
+                            <div class="row g-3">
+                                <div class="col-lg-6">
+                                    <h6 class="mb-2">Selected Users</h6>
+                                    <div class="row g-2 align-items-end mb-2">
+                                        <div class="col-8">
+                                            <label class="form-label small mb-1" for="governance-allowlist-selected-user-search">Find in Selected Users</label>
+                                            <input type="search" class="form-control form-control-sm" id="governance-allowlist-selected-user-search" placeholder="Filter by user ID">
+                                        </div>
+                                        <div class="col-4">
+                                            <label class="form-label small mb-1" for="governance-allowlist-selected-user-page-size">Page Size</label>
+                                            <select class="form-select form-select-sm" id="governance-allowlist-selected-user-page-size">
+                                                <option value="10">10</option>
+                                                <option value="25">25</option>
+                                                <option value="50" selected>50</option>
+                                                <option value="100">100</option>
+                                            </select>
+                                        </div>
+                                    </div>
+                                    <div class="table-responsive border rounded" style="max-height: 260px; overflow-y: auto;">
+                                        <table class="table table-sm align-middle mb-0">
+                                            <thead>
+                                                <tr>
+                                                    <th style="width: 40px;"><input type="checkbox" id="governance-allowlist-select-all-selected-users"></th>
+                                                    <th>User</th>
+                                                    <th style="width: 40px;"></th>
+                                                </tr>
+                                            </thead>
+                                            <tbody id="governance-allowlist-selected-users"></tbody>
+                                        </table>
+                                    </div>
+                                    <div class="d-flex align-items-center justify-content-between mt-2">
+                                        <div class="small text-muted" id="governance-allowlist-selected-users-summary"></div>
+                                        <div class="btn-group btn-group-sm" role="group" aria-label="Selected users pagination">
+                                            <button type="button" class="btn btn-outline-secondary" id="governance-allowlist-selected-users-prev-btn">Previous</button>
+                                            <button type="button" class="btn btn-outline-secondary" id="governance-allowlist-selected-users-next-btn">Next</button>
+                                        </div>
+                                    </div>
+                                    <div class="d-flex justify-content-end mt-2 gap-2">
+                                        <button type="button" class="btn btn-sm btn-outline-danger" id="governance-allowlist-remove-selected-users-btn">Remove Selected</button>
+                                        <button type="button" class="btn btn-sm btn-outline-secondary" id="governance-allowlist-clear-users-btn">Clear Users</button>
+                                    </div>
+                                </div>
+
+                                <div class="col-lg-6">
+                                    <h6 class="mb-2">Selected Groups</h6>
+                                    <div class="row g-2 align-items-end mb-2">
+                                        <div class="col-8">
+                                            <label class="form-label small mb-1" for="governance-allowlist-selected-group-search">Find in Selected Groups</label>
+                                            <input type="search" class="form-control form-control-sm" id="governance-allowlist-selected-group-search" placeholder="Filter by group ID">
+                                        </div>
+                                        <div class="col-4">
+                                            <label class="form-label small mb-1" for="governance-allowlist-selected-group-page-size">Page Size</label>
+                                            <select class="form-select form-select-sm" id="governance-allowlist-selected-group-page-size">
+                                                <option value="10">10</option>
+                                                <option value="25">25</option>
+                                                <option value="50" selected>50</option>
+                                                <option value="100">100</option>
+                                            </select>
+                                        </div>
+                                    </div>
+                                    <div class="table-responsive border rounded" style="max-height: 260px; overflow-y: auto;">
+                                        <table class="table table-sm align-middle mb-0">
+                                            <thead>
+                                                <tr>
+                                                    <th style="width: 40px;"><input type="checkbox" id="governance-allowlist-select-all-selected-groups"></th>
+                                                    <th>Group</th>
+                                                    <th style="width: 40px;"></th>
+                                                </tr>
+                                            </thead>
+                                            <tbody id="governance-allowlist-selected-groups"></tbody>
+                                        </table>
+                                    </div>
+                                    <div class="d-flex align-items-center justify-content-between mt-2">
+                                        <div class="small text-muted" id="governance-allowlist-selected-groups-summary"></div>
+                                        <div class="btn-group btn-group-sm" role="group" aria-label="Selected groups pagination">
+                                            <button type="button" class="btn btn-outline-secondary" id="governance-allowlist-selected-groups-prev-btn">Previous</button>
+                                            <button type="button" class="btn btn-outline-secondary" id="governance-allowlist-selected-groups-next-btn">Next</button>
+                                        </div>
+                                    </div>
+                                    <div class="d-flex justify-content-end mt-2 gap-2">
+                                        <button type="button" class="btn btn-sm btn-outline-danger" id="governance-allowlist-remove-selected-groups-btn">Remove Selected</button>
+                                        <button type="button" class="btn btn-sm btn-outline-secondary" id="governance-allowlist-clear-groups-btn">Clear Groups</button>
+                                    </div>
+                                </div>
+                            </div>
+
+                            <hr>
+
+                            <div>
+                                <h6 class="mb-2">CSV Import</h6>
+                                <div class="row g-2 align-items-end">
+                                    <div class="col-md-3">
+                                        <label class="form-label" for="governance-allowlist-csv-target">Target</label>
+                                        <select class="form-select" id="governance-allowlist-csv-target">
+                                            <option value="users">Users</option>
+                                            <option value="groups">Groups</option>
+                                        </select>
+                                    </div>
+                                    <div class="col-md-3">
+                                        <label class="form-label" for="governance-allowlist-csv-mode">Mode</label>
+                                        <select class="form-select" id="governance-allowlist-csv-mode">
+                                            <option value="merge">Merge</option>
+                                            <option value="replace">Replace</option>
+                                        </select>
+                                    </div>
+                                    <div class="col-md-6 d-grid">
+                                        <button type="button" class="btn btn-outline-primary" id="governance-allowlist-csv-apply-btn">Apply CSV</button>
+                                    </div>
+                                </div>
+                                <textarea class="form-control mt-2" id="governance-allowlist-csv-input" rows="4" placeholder="Paste one ID per line or comma-separated IDs"></textarea>
+                                <div class="form-text">Use this for quick bulk updates when IDs are already known.</div>
+                            </div>
+
+                            <div class="small text-muted mt-3" id="governance-allowlist-editor-status"></div>
+                        </div>
+                        <div class="modal-footer">
+                            <button type="button" class="btn btn-secondary" data-bs-dismiss="modal">Cancel</button>
+                            <button type="button" class="btn btn-primary" id="governance-allowlist-save-btn">Apply to Policy</button>
+                        </div>
+                    </div>
+                </div>
+            </div>
+        `;
+
+        const wrapper = document.createElement('div');
+        wrapper.innerHTML = modalMarkup.trim();
+        modalElement = wrapper.firstElementChild;
+        document.body.appendChild(modalElement);
+    }
+
+    if (!governanceAllowListEditorModal) {
+        governanceAllowListEditorModal = bootstrap.Modal.getOrCreateInstance(modalElement);
+    }
+
+    if (!modalElement.dataset.wired) {
+        modalElement.dataset.wired = 'true';
+        wireGovernanceAllowListEditorHandlers();
+    }
+
+    return modalElement;
+}
+
+function setGovernanceAllowListEditorStatus(message) {
+    const normalizedMessage = String(message || '').trim();
+    if (!normalizedMessage) {
+        return;
+    }
+
+    let variant = 'info';
+    if (/failed|error|unable/i.test(normalizedMessage)) {
+        variant = 'danger';
+    } else if (/no\s+csv|enter\s+a\s+user\s+search/i.test(normalizedMessage)) {
+        variant = 'warning';
+    } else if (/added|removed|cleared|completed|updated/i.test(normalizedMessage)) {
+        variant = 'success';
+    }
+
+    showGovernanceToast(normalizedMessage, variant);
+}
+
+function normalizeGovernanceAllowListPageSize(value) {
+    const parsed = Number(value) || GOVERNANCE_ALLOWLIST_PAGE_SIZE_DEFAULT;
+    return GOVERNANCE_ALLOWLIST_PAGE_SIZES.includes(parsed) ? parsed : GOVERNANCE_ALLOWLIST_PAGE_SIZE_DEFAULT;
+}
+
+function resetGovernanceAllowListSelectionViewState() {
+    governanceAllowListSelectionViewState.users.search = '';
+    governanceAllowListSelectionViewState.users.page = 1;
+    governanceAllowListSelectionViewState.users.pageSize = GOVERNANCE_ALLOWLIST_PAGE_SIZE_DEFAULT;
+
+    governanceAllowListSelectionViewState.groups.search = '';
+    governanceAllowListSelectionViewState.groups.page = 1;
+    governanceAllowListSelectionViewState.groups.pageSize = GOVERNANCE_ALLOWLIST_PAGE_SIZE_DEFAULT;
+}
+
+function syncGovernanceAllowListSelectionControls() {
+    const userSearchInput = document.getElementById('governance-allowlist-selected-user-search');
+    const userPageSizeSelect = document.getElementById('governance-allowlist-selected-user-page-size');
+    const groupSearchInput = document.getElementById('governance-allowlist-selected-group-search');
+    const groupPageSizeSelect = document.getElementById('governance-allowlist-selected-group-page-size');
+
+    if (userSearchInput) {
+        userSearchInput.value = governanceAllowListSelectionViewState.users.search;
+    }
+    if (userPageSizeSelect) {
+        userPageSizeSelect.value = String(governanceAllowListSelectionViewState.users.pageSize);
+    }
+    if (groupSearchInput) {
+        groupSearchInput.value = governanceAllowListSelectionViewState.groups.search;
+    }
+    if (groupPageSizeSelect) {
+        groupPageSizeSelect.value = String(governanceAllowListSelectionViewState.groups.pageSize);
+    }
+}
+
+function getGovernanceSelectedIdsByType(listType) {
+    if (!governanceAllowListEditorContext) {
+        return [];
+    }
+    if (listType === 'groups') {
+        return Array.isArray(governanceAllowListEditorContext.workingGroups) ? governanceAllowListEditorContext.workingGroups : [];
+    }
+    return Array.isArray(governanceAllowListEditorContext.workingUsers) ? governanceAllowListEditorContext.workingUsers : [];
+}
+
+function getFilteredGovernanceSelectedIds(listType) {
+    const allIds = getGovernanceSelectedIdsByType(listType);
+    const state = governanceAllowListSelectionViewState[listType];
+    const searchValue = String(state?.search || '').trim().toLowerCase();
+    if (!searchValue) {
+        return allIds;
+    }
+    return allIds.filter((value) => {
+        const idText = String(value || '').toLowerCase();
+        const displayName = String(getGovernanceDisplayName(listType, value) || '').toLowerCase();
+        return idText.includes(searchValue) || displayName.includes(searchValue);
+    });
+}
+
+function truncateGovernanceId(idValue, maxLength = GOVERNANCE_ALLOWLIST_TRUNCATE_ID_LENGTH) {
+    const str = String(idValue || '');
+    if (str.length <= maxLength) {
+        return str;
+    }
+    return str.substring(0, maxLength - 1) + '…';
+}
+
+function getGovernanceDisplayName(listType, idValue) {
+    const cache = governanceAllowListDisplayNameCache[listType] || {};
+    return cache[idValue] || null;
+}
+
+function setGovernanceDisplayName(listType, idValue, displayName) {
+    if (!governanceAllowListDisplayNameCache[listType]) {
+        governanceAllowListDisplayNameCache[listType] = {};
+    }
+    governanceAllowListDisplayNameCache[listType][idValue] = String(displayName || '').trim();
+}
+
+function buildGovernanceUserLabel(user) {
+    const upn = String(user?.userPrincipalName || user?.mail || user?.email || '').trim();
+    const displayName = String(user?.displayName || user?.display_name || upn || '(no name)').trim();
+    if (upn && upn.toLowerCase() !== displayName.toLowerCase()) {
+        return `${displayName} (${upn})`;
+    }
+    return displayName;
+}
+
+async function resolveGovernanceUserLabelById(userId) {
+    try {
+        const users = await governanceLookupUsers(userId);
+        const matchedUser = (Array.isArray(users) ? users : []).find((user) => String(user?.id || '').trim() === userId);
+        if (matchedUser) {
+            return buildGovernanceUserLabel(matchedUser);
+        }
+    } catch {
+        // Fall back to local user info below.
+    }
+
+    try {
+        const response = await fetch(`/api/user/info/${encodeURIComponent(userId)}`, {
+            method: 'GET',
+            headers: { Accept: 'application/json' },
+        });
+        if (!response.ok) {
+            return '';
+        }
+        const payload = await response.json();
+        return buildGovernanceUserLabel(payload || {});
+    } catch {
+        return '';
+    }
+}
+
+async function resolveGovernanceGroupLabelById(groupId) {
+    try {
+        const groups = await governanceLookupGroups(groupId);
+        const matchedGroup = (Array.isArray(groups) ? groups : []).find((group) => String(group?.id || '').trim() === groupId);
+        if (!matchedGroup) {
+            return '';
+        }
+        return String(matchedGroup.name || 'Unnamed Group').trim();
+    } catch {
+        return '';
+    }
+}
+
+async function hydrateGovernanceDisplayNames(listType, ids) {
+    const normalizedIds = uniquePrincipalList(ids);
+    if (normalizedIds.length === 0) {
+        return;
+    }
+
+    const inFlight = governanceAllowListHydrationState[listType] || new Set();
+    const missingIds = normalizedIds.filter((idValue) => {
+        return idValue && !getGovernanceDisplayName(listType, idValue) && !inFlight.has(idValue);
+    });
+
+    if (missingIds.length === 0) {
+        return;
+    }
+
+    missingIds.forEach((idValue) => inFlight.add(idValue));
+    governanceAllowListHydrationState[listType] = inFlight;
+
+    let hasUpdates = false;
+    await Promise.all(missingIds.map(async (idValue) => {
+        try {
+            const resolvedLabel = listType === 'users'
+                ? await resolveGovernanceUserLabelById(idValue)
+                : await resolveGovernanceGroupLabelById(idValue);
+
+            if (resolvedLabel) {
+                setGovernanceDisplayName(listType, idValue, resolvedLabel);
+                hasUpdates = true;
+            }
+        } finally {
+            inFlight.delete(idValue);
+        }
+    }));
+
+    if (hasUpdates && governanceAllowListEditorContext) {
+        renderGovernanceAllowListEditorSelections();
+    }
+}
+
+function renderGovernanceSelectedList(options) {
+    const {
+        listType,
+        containerId,
+        checkboxClass,
+        emptyMessage,
+        summaryId,
+        prevButtonId,
+        nextButtonId,
+    } = options;
+
+    const tbody = document.getElementById(containerId);
+    const summary = document.getElementById(summaryId);
+    const prevButton = document.getElementById(prevButtonId);
+    const nextButton = document.getElementById(nextButtonId);
+    const state = governanceAllowListSelectionViewState[listType];
+
+    if (!tbody || !state) {
+        return;
+    }
+
+    const filteredIds = getFilteredGovernanceSelectedIds(listType);
+    const pageSize = normalizeGovernanceAllowListPageSize(state.pageSize);
+    state.pageSize = pageSize;
+    const totalItems = filteredIds.length;
+    const totalPages = Math.max(1, Math.ceil(totalItems / pageSize));
+    state.page = Math.min(Math.max(1, state.page), totalPages);
+    const startIndex = (state.page - 1) * pageSize;
+    const visibleIds = filteredIds.slice(startIndex, startIndex + pageSize);
+
+    tbody.innerHTML = '';
+    if (visibleIds.length === 0) {
+        const row = document.createElement('tr');
+        const cell = document.createElement('td');
+        cell.colSpan = 3;
+        cell.className = 'text-center text-muted';
+        cell.textContent = emptyMessage;
+        row.appendChild(cell);
+        tbody.appendChild(row);
+    } else {
+        visibleIds.forEach((idValue) => {
+            const row = document.createElement('tr');
+
+            const checkCell = document.createElement('td');
+            const checkbox = document.createElement('input');
+            checkbox.type = 'checkbox';
+            checkbox.className = checkboxClass;
+            checkbox.value = idValue;
+            checkCell.appendChild(checkbox);
+
+            const displayName = getGovernanceDisplayName(listType, idValue);
+            const truncatedId = truncateGovernanceId(idValue);
+            const displayText = displayName ? `${displayName} (${truncatedId})` : truncatedId;
+
+            const infoCell = document.createElement('td');
+            infoCell.className = 'small';
+            infoCell.textContent = displayText;
+            infoCell.title = idValue;
+
+            const copyCell = document.createElement('td');
+            copyCell.className = 'text-center';
+            const copyButton = document.createElement('button');
+            copyButton.type = 'button';
+            copyButton.className = 'btn btn-sm btn-link p-0';
+            copyButton.innerHTML = '<i class="bi bi-clipboard"></i>';
+            copyButton.title = 'Copy ID';
+            copyButton.addEventListener('click', (e) => {
+                e.preventDefault();
+                e.stopPropagation();
+                const originalHtml = copyButton.innerHTML;
+                navigator.clipboard.writeText(idValue).then(() => {
+                    copyButton.innerHTML = '<i class="bi bi-check"></i>';
+                    setTimeout(() => {
+                        copyButton.innerHTML = originalHtml;
+                    }, 1500);
+                }).catch(() => {
+                    copyButton.innerHTML = '<i class="bi bi-x"></i>';
+                    setTimeout(() => {
+                        copyButton.innerHTML = originalHtml;
+                    }, 1500);
+                });
+            });
+            copyCell.appendChild(copyButton);
+
+            row.appendChild(checkCell);
+            row.appendChild(infoCell);
+            row.appendChild(copyCell);
+            tbody.appendChild(row);
+        });
+    }
+
+    if (summary) {
+        const viewStart = totalItems === 0 ? 0 : startIndex + 1;
+        const viewEnd = totalItems === 0 ? 0 : Math.min(startIndex + visibleIds.length, totalItems);
+        summary.textContent = `Showing ${viewStart}-${viewEnd} of ${totalItems} selected (${state.page}/${totalPages}).`;
+    }
+
+    if (prevButton) {
+        prevButton.disabled = state.page <= 1 || totalItems === 0;
+    }
+    if (nextButton) {
+        nextButton.disabled = state.page >= totalPages || totalItems === 0;
+    }
+}
+
+function renderPrincipalIdRows(containerId, ids, checkboxClass, emptyMessage) {
+    const tbody = document.getElementById(containerId);
+    if (!tbody) {
+        return;
+    }
+
+    tbody.innerHTML = '';
+    if (!Array.isArray(ids) || ids.length === 0) {
+        const row = document.createElement('tr');
+        const cell = document.createElement('td');
+        cell.colSpan = 2;
+        cell.className = 'text-center text-muted';
+        cell.textContent = emptyMessage;
+        row.appendChild(cell);
+        tbody.appendChild(row);
+        return;
+    }
+
+    ids.forEach((idValue) => {
+        const row = document.createElement('tr');
+
+        const checkCell = document.createElement('td');
+        const checkbox = document.createElement('input');
+        checkbox.type = 'checkbox';
+        checkbox.className = checkboxClass;
+        checkbox.value = idValue;
+        checkCell.appendChild(checkbox);
+
+        const idCell = document.createElement('td');
+        idCell.textContent = idValue;
+
+        row.appendChild(checkCell);
+        row.appendChild(idCell);
+        tbody.appendChild(row);
+    });
+}
+
+function renderGovernanceAllowListEditorSelections() {
+    if (!governanceAllowListEditorContext) {
+        return;
+    }
+
+    const users = uniquePrincipalList(governanceAllowListEditorContext.workingUsers);
+    const groups = uniquePrincipalList(governanceAllowListEditorContext.workingGroups);
+
+    void hydrateGovernanceDisplayNames('users', users);
+    void hydrateGovernanceDisplayNames('groups', groups);
+
+    renderGovernanceSelectedList({
+        listType: 'users',
+        containerId: 'governance-allowlist-selected-users',
+        checkboxClass: 'governance-selected-user-checkbox',
+        emptyMessage: 'No users selected.',
+        summaryId: 'governance-allowlist-selected-users-summary',
+        prevButtonId: 'governance-allowlist-selected-users-prev-btn',
+        nextButtonId: 'governance-allowlist-selected-users-next-btn',
+    });
+    renderGovernanceSelectedList({
+        listType: 'groups',
+        containerId: 'governance-allowlist-selected-groups',
+        checkboxClass: 'governance-selected-group-checkbox',
+        emptyMessage: 'No groups selected.',
+        summaryId: 'governance-allowlist-selected-groups-summary',
+        prevButtonId: 'governance-allowlist-selected-groups-prev-btn',
+        nextButtonId: 'governance-allowlist-selected-groups-next-btn',
+    });
+}
+
+function renderGovernanceAllowListUserResults(users) {
+    const tbody = document.getElementById('governance-allowlist-user-results');
+    if (!tbody) {
+        return;
+    }
+
+    tbody.innerHTML = '';
+    if (!Array.isArray(users) || users.length === 0) {
+        const row = document.createElement('tr');
+        const cell = document.createElement('td');
+        cell.colSpan = 3;
+        cell.className = 'text-center text-muted';
+        cell.textContent = 'No users found.';
+        row.appendChild(cell);
+        tbody.appendChild(row);
+        return;
+    }
+
+    users.forEach((user) => {
+        const userId = String(user.id || '').trim();
+        const upn = String(user.userPrincipalName || user.mail || user.email || '').trim();
+        const displayName = String(user.displayName || upn || '(no name)').trim();
+        const userLabel = buildGovernanceUserLabel(user);
+
+        if (userId && userLabel) {
+            setGovernanceDisplayName('users', userId, userLabel);
+        }
+
+        const row = document.createElement('tr');
+
+        const selectCell = document.createElement('td');
+        const checkbox = document.createElement('input');
+        checkbox.type = 'checkbox';
+        checkbox.className = 'governance-user-result-checkbox';
+        checkbox.value = userId;
+        checkbox.dataset.displayLabel = userLabel;
+        selectCell.appendChild(checkbox);
+
+        const userCell = document.createElement('td');
+        userCell.textContent = displayName;
+
+        const emailCell = document.createElement('td');
+        emailCell.textContent = upn;
+
+        row.appendChild(selectCell);
+        row.appendChild(userCell);
+        row.appendChild(emailCell);
+        tbody.appendChild(row);
+    });
+}
+
+function renderGovernanceAllowListGroupResults(groups) {
+    const tbody = document.getElementById('governance-allowlist-group-results');
+    if (!tbody) {
+        return;
+    }
+
+    tbody.innerHTML = '';
+    if (!Array.isArray(groups) || groups.length === 0) {
+        const row = document.createElement('tr');
+        const cell = document.createElement('td');
+        cell.colSpan = 3;
+        cell.className = 'text-center text-muted';
+        cell.textContent = 'No groups found.';
+        row.appendChild(cell);
+        tbody.appendChild(row);
+        return;
+    }
+
+    groups.forEach((group) => {
+        const groupId = String(group.id || '').trim();
+        const groupName = String(group.name || 'Unnamed Group');
+
+        if (groupId && groupName) {
+            setGovernanceDisplayName('groups', groupId, groupName);
+        }
+
+        const row = document.createElement('tr');
+
+        const selectCell = document.createElement('td');
+        const checkbox = document.createElement('input');
+        checkbox.type = 'checkbox';
+        checkbox.className = 'governance-group-result-checkbox';
+        checkbox.value = groupId;
+        checkbox.dataset.displayLabel = groupName;
+        selectCell.appendChild(checkbox);
+
+        const nameCell = document.createElement('td');
+        nameCell.textContent = groupName;
+
+        const idCell = document.createElement('td');
+        idCell.textContent = groupId;
+
+        row.appendChild(selectCell);
+        row.appendChild(nameCell);
+        row.appendChild(idCell);
+        tbody.appendChild(row);
+    });
+}
+
+async function loadGovernanceAllowListUserResults() {
+    const searchInput = document.getElementById('governance-allowlist-user-search');
+    const query = String(searchInput?.value || '').trim();
+    if (!query) {
+        setGovernanceAllowListEditorStatus('Enter a user search term.');
+        renderGovernanceAllowListUserResults([]);
+        return;
+    }
+
+    const users = await governanceLookupUsers(query);
+    renderGovernanceAllowListUserResults(users);
+    renderGovernanceAllowListEditorSelections();
+    setGovernanceAllowListEditorStatus('User results updated.');
+}
+
+async function loadGovernanceAllowListGroupResults() {
+    const searchInput = document.getElementById('governance-allowlist-group-search');
+    const query = String(searchInput?.value || '').trim();
+
+    const groups = await governanceLookupGroups(query);
+    renderGovernanceAllowListGroupResults(groups);
+    renderGovernanceAllowListEditorSelections();
+    setGovernanceAllowListEditorStatus('Group results updated.');
+}
+
+function applyGovernanceAllowListToContext() {
+    if (!governanceAllowListEditorContext) {
+        return;
+    }
+
+    const users = uniquePrincipalList(governanceAllowListEditorContext.workingUsers);
+    const groups = uniquePrincipalList(governanceAllowListEditorContext.workingGroups);
+    governanceAllowListEditorContext.setValues(users, groups);
+    governanceAllowListEditorModal?.hide();
+}
+
+function openGovernanceAllowListEditor(context) {
+    if (!context || typeof context.getUsers !== 'function' || typeof context.getGroups !== 'function' || typeof context.setValues !== 'function') {
+        return;
+    }
+
+    ensureGovernanceAllowListEditorModal();
+
+    governanceAllowListEditorContext = {
+        ...context,
+        workingUsers: uniquePrincipalList(context.getUsers()),
+        workingGroups: uniquePrincipalList(context.getGroups()),
+    };
+
+    const title = document.getElementById('governance-allowlist-editor-title');
+    const contextAlert = document.getElementById('governance-allowlist-editor-context');
+    const userSearchInput = document.getElementById('governance-allowlist-user-search');
+    const groupSearchInput = document.getElementById('governance-allowlist-group-search');
+    const csvInput = document.getElementById('governance-allowlist-csv-input');
+
+    if (title) {
+        title.textContent = context.title || 'Edit Allow List';
+    }
+    if (contextAlert) {
+        contextAlert.textContent = context.description || 'Manage users and groups that are explicitly allowed for this policy.';
+    }
+    if (userSearchInput) {
+        userSearchInput.value = '';
+    }
+    if (groupSearchInput) {
+        groupSearchInput.value = '';
+    }
+    if (csvInput) {
+        csvInput.value = '';
+    }
+
+    resetGovernanceAllowListSelectionViewState();
+    syncGovernanceAllowListSelectionControls();
+
+    renderGovernanceAllowListUserResults([]);
+    renderGovernanceAllowListGroupResults([]);
+    renderGovernanceAllowListEditorSelections();
+    setGovernanceAllowListEditorStatus('');
+
+    governanceAllowListEditorModal?.show();
+}
+
+function readCheckedValues(selector) {
+    return Array.from(document.querySelectorAll(selector))
+        .filter((input) => input instanceof HTMLInputElement && input.checked)
+        .map((input) => String(input.value || '').trim())
+        .filter((value) => value);
+}
+
+function toggleCheckboxes(selector, checked) {
+    Array.from(document.querySelectorAll(selector)).forEach((input) => {
+        if (input instanceof HTMLInputElement) {
+            input.checked = checked;
+        }
+    });
+}
+
+function removeCheckedFromList(list, checkedValues) {
+    const valuesToRemove = new Set((checkedValues || []).map((value) => String(value || '').trim()));
+    return (Array.isArray(list) ? list : []).filter((value) => !valuesToRemove.has(String(value || '').trim()));
+}
+
+function wireGovernanceAllowListEditorHandlers() {
+    const userSearchButton = document.getElementById('governance-allowlist-user-search-btn');
+    if (userSearchButton) {
+        userSearchButton.addEventListener('click', async () => {
+            try {
+                await loadGovernanceAllowListUserResults();
+            } catch (error) {
+                setGovernanceAllowListEditorStatus(error.message || 'Failed to load user results.');
+            }
+        });
+    }
+
+    const groupSearchButton = document.getElementById('governance-allowlist-group-search-btn');
+    if (groupSearchButton) {
+        groupSearchButton.addEventListener('click', async () => {
+            try {
+                await loadGovernanceAllowListGroupResults();
+            } catch (error) {
+                setGovernanceAllowListEditorStatus(error.message || 'Failed to load group results.');
+            }
+        });
+    }
+
+    const addSelectedUsersButton = document.getElementById('governance-allowlist-add-selected-users-btn');
+    if (addSelectedUsersButton) {
+        addSelectedUsersButton.addEventListener('click', () => {
+            if (!governanceAllowListEditorContext) {
+                return;
+            }
+            const selectedUserIds = readCheckedValues('.governance-user-result-checkbox');
+            selectedUserIds.forEach((userId) => {
+                const userCheckbox = Array.from(document.querySelectorAll('.governance-user-result-checkbox')).find(
+                    (checkbox) => checkbox.value === userId
+                );
+                const displayLabel = String(userCheckbox?.dataset.displayLabel || '').trim();
+                if (displayLabel) {
+                    setGovernanceDisplayName('users', userId, displayLabel);
+                }
+            });
+            governanceAllowListEditorContext.workingUsers = uniquePrincipalList([...governanceAllowListEditorContext.workingUsers, ...selectedUserIds]);
+            renderGovernanceAllowListEditorSelections();
+            setGovernanceAllowListEditorStatus(`Added ${selectedUserIds.length} user${selectedUserIds.length === 1 ? '' : 's'}.`);
+        });
+    }
+
+    const addSelectedGroupsButton = document.getElementById('governance-allowlist-add-selected-groups-btn');
+    if (addSelectedGroupsButton) {
+        addSelectedGroupsButton.addEventListener('click', () => {
+            if (!governanceAllowListEditorContext) {
+                return;
+            }
+            const selectedGroupIds = readCheckedValues('.governance-group-result-checkbox');
+            selectedGroupIds.forEach((groupId) => {
+                const groupCheckbox = Array.from(document.querySelectorAll('.governance-group-result-checkbox')).find(
+                    (checkbox) => checkbox.value === groupId
+                );
+                const displayLabel = String(groupCheckbox?.dataset.displayLabel || '').trim();
+                if (displayLabel) {
+                    setGovernanceDisplayName('groups', groupId, displayLabel);
+                }
+            });
+            governanceAllowListEditorContext.workingGroups = uniquePrincipalList([...governanceAllowListEditorContext.workingGroups, ...selectedGroupIds]);
+            renderGovernanceAllowListEditorSelections();
+            setGovernanceAllowListEditorStatus(`Added ${selectedGroupIds.length} group${selectedGroupIds.length === 1 ? '' : 's'}.`);
+        });
+    }
+
+    const removeSelectedUsersButton = document.getElementById('governance-allowlist-remove-selected-users-btn');
+    if (removeSelectedUsersButton) {
+        removeSelectedUsersButton.addEventListener('click', () => {
+            if (!governanceAllowListEditorContext) {
+                return;
+            }
+            const selectedUserIds = readCheckedValues('.governance-selected-user-checkbox');
+            governanceAllowListEditorContext.workingUsers = removeCheckedFromList(governanceAllowListEditorContext.workingUsers, selectedUserIds);
+            renderGovernanceAllowListEditorSelections();
+            setGovernanceAllowListEditorStatus(`Removed ${selectedUserIds.length} user${selectedUserIds.length === 1 ? '' : 's'}.`);
+        });
+    }
+
+    const removeSelectedGroupsButton = document.getElementById('governance-allowlist-remove-selected-groups-btn');
+    if (removeSelectedGroupsButton) {
+        removeSelectedGroupsButton.addEventListener('click', () => {
+            if (!governanceAllowListEditorContext) {
+                return;
+            }
+            const selectedGroupIds = readCheckedValues('.governance-selected-group-checkbox');
+            governanceAllowListEditorContext.workingGroups = removeCheckedFromList(governanceAllowListEditorContext.workingGroups, selectedGroupIds);
+            renderGovernanceAllowListEditorSelections();
+            setGovernanceAllowListEditorStatus(`Removed ${selectedGroupIds.length} group${selectedGroupIds.length === 1 ? '' : 's'}.`);
+        });
+    }
+
+    const clearUsersButton = document.getElementById('governance-allowlist-clear-users-btn');
+    if (clearUsersButton) {
+        clearUsersButton.addEventListener('click', () => {
+            if (!governanceAllowListEditorContext) {
+                return;
+            }
+            governanceAllowListEditorContext.workingUsers = [];
+            renderGovernanceAllowListEditorSelections();
+            setGovernanceAllowListEditorStatus('Cleared selected users.');
+        });
+    }
+
+    const clearGroupsButton = document.getElementById('governance-allowlist-clear-groups-btn');
+    if (clearGroupsButton) {
+        clearGroupsButton.addEventListener('click', () => {
+            if (!governanceAllowListEditorContext) {
+                return;
+            }
+            governanceAllowListEditorContext.workingGroups = [];
+            renderGovernanceAllowListEditorSelections();
+            setGovernanceAllowListEditorStatus('Cleared selected groups.');
+        });
+    }
+
+    const csvApplyButton = document.getElementById('governance-allowlist-csv-apply-btn');
+    if (csvApplyButton) {
+        csvApplyButton.addEventListener('click', () => {
+            if (!governanceAllowListEditorContext) {
+                return;
+            }
+
+            const targetSelect = document.getElementById('governance-allowlist-csv-target');
+            const modeSelect = document.getElementById('governance-allowlist-csv-mode');
+            const csvInput = document.getElementById('governance-allowlist-csv-input');
+            const target = String(targetSelect?.value || 'users');
+            const mode = String(modeSelect?.value || 'merge');
+            const importedValues = uniquePrincipalList(parseCsvPrincipalLines(csvInput?.value || ''));
+
+            if (importedValues.length === 0) {
+                setGovernanceAllowListEditorStatus('No CSV values detected.');
+                return;
+            }
+
+            if (target === 'groups') {
+                governanceAllowListEditorContext.workingGroups = mode === 'replace'
+                    ? importedValues
+                    : uniquePrincipalList([...governanceAllowListEditorContext.workingGroups, ...importedValues]);
+            } else {
+                governanceAllowListEditorContext.workingUsers = mode === 'replace'
+                    ? importedValues
+                    : uniquePrincipalList([...governanceAllowListEditorContext.workingUsers, ...importedValues]);
+            }
+
+            renderGovernanceAllowListEditorSelections();
+            setGovernanceAllowListEditorStatus(`CSV ${mode} completed for ${target}. Imported ${importedValues.length} ID${importedValues.length === 1 ? '' : 's'}.`);
+        });
+    }
+
+    const saveButton = document.getElementById('governance-allowlist-save-btn');
+    if (saveButton) {
+        saveButton.addEventListener('click', () => {
+            applyGovernanceAllowListToContext();
+        });
+    }
+
+    const selectedUserSearchInput = document.getElementById('governance-allowlist-selected-user-search');
+    if (selectedUserSearchInput) {
+        selectedUserSearchInput.addEventListener('input', () => {
+            governanceAllowListSelectionViewState.users.search = String(selectedUserSearchInput.value || '').trim();
+            governanceAllowListSelectionViewState.users.page = 1;
+            renderGovernanceAllowListEditorSelections();
+        });
+    }
+
+    const selectedGroupSearchInput = document.getElementById('governance-allowlist-selected-group-search');
+    if (selectedGroupSearchInput) {
+        selectedGroupSearchInput.addEventListener('input', () => {
+            governanceAllowListSelectionViewState.groups.search = String(selectedGroupSearchInput.value || '').trim();
+            governanceAllowListSelectionViewState.groups.page = 1;
+            renderGovernanceAllowListEditorSelections();
+        });
+    }
+
+    const selectedUserPageSizeSelect = document.getElementById('governance-allowlist-selected-user-page-size');
+    if (selectedUserPageSizeSelect) {
+        selectedUserPageSizeSelect.addEventListener('change', () => {
+            governanceAllowListSelectionViewState.users.pageSize = normalizeGovernanceAllowListPageSize(selectedUserPageSizeSelect.value);
+            governanceAllowListSelectionViewState.users.page = 1;
+            renderGovernanceAllowListEditorSelections();
+        });
+    }
+
+    const selectedGroupPageSizeSelect = document.getElementById('governance-allowlist-selected-group-page-size');
+    if (selectedGroupPageSizeSelect) {
+        selectedGroupPageSizeSelect.addEventListener('change', () => {
+            governanceAllowListSelectionViewState.groups.pageSize = normalizeGovernanceAllowListPageSize(selectedGroupPageSizeSelect.value);
+            governanceAllowListSelectionViewState.groups.page = 1;
+            renderGovernanceAllowListEditorSelections();
+        });
+    }
+
+    const selectedUsersPrevButton = document.getElementById('governance-allowlist-selected-users-prev-btn');
+    if (selectedUsersPrevButton) {
+        selectedUsersPrevButton.addEventListener('click', () => {
+            governanceAllowListSelectionViewState.users.page = Math.max(1, governanceAllowListSelectionViewState.users.page - 1);
+            renderGovernanceAllowListEditorSelections();
+        });
+    }
+
+    const selectedUsersNextButton = document.getElementById('governance-allowlist-selected-users-next-btn');
+    if (selectedUsersNextButton) {
+        selectedUsersNextButton.addEventListener('click', () => {
+            governanceAllowListSelectionViewState.users.page += 1;
+            renderGovernanceAllowListEditorSelections();
+        });
+    }
+
+    const selectedGroupsPrevButton = document.getElementById('governance-allowlist-selected-groups-prev-btn');
+    if (selectedGroupsPrevButton) {
+        selectedGroupsPrevButton.addEventListener('click', () => {
+            governanceAllowListSelectionViewState.groups.page = Math.max(1, governanceAllowListSelectionViewState.groups.page - 1);
+            renderGovernanceAllowListEditorSelections();
+        });
+    }
+
+    const selectedGroupsNextButton = document.getElementById('governance-allowlist-selected-groups-next-btn');
+    if (selectedGroupsNextButton) {
+        selectedGroupsNextButton.addEventListener('click', () => {
+            governanceAllowListSelectionViewState.groups.page += 1;
+            renderGovernanceAllowListEditorSelections();
+        });
+    }
+
+    const selectAllMappings = [
+        ['governance-allowlist-select-all-user-results', '.governance-user-result-checkbox'],
+        ['governance-allowlist-select-all-group-results', '.governance-group-result-checkbox'],
+        ['governance-allowlist-select-all-selected-users', '.governance-selected-user-checkbox'],
+        ['governance-allowlist-select-all-selected-groups', '.governance-selected-group-checkbox'],
+    ];
+
+    selectAllMappings.forEach(([masterId, checkboxSelector]) => {
+        const master = document.getElementById(masterId);
+        if (!master) {
+            return;
+        }
+        master.addEventListener('change', () => {
+            toggleCheckboxes(checkboxSelector, master.checked);
+        });
+    });
+}
+
+async function loadItemPolicies() {
+    const tbody = document.getElementById('governance-item-policies-body');
+    if (!tbody) {
+        return;
+    }
+
+    const response = await fetch('/api/admin/governance/item-policies', {
+        method: 'GET',
+        headers: {
+            Accept: 'application/json',
+        },
+    });
+
+    if (!response.ok) {
+        throw new Error('Unable to load governance item policies.');
+    }
+
+    const payload = await response.json();
+    const itemPolicies = Array.isArray(payload.item_policies) ? payload.item_policies : [];
+
+    tbody.innerHTML = '';
+    itemPolicies.forEach((policy) => {
+        tbody.appendChild(buildItemPolicyRow(policy));
+    });
+}
+
+async function saveItemPolicy(event) {
+    if (event && typeof event.preventDefault === 'function') {
+        event.preventDefault();
+    }
+
+    const entityTypeInput = document.getElementById('governance-item-entity-type');
+    const itemIdInput = document.getElementById('governance-item-id');
+    const allowAllInput = document.getElementById('governance-item-allow-all');
+    const usersInput = document.getElementById('governance-item-users');
+    const groupsInput = document.getElementById('governance-item-groups');
+
+    if (!entityTypeInput || !itemIdInput || !allowAllInput || !usersInput || !groupsInput) {
+        return;
+    }
+
+    const entityType = String(entityTypeInput.value || '').trim();
+    const itemId = String(itemIdInput.value || '').trim();
+
+    if (!entityType || !itemId) {
+        setGovernanceStatus('Entity type and item ID are required for item governance policies.', 'warning');
+        return;
+    }
+
+    const payload = {
+        allow_all: allowAllInput.checked,
+        allowed_users: allowAllInput.checked ? [] : splitPrincipalList(usersInput.value),
+        allowed_groups: allowAllInput.checked ? [] : splitPrincipalList(groupsInput.value),
+    };
+
+    const response = await fetch(
+        `/api/admin/governance/item-policies/${encodeURIComponent(entityType)}/${encodeURIComponent(itemId)}`,
+        {
+            method: 'PUT',
+            headers: {
+                'Content-Type': 'application/json',
+                Accept: 'application/json',
+            },
+            body: JSON.stringify(payload),
+        }
+    );
+
+    if (!response.ok) {
+        throw new Error('Unable to save item governance policy.');
+    }
+
+    await loadItemPolicies();
+    const reviewModalElement = document.getElementById('governance-item-policies-review-modal');
+    if (reviewModalElement?.classList.contains('show')) {
+        await loadGovernanceItemPolicyReview();
+    }
+    updateItemAllowListSummary();
+    clearGovernanceStatus();
+    showGovernanceToast('Item governance policy saved successfully.', 'success');
+}
+
+function wireGovernanceHandlers() {
+    Object.keys(GOVERNANCE_FEATURE_LABELS).forEach((featureKey) => {
+        const featureToggle = getGovernanceFeatureToggle(featureKey);
+        if (!featureToggle) {
+            return;
+        }
+        featureToggle.addEventListener('change', () => {
+            syncGovernanceFeaturePolicyVisibility();
+        });
+    });
+
+    const featurePolicyTableBody = document.getElementById('governance-feature-policies-body');
+    if (featurePolicyTableBody) {
+        featurePolicyTableBody.addEventListener('change', (event) => {
+            const target = event.target;
+            if (!(target instanceof HTMLInputElement)) {
+                return;
+            }
+            if (target.classList.contains('governance-allow-all')) {
+                const row = target.closest('tr');
+                applyFeatureAllowAllUiState(row);
+            }
+        });
+
+        featurePolicyTableBody.addEventListener('click', (event) => {
+            const target = event.target;
+            const editButton = target instanceof HTMLElement ? target.closest('.governance-edit-feature-allowlist-btn') : null;
+            if (!editButton) {
+                return;
+            }
+
+            const row = editButton.closest('tr');
+            const usersInput = getGovernanceUsersInputForFeatureRow(row);
+            const groupsInput = getGovernanceGroupsInputForFeatureRow(row);
+            const featureKey = String(row?.dataset?.featureKey || '').trim();
+            if (!usersInput || !groupsInput || !featureKey) {
+                return;
+            }
+
+            openGovernanceAllowListEditor({
+                title: `Edit Allow List: ${GOVERNANCE_FEATURE_LABELS[featureKey] || featureKey}`,
+                description: 'Manage explicitly allowed users and groups for this feature policy.',
+                getUsers: () => splitPrincipalList(usersInput.value),
+                getGroups: () => splitPrincipalList(groupsInput.value),
+                setValues: (users, groups) => {
+                    usersInput.value = joinPrincipalList(users);
+                    groupsInput.value = joinPrincipalList(groups);
+                    const allowAllInput = getGovernanceFeatureAllowAllInput(row);
+                    if (allowAllInput) {
+                        allowAllInput.checked = false;
+                    }
+                    applyFeatureAllowAllUiState(row);
+                },
+            });
+        });
+    }
+
+    const saveFeaturePoliciesButton = document.getElementById('governance-save-feature-policies-btn');
+    if (saveFeaturePoliciesButton) {
+        saveFeaturePoliciesButton.addEventListener('click', async () => {
+            clearGovernanceStatus();
+            try {
+                await saveFeaturePolicies();
+            } catch (error) {
+                setGovernanceStatus(error.message || 'Failed to save feature policies.', 'danger');
+            }
+        });
+    }
+
+    const saveItemPolicyButton = document.getElementById('governance-save-item-policy-btn');
+    if (saveItemPolicyButton) {
+        saveItemPolicyButton.addEventListener('click', async (event) => {
+            clearGovernanceStatus();
+            try {
+                await saveItemPolicy(event);
+            } catch (error) {
+                setGovernanceStatus(error.message || 'Failed to save item policy.', 'danger');
+            }
+        });
+    }
+
+    const itemEntityTypeInput = getItemEntityTypeInput();
+    if (itemEntityTypeInput) {
+        itemEntityTypeInput.addEventListener('change', async () => {
+            const entityType = String(itemEntityTypeInput.value || '').trim();
+            await refreshGovernanceItemLookup(entityType, false, '');
+        });
+    }
+
+    const itemLookupRefreshButton = document.getElementById('governance-item-id-refresh-btn');
+    if (itemLookupRefreshButton) {
+        itemLookupRefreshButton.addEventListener('click', async () => {
+            const entityType = String(getItemEntityTypeInput()?.value || '').trim();
+            await refreshGovernanceItemLookup(entityType, true, String(getItemIdInput()?.value || '').trim());
+        });
+    }
+
+    const itemAllowAllInput = getItemAllowAllInput();
+    if (itemAllowAllInput) {
+        itemAllowAllInput.addEventListener('change', () => {
+            applyItemAllowAllUiState();
+        });
+    }
+
+    const itemEditAllowListButton = document.getElementById('governance-edit-item-allowlist-btn');
+    if (itemEditAllowListButton) {
+        itemEditAllowListButton.addEventListener('click', () => {
+            const usersInput = getItemUsersInput();
+            const groupsInput = getItemGroupsInput();
+            const entityTypeInput = document.getElementById('governance-item-entity-type');
+            const itemIdInput = document.getElementById('governance-item-id');
+
+            if (!usersInput || !groupsInput) {
+                return;
+            }
+
+            const entityType = String(entityTypeInput?.value || '').trim();
+            const itemId = String(itemIdInput?.value || '').trim();
+            const contextSuffix = entityType && itemId
+                ? ` (${GOVERNANCE_ITEM_ENTITY_LABELS[entityType] || entityType}: ${itemId})`
+                : '';
+
+            openGovernanceAllowListEditor({
+                title: `Edit Delegated Item Allow List${contextSuffix}`,
+                description: 'Manage explicitly allowed users and groups for this delegated item policy.',
+                getUsers: () => splitPrincipalList(usersInput.value),
+                getGroups: () => splitPrincipalList(groupsInput.value),
+                setValues: (users, groups) => {
+                    usersInput.value = joinPrincipalList(users);
+                    groupsInput.value = joinPrincipalList(groups);
+                    const allowAllInput = getItemAllowAllInput();
+                    if (allowAllInput) {
+                        allowAllInput.checked = false;
+                    }
+                    applyItemAllowAllUiState();
+                },
+            });
+        });
+    }
+
+    const refreshItemPoliciesButton = document.getElementById('governance-refresh-item-policies-btn');
+    if (refreshItemPoliciesButton) {
+        refreshItemPoliciesButton.addEventListener('click', async () => {
+            clearGovernanceStatus();
+            try {
+                await loadItemPolicies();
+                setGovernanceStatus('Item governance policies refreshed.', 'info');
+            } catch (error) {
+                setGovernanceStatus(error.message || 'Failed to refresh item policies.', 'danger');
+            }
+        });
+    }
+
+    const reviewItemPoliciesButton = document.getElementById('governance-review-item-policies-btn');
+    if (reviewItemPoliciesButton) {
+        reviewItemPoliciesButton.addEventListener('click', () => {
+            clearGovernanceStatus();
+            openGovernanceItemReviewModal();
+        });
+    }
+
+    const reviewSearchButton = document.getElementById('governance-item-review-search-btn');
+    if (reviewSearchButton) {
+        reviewSearchButton.addEventListener('click', async () => {
+            const searchInput = document.getElementById('governance-item-review-search');
+            const entityTypeSelect = document.getElementById('governance-item-review-entity-type');
+            const pageSizeSelect = document.getElementById('governance-item-review-page-size');
+            governanceItemReviewState.search = String(searchInput?.value || '').trim();
+            governanceItemReviewState.entityType = String(entityTypeSelect?.value || '').trim();
+            governanceItemReviewState.perPage = Math.max(1, Number(pageSizeSelect?.value || GOVERNANCE_ITEM_REVIEW_DEFAULT_PAGE_SIZE) || GOVERNANCE_ITEM_REVIEW_DEFAULT_PAGE_SIZE);
+            governanceItemReviewState.page = 1;
+            syncGovernanceItemReviewControls();
+            try {
+                await loadGovernanceItemPolicyReview();
+            } catch (error) {
+                setGovernanceStatus(error.message || 'Failed to search delegated item policies.', 'danger');
+            }
+        });
+    }
+
+    const reviewResetButton = document.getElementById('governance-item-review-reset-btn');
+    if (reviewResetButton) {
+        reviewResetButton.addEventListener('click', async () => {
+            governanceItemReviewState.search = '';
+            governanceItemReviewState.entityType = '';
+            governanceItemReviewState.page = 1;
+            governanceItemReviewState.perPage = GOVERNANCE_ITEM_REVIEW_DEFAULT_PAGE_SIZE;
+            syncGovernanceItemReviewControls();
+            try {
+                await loadGovernanceItemPolicyReview();
+            } catch (error) {
+                setGovernanceStatus(error.message || 'Failed to reset delegated item policy filters.', 'danger');
+            }
+        });
+    }
+
+    const reviewPrevButton = document.getElementById('governance-item-review-prev-btn');
+    if (reviewPrevButton) {
+        reviewPrevButton.addEventListener('click', async () => {
+            if (governanceItemReviewState.page <= 1) {
+                return;
+            }
+            governanceItemReviewState.page -= 1;
+            syncGovernanceItemReviewControls();
+            try {
+                await loadGovernanceItemPolicyReview();
+            } catch (error) {
+                setGovernanceStatus(error.message || 'Failed to load previous delegated item policy page.', 'danger');
+            }
+        });
+    }
+
+    const reviewNextButton = document.getElementById('governance-item-review-next-btn');
+    if (reviewNextButton) {
+        reviewNextButton.addEventListener('click', async () => {
+            governanceItemReviewState.page += 1;
+            syncGovernanceItemReviewControls();
+            try {
+                await loadGovernanceItemPolicyReview();
+            } catch (error) {
+                setGovernanceStatus(error.message || 'Failed to load next delegated item policy page.', 'danger');
+            }
+        });
+    }
+}
+
+async function initializeGovernanceTab() {
+    if (!document.getElementById('governance')) {
+        return;
+    }
+
+    wireGovernanceHandlers();
+    clearGovernanceStatus();
+
+    ensureGovernanceItemReviewModal();
+    ensureGovernanceAllowListEditorModal();
+
+    try {
+        await loadFeaturePolicies();
+        await loadItemPolicies();
+        const initialEntityType = String(getItemEntityTypeInput()?.value || 'global_agent').trim();
+        await refreshGovernanceItemLookup(initialEntityType, false, String(getItemIdInput()?.value || '').trim());
+        applyItemAllowAllUiState();
+    } catch (error) {
+        setGovernanceStatus(error.message || 'Unable to initialize governance settings.', 'danger');
+    }
+}
+
+document.addEventListener('DOMContentLoaded', () => {
+    initializeGovernanceTab();
+});
diff --git a/application/single_app/templates/_sidebar_nav.html b/application/single_app/templates/_sidebar_nav.html
index d26cdfb42..ace3323b9 100644
--- a/application/single_app/templates/_sidebar_nav.html
+++ b/application/single_app/templates/_sidebar_nav.html
@@ -519,6 +519,11 @@
               <i class="bi bi-speedometer2 me-2"></i><span class="nav-text">Control Center</span>
             </a>
           </li>
+          <li class="nav-item">
+            <a class="nav-link d-flex align-items-center admin-nav-tab" href="#" data-tab="governance">
+              <i class="bi bi-shield-lock me-2"></i><span class="nav-text">Governance</span>
+            </a>
+          </li>
           <li class="nav-item">
             <a class="nav-link d-flex align-items-center admin-nav-tab" href="#" data-tab="workspaces">
               <i class="bi bi-folder me-2"></i><span class="nav-text">Workspaces</span>
diff --git a/application/single_app/templates/admin_settings.html b/application/single_app/templates/admin_settings.html
index 2afbb6bbd..7e88f4d2e 100644
--- a/application/single_app/templates/admin_settings.html
+++ b/application/single_app/templates/admin_settings.html
@@ -947,6 +947,13 @@ <h4>12. Enhanced Citations and Image Generation</h4>
                 </button>
             </li>
 
+            <li class="nav-item" role="presentation">
+                <button class="nav-link" id="governance-tab" data-bs-toggle="tab" data-bs-target="#governance"
+                    type="button" role="tab" aria-controls="governance" aria-selected="false">
+                    Governance
+                </button>
+            </li>
+
             <li class="nav-item" role="presentation">
                 <button class="nav-link" id="logging-tab" data-bs-toggle="tab" data-bs-target="#logging" 
                     type="button" role="tab" aria-controls="logging" aria-selected="false">
@@ -1295,6 +1302,173 @@ <h6 class="mb-2">Core Action Toggles</h6>
             </div>
 
 
+            <!-- Governance Tab Content -->
+            <div class="tab-pane fade" id="governance" role="tabpanel" aria-labelledby="governance-tab">
+                <p class="text-muted">
+                    Configure governance enforcement for endpoint, agent, and action creation or usage. Governance is disabled by default and only enforced when toggled on.
+                </p>
+
+                <div class="card p-3 mb-3" id="governance-feature-toggles-section">
+                    <h5>
+                        <i class="bi bi-shield-lock me-2"></i>Governance Feature Toggles
+                    </h5>
+                    <p class="text-muted">Turn on governance checks for each feature area. Save with the main Settings button to persist these toggles.</p>
+
+                    <div class="row">
+                        <div class="col-md-4">
+                            <div class="fw-semibold mb-2">User Scope</div>
+                            <div class="form-check form-switch mb-2">
+                                <input class="form-check-input" type="checkbox" role="switch" id="governance_user_endpoints" name="governance_user_endpoints" {% if settings.governance_user_endpoints %}checked{% endif %}>
+                                <label class="form-check-label ms-2" for="governance_user_endpoints">Govern User Endpoints</label>
+                            </div>
+                            <div class="form-check form-switch mb-2">
+                                <input class="form-check-input" type="checkbox" role="switch" id="governance_user_agents" name="governance_user_agents" {% if settings.governance_user_agents %}checked{% endif %}>
+                                <label class="form-check-label ms-2" for="governance_user_agents">Govern User Agents</label>
+                            </div>
+                            <div class="form-check form-switch mb-2">
+                                <input class="form-check-input" type="checkbox" role="switch" id="governance_user_actions" name="governance_user_actions" {% if settings.governance_user_actions %}checked{% endif %}>
+                                <label class="form-check-label ms-2" for="governance_user_actions">Govern User Actions</label>
+                            </div>
+                        </div>
+                        <div class="col-md-4">
+                            <div class="fw-semibold mb-2">Group Scope</div>
+                            <div class="form-check form-switch mb-2">
+                                <input class="form-check-input" type="checkbox" role="switch" id="governance_group_endpoints" name="governance_group_endpoints" {% if settings.governance_group_endpoints %}checked{% endif %}>
+                                <label class="form-check-label ms-2" for="governance_group_endpoints">Govern Group Endpoints</label>
+                            </div>
+                            <div class="form-check form-switch mb-2">
+                                <input class="form-check-input" type="checkbox" role="switch" id="governance_group_agents" name="governance_group_agents" {% if settings.governance_group_agents %}checked{% endif %}>
+                                <label class="form-check-label ms-2" for="governance_group_agents">Govern Group Agents</label>
+                            </div>
+                            <div class="form-check form-switch mb-2">
+                                <input class="form-check-input" type="checkbox" role="switch" id="governance_group_actions" name="governance_group_actions" {% if settings.governance_group_actions %}checked{% endif %}>
+                                <label class="form-check-label ms-2" for="governance_group_actions">Govern Group Actions</label>
+                            </div>
+                        </div>
+                        <div class="col-md-4">
+                            <div class="fw-semibold mb-2">Global Scope</div>
+                            <div class="form-check form-switch mb-2">
+                                <input class="form-check-input" type="checkbox" role="switch" id="governance_global_endpoints" name="governance_global_endpoints" {% if settings.governance_global_endpoints %}checked{% endif %}>
+                                <label class="form-check-label ms-2" for="governance_global_endpoints">Govern Global Endpoints</label>
+                            </div>
+                            <div class="form-check form-switch mb-2">
+                                <input class="form-check-input" type="checkbox" role="switch" id="governance_global_agents_usage" name="governance_global_agents_usage" {% if settings.governance_global_agents_usage %}checked{% endif %}>
+                                <label class="form-check-label ms-2" for="governance_global_agents_usage">Govern Global Agents</label>
+                            </div>
+                            <div class="form-check form-switch mb-2">
+                                <input class="form-check-input" type="checkbox" role="switch" id="governance_global_actions_usage" name="governance_global_actions_usage" {% if settings.governance_global_actions_usage %}checked{% endif %}>
+                                <label class="form-check-label ms-2" for="governance_global_actions_usage">Govern Global Actions</label>
+                            </div>
+                        </div>
+                    </div>
+                </div>
+
+                <div class="card p-3 mb-3" id="governance-feature-policies-section">
+                    <div class="d-flex justify-content-between align-items-center mb-2">
+                        <h5 class="mb-0"><i class="bi bi-sliders2 me-2"></i>Feature Policies</h5>
+                        <button type="button" class="btn btn-primary btn-sm" id="governance-save-feature-policies-btn">Save Feature Policies</button>
+                    </div>
+                    <p class="text-muted">Set allow-all or explicit allowlists for each governed feature.</p>
+                    <div class="table-responsive">
+                        <table class="table table-bordered" id="governance-feature-policies-table">
+                            <thead>
+                                <tr>
+                                    <th>Feature</th>
+                                    <th>Allow All</th>
+                                    <th>Allowed Users (Entra IDs)</th>
+                                    <th>Allowed Groups (Workspace IDs)</th>
+                                </tr>
+                            </thead>
+                            <tbody id="governance-feature-policies-body"></tbody>
+                        </table>
+                    </div>
+                </div>
+
+                <div class="card p-3 mb-3" id="governance-item-policies-section">
+                    <div class="d-flex justify-content-between align-items-center mb-2">
+                        <h5 class="mb-0"><i class="bi bi-list-check me-2"></i>Delegated Item Policies</h5>
+                        <div class="d-flex gap-2">
+                            <button type="button" class="btn btn-outline-primary btn-sm" id="governance-review-item-policies-btn">Review Configured List</button>
+                            <button type="button" class="btn btn-outline-secondary btn-sm" id="governance-refresh-item-policies-btn">Refresh</button>
+                        </div>
+                    </div>
+                    <p class="text-muted">Manage per-item governance for global endpoints, agents, and actions that admins delegate to specific users or groups.</p>
+
+                    <div id="governance-item-policy-form" class="border rounded p-3 bg-body-tertiary mb-3">
+                        <div class="row g-3 align-items-start">
+                            <div class="col-lg-3 col-md-4">
+                                <label class="form-label" for="governance-item-entity-type">Entity Type</label>
+                                <select class="form-select" id="governance-item-entity-type">
+                                    <option value="global_agent" selected>Global Agent</option>
+                                    <option value="global_action">Global Action</option>
+                                    <option value="endpoint">Endpoint</option>
+                                </select>
+                            </div>
+                            <div class="col-lg-5 col-md-8">
+                                <label class="form-label" for="governance-item-id">Delegated Item</label>
+                                <div class="input-group">
+                                    <select class="form-select" id="governance-item-id">
+                                        <option value="">Loading items...</option>
+                                    </select>
+                                    <button type="button" class="btn btn-outline-secondary" id="governance-item-id-refresh-btn" title="Refresh lookup" aria-label="Refresh delegated item lookup">
+                                        <i class="bi bi-arrow-clockwise"></i>
+                                    </button>
+                                </div>
+                                <div class="form-text" id="governance-item-id-status">Choose an entity type to load available delegated items.</div>
+                            </div>
+                            <div class="col-lg-2 col-md-4">
+                                <label class="form-label" for="governance-item-allow-all">Access</label>
+                                <div class="border rounded px-3 py-2 bg-body h-100 d-flex align-items-center">
+                                    <div class="form-check form-switch mb-0">
+                                        <input class="form-check-input" type="checkbox" role="switch" id="governance-item-allow-all" checked>
+                                        <label class="form-check-label ms-2" for="governance-item-allow-all">Allow All</label>
+                                    </div>
+                                </div>
+                            </div>
+                            <div class="col-lg-2 col-md-4 d-grid">
+                                <label class="form-label invisible" aria-hidden="true">Save</label>
+                                <button type="button" class="btn btn-primary" id="governance-save-item-policy-btn">Save Item Policy</button>
+                            </div>
+                        </div>
+
+                        <div class="row g-3 mt-2 pt-3 border-top d-none" id="governance-item-allowed-principals-controls">
+                            <div class="col-lg-9">
+                                <label class="form-label" for="governance-item-allowlist-summary">Allowed Principals</label>
+                                <input type="text" class="form-control" id="governance-item-allowlist-summary" placeholder="No explicit users or groups configured" readonly>
+                            </div>
+                            <div class="col-lg-3 d-grid align-items-end">
+                                <button type="button" class="btn btn-outline-primary" id="governance-edit-item-allowlist-btn">Edit List</button>
+                            </div>
+                        </div>
+
+                        <div class="d-none" aria-hidden="true">
+                            <input type="text" class="form-control" id="governance-item-users" placeholder="user-id-1,user-id-2">
+                            <input type="text" class="form-control" id="governance-item-groups" placeholder="group-id-1,group-id-2">
+                        </div>
+                    </div>
+
+                    
+
+                    <div class="table-responsive d-none">
+                        <table class="table table-sm table-striped" id="governance-item-policies-table">
+                            <thead>
+                                <tr>
+                                    <th>Entity Type</th>
+                                    <th>Item ID</th>
+                                    <th>Allow All</th>
+                                    <th>Allowed Users</th>
+                                    <th>Allowed Groups</th>
+                                    <th>Actions</th>
+                                </tr>
+                            </thead>
+                            <tbody id="governance-item-policies-body"></tbody>
+                        </table>
+                    </div>
+                </div>
+
+                <div id="governance-status" class="alert d-none" role="alert"></div>
+            </div>
+
             <!-- Logging Tab Content -->
             <div class="tab-pane fade" id="logging" role="tabpanel" aria-labelledby="logging-tab">
                 <p class="text-muted">
@@ -6493,6 +6667,7 @@ <h5 class="modal-title" id="userAgreementPreviewModalLabel">
 </script>
 <script type="module" src="{{ url_for('static', filename='js/admin/admin_settings.js') }}"></script>
 <script type="module" src="{{ url_for('static', filename='js/admin/admin_model_endpoints.js') }}"></script>
+<script type="module" src="{{ url_for('static', filename='js/admin/admin_governance.js') }}"></script>
 <script type="module" src="{{ url_for('static', filename='js/admin/admin_sidebar_nav.js') }}"></script>
 <script type="module" src="{{ url_for('static', filename='js/plugin_modal_stepper.js') }}"></script>
 {% if settings.enable_semantic_kernel %}
diff --git a/application/single_app/templates/group_workspaces.html b/application/single_app/templates/group_workspaces.html
index 05c8be619..a8ae733f0 100644
--- a/application/single_app/templates/group_workspaces.html
+++ b/application/single_app/templates/group_workspaces.html
@@ -796,6 +796,8 @@ <h2 class="workspace-page-title">Group Workspace</h2>
       role="tabpanel"
       aria-labelledby="group-agents-tab-btn"
     >
+      {% if settings.allow_group_agents %}
+      {% if workspace_governance.group_agents %}
       <div class="card p-3 my-3">
         <div class="d-flex justify-content-between align-items-center mb-2">
           <div class="d-flex align-items-center gap-2">
@@ -847,6 +849,16 @@ <h2 class="workspace-page-title">Group Workspace</h2>
         <div id="group-agents-grid-view" class="row g-3 d-none"></div>
       </div>
       <div id="group-agents-error"></div>
+      {% else %}
+      <div class="alert alert-warning text-center my-4">
+        Group agents are disabled by governance for your account. Please contact your admin.
+      </div>
+      {% endif %}
+      {% else %}
+      <div class="alert alert-warning text-center my-4">
+        Group agents are currently disabled. Please ask your admin to enable agents for group workspaces.
+      </div>
+      {% endif %}
     </div>
     <!-- End GROUP AGENTS TAB -->
 
@@ -858,6 +870,7 @@ <h2 class="workspace-page-title">Group Workspace</h2>
       role="tabpanel"
       aria-labelledby="group-plugins-tab-btn"
     >
+      {% if workspace_governance.group_actions %}
       <div id="group-plugins-permission-warning" class="alert alert-warning d-none mt-3">
         You do not have permission to manage group actions.
       </div>
@@ -905,6 +918,11 @@ <h2 class="workspace-page-title">Group Workspace</h2>
           <div id="group-plugins-grid-view" class="row g-3 d-none"></div>
         </div>
       </template>
+      {% else %}
+      <div class="alert alert-warning text-center my-4">
+        Group actions are disabled by governance for your account. Please contact your admin.
+      </div>
+      {% endif %}
     </div>
     <!-- End GROUP ACTIONS TAB -->
     {% endif %}
@@ -917,6 +935,7 @@ <h2 class="workspace-page-title">Group Workspace</h2>
       role="tabpanel"
       aria-labelledby="group-endpoints-tab-btn"
     >
+      {% if workspace_governance.group_endpoints %}
       <!-- Group Model Endpoints -->
       <div class="card p-3 my-3" id="group-multi-endpoint-configuration">
         <h6 class="mb-2"><i class="bi bi-hdd-network me-2"></i>Group Model Endpoints</h6>
@@ -951,6 +970,11 @@ <h6 class="mb-0">Group Endpoints</h6>
         </div>
         <input type="hidden" id="model_endpoints_json" />
       </div>
+      {% else %}
+      <div class="alert alert-warning text-center my-4">
+        Group endpoints are disabled by governance for your account. Please contact your admin.
+      </div>
+      {% endif %}
     </div>
     <!-- End GROUP ENDPOINTS TAB -->
     {% endif %}
@@ -1032,7 +1056,9 @@ <h5 class="mb-3"><i class="bi bi-hourglass-split me-2"></i>Retention Policy Sett
 </div>
 <!-- End Container -->
 
+{% if settings.enable_semantic_kernel and settings.allow_group_custom_endpoints and settings.enable_multi_model_endpoints and workspace_governance.group_endpoints %}
 {% include '_multiendpoint_modal.html' %}
+{% endif %}
 <!-- Item View Modal (shared by agents & actions grid/list view buttons) -->
 <div class="modal fade" id="item-view-modal" tabindex="-1" aria-labelledby="item-view-modal-title" aria-hidden="true">
   <div class="modal-dialog modal-lg modal-dialog-scrollable">
@@ -1250,10 +1276,16 @@ <h5 class="modal-title" id="docMetadataModalLabel">
   </div>
 </div>
 
-{% if settings.enable_semantic_kernel and (settings.allow_group_agents or settings.allow_group_plugins) %}
+{% set load_group_agent_modal = settings.enable_semantic_kernel and settings.allow_group_agents and workspace_governance.group_agents %}
+{% set load_group_action_modal = settings.enable_semantic_kernel and settings.allow_group_plugins and workspace_governance.group_actions %}
+{% if load_group_agent_modal or load_group_action_modal %}
 <div>
+  {% if load_group_agent_modal %}
   {% include "_agent_modal.html" %}
+  {% endif %}
+  {% if load_group_action_modal %}
   {% include "_plugin_modal.html" %}
+  {% endif %}
 </div>
 {% endif %}
 
@@ -1530,7 +1562,7 @@ <h5 class="modal-title" id="groupTagSelectionModalLabel">Select Tags</h5>
   window.workspaceModelEndpoints = {{ group_model_endpoints|default([], true)|tojson|safe }};
   window.globalModelEndpoints = {{ global_model_endpoints|default([], true)|tojson|safe }};
 </script>
-{% if settings.enable_semantic_kernel and settings.allow_group_custom_endpoints and settings.enable_multi_model_endpoints %}
+{% if settings.enable_semantic_kernel and settings.allow_group_custom_endpoints and settings.enable_multi_model_endpoints and workspace_governance.group_endpoints %}
 <script type="module" src="{{ url_for('static', filename='js/workspace/workspace_model_endpoints.js') }}"></script>
 {% endif %}
 
@@ -5777,11 +5809,11 @@ <h5 class="alert-heading">
   })();
 
 </script>
-{% if settings.enable_semantic_kernel and settings.allow_group_agents %}
+{% if settings.enable_semantic_kernel and settings.allow_group_agents and workspace_governance.group_agents %}
 <script type="module" src="/static/js/agents_common.js"></script>
 <script type="module" src="/static/js/workspace/group_agents.js"></script>
 {% endif %}
-{% if settings.enable_semantic_kernel and settings.allow_group_plugins %}
+{% if settings.enable_semantic_kernel and settings.allow_group_plugins and workspace_governance.group_actions %}
 <script type="module" src="/static/js/plugin_modal_stepper.js"></script>
 <script type="module" src="/static/js/workspace/group_plugins.js"></script>
 {% endif %}
diff --git a/application/single_app/templates/workspace.html b/application/single_app/templates/workspace.html
index 01c171ce3..ae842b70b 100644
--- a/application/single_app/templates/workspace.html
+++ b/application/single_app/templates/workspace.html
@@ -897,6 +897,7 @@ <h2 class="workspace-page-title">Personal Workspace</h2>
         aria-labelledby="agents-tab-btn"
       >
         {% if settings.allow_user_agents %}
+          {% if workspace_governance.user_agents %}
           <div class="tab-pane-inner">
             <div class="card p-3 my-3">
               <div class="d-flex justify-content-between align-items-center mb-2">
@@ -936,6 +937,11 @@ <h2 class="workspace-page-title">Personal Workspace</h2>
             </div>
             <div id="workspace-agents-error"></div>
           </div>
+          {% else %}
+          <div class="alert alert-warning text-center my-4">
+            Personal agents are disabled by governance for your account. Please contact your admin.
+          </div>
+          {% endif %}
         {% else %}
           <div class="alert alert-warning text-center my-4">
             Custom User Agents are currently disabled. Please ask your admin to enable agents for your workspace.
@@ -954,6 +960,7 @@ <h2 class="workspace-page-title">Personal Workspace</h2>
         aria-labelledby="plugins-tab-btn"
       >
         {% if settings.allow_user_plugins %}
+          {% if workspace_governance.user_actions %}
           <div id="workspace-plugins-root"></div>
           <!-- Actions Table Template (hidden) -->
           <template id="plugins-table-template">
@@ -983,6 +990,11 @@ <h2 class="workspace-page-title">Personal Workspace</h2>
               <div id="plugins-grid-view" class="row g-3 d-none"></div>
             </div>
           </template>
+          {% else %}
+          <div class="alert alert-warning text-center my-4">
+            Personal actions are disabled by governance for your account. Please contact your admin.
+          </div>
+          {% endif %}
         {% else %}
           <div class="alert alert-warning text-center my-4">
             Custom User Actions are currently disabled. Please ask your admin to enable actions for your workspace.
@@ -999,6 +1011,7 @@ <h2 class="workspace-page-title">Personal Workspace</h2>
         role="tabpanel"
         aria-labelledby="endpoints-tab-btn"
       >
+        {% if workspace_governance.user_endpoints %}
         <div class="tab-pane-inner">
           <!-- Workspace Model Endpoints -->
           <div class="card p-3 my-3" id="workspace-multi-endpoint-configuration">
@@ -1035,6 +1048,11 @@ <h6 class="mb-0">Your Endpoints</h6>
             <input type="hidden" id="model_endpoints_json" />
           </div>
         </div>
+        {% else %}
+        <div class="alert alert-warning text-center my-4">
+          Personal endpoints are disabled by governance for your account. Please contact your admin.
+        </div>
+        {% endif %}
       </div>
       <!-- End ENDPOINTS TAB -->
       {% endif %}
@@ -1044,7 +1062,9 @@ <h6 class="mb-0">Your Endpoints</h6>
   </div>
   <!--</div>-->
 
+  {% if settings.allow_user_custom_endpoints and settings.enable_multi_model_endpoints and workspace_governance.user_endpoints %}
   {% include '_multiendpoint_modal.html' %}
+  {% endif %}
   <!-- Shared Item View Modal (read-only details for agents/actions) -->
   <div class="modal fade" id="item-view-modal" tabindex="-1" aria-labelledby="item-view-modal-label" aria-hidden="true">
     <div class="modal-dialog modal-lg modal-dialog-scrollable">
@@ -1418,15 +1438,23 @@ <h5 class="modal-title" id="tagSelectionModalLabel">Select Tags</h5>
   </div>
 </div>
 
+{% set load_user_agent_modal = settings.per_user_semantic_kernel and settings.enable_semantic_kernel and settings.allow_user_agents and workspace_governance.user_agents %}
+{% set load_user_action_modal = settings.per_user_semantic_kernel and settings.enable_semantic_kernel and settings.allow_user_plugins and workspace_governance.user_actions %}
+{% if load_user_agent_modal or load_user_action_modal %}
 <div>
   <!-- Modal for Creating/Editing Agent -->
 
+  {% if load_user_agent_modal %}
   {% include "_agent_modal.html" %}
+  {% endif %}
 
   <!-- Modal for Creating/Editing Plugin -->
 
+  {% if load_user_action_modal %}
   {% include "_plugin_modal.html" %}
+  {% endif %}
 </div>
+{% endif %}
 
 <!-- Share Document Modal -->
 <div class="modal fade" id="shareDocumentModal" tabindex="-1" aria-hidden="true" autocomplete="off" data-lpignore="true" data-1p-ignore="true" data-bwignore="true">
@@ -1605,9 +1633,11 @@ <h5 class="modal-title" id="approveSharedModalLabel">Approve Shared Document</h5
 
 {% block scripts %}
   {{ super() }}
-  {% if settings.per_user_semantic_kernel and settings.enable_semantic_kernel %}
+  {% if settings.per_user_semantic_kernel and settings.enable_semantic_kernel and settings.allow_user_agents and workspace_governance.user_agents %}
     <script type="module" src="/static/js/agents_common.js"></script>
     <script type="module" src="/static/js/workspace/workspace_agents.js"></script>
+  {% endif %}
+  {% if settings.per_user_semantic_kernel and settings.enable_semantic_kernel and settings.allow_user_plugins and workspace_governance.user_actions %}
     <script type="module" src="/static/js/workspace/workspace_plugins.js"></script>
   {% endif %}
   <script>
@@ -1616,7 +1646,7 @@ <h5 class="modal-title" id="approveSharedModalLabel">Approve Shared Document</h5
       window.workspaceModelEndpoints = {{ personal_model_endpoints|default([], true)|tojson|safe }};
       window.globalModelEndpoints = {{ global_model_endpoints|default([], true)|tojson|safe }};
   </script>
-  {% if settings.per_user_semantic_kernel and settings.enable_semantic_kernel and settings.allow_user_custom_endpoints and settings.enable_multi_model_endpoints %}
+  {% if settings.per_user_semantic_kernel and settings.enable_semantic_kernel and settings.allow_user_custom_endpoints and settings.enable_multi_model_endpoints and workspace_governance.user_endpoints %}
   <script type="module" src="{{ url_for('static', filename='js/workspace/workspace_model_endpoints.js') }}"></script>
   {% endif %}
   <!-- <script src="https://cdn.jsdelivr.net/npm/simplemde/dist/simplemde.min.js"></script>
diff --git a/docs/explanation/features/v0.242.001/GOVERNANCE.md b/docs/explanation/features/v0.242.001/GOVERNANCE.md
new file mode 100644
index 000000000..3098cab54
--- /dev/null
+++ b/docs/explanation/features/v0.242.001/GOVERNANCE.md
@@ -0,0 +1,372 @@
+# Governance
+
+Implemented/Updated in version: **0.242.011**
+
+## Overview
+
+Governance provides administrative controls for limiting access to user, group, and global resources across endpoints, agents, and actions. It combines coarse feature-level controls with optional delegated item-level controls so administrators can decide whether a capability is open to all users or restricted to explicit users and groups.
+
+The current implementation keeps backend enforcement as the source of truth. Frontend governance UI and Jinja rendering gates improve user experience by hiding disabled workspace modules before their JavaScript loads, but they are not treated as the authorization boundary.
+
+## Purpose
+
+Governance is intended to:
+
+- Restrict access to user endpoints, group endpoints, global endpoints, user agents, group agents, global agent usage, user actions, group actions, and global action usage.
+- Support allow lists containing explicit user IDs and group IDs.
+- Support delegated item policies for specific endpoints, global agents, and global actions.
+- Provide admin tooling that scales to large allow lists.
+- Minimize repeated governance reads on hot API paths through request-level memoization and short-lived process caching.
+
+## Dependencies
+
+- Flask backend routes and decorators for authenticated admin/user access.
+- Cosmos DB containers for feature policies and item policies.
+- Existing settings keys that enable or disable governance checks.
+- Microsoft Graph-backed user lookup through `/api/userSearch`.
+- Group discovery through `/api/groups/discover`.
+- Bootstrap 5 modals, tables, forms, and toasts.
+- `functions_governance.py` for policy normalization, enforcement, and caching.
+- `app_settings_cache.py` for local or Redis-backed governance cache versioning.
+
+## Feature Policies
+
+Feature policies are keyed by governance setting names. Each policy stores:
+
+- `allow_all`: whether every authenticated user can access the feature when governance is enabled.
+- `allowed_users`: explicit user IDs allowed when `allow_all` is false.
+- `allowed_groups`: explicit group or workspace IDs allowed when `allow_all` is false.
+- audit metadata such as `updated_by` and `updated_at`.
+
+Supported feature policy keys:
+
+- `governance_user_endpoints`
+- `governance_group_endpoints`
+- `governance_global_endpoints`
+- `governance_user_agents`
+- `governance_group_agents`
+- `governance_global_agents_usage`
+- `governance_user_actions`
+- `governance_group_actions`
+- `governance_global_actions_usage`
+
+If a governance setting is disabled, the enforcement helper exits early and allows access. If the setting is enabled, the related feature policy must pass.
+
+## Delegated Item Policies
+
+Item policies add a second layer of control for specific delegated resources. Supported item entity types are:
+
+- `endpoint`
+- `global_agent`
+- `global_action`
+
+Item policies use the same `allow_all`, `allowed_users`, and `allowed_groups` structure as feature policies. During enforcement, the user must pass the feature policy first and then the item policy when one is provided.
+
+## Admin API Endpoints
+
+Governance administration is exposed through these backend routes:
+
+- `GET /api/admin/governance/policies`
+- `PUT /api/admin/governance/policies/<feature_key>`
+- `GET /api/admin/governance/item-policies`
+- `GET /api/admin/governance/item-policies/review`
+- `PUT /api/admin/governance/item-policies/<entity_type>/<item_id>`
+
+All governance admin routes are protected with Swagger security, login enforcement, and admin authorization.
+
+## Enforcement Flow
+
+Backend enforcement is centralized in `ensure_governance_access()` in `application/single_app/functions_governance.py`.
+
+The flow is:
+
+1. Normalize the feature key, user ID, optional item entity type, and optional item ID.
+2. Check request-level cache for an already-approved decision.
+3. Read settings and exit early if the relevant governance setting is disabled.
+4. Resolve the user's governance group IDs from group workspaces and public workspaces.
+5. Read and evaluate the feature policy.
+6. If an item entity type and item ID are provided, read and evaluate the item policy.
+7. Cache successful decisions for the remainder of the request.
+8. Raise `PermissionError` if the feature or item policy blocks access.
+
+The policy pass rules are:
+
+- `allow_all` passes immediately.
+- Empty `allowed_users` and `allowed_groups` passes for backwards-compatible default behavior.
+- The user passes if their user ID is explicitly listed.
+- The user passes if any of their resolved group/workspace IDs intersects the allowed group list.
+
+## Cache Strategy
+
+Governance is called from hot API paths, so the implementation includes two cache layers.
+
+### Request-Level Memoization
+
+Request-level cache is stored on Flask `g` using the `simplechat_governance_request_cache` attribute. It avoids repeated reads within the same HTTP request for:
+
+- settings
+- feature policies
+- item policies
+- user governance group IDs
+- successful access decisions
+
+This is the safest cache layer because it naturally expires at the end of each request.
+
+### Short-Lived Process Cache
+
+A process-level cache stores feature policies, item policies, and user governance group IDs for `60` seconds. Cache entries are deep-copied on read/write to avoid mutation leaks between callers.
+
+Process cache keys include the data type and normalized identifiers, for example:
+
+- `("feature_policy", feature_key)`
+- `("item_policy", entity_type, item_id)`
+- `("user_governance_group_ids", user_id)`
+
+The cache is guarded by an `RLock`. Each entry is stamped with the current shared governance cache version before it is stored. On read, entries are trusted only when their stamped version matches the current shared governance version and the entry has not expired.
+
+### Shared Governance Cache Version
+
+The governance cache version is exposed through `app_settings_cache.py`:
+
+- `get_governance_cache_version()`
+- `bump_governance_cache_version()`
+
+The backing store is selected automatically by the existing app cache configuration:
+
+- Redis disabled or unavailable: version is stored in local process memory.
+- Redis enabled and app cache configured successfully: version is stored in Redis under `GOVERNANCE_CACHE_VERSION` and bumped with Redis `INCR`.
+
+This keeps the governance process cache fast while allowing Redis-enabled deployments to invalidate stale process-cache entries across App Service instances and workers.
+
+### Invalidation
+
+`invalidate_governance_cache()` bumps the shared cache version and clears the current process cache. It is called when:
+
+- a feature policy is upserted
+- an item policy is upserted
+- default feature policies are bootstrapped
+
+When Redis is enabled, other processes observe the bumped shared version before trusting their local process-cache entries. Stale entries are dropped lazily on their next read. When Redis is disabled or unavailable, the version is process-local and other processes converge when their short TTL expires.
+
+## Admin UI
+
+Governance administration is hosted in the Admin Settings governance tab.
+
+Major UI areas include:
+
+- Governance feature toggles grouped by User, Group, and Global scope.
+- Feature policy table for all configured governance feature keys.
+- Delegated item policy form for endpoints, global agents, and global actions.
+- Delegated item review modal with search, entity-type filtering, paging, and page size selection.
+- Allow-list editor modal for managing users and groups.
+- Bootstrap toast notifications for governance status messages.
+
+Governance feature toggles also control the visible Feature Policies table. When a governance feature toggle is disabled, its matching policy row is hidden. Re-enabling the toggle immediately shows that policy row again.
+
+## Delegated Item Lookup
+
+The item policy editor uses dropdown lookup data instead of requiring admins to type IDs manually.
+
+Lookup behavior:
+
+- Endpoints are resolved from admin settings model endpoint data available on the page.
+- Global agents are loaded from `/api/admin/agents`.
+- Global actions are loaded from `/api/admin/plugins`.
+- The refresh button reloads lookup values for the selected entity type.
+- Empty or failed lookups show status text near the delegated item selector.
+
+Delegated item policies are saved through a dedicated JavaScript handler instead of a nested HTML form, so saving a delegated item rule updates the governance item policy API rather than submitting the full Admin Settings form.
+
+Existing delegated item policies can be edited from the configured-list review modal. The modal row action loads the selected policy back into the delegated item editor, including entity type, item ID, allow-all state, and explicit users/groups, then automatically opens the allow-list editor modal.
+
+Existing delegated item policies can also be deleted from the review modal. Deletion uses a Bootstrap confirmation modal, calls the delegated item policy DELETE API, clears matching editor state, refreshes the configured policy list, and writes governance audit activity.
+
+The configured-list review modal shows hydrated user and group labels above the raw IDs. User entries show the best available display name and UPN/email, while group entries show group names. Raw IDs remain visible below the labels for traceability.
+
+## Workspace Jinja Gating
+
+Personal and group workspace templates receive a `workspace_governance` render-context object with the current user's feature-level governance decisions for agents, actions, and endpoints.
+
+When a workspace feature is enabled in settings but governance blocks the current user:
+
+- the tab remains available so the user sees why the module is unavailable;
+- the tab body renders a Bootstrap warning message explaining that the capability is disabled by governance;
+- the matching agent, action, or endpoint module JavaScript is not loaded;
+- creation/edit modals for the disabled module are not rendered;
+- endpoint lists passed to the browser are filtered through both feature and delegated endpoint item policies before sanitization.
+
+Backend API routes still enforce governance for all affected operations. The Jinja gating only prevents unnecessary UI module loading and gives users a clearer disabled state.
+
+## Allow-List Editor
+
+The allow-list editor supports both lookup-based and bulk workflows.
+
+User lookup:
+
+- Searches by display name or email through `/api/userSearch`.
+- Displays user name and email/UPN in the lookup result table.
+- Adds selected users to the working allow list.
+
+Group lookup:
+
+- Searches groups through `/api/groups/discover`.
+- Group discovery now matches group ID as well as name and description so existing selected group IDs can hydrate names.
+- Displays group name and group ID in the lookup result table.
+- Adds selected groups to the working allow list.
+
+CSV import:
+
+- Accepts one ID per line or comma-separated IDs.
+- Can target users or groups.
+- Supports merge and replace modes.
+
+## Selected User and Group List Scalability
+
+Selected allow lists are designed to stay usable with large lists.
+
+Scalability controls include:
+
+- Search within selected users and selected groups.
+- Independent pagination state for users and groups.
+- Page size options: `10`, `25`, `50`, and `100`.
+- Bounded table height with internal scrolling.
+- Previous and Next controls with disabled states at boundaries.
+- Summary text showing the currently visible range and total selected count.
+
+Search matches both raw IDs and hydrated display labels when labels are available.
+
+## Selected Row Display
+
+Selected user rows display the best available user label before the ID:
+
+- display name plus UPN/email when both are available
+- UPN/email when no display name is available
+- raw ID as fallback
+
+Selected group rows display the group name before the ID when available.
+
+Long IDs are truncated in the visible row to protect table layout. The full ID remains available through the row tooltip and the copy button.
+
+Each selected row includes a copy button that writes the full ID to the clipboard and briefly changes the icon to confirm the copy action.
+
+## Metadata Hydration
+
+Existing policies can contain raw user and group IDs without names. The allow-list editor performs best-effort metadata hydration when selected lists render.
+
+User hydration:
+
+- First tries `/api/userSearch` with the selected user ID.
+- Falls back to `/api/user/info/<user_id>`.
+- Stores display name and UPN/email in the selected-list display cache.
+
+Group hydration:
+
+- Uses `/api/groups/discover` with the selected group ID.
+- Stores the group name in the selected-list display cache.
+
+Hydration is de-duplicated with in-flight tracking so repeated renders do not launch duplicate lookup requests for the same ID.
+
+## Frontend Governance Adherence
+
+Chat-facing agent and model option lists are filtered through backend governance before they are sent to the browser.
+
+Agent UI filtering applies to:
+
+- preloaded chat agent dropdown options
+- retry dialog agent options returned from user and group agent list endpoints
+- global agent usage policy and global agent item policies
+- user and group agent feature policies
+
+Model/endpoint UI filtering applies to:
+
+- global model endpoints through `governance_global_endpoints`
+- user custom model endpoints through `governance_user_endpoints`
+- group custom model endpoints through `governance_group_endpoints`
+- endpoint item policies for all endpoint scopes when an endpoint ID is available
+
+This filtering is a user-experience improvement only. Backend enforcement remains the final authorization boundary for selected agent and endpoint use.
+
+## Toast Notifications
+
+Governance UI status messages use Bootstrap toast popups.
+
+Toast handling covers:
+
+- feature policy save success
+- item policy save success
+- refresh messages
+- search/load failures
+- allow-list add/remove/clear messages
+- CSV import results
+- validation warnings
+
+A small inline fallback remains for degraded cases where Bootstrap toast support or the toast container is unavailable.
+
+## File Structure
+
+Primary implementation files:
+
+- `application/single_app/functions_governance.py`
+- `application/single_app/app_settings_cache.py`
+- `application/single_app/route_backend_governance.py`
+- `application/single_app/route_backend_agents.py`
+- `application/single_app/route_backend_models.py`
+- `application/single_app/route_backend_chats.py`
+- `application/single_app/route_frontend_chats.py`
+- `application/single_app/static/js/admin/admin_governance.js`
+- `application/single_app/templates/admin_settings.html`
+- `application/single_app/route_backend_groups.py`
+- `application/single_app/route_backend_users.py`
+
+Primary validation files:
+
+- `functional_tests/test_governance_route_and_wiring_coverage.py`
+- `ui_tests/test_admin_governance_tab.py`
+
+## Security Notes
+
+- Backend enforcement remains mandatory and centralized in `ensure_governance_access()`.
+- Frontend controls and filtered option lists are only for administration and user experience; they are not authorization boundaries.
+- Governance admin routes require login and admin access.
+- The cache stores policy and membership decisions server-side only; it does not push full governance rules into user tokens.
+- Cache invalidation happens centrally after policy updates.
+- Redis-enabled deployments use a shared governance cache version for cross-process invalidation.
+- Redis-disabled deployments rely on the short TTL for cross-process cache convergence.
+
+## Testing and Validation
+
+Current validation includes:
+
+- governance route registration and guard checks
+- enforcement hook coverage across changed backend routes
+- cache optimization hook coverage
+- admin governance tab UI test coverage
+- JavaScript diagnostics for governance UI changes
+
+Latest verified test commands:
+
+```bash
+python -m pytest functional_tests/test_governance_route_and_wiring_coverage.py -q
+python -m pytest ui_tests/test_admin_governance_tab.py -q
+```
+
+Expected current result:
+
+- functional governance coverage passes
+- admin governance UI test may be skipped in environments where the UI preconditions are not available
+
+## Known Limitations
+
+- Redis-backed cross-process invalidation depends on Redis being enabled and successfully configured for the app cache.
+- If Redis is disabled or falls back to local memory, cross-process or cross-instance invalidation is bounded by the `60` second TTL.
+- Frontend option filtering exists for chat agent/model choices, but backend enforcement remains mandatory for all protected operations.
+- User and group display names are best-effort metadata and may fall back to raw IDs if lookups fail.
+- Clipboard copy requires browser clipboard API support.
+
+## Future Enhancements
+
+Recommended next steps:
+
+- Add a broader frontend governance bootstrap endpoint for non-chat UI gating without repeated per-control calls.
+- Add telemetry counters for cache hit/miss rates and policy block decisions.
+- Add focused tests for cache invalidation behavior with mocked governance containers.
diff --git a/functional_tests/test_admin_agent_default_model_migration.py b/functional_tests/test_admin_agent_default_model_migration.py
index 65dc516b9..99e99afc8 100644
--- a/functional_tests/test_admin_agent_default_model_migration.py
+++ b/functional_tests/test_admin_agent_default_model_migration.py
@@ -2,8 +2,8 @@
 #!/usr/bin/env python3
 """
 Functional test for admin agent default-model migration workflow.
-Version: 0.240.075
-Implemented in: 0.240.073
+Version: 0.241.022
+Implemented in: 0.240.073; 0.241.022
 
 This test ensures admin APIs and the AI Models admin page expose a preview and
 selection-driven migration workflow for legacy agents and future default-model
@@ -13,6 +13,16 @@
 import os
 
 
+def parse_version(version_text):
+    parts = version_text.split(".")
+    if len(parts) != 3:
+        raise AssertionError(f"Invalid version format: {version_text}")
+    try:
+        return tuple(int(part) for part in parts)
+    except ValueError as exc:
+        raise AssertionError(f"Version contains non-numeric segments: {version_text}") from exc
+
+
 def read_file_text(file_path):
     with open(file_path, "r", encoding="utf-8") as file:
         return file.read()
@@ -121,8 +131,15 @@ def test_admin_agent_default_model_migration_wiring():
     assert "openAdminSettingsTab" in admin_settings_js_content, (
         "Expected admin settings JS to expose a reusable tab navigation helper for cross-links."
     )
-    assert 'VERSION = "0.240.075"' in config_content, (
-        "Expected config.py version 0.240.075 after the workspace agent chat launch selection fix."
+    version_line = next(
+        (line.strip() for line in config_content.splitlines() if line.strip().startswith("VERSION = ")),
+        "",
+    )
+    assert version_line, "Expected config.py to define VERSION."
+    current_version = version_line.split("=", 1)[1].strip().strip('"')
+    minimum_version = "0.240.075"
+    assert parse_version(current_version) >= parse_version(minimum_version), (
+        f"Expected config.py version >= {minimum_version}, found {current_version}."
     )
 
     print("✅ Admin agent default-model migration wiring verified.")
diff --git a/functional_tests/test_governance_activity_logging.py b/functional_tests/test_governance_activity_logging.py
new file mode 100644
index 000000000..1debb4a70
--- /dev/null
+++ b/functional_tests/test_governance_activity_logging.py
@@ -0,0 +1,143 @@
+# test_governance_activity_logging.py
+#!/usr/bin/env python3
+"""
+Functional test for governance activity logging and policy mutation behavior.
+Version: 0.241.010
+Implemented in: 0.241.010
+
+This test ensures that governance changes create activity log records with
+activity_type/type set to governance and include detailed before/after fields.
+"""
+
+import os
+import sys
+
+
+CURRENT_DIR = os.path.dirname(os.path.abspath(__file__))
+SINGLE_APP_DIR = os.path.join(CURRENT_DIR, "..", "application", "single_app")
+if SINGLE_APP_DIR not in sys.path:
+    sys.path.append(SINGLE_APP_DIR)
+
+import functions_activity_logging as activity_logging
+import functions_governance as governance
+
+
+class _InMemoryContainer:
+    def __init__(self):
+        self.items = {}
+
+    def read_item(self, item, partition_key):
+        if item not in self.items:
+            raise KeyError(item)
+        return self.items[item]
+
+    def upsert_item(self, body):
+        item_id = str(body.get("id") or "").strip()
+        if not item_id:
+            raise ValueError("id is required")
+        self.items[item_id] = dict(body)
+        return self.items[item_id]
+
+
+def test_log_governance_change_payload_shape():
+    print("Testing governance activity log payload shape...")
+
+    captured_records = []
+
+    class _CaptureContainer:
+        def create_item(self, body):
+            captured_records.append(body)
+
+    original_container = activity_logging.cosmos_activity_logs_container
+    try:
+        activity_logging.cosmos_activity_logs_container = _CaptureContainer()
+
+        activity_logging.log_governance_change(
+            admin_user_id="admin-123",
+            admin_email="admin@example.com",
+            action="feature_policy_updated",
+            scope="feature_policy",
+            target_id="feature:governance_user_agents",
+            before_state={"allow_all": True},
+            after_state={"allow_all": False},
+            change_details={"users_added": ["user-a"]},
+        )
+
+        assert len(captured_records) == 1, "Expected exactly one governance activity record"
+        record = captured_records[0]
+
+        assert record.get("activity_type") == "governance", "activity_type must be governance"
+        assert record.get("type") == "governance", "type must be governance"
+
+        governance_change = record.get("governance_change") or {}
+        assert governance_change.get("before") == {"allow_all": True}, "before payload mismatch"
+        assert governance_change.get("after") == {"allow_all": False}, "after payload mismatch"
+        assert governance_change.get("details") == {"users_added": ["user-a"]}, "details payload mismatch"
+
+        print("PASS: governance activity payload includes required governance fields")
+        return True
+    finally:
+        activity_logging.cosmos_activity_logs_container = original_container
+
+
+def test_upsert_feature_policy_emits_detailed_diff():
+    print("Testing governance feature policy diff generation...")
+
+    original_container = governance.cosmos_governance_policies_container
+    original_logger = governance.log_governance_change
+
+    captured_logs = []
+
+    def _capture_log(**kwargs):
+        captured_logs.append(kwargs)
+
+    try:
+        governance.cosmos_governance_policies_container = _InMemoryContainer()
+        governance.log_governance_change = _capture_log
+
+        updated = governance.upsert_feature_policy(
+            feature_key="governance_user_agents",
+            payload={
+                "allow_all": False,
+                "allowed_users": ["user-1", "user-2"],
+                "allowed_groups": ["group-1"],
+            },
+            actor_user_id="admin-xyz",
+            actor_email="admin@example.com",
+        )
+
+        assert updated.get("allow_all") is False, "allow_all was not updated"
+        assert sorted(updated.get("allowed_users", [])) == ["user-1", "user-2"], "allowed_users mismatch"
+        assert updated.get("allowed_groups") == ["group-1"], "allowed_groups mismatch"
+
+        assert len(captured_logs) == 1, "Expected one governance log event"
+        details = captured_logs[0].get("change_details") or {}
+        assert details.get("allow_all", {}).get("before") is True, "diff.before allow_all mismatch"
+        assert details.get("allow_all", {}).get("after") is False, "diff.after allow_all mismatch"
+        assert details.get("users_added") == ["user-1", "user-2"], "users_added mismatch"
+        assert details.get("groups_added") == ["group-1"], "groups_added mismatch"
+
+        print("PASS: governance feature policy emits detailed diff data")
+        return True
+    finally:
+        governance.cosmos_governance_policies_container = original_container
+        governance.log_governance_change = original_logger
+
+
+if __name__ == "__main__":
+    tests = [
+        test_log_governance_change_payload_shape,
+        test_upsert_feature_policy_emits_detailed_diff,
+    ]
+    results = []
+
+    for test in tests:
+        try:
+            results.append(test())
+        except Exception as exc:
+            print(f"FAIL: {test.__name__} -> {exc}")
+            results.append(False)
+
+    passed = sum(1 for result in results if result)
+    print(f"Results: {passed}/{len(results)} tests passed")
+    sys.exit(0 if all(results) else 1)
diff --git a/functional_tests/test_governance_enforcement_logic.py b/functional_tests/test_governance_enforcement_logic.py
new file mode 100644
index 000000000..cbac63d21
--- /dev/null
+++ b/functional_tests/test_governance_enforcement_logic.py
@@ -0,0 +1,138 @@
+# test_governance_enforcement_logic.py
+#!/usr/bin/env python3
+"""
+Functional test for governance enforcement logic.
+Version: 0.241.010
+Implemented in: 0.241.010
+
+This test ensures ensure_governance_access correctly allows and denies access
+based on feature toggles, feature policies, item policies, and caller groups.
+"""
+
+import os
+import sys
+
+
+CURRENT_DIR = os.path.dirname(os.path.abspath(__file__))
+SINGLE_APP_DIR = os.path.join(CURRENT_DIR, "..", "application", "single_app")
+if SINGLE_APP_DIR not in sys.path:
+    sys.path.append(SINGLE_APP_DIR)
+
+import functions_governance as governance
+
+
+def test_ensure_governance_access_allows_when_feature_toggle_disabled():
+    print("Testing governance access bypass when feature toggle is disabled...")
+
+    original_get_settings = governance.get_settings
+    original_get_feature_policy = governance.get_feature_policy
+
+    def _settings_disabled():
+        return {"governance_user_agents": False}
+
+    def _deny_policy(_):
+        return {
+            "allow_all": False,
+            "allowed_users": [],
+            "allowed_groups": [],
+        }
+
+    try:
+        governance.get_settings = _settings_disabled
+        governance.get_feature_policy = _deny_policy
+
+        # Should not raise because governance feature toggle is disabled.
+        governance.ensure_governance_access("governance_user_agents", "user-1")
+        print("PASS: feature toggle disabled bypassed governance checks")
+        return True
+    finally:
+        governance.get_settings = original_get_settings
+        governance.get_feature_policy = original_get_feature_policy
+
+
+def test_ensure_governance_access_enforces_feature_and_item_policies():
+    print("Testing governance feature and item policy enforcement...")
+
+    original_get_settings = governance.get_settings
+    original_get_feature_policy = governance.get_feature_policy
+    original_get_item_policy = governance.get_item_policy
+    original_get_user_governance_group_ids = governance.get_user_governance_group_ids
+
+    try:
+        governance.get_settings = lambda: {"governance_global_actions_usage": True}
+
+        governance.get_feature_policy = lambda _feature_key: {
+            "allow_all": False,
+            "allowed_users": [],
+            "allowed_groups": ["group-a"],
+        }
+
+        governance.get_item_policy = lambda _entity_type, _item_id: {
+            "allow_all": False,
+            "allowed_users": ["user-allowed"],
+            "allowed_groups": [],
+        }
+
+        # 1) Allowed by feature policy via group membership and by item policy via user allowlist.
+        governance.get_user_governance_group_ids = lambda _user_id: {"group-a"}
+        governance.ensure_governance_access(
+            feature_key="governance_global_actions_usage",
+            user_id="user-allowed",
+            item_entity_type="global_action",
+            item_id="global-action-1",
+        )
+
+        # 2) Blocked by feature policy when user has no allowed group.
+        governance.get_user_governance_group_ids = lambda _user_id: set()
+        blocked_feature = False
+        try:
+            governance.ensure_governance_access(
+                feature_key="governance_global_actions_usage",
+                user_id="user-allowed",
+                item_entity_type="global_action",
+                item_id="global-action-1",
+            )
+        except PermissionError:
+            blocked_feature = True
+        assert blocked_feature, "Expected feature policy to block access without allowed groups"
+
+        # 3) Allowed by feature policy, then blocked by item policy for non-allowlisted user.
+        governance.get_user_governance_group_ids = lambda _user_id: {"group-a"}
+        blocked_item = False
+        try:
+            governance.ensure_governance_access(
+                feature_key="governance_global_actions_usage",
+                user_id="user-denied",
+                item_entity_type="global_action",
+                item_id="global-action-1",
+            )
+        except PermissionError:
+            blocked_item = True
+        assert blocked_item, "Expected item policy to block non-allowlisted user"
+
+        print("PASS: governance enforcement allows/denies correctly for feature and item policies")
+        return True
+    finally:
+        governance.get_settings = original_get_settings
+        governance.get_feature_policy = original_get_feature_policy
+        governance.get_item_policy = original_get_item_policy
+        governance.get_user_governance_group_ids = original_get_user_governance_group_ids
+
+
+if __name__ == "__main__":
+    tests = [
+        test_ensure_governance_access_allows_when_feature_toggle_disabled,
+        test_ensure_governance_access_enforces_feature_and_item_policies,
+    ]
+    results = []
+
+    for test in tests:
+        try:
+            results.append(test())
+        except Exception as exc:
+            print(f"FAIL: {test.__name__} -> {exc}")
+            results.append(False)
+
+    passed = sum(1 for result in results if result)
+    print(f"Results: {passed}/{len(results)} tests passed")
+    sys.exit(0 if all(results) else 1)
diff --git a/functional_tests/test_governance_route_and_wiring_coverage.py b/functional_tests/test_governance_route_and_wiring_coverage.py
new file mode 100644
index 000000000..6ab531513
--- /dev/null
+++ b/functional_tests/test_governance_route_and_wiring_coverage.py
@@ -0,0 +1,309 @@
+# test_governance_route_and_wiring_coverage.py
+#!/usr/bin/env python3
+"""
+Functional test for governance route and enforcement wiring coverage.
+Version: 0.242.011
+Implemented in: 0.242.011
+
+This test ensures governance routes are registered and guarded, and that
+updated backend modules include governance enforcement hooks for endpoint,
+agent, and action flows.
+"""
+
+import os
+import sys
+
+
+ROOT_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
+SINGLE_APP_DIR = os.path.join(ROOT_DIR, "application", "single_app")
+if SINGLE_APP_DIR not in sys.path:
+    sys.path.append(SINGLE_APP_DIR)
+
+
+def _read(*parts):
+    path = os.path.join(ROOT_DIR, *parts)
+    with open(path, "r", encoding="utf-8") as handle:
+        return handle.read()
+
+
+def test_governance_route_registration_and_guards():
+    print("Testing governance route registration and guards...")
+
+    app_content = _read("application", "single_app", "app.py")
+    route_content = _read("application", "single_app", "route_backend_governance.py")
+
+    assert "from route_backend_governance import register_route_backend_governance" in app_content, (
+        "Expected app.py to import governance route registration"
+    )
+    assert "register_route_backend_governance(app)" in app_content, (
+        "Expected governance routes to be registered in app.py"
+    )
+
+    expected_routes = [
+        "/api/admin/governance/policies",
+        "/api/admin/governance/policies/<feature_key>",
+        "/api/admin/governance/item-policies",
+        "/api/admin/governance/item-policies/review",
+        "/api/admin/governance/item-policies/<entity_type>/<item_id>",
+    ]
+    for route in expected_routes:
+        assert route in route_content, f"Missing governance route: {route}"
+
+    assert route_content.count("@swagger_route(security=get_auth_security())") >= 4, (
+        "Expected swagger security decorators on governance routes"
+    )
+    assert route_content.count("@login_required") >= 4, (
+        "Expected login_required on governance routes"
+    )
+    assert route_content.count("@admin_required") >= 4, (
+        "Expected admin_required on governance routes"
+    )
+
+    assert "def _sanitize_policy_payload(payload):" in route_content, (
+        "Expected policy payload sanitization helper in governance route module"
+    )
+    assert "delete_governance_item_policy_route" in route_content, (
+        "Expected delegated item policy delete route in governance route module"
+    )
+
+    print("PASS: governance route registration and guards verified")
+
+
+def test_governance_enforcement_hooks_across_changed_routes():
+    print("Testing governance enforcement hooks across changed route files...")
+
+    agents_content = _read("application", "single_app", "route_backend_agents.py")
+    plugins_content = _read("application", "single_app", "route_backend_plugins.py")
+    chats_content = _read("application", "single_app", "route_backend_chats.py")
+    frontend_chats_content = _read("application", "single_app", "route_frontend_chats.py")
+    models_content = _read("application", "single_app", "route_backend_models.py")
+    admin_settings_route_content = _read("application", "single_app", "route_frontend_admin_settings.py")
+    settings_content = _read("application", "single_app", "functions_settings.py")
+    admin_settings_template_content = _read("application", "single_app", "templates", "admin_settings.html")
+    admin_governance_js_content = _read("application", "single_app", "static", "js", "admin", "admin_governance.js")
+
+    # Agents route: user/group/global agent governance and endpoint governance hooks.
+    for key in [
+        "governance_user_agents",
+        "governance_group_agents",
+        "governance_global_agents_usage",
+        "governance_user_endpoints",
+        "governance_group_endpoints",
+    ]:
+        assert key in agents_content, f"Missing governance key in route_backend_agents.py: {key}"
+
+    # Plugins route: user/global action governance hooks and item policy persistence.
+    for key in [
+        "governance_user_actions",
+        "governance_global_actions_usage",
+    ]:
+        assert key in plugins_content, f"Missing governance key in route_backend_plugins.py: {key}"
+    assert "upsert_item_policy(" in plugins_content, (
+        "Expected route_backend_plugins.py to persist governance item policy updates"
+    )
+
+    # Chats/models route: endpoint governance hooks.
+    for key in ["governance_user_endpoints", "governance_group_endpoints", "governance_global_endpoints"]:
+        assert key in chats_content, f"Missing governance key in route_backend_chats.py: {key}"
+        assert key in models_content, f"Missing governance key in route_backend_models.py: {key}"
+    assert "item_entity_type=\"endpoint\"" in models_content or "item_entity_type='endpoint'" in models_content, (
+        "Expected endpoint item delegation enforcement in route_backend_models.py"
+    )
+
+    # Admin settings route/template/js: governance toggles and governance tab wiring.
+    for key in [
+        "governance_user_endpoints",
+        "governance_group_endpoints",
+        "governance_global_endpoints",
+        "governance_user_agents",
+        "governance_group_agents",
+        "governance_global_agents_usage",
+        "governance_user_actions",
+        "governance_group_actions",
+        "governance_global_actions_usage",
+    ]:
+        assert key in admin_settings_route_content, f"Missing governance toggle persistence key: {key}"
+        assert key in settings_content, f"Missing governance default setting key: {key}"
+
+    for marker in [
+        "id=\"governance\"",
+        "governance-feature-policies-table",
+        "governance-item-policies-table",
+        "governance-save-feature-policies-btn",
+        "governance-save-item-policy-btn",
+    ]:
+        assert marker in admin_settings_template_content, f"Missing governance UI marker in admin_settings.html: {marker}"
+
+    for endpoint in [
+        "/api/admin/governance/policies",
+        "/api/admin/governance/item-policies",
+        "/api/admin/governance/item-policies/review",
+    ]:
+        assert endpoint in admin_governance_js_content, f"Missing governance API call in admin_governance.js: {endpoint}"
+
+    for marker in [
+        "syncGovernanceFeaturePolicyVisibility()",
+        "syncGovernanceFeaturePolicyRowVisibility(row)",
+        "getGovernanceFeatureToggle(featureKey)",
+        "governance-item-allowed-principals-controls",
+        "_filter_chat_model_endpoints_by_governance",
+        "_is_chat_agent_allowed_by_governance",
+        "_is_agent_allowed_for_user_selection",
+        "governance-edit-item-policy-btn",
+        "governance-delete-item-policy-btn",
+        "governance-item-policy-delete-confirm-modal",
+        "loadGovernanceItemPolicyIntoEditor",
+        "openCurrentDelegatedItemAllowListEditorAfterReviewModalCloses",
+        "deleteGovernanceItemPolicyFromContext",
+        "renderGovernancePrincipalReviewCell",
+        "wireGovernanceItemReviewHandlers",
+    ]:
+        assert marker in admin_governance_js_content or marker in admin_settings_template_content or marker in frontend_chats_content or marker in agents_content, (
+            f"Missing governance UI visibility marker: {marker}"
+        )
+
+    assert '<div id="governance-item-policy-form"' in admin_settings_template_content, (
+        "Delegated item policy editor must not be a nested form inside Admin Settings"
+    )
+    assert 'type="button" class="btn btn-primary" id="governance-save-item-policy-btn"' in admin_settings_template_content, (
+        "Delegated item policy save button must not submit the global settings form"
+    )
+
+    print("PASS: governance enforcement hooks and admin governance wiring verified")
+
+
+def test_governance_cache_optimization_hooks():
+    print("Testing governance cache optimization hooks...")
+
+    governance_content = _read("application", "single_app", "functions_governance.py")
+    app_cache_content = _read("application", "single_app", "app_settings_cache.py")
+
+    for marker in [
+        "GOVERNANCE_CACHE_TTL_SECONDS",
+        "_get_request_cache()",
+        "_get_cached_governance_value(",
+        "invalidate_governance_cache()",
+        "_get_shared_governance_cache_version()",
+        "_bump_shared_governance_cache_version()",
+        "_set_request_cache_value(decision_key, True)",
+    ]:
+        assert marker in governance_content, f"Missing governance cache optimization marker: {marker}"
+
+    for marker in [
+        "GOVERNANCE_CACHE_VERSION_KEY",
+        "get_governance_cache_version",
+        "bump_governance_cache_version",
+        "get_governance_cache_version_redis",
+        "bump_governance_cache_version_redis",
+        "get_governance_cache_version_mem",
+        "bump_governance_cache_version_mem",
+    ]:
+        assert marker in app_cache_content, f"Missing shared governance version cache marker: {marker}"
+
+    assert "get_feature_policy(" in governance_content and "(\"feature_policy\"," in governance_content, (
+        "Expected feature policy reads to use governance cache keys"
+    )
+    assert "get_item_policy(" in governance_content and "(\"item_policy\"," in governance_content, (
+        "Expected item policy reads to use governance cache keys"
+    )
+    assert "delete_item_policy(" in governance_content and "item_policy_delete" in governance_content, (
+        "Expected delegated item policy delete support and audit logging"
+    )
+    assert "get_user_governance_group_ids(" in governance_content and "user_governance_group_ids" in governance_content, (
+        "Expected governance group memberships to use cache keys"
+    )
+    assert "rows_by_feature_key" in governance_content and "_default_feature_policy_doc(feature_key)" in governance_content, (
+        "Expected feature policy listing to include defaults for newly added governance keys"
+    )
+    assert "_read_stored_feature_policy(feature_key)" in governance_content, (
+        "Expected default feature policy bootstrap to distinguish stored rows from fallback defaults"
+    )
+
+    print("PASS: governance cache optimization hooks verified")
+
+
+def test_workspace_jinja_governance_gating_hooks():
+    print("Testing workspace Jinja governance gating hooks...")
+
+    governance_content = _read("application", "single_app", "functions_governance.py")
+    workspace_route_content = _read("application", "single_app", "route_frontend_workspace.py")
+    group_route_content = _read("application", "single_app", "route_frontend_group_workspaces.py")
+    workspace_template_content = _read("application", "single_app", "templates", "workspace.html")
+    group_template_content = _read("application", "single_app", "templates", "group_workspaces.html")
+
+    for marker in [
+        "def is_governance_access_allowed(",
+        "def filter_governed_model_endpoints(",
+        "item_entity_type=\"endpoint\"",
+    ]:
+        assert marker in governance_content, f"Missing workspace governance helper marker: {marker}"
+
+    for marker in [
+        "workspace_governance = {",
+        "governance_user_agents",
+        "governance_user_actions",
+        "governance_user_endpoints",
+        "filter_governed_model_endpoints(user_id, personal_endpoints, \"governance_user_endpoints\")",
+        "workspace_governance=workspace_governance",
+    ]:
+        assert marker in workspace_route_content, f"Missing personal workspace governance route marker: {marker}"
+
+    for marker in [
+        "workspace_governance = {",
+        "governance_group_agents",
+        "governance_group_actions",
+        "governance_group_endpoints",
+        "filter_governed_model_endpoints(user_id, group_endpoints, \"governance_group_endpoints\")",
+        "workspace_governance=workspace_governance",
+    ]:
+        assert marker in group_route_content, f"Missing group workspace governance route marker: {marker}"
+
+    for marker in [
+        "workspace_governance.user_agents",
+        "workspace_governance.user_actions",
+        "workspace_governance.user_endpoints",
+        "Personal agents are disabled by governance",
+        "Personal actions are disabled by governance",
+        "Personal endpoints are disabled by governance",
+        "settings.allow_user_agents and workspace_governance.user_agents",
+        "settings.allow_user_plugins and workspace_governance.user_actions",
+        "settings.allow_user_custom_endpoints and settings.enable_multi_model_endpoints and workspace_governance.user_endpoints",
+    ]:
+        assert marker in workspace_template_content, f"Missing personal workspace Jinja governance marker: {marker}"
+
+    for marker in [
+        "workspace_governance.group_agents",
+        "workspace_governance.group_actions",
+        "workspace_governance.group_endpoints",
+        "Group agents are disabled by governance",
+        "Group actions are disabled by governance",
+        "Group endpoints are disabled by governance",
+        "settings.allow_group_agents and workspace_governance.group_agents",
+        "settings.allow_group_plugins and workspace_governance.group_actions",
+        "settings.allow_group_custom_endpoints and settings.enable_multi_model_endpoints and workspace_governance.group_endpoints",
+    ]:
+        assert marker in group_template_content, f"Missing group workspace Jinja governance marker: {marker}"
+
+    print("PASS: workspace Jinja governance gating hooks verified")
+
+
+if __name__ == "__main__":
+    tests = [
+        test_governance_route_registration_and_guards,
+        test_governance_enforcement_hooks_across_changed_routes,
+        test_governance_cache_optimization_hooks,
+        test_workspace_jinja_governance_gating_hooks,
+    ]
+    results = []
+
+    for test in tests:
+        try:
+            test()
+            results.append(True)
+        except Exception as exc:
+            print(f"FAIL: {test.__name__} -> {exc}")
+            results.append(False)
+
+    passed = sum(1 for result in results if result)
+    print(f"Results: {passed}/{len(results)} tests passed")
+    sys.exit(0 if all(results) else 1)
diff --git a/functional_tests/test_group_plugin_global_merge_fix.py b/functional_tests/test_group_plugin_global_merge_fix.py
index 6e85e8663..383dfe08a 100644
--- a/functional_tests/test_group_plugin_global_merge_fix.py
+++ b/functional_tests/test_group_plugin_global_merge_fix.py
@@ -2,8 +2,8 @@
 # test_group_plugin_global_merge_fix.py
 """
 Functional test for group plugin global merge behavior.
-Version: 0.233.164
-Implemented in: 0.233.164
+Version: 0.241.022
+Implemented in: 0.233.164; 0.241.022
 
 This test ensures that when global actions are merged into group workspaces,
 only group-owned actions remain editable and duplicate names are handled.
@@ -12,7 +12,10 @@
 import sys
 import os
 
-sys.path.append(os.path.dirname(os.path.abspath(__file__)))
+ROOT_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
+SINGLE_APP_DIR = os.path.join(ROOT_DIR, "application", "single_app")
+if SINGLE_APP_DIR not in sys.path:
+    sys.path.append(SINGLE_APP_DIR)
 
 
 def test_global_actions_are_included_without_duplicates():
diff --git a/functional_tests/test_keyvault_plugin_secret_scope_enforcement.py b/functional_tests/test_keyvault_plugin_secret_scope_enforcement.py
index 65c82cd3d..99071a505 100644
--- a/functional_tests/test_keyvault_plugin_secret_scope_enforcement.py
+++ b/functional_tests/test_keyvault_plugin_secret_scope_enforcement.py
@@ -22,14 +22,8 @@
 PLUGIN_ROUTE_FILE = os.path.join(ROOT_DIR, "application", "single_app", "route_backend_plugins.py")
 SK_LOADER_FILE = os.path.join(ROOT_DIR, "application", "single_app", "semantic_kernel_loader.py")
 CONFIG_FILE = os.path.join(ROOT_DIR, "application", "single_app", "config.py")
-FIX_DOC = os.path.join(
-    ROOT_DIR,
-    "docs",
-    "explanation",
-    "fixes",
-    "v0.241.011",
-    "KEY_VAULT_PLUGIN_SECRET_SCOPE_ENFORCEMENT_FIX.md",
-)
+FIX_DOC_ROOT = os.path.join(ROOT_DIR, "docs", "explanation", "fixes")
+FIX_DOC_NAME = "KEY_VAULT_PLUGIN_SECRET_SCOPE_ENFORCEMENT_FIX.md"
 
 
 def read_file_text(file_path):
@@ -44,6 +38,24 @@ def read_config_version():
     raise AssertionError("VERSION assignment not found in config.py")
 
 
+def parse_version(version_text):
+    parts = version_text.split(".")
+    if len(parts) != 3:
+        raise AssertionError(f"Invalid version format: {version_text}")
+    try:
+        return tuple(int(part) for part in parts)
+    except ValueError as exc:
+        raise AssertionError(f"Version contains non-numeric segments: {version_text}") from exc
+
+
+def find_fix_doc_paths(root_path, file_name):
+    matching_paths = []
+    for dirpath, _, filenames in os.walk(root_path):
+        if file_name in filenames:
+            matching_paths.append(os.path.join(dirpath, file_name))
+    return sorted(matching_paths)
+
+
 def load_functions(file_path, function_names, namespace=None):
     source = read_file_text(file_path)
     parsed = ast.parse(source, filename=file_path)
@@ -250,8 +262,15 @@ def test_fix_documentation_and_version_exist():
     """Verify the config version bump and fix documentation landed for this change."""
     print("🔍 Testing Key Vault scope enforcement documentation and version...")
 
-    assert read_config_version() == "0.241.022"
-    assert os.path.exists(FIX_DOC), f"Expected fix documentation at {FIX_DOC}"
+    current_version = read_config_version()
+    minimum_version = "0.241.022"
+    assert parse_version(current_version) >= parse_version(minimum_version), (
+        f"Expected config version >= {minimum_version}, found {current_version}"
+    )
+    matching_fix_docs = find_fix_doc_paths(FIX_DOC_ROOT, FIX_DOC_NAME)
+    assert matching_fix_docs, (
+        f"Expected fix documentation named {FIX_DOC_NAME} under {FIX_DOC_ROOT}"
+    )
 
     print("✅ Key Vault scope enforcement documentation and version passed")
 
diff --git a/ui_tests/test_admin_governance_tab.py b/ui_tests/test_admin_governance_tab.py
new file mode 100644
index 000000000..b77dd5933
--- /dev/null
+++ b/ui_tests/test_admin_governance_tab.py
@@ -0,0 +1,213 @@
+# test_admin_governance_tab.py
+"""
+UI test for admin governance tab rendering and API wiring.
+
+Version: 0.241.025
+Implemented in: 0.241.009; 0.241.025
+
+This test ensures the Governance tab is present in admin settings, the
+sidebar navigation exposes the same destination, feature policy fetch/save
+calls are wired, and delegated item policy calls are sent to governance API
+endpoints.
+"""
+
+import json
+import os
+from pathlib import Path
+
+import pytest
+
+
+BASE_URL = os.getenv("SIMPLECHAT_UI_BASE_URL", "").rstrip("/")
+STORAGE_STATE = os.getenv("SIMPLECHAT_UI_STORAGE_STATE", "")
+
+
+@pytest.mark.ui
+def test_admin_governance_tab_and_api_wiring():
+    if not BASE_URL:
+        pytest.skip("Set SIMPLECHAT_UI_BASE_URL to run this UI test.")
+    if not STORAGE_STATE or not Path(STORAGE_STATE).exists():
+        pytest.skip("Set SIMPLECHAT_UI_STORAGE_STATE to a valid authenticated Playwright storage state file.")
+
+    playwright_sync_api = pytest.importorskip("playwright.sync_api")
+
+    feature_get_requests = []
+    feature_put_requests = []
+    item_get_requests = []
+    item_review_get_requests = []
+    item_put_requests = []
+    agent_lookup_requests = []
+    action_lookup_requests = []
+
+    feature_payload = {
+        "features": [
+            {
+                "feature_key": "governance_user_agents",
+                "allow_all": True,
+                "allowed_users": [],
+                "allowed_groups": [],
+            },
+            {
+                "feature_key": "governance_global_actions_usage",
+                "allow_all": False,
+                "allowed_users": ["entra-user-123"],
+                "allowed_groups": ["workspace-group-abc"],
+            },
+        ],
+        "feature_keys": [
+            "governance_user_agents",
+            "governance_global_actions_usage",
+        ],
+    }
+
+    def fulfill_feature_get(route):
+        feature_get_requests.append(route.request.url)
+        route.fulfill(status=200, content_type="application/json", body=json.dumps(feature_payload))
+
+    def fulfill_feature_put(route):
+        feature_put_requests.append(route.request.url)
+        route.fulfill(status=200, content_type="application/json", body='{"policy": {"ok": true}}')
+
+    def fulfill_item_get(route):
+        item_get_requests.append(route.request.url)
+        route.fulfill(
+            status=200,
+            content_type="application/json",
+            body=json.dumps({
+                "item_policies": [
+                    {
+                        "entity_type": "global_agent",
+                        "item_id": "global-agent-1",
+                        "allow_all": False,
+                        "allowed_users": ["entra-user-123"],
+                        "allowed_groups": ["workspace-group-abc"],
+                    }
+                ]
+            }),
+        )
+
+    def fulfill_item_review_get(route):
+        item_review_get_requests.append(route.request.url)
+        route.fulfill(
+            status=200,
+            content_type="application/json",
+            body=json.dumps({
+                "item_policies": [
+                    {
+                        "entity_type": "endpoint",
+                        "item_id": "endpoint-1",
+                        "allow_all": False,
+                        "allowed_users": ["entra-user-123"],
+                        "allowed_groups": ["workspace-group-abc"],
+                    }
+                ],
+                "pagination": {
+                    "page": 1,
+                    "per_page": 25,
+                    "total_items": 1,
+                    "total_pages": 1,
+                    "has_prev": False,
+                    "has_next": False,
+                },
+                "search": "",
+                "entity_type": None,
+            }),
+        )
+
+    def fulfill_item_put(route):
+        item_put_requests.append(route.request.url)
+        route.fulfill(status=200, content_type="application/json", body='{"policy": {"ok": true}}')
+
+    def fulfill_admin_agents_lookup(route):
+        agent_lookup_requests.append(route.request.url)
+        route.fulfill(
+            status=200,
+            content_type="application/json",
+            body=json.dumps([
+                {
+                    "id": "global-agent-1",
+                    "name": "Global Agent One",
+                    "display_name": "Global Agent One",
+                },
+                {
+                    "id": "global-agent-2",
+                    "name": "Global Agent Two",
+                    "display_name": "Global Agent Two",
+                },
+            ]),
+        )
+
+    def fulfill_admin_plugins_lookup(route):
+        action_lookup_requests.append(route.request.url)
+        route.fulfill(
+            status=200,
+            content_type="application/json",
+            body=json.dumps([
+                {
+                    "id": "global-action-1",
+                    "name": "Global Action One",
+                    "type": "api",
+                }
+            ]),
+        )
+
+    with playwright_sync_api.sync_playwright() as playwright:
+        browser = playwright.chromium.launch()
+        context = browser.new_context(
+            storage_state=STORAGE_STATE,
+            viewport={"width": 1365, "height": 900},
+        )
+        page = context.new_page()
+
+        try:
+            page.route("**/api/admin/governance/policies", fulfill_feature_get)
+            page.route("**/api/admin/governance/policies/*", fulfill_feature_put)
+            page.route("**/api/admin/governance/item-policies", fulfill_item_get)
+            page.route("**/api/admin/governance/item-policies/review**", fulfill_item_review_get)
+            page.route("**/api/admin/governance/item-policies/*/*", fulfill_item_put)
+            page.route("**/api/admin/agents", fulfill_admin_agents_lookup)
+            page.route("**/api/admin/plugins", fulfill_admin_plugins_lookup)
+
+            page.goto(f"{BASE_URL}/admin/settings", wait_until="domcontentloaded")
+
+            page.get_by_role("link", name="Governance").click()
+            page.wait_for_selector("#governance-feature-policies-table")
+
+            page.get_by_role("tab", name="Governance").click()
+            page.wait_for_selector("#governance-feature-policies-table")
+
+            page.get_by_role("button", name="Review Configured List").click()
+            page.wait_for_selector("#governance-item-policies-review-modal.show")
+            page.wait_for_selector("#governance-item-policies-review-body tr")
+
+            page.get_by_role("button", name="Save Feature Policies").click()
+            page.wait_for_timeout(300)
+
+            page.locator("#governance-item-id").select_option("global-agent-2")
+            page.get_by_role("button", name="Edit List").click()
+            page.wait_for_selector("#governanceAllowListEditorModal.show")
+
+            page.locator("#governance-allowlist-csv-target").select_option("users")
+            page.locator("#governance-allowlist-csv-mode").select_option("merge")
+            page.locator("#governance-allowlist-csv-input").fill("entra-user-123")
+            page.get_by_role("button", name="Apply CSV").click()
+
+            page.locator("#governance-allowlist-csv-target").select_option("groups")
+            page.locator("#governance-allowlist-csv-input").fill("workspace-group-abc")
+            page.get_by_role("button", name="Apply CSV").click()
+
+            page.get_by_role("button", name="Apply to Policy").click()
+            page.wait_for_selector("#governanceAllowListEditorModal.show", state="hidden")
+
+            page.get_by_role("button", name="Save Item Policy").click()
+            page.wait_for_timeout(300)
+
+            assert feature_get_requests, "Expected governance feature policies GET request"
+            assert item_get_requests, "Expected governance item policies GET request"
+            assert item_review_get_requests, "Expected governance item policy review GET request"
+            assert feature_put_requests, "Expected governance feature policies PUT request"
+            assert item_put_requests, "Expected governance item policy PUT request"
+            assert agent_lookup_requests, "Expected global agent lookup GET request"
+        finally:
+            context.close()
+            browser.close()
diff --git a/ui_tests/test_workspace_governance_template_gating.py b/ui_tests/test_workspace_governance_template_gating.py
new file mode 100644
index 000000000..1ab8d3abe
--- /dev/null
+++ b/ui_tests/test_workspace_governance_template_gating.py
@@ -0,0 +1,64 @@
+# test_workspace_governance_template_gating.py
+"""
+UI test for workspace governance template gating.
+
+Version: 0.242.011
+Implemented in: 0.242.011
+
+This test ensures personal and group workspace templates keep the Jinja-level
+governance gates that replace disabled modules with user-facing messages and
+avoid loading matching JavaScript modules.
+"""
+
+from pathlib import Path
+
+import pytest
+
+
+ROOT_DIR = Path(__file__).resolve().parents[1]
+
+
+def _read_template(name):
+    return (ROOT_DIR / "application" / "single_app" / "templates" / name).read_text(encoding="utf-8")
+
+
+@pytest.mark.ui
+def test_workspace_templates_gate_governed_modules():
+    """Validate Jinja governance gates for personal and group workspace modules."""
+    workspace_template = _read_template("workspace.html")
+    group_template = _read_template("group_workspaces.html")
+
+    personal_markers = [
+        "workspace_governance.user_agents",
+        "workspace_governance.user_actions",
+        "workspace_governance.user_endpoints",
+        "Personal agents are disabled by governance",
+        "Personal actions are disabled by governance",
+        "Personal endpoints are disabled by governance",
+        "settings.allow_user_agents and workspace_governance.user_agents",
+        "settings.allow_user_plugins and workspace_governance.user_actions",
+        "settings.allow_user_custom_endpoints and settings.enable_multi_model_endpoints and workspace_governance.user_endpoints",
+        "js/workspace/workspace_agents.js",
+        "js/workspace/workspace_plugins.js",
+        "js/workspace/workspace_model_endpoints.js",
+    ]
+    group_markers = [
+        "workspace_governance.group_agents",
+        "workspace_governance.group_actions",
+        "workspace_governance.group_endpoints",
+        "Group agents are disabled by governance",
+        "Group actions are disabled by governance",
+        "Group endpoints are disabled by governance",
+        "settings.allow_group_agents and workspace_governance.group_agents",
+        "settings.allow_group_plugins and workspace_governance.group_actions",
+        "settings.allow_group_custom_endpoints and settings.enable_multi_model_endpoints and workspace_governance.group_endpoints",
+        "js/workspace/group_agents.js",
+        "js/workspace/group_plugins.js",
+        "js/workspace/workspace_model_endpoints.js",
+    ]
+
+    for marker in personal_markers:
+        assert marker in workspace_template, f"Missing personal workspace governance marker: {marker}"
+
+    for marker in group_markers:
+        assert marker in group_template, f"Missing group workspace governance marker: {marker}"
\ No newline at end of file

From 7817b0f4e7a77e3b7d07e97dd0537406f1912dbf Mon Sep 17 00:00:00 2001
From: Bionic711 <nadoyle@microsoft.com>
Date: Fri, 5 Jun 2026 19:41:27 -0500
Subject: [PATCH 02/12] cont of governance

---
 .../prepare-for-pull-request.prompt.md        |  161 ++
 application/single_app/app_settings_cache.py  |  211 ++-
 application/single_app/config.py              |    2 +-
 .../single_app/functions_governance.py        |  335 +++-
 application/single_app/functions_settings.py  |   60 +-
 application/single_app/route_backend_chats.py |    2 +-
 .../single_app/route_backend_governance.py    |   31 +-
 .../single_app/route_backend_models.py        |    4 +-
 application/single_app/route_backend_users.py |   93 +-
 .../route_frontend_admin_settings.py          |   18 +-
 .../single_app/route_frontend_chats.py        |    2 +-
 application/single_app/static/css/chats.css   |   37 +-
 .../static/js/admin/admin_agents.js           |   61 +
 .../static/js/admin/admin_governance.js       | 1525 +++++++++++++----
 .../static/js/admin/admin_model_endpoints.js  |  128 +-
 .../static/js/admin/admin_plugins.js          |   57 +
 .../static/js/chat/chat-documents.js          |   97 +-
 .../single_app/static/js/plugin_common.js     |   22 +-
 .../templates/_governance_info.html           |  339 ++++
 .../single_app/templates/_sidebar_nav.html    |    2 +-
 .../single_app/templates/admin_settings.html  |  138 +-
 application/single_app/templates/chats.html   |    6 +-
 .../features/v0.242.001/GOVERNANCE.md         |   67 +-
 .../APP_SETTINGS_CACHE_VERSIONING.md          |   79 +
 .../CHAT_DROPDOWN_RESPONSIVE_WIDTH_FIX.md     |   50 +
 docs/explanation/release_notes.md             |   10 +
 .../test_app_settings_cache_versioning.py     |  111 ++
 .../test_chat_searchable_selectors.py         |   31 +-
 ...st_governance_route_and_wiring_coverage.py |  103 +-
 ui_tests/test_admin_governance_tab.py         |   94 +-
 .../test_chat_search_panel_mobile_drawer.py   |  151 +-
 31 files changed, 3389 insertions(+), 638 deletions(-)
 create mode 100644 .github/prompts/prepare-for-pull-request.prompt.md
 create mode 100644 application/single_app/templates/_governance_info.html
 create mode 100644 docs/explanation/features/v0.242.020/APP_SETTINGS_CACHE_VERSIONING.md
 create mode 100644 docs/explanation/fixes/CHAT_DROPDOWN_RESPONSIVE_WIDTH_FIX.md
 create mode 100644 functional_tests/test_app_settings_cache_versioning.py

diff --git a/.github/prompts/prepare-for-pull-request.prompt.md b/.github/prompts/prepare-for-pull-request.prompt.md
new file mode 100644
index 000000000..6e2d78fef
--- /dev/null
+++ b/.github/prompts/prepare-for-pull-request.prompt.md
@@ -0,0 +1,161 @@
+---
+name: "Prepare for Pull Request"
+description: "Use when the user says: Prepare for a pull request, PR prep, ready this branch for PR, validate before PR, or create a PR to Development. Runs SimpleChat branch sync and validation workflow before optionally pushing or creating a GitHub pull request."
+argument-hint: "Optional: include merge Development, rebase Development, push, create draft PR, or create PR"
+agent: "agent"
+---
+
+# Prepare SimpleChat for a Pull Request
+
+You are preparing the current SimpleChat branch for a GitHub pull request into `Development`.
+
+The default outcome is a verified PR-readiness report. You may push the branch or create the pull request only after explicitly asking the user to proceed and receiving confirmation. If the user already asked to push or create the PR, still pause at the final confirmation gate before doing it.
+
+## Repository Policy
+
+- Work in the SimpleChat repo, normally `c:\Repos\simplechatmsft`.
+- Target contributor PRs to `Development`, not `main` or `Staging`.
+- Treat `Development` and `Staging` as case-sensitive branch names.
+- Prefer the remote named `upstream` when it exists and has `Development`; otherwise use `origin/Development`.
+- Never use destructive Git commands such as `git reset --hard`, `git checkout -- <path>`, or force push unless the user explicitly asks and understands the consequence.
+- Do not revert unrelated user changes.
+- Do not commit, push, or create a PR without a user confirmation step.
+- If secrets, `.env` files, session tokens, storage keys, connection strings, or generated local artifacts appear in the changed file set, stop and ask before proceeding.
+
+## Initial Discovery
+
+Run read-only checks first and summarize what you find:
+
+1. Confirm the repo root and current branch.
+2. Show concise working tree status, including untracked files.
+3. Show remotes and identify the remote target branch for `Development`.
+4. Fetch the target branch: `git fetch <remote> Development`.
+5. Determine whether the current branch contains the latest target branch:
+   - Up to date when `<remote>/Development` is an ancestor of `HEAD`.
+   - Behind or diverged when it is not.
+6. Determine changed files relative to `<remote>/Development` and include both committed and uncommitted local changes.
+
+If the current branch is `Development`, `Staging`, or `main`, stop and ask whether to create or switch to a feature branch before continuing.
+
+## Development Sync Gate
+
+Before reporting PR readiness or creating a PR, ensure the current branch includes the latest `Development` changes.
+
+Default behavior:
+
+- Fetch `Development` and report whether the branch is up to date.
+- If the branch is behind or diverged, stop and ask how to integrate the changes.
+- Do not merge or rebase automatically.
+
+Supported opt-in behaviors:
+
+- If the user asks to `merge Development`, run a normal merge from `<remote>/Development` after confirming.
+- If the user asks to `rebase Development` or `rebase onto Development`, rebase onto `<remote>/Development` after confirming.
+- If the user asks only to check readiness, do not integrate. Explain that PR readiness is blocked until the branch includes the latest target branch.
+
+After any merge or rebase, recompute changed files and rerun all applicable validation.
+
+## Conflict Handling
+
+If a merge or rebase produces conflicts, do not ask the user to manually resolve files. Resolve conflicts interactively with the user while you do the editing.
+
+For each conflict:
+
+1. Identify the conflicted file and the affected feature or behavior.
+2. Explain the two sides clearly:
+   - `ours`: what the user's current branch changed.
+   - `theirs`: what `Development` changed.
+3. Explain the likely impact of choosing either side or combining them.
+4. Recommend a resolution when there is enough context, but ask the user how to proceed.
+5. Apply the selected resolution yourself.
+6. Continue until there are no conflict markers and `git status` shows no unmerged paths.
+7. Continue the merge or rebase with non-interactive Git commands.
+
+If the user cancels conflict resolution, report the current Git state and the safest next step. Do not abandon a merge or rebase unless the user explicitly asks.
+
+## Local Validation
+
+Use the repo's existing workflow files, scripts, and instructions as the source of truth. Run the smallest reliable set that matches the changed files, then broaden only when risk calls for it.
+
+Always run:
+
+- `git diff --check` for changed files.
+- A Python syntax compile check for changed Python files, and at minimum the Python files under `application/single_app` that GitHub compiles.
+- Any new or changed test files directly.
+
+When Python route files changed:
+
+- Run `python scripts/check_swagger_routes.py <changed-python-files>`.
+- Verify every Flask route has `@swagger_route(security=get_auth_security())` immediately after `@app.route(...)`.
+
+When JavaScript, HTML, or Python browser-rendering surfaces changed:
+
+- Run `python scripts/check_xss_sinks.py` against changed `application/**/*.js`, `application/**/*.html`, and `application/**/*.py` files.
+- If validating only committed changes, prefer changed-line mode:
+  `python scripts/check_xss_sinks.py --base-sha <remote>/Development --head-sha HEAD <files>`.
+- If the working tree has uncommitted changes, use `--full-file` for those files because they are not represented by `HEAD`.
+
+When Python authorization-sensitive surfaces changed:
+
+- Run `python scripts/check_broken_access_control.py` against changed `application/**/*.py` files.
+- If validating only committed changes, prefer changed-line mode:
+  `python scripts/check_broken_access_control.py --base-sha <remote>/Development --head-sha HEAD <files>`.
+- If the working tree has uncommitted changes, use `--full-file` for those files.
+
+When HTML, CSS, or JavaScript changes affect UI behavior:
+
+- Run relevant `ui_tests/` tests when the local app and authentication state are available.
+- If UI tests cannot be run locally, say why and include the gap in the final PR-readiness report.
+
+When bug fixes, new features, route changes, API changes, security changes, or UI workflow changes are present:
+
+- Check for matching functional tests under `functional_tests/`.
+- Run relevant functional tests with pytest or directly with Python, matching existing test style.
+- If no relevant test exists, call this out and recommend the missing coverage.
+
+When application code changed:
+
+- Verify `application/single_app/config.py` has an appropriate patch version bump unless the change is docs-only.
+- Verify fix or feature documentation exists when required by the repo instructions.
+- Check whether `docs/explanation/release_notes.md` should be updated. If release notes are needed and missing, update them under the current `config.py` version as part of PR readiness unless the user explicitly requested report-only behavior.
+- If the current `config.py` version does not have a release notes section yet, create a new section at the top of the release notes before adding the entry.
+
+## PR Readiness Review
+
+Before asking to push or create a PR, provide a concise report with:
+
+- Current branch and target branch.
+- Whether the branch includes the latest `Development`.
+- Changed-file summary grouped by area.
+- Validation commands run and pass/fail status.
+- Tests run and any skipped tests with reasons.
+- Version, documentation, and release notes status.
+- Security review notes for secrets, XSS, broken access control, settings sanitization, and route decorators.
+- Remaining risks or manual follow-up.
+
+If validation fails, fix issues that are clearly in scope and rerun the affected checks. If a failure is unrelated or needs a product decision, stop and explain the blocker.
+
+## Optional Push and PR Creation
+
+Only after the readiness report is clean or the user accepts the noted risks, ask whether to proceed with push and PR creation.
+
+If uncommitted changes remain:
+
+- Do not push or create a PR yet.
+- Ask whether the user wants you to stage and commit the PR-ready changes.
+- Propose a concise commit message based on the change summary.
+
+If the user confirms push:
+
+- Push the current branch to the appropriate remote.
+- Do not force push unless the user explicitly asks after seeing the risk.
+
+If the user confirms PR creation:
+
+- Use GitHub CLI when available.
+- Create the PR against `Development`.
+- Default to a draft PR unless the user asks for a ready-for-review PR.
+- Include a PR body with summary, validation, tests, release notes status, and known risks.
+- Return the PR URL.
+
+If GitHub CLI is unavailable or unauthenticated, report the exact blocker and provide the PR title/body text for manual creation.
\ No newline at end of file
diff --git a/application/single_app/app_settings_cache.py b/application/single_app/app_settings_cache.py
index 711ec0190..44e28367a 100644
--- a/application/single_app/app_settings_cache.py
+++ b/application/single_app/app_settings_cache.py
@@ -8,6 +8,7 @@
 import logging
 import threading
 import time
+from datetime import datetime
 from redis import Redis
 from azure.identity import DefaultAzureCredential
 
@@ -16,13 +17,25 @@
 # functions_appinsights is also imported locally for the same reason.
 
 _settings = None
+_logger = logging.getLogger(__name__)
 APP_SETTINGS_CACHE = {}
 APP_STREAM_SESSION_METADATA = {}
 APP_STREAM_SESSION_EVENTS = {}
+APP_SETTINGS_CACHE_VERSION = 0
 APP_GOVERNANCE_CACHE_VERSION = 0
+APP_SETTINGS_SHARED_VERSION_CACHE = {'value': 0, 'expires_at': 0}
+APP_GOVERNANCE_SHARED_VERSION_CACHE = {'value': 0, 'expires_at': 0}
+APP_SETTINGS_CACHE_KEY = 'APP_SETTINGS_CACHE'
+APP_SETTINGS_CACHE_VERSION_KEY = 'APP_SETTINGS_CACHE_VERSION'
+APP_SETTINGS_CACHE_VERSION_DOC_ID = 'app_settings_cache_version'
 GOVERNANCE_CACHE_VERSION_KEY = 'GOVERNANCE_CACHE_VERSION'
+GOVERNANCE_CACHE_VERSION_DOC_ID = 'governance_cache_version'
+CACHE_VERSION_DOC_TYPE = 'cache_version'
+CACHE_VERSION_READ_TTL_SECONDS = 15
 update_settings_cache = None
 get_settings_cache = None
+get_app_settings_cache_version = None
+bump_app_settings_cache_version = None
 initialize_stream_session_cache = None
 set_stream_session_meta = None
 get_stream_session_meta = None
@@ -56,12 +69,62 @@ def _normalize_cache_version(value):
     except (TypeError, ValueError):
         return 0
 
+
+def _read_cosmos_cache_version(container, doc_id, log_event_func=None):
+    try:
+        doc = container.read_item(item=doc_id, partition_key=doc_id)
+        return _normalize_cache_version((doc or {}).get('version'))
+    except Exception as ex:
+        _logger.warning("[ASC] Shared cache version read failed for %s; using local version fallback: %s", doc_id, ex)
+        return None
+
+
+def _bump_cosmos_cache_version(container, doc_id, log_event_func=None):
+    try:
+        current_version = _read_cosmos_cache_version(container, doc_id, log_event_func=None)
+        next_version = _normalize_cache_version(current_version) + 1
+        container.upsert_item({
+            'id': doc_id,
+            'type': CACHE_VERSION_DOC_TYPE,
+            'version': next_version,
+            'updated_at': datetime.utcnow().isoformat(),
+        })
+        return next_version
+    except Exception as ex:
+        _logger.warning("[ASC] Shared cache version bump failed for %s; using local version fallback: %s", doc_id, ex)
+        return None
+
+
+def _get_ttl_cached_cosmos_version(version_cache, container, doc_id, fallback_version, log_event_func=None):
+    now = time.time()
+    with _app_cache_lock:
+        cached_expires_at = version_cache.get('expires_at') or 0
+        if cached_expires_at > now:
+            return _normalize_cache_version(version_cache.get('value'))
+
+    shared_version = _read_cosmos_cache_version(container, doc_id, log_event_func=log_event_func)
+    if shared_version is None:
+        shared_version = fallback_version
+
+    with _app_cache_lock:
+        version_cache['value'] = _normalize_cache_version(shared_version)
+        version_cache['expires_at'] = now + CACHE_VERSION_READ_TTL_SECONDS
+        return _normalize_cache_version(version_cache.get('value'))
+
+
+def _set_ttl_cached_version(version_cache, version):
+    with _app_cache_lock:
+        version_cache['value'] = _normalize_cache_version(version)
+        version_cache['expires_at'] = time.time() + CACHE_VERSION_READ_TTL_SECONDS
+
 def configure_app_cache(settings, redis_cache_endpoint=None):
     global _settings, update_settings_cache, get_settings_cache, APP_SETTINGS_CACHE
     global APP_STREAM_SESSION_METADATA, APP_STREAM_SESSION_EVENTS
-    global APP_GOVERNANCE_CACHE_VERSION
+    global APP_SETTINGS_CACHE_VERSION, APP_GOVERNANCE_CACHE_VERSION
+    global APP_SETTINGS_SHARED_VERSION_CACHE, APP_GOVERNANCE_SHARED_VERSION_CACHE
     global initialize_stream_session_cache, set_stream_session_meta, get_stream_session_meta
     global append_stream_session_event, get_stream_session_events, delete_stream_session_cache
+    global get_app_settings_cache_version, bump_app_settings_cache_version
     global get_governance_cache_version, bump_governance_cache_version
     global app_cache_is_using_redis
     # Local import to avoid circular dependency: functions_keyvault imports app_settings_cache.
@@ -120,12 +183,48 @@ def configure_app_cache(settings, redis_cache_endpoint=None):
                 ssl=True
             )
 
+        def get_app_settings_cache_version_redis():
+            cached = redis_client.get(APP_SETTINGS_CACHE_VERSION_KEY)
+            if cached is None:
+                redis_client.setnx(APP_SETTINGS_CACHE_VERSION_KEY, 0)
+                return 0
+            return _normalize_cache_version(cached)
+
+        def bump_app_settings_cache_version_redis():
+            return _normalize_cache_version(redis_client.incr(APP_SETTINGS_CACHE_VERSION_KEY))
+
+        def get_ttl_cached_app_settings_version_redis():
+            now = time.time()
+            with _app_cache_lock:
+                if APP_SETTINGS_SHARED_VERSION_CACHE.get('expires_at', 0) > now:
+                    return _normalize_cache_version(APP_SETTINGS_SHARED_VERSION_CACHE.get('value'))
+
+            shared_version = get_app_settings_cache_version_redis()
+            _set_ttl_cached_version(APP_SETTINGS_SHARED_VERSION_CACHE, shared_version)
+            return shared_version
+
         def update_settings_cache_redis(new_settings):
-            redis_client.set('APP_SETTINGS_CACHE', json.dumps(new_settings))
+            global APP_SETTINGS_CACHE, APP_SETTINGS_CACHE_VERSION
+            redis_client.set(APP_SETTINGS_CACHE_KEY, json.dumps(new_settings))
+            shared_version = get_app_settings_cache_version_redis()
+            with _app_cache_lock:
+                APP_SETTINGS_CACHE = new_settings
+                APP_SETTINGS_CACHE_VERSION = shared_version
+            _set_ttl_cached_version(APP_SETTINGS_SHARED_VERSION_CACHE, shared_version)
 
         def get_settings_cache_redis():
-            cached = redis_client.get('APP_SETTINGS_CACHE')
-            return json.loads(cached) if cached else {}
+            global APP_SETTINGS_CACHE, APP_SETTINGS_CACHE_VERSION
+            shared_version = get_ttl_cached_app_settings_version_redis()
+            with _app_cache_lock:
+                if APP_SETTINGS_CACHE and APP_SETTINGS_CACHE_VERSION == shared_version:
+                    return APP_SETTINGS_CACHE
+
+            cached = redis_client.get(APP_SETTINGS_CACHE_KEY)
+            loaded_settings = json.loads(cached) if cached else {}
+            with _app_cache_lock:
+                APP_SETTINGS_CACHE = loaded_settings
+                APP_SETTINGS_CACHE_VERSION = shared_version
+            return loaded_settings
 
         def get_stream_session_metadata_key(cache_key):
             return f'STREAM_SESSION_META:{cache_key}'
@@ -201,6 +300,8 @@ def bump_governance_cache_version_redis():
 
         update_settings_cache = update_settings_cache_redis
         get_settings_cache = get_settings_cache_redis
+        get_app_settings_cache_version = get_app_settings_cache_version_redis
+        bump_app_settings_cache_version = bump_app_settings_cache_version_redis
         initialize_stream_session_cache = initialize_stream_session_cache_redis
         set_stream_session_meta = set_stream_session_meta_redis
         get_stream_session_meta = get_stream_session_meta_redis
@@ -212,11 +313,33 @@ def bump_governance_cache_version_redis():
 
     else:
         def update_settings_cache_mem(new_settings):
-            global APP_SETTINGS_CACHE
-            APP_SETTINGS_CACHE = new_settings
+            global APP_SETTINGS_CACHE, APP_SETTINGS_CACHE_VERSION
+            shared_version = get_app_settings_cache_version_mem()
+            with _app_cache_lock:
+                APP_SETTINGS_CACHE = new_settings
+                APP_SETTINGS_CACHE_VERSION = shared_version
 
         def get_settings_cache_mem():
-            return APP_SETTINGS_CACHE
+            global APP_SETTINGS_CACHE, APP_SETTINGS_CACHE_VERSION
+            shared_version = get_app_settings_cache_version_mem()
+            with _app_cache_lock:
+                if APP_SETTINGS_CACHE and APP_SETTINGS_CACHE_VERSION == shared_version:
+                    return APP_SETTINGS_CACHE
+
+            try:
+                from config import cosmos_settings_container
+                loaded_settings = cosmos_settings_container.read_item(
+                    item='app_settings',
+                    partition_key='app_settings',
+                )
+                with _app_cache_lock:
+                    APP_SETTINGS_CACHE = loaded_settings
+                    APP_SETTINGS_CACHE_VERSION = shared_version
+                return loaded_settings
+            except Exception as ex:
+                _logger.warning("[ASC] Failed to refresh app settings cache from Cosmos; using local cache fallback: %s", ex)
+                with _app_cache_lock:
+                    return APP_SETTINGS_CACHE
 
         def initialize_stream_session_cache_mem(cache_key, metadata, ttl_seconds=None):
             expiration_timestamp = _get_expiration_timestamp(ttl_seconds)
@@ -285,18 +408,86 @@ def delete_stream_session_cache_mem(cache_key):
                 APP_STREAM_SESSION_METADATA.pop(cache_key, None)
                 APP_STREAM_SESSION_EVENTS.pop(cache_key, None)
 
-        def get_governance_cache_version_mem():
+        def get_app_settings_cache_version_mem():
+            global APP_SETTINGS_CACHE_VERSION
+            try:
+                from config import cosmos_settings_container
+                return _get_ttl_cached_cosmos_version(
+                    APP_SETTINGS_SHARED_VERSION_CACHE,
+                    cosmos_settings_container,
+                    APP_SETTINGS_CACHE_VERSION_DOC_ID,
+                    APP_SETTINGS_CACHE_VERSION,
+                    log_event_func=log_event,
+                )
+            except Exception:
+                with _app_cache_lock:
+                    return APP_SETTINGS_CACHE_VERSION
+
+        def bump_app_settings_cache_version_mem():
+            global APP_SETTINGS_CACHE_VERSION
+            try:
+                from config import cosmos_settings_container
+                bumped_version = _bump_cosmos_cache_version(
+                    cosmos_settings_container,
+                    APP_SETTINGS_CACHE_VERSION_DOC_ID,
+                    log_event_func=log_event,
+                )
+                if bumped_version is not None:
+                    with _app_cache_lock:
+                        APP_SETTINGS_CACHE_VERSION = bumped_version
+                    _set_ttl_cached_version(APP_SETTINGS_SHARED_VERSION_CACHE, bumped_version)
+                    return bumped_version
+            except Exception:
+                pass
+
             with _app_cache_lock:
-                return APP_GOVERNANCE_CACHE_VERSION
+                APP_SETTINGS_CACHE_VERSION += 1
+                fallback_version = APP_SETTINGS_CACHE_VERSION
+            _set_ttl_cached_version(APP_SETTINGS_SHARED_VERSION_CACHE, fallback_version)
+            return fallback_version
+
+        def get_governance_cache_version_mem():
+            global APP_GOVERNANCE_CACHE_VERSION
+            try:
+                from config import cosmos_governance_policies_container
+                return _get_ttl_cached_cosmos_version(
+                    APP_GOVERNANCE_SHARED_VERSION_CACHE,
+                    cosmos_governance_policies_container,
+                    GOVERNANCE_CACHE_VERSION_DOC_ID,
+                    APP_GOVERNANCE_CACHE_VERSION,
+                    log_event_func=log_event,
+                )
+            except Exception:
+                with _app_cache_lock:
+                    return APP_GOVERNANCE_CACHE_VERSION
 
         def bump_governance_cache_version_mem():
             global APP_GOVERNANCE_CACHE_VERSION
+            try:
+                from config import cosmos_governance_policies_container
+                bumped_version = _bump_cosmos_cache_version(
+                    cosmos_governance_policies_container,
+                    GOVERNANCE_CACHE_VERSION_DOC_ID,
+                    log_event_func=log_event,
+                )
+                if bumped_version is not None:
+                    with _app_cache_lock:
+                        APP_GOVERNANCE_CACHE_VERSION = bumped_version
+                    _set_ttl_cached_version(APP_GOVERNANCE_SHARED_VERSION_CACHE, bumped_version)
+                    return bumped_version
+            except Exception:
+                pass
+
             with _app_cache_lock:
                 APP_GOVERNANCE_CACHE_VERSION += 1
-                return APP_GOVERNANCE_CACHE_VERSION
+                fallback_version = APP_GOVERNANCE_CACHE_VERSION
+            _set_ttl_cached_version(APP_GOVERNANCE_SHARED_VERSION_CACHE, fallback_version)
+            return fallback_version
 
         update_settings_cache = update_settings_cache_mem
         get_settings_cache = get_settings_cache_mem
+        get_app_settings_cache_version = get_app_settings_cache_version_mem
+        bump_app_settings_cache_version = bump_app_settings_cache_version_mem
         initialize_stream_session_cache = initialize_stream_session_cache_mem
         set_stream_session_meta = set_stream_session_meta_mem
         get_stream_session_meta = get_stream_session_meta_mem
diff --git a/application/single_app/config.py b/application/single_app/config.py
index 1c168c0d6..ead06b3d7 100644
--- a/application/single_app/config.py
+++ b/application/single_app/config.py
@@ -94,7 +94,7 @@
 EXECUTOR_TYPE = 'thread'
 EXECUTOR_MAX_WORKERS = 30
 SESSION_TYPE = 'filesystem'
-VERSION = "0.242.011"
+VERSION = "0.242.022"
 
 SECRET_KEY = os.getenv('SECRET_KEY', 'dev-secret-key-change-in-production')
 
diff --git a/application/single_app/functions_governance.py b/application/single_app/functions_governance.py
index ee8d944fa..f3ccb7a20 100644
--- a/application/single_app/functions_governance.py
+++ b/application/single_app/functions_governance.py
@@ -6,7 +6,8 @@
 from datetime import datetime
 from threading import RLock
 from time import monotonic
-from typing import Any, Dict, List, Optional, Set
+from typing import Any, Dict, List, Optional, Set, Tuple
+import uuid
 
 from flask import g, has_request_context
 
@@ -32,12 +33,17 @@
 
 
 DEFAULT_ITEM_POLICY_ENTITY_TYPES = {
-    "endpoint",
+    "global_endpoint",
     "global_agent",
     "global_action",
 }
 
 
+LEGACY_ITEM_POLICY_ENTITY_TYPE_ALIASES = {
+    "endpoint": "global_endpoint",
+}
+
+
 GOVERNANCE_CACHE_TTL_SECONDS = 60
 _GOVERNANCE_REQUEST_CACHE_ATTR = "simplechat_governance_request_cache"
 _GOVERNANCE_CACHE_MISS = object()
@@ -177,6 +183,77 @@ def _normalize_str_list(values: Any) -> List[str]:
     return normalized
 
 
+def _normalize_item_policy_entity_type(entity_type: str) -> str:
+    normalized_entity_type = str(entity_type or "").strip().lower()
+    return LEGACY_ITEM_POLICY_ENTITY_TYPE_ALIASES.get(normalized_entity_type, normalized_entity_type)
+
+
+def _get_legacy_item_policy_entity_types(entity_type: str) -> List[str]:
+    normalized_entity_type = _normalize_item_policy_entity_type(entity_type)
+    return [
+        legacy_entity_type
+        for legacy_entity_type, current_entity_type in LEGACY_ITEM_POLICY_ENTITY_TYPE_ALIASES.items()
+        if current_entity_type == normalized_entity_type
+    ]
+
+
+def _item_policy_document_id(entity_type: str, item_id: str, policy_id: str) -> str:
+    normalized_entity_type = _normalize_item_policy_entity_type(entity_type)
+    normalized_item_id = str(item_id or "").strip()
+    normalized_policy_id = str(policy_id or "default").strip() or "default"
+    return f"item:{normalized_entity_type}:{normalized_item_id}:{normalized_policy_id}"
+
+
+def _legacy_item_policy_document_id(entity_type: str, item_id: str) -> str:
+    normalized_entity_type = _normalize_item_policy_entity_type(entity_type)
+    normalized_item_id = str(item_id or "").strip()
+    return f"item:{normalized_entity_type}:{normalized_item_id}"
+
+
+def _extract_policy_id_from_item_doc(policy: Dict[str, Any], entity_type: str, item_id: str) -> str:
+    explicit_policy_id = str((policy or {}).get("policy_id") or "").strip()
+    if explicit_policy_id:
+        return explicit_policy_id
+
+    doc_id = str((policy or {}).get("id") or "").strip()
+    normalized_entity_type = _normalize_item_policy_entity_type(entity_type)
+    normalized_item_id = str(item_id or "").strip()
+    prefix = f"item:{normalized_entity_type}:{normalized_item_id}:"
+    if doc_id.startswith(prefix):
+        suffix = doc_id[len(prefix):].strip()
+        if suffix:
+            return suffix
+
+    return "default"
+
+
+def _default_item_policy_name(entity_type: str, item_id: str, resource_label: str = "") -> str:
+    label = str(resource_label or "").strip() or str(item_id or "").strip() or "Resource"
+    entity_label = _normalize_item_policy_entity_type(entity_type).replace("_", " ").title()
+    return f"{label} {entity_label} Policy"
+
+
+def _normalize_item_policy_doc(policy: Dict[str, Any]) -> Dict[str, Any]:
+    normalized_policy = dict(policy)
+    normalized_entity_type = _normalize_item_policy_entity_type(normalized_policy.get("entity_type", ""))
+    normalized_item_id = str(normalized_policy.get("item_id") or "").strip()
+    normalized_policy_id = _extract_policy_id_from_item_doc(normalized_policy, normalized_entity_type, normalized_item_id)
+    normalized_resource_label = str(normalized_policy.get("resource_label") or "").strip()
+    normalized_policy_name = str(normalized_policy.get("policy_name") or "").strip() or _default_item_policy_name(
+        normalized_entity_type,
+        normalized_item_id,
+        normalized_resource_label,
+    )
+    normalized_policy["id"] = _item_policy_document_id(normalized_entity_type, normalized_item_id, normalized_policy_id)
+    normalized_policy["policy_id"] = normalized_policy_id
+    normalized_policy["policy_name"] = normalized_policy_name
+    normalized_policy["resource_label"] = normalized_resource_label
+    normalized_policy["entity_type"] = normalized_entity_type
+    normalized_policy["item_id"] = normalized_item_id
+    normalized_policy.update(_normalize_policy_state(normalized_policy))
+    return normalized_policy
+
+
 def _extract_group_ids(group_docs: Any) -> List[str]:
     if not isinstance(group_docs, list):
         return []
@@ -216,11 +293,29 @@ def _default_feature_policy_doc(feature_key: str) -> Dict[str, Any]:
     }
 
 
-def _default_item_policy_doc(entity_type: str, item_id: str) -> Dict[str, Any]:
+def _default_item_policy_doc(
+    entity_type: str,
+    item_id: str,
+    policy_id: str = "default",
+    policy_name: str = "",
+    resource_label: str = "",
+) -> Dict[str, Any]:
+    normalized_entity_type = _normalize_item_policy_entity_type(entity_type)
+    normalized_item_id = str(item_id or "").strip()
+    normalized_policy_id = str(policy_id or "default").strip() or "default"
+    normalized_resource_label = str(resource_label or "").strip()
+    normalized_policy_name = str(policy_name or "").strip() or _default_item_policy_name(
+        normalized_entity_type,
+        normalized_item_id,
+        normalized_resource_label,
+    )
     return {
-        "id": f"item:{entity_type}:{item_id}",
-        "entity_type": entity_type,
-        "item_id": item_id,
+        "id": _item_policy_document_id(normalized_entity_type, normalized_item_id, normalized_policy_id),
+        "policy_id": normalized_policy_id,
+        "policy_name": normalized_policy_name,
+        "resource_label": normalized_resource_label,
+        "entity_type": normalized_entity_type,
+        "item_id": normalized_item_id,
         "allow_all": True,
         "allowed_users": [],
         "allowed_groups": [],
@@ -259,20 +354,67 @@ def _read_stored_feature_policy(feature_key: str) -> Dict[str, Any]:
     return cosmos_governance_policies_container.read_item(item=policy_id, partition_key=policy_id)
 
 
-def _read_item_policy(entity_type: str, item_id: str) -> Dict[str, Any]:
+def _read_item_policies(entity_type: str, item_id: str) -> List[Dict[str, Any]]:
+    normalized_entity_type = _normalize_item_policy_entity_type(entity_type)
     normalized_item_id = str(item_id or "").strip()
     if not normalized_item_id:
-        return _default_item_policy_doc(entity_type, normalized_item_id)
+        return [_default_item_policy_doc(normalized_entity_type, normalized_item_id)]
+
+    candidate_entity_types = [normalized_entity_type] + _get_legacy_item_policy_entity_types(normalized_entity_type)
+    rows = []
+    query = "SELECT * FROM c WHERE c.entity_type = @entity_type AND c.item_id = @item_id"
+    for candidate_entity_type in candidate_entity_types:
+        parameters = [
+            {"name": "@entity_type", "value": candidate_entity_type},
+            {"name": "@item_id", "value": normalized_item_id},
+        ]
+        try:
+            rows.extend(list(cosmos_governance_item_policies_container.query_items(
+                query=query,
+                parameters=parameters,
+                enable_cross_partition_query=True,
+            )))
+        except Exception:
+            pass
 
     try:
-        return _read_stored_item_policy(entity_type, normalized_item_id)
+        legacy_policy = _read_stored_item_policy(normalized_entity_type, normalized_item_id)
+        rows.append(legacy_policy)
     except Exception:
-        return _default_item_policy_doc(entity_type, normalized_item_id)
+        pass
+
+    for legacy_entity_type in _get_legacy_item_policy_entity_types(normalized_entity_type):
+        try:
+            rows.append(_read_stored_item_policy(legacy_entity_type, normalized_item_id))
+        except Exception:
+            pass
+
+    normalized_rows_by_key: Dict[Tuple[str, str, str], Dict[str, Any]] = {}
+    for row in rows:
+        if not isinstance(row, dict):
+            continue
+        normalized_row = _normalize_item_policy_doc(row)
+        row_key = (
+            str(normalized_row.get("entity_type") or ""),
+            str(normalized_row.get("item_id") or ""),
+            str(normalized_row.get("policy_id") or ""),
+        )
+        normalized_rows_by_key[row_key] = normalized_row
+
+    normalized_rows = list(normalized_rows_by_key.values())
+    if not normalized_rows:
+        return [_default_item_policy_doc(normalized_entity_type, normalized_item_id)]
+
+    return sorted(normalized_rows, key=lambda item: (str(item.get("policy_name") or ""), str(item.get("policy_id") or "")))
+
+
+def _read_item_policy(entity_type: str, item_id: str) -> Dict[str, Any]:
+    return _read_item_policies(entity_type, item_id)[0]
 
 
 def _read_stored_item_policy(entity_type: str, item_id: str) -> Dict[str, Any]:
     normalized_item_id = str(item_id or "").strip()
-    policy_id = f"item:{entity_type}:{normalized_item_id}"
+    policy_id = _legacy_item_policy_document_id(entity_type, normalized_item_id)
     return cosmos_governance_item_policies_container.read_item(item=policy_id, partition_key=policy_id)
 
 
@@ -289,18 +431,25 @@ def load_policy() -> Dict[str, Any]:
 
 
 def get_item_policy(entity_type: str, item_id: str) -> Dict[str, Any]:
-    normalized_entity_type = str(entity_type or "").strip()
+    return get_item_policies(entity_type, item_id)[0]
+
+
+def get_item_policies(entity_type: str, item_id: str) -> List[Dict[str, Any]]:
+    normalized_entity_type = _normalize_item_policy_entity_type(entity_type)
     normalized_item_id = str(item_id or "").strip()
 
-    def load_policy() -> Dict[str, Any]:
-        policy = dict(_read_item_policy(normalized_entity_type, normalized_item_id))
-        normalized = _normalize_policy_state(policy)
-        policy.update(normalized)
-        return policy
+    def load_policies() -> List[Dict[str, Any]]:
+        policies = []
+        for policy in _read_item_policies(normalized_entity_type, normalized_item_id):
+            normalized_policy = dict(policy)
+            normalized = _normalize_policy_state(normalized_policy)
+            normalized_policy.update(normalized)
+            policies.append(normalized_policy)
+        return policies
 
     return _get_cached_governance_value(
-        ("item_policy", normalized_entity_type, normalized_item_id),
-        load_policy,
+        ("item_policies", normalized_entity_type, normalized_item_id),
+        load_policies,
     )
 
 
@@ -365,14 +514,32 @@ def upsert_item_policy(
     actor_user_id: str,
     actor_email: str,
 ) -> Dict[str, Any]:
+    normalized_entity_type = _normalize_item_policy_entity_type(entity_type)
     normalized_item_id = str(item_id or "").strip()
-    before_policy = _read_item_policy(entity_type, normalized_item_id)
-    policy_id = f"item:{entity_type}:{normalized_item_id}"
+    incoming_policy_id = str((payload or {}).get("policy_id") or "").strip()
+    normalized_policy_id = incoming_policy_id or str(uuid.uuid4())
+    policy_id = _item_policy_document_id(normalized_entity_type, normalized_item_id, normalized_policy_id)
+    before_policy = next(
+        (
+            policy for policy in _read_item_policies(normalized_entity_type, normalized_item_id)
+            if str(policy.get("policy_id") or "") == normalized_policy_id
+        ),
+        _default_item_policy_doc(normalized_entity_type, normalized_item_id, normalized_policy_id),
+    )
     normalized_payload = _normalize_policy_state(payload)
+    normalized_resource_label = str((payload or {}).get("resource_label") or "").strip()
+    normalized_policy_name = str((payload or {}).get("policy_name") or "").strip() or _default_item_policy_name(
+        normalized_entity_type,
+        normalized_item_id,
+        normalized_resource_label,
+    )
 
     after_policy = {
         "id": policy_id,
-        "entity_type": str(entity_type or "").strip(),
+        "policy_id": normalized_policy_id,
+        "policy_name": normalized_policy_name,
+        "resource_label": normalized_resource_label,
+        "entity_type": normalized_entity_type,
         "item_id": normalized_item_id,
         "allow_all": normalized_payload["allow_all"],
         "allowed_users": normalized_payload["allowed_users"],
@@ -382,13 +549,33 @@ def upsert_item_policy(
     }
 
     stored = cosmos_governance_item_policies_container.upsert_item(body=after_policy)
+    legacy_current_policy_id = _legacy_item_policy_document_id(normalized_entity_type, normalized_item_id)
+    if legacy_current_policy_id != policy_id:
+        try:
+            cosmos_governance_item_policies_container.delete_item(
+                item=legacy_current_policy_id,
+                partition_key=legacy_current_policy_id,
+            )
+        except Exception:
+            pass
+
+    for legacy_entity_type in _get_legacy_item_policy_entity_types(normalized_entity_type):
+        legacy_policy_id = _legacy_item_policy_document_id(legacy_entity_type, normalized_item_id)
+        try:
+            cosmos_governance_item_policies_container.delete_item(
+                item=legacy_policy_id,
+                partition_key=legacy_policy_id,
+            )
+        except Exception:
+            pass
+
     invalidate_governance_cache()
 
     log_governance_change(
         admin_user_id=str(actor_user_id or "").strip(),
         admin_email=str(actor_email or "").strip(),
         action="item_policy_upsert",
-        scope=entity_type,
+        scope=normalized_entity_type,
         target_id=normalized_item_id,
         before_state=before_policy,
         after_state=stored,
@@ -398,24 +585,63 @@ def upsert_item_policy(
     return stored
 
 
+def _read_existing_item_policy_for_delete(entity_type: str, item_id: str, policy_id: Optional[str] = None) -> Tuple[Dict[str, Any], str, str]:
+    normalized_entity_type = _normalize_item_policy_entity_type(entity_type)
+    normalized_item_id = str(item_id or "").strip()
+    normalized_policy_id = str(policy_id or "").strip()
+    candidate_entity_types = [normalized_entity_type] + _get_legacy_item_policy_entity_types(normalized_entity_type)
+
+    if normalized_policy_id:
+        for candidate_entity_type in candidate_entity_types:
+            document_id = _item_policy_document_id(candidate_entity_type, normalized_item_id, normalized_policy_id)
+            try:
+                return cosmos_governance_item_policies_container.read_item(item=document_id, partition_key=document_id), candidate_entity_type, document_id
+            except Exception:
+                pass
+
+    if normalized_policy_id in ("", "default"):
+        for candidate_entity_type in candidate_entity_types:
+            legacy_document_id = _legacy_item_policy_document_id(candidate_entity_type, normalized_item_id)
+            try:
+                return cosmos_governance_item_policies_container.read_item(item=legacy_document_id, partition_key=legacy_document_id), candidate_entity_type, legacy_document_id
+            except Exception:
+                pass
+
+    last_exception = None
+    for candidate_entity_type in candidate_entity_types:
+        try:
+            policies = _read_item_policies(candidate_entity_type, normalized_item_id)
+            if policies:
+                policy = policies[0]
+                document_id = str(policy.get("id") or _item_policy_document_id(candidate_entity_type, normalized_item_id, policy.get("policy_id") or "default"))
+                return policy, candidate_entity_type, document_id
+        except Exception as ex:
+            last_exception = ex
+
+    if last_exception:
+        raise last_exception
+    raise ValueError("Item governance policy not found.")
+
+
 def delete_item_policy(
     entity_type: str,
     item_id: str,
     actor_user_id: str,
     actor_email: str,
+    policy_id: Optional[str] = None,
 ) -> Dict[str, Any]:
-    normalized_entity_type = str(entity_type or "").strip()
+    normalized_entity_type = _normalize_item_policy_entity_type(entity_type)
     normalized_item_id = str(item_id or "").strip()
-    policy_id = f"item:{normalized_entity_type}:{normalized_item_id}"
-    before_policy = _read_stored_item_policy(normalized_entity_type, normalized_item_id)
+    stored_policy, stored_entity_type, document_id = _read_existing_item_policy_for_delete(normalized_entity_type, normalized_item_id, policy_id)
+    before_policy = _normalize_item_policy_doc(stored_policy)
 
     cosmos_governance_item_policies_container.delete_item(
-        item=policy_id,
-        partition_key=policy_id,
+        item=document_id,
+        partition_key=document_id,
     )
     invalidate_governance_cache()
 
-    after_policy = _default_item_policy_doc(normalized_entity_type, normalized_item_id)
+    after_policy = _default_item_policy_doc(normalized_entity_type, normalized_item_id, before_policy.get("policy_id") or "default")
     log_governance_change(
         admin_user_id=str(actor_user_id or "").strip(),
         admin_email=str(actor_email or "").strip(),
@@ -468,16 +694,23 @@ def list_feature_policies() -> List[Dict[str, Any]]:
 
 
 def list_item_policies(entity_type: Optional[str] = None) -> List[Dict[str, Any]]:
+    query_entity_types = []
     if entity_type:
+        normalized_entity_type = _normalize_item_policy_entity_type(entity_type)
+        query_entity_types = [normalized_entity_type] + _get_legacy_item_policy_entity_types(normalized_entity_type)
         query = "SELECT * FROM c WHERE c.entity_type = @entity_type"
-        parameters = [{"name": "@entity_type", "value": entity_type}]
-        rows = list(
-            cosmos_governance_item_policies_container.query_items(
-                query=query,
-                parameters=parameters,
-                enable_cross_partition_query=True,
+        rows = []
+        for query_entity_type in query_entity_types:
+            parameters = [{"name": "@entity_type", "value": query_entity_type}]
+            rows.extend(
+                list(
+                    cosmos_governance_item_policies_container.query_items(
+                        query=query,
+                        parameters=parameters,
+                        enable_cross_partition_query=True,
+                    )
+                )
             )
-        )
     else:
         query = "SELECT * FROM c"
         rows = list(
@@ -487,14 +720,26 @@ def list_item_policies(entity_type: Optional[str] = None) -> List[Dict[str, Any]
             )
         )
 
-    normalized_rows = []
+    normalized_rows_by_key = {}
     for row in rows:
-        normalized_row = dict(row)
-        normalized_row.update(_normalize_policy_state(normalized_row))
-        normalized_rows.append(normalized_row)
+        stored_entity_type = str((row or {}).get("entity_type") or "").strip().lower()
+        normalized_row = _normalize_item_policy_doc(row)
+        normalized_entity_type = str(normalized_row.get("entity_type") or "")
+        normalized_item_id = str(normalized_row.get("item_id") or "")
+        normalized_policy_id = str(normalized_row.get("policy_id") or "")
+        row_key = (normalized_entity_type, normalized_item_id, normalized_policy_id)
+        existing_row = normalized_rows_by_key.get(row_key)
+        if not existing_row or stored_entity_type == normalized_entity_type:
+            normalized_rows_by_key[row_key] = normalized_row
+
+    normalized_rows = list(normalized_rows_by_key.values())
     return sorted(
         normalized_rows,
-        key=lambda item: (str(item.get("entity_type") or ""), str(item.get("item_id") or "")),
+        key=lambda item: (
+            str(item.get("entity_type") or ""),
+            str(item.get("resource_label") or item.get("item_id") or ""),
+            str(item.get("policy_name") or ""),
+        ),
     )
 
 
@@ -551,7 +796,7 @@ def ensure_governance_access(
 ) -> None:
     normalized_feature_key = str(feature_key or "").strip()
     normalized_user_id = str(user_id or "").strip()
-    normalized_item_entity_type = str(item_entity_type or "").strip()
+    normalized_item_entity_type = _normalize_item_policy_entity_type(item_entity_type or "")
     normalized_item_id = str(item_id or "").strip()
     decision_key = (
         "governance_access_decision",
@@ -577,8 +822,8 @@ def ensure_governance_access(
         raise PermissionError(f"Governance policy blocks access for feature '{feature_key}'.")
 
     if normalized_item_entity_type and normalized_item_id:
-        item_policy = get_item_policy(normalized_item_entity_type, normalized_item_id)
-        if not _passes_policy(item_policy, normalized_user_id, user_group_ids):
+        item_policies = get_item_policies(normalized_item_entity_type, normalized_item_id)
+        if not any(_passes_policy(item_policy, normalized_user_id, user_group_ids) for item_policy in item_policies):
             raise PermissionError(
                 f"Governance policy blocks access to {item_entity_type} '{item_id}'."
             )
@@ -616,7 +861,7 @@ def filter_governed_model_endpoints(
         if endpoint_id and not is_governance_access_allowed(
             feature_key,
             user_id,
-            item_entity_type="endpoint",
+            item_entity_type="global_endpoint",
             item_id=endpoint_id,
         ):
             continue
diff --git a/application/single_app/functions_settings.py b/application/single_app/functions_settings.py
index 3bbc5cc34..558968d5e 100644
--- a/application/single_app/functions_settings.py
+++ b/application/single_app/functions_settings.py
@@ -66,6 +66,45 @@ def is_tabular_processing_enabled(settings):
     """Tabular processing is available whenever enhanced citations is enabled."""
     return bool((settings or {}).get('enable_enhanced_citations', False))
 
+
+def _refresh_app_settings_cache_after_write(settings_payload, context="app_settings_write"):
+    """Update shared/local settings cache around a version bump."""
+    cache_updater = getattr(app_settings_cache, "update_settings_cache", None)
+    version_bumper = getattr(app_settings_cache, "bump_app_settings_cache_version", None)
+
+    def _update_cache(stage):
+        if not callable(cache_updater):
+            return
+        try:
+            cache_updater(copy.deepcopy(settings_payload))
+        except Exception as cache_error:
+            log_event(
+                "App settings cache update failed after settings write.",
+                extra={
+                    "context": context,
+                    "stage": stage,
+                    "error": str(cache_error)
+                },
+                level=logging.WARNING
+            )
+
+    _update_cache("before_version_bump")
+
+    if callable(version_bumper):
+        try:
+            version_bumper()
+        except Exception as version_error:
+            log_event(
+                "App settings cache version bump failed after settings write.",
+                extra={
+                    "context": context,
+                    "error": str(version_error)
+                },
+                level=logging.WARNING
+            )
+
+    _update_cache("after_version_bump")
+
 def get_settings(use_cosmos=False, include_source=False):
     import secrets
     default_settings = {
@@ -107,7 +146,7 @@ def get_settings(use_cosmos=False, include_source=False):
         'allow_group_custom_agent_endpoints': False,
         'governance_user_endpoints': False,
         'governance_group_endpoints': False,
-        'governance_global_endpoints': False,
+        'governance_global_endpoints': True,
         'governance_user_agents': False,
         'governance_group_agents': False,
         'governance_global_agents_usage': False,
@@ -545,19 +584,7 @@ def _format_result(settings_payload, source):
         # If merging added anything new, upsert back to Cosmos so future reads remain up to date
         if merge_changed or migration_updated:
             cosmos_settings_container.upsert_item(merged)
-            cache_updater = getattr(app_settings_cache, "update_settings_cache", None)
-            if callable(cache_updater):
-                try:
-                    cache_updater(copy.deepcopy(merged))
-                except Exception as cache_error:
-                    log_event(
-                        "App settings cache update failed after merge upsert.",
-                        extra={
-                            "settings_source": settings_source,
-                            "error": str(cache_error)
-                        },
-                        level=logging.WARNING
-                    )
+            _refresh_app_settings_cache_after_write(merged, context="merge_upsert")
 
             log_event(
                 "App settings missing keys were merged and persisted to Cosmos DB.",
@@ -573,6 +600,7 @@ def _format_result(settings_payload, source):
 
     except CosmosResourceNotFoundError:
         cosmos_settings_container.create_item(body=default_settings)
+        _refresh_app_settings_cache_after_write(default_settings, context="default_create")
 
         log_event(
             "App settings document not found. Default settings created in Cosmos DB.",
@@ -607,9 +635,7 @@ def update_settings(new_settings):
         )
         settings_item['enable_tabular_processing_plugin'] = is_tabular_processing_enabled(settings_item)
         cosmos_settings_container.upsert_item(settings_item)
-        cache_updater = getattr(app_settings_cache, "update_settings_cache", None)
-        if callable(cache_updater):
-            cache_updater(settings_item)
+        _refresh_app_settings_cache_after_write(settings_item, context="update_settings")
         log_event(
             "App settings updated successfully.",
             level=logging.INFO
diff --git a/application/single_app/route_backend_chats.py b/application/single_app/route_backend_chats.py
index 6f67da267..634d72b50 100644
--- a/application/single_app/route_backend_chats.py
+++ b/application/single_app/route_backend_chats.py
@@ -5869,7 +5869,7 @@ def get_streaming_model_endpoint_candidates(settings, user_id, active_group_ids=
                     ensure_governance_access(
                         'governance_global_endpoints',
                         user_id,
-                        item_entity_type='endpoint',
+                        item_entity_type='global_endpoint',
                         item_id=endpoint_id,
                     )
                 except PermissionError:
diff --git a/application/single_app/route_backend_governance.py b/application/single_app/route_backend_governance.py
index 61cf2b690..c72b42bbe 100644
--- a/application/single_app/route_backend_governance.py
+++ b/application/single_app/route_backend_governance.py
@@ -32,6 +32,9 @@ def _sanitize_policy_payload(payload):
             "allow_all": True,
             "allowed_users": [],
             "allowed_groups": [],
+            "policy_id": "",
+            "policy_name": "",
+            "resource_label": "",
         }
 
     allowed_users = payload.get("allowed_users", [])
@@ -46,6 +49,9 @@ def _sanitize_policy_payload(payload):
         "allow_all": bool(payload.get("allow_all", True)),
         "allowed_users": allowed_users,
         "allowed_groups": allowed_groups,
+        "policy_id": str(payload.get("policy_id") or "").strip(),
+        "policy_name": str(payload.get("policy_name") or "").strip(),
+        "resource_label": str(payload.get("resource_label") or "").strip(),
     }
 
 
@@ -67,6 +73,9 @@ def _normalize_review_pagination(args):
 
 def _build_item_policy_search_haystack(policy):
     return " ".join([
+        str(policy.get("policy_id") or ""),
+        str(policy.get("policy_name") or ""),
+        str(policy.get("resource_label") or ""),
         str(policy.get("entity_type") or ""),
         str(policy.get("item_id") or ""),
         str(policy.get("allow_all") or ""),
@@ -107,13 +116,10 @@ def update_governance_feature_policy_route(feature_key):
         )
         return jsonify({'policy': updated}), 200
 
-    @app.route('/api/admin/governance/item-policies/<entity_type>/<item_id>', methods=['DELETE'])
-    @swagger_route(security=get_auth_security())
-    @login_required
-    @admin_required
-    def delete_governance_item_policy_route(entity_type, item_id):
+    def _delete_governance_item_policy(entity_type, item_id, policy_id=None):
         normalized_entity_type = str(entity_type or '').strip().lower()
         normalized_item_id = str(item_id or '').strip()
+        normalized_policy_id = str(policy_id or '').strip() or None
         if not normalized_entity_type or not normalized_item_id:
             return jsonify({'error': 'entity_type and item_id are required.'}), 400
 
@@ -124,6 +130,7 @@ def delete_governance_item_policy_route(entity_type, item_id):
             deleted = delete_item_policy(
                 entity_type=normalized_entity_type,
                 item_id=normalized_item_id,
+                policy_id=normalized_policy_id,
                 actor_user_id=actor_user_id,
                 actor_email=actor_email,
             )
@@ -132,6 +139,20 @@ def delete_governance_item_policy_route(entity_type, item_id):
 
         return jsonify({'deleted': deleted}), 200
 
+    @app.route('/api/admin/governance/item-policies/<entity_type>/<item_id>', methods=['DELETE'])
+    @swagger_route(security=get_auth_security())
+    @login_required
+    @admin_required
+    def delete_governance_item_policy_route(entity_type, item_id):
+        return _delete_governance_item_policy(entity_type, item_id)
+
+    @app.route('/api/admin/governance/item-policies/<entity_type>/<item_id>/<policy_id>', methods=['DELETE'])
+    @swagger_route(security=get_auth_security())
+    @login_required
+    @admin_required
+    def delete_governance_named_item_policy_route(entity_type, item_id, policy_id):
+        return _delete_governance_item_policy(entity_type, item_id, policy_id)
+
     @app.route('/api/admin/governance/item-policies', methods=['GET'])
     @swagger_route(security=get_auth_security())
     @login_required
diff --git a/application/single_app/route_backend_models.py b/application/single_app/route_backend_models.py
index a34178d49..9ba95c0d9 100644
--- a/application/single_app/route_backend_models.py
+++ b/application/single_app/route_backend_models.py
@@ -99,7 +99,7 @@ def get_governed_endpoints(candidate_endpoints, feature_key, endpoint_scope):
                         ensure_governance_access(
                             feature_key,
                             user_id,
-                            item_entity_type="endpoint",
+                            item_entity_type="global_endpoint",
                             item_id=endpoint_id,
                         )
                     except PermissionError:
@@ -132,7 +132,7 @@ def resolve_endpoint_by_id(user_id, scope, endpoint_id):
             ensure_governance_access(
                 feature_key,
                 user_id,
-                item_entity_type="endpoint",
+                item_entity_type="global_endpoint",
                 item_id=endpoint_id,
             )
         return endpoint
diff --git a/application/single_app/route_backend_users.py b/application/single_app/route_backend_users.py
index eac97c37e..a7273e864 100644
--- a/application/single_app/route_backend_users.py
+++ b/application/single_app/route_backend_users.py
@@ -1,6 +1,9 @@
 # route_backend_users.py
 
+from urllib.parse import quote
+
 from config import *
+from functions_appinsights import log_event
 from functions_authentication import *
 from functions_group import update_active_group_for_user
 from functions_public_workspaces import update_active_public_workspace_for_user
@@ -12,6 +15,49 @@ def _escape_graph_odata_literal(value):
     return str(value or "").replace("'", "''")
 
 
+def _build_user_info_response(user_id, display_name="", email="", user_principal_name=""):
+    resolved_email = email or user_principal_name or ""
+    return {
+        "id": user_id,
+        "user_id": user_id,
+        "displayName": display_name or resolved_email or "",
+        "display_name": display_name or resolved_email or "",
+        "email": resolved_email,
+        "mail": email or "",
+        "userPrincipalName": user_principal_name or resolved_email,
+    }
+
+
+def _get_graph_user_info_by_id(user_id):
+    normalized_user_id = str(user_id or "").strip()
+    if not normalized_user_id:
+        return None
+
+    token = get_valid_access_token()
+    if not token:
+        return None
+
+    user_endpoint = get_graph_endpoint(f"/users/{quote(normalized_user_id, safe='')}")
+    headers = {
+        "Authorization": f"Bearer {token}",
+        "Content-Type": "application/json"
+    }
+    params = {
+        "$select": "id,displayName,mail,userPrincipalName"
+    }
+
+    response = requests.get(user_endpoint, headers=headers, params=params)
+    response.raise_for_status()
+    user = response.json() or {}
+    graph_user_id = user.get("id") or normalized_user_id
+    return _build_user_info_response(
+        graph_user_id,
+        display_name=user.get("displayName", ""),
+        email=user.get("mail", ""),
+        user_principal_name=user.get("userPrincipalName", ""),
+    )
+
+
 def register_route_backend_users(app):
     """
     This route will expose GET /api/userSearch?query=<searchTerm> which calls
@@ -88,24 +134,41 @@ def api_get_user_info(user_id):
         """
         Get user info (email, display_name) by user_id (oid).
         """
-        # Directly query Cosmos for the user document by id (oid)
-        from config import cosmos_user_settings_container
+        normalized_user_id = str(user_id or "").strip()
+        if not normalized_user_id:
+            return jsonify({"error": "User ID is required"}), 400
+
         try:
             user_doc = cosmos_user_settings_container.read_item(
-                item=user_id,
-                partition_key=user_id
+                item=normalized_user_id,
+                partition_key=normalized_user_id
             )
-            print(f"/api/user/info/{user_id} → doc: {user_doc}", flush=True)
-            return jsonify({
-                "user_id": user_id,
-                "email": user_doc.get("email", ""),
-                "display_name": user_doc.get("display_name", "")
-            }), 200
-        except Exception as e:
-            print(f"[ERROR] /api/user/info/{user_id} failed: {e}", flush=True)
-            return jsonify({
-                "error": f"User not found for oid {user_id}"
-            }), 404
+            return jsonify(_build_user_info_response(
+                normalized_user_id,
+                display_name=user_doc.get("display_name", ""),
+                email=user_doc.get("email", ""),
+            )), 200
+        except Exception:
+            pass
+
+        try:
+            graph_user_info = _get_graph_user_info_by_id(normalized_user_id)
+            if graph_user_info:
+                return jsonify(graph_user_info), 200
+        except requests.exceptions.RequestException as ex:
+            log_event(
+                "[Users] Graph user info lookup failed",
+                level=logging.WARNING,
+                extra={
+                    "target_user_id": normalized_user_id,
+                    "status_code": getattr(ex.response, "status_code", None),
+                },
+                debug_only=True,
+            )
+
+        return jsonify({
+            "error": f"User not found for oid {normalized_user_id}"
+        }), 404
     
     @app.route('/api/user/settings', methods=['GET', 'POST'])
     @swagger_route(security=get_auth_security())
diff --git a/application/single_app/route_frontend_admin_settings.py b/application/single_app/route_frontend_admin_settings.py
index cd7860bec..f0094fab7 100644
--- a/application/single_app/route_frontend_admin_settings.py
+++ b/application/single_app/route_frontend_admin_settings.py
@@ -1112,15 +1112,15 @@ def is_valid_url(url):
                 'enable_agent_template_gallery': form_data.get('enable_agent_template_gallery') == 'on',
                 'agent_templates_allow_user_submission': form_data.get('agent_templates_allow_user_submission') == 'on',
                 'agent_templates_require_approval': form_data.get('agent_templates_require_approval') == 'on',
-                'governance_user_endpoints': form_data.get('governance_user_endpoints') == 'on',
-                'governance_group_endpoints': form_data.get('governance_group_endpoints') == 'on',
-                'governance_global_endpoints': form_data.get('governance_global_endpoints') == 'on',
-                'governance_user_agents': form_data.get('governance_user_agents') == 'on',
-                'governance_group_agents': form_data.get('governance_group_agents') == 'on',
-                'governance_global_agents_usage': form_data.get('governance_global_agents_usage') == 'on',
-                'governance_user_actions': form_data.get('governance_user_actions') == 'on',
-                'governance_group_actions': form_data.get('governance_group_actions') == 'on',
-                'governance_global_actions_usage': form_data.get('governance_global_actions_usage') == 'on',
+                'governance_user_endpoints': form_data.get('governance_user_endpoints') == 'on' and form_data.get('allow_user_custom_endpoints') == 'on',
+                'governance_group_endpoints': form_data.get('governance_group_endpoints') == 'on' and form_data.get('allow_group_custom_endpoints') == 'on',
+                'governance_global_endpoints': True,
+                'governance_user_agents': form_data.get('governance_user_agents') == 'on' and form_data.get('allow_user_agents') == 'on',
+                'governance_group_agents': form_data.get('governance_group_agents') == 'on' and form_data.get('allow_group_agents') == 'on',
+                'governance_global_agents_usage': form_data.get('governance_global_agents_usage') == 'on' and form_data.get('enable_semantic_kernel') == 'on',
+                'governance_user_actions': form_data.get('governance_user_actions') == 'on' and form_data.get('allow_user_plugins') == 'on',
+                'governance_group_actions': form_data.get('governance_group_actions') == 'on' and form_data.get('allow_group_plugins') == 'on',
+                'governance_global_actions_usage': form_data.get('governance_global_actions_usage') == 'on' and form_data.get('enable_semantic_kernel') == 'on',
 
                 # GPT (Direct & APIM)
                 'enable_gpt_apim': form_data.get('enable_gpt_apim') == 'on',
diff --git a/application/single_app/route_frontend_chats.py b/application/single_app/route_frontend_chats.py
index d1b1e66c2..67eec3a52 100644
--- a/application/single_app/route_frontend_chats.py
+++ b/application/single_app/route_frontend_chats.py
@@ -81,7 +81,7 @@ def _filter_chat_model_endpoints_by_governance(user_id, endpoints, feature_key):
                 ensure_governance_access(
                     feature_key,
                     user_id,
-                    item_entity_type='endpoint',
+                    item_entity_type='global_endpoint',
                     item_id=endpoint_id,
                 )
             except PermissionError:
diff --git a/application/single_app/static/css/chats.css b/application/single_app/static/css/chats.css
index 6474185b0..eeee60080 100644
--- a/application/single_app/static/css/chats.css
+++ b/application/single_app/static/css/chats.css
@@ -87,23 +87,21 @@ body.sidebar-collapsed #chat-sidebar-inline-toggle {
   z-index: 1060 !important;
 }
 
-/* Handle dropdown positioning at the edge of viewport */
-#document-dropdown.dropup .dropdown-menu {
-  bottom: 100% !important;
-  top: auto !important;
-  margin-bottom: 0.125rem;
-}
-
 #document-dropdown .dropdown-menu {
-  width: auto;
-  min-width: 400px; /* Increased width as requested */
-  max-width: 400px; /* Increased width as requested */
-  max-height: 60vh; /* Use viewport height for better adaptation */
+  width: max-content;
+  min-width: min(20rem, calc(100vw - 2rem));
+  max-width: min(40rem, calc(100vw - 2rem));
+  max-height: 60vh;
   overflow: hidden;
   padding: 8px;
-  position: absolute;
-  left: 0 !important; /* Keep it aligned to the left of its container */
-  right: auto !important; /* Prevent right positioning */
+}
+
+.chat-search-filter-menu {
+  width: max-content;
+  min-width: min(20rem, calc(100vw - 2rem));
+  max-width: min(40rem, calc(100vw - 2rem));
+  max-height: 60vh;
+  overflow: hidden;
 }
 
 .chat-search-panel {
@@ -593,10 +591,20 @@ body.sidebar-collapsed #chat-sidebar-inline-toggle {
 
 #scope-dropdown-items .dropdown-item,
 #tags-dropdown-items .dropdown-item {
+  min-width: 0;
   width: 100%;
   text-align: left;
 }
 
+#scope-dropdown-items .dropdown-item span,
+#tags-dropdown-items .dropdown-item span,
+#document-dropdown-items .dropdown-item span {
+  min-width: 0;
+  overflow: hidden;
+  text-overflow: ellipsis;
+  white-space: nowrap;
+}
+
 /* Document dropdown items must be explicitly displayed */
 #document-dropdown .dropdown-item {
   display: block !important;
@@ -608,6 +616,7 @@ body.sidebar-collapsed #chat-sidebar-inline-toggle {
   width: 100%; /* Ensure items take full width of their container */
   text-align: left;
   max-width: 100%; /* Ensure items don't exceed container width */
+  min-width: 0;
 }
 
 /* Only hide when explicitly told to */
diff --git a/application/single_app/static/js/admin/admin_agents.js b/application/single_app/static/js/admin/admin_agents.js
index 6f9c41458..f06dd6444 100644
--- a/application/single_app/static/js/admin/admin_agents.js
+++ b/application/single_app/static/js/admin/admin_agents.js
@@ -201,6 +201,55 @@ async function openAgentModal(agent = null) {
     modal.show();
 }
 
+function makeAgentCopyName(name) {
+    const baseName = `${String(name || 'agent').trim() || 'agent'}_copy`;
+    const existingNames = new Set((agents || []).map((agent) => String(agent.name || '').trim().toLowerCase()));
+    if (!existingNames.has(baseName.toLowerCase())) {
+        return baseName;
+    }
+
+    let suffix = 2;
+    while (existingNames.has(`${baseName}_${suffix}`.toLowerCase())) {
+        suffix += 1;
+    }
+    return `${baseName}_${suffix}`;
+}
+
+function duplicateAgent(agent) {
+    const duplicate = JSON.parse(JSON.stringify(agent || {}));
+    delete duplicate.id;
+    duplicate.name = makeAgentCopyName(agent?.name || 'agent');
+    duplicate.display_name = `${agent?.display_name || agent?.name || 'Agent'} Copy`;
+    openAgentModal(duplicate);
+    if (window.agentModalStepper) {
+        window.agentModalStepper.isEditMode = false;
+        window.agentModalStepper.originalAgent = null;
+        const title = document.getElementById('agentModalLabel');
+        if (title) {
+            title.textContent = 'Add Agent';
+        }
+    }
+    window.editingAgentIndex = null;
+    window.editingAgentName = null;
+}
+
+function governAgent(agent) {
+    const agentId = String(agent?.id || '').trim();
+    if (!agentId) {
+        showToast('This agent does not have a stable ID for governance.', 'warning');
+        return;
+    }
+    if (typeof window.openGovernanceDelegatedItemEditor === 'function') {
+        window.openGovernanceDelegatedItemEditor({
+            entityType: 'global_agent',
+            itemId: agentId,
+            resourceLabel: agent.display_name || agent.name || agentId,
+        });
+    } else {
+        showToast('Governance editor is still loading. Try again in a moment.', 'warning');
+    }
+}
+
 // Utility: Show agent modal error
 function showAgentModalError(msg) {
     const errDiv = document.getElementById('agent-modal-error');
@@ -290,6 +339,8 @@ function renderAgentsTable() {
             <td>${selectedBadge}</td>
             <td>
                 <button type="button" class="btn btn-sm btn-secondary edit-agent-btn" data-index="${idx}">Edit</button>
+                <button type="button" class="btn btn-sm btn-outline-info govern-agent-btn" data-index="${idx}">Govern</button>
+                <button type="button" class="btn btn-sm btn-outline-secondary duplicate-agent-btn" data-index="${idx}">Duplicate</button>
                 <button type="button" class="btn btn-sm btn-danger delete-agent-btn" data-index="${idx}" ${isSelected ? 'disabled' : ''}>Delete</button>
             </td>
         `;
@@ -316,6 +367,16 @@ function handleAgentTableClick(e) {
                 deleteAgent(idx);
             }
         }
+    } else if (e.target.classList.contains('govern-agent-btn')) {
+        const idx = parseInt(e.target.getAttribute('data-index'), 10);
+        if (!isNaN(idx) && Array.isArray(agents)) {
+            governAgent(agents[idx]);
+        }
+    } else if (e.target.classList.contains('duplicate-agent-btn')) {
+        const idx = parseInt(e.target.getAttribute('data-index'), 10);
+        if (!isNaN(idx) && Array.isArray(agents)) {
+            duplicateAgent(agents[idx]);
+        }
     }
 }
 
diff --git a/application/single_app/static/js/admin/admin_governance.js b/application/single_app/static/js/admin/admin_governance.js
index 49a0ee7a6..bbd0d7f94 100644
--- a/application/single_app/static/js/admin/admin_governance.js
+++ b/application/single_app/static/js/admin/admin_governance.js
@@ -13,22 +13,34 @@ const GOVERNANCE_FEATURE_LABELS = {
 };
 
 const GOVERNANCE_ITEM_ENTITY_LABELS = {
-    endpoint: 'Endpoint',
+    global_endpoint: 'Global Endpoint',
     global_agent: 'Global Agent',
     global_action: 'Global Action',
 };
 
 const GOVERNANCE_ITEM_LOOKUP_HINTS = {
-    endpoint: 'Select an endpoint configured in Admin Settings.',
+    global_endpoint: 'Select an endpoint configured in Admin Settings.',
     global_agent: 'Select a global agent available for delegation.',
     global_action: 'Select a global action available for delegation.',
 };
 
+const GOVERNANCE_PRIMARY_TOGGLE_MAP = {
+    governance_user_endpoints: 'toggle-allow-user-custom-endpoints',
+    governance_group_endpoints: 'toggle-allow-group-custom-endpoints',
+    governance_user_agents: 'toggle-allow-user-agents',
+    governance_group_agents: 'toggle-allow-group-agents',
+    governance_global_agents_usage: 'toggle-enable-agents-agents',
+    governance_user_actions: 'toggle-allow-user-plugins',
+    governance_group_actions: 'toggle-allow-group-plugins',
+    governance_global_actions_usage: 'toggle-enable-agents-agents',
+};
+
 const GOVERNANCE_ALLOWLIST_PAGE_SIZE_DEFAULT = 50;
 const GOVERNANCE_ALLOWLIST_PAGE_SIZES = [10, 25, 50, 100];
 const GOVERNANCE_ALLOWLIST_TRUNCATE_ID_LENGTH = 35;
 
 const GOVERNANCE_ITEM_REVIEW_DEFAULT_PAGE_SIZE = 25;
+const GOVERNANCE_ITEM_EDITOR_PAGE_SIZE_DEFAULT = 50;
 
 const governanceItemReviewState = {
     search: '',
@@ -37,13 +49,13 @@ const governanceItemReviewState = {
     perPage: GOVERNANCE_ITEM_REVIEW_DEFAULT_PAGE_SIZE,
 };
 
-let governanceItemReviewModal = null;
 let governanceAllowListEditorModal = null;
 let governanceAllowListEditorContext = null;
 let governanceItemPolicyDeleteModal = null;
 let governanceItemPolicyDeleteContext = null;
+let governanceItemPolicyEditorModal = null;
 const governanceItemLookupState = {
-    endpoint: [],
+    global_endpoint: [],
     global_agent: [],
     global_action: [],
 };
@@ -61,6 +73,19 @@ const governanceAllowListSelectionViewState = {
     },
 };
 
+const governanceItemEditorSelectionViewState = {
+    users: {
+        search: '',
+        page: 1,
+        pageSize: GOVERNANCE_ITEM_EDITOR_PAGE_SIZE_DEFAULT,
+    },
+    groups: {
+        search: '',
+        page: 1,
+        pageSize: GOVERNANCE_ITEM_EDITOR_PAGE_SIZE_DEFAULT,
+    },
+};
+
 const governanceAllowListDisplayNameCache = {
     users: {},
     groups: {},
@@ -156,6 +181,28 @@ function getItemIdInput() {
     return document.getElementById('governance-item-id');
 }
 
+function getItemPolicyIdInput() {
+    return document.getElementById('governance-item-policy-id');
+}
+
+function getItemPolicyNameInput() {
+    return document.getElementById('governance-item-policy-name');
+}
+
+function getItemResourceLabelInput() {
+    return document.getElementById('governance-item-resource-label');
+}
+
+function getItemLookupFilterInput() {
+    return document.getElementById('governance-item-id-filter');
+}
+
+function buildDefaultItemPolicyName(entityType, itemId, resourceLabel = '') {
+    const label = String(resourceLabel || itemId || 'Resource').trim();
+    const entityLabel = buildItemPolicyEntityLabel(entityType) || 'Delegated Item';
+    return `${label} ${entityLabel} Policy`;
+}
+
 function setGovernanceItemLookupStatus(message, level = 'muted') {
     const status = document.getElementById('governance-item-id-status');
     if (!status) {
@@ -264,7 +311,7 @@ async function fetchAdminGlobalActionLookupOptions() {
 }
 
 async function loadGovernanceItemLookup(entityType, forceReload = false) {
-    const normalizedEntityType = String(entityType || '').trim();
+    const normalizedEntityType = normalizeGovernanceItemEntityType(entityType);
     if (!normalizedEntityType) {
         return [];
     }
@@ -273,9 +320,9 @@ async function loadGovernanceItemLookup(entityType, forceReload = false) {
         return governanceItemLookupState[normalizedEntityType];
     }
 
-    if (normalizedEntityType === 'endpoint') {
-        governanceItemLookupState.endpoint = getAdminEndpointLookupOptionsFromWindow();
-        return governanceItemLookupState.endpoint;
+    if (normalizedEntityType === 'global_endpoint') {
+        governanceItemLookupState.global_endpoint = getAdminEndpointLookupOptionsFromWindow();
+        return governanceItemLookupState.global_endpoint;
     }
     if (normalizedEntityType === 'global_agent') {
         governanceItemLookupState.global_agent = await fetchAdminGlobalAgentLookupOptions();
@@ -297,19 +344,26 @@ function renderGovernanceItemLookupOptions(entityType, preferredValue = '') {
 
     const options = Array.isArray(governanceItemLookupState[entityType]) ? governanceItemLookupState[entityType] : [];
     const currentValue = String(preferredValue || '').trim();
+    const filterValue = String(getItemLookupFilterInput()?.value || '').trim().toLowerCase();
+    const visibleOptions = filterValue
+        ? options.filter((option) => {
+            const optionText = `${option.value || ''} ${option.label || ''} ${option.subtitle || ''}`.toLowerCase();
+            return optionText.includes(filterValue);
+        })
+        : options;
 
     itemIdInput.innerHTML = '';
 
     const placeholder = document.createElement('option');
     placeholder.value = '';
-    placeholder.textContent = options.length > 0 ? 'Select an item' : 'No items available';
+    placeholder.textContent = visibleOptions.length > 0 ? 'Select an item' : 'No items available';
     itemIdInput.appendChild(placeholder);
 
-    options.forEach((option) => {
+    visibleOptions.forEach((option) => {
         itemIdInput.appendChild(buildGovernanceItemLookupOption(option));
     });
 
-    if (currentValue && options.some((option) => option.value === currentValue)) {
+    if (currentValue && visibleOptions.some((option) => option.value === currentValue)) {
         itemIdInput.value = currentValue;
     } else {
         itemIdInput.value = '';
@@ -317,7 +371,8 @@ function renderGovernanceItemLookupOptions(entityType, preferredValue = '') {
 
     const hint = GOVERNANCE_ITEM_LOOKUP_HINTS[entityType] || 'Select a delegated item.';
     if (options.length > 0) {
-        setGovernanceItemLookupStatus(`${hint} Loaded ${options.length} item${options.length === 1 ? '' : 's'}.`, 'muted');
+        const filterSummary = filterValue ? ` Showing ${visibleOptions.length} of ${options.length}.` : '';
+        setGovernanceItemLookupStatus(`${hint} Loaded ${options.length} item${options.length === 1 ? '' : 's'}.${filterSummary}`, 'muted');
     } else {
         setGovernanceItemLookupStatus(`${hint} No items found for this type.`, 'warning');
     }
@@ -389,7 +444,6 @@ function applyFeatureAllowAllUiState(row) {
 
 function applyItemAllowAllUiState() {
     const allowAllInput = getItemAllowAllInput();
-    const editButton = document.getElementById('governance-edit-item-allowlist-btn');
     const allowedPrincipalsControls = document.getElementById('governance-item-allowed-principals-controls');
     const usersInput = getItemUsersInput();
     const groupsInput = getItemGroupsInput();
@@ -402,15 +456,12 @@ function applyItemAllowAllUiState() {
         groupsInput.value = '';
     }
 
-    if (editButton) {
-        editButton.disabled = allowAllInput.checked;
-    }
-
     if (allowedPrincipalsControls) {
         allowedPrincipalsControls.classList.toggle('d-none', allowAllInput.checked);
     }
 
     updateItemAllowListSummary();
+    renderGovernanceItemEditorSelections();
 }
 
 async function governanceLookupUsers(query) {
@@ -452,7 +503,13 @@ window.governancePrincipalLookup = {
 };
 
 function buildItemPolicyEntityLabel(entityType) {
-    return GOVERNANCE_ITEM_ENTITY_LABELS[entityType] || entityType || '';
+    const normalizedEntityType = normalizeGovernanceItemEntityType(entityType);
+    return GOVERNANCE_ITEM_ENTITY_LABELS[normalizedEntityType] || normalizedEntityType || '';
+}
+
+function normalizeGovernanceItemEntityType(entityType) {
+    const normalizedEntityType = String(entityType || '').trim();
+    return normalizedEntityType === 'endpoint' ? 'global_endpoint' : normalizedEntityType;
 }
 
 function mapGovernanceLevelToToastVariant(level = 'info') {
@@ -540,6 +597,35 @@ function getGovernanceFeatureToggle(featureKey) {
     return toggle instanceof HTMLInputElement ? toggle : null;
 }
 
+function isGovernanceFeatureApplicable(featureKey) {
+    if (featureKey === 'governance_global_endpoints') {
+        return true;
+    }
+
+    const primaryToggleId = GOVERNANCE_PRIMARY_TOGGLE_MAP[featureKey];
+    if (!primaryToggleId) {
+        return true;
+    }
+
+    const primaryToggle = document.getElementById(primaryToggleId);
+    if (!(primaryToggle instanceof HTMLInputElement)) {
+        return true;
+    }
+
+    return primaryToggle.checked;
+}
+
+function syncGovernanceFeatureToggleVisibility() {
+    Object.keys(GOVERNANCE_FEATURE_LABELS).forEach((featureKey) => {
+        const featureToggle = getGovernanceFeatureToggle(featureKey);
+        const wrapper = featureToggle?.closest('.form-check');
+        if (!wrapper) {
+            return;
+        }
+        wrapper.classList.toggle('d-none', !isGovernanceFeatureApplicable(featureKey));
+    });
+}
+
 function syncGovernanceFeaturePolicyRowVisibility(row) {
     const featureKey = String(row?.dataset?.featureKey || '').trim();
     if (!row || !featureKey) {
@@ -547,11 +633,12 @@ function syncGovernanceFeaturePolicyRowVisibility(row) {
     }
 
     const featureToggle = getGovernanceFeatureToggle(featureKey);
-    const shouldShow = !featureToggle || featureToggle.checked;
+    const shouldShow = isGovernanceFeatureApplicable(featureKey) && (!featureToggle || featureToggle.checked);
     row.classList.toggle('d-none', !shouldShow);
 }
 
 function syncGovernanceFeaturePolicyVisibility() {
+    syncGovernanceFeatureToggleVisibility();
     Array.from(document.querySelectorAll('#governance-feature-policies-body tr')).forEach((row) => {
         syncGovernanceFeaturePolicyRowVisibility(row);
     });
@@ -683,17 +770,31 @@ async function saveFeaturePolicies() {
 function buildItemPolicyRow(policy) {
     const row = document.createElement('tr');
 
+    const policyCell = document.createElement('td');
     const entityTypeCell = document.createElement('td');
-    const entityType = String(policy.entity_type || '');
+    const entityType = normalizeGovernanceItemEntityType(policy.entity_type);
     const itemId = String(policy.item_id || '');
+    const policyId = String(policy.policy_id || '');
+    const resourceLabel = String(policy.resource_label || '').trim();
+    const policyName = String(policy.policy_name || '').trim() || buildDefaultItemPolicyName(entityType, itemId, resourceLabel);
     const allowAll = Boolean(policy.allow_all);
     const allowedUsers = Array.isArray(policy.allowed_users) ? policy.allowed_users : [];
     const allowedGroups = Array.isArray(policy.allowed_groups) ? policy.allowed_groups : [];
 
+    const policyNameEl = document.createElement('div');
+    policyNameEl.className = 'fw-semibold';
+    policyNameEl.textContent = policyName;
+    policyCell.appendChild(policyNameEl);
+
+    policyCell.title = policyId ? `Policy ID: ${policyId}` : policyName;
+
     entityTypeCell.textContent = buildItemPolicyEntityLabel(entityType);
 
     const itemIdCell = document.createElement('td');
-    itemIdCell.textContent = itemId;
+    const itemLabelEl = document.createElement('div');
+    itemLabelEl.textContent = resourceLabel || itemId;
+    itemLabelEl.title = itemId;
+    itemIdCell.appendChild(itemLabelEl);
 
     const allowAllCell = document.createElement('td');
     allowAllCell.textContent = allowAll ? 'Yes' : 'No';
@@ -712,6 +813,9 @@ function buildItemPolicyRow(policy) {
     editButton.textContent = 'Edit';
     editButton.dataset.entityType = entityType;
     editButton.dataset.itemId = itemId;
+    editButton.dataset.policyId = policyId;
+    editButton.dataset.policyName = policyName;
+    editButton.dataset.resourceLabel = resourceLabel;
     editButton.dataset.allowAll = allowAll ? 'true' : 'false';
     editButton.dataset.allowedUsers = JSON.stringify(allowedUsers);
     editButton.dataset.allowedGroups = JSON.stringify(allowedGroups);
@@ -723,8 +827,11 @@ function buildItemPolicyRow(policy) {
     deleteButton.textContent = 'Delete';
     deleteButton.dataset.entityType = entityType;
     deleteButton.dataset.itemId = itemId;
+    deleteButton.dataset.policyId = policyId;
+    deleteButton.dataset.policyName = policyName;
     actionsCell.appendChild(deleteButton);
 
+    row.appendChild(policyCell);
     row.appendChild(entityTypeCell);
     row.appendChild(itemIdCell);
     row.appendChild(allowAllCell);
@@ -772,118 +879,977 @@ function renderGovernancePrincipalReviewCell(cell, listType, ids, hydrateMissing
             missingIds.push(idValue);
         }
 
-        cell.appendChild(wrapper);
-    });
+        cell.appendChild(wrapper);
+    });
+
+    if (hydrateMissing && missingIds.length > 0) {
+        void hydrateGovernanceDisplayNames(listType, missingIds).then(() => {
+            renderGovernancePrincipalReviewCell(cell, listType, normalizedIds, false);
+        }).catch(() => {
+            renderGovernancePrincipalReviewCell(cell, listType, normalizedIds, false);
+        });
+    }
+}
+
+function parseGovernancePrincipalDataset(value) {
+    try {
+        const parsed = JSON.parse(value || '[]');
+        return uniquePrincipalList(Array.isArray(parsed) ? parsed : []);
+    } catch (error) {
+        return [];
+    }
+}
+
+function ensureGovernanceItemIdOption(itemIdInput, itemId, label = '') {
+    const normalizedItemId = String(itemId || '').trim();
+    if (!itemIdInput || !normalizedItemId) {
+        return;
+    }
+
+    const hasOption = Array.from(itemIdInput.options || []).some((option) => option.value === normalizedItemId);
+    if (!hasOption) {
+        const option = document.createElement('option');
+        option.value = normalizedItemId;
+        option.textContent = label ? `${label} (${truncateGovernanceId(normalizedItemId)})` : normalizedItemId;
+        itemIdInput.appendChild(option);
+    }
+    itemIdInput.value = normalizedItemId;
+}
+
+function resetGovernanceItemEditorSelectionViewState() {
+    governanceItemEditorSelectionViewState.users.search = '';
+    governanceItemEditorSelectionViewState.users.page = 1;
+    governanceItemEditorSelectionViewState.users.pageSize = GOVERNANCE_ITEM_EDITOR_PAGE_SIZE_DEFAULT;
+
+    governanceItemEditorSelectionViewState.groups.search = '';
+    governanceItemEditorSelectionViewState.groups.page = 1;
+    governanceItemEditorSelectionViewState.groups.pageSize = GOVERNANCE_ITEM_EDITOR_PAGE_SIZE_DEFAULT;
+}
+
+function syncGovernanceItemEditorSelectionControls() {
+    const userSearchInput = document.getElementById('governance-item-selected-user-search');
+    const userPageSizeSelect = document.getElementById('governance-item-selected-user-page-size');
+    const groupSearchInput = document.getElementById('governance-item-selected-group-search');
+    const groupPageSizeSelect = document.getElementById('governance-item-selected-group-page-size');
+
+    if (userSearchInput) {
+        userSearchInput.value = governanceItemEditorSelectionViewState.users.search;
+    }
+    if (userPageSizeSelect) {
+        userPageSizeSelect.value = String(governanceItemEditorSelectionViewState.users.pageSize);
+    }
+    if (groupSearchInput) {
+        groupSearchInput.value = governanceItemEditorSelectionViewState.groups.search;
+    }
+    if (groupPageSizeSelect) {
+        groupPageSizeSelect.value = String(governanceItemEditorSelectionViewState.groups.pageSize);
+    }
+}
+
+function getGovernanceItemEditorSelectedIds(listType) {
+    const input = listType === 'groups' ? getItemGroupsInput() : getItemUsersInput();
+    return splitPrincipalList(input?.value || '');
+}
+
+function setGovernanceItemEditorSelectedIds(listType, values) {
+    const input = listType === 'groups' ? getItemGroupsInput() : getItemUsersInput();
+    if (!input) {
+        return;
+    }
+    input.value = joinPrincipalList(uniquePrincipalList(values));
+    updateItemAllowListSummary();
+    renderGovernanceItemEditorSelections();
+}
+
+function getFilteredGovernanceItemEditorSelectedIds(listType) {
+    const allIds = getGovernanceItemEditorSelectedIds(listType);
+    const state = governanceItemEditorSelectionViewState[listType];
+    const searchValue = String(state?.search || '').trim().toLowerCase();
+    if (!searchValue) {
+        return allIds;
+    }
+    return allIds.filter((value) => {
+        const idText = String(value || '').toLowerCase();
+        const displayName = String(getGovernanceDisplayName(listType, value) || '').toLowerCase();
+        return idText.includes(searchValue) || displayName.includes(searchValue);
+    });
+}
+
+function setGovernanceItemEditorStatus(message, level = 'muted') {
+    const status = document.getElementById('governance-item-editor-status');
+    if (!status) {
+        return;
+    }
+
+    status.classList.remove('text-muted', 'text-success', 'text-warning', 'text-danger');
+    const className = {
+        muted: 'text-muted',
+        success: 'text-success',
+        warning: 'text-warning',
+        danger: 'text-danger',
+    }[level] || 'text-muted';
+    status.classList.add(className);
+    status.textContent = String(message || '');
+}
+
+function renderGovernanceItemEditorSelectedList(options) {
+    const {
+        listType,
+        containerId,
+        checkboxClass,
+        emptyMessage,
+        summaryId,
+        prevButtonId,
+        nextButtonId,
+    } = options;
+
+    const tbody = document.getElementById(containerId);
+    const summary = document.getElementById(summaryId);
+    const prevButton = document.getElementById(prevButtonId);
+    const nextButton = document.getElementById(nextButtonId);
+    const state = governanceItemEditorSelectionViewState[listType];
+
+    if (!tbody || !state) {
+        return;
+    }
+
+    const filteredIds = getFilteredGovernanceItemEditorSelectedIds(listType);
+    const pageSize = normalizeGovernanceAllowListPageSize(state.pageSize);
+    state.pageSize = pageSize;
+    const totalItems = filteredIds.length;
+    const totalPages = Math.max(1, Math.ceil(totalItems / pageSize));
+    state.page = Math.min(Math.max(1, state.page), totalPages);
+    const startIndex = (state.page - 1) * pageSize;
+    const visibleIds = filteredIds.slice(startIndex, startIndex + pageSize);
+
+    tbody.innerHTML = '';
+    if (visibleIds.length === 0) {
+        const row = document.createElement('tr');
+        const cell = document.createElement('td');
+        cell.colSpan = 3;
+        cell.className = 'text-center text-muted';
+        cell.textContent = emptyMessage;
+        row.appendChild(cell);
+        tbody.appendChild(row);
+    } else {
+        visibleIds.forEach((idValue) => {
+            const row = document.createElement('tr');
+
+            const checkCell = document.createElement('td');
+            const checkbox = document.createElement('input');
+            checkbox.type = 'checkbox';
+            checkbox.className = checkboxClass;
+            checkbox.value = idValue;
+            checkCell.appendChild(checkbox);
+
+            const displayName = getGovernanceDisplayName(listType, idValue);
+            const truncatedId = truncateGovernanceId(idValue);
+            const displayText = displayName ? `${displayName} (${truncatedId})` : truncatedId;
+
+            const infoCell = document.createElement('td');
+            infoCell.className = 'small';
+            infoCell.textContent = displayText;
+            infoCell.title = idValue;
+
+            const copyCell = document.createElement('td');
+            copyCell.className = 'text-center';
+            const copyButton = document.createElement('button');
+            copyButton.type = 'button';
+            copyButton.className = 'btn btn-sm btn-link p-0';
+            copyButton.innerHTML = '<i class="bi bi-clipboard"></i>';
+            copyButton.title = 'Copy ID';
+            copyButton.addEventListener('click', (event) => {
+                event.preventDefault();
+                event.stopPropagation();
+                const originalHtml = copyButton.innerHTML;
+                navigator.clipboard.writeText(idValue).then(() => {
+                    copyButton.innerHTML = '<i class="bi bi-check"></i>';
+                    setTimeout(() => {
+                        copyButton.innerHTML = originalHtml;
+                    }, 1500);
+                }).catch(() => {
+                    copyButton.innerHTML = '<i class="bi bi-x"></i>';
+                    setTimeout(() => {
+                        copyButton.innerHTML = originalHtml;
+                    }, 1500);
+                });
+            });
+            copyCell.appendChild(copyButton);
+
+            row.appendChild(checkCell);
+            row.appendChild(infoCell);
+            row.appendChild(copyCell);
+            tbody.appendChild(row);
+        });
+    }
+
+    if (summary) {
+        const viewStart = totalItems === 0 ? 0 : startIndex + 1;
+        const viewEnd = totalItems === 0 ? 0 : Math.min(startIndex + visibleIds.length, totalItems);
+        summary.textContent = `Showing ${viewStart}-${viewEnd} of ${totalItems} selected (${state.page}/${totalPages}).`;
+    }
+
+    if (prevButton) {
+        prevButton.disabled = state.page <= 1 || totalItems === 0;
+    }
+    if (nextButton) {
+        nextButton.disabled = state.page >= totalPages || totalItems === 0;
+    }
+}
+
+function renderGovernanceItemEditorSelections() {
+    const users = getGovernanceItemEditorSelectedIds('users');
+    const groups = getGovernanceItemEditorSelectedIds('groups');
+
+    void hydrateGovernanceDisplayNames('users', users);
+    void hydrateGovernanceDisplayNames('groups', groups);
+
+    renderGovernanceItemEditorSelectedList({
+        listType: 'users',
+        containerId: 'governance-item-selected-users',
+        checkboxClass: 'governance-item-selected-user-checkbox',
+        emptyMessage: 'No users selected.',
+        summaryId: 'governance-item-selected-users-summary',
+        prevButtonId: 'governance-item-selected-users-prev-btn',
+        nextButtonId: 'governance-item-selected-users-next-btn',
+    });
+    renderGovernanceItemEditorSelectedList({
+        listType: 'groups',
+        containerId: 'governance-item-selected-groups',
+        checkboxClass: 'governance-item-selected-group-checkbox',
+        emptyMessage: 'No groups selected.',
+        summaryId: 'governance-item-selected-groups-summary',
+        prevButtonId: 'governance-item-selected-groups-prev-btn',
+        nextButtonId: 'governance-item-selected-groups-next-btn',
+    });
+}
+
+async function openGovernanceItemPolicyEditor(policy = null) {
+    const modalElement = ensureGovernanceItemPolicyEditorModal();
+    if (!modalElement) {
+        return;
+    }
+
+    const title = document.getElementById('governance-item-policy-editor-title');
+    const policyIdInput = getItemPolicyIdInput();
+    const policyNameInput = getItemPolicyNameInput();
+    const resourceLabelInput = getItemResourceLabelInput();
+    const entityTypeInput = getItemEntityTypeInput();
+    const itemIdInput = getItemIdInput();
+    const itemFilterInput = getItemLookupFilterInput();
+    const allowAllInput = getItemAllowAllInput();
+    const usersInput = getItemUsersInput();
+    const groupsInput = getItemGroupsInput();
+
+    if (!entityTypeInput || !itemIdInput || !allowAllInput || !usersInput || !groupsInput) {
+        return;
+    }
+
+    const entityType = normalizeGovernanceItemEntityType(policy?.entity_type) || 'global_agent';
+    const itemId = String(policy?.item_id || '').trim();
+    const resourceLabel = String(policy?.resource_label || '').trim();
+    const policyName = String(policy?.policy_name || '').trim() || buildDefaultItemPolicyName(entityType, itemId, resourceLabel);
+
+    if (title) {
+        title.textContent = policy?.policy_id ? 'Edit Delegated Item Policy' : 'New Delegated Item Policy';
+    }
+    if (itemFilterInput) {
+        itemFilterInput.value = '';
+    }
+
+    entityTypeInput.value = entityType;
+    if (policyIdInput) {
+        policyIdInput.value = String(policy?.policy_id || '').trim();
+    }
+    if (policyNameInput) {
+        policyNameInput.value = policyName;
+    }
+    if (resourceLabelInput) {
+        resourceLabelInput.value = resourceLabel;
+    }
+    resetGovernanceItemEditorSelectionViewState();
+    syncGovernanceItemEditorSelectionControls();
+    renderGovernanceItemEditorUserResults([]);
+    renderGovernanceItemEditorGroupResults([]);
+    setGovernanceItemEditorStatus('');
+
+    await refreshGovernanceItemLookup(entityType, false, itemId);
+    ensureGovernanceItemIdOption(itemIdInput, itemId, resourceLabel);
+
+    allowAllInput.checked = policy ? Boolean(policy.allow_all) : true;
+    usersInput.value = joinPrincipalList(policy?.allowed_users || []);
+    groupsInput.value = joinPrincipalList(policy?.allowed_groups || []);
+
+    applyItemAllowAllUiState();
+    governanceItemPolicyEditorModal?.show();
+    itemIdInput.focus();
+}
+
+async function openGovernanceDelegatedItemEditorFromResource(options = {}) {
+    const entityType = normalizeGovernanceItemEntityType(options.entityType || options.entity_type || '');
+    const itemId = String(options.itemId || options.item_id || '').trim();
+    const resourceLabel = String(options.resourceLabel || options.resource_label || '').trim();
+    const policyName = String(options.policyName || options.policy_name || '').trim() || buildDefaultItemPolicyName(entityType, itemId, resourceLabel);
+
+    if (!entityType || !itemId) {
+        setGovernanceStatus('Unable to open delegated item policy editor without a resource ID.', 'warning');
+        return;
+    }
+
+    if (typeof window.openAdminSettingsTab === 'function') {
+        window.openAdminSettingsTab('#governance');
+    }
+
+    await openGovernanceItemPolicyEditor({
+        entity_type: entityType,
+        item_id: itemId,
+        policy_name: policyName,
+        resource_label: resourceLabel,
+        allow_all: true,
+        allowed_users: [],
+        allowed_groups: [],
+    });
+}
+
+window.openGovernanceDelegatedItemEditor = openGovernanceDelegatedItemEditorFromResource;
+
+function ensureGovernanceItemPolicyEditorModal() {
+    let modalElement = document.getElementById('governance-item-policy-editor-modal');
+    if (!modalElement) {
+        const modalMarkup = `
+            <div class="modal fade" id="governance-item-policy-editor-modal" tabindex="-1" aria-hidden="true">
+                <div class="modal-dialog modal-xl modal-dialog-scrollable">
+                    <div class="modal-content">
+                        <div class="modal-header">
+                            <div>
+                                <h5 class="modal-title mb-1" id="governance-item-policy-editor-title">Edit Delegated Item Policy</h5>
+                                <div class="small text-muted">Choose the delegated item, then search or bulk-load allowed users and groups.</div>
+                            </div>
+                            <button type="button" class="btn-close" data-bs-dismiss="modal" aria-label="Close"></button>
+                        </div>
+                        <div class="modal-body">
+                            <div class="alert alert-info py-2 small" role="alert">
+                                Delegated item policies are OR combined whitelists. Membership in any policy for this item grants access after the matching feature policy passes.
+                            </div>
+                            <div class="row g-3 mb-3">
+                                <div class="col-lg-8">
+                                    <label class="form-label" for="governance-item-policy-name">Policy Name</label>
+                                    <input type="text" class="form-control" id="governance-item-policy-name" placeholder="Friendly name for this whitelist">
+                                </div>
+                                <div class="col-lg-4">
+                                    <label class="form-label" for="governance-item-resource-label">Resource Label</label>
+                                    <input type="text" class="form-control" id="governance-item-resource-label" placeholder="Shown in the policy list" readonly>
+                                </div>
+                            </div>
+                            <div class="row g-3 align-items-start">
+                                <div class="col-lg-3 col-md-4">
+                                    <label class="form-label" for="governance-item-entity-type">Entity Type</label>
+                                    <select class="form-select" id="governance-item-entity-type">
+                                        <option value="global_agent" selected>Global Agent</option>
+                                        <option value="global_action">Global Action</option>
+                                        <option value="global_endpoint">Global Endpoint</option>
+                                    </select>
+                                </div>
+                                <div class="col-lg-6 col-md-8">
+                                    <label class="form-label" for="governance-item-id-filter">Delegated Item</label>
+                                    <input type="search" class="form-control mb-2" id="governance-item-id-filter" placeholder="Filter delegated items by name or ID">
+                                    <div class="input-group">
+                                        <select class="form-select" id="governance-item-id">
+                                            <option value="">Loading items...</option>
+                                        </select>
+                                        <button type="button" class="btn btn-outline-secondary" id="governance-item-id-refresh-btn" title="Refresh lookup" aria-label="Refresh delegated item lookup">
+                                            <i class="bi bi-arrow-clockwise"></i>
+                                        </button>
+                                    </div>
+                                    <div class="form-text" id="governance-item-id-status">Choose an entity type to load available delegated items.</div>
+                                </div>
+                                <div class="col-lg-3 col-md-4">
+                                    <label class="form-label" for="governance-item-allow-all">Access</label>
+                                    <div class="border rounded px-3 py-2 bg-body h-100 d-flex align-items-center">
+                                        <div class="form-check form-switch mb-0">
+                                            <input class="form-check-input" type="checkbox" role="switch" id="governance-item-allow-all" checked>
+                                            <label class="form-check-label ms-2" for="governance-item-allow-all">Allow All</label>
+                                        </div>
+                                    </div>
+                                </div>
+                            </div>
+
+                            <div class="mt-3">
+                                <label class="form-label" for="governance-item-allowlist-summary">Allowed Principals</label>
+                                <input type="text" class="form-control" id="governance-item-allowlist-summary" placeholder="No explicit users or groups configured" readonly>
+                            </div>
+
+                            <div class="mt-3 pt-3 border-top d-none" id="governance-item-allowed-principals-controls">
+                                <div class="row g-3">
+                                    <div class="col-lg-6">
+                                        <h6 class="mb-2">User Lookup</h6>
+                                        <div class="input-group mb-2">
+                                            <input type="search" class="form-control" id="governance-item-user-search" placeholder="Search users by name or email">
+                                            <button type="button" class="btn btn-outline-primary" id="governance-item-user-search-btn">Search</button>
+                                        </div>
+                                        <div class="table-responsive border rounded">
+                                            <table class="table table-sm align-middle mb-0">
+                                                <thead>
+                                                    <tr>
+                                                        <th style="width: 40px;"><input type="checkbox" id="governance-item-select-all-user-results"></th>
+                                                        <th>User</th>
+                                                        <th>Email</th>
+                                                    </tr>
+                                                </thead>
+                                                <tbody id="governance-item-user-results"></tbody>
+                                            </table>
+                                        </div>
+                                        <div class="d-flex justify-content-end mt-2">
+                                            <button type="button" class="btn btn-sm btn-primary" id="governance-item-add-selected-users-btn">Add Selected Users</button>
+                                        </div>
+                                    </div>
+
+                                    <div class="col-lg-6">
+                                        <h6 class="mb-2">Group Lookup</h6>
+                                        <div class="input-group mb-2">
+                                            <input type="search" class="form-control" id="governance-item-group-search" placeholder="Search groups by name">
+                                            <button type="button" class="btn btn-outline-primary" id="governance-item-group-search-btn">Search</button>
+                                        </div>
+                                        <div class="table-responsive border rounded">
+                                            <table class="table table-sm align-middle mb-0">
+                                                <thead>
+                                                    <tr>
+                                                        <th style="width: 40px;"><input type="checkbox" id="governance-item-select-all-group-results"></th>
+                                                        <th>Group</th>
+                                                        <th>Group ID</th>
+                                                    </tr>
+                                                </thead>
+                                                <tbody id="governance-item-group-results"></tbody>
+                                            </table>
+                                        </div>
+                                        <div class="d-flex justify-content-end mt-2">
+                                            <button type="button" class="btn btn-sm btn-primary" id="governance-item-add-selected-groups-btn">Add Selected Groups</button>
+                                        </div>
+                                    </div>
+                                </div>
+
+                                <hr>
+
+                                <div class="row g-3">
+                                    <div class="col-lg-6">
+                                        <h6 class="mb-2">Selected Users</h6>
+                                        <div class="row g-2 align-items-end mb-2">
+                                            <div class="col-8">
+                                                <label class="form-label small mb-1" for="governance-item-selected-user-search">Find in Selected Users</label>
+                                                <input type="search" class="form-control form-control-sm" id="governance-item-selected-user-search" placeholder="Filter by user ID or email">
+                                            </div>
+                                            <div class="col-4">
+                                                <label class="form-label small mb-1" for="governance-item-selected-user-page-size">Page Size</label>
+                                                <select class="form-select form-select-sm" id="governance-item-selected-user-page-size">
+                                                    <option value="10">10</option>
+                                                    <option value="25">25</option>
+                                                    <option value="50" selected>50</option>
+                                                    <option value="100">100</option>
+                                                </select>
+                                            </div>
+                                        </div>
+                                        <div class="table-responsive border rounded" style="max-height: 260px; overflow-y: auto;">
+                                            <table class="table table-sm align-middle mb-0">
+                                                <thead>
+                                                    <tr>
+                                                        <th style="width: 40px;"><input type="checkbox" id="governance-item-select-all-selected-users"></th>
+                                                        <th>User</th>
+                                                        <th style="width: 40px;"></th>
+                                                    </tr>
+                                                </thead>
+                                                <tbody id="governance-item-selected-users"></tbody>
+                                            </table>
+                                        </div>
+                                        <div class="d-flex align-items-center justify-content-between mt-2">
+                                            <div class="small text-muted" id="governance-item-selected-users-summary"></div>
+                                            <div class="btn-group btn-group-sm" role="group" aria-label="Selected item users pagination">
+                                                <button type="button" class="btn btn-outline-secondary" id="governance-item-selected-users-prev-btn">Previous</button>
+                                                <button type="button" class="btn btn-outline-secondary" id="governance-item-selected-users-next-btn">Next</button>
+                                            </div>
+                                        </div>
+                                        <div class="d-flex justify-content-end mt-2 gap-2">
+                                            <button type="button" class="btn btn-sm btn-outline-danger" id="governance-item-remove-selected-users-btn">Remove Selected</button>
+                                            <button type="button" class="btn btn-sm btn-outline-secondary" id="governance-item-clear-users-btn">Clear Users</button>
+                                        </div>
+                                    </div>
+
+                                    <div class="col-lg-6">
+                                        <h6 class="mb-2">Selected Groups</h6>
+                                        <div class="row g-2 align-items-end mb-2">
+                                            <div class="col-8">
+                                                <label class="form-label small mb-1" for="governance-item-selected-group-search">Find in Selected Groups</label>
+                                                <input type="search" class="form-control form-control-sm" id="governance-item-selected-group-search" placeholder="Filter by group ID or name">
+                                            </div>
+                                            <div class="col-4">
+                                                <label class="form-label small mb-1" for="governance-item-selected-group-page-size">Page Size</label>
+                                                <select class="form-select form-select-sm" id="governance-item-selected-group-page-size">
+                                                    <option value="10">10</option>
+                                                    <option value="25">25</option>
+                                                    <option value="50" selected>50</option>
+                                                    <option value="100">100</option>
+                                                </select>
+                                            </div>
+                                        </div>
+                                        <div class="table-responsive border rounded" style="max-height: 260px; overflow-y: auto;">
+                                            <table class="table table-sm align-middle mb-0">
+                                                <thead>
+                                                    <tr>
+                                                        <th style="width: 40px;"><input type="checkbox" id="governance-item-select-all-selected-groups"></th>
+                                                        <th>Group</th>
+                                                        <th style="width: 40px;"></th>
+                                                    </tr>
+                                                </thead>
+                                                <tbody id="governance-item-selected-groups"></tbody>
+                                            </table>
+                                        </div>
+                                        <div class="d-flex align-items-center justify-content-between mt-2">
+                                            <div class="small text-muted" id="governance-item-selected-groups-summary"></div>
+                                            <div class="btn-group btn-group-sm" role="group" aria-label="Selected item groups pagination">
+                                                <button type="button" class="btn btn-outline-secondary" id="governance-item-selected-groups-prev-btn">Previous</button>
+                                                <button type="button" class="btn btn-outline-secondary" id="governance-item-selected-groups-next-btn">Next</button>
+                                            </div>
+                                        </div>
+                                        <div class="d-flex justify-content-end mt-2 gap-2">
+                                            <button type="button" class="btn btn-sm btn-outline-danger" id="governance-item-remove-selected-groups-btn">Remove Selected</button>
+                                            <button type="button" class="btn btn-sm btn-outline-secondary" id="governance-item-clear-groups-btn">Clear Groups</button>
+                                        </div>
+                                    </div>
+                                </div>
+
+                                <hr>
+
+                                <div>
+                                    <h6 class="mb-2">CSV Import</h6>
+                                    <div class="row g-2 align-items-end">
+                                        <div class="col-md-3">
+                                            <label class="form-label" for="governance-item-csv-target">Target</label>
+                                            <select class="form-select" id="governance-item-csv-target">
+                                                <option value="users">Users</option>
+                                                <option value="groups">Groups</option>
+                                            </select>
+                                        </div>
+                                        <div class="col-md-3">
+                                            <label class="form-label" for="governance-item-csv-mode">Mode</label>
+                                            <select class="form-select" id="governance-item-csv-mode">
+                                                <option value="merge">Merge</option>
+                                                <option value="replace">Replace</option>
+                                            </select>
+                                        </div>
+                                        <div class="col-md-6 d-grid">
+                                            <button type="button" class="btn btn-outline-primary" id="governance-item-csv-apply-btn">Apply CSV</button>
+                                        </div>
+                                    </div>
+                                    <textarea class="form-control mt-2" id="governance-item-csv-input" rows="4" placeholder="Paste one ID per line or comma-separated IDs"></textarea>
+                                    <div class="form-text">Use this for quick bulk updates when IDs are already known.</div>
+                                </div>
+                            </div>
+
+                            <div class="small text-muted mt-3" id="governance-item-editor-status"></div>
+
+                            <div class="d-none" aria-hidden="true">
+                                <input type="text" class="form-control" id="governance-item-policy-id">
+                                <input type="text" class="form-control" id="governance-item-users">
+                                <input type="text" class="form-control" id="governance-item-groups">
+                            </div>
+                        </div>
+                        <div class="modal-footer">
+                            <button type="button" class="btn btn-secondary" data-bs-dismiss="modal">Cancel</button>
+                            <button type="button" class="btn btn-primary" id="governance-save-item-policy-btn">Save Item Policy</button>
+                        </div>
+                    </div>
+                </div>
+            </div>
+        `;
+
+        const wrapper = document.createElement('div');
+        wrapper.innerHTML = modalMarkup.trim();
+        modalElement = wrapper.firstElementChild;
+        document.body.appendChild(modalElement);
+    }
+
+    if (!governanceItemPolicyEditorModal) {
+        governanceItemPolicyEditorModal = bootstrap.Modal.getOrCreateInstance(modalElement);
+    }
+
+    if (!modalElement.dataset.wired) {
+        modalElement.dataset.wired = 'true';
+        wireGovernanceItemPolicyEditorHandlers(modalElement);
+    }
+
+    return modalElement;
+}
+
+function renderGovernanceItemEditorUserResults(users) {
+    const tbody = document.getElementById('governance-item-user-results');
+    if (!tbody) {
+        return;
+    }
+
+    tbody.innerHTML = '';
+    if (!Array.isArray(users) || users.length === 0) {
+        const row = document.createElement('tr');
+        const cell = document.createElement('td');
+        cell.colSpan = 3;
+        cell.className = 'text-center text-muted';
+        cell.textContent = 'No users found.';
+        row.appendChild(cell);
+        tbody.appendChild(row);
+        return;
+    }
+
+    users.forEach((user) => {
+        const userId = String(user.id || '').trim();
+        const upn = String(user.userPrincipalName || user.mail || user.email || '').trim();
+        const displayName = String(user.displayName || upn || '(no name)').trim();
+        const userLabel = buildGovernanceUserLabel(user);
+
+        if (userId && userLabel) {
+            setGovernanceDisplayName('users', userId, userLabel);
+        }
+
+        const row = document.createElement('tr');
+
+        const selectCell = document.createElement('td');
+        const checkbox = document.createElement('input');
+        checkbox.type = 'checkbox';
+        checkbox.className = 'governance-item-user-result-checkbox';
+        checkbox.value = userId;
+        checkbox.dataset.displayLabel = userLabel;
+        selectCell.appendChild(checkbox);
+
+        const userCell = document.createElement('td');
+        userCell.textContent = displayName;
+
+        const emailCell = document.createElement('td');
+        emailCell.textContent = upn;
+
+        row.appendChild(selectCell);
+        row.appendChild(userCell);
+        row.appendChild(emailCell);
+        tbody.appendChild(row);
+    });
+}
+
+function renderGovernanceItemEditorGroupResults(groups) {
+    const tbody = document.getElementById('governance-item-group-results');
+    if (!tbody) {
+        return;
+    }
+
+    tbody.innerHTML = '';
+    if (!Array.isArray(groups) || groups.length === 0) {
+        const row = document.createElement('tr');
+        const cell = document.createElement('td');
+        cell.colSpan = 3;
+        cell.className = 'text-center text-muted';
+        cell.textContent = 'No groups found.';
+        row.appendChild(cell);
+        tbody.appendChild(row);
+        return;
+    }
+
+    groups.forEach((group) => {
+        const groupId = String(group.id || '').trim();
+        const groupName = String(group.name || 'Unnamed Group');
+
+        if (groupId && groupName) {
+            setGovernanceDisplayName('groups', groupId, groupName);
+        }
+
+        const row = document.createElement('tr');
+
+        const selectCell = document.createElement('td');
+        const checkbox = document.createElement('input');
+        checkbox.type = 'checkbox';
+        checkbox.className = 'governance-item-group-result-checkbox';
+        checkbox.value = groupId;
+        checkbox.dataset.displayLabel = groupName;
+        selectCell.appendChild(checkbox);
+
+        const nameCell = document.createElement('td');
+        nameCell.textContent = groupName;
+
+        const idCell = document.createElement('td');
+        idCell.textContent = groupId;
+
+        row.appendChild(selectCell);
+        row.appendChild(nameCell);
+        row.appendChild(idCell);
+        tbody.appendChild(row);
+    });
+}
+
+async function loadGovernanceItemEditorUserResults() {
+    const searchInput = document.getElementById('governance-item-user-search');
+    const query = String(searchInput?.value || '').trim();
+    if (!query) {
+        setGovernanceItemEditorStatus('Enter a user search term.', 'warning');
+        renderGovernanceItemEditorUserResults([]);
+        return;
+    }
+
+    const users = await governanceLookupUsers(query);
+    renderGovernanceItemEditorUserResults(users);
+    renderGovernanceItemEditorSelections();
+    setGovernanceItemEditorStatus('User results updated.', 'success');
+}
+
+async function loadGovernanceItemEditorGroupResults() {
+    const searchInput = document.getElementById('governance-item-group-search');
+    const query = String(searchInput?.value || '').trim();
+    const groups = await governanceLookupGroups(query);
+    renderGovernanceItemEditorGroupResults(groups);
+    renderGovernanceItemEditorSelections();
+    setGovernanceItemEditorStatus('Group results updated.', 'success');
+}
+
+function wireGovernanceItemPolicyEditorHandlers(modalElement) {
+    const saveButton = modalElement.querySelector('#governance-save-item-policy-btn');
+    if (saveButton) {
+        saveButton.addEventListener('click', async (event) => {
+            clearGovernanceStatus();
+            try {
+                await saveItemPolicy(event);
+            } catch (error) {
+                setGovernanceItemEditorStatus(error.message || 'Failed to save item policy.', 'danger');
+                setGovernanceStatus(error.message || 'Failed to save item policy.', 'danger');
+            }
+        });
+    }
+
+    const entityTypeInput = modalElement.querySelector('#governance-item-entity-type');
+    if (entityTypeInput) {
+        entityTypeInput.addEventListener('change', async () => {
+            const entityType = String(entityTypeInput.value || '').trim();
+            const filterInput = getItemLookupFilterInput();
+            if (filterInput) {
+                filterInput.value = '';
+            }
+            await refreshGovernanceItemLookup(entityType, false, '');
+        });
+    }
+
+    const itemLookupRefreshButton = modalElement.querySelector('#governance-item-id-refresh-btn');
+    if (itemLookupRefreshButton) {
+        itemLookupRefreshButton.addEventListener('click', async () => {
+            const entityType = String(getItemEntityTypeInput()?.value || '').trim();
+            await refreshGovernanceItemLookup(entityType, true, String(getItemIdInput()?.value || '').trim());
+        });
+    }
+
+    const itemLookupFilterInput = modalElement.querySelector('#governance-item-id-filter');
+    if (itemLookupFilterInput) {
+        itemLookupFilterInput.addEventListener('input', () => {
+            const entityType = String(getItemEntityTypeInput()?.value || '').trim();
+            renderGovernanceItemLookupOptions(entityType, String(getItemIdInput()?.value || '').trim());
+        });
+    }
+
+    const allowAllInput = modalElement.querySelector('#governance-item-allow-all');
+    if (allowAllInput) {
+        allowAllInput.addEventListener('change', () => {
+            applyItemAllowAllUiState();
+        });
+    }
+
+    const userSearchButton = modalElement.querySelector('#governance-item-user-search-btn');
+    if (userSearchButton) {
+        userSearchButton.addEventListener('click', async () => {
+            try {
+                await loadGovernanceItemEditorUserResults();
+            } catch (error) {
+                setGovernanceItemEditorStatus(error.message || 'Failed to load user results.', 'danger');
+            }
+        });
+    }
+
+    const groupSearchButton = modalElement.querySelector('#governance-item-group-search-btn');
+    if (groupSearchButton) {
+        groupSearchButton.addEventListener('click', async () => {
+            try {
+                await loadGovernanceItemEditorGroupResults();
+            } catch (error) {
+                setGovernanceItemEditorStatus(error.message || 'Failed to load group results.', 'danger');
+            }
+        });
+    }
+
+    const addSelectedUsersButton = modalElement.querySelector('#governance-item-add-selected-users-btn');
+    if (addSelectedUsersButton) {
+        addSelectedUsersButton.addEventListener('click', () => {
+            const selectedUserIds = readCheckedValues('.governance-item-user-result-checkbox');
+            selectedUserIds.forEach((userId) => {
+                const userCheckbox = Array.from(document.querySelectorAll('.governance-item-user-result-checkbox')).find(
+                    (checkbox) => checkbox.value === userId
+                );
+                const displayLabel = String(userCheckbox?.dataset.displayLabel || '').trim();
+                if (displayLabel) {
+                    setGovernanceDisplayName('users', userId, displayLabel);
+                }
+            });
+            setGovernanceItemEditorSelectedIds('users', [...getGovernanceItemEditorSelectedIds('users'), ...selectedUserIds]);
+            setGovernanceItemEditorStatus(`Added ${selectedUserIds.length} user${selectedUserIds.length === 1 ? '' : 's'}.`, 'success');
+        });
+    }
+
+    const addSelectedGroupsButton = modalElement.querySelector('#governance-item-add-selected-groups-btn');
+    if (addSelectedGroupsButton) {
+        addSelectedGroupsButton.addEventListener('click', () => {
+            const selectedGroupIds = readCheckedValues('.governance-item-group-result-checkbox');
+            selectedGroupIds.forEach((groupId) => {
+                const groupCheckbox = Array.from(document.querySelectorAll('.governance-item-group-result-checkbox')).find(
+                    (checkbox) => checkbox.value === groupId
+                );
+                const displayLabel = String(groupCheckbox?.dataset.displayLabel || '').trim();
+                if (displayLabel) {
+                    setGovernanceDisplayName('groups', groupId, displayLabel);
+                }
+            });
+            setGovernanceItemEditorSelectedIds('groups', [...getGovernanceItemEditorSelectedIds('groups'), ...selectedGroupIds]);
+            setGovernanceItemEditorStatus(`Added ${selectedGroupIds.length} group${selectedGroupIds.length === 1 ? '' : 's'}.`, 'success');
+        });
+    }
 
-    if (hydrateMissing && missingIds.length > 0) {
-        void hydrateGovernanceDisplayNames(listType, missingIds).then(() => {
-            renderGovernancePrincipalReviewCell(cell, listType, normalizedIds, false);
-        }).catch(() => {
-            renderGovernancePrincipalReviewCell(cell, listType, normalizedIds, false);
+    const removeSelectedUsersButton = modalElement.querySelector('#governance-item-remove-selected-users-btn');
+    if (removeSelectedUsersButton) {
+        removeSelectedUsersButton.addEventListener('click', () => {
+            const selectedUserIds = readCheckedValues('.governance-item-selected-user-checkbox');
+            setGovernanceItemEditorSelectedIds('users', removeCheckedFromList(getGovernanceItemEditorSelectedIds('users'), selectedUserIds));
+            setGovernanceItemEditorStatus(`Removed ${selectedUserIds.length} user${selectedUserIds.length === 1 ? '' : 's'}.`, 'success');
         });
     }
-}
 
-function parseGovernancePrincipalDataset(value) {
-    try {
-        const parsed = JSON.parse(value || '[]');
-        return uniquePrincipalList(Array.isArray(parsed) ? parsed : []);
-    } catch (error) {
-        return [];
+    const removeSelectedGroupsButton = modalElement.querySelector('#governance-item-remove-selected-groups-btn');
+    if (removeSelectedGroupsButton) {
+        removeSelectedGroupsButton.addEventListener('click', () => {
+            const selectedGroupIds = readCheckedValues('.governance-item-selected-group-checkbox');
+            setGovernanceItemEditorSelectedIds('groups', removeCheckedFromList(getGovernanceItemEditorSelectedIds('groups'), selectedGroupIds));
+            setGovernanceItemEditorStatus(`Removed ${selectedGroupIds.length} group${selectedGroupIds.length === 1 ? '' : 's'}.`, 'success');
+        });
     }
-}
 
-function ensureGovernanceItemIdOption(itemIdInput, itemId) {
-    const normalizedItemId = String(itemId || '').trim();
-    if (!itemIdInput || !normalizedItemId) {
-        return;
+    const clearUsersButton = modalElement.querySelector('#governance-item-clear-users-btn');
+    if (clearUsersButton) {
+        clearUsersButton.addEventListener('click', () => {
+            setGovernanceItemEditorSelectedIds('users', []);
+            setGovernanceItemEditorStatus('Cleared selected users.', 'success');
+        });
     }
 
-    const hasOption = Array.from(itemIdInput.options || []).some((option) => option.value === normalizedItemId);
-    if (!hasOption) {
-        const option = document.createElement('option');
-        option.value = normalizedItemId;
-        option.textContent = normalizedItemId;
-        itemIdInput.appendChild(option);
+    const clearGroupsButton = modalElement.querySelector('#governance-item-clear-groups-btn');
+    if (clearGroupsButton) {
+        clearGroupsButton.addEventListener('click', () => {
+            setGovernanceItemEditorSelectedIds('groups', []);
+            setGovernanceItemEditorStatus('Cleared selected groups.', 'success');
+        });
     }
-    itemIdInput.value = normalizedItemId;
-}
 
-async function loadGovernanceItemPolicyIntoEditor(policy) {
-    const entityTypeInput = document.getElementById('governance-item-entity-type');
-    const itemIdInput = document.getElementById('governance-item-id');
-    const allowAllInput = document.getElementById('governance-item-allow-all');
-    const usersInput = getItemUsersInput();
-    const groupsInput = getItemGroupsInput();
+    const csvApplyButton = modalElement.querySelector('#governance-item-csv-apply-btn');
+    if (csvApplyButton) {
+        csvApplyButton.addEventListener('click', () => {
+            const targetSelect = document.getElementById('governance-item-csv-target');
+            const modeSelect = document.getElementById('governance-item-csv-mode');
+            const csvInput = document.getElementById('governance-item-csv-input');
+            const target = String(targetSelect?.value || 'users');
+            const mode = String(modeSelect?.value || 'merge');
+            const importedValues = uniquePrincipalList(parseCsvPrincipalLines(csvInput?.value || ''));
 
-    if (!entityTypeInput || !itemIdInput || !allowAllInput || !usersInput || !groupsInput) {
-        return;
+            if (importedValues.length === 0) {
+                setGovernanceItemEditorStatus('No CSV values detected.', 'warning');
+                return;
+            }
+
+            const existingValues = getGovernanceItemEditorSelectedIds(target);
+            const nextValues = mode === 'replace' ? importedValues : uniquePrincipalList([...existingValues, ...importedValues]);
+            setGovernanceItemEditorSelectedIds(target, nextValues);
+            setGovernanceItemEditorStatus(`CSV ${mode} completed for ${target}. Imported ${importedValues.length} ID${importedValues.length === 1 ? '' : 's'}.`, 'success');
+        });
     }
 
-    const entityType = String(policy?.entity_type || '').trim();
-    const itemId = String(policy?.item_id || '').trim();
-    if (!entityType || !itemId) {
-        return;
+    const selectedUserSearchInput = modalElement.querySelector('#governance-item-selected-user-search');
+    if (selectedUserSearchInput) {
+        selectedUserSearchInput.addEventListener('input', () => {
+            governanceItemEditorSelectionViewState.users.search = String(selectedUserSearchInput.value || '').trim();
+            governanceItemEditorSelectionViewState.users.page = 1;
+            renderGovernanceItemEditorSelections();
+        });
     }
 
-    entityTypeInput.value = entityType;
-    await refreshGovernanceItemLookup(entityType, false, itemId);
-    ensureGovernanceItemIdOption(itemIdInput, itemId);
+    const selectedGroupSearchInput = modalElement.querySelector('#governance-item-selected-group-search');
+    if (selectedGroupSearchInput) {
+        selectedGroupSearchInput.addEventListener('input', () => {
+            governanceItemEditorSelectionViewState.groups.search = String(selectedGroupSearchInput.value || '').trim();
+            governanceItemEditorSelectionViewState.groups.page = 1;
+            renderGovernanceItemEditorSelections();
+        });
+    }
 
-    allowAllInput.checked = Boolean(policy.allow_all);
-    usersInput.value = joinPrincipalList(policy.allowed_users || []);
-    groupsInput.value = joinPrincipalList(policy.allowed_groups || []);
+    const selectedUserPageSizeSelect = modalElement.querySelector('#governance-item-selected-user-page-size');
+    if (selectedUserPageSizeSelect) {
+        selectedUserPageSizeSelect.addEventListener('change', () => {
+            governanceItemEditorSelectionViewState.users.pageSize = normalizeGovernanceAllowListPageSize(selectedUserPageSizeSelect.value);
+            governanceItemEditorSelectionViewState.users.page = 1;
+            renderGovernanceItemEditorSelections();
+        });
+    }
 
-    updateItemAllowListSummary();
-    applyItemAllowAllUiState();
-    document.getElementById('governance-item-policy-form')?.scrollIntoView({ behavior: 'smooth', block: 'center' });
-    itemIdInput.focus();
-}
+    const selectedGroupPageSizeSelect = modalElement.querySelector('#governance-item-selected-group-page-size');
+    if (selectedGroupPageSizeSelect) {
+        selectedGroupPageSizeSelect.addEventListener('change', () => {
+            governanceItemEditorSelectionViewState.groups.pageSize = normalizeGovernanceAllowListPageSize(selectedGroupPageSizeSelect.value);
+            governanceItemEditorSelectionViewState.groups.page = 1;
+            renderGovernanceItemEditorSelections();
+        });
+    }
 
-function openCurrentDelegatedItemAllowListEditor() {
-    const usersInput = getItemUsersInput();
-    const groupsInput = getItemGroupsInput();
-    const entityTypeInput = document.getElementById('governance-item-entity-type');
-    const itemIdInput = document.getElementById('governance-item-id');
+    const selectedUsersPrevButton = modalElement.querySelector('#governance-item-selected-users-prev-btn');
+    if (selectedUsersPrevButton) {
+        selectedUsersPrevButton.addEventListener('click', () => {
+            governanceItemEditorSelectionViewState.users.page = Math.max(1, governanceItemEditorSelectionViewState.users.page - 1);
+            renderGovernanceItemEditorSelections();
+        });
+    }
 
-    if (!usersInput || !groupsInput) {
-        return;
+    const selectedUsersNextButton = modalElement.querySelector('#governance-item-selected-users-next-btn');
+    if (selectedUsersNextButton) {
+        selectedUsersNextButton.addEventListener('click', () => {
+            governanceItemEditorSelectionViewState.users.page += 1;
+            renderGovernanceItemEditorSelections();
+        });
     }
 
-    const entityType = String(entityTypeInput?.value || '').trim();
-    const itemId = String(itemIdInput?.value || '').trim();
-    const contextSuffix = entityType && itemId
-        ? ` (${GOVERNANCE_ITEM_ENTITY_LABELS[entityType] || entityType}: ${itemId})`
-        : '';
-
-    openGovernanceAllowListEditor({
-        title: `Edit Delegated Item Allow List${contextSuffix}`,
-        description: 'Manage explicitly allowed users and groups for this delegated item policy.',
-        getUsers: () => splitPrincipalList(usersInput.value),
-        getGroups: () => splitPrincipalList(groupsInput.value),
-        setValues: (users, groups) => {
-            usersInput.value = joinPrincipalList(users);
-            groupsInput.value = joinPrincipalList(groups);
-            const allowAllInput = getItemAllowAllInput();
-            if (allowAllInput) {
-                allowAllInput.checked = false;
-            }
-            applyItemAllowAllUiState();
-        },
-    });
-}
+    const selectedGroupsPrevButton = modalElement.querySelector('#governance-item-selected-groups-prev-btn');
+    if (selectedGroupsPrevButton) {
+        selectedGroupsPrevButton.addEventListener('click', () => {
+            governanceItemEditorSelectionViewState.groups.page = Math.max(1, governanceItemEditorSelectionViewState.groups.page - 1);
+            renderGovernanceItemEditorSelections();
+        });
+    }
 
-function openCurrentDelegatedItemAllowListEditorAfterReviewModalCloses() {
-    const reviewModalElement = document.getElementById('governance-item-policies-review-modal');
-    if (!reviewModalElement?.classList.contains('show')) {
-        openCurrentDelegatedItemAllowListEditor();
-        return;
+    const selectedGroupsNextButton = modalElement.querySelector('#governance-item-selected-groups-next-btn');
+    if (selectedGroupsNextButton) {
+        selectedGroupsNextButton.addEventListener('click', () => {
+            governanceItemEditorSelectionViewState.groups.page += 1;
+            renderGovernanceItemEditorSelections();
+        });
     }
 
-    reviewModalElement.addEventListener('hidden.bs.modal', () => {
-        openCurrentDelegatedItemAllowListEditor();
-    }, { once: true });
-    governanceItemReviewModal?.hide();
+    const selectAllMappings = [
+        ['governance-item-select-all-user-results', '.governance-item-user-result-checkbox'],
+        ['governance-item-select-all-group-results', '.governance-item-group-result-checkbox'],
+        ['governance-item-select-all-selected-users', '.governance-item-selected-user-checkbox'],
+        ['governance-item-select-all-selected-groups', '.governance-item-selected-group-checkbox'],
+    ];
+
+    selectAllMappings.forEach(([masterId, checkboxSelector]) => {
+        const master = modalElement.querySelector(`#${masterId}`);
+        if (!master) {
+            return;
+        }
+        master.addEventListener('change', () => {
+            toggleCheckboxes(checkboxSelector, master.checked);
+        });
+    });
 }
 
 function ensureGovernanceItemPolicyDeleteModal() {
@@ -937,9 +1903,11 @@ function ensureGovernanceItemPolicyDeleteModal() {
     return modalElement;
 }
 
-function openGovernanceItemPolicyDeleteModal(entityType, itemId) {
-    const normalizedEntityType = String(entityType || '').trim();
+function openGovernanceItemPolicyDeleteModal(entityType, itemId, policyId = '', policyName = '') {
+    const normalizedEntityType = normalizeGovernanceItemEntityType(entityType);
     const normalizedItemId = String(itemId || '').trim();
+    const normalizedPolicyId = String(policyId || '').trim();
+    const normalizedPolicyName = String(policyName || '').trim();
     if (!normalizedEntityType || !normalizedItemId) {
         return;
     }
@@ -947,12 +1915,14 @@ function openGovernanceItemPolicyDeleteModal(entityType, itemId) {
     governanceItemPolicyDeleteContext = {
         entityType: normalizedEntityType,
         itemId: normalizedItemId,
+        policyId: normalizedPolicyId,
     };
 
     ensureGovernanceItemPolicyDeleteModal();
     const summary = document.getElementById('governance-item-policy-delete-summary');
     if (summary) {
-        summary.textContent = `${buildItemPolicyEntityLabel(normalizedEntityType)}: ${normalizedItemId}`;
+        const policyPrefix = normalizedPolicyName ? `${normalizedPolicyName} - ` : '';
+        summary.textContent = `${policyPrefix}${buildItemPolicyEntityLabel(normalizedEntityType)}: ${normalizedItemId}`;
     }
     governanceItemPolicyDeleteModal?.show();
 }
@@ -962,9 +1932,12 @@ async function deleteGovernanceItemPolicyFromContext() {
         return;
     }
 
-    const { entityType, itemId } = governanceItemPolicyDeleteContext;
+    const { entityType, itemId, policyId } = governanceItemPolicyDeleteContext;
+    const deleteUrl = policyId
+        ? `/api/admin/governance/item-policies/${encodeURIComponent(entityType)}/${encodeURIComponent(itemId)}/${encodeURIComponent(policyId)}`
+        : `/api/admin/governance/item-policies/${encodeURIComponent(entityType)}/${encodeURIComponent(itemId)}`;
     const response = await fetch(
-        `/api/admin/governance/item-policies/${encodeURIComponent(entityType)}/${encodeURIComponent(itemId)}`,
+        deleteUrl,
         {
             method: 'DELETE',
             headers: {
@@ -982,10 +1955,22 @@ async function deleteGovernanceItemPolicyFromContext() {
 
     const entityTypeInput = document.getElementById('governance-item-entity-type');
     const itemIdInput = document.getElementById('governance-item-id');
-    if (entityTypeInput?.value === entityType && itemIdInput?.value === itemId) {
+    const policyIdInput = getItemPolicyIdInput();
+    if (entityTypeInput?.value === entityType && itemIdInput?.value === itemId && (!policyId || policyIdInput?.value === policyId)) {
         const allowAllInput = getItemAllowAllInput();
         const usersInput = getItemUsersInput();
         const groupsInput = getItemGroupsInput();
+        const policyNameInput = getItemPolicyNameInput();
+        const resourceLabelInput = getItemResourceLabelInput();
+        if (policyIdInput) {
+            policyIdInput.value = '';
+        }
+        if (policyNameInput) {
+            policyNameInput.value = '';
+        }
+        if (resourceLabelInput) {
+            resourceLabelInput.value = '';
+        }
         if (allowAllInput) {
             allowAllInput.checked = true;
         }
@@ -999,115 +1984,52 @@ async function deleteGovernanceItemPolicyFromContext() {
     }
 
     await loadItemPolicies();
-    await loadGovernanceItemPolicyReview();
     showGovernanceToast('Delegated item policy deleted.', 'success');
 }
 
-function ensureGovernanceItemReviewModal() {
-    const existingModal = document.getElementById('governance-item-policies-review-modal');
-    if (existingModal) {
-        wireGovernanceItemReviewHandlers(existingModal);
-        return existingModal;
+function ensureGovernanceItemReviewPanel() {
+    const panelElement = document.getElementById('governance-item-policies-section');
+    if (panelElement) {
+        wireGovernanceItemReviewHandlers(panelElement);
     }
+    return panelElement;
+}
 
-    const modalMarkup = `
-        <div class="modal fade" id="governance-item-policies-review-modal" tabindex="-1" aria-hidden="true">
-            <div class="modal-dialog modal-xl modal-dialog-scrollable">
-                <div class="modal-content">
-                    <div class="modal-header">
-                        <div>
-                            <h5 class="modal-title mb-1">Configured Delegated Items</h5>
-                            <div class="text-muted small">Search and page through the configured item policies.</div>
-                        </div>
-                        <button type="button" class="btn-close" data-bs-dismiss="modal" aria-label="Close"></button>
-                    </div>
-                    <div class="modal-body">
-                        <div class="row g-2 align-items-end mb-3">
-                            <div class="col-md-5">
-                                <label class="form-label" for="governance-item-review-search">Search</label>
-                                <input type="search" class="form-control" id="governance-item-review-search" placeholder="Search users, groups, endpoint IDs, or item IDs">
-                            </div>
-                            <div class="col-md-3">
-                                <label class="form-label" for="governance-item-review-entity-type">Entity Type</label>
-                                <select class="form-select" id="governance-item-review-entity-type">
-                                    <option value="">All</option>
-                                    <option value="endpoint">Endpoint</option>
-                                    <option value="global_agent">Global Agent</option>
-                                    <option value="global_action">Global Action</option>
-                                </select>
-                            </div>
-                            <div class="col-md-2">
-                                <label class="form-label" for="governance-item-review-page-size">Page Size</label>
-                                <select class="form-select" id="governance-item-review-page-size">
-                                    <option value="10">10</option>
-                                    <option value="25" selected>25</option>
-                                    <option value="50">50</option>
-                                </select>
-                            </div>
-                            <div class="col-md-2 d-grid gap-2">
-                                <button type="button" class="btn btn-primary" id="governance-item-review-search-btn">Search</button>
-                                <button type="button" class="btn btn-outline-secondary" id="governance-item-review-reset-btn">Reset</button>
-                            </div>
-                        </div>
-
-                        <div class="table-responsive">
-                            <table class="table table-sm table-striped align-middle">
-                                <thead>
-                                    <tr>
-                                        <th>Entity Type</th>
-                                        <th>Item ID</th>
-                                        <th>Allow All</th>
-                                        <th>Allowed Users</th>
-                                        <th>Allowed Groups</th>
-                                        <th>Actions</th>
-                                    </tr>
-                                </thead>
-                                <tbody id="governance-item-policies-review-body"></tbody>
-                            </table>
-                        </div>
+function openGovernanceItemReviewModal() {
+    const panelElement = ensureGovernanceItemReviewPanel();
+    if (!panelElement) {
+        return;
+    }
 
-                        <div class="d-flex align-items-center justify-content-between gap-2 mt-3">
-                            <div class="text-muted small" id="governance-item-review-summary"></div>
-                            <div class="btn-group" role="group" aria-label="Delegated item policy pagination">
-                                <button type="button" class="btn btn-outline-secondary btn-sm" id="governance-item-review-prev-btn">Previous</button>
-                                <button type="button" class="btn btn-outline-secondary btn-sm" id="governance-item-review-next-btn">Next</button>
-                            </div>
-                        </div>
-                    </div>
-                    <div class="modal-footer">
-                        <button type="button" class="btn btn-secondary" data-bs-dismiss="modal">Close</button>
-                    </div>
-                </div>
-            </div>
-        </div>
-    `;
-
-    const wrapper = document.createElement('div');
-    wrapper.innerHTML = modalMarkup.trim();
-    const modalElement = wrapper.firstElementChild;
-    document.body.appendChild(modalElement);
-    wireGovernanceItemReviewHandlers(modalElement);
-    return modalElement;
+    panelElement.scrollIntoView({ behavior: 'smooth', block: 'start' });
+    loadGovernanceItemPolicyReview().catch((error) => {
+        setGovernanceStatus(error.message || 'Failed to load delegated item policies.', 'danger');
+    });
 }
 
-function wireGovernanceItemReviewHandlers(modalElement) {
-    if (!modalElement || modalElement.dataset.reviewWired) {
+function wireGovernanceItemReviewHandlers(panelElement) {
+    if (!panelElement || panelElement.dataset.reviewWired) {
         return;
     }
 
-    const itemPolicyReviewBody = modalElement.querySelector('#governance-item-policies-review-body');
+    const itemPolicyReviewBody = panelElement.querySelector('#governance-item-policies-review-body');
     if (!itemPolicyReviewBody) {
         return;
     }
 
-    modalElement.dataset.reviewWired = 'true';
+    panelElement.dataset.reviewWired = 'true';
     itemPolicyReviewBody.addEventListener('click', async (event) => {
         const target = event.target;
         const editButton = target instanceof HTMLElement ? target.closest('.governance-edit-item-policy-btn') : null;
         const deleteButton = target instanceof HTMLElement ? target.closest('.governance-delete-item-policy-btn') : null;
 
         if (deleteButton) {
-            openGovernanceItemPolicyDeleteModal(deleteButton.dataset.entityType, deleteButton.dataset.itemId);
+            openGovernanceItemPolicyDeleteModal(
+                deleteButton.dataset.entityType,
+                deleteButton.dataset.itemId,
+                deleteButton.dataset.policyId,
+                deleteButton.dataset.policyName,
+            );
             return;
         }
 
@@ -1118,13 +2040,19 @@ function wireGovernanceItemReviewHandlers(modalElement) {
         const policy = {
             entity_type: editButton.dataset.entityType || '',
             item_id: editButton.dataset.itemId || '',
+            policy_id: editButton.dataset.policyId || '',
+            policy_name: editButton.dataset.policyName || '',
+            resource_label: editButton.dataset.resourceLabel || '',
             allow_all: editButton.dataset.allowAll === 'true',
             allowed_users: parseGovernancePrincipalDataset(editButton.dataset.allowedUsers),
             allowed_groups: parseGovernancePrincipalDataset(editButton.dataset.allowedGroups),
         };
 
-        await loadGovernanceItemPolicyIntoEditor(policy);
-        openCurrentDelegatedItemAllowListEditorAfterReviewModalCloses();
+        try {
+            await openGovernanceItemPolicyEditor(policy);
+        } catch (error) {
+            setGovernanceStatus(error.message || 'Failed to open delegated item policy editor.', 'danger');
+        }
     });
 }
 
@@ -1154,7 +2082,7 @@ function renderGovernanceItemReviewRows(itemPolicies) {
     if (!Array.isArray(itemPolicies) || itemPolicies.length === 0) {
         const emptyRow = document.createElement('tr');
         const emptyCell = document.createElement('td');
-        emptyCell.colSpan = 6;
+        emptyCell.colSpan = 7;
         emptyCell.className = 'text-center text-muted';
         emptyCell.textContent = 'No delegated item policies found.';
         emptyRow.appendChild(emptyCell);
@@ -1231,24 +2159,6 @@ async function loadGovernanceItemPolicyReview(page = governanceItemReviewState.p
     updateGovernanceItemReviewPagination(payload.pagination);
 }
 
-function openGovernanceItemReviewModal() {
-    const modalElement = ensureGovernanceItemReviewModal();
-    if (!modalElement) {
-        return;
-    }
-
-    if (!governanceItemReviewModal) {
-        governanceItemReviewModal = bootstrap.Modal.getOrCreateInstance(modalElement);
-    }
-
-    governanceItemReviewState.page = 1;
-    syncGovernanceItemReviewControls();
-    governanceItemReviewModal.show();
-    loadGovernanceItemPolicyReview().catch((error) => {
-        setGovernanceStatus(error.message || 'Failed to load delegated item policy review.', 'danger');
-    });
-}
-
 function ensureGovernanceAllowListEditorModal() {
     let modalElement = document.getElementById('governanceAllowListEditorModal');
     if (!modalElement) {
@@ -1637,8 +2547,13 @@ async function hydrateGovernanceDisplayNames(listType, ids) {
         }
     }));
 
-    if (hasUpdates && governanceAllowListEditorContext) {
-        renderGovernanceAllowListEditorSelections();
+    if (hasUpdates) {
+        if (governanceAllowListEditorContext) {
+            renderGovernanceAllowListEditorSelections();
+        }
+        if (document.getElementById('governance-item-policy-editor-modal')?.classList.contains('show')) {
+            renderGovernanceItemEditorSelections();
+        }
     }
 }
 
@@ -2262,29 +3177,7 @@ function wireGovernanceAllowListEditorHandlers() {
 }
 
 async function loadItemPolicies() {
-    const tbody = document.getElementById('governance-item-policies-body');
-    if (!tbody) {
-        return;
-    }
-
-    const response = await fetch('/api/admin/governance/item-policies', {
-        method: 'GET',
-        headers: {
-            Accept: 'application/json',
-        },
-    });
-
-    if (!response.ok) {
-        throw new Error('Unable to load governance item policies.');
-    }
-
-    const payload = await response.json();
-    const itemPolicies = Array.isArray(payload.item_policies) ? payload.item_policies : [];
-
-    tbody.innerHTML = '';
-    itemPolicies.forEach((policy) => {
-        tbody.appendChild(buildItemPolicyRow(policy));
-    });
+    await loadGovernanceItemPolicyReview(1);
 }
 
 async function saveItemPolicy(event) {
@@ -2294,6 +3187,9 @@ async function saveItemPolicy(event) {
 
     const entityTypeInput = document.getElementById('governance-item-entity-type');
     const itemIdInput = document.getElementById('governance-item-id');
+    const policyIdInput = getItemPolicyIdInput();
+    const policyNameInput = getItemPolicyNameInput();
+    const resourceLabelInput = getItemResourceLabelInput();
     const allowAllInput = document.getElementById('governance-item-allow-all');
     const usersInput = document.getElementById('governance-item-users');
     const groupsInput = document.getElementById('governance-item-groups');
@@ -2302,15 +3198,25 @@ async function saveItemPolicy(event) {
         return;
     }
 
-    const entityType = String(entityTypeInput.value || '').trim();
+    const entityType = normalizeGovernanceItemEntityType(entityTypeInput.value);
     const itemId = String(itemIdInput.value || '').trim();
+    const resourceLabel = String(resourceLabelInput?.value || '').trim();
+    const policyName = String(policyNameInput?.value || '').trim() || buildDefaultItemPolicyName(entityType, itemId, resourceLabel);
 
     if (!entityType || !itemId) {
-        setGovernanceStatus('Entity type and item ID are required for item governance policies.', 'warning');
+        setGovernanceItemEditorStatus('Entity type and item ID are required for item governance policies.', 'warning');
+        return;
+    }
+
+    if (!policyName) {
+        setGovernanceItemEditorStatus('Policy name is required for delegated item policies.', 'warning');
         return;
     }
 
     const payload = {
+        policy_id: String(policyIdInput?.value || '').trim(),
+        policy_name: policyName,
+        resource_label: resourceLabel,
         allow_all: allowAllInput.checked,
         allowed_users: allowAllInput.checked ? [] : splitPrincipalList(usersInput.value),
         allowed_groups: allowAllInput.checked ? [] : splitPrincipalList(groupsInput.value),
@@ -2333,11 +3239,8 @@ async function saveItemPolicy(event) {
     }
 
     await loadItemPolicies();
-    const reviewModalElement = document.getElementById('governance-item-policies-review-modal');
-    if (reviewModalElement?.classList.contains('show')) {
-        await loadGovernanceItemPolicyReview();
-    }
     updateItemAllowListSummary();
+    governanceItemPolicyEditorModal?.hide();
     clearGovernanceStatus();
     showGovernanceToast('Item governance policy saved successfully.', 'success');
 }
@@ -2353,6 +3256,35 @@ function wireGovernanceHandlers() {
         });
     });
 
+    Object.values(GOVERNANCE_PRIMARY_TOGGLE_MAP).forEach((primaryToggleId) => {
+        const primaryToggle = document.getElementById(primaryToggleId);
+        if (!(primaryToggle instanceof HTMLInputElement)) {
+            return;
+        }
+        primaryToggle.addEventListener('change', () => {
+            syncGovernanceFeaturePolicyVisibility();
+        });
+    });
+
+    document.querySelectorAll('.governance-primary-link').forEach((linkButton) => {
+        linkButton.addEventListener('click', () => {
+            const targetId = String(linkButton.getAttribute('data-governance-target') || '').trim();
+            if (typeof window.openAdminSettingsTab === 'function') {
+                window.openAdminSettingsTab('#governance');
+            }
+            window.setTimeout(() => {
+                const target = document.getElementById(targetId);
+                const wrapper = target?.closest('.form-check');
+                if (wrapper?.classList.contains('d-none')) {
+                    setGovernanceStatus('Enable the matching primary feature before configuring governance for it.', 'warning');
+                    return;
+                }
+                target?.scrollIntoView({ behavior: 'smooth', block: 'center' });
+                target?.focus();
+            }, 100);
+        });
+    });
+
     const featurePolicyTableBody = document.getElementById('governance-feature-policies-body');
     if (featurePolicyTableBody) {
         featurePolicyTableBody.addEventListener('change', (event) => {
@@ -2411,74 +3343,15 @@ function wireGovernanceHandlers() {
         });
     }
 
-    const saveItemPolicyButton = document.getElementById('governance-save-item-policy-btn');
-    if (saveItemPolicyButton) {
-        saveItemPolicyButton.addEventListener('click', async (event) => {
+    const newItemPolicyButton = document.getElementById('governance-new-item-policy-btn');
+    if (newItemPolicyButton) {
+        newItemPolicyButton.addEventListener('click', async () => {
             clearGovernanceStatus();
             try {
-                await saveItemPolicy(event);
+                await openGovernanceItemPolicyEditor();
             } catch (error) {
-                setGovernanceStatus(error.message || 'Failed to save item policy.', 'danger');
-            }
-        });
-    }
-
-    const itemEntityTypeInput = getItemEntityTypeInput();
-    if (itemEntityTypeInput) {
-        itemEntityTypeInput.addEventListener('change', async () => {
-            const entityType = String(itemEntityTypeInput.value || '').trim();
-            await refreshGovernanceItemLookup(entityType, false, '');
-        });
-    }
-
-    const itemLookupRefreshButton = document.getElementById('governance-item-id-refresh-btn');
-    if (itemLookupRefreshButton) {
-        itemLookupRefreshButton.addEventListener('click', async () => {
-            const entityType = String(getItemEntityTypeInput()?.value || '').trim();
-            await refreshGovernanceItemLookup(entityType, true, String(getItemIdInput()?.value || '').trim());
-        });
-    }
-
-    const itemAllowAllInput = getItemAllowAllInput();
-    if (itemAllowAllInput) {
-        itemAllowAllInput.addEventListener('change', () => {
-            applyItemAllowAllUiState();
-        });
-    }
-
-    const itemEditAllowListButton = document.getElementById('governance-edit-item-allowlist-btn');
-    if (itemEditAllowListButton) {
-        itemEditAllowListButton.addEventListener('click', () => {
-            const usersInput = getItemUsersInput();
-            const groupsInput = getItemGroupsInput();
-            const entityTypeInput = document.getElementById('governance-item-entity-type');
-            const itemIdInput = document.getElementById('governance-item-id');
-
-            if (!usersInput || !groupsInput) {
-                return;
+                setGovernanceStatus(error.message || 'Failed to open delegated item policy editor.', 'danger');
             }
-
-            const entityType = String(entityTypeInput?.value || '').trim();
-            const itemId = String(itemIdInput?.value || '').trim();
-            const contextSuffix = entityType && itemId
-                ? ` (${GOVERNANCE_ITEM_ENTITY_LABELS[entityType] || entityType}: ${itemId})`
-                : '';
-
-            openGovernanceAllowListEditor({
-                title: `Edit Delegated Item Allow List${contextSuffix}`,
-                description: 'Manage explicitly allowed users and groups for this delegated item policy.',
-                getUsers: () => splitPrincipalList(usersInput.value),
-                getGroups: () => splitPrincipalList(groupsInput.value),
-                setValues: (users, groups) => {
-                    usersInput.value = joinPrincipalList(users);
-                    groupsInput.value = joinPrincipalList(groups);
-                    const allowAllInput = getItemAllowAllInput();
-                    if (allowAllInput) {
-                        allowAllInput.checked = false;
-                    }
-                    applyItemAllowAllUiState();
-                },
-            });
         });
     }
 
@@ -2495,14 +3368,6 @@ function wireGovernanceHandlers() {
         });
     }
 
-    const reviewItemPoliciesButton = document.getElementById('governance-review-item-policies-btn');
-    if (reviewItemPoliciesButton) {
-        reviewItemPoliciesButton.addEventListener('click', () => {
-            clearGovernanceStatus();
-            openGovernanceItemReviewModal();
-        });
-    }
-
     const reviewSearchButton = document.getElementById('governance-item-review-search-btn');
     if (reviewSearchButton) {
         reviewSearchButton.addEventListener('click', async () => {
@@ -2576,15 +3441,13 @@ async function initializeGovernanceTab() {
     wireGovernanceHandlers();
     clearGovernanceStatus();
 
-    ensureGovernanceItemReviewModal();
+    ensureGovernanceItemReviewPanel();
     ensureGovernanceAllowListEditorModal();
+    ensureGovernanceItemPolicyEditorModal();
 
     try {
         await loadFeaturePolicies();
         await loadItemPolicies();
-        const initialEntityType = String(getItemEntityTypeInput()?.value || 'global_agent').trim();
-        await refreshGovernanceItemLookup(initialEntityType, false, String(getItemIdInput()?.value || '').trim());
-        applyItemAllowAllUiState();
     } catch (error) {
         setGovernanceStatus(error.message || 'Unable to initialize governance settings.', 'danger');
     }
diff --git a/application/single_app/static/js/admin/admin_model_endpoints.js b/application/single_app/static/js/admin/admin_model_endpoints.js
index 2943795de..bf0a7d541 100644
--- a/application/single_app/static/js/admin/admin_model_endpoints.js
+++ b/application/single_app/static/js/admin/admin_model_endpoints.js
@@ -81,6 +81,8 @@ let modelEndpoints = Array.isArray(window.modelEndpoints) ? [...window.modelEndp
 let modalModels = [];
 let pendingDeleteEndpointId = null;
 let pendingDeleteTimeout = null;
+let pendingEndpointDuplicate = null;
+let endpointDuplicateKeyModal = null;
 let defaultModelSelection = window.defaultModelSelection && typeof window.defaultModelSelection === "object"
     ? { ...window.defaultModelSelection }
     : {};
@@ -293,6 +295,8 @@ function renderEndpoints() {
             <td class="text-end">
                 <div class="btn-group btn-group-sm" role="group">
                     <button type="button" class="btn btn-outline-primary" data-action="edit" data-endpoint-id="${endpoint.id}">Edit</button>
+                    <button type="button" class="btn btn-outline-info" data-action="govern" data-endpoint-id="${endpoint.id}">Govern</button>
+                    <button type="button" class="btn btn-outline-secondary" data-action="duplicate" data-endpoint-id="${endpoint.id}">Duplicate</button>
                     <button type="button" class="btn btn-outline-${endpoint.enabled ? "warning" : "success"}" data-action="toggle" data-endpoint-id="${endpoint.id}">${toggleLabel}</button>
                     <button type="button" class="btn btn-outline-danger" data-action="delete" data-endpoint-id="${endpoint.id}">Delete</button>
                 </div>
@@ -438,6 +442,9 @@ function updateAuthVisibility() {
 }
 
 function resetModal() {
+    if (endpointModalEl) {
+        endpointModalEl.dataset.duplicateDisabledDefault = '';
+    }
     if (endpointIdInput) endpointIdInput.value = "";
     if (endpointNameInput) endpointNameInput.value = "";
     if (endpointProviderSelect) endpointProviderSelect.value = "aoai";
@@ -515,6 +522,105 @@ function openModalForEndpoint(endpoint) {
     endpointModal.show();
 }
 
+function makeEndpointCopyName(name) {
+    const baseName = `${String(name || 'Endpoint').trim() || 'Endpoint'} Copy`;
+    const existingNames = new Set((modelEndpoints || []).map((endpoint) => String(endpoint.name || '').trim().toLowerCase()));
+    if (!existingNames.has(baseName.toLowerCase())) {
+        return baseName;
+    }
+
+    let suffix = 2;
+    while (existingNames.has(`${baseName} ${suffix}`.toLowerCase())) {
+        suffix += 1;
+    }
+    return `${baseName} ${suffix}`;
+}
+
+function cloneEndpointForDuplicate(endpoint) {
+    const duplicate = JSON.parse(JSON.stringify(endpoint || {}));
+    duplicate.id = generateId();
+    duplicate.name = makeEndpointCopyName(endpoint?.name || 'Endpoint');
+    duplicate.enabled = false;
+    duplicate.models = Array.isArray(duplicate.models)
+        ? duplicate.models.map((model) => ({ ...model, id: generateId() }))
+        : [];
+
+    if (duplicate.auth?.type === 'api_key') {
+        duplicate.auth.api_key = '';
+        duplicate.has_api_key = false;
+    }
+
+    return duplicate;
+}
+
+function ensureEndpointDuplicateKeyModal() {
+    let modalElement = document.getElementById('endpoint-duplicate-key-confirm-modal');
+    if (!modalElement) {
+        const modalMarkup = `
+            <div class="modal fade" id="endpoint-duplicate-key-confirm-modal" tabindex="-1" aria-hidden="true">
+                <div class="modal-dialog modal-dialog-centered">
+                    <div class="modal-content">
+                        <div class="modal-header">
+                            <h5 class="modal-title">Duplicate Key-Based Endpoint</h5>
+                            <button type="button" class="btn-close" data-bs-dismiss="modal" aria-label="Close"></button>
+                        </div>
+                        <div class="modal-body">
+                            <p class="mb-2">This endpoint uses API key authentication.</p>
+                            <div class="alert alert-warning mb-0" role="alert">The duplicated endpoint will be disabled and will not include the API key. Re-enter the API key before enabling it.</div>
+                        </div>
+                        <div class="modal-footer">
+                            <button type="button" class="btn btn-secondary" data-bs-dismiss="modal">Cancel</button>
+                            <button type="button" class="btn btn-primary" id="endpoint-duplicate-key-confirm-btn">Continue</button>
+                        </div>
+                    </div>
+                </div>
+            </div>
+        `;
+        const wrapper = document.createElement('div');
+        wrapper.innerHTML = modalMarkup.trim();
+        modalElement = wrapper.firstElementChild;
+        document.body.appendChild(modalElement);
+    }
+
+    if (!endpointDuplicateKeyModal) {
+        endpointDuplicateKeyModal = bootstrap.Modal.getOrCreateInstance(modalElement);
+    }
+
+    if (!modalElement.dataset.wired) {
+        modalElement.dataset.wired = 'true';
+        modalElement.querySelector('#endpoint-duplicate-key-confirm-btn')?.addEventListener('click', () => {
+            const duplicate = pendingEndpointDuplicate;
+            pendingEndpointDuplicate = null;
+            endpointDuplicateKeyModal?.hide();
+            if (duplicate) {
+                openDuplicateEndpointModal(duplicate);
+            }
+        });
+    }
+
+    return modalElement;
+}
+
+function openDuplicateEndpointModal(duplicateEndpoint) {
+    openModalForEndpoint(duplicateEndpoint);
+    if (endpointModalEl) {
+        endpointModalEl.dataset.duplicateDisabledDefault = 'true';
+    }
+    showToast('Duplicated endpoint starts disabled. Review and save it, then enable intentionally.', 'info');
+}
+
+function duplicateEndpoint(endpoint) {
+    const duplicate = cloneEndpointForDuplicate(endpoint);
+    if (endpoint?.auth?.type === 'api_key' || endpoint?.has_api_key) {
+        pendingEndpointDuplicate = duplicate;
+        ensureEndpointDuplicateKeyModal();
+        endpointDuplicateKeyModal?.show();
+        return;
+    }
+
+    openDuplicateEndpointModal(duplicate);
+}
+
 function renderModalModels(models) {
     if (!modelsListEl) {
         return;
@@ -792,7 +898,9 @@ function saveEndpoint() {
             id: endpointId,
             name: payload.name,
             provider: payload.provider,
-            enabled: true,
+            enabled: endpointModalEl?.dataset.duplicateDisabledDefault === 'true'
+                ? false
+                : (existingEndpoint ? existingEndpoint.enabled !== false : true),
             auth: payload.auth,
             connection: payload.connection,
             management: payload.management,
@@ -873,6 +981,24 @@ function handleTableClick(event) {
         return;
     }
 
+    if (action === "govern") {
+        if (typeof window.openGovernanceDelegatedItemEditor === 'function') {
+            window.openGovernanceDelegatedItemEditor({
+                entityType: 'global_endpoint',
+                itemId: endpoint.id,
+                resourceLabel: endpoint.name || endpoint.id,
+            });
+        } else {
+            showToast('Governance editor is still loading. Try again in a moment.', 'warning');
+        }
+        return;
+    }
+
+    if (action === "duplicate") {
+        duplicateEndpoint(endpoint);
+        return;
+    }
+
     if (action === "toggle") {
         endpoint.enabled = !endpoint.enabled;
         renderEndpoints();
diff --git a/application/single_app/static/js/admin/admin_plugins.js b/application/single_app/static/js/admin/admin_plugins.js
index 97dc39ec0..c684906e4 100644
--- a/application/single_app/static/js/admin/admin_plugins.js
+++ b/application/single_app/static/js/admin/admin_plugins.js
@@ -26,6 +26,8 @@ async function loadPlugins() {
             tbodySelector: '#admin-plugins-table-body',
             onEdit: name => editPlugin(name),
             onDelete: name => deletePlugin(name),
+            onGovern: name => governPlugin(name, plugins),
+            onDuplicate: name => duplicatePlugin(name, plugins),
             ensureTable: false,
             isAdmin: true
         });
@@ -47,6 +49,61 @@ function openPluginModal(plugin = null) {
     }
 }
 
+function makePluginCopyName(name, plugins = []) {
+    const baseName = `${String(name || 'action').trim() || 'action'}_copy`;
+    const existingNames = new Set((plugins || []).map((plugin) => String(plugin.name || '').trim().toLowerCase()));
+    if (!existingNames.has(baseName.toLowerCase())) {
+        return baseName;
+    }
+
+    let suffix = 2;
+    while (existingNames.has(`${baseName}_${suffix}`.toLowerCase())) {
+        suffix += 1;
+    }
+    return `${baseName}_${suffix}`;
+}
+
+function duplicatePlugin(name, plugins = []) {
+    const plugin = (plugins || []).find(p => p.name === name);
+    if (!plugin) {
+        showToast(`Action "${name}" not found`, 'danger');
+        return;
+    }
+
+    const duplicate = JSON.parse(JSON.stringify(plugin));
+    delete duplicate.id;
+    duplicate.name = makePluginCopyName(plugin.name, plugins);
+    duplicate.display_name = `${plugin.display_name || plugin.name || 'Action'} Copy`;
+    const modal = window.pluginModalStepper?.showModal(duplicate);
+    if (window.pluginModalStepper) {
+        window.pluginModalStepper.isEditMode = false;
+        window.pluginModalStepper.originalPlugin = null;
+        const title = document.getElementById('plugin-modal-title');
+        if (title) {
+            title.textContent = 'Add Action';
+        }
+    }
+    setupSaveHandler(null, modal);
+}
+
+function governPlugin(name, plugins = []) {
+    const plugin = (plugins || []).find(p => p.name === name);
+    const pluginId = String(plugin?.id || '').trim();
+    if (!pluginId) {
+        showToast('This action does not have a stable ID for governance.', 'warning');
+        return;
+    }
+    if (typeof window.openGovernanceDelegatedItemEditor === 'function') {
+        window.openGovernanceDelegatedItemEditor({
+            entityType: 'global_action',
+            itemId: pluginId,
+            resourceLabel: plugin.display_name || plugin.name || pluginId,
+        });
+    } else {
+        showToast('Governance editor is still loading. Try again in a moment.', 'warning');
+    }
+}
+
 function setupSaveHandler(plugin, modal) {
     const saveBtn = document.getElementById('save-plugin-btn');
     if (saveBtn) {
diff --git a/application/single_app/static/js/chat/chat-documents.js b/application/single_app/static/js/chat/chat-documents.js
index 40be40e6c..40a7dec48 100644
--- a/application/single_app/static/js/chat/chat-documents.js
+++ b/application/single_app/static/js/chat/chat-documents.js
@@ -89,6 +89,9 @@ const tagsSearchController = initializeFilterableDropdownSearch({
 });
 
 const SEARCH_DOCUMENTS_MOBILE_MEDIA_QUERY = '(max-width: 991.98px)';
+const SEARCH_DROPDOWN_VIEWPORT_PADDING = 16;
+const SEARCH_FILTER_DESKTOP_MIN_WIDTH = 320;
+const SEARCH_FILTER_DESKTOP_MAX_WIDTH = 640;
 
 function isSearchDocumentsMobileDrawerViewport() {
   return typeof window !== 'undefined' && window.matchMedia(SEARCH_DOCUMENTS_MOBILE_MEDIA_QUERY).matches;
@@ -194,22 +197,35 @@ function refreshDocumentsAndTags({ source = null, showLoading = true } = {}) {
     });
 }
 
-function getSearchDocumentsDropdownConfig() {
+function getSearchDocumentsDropdownConfig({ openUpOnDesktop = false } = {}) {
   return {
     boundary: 'viewport',
     reference: 'toggle',
     autoClose: 'outside',
-    popperConfig: {
-      strategy: 'fixed',
-      modifiers: [
-        {
-          name: 'preventOverflow',
-          options: {
-            boundary: 'viewport',
-            padding: 10,
+    popperConfig(defaultConfig) {
+      const shouldOpenUp = openUpOnDesktop && !isSearchDocumentsMobileDrawerViewport();
+      const defaultModifiers = Array.isArray(defaultConfig.modifiers) ? defaultConfig.modifiers : [];
+      const modifiers = defaultModifiers.filter(modifier => !['preventOverflow', 'flip'].includes(modifier.name));
+
+      return {
+        ...defaultConfig,
+        placement: shouldOpenUp ? 'top-start' : 'bottom-start',
+        strategy: 'fixed',
+        modifiers: [
+          ...modifiers,
+          {
+            name: 'preventOverflow',
+            options: {
+              boundary: 'viewport',
+              padding: 10,
+            },
           },
-        },
-      ],
+          {
+            name: 'flip',
+            enabled: !shouldOpenUp,
+          },
+        ],
+      };
     },
   };
 }
@@ -220,15 +236,31 @@ function sizeSearchFilterDropdown(buttonEl, menuEl, itemsContainerEl) {
   }
 
   const fieldContainer = buttonEl.closest('.chat-search-panel-field');
-  const containerWidth = fieldContainer ? fieldContainer.offsetWidth : buttonEl.offsetWidth || 280;
-
-  menuEl.style.width = `${containerWidth}px`;
-  menuEl.style.maxWidth = `${containerWidth}px`;
+  const containerWidth = fieldContainer ? fieldContainer.offsetWidth : buttonEl.offsetWidth || SEARCH_FILTER_DESKTOP_MIN_WIDTH;
+  const viewportWidth = window.innerWidth || document.documentElement.clientWidth || SEARCH_FILTER_DESKTOP_MAX_WIDTH;
+  const viewportMaxWidth = Math.max(160, viewportWidth - (SEARCH_DROPDOWN_VIEWPORT_PADDING * 2));
+  const isMobileDrawer = isSearchDocumentsMobileDrawerViewport();
+  const minWidth = isMobileDrawer
+    ? Math.min(containerWidth, viewportMaxWidth)
+    : Math.min(Math.max(containerWidth, SEARCH_FILTER_DESKTOP_MIN_WIDTH), viewportMaxWidth);
+  const maxWidth = isMobileDrawer
+    ? minWidth
+    : Math.min(Math.max(containerWidth, SEARCH_FILTER_DESKTOP_MAX_WIDTH), viewportMaxWidth);
+
+  menuEl.style.width = isMobileDrawer ? `${Math.round(minWidth)}px` : 'max-content';
+  menuEl.style.minWidth = `${Math.round(minWidth)}px`;
+  menuEl.style.maxWidth = `${Math.round(maxWidth)}px`;
   menuEl.style.zIndex = '1060';
 
   const menuRect = menuEl.getBoundingClientRect();
+  const buttonRect = buttonEl.getBoundingClientRect();
   const viewportHeight = window.innerHeight;
-  const maxPossibleHeight = Math.max(180, viewportHeight - menuRect.top - 10);
+  const popperPlacement = menuEl.getAttribute('data-popper-placement') || '';
+  const opensUp = popperPlacement.startsWith('top') && !isMobileDrawer;
+  const availableHeight = opensUp
+    ? buttonRect.top - SEARCH_DROPDOWN_VIEWPORT_PADDING
+    : viewportHeight - menuRect.top - SEARCH_DROPDOWN_VIEWPORT_PADDING;
+  const maxPossibleHeight = Math.max(opensUp ? 120 : 180, availableHeight);
 
   menuEl.style.maxHeight = `${maxPossibleHeight}px`;
 
@@ -246,6 +278,7 @@ function resetSearchFilterDropdownStyles(menuEl, itemsContainerEl) {
   if (menuEl) {
     menuEl.style.maxHeight = '';
     menuEl.style.maxWidth = '';
+    menuEl.style.minWidth = '';
     menuEl.style.width = '';
     menuEl.style.zIndex = '';
   }
@@ -263,13 +296,14 @@ function initializeSearchFilterDropdown({
   itemsContainerEl,
   searchInputEl,
   searchController,
+  openUpOnDesktop = false,
   onShown,
 }) {
   if (!dropdownEl || !buttonEl || !menuEl) {
     return;
   }
 
-  new bootstrap.Dropdown(buttonEl, getSearchDocumentsDropdownConfig());
+  new bootstrap.Dropdown(buttonEl, getSearchDocumentsDropdownConfig({ openUpOnDesktop }));
 
   dropdownEl.addEventListener('show.bs.dropdown', function() {
     if (searchInputEl) {
@@ -283,6 +317,12 @@ function initializeSearchFilterDropdown({
     sizeSearchFilterDropdown(buttonEl, menuEl, itemsContainerEl);
     onShown?.();
 
+    try {
+      bootstrap.Dropdown.getInstance(buttonEl)?.update();
+    } catch (error) {
+      console.error('Error updating search filter dropdown placement:', error);
+    }
+
     if (searchInputEl) {
       setTimeout(() => searchInputEl.focus(), 50);
     }
@@ -1309,27 +1349,7 @@ function initializeDocumentDropdown() {
   filterDocumentsBySelectedTags();
   documentSearchController?.applyFilter(docSearchInput ? docSearchInput.value : '');
 
-  // Size the dropdown to fill its parent container
-  const parentContainer = docDropdownButton.closest('.flex-grow-1');
-  const maxWidth = parentContainer ? parentContainer.offsetWidth : 400;
-
-  docDropdownMenu.style.maxWidth = `${maxWidth}px`;
-  docDropdownMenu.style.width = `${maxWidth}px`;
-
-  // Ensure dropdown stays within viewport bounds
-  const menuRect = docDropdownMenu.getBoundingClientRect();
-  const viewportHeight = window.innerHeight;
-
-  if (menuRect.bottom > viewportHeight) {
-    const maxPossibleHeight = viewportHeight - menuRect.top - 10;
-    docDropdownMenu.style.maxHeight = `${maxPossibleHeight}px`;
-
-    if (docDropdownItems) {
-      const searchContainer = docDropdownMenu.querySelector('.document-search-container');
-      const searchHeight = searchContainer ? searchContainer.offsetHeight : 40;
-      docDropdownItems.style.maxHeight = `${maxPossibleHeight - searchHeight}px`;
-    }
-  }
+  sizeSearchFilterDropdown(docDropdownButton, docDropdownMenu, docDropdownItems);
 }
 /* ---------------------------------------------------------------------------
    Load Tags for Selected Scope
@@ -2014,6 +2034,7 @@ document.addEventListener('DOMContentLoaded', function() {
           itemsContainerEl: docDropdownItems,
           searchInputEl: docSearchInput,
           searchController: documentSearchController,
+          openUpOnDesktop: true,
           onShown: initializeDocumentDropdown,
         });
       }
diff --git a/application/single_app/static/js/plugin_common.js b/application/single_app/static/js/plugin_common.js
index e50278d4d..ce9c94da3 100644
--- a/application/single_app/static/js/plugin_common.js
+++ b/application/single_app/static/js/plugin_common.js
@@ -64,7 +64,7 @@ export function escapeHtml(str) {
 }
 
 // Render plugins table (parameterized for tbody selector and button handlers)
-export function renderPluginsTable({plugins, tbodySelector, onEdit, onDelete, onView, ensureTable = true, isAdmin = false}) {
+export function renderPluginsTable({plugins, tbodySelector, onEdit, onDelete, onView, onGovern, onDuplicate, ensureTable = true, isAdmin = false}) {
   // Optionally ensure the table is present before rendering
   if (ensureTable) {
     ensurePluginsTableInRoot();
@@ -97,6 +97,12 @@ export function renderPluginsTable({plugins, tbodySelector, onEdit, onDelete, on
           <button type="button" class="btn btn-sm btn-outline-secondary edit-plugin-btn" data-plugin-name="${safeName}" title="Edit action">
             <i class="bi bi-pencil"></i>
           </button>
+          ${isAdmin ? `<button type="button" class="btn btn-sm btn-outline-info govern-plugin-btn" data-plugin-name="${safeName}" title="Govern action">
+            <i class="bi bi-shield-check"></i>
+          </button>` : ''}
+          ${isAdmin ? `<button type="button" class="btn btn-sm btn-outline-secondary duplicate-plugin-btn" data-plugin-name="${safeName}" title="Duplicate action">
+            <i class="bi bi-files"></i>
+          </button>` : ''}
           <button type="button" class="btn btn-sm btn-outline-danger delete-plugin-btn" data-plugin-name="${safeName}" title="Delete action">
             <i class="bi bi-trash"></i>
           </button>`;
@@ -116,6 +122,20 @@ export function renderPluginsTable({plugins, tbodySelector, onEdit, onDelete, on
   tbody.querySelectorAll('.delete-plugin-btn').forEach(btn => {
     btn.onclick = () => onDelete(btn.getAttribute('data-plugin-name'));
   });
+  tbody.querySelectorAll('.govern-plugin-btn').forEach(btn => {
+    btn.onclick = () => {
+      if (onGovern) {
+        onGovern(btn.getAttribute('data-plugin-name'));
+      }
+    };
+  });
+  tbody.querySelectorAll('.duplicate-plugin-btn').forEach(btn => {
+    btn.onclick = () => {
+      if (onDuplicate) {
+        onDuplicate(btn.getAttribute('data-plugin-name'));
+      }
+    };
+  });
   tbody.querySelectorAll('.view-plugin-btn').forEach(btn => {
     btn.onclick = () => {
       if (onView) {
diff --git a/application/single_app/templates/_governance_info.html b/application/single_app/templates/_governance_info.html
new file mode 100644
index 000000000..e6d6da40e
--- /dev/null
+++ b/application/single_app/templates/_governance_info.html
@@ -0,0 +1,339 @@
+<!-- Governance Configuration Information Modal -->
+<div class="modal fade" id="governanceInfoModal" tabindex="-1" aria-labelledby="governanceInfoModalLabel" aria-hidden="true">
+    <div class="modal-dialog modal-xl modal-dialog-scrollable">
+        <div class="modal-content">
+            <div class="modal-header">
+                <h5 class="modal-title" id="governanceInfoModalLabel">
+                    <i class="bi bi-diagram-3 me-2"></i>
+                    Governance Configuration Guide
+                </h5>
+                <button type="button" class="btn-close" data-bs-dismiss="modal" aria-label="Close"></button>
+            </div>
+            <div class="modal-body">
+                <div class="alert alert-info" role="alert">
+                    <i class="bi bi-info-circle me-2"></i>
+                    <strong>Governance controls who can use capabilities and delegated resources.</strong>
+                    Feature policies decide whether a user can use a class of capability, while delegated item policies decide whether a user can use a specific global endpoint, global agent, or global action.
+                </div>
+                <div class="alert alert-secondary" role="alert">
+                    <strong>Governance Boundary:</strong>
+                    SimpleChat application-level features are governed by identity and app roles. Capabilities and resources configured inside SimpleChat, including agents, actions, endpoints, and delegated items added by admins or users, are governed by in-app governance rules. Use app roles for platform access boundaries, and use in-app governance for resources and capabilities created inside SimpleChat.
+                </div>
+
+                <ul class="nav nav-tabs mb-3" id="governanceInfoTabs" role="tablist">
+                    <li class="nav-item" role="presentation">
+                        <button class="nav-link active" id="governance-info-overview-tab" data-bs-toggle="tab" data-bs-target="#governance-info-overview" type="button" role="tab" aria-controls="governance-info-overview" aria-selected="true">Overview</button>
+                    </li>
+                    <li class="nav-item" role="presentation">
+                        <button class="nav-link" id="governance-info-feature-policies-tab" data-bs-toggle="tab" data-bs-target="#governance-info-feature-policies" type="button" role="tab" aria-controls="governance-info-feature-policies" aria-selected="false">Feature Policies</button>
+                    </li>
+                    <li class="nav-item" role="presentation">
+                        <button class="nav-link" id="governance-info-workspace-cohorts-tab" data-bs-toggle="tab" data-bs-target="#governance-info-workspace-cohorts" type="button" role="tab" aria-controls="governance-info-workspace-cohorts" aria-selected="false">Workspace Cohorts</button>
+                    </li>
+                    <li class="nav-item" role="presentation">
+                        <button class="nav-link" id="governance-info-delegated-items-tab" data-bs-toggle="tab" data-bs-target="#governance-info-delegated-items" type="button" role="tab" aria-controls="governance-info-delegated-items" aria-selected="false">Delegated Items</button>
+                    </li>
+                    <li class="nav-item" role="presentation">
+                        <button class="nav-link" id="governance-info-flow-tab" data-bs-toggle="tab" data-bs-target="#governance-info-flow" type="button" role="tab" aria-controls="governance-info-flow" aria-selected="false">Evaluation Flow</button>
+                    </li>
+                    <li class="nav-item" role="presentation">
+                        <button class="nav-link" id="governance-info-troubleshooting-tab" data-bs-toggle="tab" data-bs-target="#governance-info-troubleshooting" type="button" role="tab" aria-controls="governance-info-troubleshooting" aria-selected="false">Troubleshooting</button>
+                    </li>
+                </ul>
+
+                <div class="tab-content" id="governanceInfoTabContent">
+                    <div class="tab-pane fade show active" id="governance-info-overview" role="tabpanel" aria-labelledby="governance-info-overview-tab" tabindex="0">
+                        <div class="card mb-3">
+                            <div class="card-header">
+                                <h6 class="mb-0"><i class="bi bi-layers me-2"></i>Two Layers of Governance</h6>
+                            </div>
+                            <div class="card-body">
+                                <div class="row g-3">
+                                    <div class="col-lg-6">
+                                        <div class="border rounded p-3 h-100">
+                                            <h6 class="mb-2">1. Feature Policies</h6>
+                                            <p class="small mb-2">Feature policies answer: <strong>Can this user use this type of capability?</strong></p>
+                                            <ul class="small mb-0">
+                                                <li>Personal agents, actions, and endpoints</li>
+                                                <li>Group agents, actions, and endpoints</li>
+                                                <li>Global agent, action, and endpoint usage</li>
+                                            </ul>
+                                        </div>
+                                    </div>
+                                    <div class="col-lg-6">
+                                        <div class="border rounded p-3 h-100">
+                                            <h6 class="mb-2">2. Delegated Item Policies</h6>
+                                            <p class="small mb-2">Delegated item policies answer: <strong>Can this user use this exact delegated resource?</strong></p>
+                                            <ul class="small mb-0">
+                                                <li>A specific global endpoint</li>
+                                                <li>A specific global agent</li>
+                                                <li>A specific global action</li>
+                                            </ul>
+                                        </div>
+                                    </div>
+                                </div>
+                                <div class="alert alert-secondary mt-3 mb-0" role="alert">
+                                    <strong>Rule of thumb:</strong> The user must pass the feature policy first. Delegated item policies are additive whitelists inside that feature gate; they do not override feature-level governance.
+                                </div>
+                            </div>
+                        </div>
+                    </div>
+
+                    <div class="tab-pane fade" id="governance-info-feature-policies" role="tabpanel" aria-labelledby="governance-info-feature-policies-tab" tabindex="0">
+                        <div class="card mb-3">
+                            <div class="card-header">
+                                <h6 class="mb-0"><i class="bi bi-sliders2 me-2"></i>How Feature Policies Work</h6>
+                            </div>
+                            <div class="card-body">
+                                <p class="small">Feature toggles enable enforcement for a capability. The matching feature policy then decides who passes that check.</p>
+                                <div class="table-responsive">
+                                    <table class="table table-sm table-bordered align-middle">
+                                        <thead>
+                                            <tr>
+                                                <th>Setting</th>
+                                                <th>What It Governs</th>
+                                            </tr>
+                                        </thead>
+                                        <tbody>
+                                            <tr>
+                                                <td><code>Govern Personal Endpoints</code></td>
+                                                <td>Whether a user can use model endpoints configured in their personal workspace.</td>
+                                            </tr>
+                                            <tr>
+                                                <td><code>Govern Personal Agents</code></td>
+                                                <td>Whether a user can create, view, or use agents in their personal workspace.</td>
+                                            </tr>
+                                            <tr>
+                                                <td><code>Govern Personal Actions</code></td>
+                                                <td>Whether a user can create, view, or use actions in their personal workspace.</td>
+                                            </tr>
+                                            <tr>
+                                                <td><code>Govern Group Endpoints</code></td>
+                                                <td>Whether a user can use model endpoints configured in group workspaces.</td>
+                                            </tr>
+                                            <tr>
+                                                <td><code>Govern Group Agents</code></td>
+                                                <td>Whether a user can use agent capabilities in group workspaces where group agent features are enabled.</td>
+                                            </tr>
+                                            <tr>
+                                                <td><code>Govern Group Actions</code></td>
+                                                <td>Whether a user can use action capabilities in group workspaces where group action features are enabled.</td>
+                                            </tr>
+                                            <tr>
+                                                <td><code>Govern Global Endpoints</code></td>
+                                                <td>Whether a user can use global model endpoints shared by admins.</td>
+                                            </tr>
+                                            <tr>
+                                                <td><code>Govern Global Agents</code></td>
+                                                <td>Whether a user can select or use global agents shared by admins.</td>
+                                            </tr>
+                                            <tr>
+                                                <td><code>Govern Global Actions</code></td>
+                                                <td>Whether a user can use global actions shared by admins.</td>
+                                            </tr>
+                                        </tbody>
+                                    </table>
+                                </div>
+                                <div class="alert alert-warning mb-0" role="alert">
+                                    <strong>Important:</strong> If <code>Allow All</code> is off, add at least one allowed user or allowed group when you intend to restrict access. Empty explicit lists are treated permissively for backward compatibility.
+                                </div>
+                            </div>
+                        </div>
+                    </div>
+
+                    <div class="tab-pane fade" id="governance-info-workspace-cohorts" role="tabpanel" aria-labelledby="governance-info-workspace-cohorts-tab" tabindex="0">
+                        <div class="card mb-3 border-primary">
+                            <div class="card-header bg-primary text-white">
+                                <h6 class="mb-0"><i class="bi bi-people me-2"></i>Using Workspaces as Governance Cohorts</h6>
+                            </div>
+                            <div class="card-body">
+                                <div class="alert alert-primary" role="alert">
+                                    <strong>A group workspace can be used as a reusable group of users for governance.</strong>
+                                    In this context, the workspace membership is used as an access cohort, not as a content-sharing permission.
+                                </div>
+                                <p class="small">This is useful when admins want to pilot personal features with a defined set of people without managing every user ID in every governance policy.</p>
+                                <div class="row g-3">
+                                    <div class="col-lg-6">
+                                        <div class="border rounded p-3 h-100">
+                                            <h6 class="text-success">What It Does</h6>
+                                            <ul class="small mb-0">
+                                                <li>Uses group workspace membership as a reusable allow-list cohort.</li>
+                                                <li>Allows members of that workspace to pass selected feature policies.</li>
+                                                <li>Works for personal feature policies such as personal agents, personal actions, and personal endpoints.</li>
+                                            </ul>
+                                        </div>
+                                    </div>
+                                    <div class="col-lg-6">
+                                        <div class="border rounded p-3 h-100">
+                                            <h6 class="text-danger">What It Does Not Do</h6>
+                                            <ul class="small mb-0">
+                                                <li>It does not grant access to that group workspace's documents.</li>
+                                                <li>It does not grant access to group agents or group actions by itself.</li>
+                                                <li>It does not move personal agents into the group workspace.</li>
+                                            </ul>
+                                        </div>
+                                    </div>
+                                </div>
+                                <div class="card bg-body-tertiary mt-3">
+                                    <div class="card-body">
+                                        <h6 class="mb-2">Example: Personal Agents Pilot</h6>
+                                        <ol class="small mb-0">
+                                            <li>Create a group workspace named <strong>Personal Agents Pilot Users</strong>.</li>
+                                            <li>Add the users who should test personal agents.</li>
+                                            <li>Open <strong>Governance &gt; Feature Policies</strong>.</li>
+                                            <li>Edit <strong>Personal Agents</strong>, turn off <strong>Allow All</strong>, and add the <strong>Personal Agents Pilot Users</strong> workspace ID as an allowed group.</li>
+                                            <li>Members can now use personal agents in their own personal workspaces. They do not automatically receive access to group documents, group agents, or delegated global resources.</li>
+                                        </ol>
+                                    </div>
+                                </div>
+                            </div>
+                        </div>
+                    </div>
+
+                    <div class="tab-pane fade" id="governance-info-delegated-items" role="tabpanel" aria-labelledby="governance-info-delegated-items-tab" tabindex="0">
+                        <div class="card mb-3">
+                            <div class="card-header">
+                                <h6 class="mb-0"><i class="bi bi-list-check me-2"></i>Delegated Item Policies</h6>
+                            </div>
+                            <div class="card-body">
+                                <p class="small">Delegated item policies are resource-specific checks for global resources. They are evaluated after the matching feature policy passes.</p>
+                                <div class="alert alert-warning py-2 small" role="alert">
+                                    <strong>Important:</strong> Item delegation cannot grant access by itself. If a user is allowed by an item policy for Agent X but does not pass <strong>Govern Global Agents</strong>, the user is blocked from Agent X.
+                                </div>
+                                <div class="row g-3">
+                                    <div class="col-lg-4">
+                                        <div class="border rounded p-3 h-100">
+                                            <h6>Global Endpoints</h6>
+                                            <p class="small mb-0">Restrict a specific global model endpoint to selected users or groups.</p>
+                                        </div>
+                                    </div>
+                                    <div class="col-lg-4">
+                                        <div class="border rounded p-3 h-100">
+                                            <h6>Global Agents</h6>
+                                            <p class="small mb-0">Restrict a specific global agent to selected users or groups.</p>
+                                        </div>
+                                    </div>
+                                    <div class="col-lg-4">
+                                        <div class="border rounded p-3 h-100">
+                                            <h6>Global Actions</h6>
+                                            <p class="small mb-0">Restrict a specific global action to selected users or groups.</p>
+                                        </div>
+                                    </div>
+                                </div>
+                                <div class="alert alert-info mt-3 mb-0" role="alert">
+                                    <strong>Tip:</strong> Use delegated item policies when a feature is broadly available, but a particular global resource should only be available to a narrower audience.
+                                </div>
+                            </div>
+                        </div>
+                    </div>
+
+                    <div class="tab-pane fade" id="governance-info-flow" role="tabpanel" aria-labelledby="governance-info-flow-tab" tabindex="0">
+                        <div class="card mb-3">
+                            <div class="card-header">
+                                <h6 class="mb-0"><i class="bi bi-arrow-right-circle me-2"></i>Evaluation Flow</h6>
+                            </div>
+                            <div class="card-body">
+                                <ol class="small mb-3">
+                                    <li>The backend identifies the signed-in user.</li>
+                                    <li>The relevant governance setting is checked. If governance is off for that feature, access is allowed.</li>
+                                    <li>The user's governance groups are resolved from group workspace and public workspace memberships.</li>
+                                    <li>The feature policy is evaluated against <code>Allow All</code>, allowed users, and allowed groups.</li>
+                                    <li>If the request targets a delegated global endpoint, global agent, or global action, matching item policies are evaluated only after the feature policy passes.</li>
+                                    <li>If the feature policy blocks the user, item-level delegation is not considered and cannot override the denial.</li>
+                                    <li>The backend allows or denies the operation. Frontend filtering only improves the experience and is not the security boundary.</li>
+                                </ol>
+                                <div class="alert alert-secondary mb-0" role="alert">
+                                    <strong>Performance note:</strong> Governance decisions use request-level memoization, short-lived process caching, and shared cache-version invalidation when Redis is available.
+                                </div>
+                            </div>
+                        </div>
+                    </div>
+
+                    <div class="tab-pane fade" id="governance-info-troubleshooting" role="tabpanel" aria-labelledby="governance-info-troubleshooting-tab" tabindex="0">
+                        <div class="card">
+                            <div class="card-header">
+                                <h6 class="mb-0"><i class="bi bi-tools me-2"></i>Common Questions</h6>
+                            </div>
+                            <div class="card-body">
+                                <div class="accordion" id="governanceInfoTroubleshootingAccordion">
+                                    <div class="accordion-item">
+                                        <h2 class="accordion-header" id="governanceInfoTroubleOne">
+                                            <button class="accordion-button collapsed" type="button" data-bs-toggle="collapse" data-bs-target="#governanceInfoTroubleOneCollapse" aria-expanded="false" aria-controls="governanceInfoTroubleOneCollapse">
+                                                A user is in an allowed workspace cohort but still cannot use a feature
+                                            </button>
+                                        </h2>
+                                        <div id="governanceInfoTroubleOneCollapse" class="accordion-collapse collapse" aria-labelledby="governanceInfoTroubleOne" data-bs-parent="#governanceInfoTroubleshootingAccordion">
+                                            <div class="accordion-body small">
+                                                Confirm the base feature is enabled in Admin Settings, the matching governance toggle is enabled, and the feature policy includes the correct workspace ID under Allowed Groups. For delegated global resources, also confirm the item policy allows the same user or group.
+                                            </div>
+                                        </div>
+                                    </div>
+                                    <div class="accordion-item">
+                                        <h2 class="accordion-header" id="governanceInfoTroubleTwo">
+                                            <button class="accordion-button collapsed" type="button" data-bs-toggle="collapse" data-bs-target="#governanceInfoTroubleTwoCollapse" aria-expanded="false" aria-controls="governanceInfoTroubleTwoCollapse">
+                                                Adding a group workspace to Personal Agents seems unusual
+                                            </button>
+                                        </h2>
+                                        <div id="governanceInfoTroubleTwoCollapse" class="accordion-collapse collapse" aria-labelledby="governanceInfoTroubleTwo" data-bs-parent="#governanceInfoTroubleshootingAccordion">
+                                            <div class="accordion-body small">
+                                                Treat the group workspace as a named cohort. Its membership list is reused for the personal feature policy, but the personal feature remains personal. The users still create and use personal agents in their own workspace.
+                                            </div>
+                                        </div>
+                                    </div>
+                                    <div class="accordion-item">
+                                        <h2 class="accordion-header" id="governanceInfoTroubleThree">
+                                            <button class="accordion-button collapsed" type="button" data-bs-toggle="collapse" data-bs-target="#governanceInfoTroubleThreeCollapse" aria-expanded="false" aria-controls="governanceInfoTroubleThreeCollapse">
+                                                The UI hides an option but the API still matters
+                                            </button>
+                                        </h2>
+                                        <div id="governanceInfoTroubleThreeCollapse" class="accordion-collapse collapse" aria-labelledby="governanceInfoTroubleThree" data-bs-parent="#governanceInfoTroubleshootingAccordion">
+                                            <div class="accordion-body small">
+                                                The UI filters unavailable options to reduce confusion, but backend enforcement is the source of truth. API routes still check governance before allowing governed operations.
+                                            </div>
+                                        </div>
+                                    </div>
+                                    <div class="accordion-item">
+                                        <h2 class="accordion-header" id="governanceInfoTroubleFour">
+                                            <button class="accordion-button collapsed" type="button" data-bs-toggle="collapse" data-bs-target="#governanceInfoTroubleFourCollapse" aria-expanded="false" aria-controls="governanceInfoTroubleFourCollapse">
+                                                A user is allowed for a specific item but not for the feature
+                                            </button>
+                                        </h2>
+                                        <div id="governanceInfoTroubleFourCollapse" class="accordion-collapse collapse" aria-labelledby="governanceInfoTroubleFour" data-bs-parent="#governanceInfoTroubleshootingAccordion">
+                                            <div class="accordion-body small">
+                                                The user is blocked. Feature policy is evaluated first. Item-level whitelists only narrow or organize access after the user passes the feature policy, so they cannot grant access to a feature the user is not allowed to use.
+                                            </div>
+                                        </div>
+                                    </div>
+                                </div>
+                            </div>
+                        </div>
+                    </div>
+                </div>
+            </div>
+            <div class="modal-footer">
+                <button type="button" class="btn btn-secondary" data-bs-dismiss="modal">Close</button>
+            </div>
+        </div>
+    </div>
+</div>
+
+<script>
+document.addEventListener('DOMContentLoaded', function() {
+    const governanceInfoModal = document.getElementById('governanceInfoModal');
+    const overviewTab = document.getElementById('governance-info-overview-tab');
+    const overviewPane = document.getElementById('governance-info-overview');
+
+    if (!governanceInfoModal || !overviewTab || !overviewPane) {
+        return;
+    }
+
+    governanceInfoModal.addEventListener('shown.bs.modal', function() {
+        if (window.bootstrap?.Tab) {
+            bootstrap.Tab.getOrCreateInstance(overviewTab).show();
+        }
+        overviewTab.classList.add('active');
+        overviewTab.setAttribute('aria-selected', 'true');
+        overviewPane.classList.add('show', 'active');
+    });
+});
+</script>
\ No newline at end of file
diff --git a/application/single_app/templates/_sidebar_nav.html b/application/single_app/templates/_sidebar_nav.html
index ace3323b9..d00ebc1c1 100644
--- a/application/single_app/templates/_sidebar_nav.html
+++ b/application/single_app/templates/_sidebar_nav.html
@@ -521,7 +521,7 @@
           </li>
           <li class="nav-item">
             <a class="nav-link d-flex align-items-center admin-nav-tab" href="#" data-tab="governance">
-              <i class="bi bi-shield-lock me-2"></i><span class="nav-text">Governance</span>
+              <i class="bi bi-braces-asterisk me-2"></i><span class="nav-text">Governance</span>
             </a>
           </li>
           <li class="nav-item">
diff --git a/application/single_app/templates/admin_settings.html b/application/single_app/templates/admin_settings.html
index 7e88f4d2e..bdb887388 100644
--- a/application/single_app/templates/admin_settings.html
+++ b/application/single_app/templates/admin_settings.html
@@ -1065,6 +1065,8 @@ <h5 class="card-title">
                         <input class="form-check-input" type="checkbox" role="switch" id="toggle-enable-agents-agents" name="enable_semantic_kernel" {% if settings.enable_semantic_kernel %}checked{% endif %}>
                         <label class="form-check-label ms-2" for="toggle-enable-agents-agents">Enable Agents</label>
                         <i class="bi bi-info-circle ms-2" data-bs-toggle="tooltip" title="Enable the agents system powered by Semantic Kernel for AI-driven task automation and orchestration."></i>
+                        <button type="button" class="btn btn-outline-info btn-sm ms-2 governance-primary-link" data-governance-target="governance_global_agents_usage">Govern Global Agents</button>
+                        <button type="button" class="btn btn-outline-info btn-sm ms-2 governance-primary-link" data-governance-target="governance_global_actions_usage">Govern Global Actions</button>
                     </div>
                     <div id="per-user-sk-restart-msg" class="text-muted small mb-2" style="display:none;">Requires a restart to take effect.</div>
                 </div>
@@ -1087,21 +1089,25 @@ <h6 class="mb-2">Workspace Feature Toggles</h6>
                                     <input class="form-check-input" type="checkbox" role="switch" id="toggle-allow-user-agents" name="allow_user_agents" {% if settings.allow_user_agents %}checked{% endif %}>
                                     <label class="form-check-label ms-2" for="toggle-allow-user-agents">Allow User Agents</label>
                                     <i class="bi bi-info-circle ms-2" data-bs-toggle="tooltip" title="Allow users to create and manage their own workspace-level agents for personal use and customization."></i>
+                                    <button type="button" class="btn btn-outline-info btn-sm ms-2 governance-primary-link" data-governance-target="governance_user_agents">Govern</button>
                                 </div>
                                 <div class="form-check form-switch mb-2">
                                     <input class="form-check-input" type="checkbox" role="switch" id="toggle-allow-group-agents" name="allow_group_agents" {% if settings.allow_group_agents %}checked{% endif %}>
                                     <label class="form-check-label ms-2" for="toggle-allow-group-agents">Allow Group Agents</label>
                                     <i class="bi bi-info-circle ms-2" data-bs-toggle="tooltip" title="Allow users to create and manage group-level agents that can be shared within workgroups and teams."></i>
+                                    <button type="button" class="btn btn-outline-info btn-sm ms-2 governance-primary-link" data-governance-target="governance_group_agents">Govern</button>
                                 </div>
                                 <div class="form-check form-switch mb-2">
                                     <input class="form-check-input" type="checkbox" role="switch" id="toggle-allow-user-custom-endpoints" name="allow_user_custom_endpoints" {% if settings.allow_user_custom_endpoints %}checked{% endif %}>
                                     <label class="form-check-label ms-2" for="toggle-allow-user-custom-endpoints">Allow User Custom Endpoints</label>
                                     <i class="bi bi-info-circle ms-2" data-bs-toggle="tooltip" title="Allow users to configure custom endpoints for their personal workspace agents and model endpoints."></i>
+                                    <button type="button" class="btn btn-outline-info btn-sm ms-2 governance-primary-link" data-governance-target="governance_user_endpoints">Govern</button>
                                 </div>
                                 <div class="form-check form-switch mb-2">
                                     <input class="form-check-input" type="checkbox" role="switch" id="toggle-allow-group-custom-endpoints" name="allow_group_custom_endpoints" {% if settings.allow_group_custom_endpoints %}checked{% endif %}>
                                     <label class="form-check-label ms-2" for="toggle-allow-group-custom-endpoints">Allow Group Custom Endpoints</label>
                                     <i class="bi bi-info-circle ms-2" data-bs-toggle="tooltip" title="Allow users to configure custom endpoints for group workspace agents and model endpoints."></i>
+                                    <button type="button" class="btn btn-outline-info btn-sm ms-2 governance-primary-link" data-governance-target="governance_group_endpoints">Govern</button>
                                 </div>
                                 <div class="form-check form-switch mb-2">
                                     <input class="form-check-input" type="checkbox" role="switch" id="toggle-merge-global-sk" name="merge_global_semantic_kernel_with_workspace" {% if settings.merge_global_semantic_kernel_with_workspace %}checked{% endif %}>
@@ -1207,7 +1213,7 @@ <h5 class="mb-1">
                 <!-- Actions Configuration Section -->
                 <div class="card p-3 mb-4" id="actions-configuration">
                     <h5 class="card-title">
-                        <i class="bi bi-plugin me-2"></i>Actions Configuration
+                        <i class="bi bi-plugin me-2"></i>Global Actions Configuration
                     </h5>
                     <p class="text-muted small">
                         Configure custom actions and tools to extend functionality with integrations and specialized capabilities.
@@ -1229,13 +1235,15 @@ <h6>Global Actions</h6>
                                     <h6 class="mb-2">Workspace Action Feature Toggles</h6>
                                     <div class="form-check form-switch mb-2">
                                         <input class="form-check-input" type="checkbox" role="switch" id="toggle-allow-user-plugins" name="allow_user_plugins" {% if settings.allow_user_plugins %}checked{% endif %}>
-                                        <label class="form-check-label ms-2" for="toggle-allow-user-plugins">Allow User Actions</label>
+                                        <label class="form-check-label ms-2" for="toggle-allow-user-plugins">Allow Personal Actions</label>
                                         <i class="bi bi-info-circle ms-2" data-bs-toggle="tooltip" title="Allow users to create and manage their own workspace-level actions/plugins for personal use."></i>
+                                        <button type="button" class="btn btn-outline-info btn-sm ms-2 governance-primary-link" data-governance-target="governance_user_actions">Govern</button>
                                     </div>
                                     <div class="form-check form-switch mb-2">
                                         <input class="form-check-input" type="checkbox" role="switch" id="toggle-allow-group-plugins" name="allow_group_plugins" {% if settings.allow_group_plugins %}checked{% endif %}>
                                         <label class="form-check-label ms-2" for="toggle-allow-group-plugins">Allow Group Actions</label>
                                         <i class="bi bi-info-circle ms-2" data-bs-toggle="tooltip" title="Allow users to create and manage group-level actions/plugins that can be shared within workgroups."></i>
+                                        <button type="button" class="btn btn-outline-info btn-sm ms-2 governance-primary-link" data-governance-target="governance_group_actions">Govern</button>
                                     </div>
                                 </div>
                             {% endif %}
@@ -1304,30 +1312,35 @@ <h6 class="mb-2">Core Action Toggles</h6>
 
             <!-- Governance Tab Content -->
             <div class="tab-pane fade" id="governance" role="tabpanel" aria-labelledby="governance-tab">
-                <p class="text-muted">
-                    Configure governance enforcement for endpoint, agent, and action creation or usage. Governance is disabled by default and only enforced when toggled on.
-                </p>
+                <div class="d-flex flex-column flex-lg-row justify-content-between align-items-lg-start gap-2 mb-3">
+                    <p class="text-muted mb-0">
+                        Configure governance enforcement for endpoint, agent, and action creation or usage. Governance is disabled by default and only enforced when toggled on.
+                    </p>
+                    <button type="button" class="btn btn-outline-info btn-sm flex-shrink-0" id="governance-info-guide-btn" data-bs-toggle="modal" data-bs-target="#governanceInfoModal">
+                        <i class="bi bi-info-circle me-1"></i>Configuration Guide
+                    </button>
+                </div>
 
                 <div class="card p-3 mb-3" id="governance-feature-toggles-section">
                     <h5>
-                        <i class="bi bi-shield-lock me-2"></i>Governance Feature Toggles
+                        <i class="bi bi-braces-asterisk me-2"></i>Governance Feature Toggles
                     </h5>
                     <p class="text-muted">Turn on governance checks for each feature area. Save with the main Settings button to persist these toggles.</p>
 
                     <div class="row">
                         <div class="col-md-4">
-                            <div class="fw-semibold mb-2">User Scope</div>
+                            <div class="fw-semibold mb-2">Personal Scope</div>
                             <div class="form-check form-switch mb-2">
                                 <input class="form-check-input" type="checkbox" role="switch" id="governance_user_endpoints" name="governance_user_endpoints" {% if settings.governance_user_endpoints %}checked{% endif %}>
-                                <label class="form-check-label ms-2" for="governance_user_endpoints">Govern User Endpoints</label>
+                                <label class="form-check-label ms-2" for="governance_user_endpoints">Govern Personal Endpoints</label>
                             </div>
                             <div class="form-check form-switch mb-2">
                                 <input class="form-check-input" type="checkbox" role="switch" id="governance_user_agents" name="governance_user_agents" {% if settings.governance_user_agents %}checked{% endif %}>
-                                <label class="form-check-label ms-2" for="governance_user_agents">Govern User Agents</label>
+                                <label class="form-check-label ms-2" for="governance_user_agents">Govern Personal Agents</label>
                             </div>
                             <div class="form-check form-switch mb-2">
                                 <input class="form-check-input" type="checkbox" role="switch" id="governance_user_actions" name="governance_user_actions" {% if settings.governance_user_actions %}checked{% endif %}>
-                                <label class="form-check-label ms-2" for="governance_user_actions">Govern User Actions</label>
+                                <label class="form-check-label ms-2" for="governance_user_actions">Govern Personal Actions</label>
                             </div>
                         </div>
                         <div class="col-md-4">
@@ -1348,8 +1361,9 @@ <h5>
                         <div class="col-md-4">
                             <div class="fw-semibold mb-2">Global Scope</div>
                             <div class="form-check form-switch mb-2">
-                                <input class="form-check-input" type="checkbox" role="switch" id="governance_global_endpoints" name="governance_global_endpoints" {% if settings.governance_global_endpoints %}checked{% endif %}>
+                                <input class="form-check-input" type="checkbox" role="switch" id="governance_global_endpoints" name="governance_global_endpoints" checked disabled data-governance-locked="true">
                                 <label class="form-check-label ms-2" for="governance_global_endpoints">Govern Global Endpoints</label>
+                                <span class="badge bg-info text-dark ms-2">Always On</span>
                             </div>
                             <div class="form-check form-switch mb-2">
                                 <input class="form-check-input" type="checkbox" role="switch" id="governance_global_agents_usage" name="governance_global_agents_usage" {% if settings.governance_global_agents_usage %}checked{% endif %}>
@@ -1388,82 +1402,67 @@ <h5 class="mb-0"><i class="bi bi-sliders2 me-2"></i>Feature Policies</h5>
                     <div class="d-flex justify-content-between align-items-center mb-2">
                         <h5 class="mb-0"><i class="bi bi-list-check me-2"></i>Delegated Item Policies</h5>
                         <div class="d-flex gap-2">
-                            <button type="button" class="btn btn-outline-primary btn-sm" id="governance-review-item-policies-btn">Review Configured List</button>
+                            <button type="button" class="btn btn-primary btn-sm" id="governance-new-item-policy-btn">New Policy</button>
                             <button type="button" class="btn btn-outline-secondary btn-sm" id="governance-refresh-item-policies-btn">Refresh</button>
                         </div>
                     </div>
-                    <p class="text-muted">Manage per-item governance for global endpoints, agents, and actions that admins delegate to specific users or groups.</p>
+                    <p class="text-muted mb-1">Manage per-item governance for global endpoints, agents, and actions that admins delegate to specific users or groups.</p>
+                    <div class="alert alert-info py-2 small" role="alert">
+                        Delegated item policies are OR combined whitelists. A user can access a delegated item when they are allowed by any policy for that item.
+                    </div>
 
-                    <div id="governance-item-policy-form" class="border rounded p-3 bg-body-tertiary mb-3">
-                        <div class="row g-3 align-items-start">
-                            <div class="col-lg-3 col-md-4">
-                                <label class="form-label" for="governance-item-entity-type">Entity Type</label>
-                                <select class="form-select" id="governance-item-entity-type">
-                                    <option value="global_agent" selected>Global Agent</option>
-                                    <option value="global_action">Global Action</option>
-                                    <option value="endpoint">Endpoint</option>
-                                </select>
-                            </div>
-                            <div class="col-lg-5 col-md-8">
-                                <label class="form-label" for="governance-item-id">Delegated Item</label>
-                                <div class="input-group">
-                                    <select class="form-select" id="governance-item-id">
-                                        <option value="">Loading items...</option>
-                                    </select>
-                                    <button type="button" class="btn btn-outline-secondary" id="governance-item-id-refresh-btn" title="Refresh lookup" aria-label="Refresh delegated item lookup">
-                                        <i class="bi bi-arrow-clockwise"></i>
-                                    </button>
-                                </div>
-                                <div class="form-text" id="governance-item-id-status">Choose an entity type to load available delegated items.</div>
-                            </div>
-                            <div class="col-lg-2 col-md-4">
-                                <label class="form-label" for="governance-item-allow-all">Access</label>
-                                <div class="border rounded px-3 py-2 bg-body h-100 d-flex align-items-center">
-                                    <div class="form-check form-switch mb-0">
-                                        <input class="form-check-input" type="checkbox" role="switch" id="governance-item-allow-all" checked>
-                                        <label class="form-check-label ms-2" for="governance-item-allow-all">Allow All</label>
-                                    </div>
-                                </div>
-                            </div>
-                            <div class="col-lg-2 col-md-4 d-grid">
-                                <label class="form-label invisible" aria-hidden="true">Save</label>
-                                <button type="button" class="btn btn-primary" id="governance-save-item-policy-btn">Save Item Policy</button>
-                            </div>
+                    <div class="row g-2 align-items-end mb-3" id="governance-item-policy-card-controls">
+                        <div class="col-lg-5 col-md-6">
+                            <label class="form-label" for="governance-item-review-search">Search</label>
+                            <input type="search" class="form-control" id="governance-item-review-search" placeholder="Search users, groups, endpoint IDs, or item IDs">
                         </div>
-
-                        <div class="row g-3 mt-2 pt-3 border-top d-none" id="governance-item-allowed-principals-controls">
-                            <div class="col-lg-9">
-                                <label class="form-label" for="governance-item-allowlist-summary">Allowed Principals</label>
-                                <input type="text" class="form-control" id="governance-item-allowlist-summary" placeholder="No explicit users or groups configured" readonly>
-                            </div>
-                            <div class="col-lg-3 d-grid align-items-end">
-                                <button type="button" class="btn btn-outline-primary" id="governance-edit-item-allowlist-btn">Edit List</button>
-                            </div>
+                        <div class="col-lg-3 col-md-6">
+                            <label class="form-label" for="governance-item-review-entity-type">Entity Type</label>
+                            <select class="form-select" id="governance-item-review-entity-type">
+                                <option value="">All</option>
+                                <option value="global_endpoint">Global Endpoint</option>
+                                <option value="global_agent">Global Agent</option>
+                                <option value="global_action">Global Action</option>
+                            </select>
                         </div>
-
-                        <div class="d-none" aria-hidden="true">
-                            <input type="text" class="form-control" id="governance-item-users" placeholder="user-id-1,user-id-2">
-                            <input type="text" class="form-control" id="governance-item-groups" placeholder="group-id-1,group-id-2">
+                        <div class="col-lg-2 col-md-4">
+                            <label class="form-label" for="governance-item-review-page-size">Page Size</label>
+                            <select class="form-select" id="governance-item-review-page-size">
+                                <option value="10">10</option>
+                                <option value="25" selected>25</option>
+                                <option value="50">50</option>
+                            </select>
+                        </div>
+                        <div class="col-lg-2 col-md-8 d-flex gap-2">
+                            <button type="button" class="btn btn-primary flex-fill" id="governance-item-review-search-btn">Search</button>
+                            <button type="button" class="btn btn-outline-secondary flex-fill" id="governance-item-review-reset-btn">Reset</button>
                         </div>
                     </div>
 
-                    
-
-                    <div class="table-responsive d-none">
-                        <table class="table table-sm table-striped" id="governance-item-policies-table">
+                    <div class="table-responsive">
+                        <table class="table table-sm table-striped align-middle" id="governance-item-policies-table">
                             <thead>
                                 <tr>
+                                    <th>Policy</th>
                                     <th>Entity Type</th>
-                                    <th>Item ID</th>
+                                    <th>Item</th>
                                     <th>Allow All</th>
                                     <th>Allowed Users</th>
                                     <th>Allowed Groups</th>
                                     <th>Actions</th>
                                 </tr>
                             </thead>
-                            <tbody id="governance-item-policies-body"></tbody>
+                            <tbody id="governance-item-policies-review-body"></tbody>
                         </table>
                     </div>
+
+                    <div class="d-flex align-items-center justify-content-between gap-2 mt-3">
+                        <div class="text-muted small" id="governance-item-review-summary"></div>
+                        <div class="btn-group" role="group" aria-label="Delegated item policy pagination">
+                            <button type="button" class="btn btn-outline-secondary btn-sm" id="governance-item-review-prev-btn">Previous</button>
+                            <button type="button" class="btn btn-outline-secondary btn-sm" id="governance-item-review-next-btn">Next</button>
+                        </div>
+                    </div>
                 </div>
 
                 <div id="governance-status" class="alert d-none" role="alert"></div>
@@ -3365,7 +3364,7 @@ <h6 class="mb-1"><i class="bi bi-info-circle me-2"></i>Agent Default Model Revie
 
                     <div id="model-endpoints-wrapper" class="{% if not settings.enable_multi_model_endpoints %}d-none{% endif %}">
                         <div class="d-flex justify-content-between align-items-center mb-2">
-                            <h6 class="mb-0">Configured Endpoints</h6>
+                            <h6 class="mb-0">Global Endpoints</h6>
                             <button type="button" class="btn btn-sm btn-outline-primary" id="add-model-endpoint-btn">
                                 <i class="bi bi-plus-circle me-1"></i>Add Endpoint
                             </button>
@@ -6272,6 +6271,9 @@ <h5 class="mb-1">
         <!-- Control Center Roles Info Modal -->
         {% include '_control_center_roles_info.html' %}
 
+        <!-- Governance Info Modal -->
+        {% include '_governance_info.html' %}
+
         <!-- Swagger Info Modal -->
         <div class="modal fade" id="swaggerInfoModal" tabindex="-1" aria-labelledby="swaggerInfoModalLabel" aria-hidden="true">
             <div class="modal-dialog modal-lg">
diff --git a/application/single_app/templates/chats.html b/application/single_app/templates/chats.html
index dfcb11385..a1b11e8b6 100644
--- a/application/single_app/templates/chats.html
+++ b/application/single_app/templates/chats.html
@@ -563,7 +563,7 @@ <h5 class="offcanvas-title" id="searchDocumentsDrawerLabel">Grounded Search</h5>
                                         aria-expanded="false">
                                     <span class="selected-scope-text text-truncate">All</span>
                                 </button>
-                                <div class="dropdown-menu p-2" id="scope-dropdown-menu" style="width: 280px; max-height: 400px; overflow-y: auto;">
+                                <div class="dropdown-menu p-2 chat-search-filter-menu" id="scope-dropdown-menu">
                                     <div class="chat-dropdown-search mb-2">
                                         <input type="text"
                                                class="form-control form-control-sm"
@@ -594,7 +594,7 @@ <h5 class="offcanvas-title" id="searchDocumentsDrawerLabel">Grounded Search</h5>
                                         <span class="selected-tags-text text-truncate">Loading tags...</span>
                                     </span>
                                 </button>
-                                <div class="dropdown-menu p-2" id="tags-dropdown-menu" style="width: 250px; max-height: 300px; overflow-y: auto;">
+                                <div class="dropdown-menu p-2 chat-search-filter-menu" id="tags-dropdown-menu">
                                     <div class="chat-dropdown-search mb-2">
                                         <input type="text"
                                                class="form-control form-control-sm"
@@ -621,7 +621,7 @@ <h5 class="offcanvas-title" id="searchDocumentsDrawerLabel">Grounded Search</h5>
                                         aria-expanded="false">
                                     <span class="selected-document-text">All Documents</span>
                                 </button>
-                                <div class="dropdown-menu p-2" id="document-dropdown-menu" style="width: 100%;">
+                                <div class="dropdown-menu p-2 chat-search-filter-menu" id="document-dropdown-menu">
                                     <div class="document-search-container mb-2">
                                         <input type="text" class="form-control form-control-sm" placeholder="Search documents..." id="document-search-input">
                                     </div>
diff --git a/docs/explanation/features/v0.242.001/GOVERNANCE.md b/docs/explanation/features/v0.242.001/GOVERNANCE.md
index 3098cab54..a9db06325 100644
--- a/docs/explanation/features/v0.242.001/GOVERNANCE.md
+++ b/docs/explanation/features/v0.242.001/GOVERNANCE.md
@@ -1,11 +1,13 @@
 # Governance
 
-Implemented/Updated in version: **0.242.011**
+Implemented/Updated in version: **0.242.022**
 
 ## Overview
 
 Governance provides administrative controls for limiting access to user, group, and global resources across endpoints, agents, and actions. It combines coarse feature-level controls with optional delegated item-level controls so administrators can decide whether a capability is open to all users or restricted to explicit users and groups.
 
+SimpleChat application-level features are governed by identity and app roles. Capabilities and resources configured inside SimpleChat, including agents, actions, endpoints, and delegated items added by admins or users, are governed by in-app governance rules. Use app roles for platform access boundaries, and use in-app governance for resources and capabilities created inside SimpleChat.
+
 The current implementation keeps backend enforcement as the source of truth. Frontend governance UI and Jinja rendering gates improve user experience by hiding disabled workspace modules before their JavaScript loads, but they are not treated as the authorization boundary.
 
 ## Purpose
@@ -14,7 +16,7 @@ Governance is intended to:
 
 - Restrict access to user endpoints, group endpoints, global endpoints, user agents, group agents, global agent usage, user actions, group actions, and global action usage.
 - Support allow lists containing explicit user IDs and group IDs.
-- Support delegated item policies for specific endpoints, global agents, and global actions.
+- Support one or more delegated item whitelist policies for specific endpoints, global agents, and global actions.
 - Provide admin tooling that scales to large allow lists.
 - Minimize repeated governance reads on hot API paths through request-level memoization and short-lived process caching.
 
@@ -60,7 +62,11 @@ Item policies add a second layer of control for specific delegated resources. Su
 - `global_agent`
 - `global_action`
 
-Item policies use the same `allow_all`, `allowed_users`, and `allowed_groups` structure as feature policies. During enforcement, the user must pass the feature policy first and then the item policy when one is provided.
+Item policies use the same `allow_all`, `allowed_users`, and `allowed_groups` structure as feature policies, and also include a `policy_id`, `policy_name`, and optional `resource_label`. During enforcement, the user must pass the feature policy first and then at least one item policy when policies exist for the selected resource.
+
+Multiple delegated item policies for the same resource are OR combined whitelists. A user is allowed when they are a member of any matching delegated item whitelist for that resource.
+
+Delegated item policies do not override feature-level governance. A user must pass the matching feature policy first. For example, if a user is allowed by an item policy for a specific global agent but does not pass the Global Agent Usage feature policy, the user remains blocked from that global agent.
 
 ## Admin API Endpoints
 
@@ -71,6 +77,7 @@ Governance administration is exposed through these backend routes:
 - `GET /api/admin/governance/item-policies`
 - `GET /api/admin/governance/item-policies/review`
 - `PUT /api/admin/governance/item-policies/<entity_type>/<item_id>`
+- `DELETE /api/admin/governance/item-policies/<entity_type>/<item_id>/<policy_id>`
 
 All governance admin routes are protected with Swagger security, login enforcement, and admin authorization.
 
@@ -85,9 +92,10 @@ The flow is:
 3. Read settings and exit early if the relevant governance setting is disabled.
 4. Resolve the user's governance group IDs from group workspaces and public workspaces.
 5. Read and evaluate the feature policy.
-6. If an item entity type and item ID are provided, read and evaluate the item policy.
-7. Cache successful decisions for the remainder of the request.
-8. Raise `PermissionError` if the feature or item policy blocks access.
+6. If an item entity type and item ID are provided, read all matching item policies and allow access if any item policy passes.
+7. If the feature policy fails, skip item policy evaluation and deny access. Item-level whitelists are additive only after the feature policy passes.
+8. Cache successful decisions for the remainder of the request.
+9. Raise `PermissionError` if the feature or item policy blocks access.
 
 The policy pass rules are:
 
@@ -119,7 +127,7 @@ A process-level cache stores feature policies, item policies, and user governanc
 Process cache keys include the data type and normalized identifiers, for example:
 
 - `("feature_policy", feature_key)`
-- `("item_policy", entity_type, item_id)`
+- `("item_policies", entity_type, item_id)`
 - `("user_governance_group_ids", user_id)`
 
 The cache is guarded by an `RLock`. Each entry is stamped with the current shared governance cache version before it is stored. On read, entries are trusted only when their stamped version matches the current shared governance version and the entry has not expired.
@@ -133,10 +141,11 @@ The governance cache version is exposed through `app_settings_cache.py`:
 
 The backing store is selected automatically by the existing app cache configuration:
 
-- Redis disabled or unavailable: version is stored in local process memory.
 - Redis enabled and app cache configured successfully: version is stored in Redis under `GOVERNANCE_CACHE_VERSION` and bumped with Redis `INCR`.
+- Redis disabled: version is stored in a Cosmos-backed document in the governance policies container when Cosmos is available.
+- Redis and Cosmos versioning unavailable: version falls back to local process memory.
 
-This keeps the governance process cache fast while allowing Redis-enabled deployments to invalidate stale process-cache entries across App Service instances and workers.
+The Cosmos version document ID is `governance_cache_version`, and each worker checks it with a local `15` second version-read TTL. This keeps the governance process cache fast while allowing both Redis-enabled and non-Redis deployments to invalidate stale process-cache entries across App Service workers.
 
 ### Invalidation
 
@@ -146,7 +155,7 @@ This keeps the governance process cache fast while allowing Redis-enabled deploy
 - an item policy is upserted
 - default feature policies are bootstrapped
 
-When Redis is enabled, other processes observe the bumped shared version before trusting their local process-cache entries. Stale entries are dropped lazily on their next read. When Redis is disabled or unavailable, the version is process-local and other processes converge when their short TTL expires.
+When Redis is enabled, other processes observe the bumped Redis version before trusting their local process-cache entries. When Redis is disabled, other workers observe the bumped Cosmos version document after their local version-read TTL expires. Stale entries are dropped lazily on their next read. If both Redis and the Cosmos version read/write fail, the code falls back to process-local versioning and workers converge when their short data-cache TTL expires.
 
 ## Admin UI
 
@@ -156,15 +165,37 @@ Major UI areas include:
 
 - Governance feature toggles grouped by User, Group, and Global scope.
 - Feature policy table for all configured governance feature keys.
-- Delegated item policy form for endpoints, global agents, and global actions.
-- Delegated item review modal with search, entity-type filtering, paging, and page size selection.
+- Delegated item policy card with on-page search, entity-type filtering, paging, and page size selection.
+- Dedicated delegated item edit modal for endpoints, global agents, and global actions.
 - Allow-list editor modal for managing users and groups.
+- Governance Configuration Guide modal explaining feature policies, workspace cohorts, delegated item policies, and evaluation flow.
+- Govern buttons on configured global endpoints, global agents, and global actions that open a prefilled delegated item policy editor.
+- Duplicate buttons for configured endpoints, agents, and actions. Endpoint duplicates start disabled, and key-based endpoint duplicates require the key to be re-entered.
 - Bootstrap toast notifications for governance status messages.
 
 Governance feature toggles also control the visible Feature Policies table. When a governance feature toggle is disabled, its matching policy row is hidden. Re-enabling the toggle immediately shows that policy row again.
 
+## Governance Configuration Guide
+
+The Governance tab includes a Configuration Guide modal. It follows the same explanatory modal pattern used by other Admin Settings areas and gives admins a compact reference for how governance works.
+
+The guide covers:
+
+- the difference between feature policies and delegated item policies;
+- how feature toggles relate to all personal, group, and global feature policy rows;
+- how group workspace membership can be reused as a governance cohort;
+- how delegated item policies narrow access to specific global resources;
+- backend evaluation order and caching behavior;
+- troubleshooting guidance for common access surprises.
+
+The most important concept is workspace cohorts. A group workspace can be used as a reusable group of users in an allow list. For example, admins can create a group workspace named **Personal Agents Pilot Users**, add pilot users to that workspace, then add that workspace ID to the **Personal Agents** feature policy's Allowed Groups list. Members can then use personal agents in their own personal workspaces.
+
+Using a group workspace as a governance cohort does **not** grant access to that workspace's documents, does **not** grant access to group agents or group actions, and does **not** move personal agents into the group workspace. It only reuses membership as an access cohort for the selected governance policy.
+
 ## Delegated Item Lookup
 
+The item policy editor is a dedicated Bootstrap modal opened from the Delegated Item Policies card. The card itself lists configured policies and supports search, entity-type filtering, paging, and page size selection so admins can manage large policy sets without opening a review modal.
+
 The item policy editor uses dropdown lookup data instead of requiring admins to type IDs manually.
 
 Lookup behavior:
@@ -173,15 +204,18 @@ Lookup behavior:
 - Global agents are loaded from `/api/admin/agents`.
 - Global actions are loaded from `/api/admin/plugins`.
 - The refresh button reloads lookup values for the selected entity type.
+- The delegated item filter narrows large lookup lists by item name, ID, or subtitle before selection.
 - Empty or failed lookups show status text near the delegated item selector.
 
-Delegated item policies are saved through a dedicated JavaScript handler instead of a nested HTML form, so saving a delegated item rule updates the governance item policy API rather than submitting the full Admin Settings form.
+Delegated item policies are saved through a dedicated JavaScript handler in the edit modal instead of a nested HTML form, so saving a delegated item rule updates the governance item policy API rather than submitting the full Admin Settings form.
+
+Existing delegated item policies can be edited from the on-page configured policy list. The row action opens the dedicated edit modal with the selected policy loaded, including entity type, item ID, allow-all state, and explicit users/groups.
 
-Existing delegated item policies can be edited from the configured-list review modal. The modal row action loads the selected policy back into the delegated item editor, including entity type, item ID, allow-all state, and explicit users/groups, then automatically opens the allow-list editor modal.
+When Allow All is disabled for a delegated item policy, the edit modal shows a direct principal editor. This editor supports user lookup, group lookup, CSV import, independent selected-user and selected-group search, paging, page size options, hydrated display labels, truncated IDs, and copy buttons. This keeps item policy editing usable when a delegated item contains hundreds or thousands of allowed principals.
 
-Existing delegated item policies can also be deleted from the review modal. Deletion uses a Bootstrap confirmation modal, calls the delegated item policy DELETE API, clears matching editor state, refreshes the configured policy list, and writes governance audit activity.
+Existing delegated item policies can also be deleted from the configured policy list. Deletion uses a Bootstrap confirmation modal, calls the delegated item policy DELETE API, clears matching editor state, refreshes the configured policy list, and writes governance audit activity.
 
-The configured-list review modal shows hydrated user and group labels above the raw IDs. User entries show the best available display name and UPN/email, while group entries show group names. Raw IDs remain visible below the labels for traceability.
+The configured policy list shows hydrated user and group labels above the raw IDs. User entries show the best available display name and UPN/email, while group entries show group names. Raw IDs remain visible below the labels for traceability.
 
 ## Workspace Jinja Gating
 
@@ -257,6 +291,7 @@ User hydration:
 
 - First tries `/api/userSearch` with the selected user ID.
 - Falls back to `/api/user/info/<user_id>`.
+- The user info endpoint first checks local user settings, then falls back to Microsoft Graph `/users/<user_id>` so selected users can display name and UPN/email even when an admin has not manually searched for that user during the current browser session.
 - Stores display name and UPN/email in the selected-list display cache.
 
 Group hydration:
diff --git a/docs/explanation/features/v0.242.020/APP_SETTINGS_CACHE_VERSIONING.md b/docs/explanation/features/v0.242.020/APP_SETTINGS_CACHE_VERSIONING.md
new file mode 100644
index 000000000..55c038a88
--- /dev/null
+++ b/docs/explanation/features/v0.242.020/APP_SETTINGS_CACHE_VERSIONING.md
@@ -0,0 +1,79 @@
+# App Settings Cache Versioning
+
+Implemented in version: **0.242.020**
+
+## Overview
+
+App settings cache versioning improves consistency across multiple workers while keeping settings reads fast. It preserves the existing Redis-backed shared cache for Redis deployments and adds a Cosmos-backed shared version document for non-Redis deployments.
+
+## Purpose
+
+The app reads settings frequently across routes, background work, model calls, governance checks, and UI rendering. Without Redis, each Python worker has its own in-memory settings cache. A settings update in one worker does not automatically update another worker's process memory.
+
+The versioning layer bounds that stale window without forcing every request to read the full settings document from Cosmos DB.
+
+## Cache Layers
+
+### Redis Enabled
+
+When Redis cache is enabled:
+
+- app settings are still written to Redis under `APP_SETTINGS_CACHE`;
+- a Redis version key, `APP_SETTINGS_CACHE_VERSION`, tracks settings updates;
+- each worker keeps a local in-process copy of settings;
+- each worker rechecks the shared Redis version after the local version-read TTL expires;
+- when the version changes, the worker refreshes its local settings cache from Redis.
+
+### Redis Disabled
+
+When Redis cache is disabled:
+
+- app settings are cached in each worker process;
+- the shared version document is stored in the existing `cosmos_settings_container`;
+- the version document ID is `app_settings_cache_version`;
+- each worker checks the shared Cosmos version at most once per `15` seconds;
+- when the version changes, the worker reloads the app settings document from Cosmos.
+
+The version document shape is:
+
+```json
+{
+    "id": "app_settings_cache_version",
+    "type": "cache_version",
+    "version": 42,
+    "updated_at": "2026-06-04T00:00:00.000000"
+}
+```
+
+## Write Flow
+
+When app settings are persisted:
+
+1. The `app_settings` document is upserted to Cosmos DB.
+2. The shared app settings cache version is bumped.
+3. The current worker updates its local cache immediately.
+4. Other workers observe the version change after their local version-read TTL expires.
+
+## Staleness Window
+
+The shared version read TTL is `15` seconds. In non-Redis deployments, workers can serve stale settings for up to roughly that window after another worker saves settings. This is intentional to avoid a Cosmos read on every settings lookup while still preventing indefinite worker-local staleness.
+
+## Governance Separation
+
+Governance policy cache versioning uses a separate version document in the governance policies container. App settings changes do not invalidate governance policy caches, and governance policy changes do not force workers to reload the full app settings document.
+
+## Primary Files
+
+- `application/single_app/app_settings_cache.py`
+- `application/single_app/functions_settings.py`
+- `functional_tests/test_app_settings_cache_versioning.py`
+
+## Validation
+
+Validation includes marker coverage for:
+
+- Redis app settings version keys;
+- Cosmos app settings version document IDs;
+- `15` second shared-version read TTL;
+- settings write paths that bump the shared version;
+- governance cache version fallback separation.
diff --git a/docs/explanation/fixes/CHAT_DROPDOWN_RESPONSIVE_WIDTH_FIX.md b/docs/explanation/fixes/CHAT_DROPDOWN_RESPONSIVE_WIDTH_FIX.md
new file mode 100644
index 000000000..b6844952d
--- /dev/null
+++ b/docs/explanation/fixes/CHAT_DROPDOWN_RESPONSIVE_WIDTH_FIX.md
@@ -0,0 +1,50 @@
+# Chat Dropdown Responsive Width Fix
+
+Fixed in version: **0.242.017**
+
+## Issue Description
+
+The chat pane workspace scope, tags, and document dropdown menus were capped to narrow trigger widths. Long workspace names, tag labels, and document titles were truncated too aggressively, especially when users opened the grounded search controls from the compact chat toolbar.
+
+## Root Cause Analysis
+
+The dropdown menu width was controlled in several places at once: inline template styles, fixed CSS max-width rules, and JavaScript runtime sizing that set each popup menu `maxWidth` to the trigger field width. Because the same controls are reused in the mobile grounded-search drawer, the behavior affected desktop and mobile layouts.
+
+## Technical Details
+
+Files modified:
+
+- `application/single_app/templates/chats.html`
+- `application/single_app/static/css/chats.css`
+- `application/single_app/static/js/chat/chat-documents.js`
+- `ui_tests/test_chat_search_panel_mobile_drawer.py`
+- `functional_tests/test_chat_searchable_selectors.py`
+- `application/single_app/config.py`
+
+Code changes summary:
+
+- Replaced inline dropdown menu widths with a shared `chat-search-filter-menu` class.
+- Updated the shared search-filter dropdown sizing helper to use viewport-aware desktop bounds and full drawer-width mobile sizing.
+- Configured the document dropdown to open upward on desktop and downward in the mobile grounded-search drawer using Popper placement instead of CSS-forced positioning.
+- Refreshed Bootstrap dropdown placement after responsive sizing so the desktop document menu remains visible above the composer.
+- Added label overflow rules so long item text truncates inside the expanded popup instead of forcing viewport overflow.
+
+## Testing Approach
+
+- Extended the Playwright chat grounded-search drawer test to validate dropdown bounds in both desktop and mobile viewports.
+- Extended the chat searchable selector functional test to verify the responsive sizing helper and prevent the old `maxWidth = containerWidth` cap from returning.
+
+## Impact Analysis
+
+Desktop dropdown menus can now grow beyond narrow trigger fields while staying within the viewport. The document dropdown opens upward from the desktop composer through Bootstrap/Popper placement so it remains interactive above the message box. Mobile dropdowns remain constrained to the grounded-search drawer width and open downward inside that drawer, so the change improves readability without causing offcanvas overflow.
+
+## Validation
+
+Before the fix, scope, tags, and document menus could be hard capped to widths like 250px or the narrow trigger field width. After the fix, desktop menus use a wider responsive popup and mobile menus stay aligned to the drawer fields.
+
+Related tests:
+
+- `ui_tests/test_chat_search_panel_mobile_drawer.py`
+- `functional_tests/test_chat_searchable_selectors.py`
+
+Config version updated in `application/single_app/config.py` to **0.242.017**.
\ No newline at end of file
diff --git a/docs/explanation/release_notes.md b/docs/explanation/release_notes.md
index db17633db..b630d55c1 100644
--- a/docs/explanation/release_notes.md
+++ b/docs/explanation/release_notes.md
@@ -4,6 +4,16 @@ This page tracks notable Simple Chat releases and organizes the detailed change
 
 For feature-focused and fix-focused drill-downs by version, see [Features by Version](/explanation/features/) and [Fixes by Version](/explanation/fixes/).
 
+### **(v0.242.022)**
+
+#### New Features
+
+*   **Pull Request Preparation Prompt**
+    *   Added a reusable Copilot prompt for preparing SimpleChat branches for pull requests into `Development`.
+    *   The workflow verifies branch freshness against `Development`, runs repo-aligned validation checks, updates release notes when needed, and gates push or PR creation behind explicit user confirmation.
+    *   Optional merge or rebase from `Development` is supported only when requested, with conflicts resolved interactively by the agent after explaining each side of the conflict.
+    *   (Ref: `.github/prompts/prepare-for-pull-request.prompt.md`, PR readiness workflow, Development branch validation)
+
 ### **(v0.241.007)**
 
 ## New Feature
diff --git a/functional_tests/test_app_settings_cache_versioning.py b/functional_tests/test_app_settings_cache_versioning.py
new file mode 100644
index 000000000..302b7ec62
--- /dev/null
+++ b/functional_tests/test_app_settings_cache_versioning.py
@@ -0,0 +1,111 @@
+# test_app_settings_cache_versioning.py
+#!/usr/bin/env python3
+"""
+Functional test for shared app settings and governance cache versioning.
+Version: 0.242.020
+Implemented in: 0.242.020
+
+This test ensures Redis deployments keep shared version keys and non-Redis
+multi-worker deployments use Cosmos-backed version documents with bounded local
+version-read TTLs for app settings and governance policy caches.
+"""
+
+import os
+import sys
+
+
+ROOT_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
+SINGLE_APP_DIR = os.path.join(ROOT_DIR, "application", "single_app")
+if SINGLE_APP_DIR not in sys.path:
+    sys.path.append(SINGLE_APP_DIR)
+
+
+def _read(*parts):
+    path = os.path.join(ROOT_DIR, *parts)
+    with open(path, "r", encoding="utf-8") as handle:
+        return handle.read()
+
+
+def test_app_settings_cache_shared_version_contract():
+    print("Testing app settings shared cache version contract...")
+
+    cache_content = _read("application", "single_app", "app_settings_cache.py")
+    settings_content = _read("application", "single_app", "functions_settings.py")
+
+    for marker in [
+        "APP_SETTINGS_CACHE_VERSION_KEY",
+        "APP_SETTINGS_CACHE_VERSION_DOC_ID",
+        "CACHE_VERSION_READ_TTL_SECONDS = 15",
+        "get_app_settings_cache_version_redis",
+        "bump_app_settings_cache_version_redis",
+        "get_app_settings_cache_version_mem",
+        "bump_app_settings_cache_version_mem",
+        "cosmos_settings_container",
+        "_get_ttl_cached_cosmos_version(",
+        "APP_SETTINGS_SHARED_VERSION_CACHE",
+    ]:
+        assert marker in cache_content, f"Missing app settings cache version marker: {marker}"
+
+    assert "bump_app_settings_cache_version" in settings_content, (
+        "Expected app settings writes to bump shared app settings cache version"
+    )
+    assert "_refresh_app_settings_cache_after_write(merged, context=\"merge_upsert\")" in settings_content, (
+        "Expected merge upsert path to refresh and version app settings cache"
+    )
+    assert "_refresh_app_settings_cache_after_write(settings_item, context=\"update_settings\")" in settings_content, (
+        "Expected update_settings path to refresh and version app settings cache"
+    )
+    assert "before_version_bump" in settings_content and "after_version_bump" in settings_content, (
+        "Expected cache refresh helper to write payload before and after version bump"
+    )
+
+    print("PASS: app settings shared cache version contract verified")
+
+
+def test_governance_cache_cosmos_fallback_contract():
+    print("Testing governance cache Cosmos fallback contract...")
+
+    cache_content = _read("application", "single_app", "app_settings_cache.py")
+    governance_content = _read("application", "single_app", "functions_governance.py")
+
+    for marker in [
+        "GOVERNANCE_CACHE_VERSION_KEY",
+        "GOVERNANCE_CACHE_VERSION_DOC_ID",
+        "APP_GOVERNANCE_SHARED_VERSION_CACHE",
+        "get_governance_cache_version_redis",
+        "bump_governance_cache_version_redis",
+        "get_governance_cache_version_mem",
+        "bump_governance_cache_version_mem",
+        "cosmos_governance_policies_container",
+    ]:
+        assert marker in cache_content, f"Missing governance cache version marker: {marker}"
+
+    for marker in [
+        "_get_shared_governance_cache_version()",
+        "_bump_shared_governance_cache_version()",
+        "entry.get(\"version\") != current_version",
+        "invalidate_governance_cache()",
+    ]:
+        assert marker in governance_content, f"Missing governance shared version usage marker: {marker}"
+
+    print("PASS: governance Cosmos fallback cache version contract verified")
+
+
+if __name__ == "__main__":
+    tests = [
+        test_app_settings_cache_shared_version_contract,
+        test_governance_cache_cosmos_fallback_contract,
+    ]
+    results = []
+
+    for test in tests:
+        try:
+            test()
+            results.append(True)
+        except Exception as exc:
+            print(f"FAIL: {test.__name__} -> {exc}")
+            results.append(False)
+
+    passed = sum(1 for result in results if result)
+    print(f"Results: {passed}/{len(results)} tests passed")
+    sys.exit(0 if all(results) else 1)
diff --git a/functional_tests/test_chat_searchable_selectors.py b/functional_tests/test_chat_searchable_selectors.py
index 5c709d52e..5094fd5f6 100644
--- a/functional_tests/test_chat_searchable_selectors.py
+++ b/functional_tests/test_chat_searchable_selectors.py
@@ -2,15 +2,18 @@
 # test_chat_searchable_selectors.py
 """
 Functional test for grouped searchable chat selectors.
-Version: 0.241.031
-Implemented in: 0.241.031
+Version: 0.242.017
+Implemented in: 0.242.017
 
 This test ensures that the chat page exposes grouped searchable selectors for
 documents, prompts, models, and agents, that grouped headers are preserved by
 the shared renderer during search, and that chat prompt data is preloaded for
 personal, group, and public workspace scopes while locked conversations hide
 unavailable agents and models while grounded search becomes a mobile drawer
-with an explicit mobile close control and a visible loading state for tags.
+with an explicit mobile close control, a visible loading state for tags, and
+responsive scope, tag, and document dropdown menu sizing.
+It also verifies that the document dropdown opens upward on desktop and down in
+the mobile grounded-search drawer.
 """
 
 import os
@@ -128,6 +131,7 @@ def test_chat_template_contains_searchable_selectors():
             'class="chat-search-panel-grid"',
             'id="search-documents-mobile-close"',
             'class="chat-search-panel-mobile-footer d-lg-none"',
+            'chat-search-filter-menu',
             'id="tags-dropdown-loading-spinner"',
             'Loading tags...',
             'class="chat-toolbar mb-2"',
@@ -417,8 +421,23 @@ def test_scope_tag_and_document_search_are_wired_in_chat_documents():
             'const scopeSearchInput = document.getElementById("scope-search-input");',
             'const tagsSearchInput = document.getElementById("tags-search-input");',
             'const SEARCH_DOCUMENTS_MOBILE_MEDIA_QUERY = \u0027(max-width: 991.98px)\u0027;',
-            'function getSearchDocumentsDropdownConfig() {',
+            'const SEARCH_DROPDOWN_VIEWPORT_PADDING = 16;',
+            'const SEARCH_FILTER_DESKTOP_MIN_WIDTH = 320;',
+            'const SEARCH_FILTER_DESKTOP_MAX_WIDTH = 640;',
             'function initializeSearchFilterDropdown({',
+            'openUpOnDesktop = false,',
+            'function getSearchDocumentsDropdownConfig({ openUpOnDesktop = false } = {}) {',
+            "placement: shouldOpenUp ? 'top-start' : 'bottom-start',",
+            "name: 'flip',",
+            'enabled: !shouldOpenUp,',
+            'const isMobileDrawer = isSearchDocumentsMobileDrawerViewport();',
+            "const popperPlacement = menuEl.getAttribute('data-popper-placement') || '';",
+            "const opensUp = popperPlacement.startsWith('top') && !isMobileDrawer;",
+            '? buttonRect.top - SEARCH_DROPDOWN_VIEWPORT_PADDING',
+            "bootstrap.Dropdown.getInstance(buttonEl)?.update();",
+            "menuEl.style.width = isMobileDrawer ? `${Math.round(minWidth)}px` : 'max-content';",
+            'menuEl.style.minWidth = `${Math.round(minWidth)}px`;',
+            'menuEl.style.maxWidth = `${Math.round(maxWidth)}px`;',
             "boundary: 'viewport',",
             "strategy: 'fixed',",
             'export async function showSearchDocumentsPanel() {',
@@ -430,6 +449,7 @@ def test_scope_tag_and_document_search_are_wired_in_chat_documents():
             'searchController: scopeSearchController,',
             'searchController: tagsSearchController,',
             'searchController: documentSearchController,',
+            'openUpOnDesktop: true,',
             "allItem.setAttribute('data-search-role', 'action');",
             "item.setAttribute('data-search-role', 'item');",
             'function appendDocumentSection(sectionLabel, documents, sectionIndex) {',
@@ -444,6 +464,7 @@ def test_scope_tag_and_document_search_are_wired_in_chat_documents():
 
         missing = [snippet for snippet in required_snippets if snippet not in content]
         assert not missing, f'Missing scope/tag/document search wiring: {missing}'
+        assert 'menuEl.style.maxWidth = `${containerWidth}px`;' not in content, 'Expected dropdown max width to avoid being capped to the trigger container'
 
         print('✅ Scope/tag/document grouped search wiring passed')
         return True
@@ -583,7 +604,7 @@ def test_version_bumped_for_grouped_chat_selector_change():
 
     try:
         config_content = read_file(CONFIG_FILE)
-        assert 'VERSION = "0.241.031"' in config_content, 'Expected config.py version 0.241.031'
+        assert 'VERSION = "0.242.017"' in config_content, 'Expected config.py version 0.242.017'
 
         print('✅ Config version bump passed')
         return True
diff --git a/functional_tests/test_governance_route_and_wiring_coverage.py b/functional_tests/test_governance_route_and_wiring_coverage.py
index 6ab531513..4b41eff3c 100644
--- a/functional_tests/test_governance_route_and_wiring_coverage.py
+++ b/functional_tests/test_governance_route_and_wiring_coverage.py
@@ -2,8 +2,8 @@
 #!/usr/bin/env python3
 """
 Functional test for governance route and enforcement wiring coverage.
-Version: 0.242.011
-Implemented in: 0.242.011
+Version: 0.242.019
+Implemented in: 0.242.011; 0.242.012; 0.242.013; 0.242.014; 0.242.018; 0.242.019
 
 This test ensures governance routes are registered and guarded, and that
 updated backend modules include governance enforcement hooks for endpoint,
@@ -45,6 +45,7 @@ def test_governance_route_registration_and_guards():
         "/api/admin/governance/item-policies",
         "/api/admin/governance/item-policies/review",
         "/api/admin/governance/item-policies/<entity_type>/<item_id>",
+        "/api/admin/governance/item-policies/<entity_type>/<item_id>/<policy_id>",
     ]
     for route in expected_routes:
         assert route in route_content, f"Missing governance route: {route}"
@@ -78,8 +79,10 @@ def test_governance_enforcement_hooks_across_changed_routes():
     frontend_chats_content = _read("application", "single_app", "route_frontend_chats.py")
     models_content = _read("application", "single_app", "route_backend_models.py")
     admin_settings_route_content = _read("application", "single_app", "route_frontend_admin_settings.py")
+    users_route_content = _read("application", "single_app", "route_backend_users.py")
     settings_content = _read("application", "single_app", "functions_settings.py")
     admin_settings_template_content = _read("application", "single_app", "templates", "admin_settings.html")
+    governance_info_template_content = _read("application", "single_app", "templates", "_governance_info.html")
     admin_governance_js_content = _read("application", "single_app", "static", "js", "admin", "admin_governance.js")
 
     # Agents route: user/group/global agent governance and endpoint governance hooks.
@@ -106,7 +109,7 @@ def test_governance_enforcement_hooks_across_changed_routes():
     for key in ["governance_user_endpoints", "governance_group_endpoints", "governance_global_endpoints"]:
         assert key in chats_content, f"Missing governance key in route_backend_chats.py: {key}"
         assert key in models_content, f"Missing governance key in route_backend_models.py: {key}"
-    assert "item_entity_type=\"endpoint\"" in models_content or "item_entity_type='endpoint'" in models_content, (
+    assert "item_entity_type=\"global_endpoint\"" in models_content or "item_entity_type='global_endpoint'" in models_content, (
         "Expected endpoint item delegation enforcement in route_backend_models.py"
     )
 
@@ -129,17 +132,57 @@ def test_governance_enforcement_hooks_across_changed_routes():
         "id=\"governance\"",
         "governance-feature-policies-table",
         "governance-item-policies-table",
+        "governance-item-policy-card-controls",
+        "governance-item-policies-review-body",
         "governance-save-feature-policies-btn",
-        "governance-save-item-policy-btn",
+        "governance-new-item-policy-btn",
+        "governance-info-guide-btn",
+        "data-bs-target=\"#governanceInfoModal\"",
+        "{% include '_governance_info.html' %}",
+        "Delegated item policies are OR combined whitelists",
+        "btn btn-outline-info btn-sm ms-2 governance-primary-link",
     ]:
         assert marker in admin_settings_template_content, f"Missing governance UI marker in admin_settings.html: {marker}"
 
+    for marker in [
+        "governanceInfoModal",
+        "Governance Configuration Guide",
+        "Governance Boundary:",
+        "SimpleChat application-level features are governed by identity and app roles",
+        "resources and capabilities created inside SimpleChat",
+        "shown.bs.modal",
+        "bootstrap.Tab.getOrCreateInstance(overviewTab).show()",
+        "Using Workspaces as Governance Cohorts",
+        "workspace membership is used as an access cohort",
+        "they do not override feature-level governance",
+        "does not pass <strong>Govern Global Agents</strong>",
+        "Govern Personal Endpoints",
+        "Govern Personal Actions",
+        "Govern Group Endpoints",
+        "Govern Group Actions",
+        "Govern Global Endpoints",
+        "It does not grant access to that group workspace's documents",
+        "Personal Agents Pilot Users",
+    ]:
+        assert marker in governance_info_template_content, f"Missing governance guide marker: {marker}"
+
     for endpoint in [
         "/api/admin/governance/policies",
         "/api/admin/governance/item-policies",
         "/api/admin/governance/item-policies/review",
+        "/api/user/info/",
+    ]:
+        if endpoint == "/api/user/info/":
+            assert endpoint in admin_governance_js_content, "Missing user info hydration API call in admin_governance.js"
+        else:
+            assert endpoint in admin_governance_js_content, f"Missing governance API call in admin_governance.js: {endpoint}"
+
+    for marker in [
+        "def _get_graph_user_info_by_id(user_id):",
+        "get_graph_endpoint(f\"/users/{quote(normalized_user_id, safe='')}\")",
+        '"$select": "id,displayName,mail,userPrincipalName"',
     ]:
-        assert endpoint in admin_governance_js_content, f"Missing governance API call in admin_governance.js: {endpoint}"
+        assert marker in users_route_content, f"Missing user info Graph hydration marker: {marker}"
 
     for marker in [
         "syncGovernanceFeaturePolicyVisibility()",
@@ -152,8 +195,14 @@ def test_governance_enforcement_hooks_across_changed_routes():
         "governance-edit-item-policy-btn",
         "governance-delete-item-policy-btn",
         "governance-item-policy-delete-confirm-modal",
-        "loadGovernanceItemPolicyIntoEditor",
-        "openCurrentDelegatedItemAllowListEditorAfterReviewModalCloses",
+        "governance-item-policy-editor-modal",
+        "ensureGovernanceItemPolicyEditorModal",
+        "openGovernanceItemPolicyEditor",
+        "renderGovernanceItemEditorSelections",
+        "governance-item-selected-user-search",
+        "openGovernanceDelegatedItemEditor",
+        "governance-item-policy-name",
+        "governance-item-policy-id",
         "deleteGovernanceItemPolicyFromContext",
         "renderGovernancePrincipalReviewCell",
         "wireGovernanceItemReviewHandlers",
@@ -162,12 +211,39 @@ def test_governance_enforcement_hooks_across_changed_routes():
             f"Missing governance UI visibility marker: {marker}"
         )
 
-    assert '<div id="governance-item-policy-form"' in admin_settings_template_content, (
-        "Delegated item policy editor must not be a nested form inside Admin Settings"
+    assert '<div id="governance-item-policy-form"' not in admin_settings_template_content, (
+        "Delegated item policy editor should live in the dedicated edit modal, not inline in Admin Settings"
     )
-    assert 'type="button" class="btn btn-primary" id="governance-save-item-policy-btn"' in admin_settings_template_content, (
-        "Delegated item policy save button must not submit the global settings form"
+    assert 'id="governance-save-item-policy-btn"' not in admin_settings_template_content, (
+        "Delegated item policy save button should not be inside the global settings form"
     )
+    assert 'id="governance-save-item-policy-btn"' in admin_governance_js_content, (
+        "Delegated item policy save button should be rendered inside the dedicated edit modal"
+    )
+
+    governance_content = _read("application", "single_app", "functions_governance.py")
+    route_content = _read("application", "single_app", "route_backend_governance.py")
+    for marker in [
+        "def get_item_policies(entity_type: str, item_id: str)",
+        "any(_passes_policy(item_policy, normalized_user_id, user_group_ids) for item_policy in item_policies)",
+        "policy_id",
+        "policy_name",
+        "resource_label",
+    ]:
+        assert marker in governance_content or marker in route_content, f"Missing multi-policy delegation marker: {marker}"
+
+    model_endpoint_js_content = _read("application", "single_app", "static", "js", "admin", "admin_model_endpoints.js")
+    admin_agents_js_content = _read("application", "single_app", "static", "js", "admin", "admin_agents.js")
+    admin_plugins_js_content = _read("application", "single_app", "static", "js", "admin", "admin_plugins.js")
+    plugin_common_js_content = _read("application", "single_app", "static", "js", "plugin_common.js")
+    for marker in ["data-action=\"govern\"", "data-action=\"duplicate\"", "endpoint-duplicate-key-confirm-modal"]:
+        assert marker in model_endpoint_js_content, f"Missing endpoint governance/duplicate marker: {marker}"
+    for marker in ["govern-agent-btn", "duplicate-agent-btn", "governAgent", "duplicateAgent"]:
+        assert marker in admin_agents_js_content, f"Missing agent governance/duplicate marker: {marker}"
+    for marker in ["governPlugin", "duplicatePlugin"]:
+        assert marker in admin_plugins_js_content, f"Missing action governance/duplicate marker: {marker}"
+    for marker in ["govern-plugin-btn", "duplicate-plugin-btn"]:
+        assert marker in plugin_common_js_content, f"Missing shared action table marker: {marker}"
 
     print("PASS: governance enforcement hooks and admin governance wiring verified")
 
@@ -203,7 +279,7 @@ def test_governance_cache_optimization_hooks():
     assert "get_feature_policy(" in governance_content and "(\"feature_policy\"," in governance_content, (
         "Expected feature policy reads to use governance cache keys"
     )
-    assert "get_item_policy(" in governance_content and "(\"item_policy\"," in governance_content, (
+    assert "get_item_policies(" in governance_content and "(\"item_policies\"," in governance_content, (
         "Expected item policy reads to use governance cache keys"
     )
     assert "delete_item_policy(" in governance_content and "item_policy_delete" in governance_content, (
@@ -234,7 +310,8 @@ def test_workspace_jinja_governance_gating_hooks():
     for marker in [
         "def is_governance_access_allowed(",
         "def filter_governed_model_endpoints(",
-        "item_entity_type=\"endpoint\"",
+        "item_entity_type=\"global_endpoint\"",
+        "LEGACY_ITEM_POLICY_ENTITY_TYPE_ALIASES",
     ]:
         assert marker in governance_content, f"Missing workspace governance helper marker: {marker}"
 
diff --git a/ui_tests/test_admin_governance_tab.py b/ui_tests/test_admin_governance_tab.py
index b77dd5933..1d1a7a94e 100644
--- a/ui_tests/test_admin_governance_tab.py
+++ b/ui_tests/test_admin_governance_tab.py
@@ -2,8 +2,8 @@
 """
 UI test for admin governance tab rendering and API wiring.
 
-Version: 0.241.025
-Implemented in: 0.241.009; 0.241.025
+Version: 0.242.019
+Implemented in: 0.241.009; 0.241.025; 0.242.012; 0.242.013; 0.242.014; 0.242.018; 0.242.019
 
 This test ensures the Governance tab is present in admin settings, the
 sidebar navigation exposes the same destination, feature policy fetch/save
@@ -33,9 +33,9 @@ def test_admin_governance_tab_and_api_wiring():
 
     feature_get_requests = []
     feature_put_requests = []
-    item_get_requests = []
     item_review_get_requests = []
     item_put_requests = []
+    user_info_requests = []
     agent_lookup_requests = []
     action_lookup_requests = []
 
@@ -68,24 +68,6 @@ def fulfill_feature_put(route):
         feature_put_requests.append(route.request.url)
         route.fulfill(status=200, content_type="application/json", body='{"policy": {"ok": true}}')
 
-    def fulfill_item_get(route):
-        item_get_requests.append(route.request.url)
-        route.fulfill(
-            status=200,
-            content_type="application/json",
-            body=json.dumps({
-                "item_policies": [
-                    {
-                        "entity_type": "global_agent",
-                        "item_id": "global-agent-1",
-                        "allow_all": False,
-                        "allowed_users": ["entra-user-123"],
-                        "allowed_groups": ["workspace-group-abc"],
-                    }
-                ]
-            }),
-        )
-
     def fulfill_item_review_get(route):
         item_review_get_requests.append(route.request.url)
         route.fulfill(
@@ -94,8 +76,11 @@ def fulfill_item_review_get(route):
             body=json.dumps({
                 "item_policies": [
                     {
-                        "entity_type": "endpoint",
+                        "entity_type": "global_endpoint",
                         "item_id": "endpoint-1",
+                        "policy_id": "policy-1",
+                        "policy_name": "Endpoint Pilot Users",
+                        "resource_label": "Endpoint One",
                         "allow_all": False,
                         "allowed_users": ["entra-user-123"],
                         "allowed_groups": ["workspace-group-abc"],
@@ -118,6 +103,27 @@ def fulfill_item_put(route):
         item_put_requests.append(route.request.url)
         route.fulfill(status=200, content_type="application/json", body='{"policy": {"ok": true}}')
 
+    def fulfill_empty_user_search(route):
+        route.fulfill(status=200, content_type="application/json", body="[]")
+
+    def fulfill_user_info(route):
+        user_info_requests.append(route.request.url)
+        route.fulfill(
+            status=200,
+            content_type="application/json",
+            body=json.dumps({
+                "id": "entra-user-123",
+                "user_id": "entra-user-123",
+                "displayName": "Paul Lizer",
+                "display_name": "Paul Lizer",
+                "email": "paullizer@swiftiesandbox1.onmicrosoft.us",
+                "userPrincipalName": "paullizer@swiftiesandbox1.onmicrosoft.us",
+            }),
+        )
+
+    def fulfill_empty_group_discovery(route):
+        route.fulfill(status=200, content_type="application/json", body="[]")
+
     def fulfill_admin_agents_lookup(route):
         agent_lookup_requests.append(route.request.url)
         route.fulfill(
@@ -162,9 +168,11 @@ def fulfill_admin_plugins_lookup(route):
         try:
             page.route("**/api/admin/governance/policies", fulfill_feature_get)
             page.route("**/api/admin/governance/policies/*", fulfill_feature_put)
-            page.route("**/api/admin/governance/item-policies", fulfill_item_get)
             page.route("**/api/admin/governance/item-policies/review**", fulfill_item_review_get)
             page.route("**/api/admin/governance/item-policies/*/*", fulfill_item_put)
+            page.route("**/api/userSearch**", fulfill_empty_user_search)
+            page.route("**/api/user/info/entra-user-123", fulfill_user_info)
+            page.route("**/api/groups/discover**", fulfill_empty_group_discovery)
             page.route("**/api/admin/agents", fulfill_admin_agents_lookup)
             page.route("**/api/admin/plugins", fulfill_admin_plugins_lookup)
 
@@ -176,35 +184,45 @@ def fulfill_admin_plugins_lookup(route):
             page.get_by_role("tab", name="Governance").click()
             page.wait_for_selector("#governance-feature-policies-table")
 
-            page.get_by_role("button", name="Review Configured List").click()
-            page.wait_for_selector("#governance-item-policies-review-modal.show")
+            page.locator("#governance-info-guide-btn").click()
+            page.wait_for_selector("#governanceInfoModal.show")
+            assert "SimpleChat application-level features are governed by identity and app roles" in page.locator("#governanceInfoModal").inner_text()
+            assert "Using Workspaces as Governance Cohorts" in page.locator("#governanceInfoModal").inner_text()
+            page.locator("#governanceInfoModal .btn-close").click()
+            page.wait_for_selector("#governanceInfoModal.show", state="hidden")
+
             page.wait_for_selector("#governance-item-policies-review-body tr")
+            page.get_by_text("Paul Lizer (paullizer@swiftiesandbox1.onmicrosoft.us)").wait_for()
 
             page.get_by_role("button", name="Save Feature Policies").click()
             page.wait_for_timeout(300)
 
+            page.get_by_role("button", name="New Policy").click()
+            page.wait_for_selector("#governance-item-policy-editor-modal.show")
+            page.wait_for_selector("#governance-item-id option[value='global-agent-2']")
             page.locator("#governance-item-id").select_option("global-agent-2")
-            page.get_by_role("button", name="Edit List").click()
-            page.wait_for_selector("#governanceAllowListEditorModal.show")
-
-            page.locator("#governance-allowlist-csv-target").select_option("users")
-            page.locator("#governance-allowlist-csv-mode").select_option("merge")
-            page.locator("#governance-allowlist-csv-input").fill("entra-user-123")
-            page.get_by_role("button", name="Apply CSV").click()
+            page.locator("#governance-item-allow-all").uncheck()
 
-            page.locator("#governance-allowlist-csv-target").select_option("groups")
-            page.locator("#governance-allowlist-csv-input").fill("workspace-group-abc")
-            page.get_by_role("button", name="Apply CSV").click()
+            page.locator("#governance-item-csv-target").select_option("users")
+            page.locator("#governance-item-csv-mode").select_option("merge")
+            page.locator("#governance-item-csv-input").fill("entra-user-123")
+            page.locator("#governance-item-csv-apply-btn").click()
+            page.locator("#governance-item-selected-user-search").fill("entra-user")
+            assert "entra-user-123" in page.locator("#governance-item-selected-users").inner_text()
 
-            page.get_by_role("button", name="Apply to Policy").click()
-            page.wait_for_selector("#governanceAllowListEditorModal.show", state="hidden")
+            page.locator("#governance-item-csv-target").select_option("groups")
+            page.locator("#governance-item-csv-input").fill("workspace-group-abc")
+            page.locator("#governance-item-csv-apply-btn").click()
+            page.locator("#governance-item-selected-group-search").fill("workspace-group")
+            assert "workspace-group-abc" in page.locator("#governance-item-selected-groups").inner_text()
 
             page.get_by_role("button", name="Save Item Policy").click()
+            page.wait_for_selector("#governance-item-policy-editor-modal.show", state="hidden")
             page.wait_for_timeout(300)
 
             assert feature_get_requests, "Expected governance feature policies GET request"
-            assert item_get_requests, "Expected governance item policies GET request"
             assert item_review_get_requests, "Expected governance item policy review GET request"
+            assert user_info_requests, "Expected selected user hydration through user info fallback"
             assert feature_put_requests, "Expected governance feature policies PUT request"
             assert item_put_requests, "Expected governance item policy PUT request"
             assert agent_lookup_requests, "Expected global agent lookup GET request"
diff --git a/ui_tests/test_chat_search_panel_mobile_drawer.py b/ui_tests/test_chat_search_panel_mobile_drawer.py
index 0d0e26e18..0d93376cd 100644
--- a/ui_tests/test_chat_search_panel_mobile_drawer.py
+++ b/ui_tests/test_chat_search_panel_mobile_drawer.py
@@ -1,11 +1,14 @@
 # test_chat_search_panel_mobile_drawer.py
 """
 UI test for the mobile grounded-search drawer.
-Version: 0.241.022
-Implemented in: 0.241.022
+Version: 0.242.017
+Implemented in: 0.242.017
 
 This test ensures the grounded search panel stays behind the toolbar on mobile,
-opens as an end-side drawer, and closes cleanly through its mobile close button.
+opens as an end-side drawer, closes cleanly through its mobile close button,
+and keeps scope, tag, and document dropdown menus usable on desktop and mobile.
+On desktop, the document dropdown opens upward from the composer; on mobile, it
+opens downward inside the grounded-search drawer.
 """
 
 import os
@@ -18,6 +21,7 @@
 BASE_URL = os.getenv("SIMPLECHAT_UI_BASE_URL", "").rstrip("/")
 STORAGE_STATE = os.getenv("SIMPLECHAT_UI_STORAGE_STATE", "")
 MOBILE_VIEWPORT = {"width": 430, "height": 932}
+DESKTOP_VIEWPORT = {"width": 1440, "height": 900}
 
 
 def _require_authenticated_chat_env():
@@ -27,6 +31,105 @@ def _require_authenticated_chat_env():
         pytest.skip("Set SIMPLECHAT_UI_STORAGE_STATE to a valid authenticated Playwright storage state file.")
 
 
+def _open_grounded_search(page):
+    search_button = page.locator("#search-documents-btn")
+    search_panel = page.locator("#search-documents-container")
+
+    if search_button.count() == 0 or search_panel.count() == 0:
+        pytest.skip("Grounded search is not enabled for this environment.")
+
+    expect(search_button).to_be_visible()
+    search_button.click()
+    expect(search_panel).to_be_visible()
+
+
+def _seed_dropdown_items(page):
+    page.evaluate(
+        """
+        () => {
+            const tagsButton = document.getElementById('tags-dropdown-button');
+            const tagsItems = document.getElementById('tags-dropdown-items');
+            const documentItems = document.getElementById('document-dropdown-items');
+
+            if (tagsButton) {
+                tagsButton.disabled = false;
+                tagsButton.removeAttribute('disabled');
+                tagsButton.setAttribute('aria-disabled', 'false');
+            }
+
+            if (tagsItems && tagsItems.children.length === 0) {
+                const item = document.createElement('button');
+                item.type = 'button';
+                item.className = 'dropdown-item d-flex align-items-center';
+                item.setAttribute('data-search-role', 'item');
+                item.dataset.searchLabel = 'very long procurement readiness classification tag';
+
+                const checkbox = document.createElement('input');
+                checkbox.type = 'checkbox';
+                checkbox.className = 'form-check-input me-2 tag-checkbox';
+                checkbox.style.pointerEvents = 'none';
+
+                const label = document.createElement('span');
+                label.textContent = 'very long procurement readiness classification tag (12)';
+
+                item.appendChild(checkbox);
+                item.appendChild(label);
+                tagsItems.appendChild(item);
+            }
+
+            if (documentItems && documentItems.children.length === 0) {
+                const item = document.createElement('button');
+                item.type = 'button';
+                item.className = 'dropdown-item d-flex align-items-center';
+                item.setAttribute('data-document-id', 'synthetic-long-document');
+                item.setAttribute('data-search-role', 'item');
+
+                const checkbox = document.createElement('input');
+                checkbox.type = 'checkbox';
+                checkbox.className = 'form-check-input me-2 doc-checkbox';
+                checkbox.style.pointerEvents = 'none';
+
+                const label = document.createElement('span');
+                label.textContent = 'Very Long Workspace Document Title For Procurement Readiness And Compliance Review.pdf';
+
+                item.appendChild(checkbox);
+                item.appendChild(label);
+                documentItems.appendChild(item);
+            }
+        }
+        """
+    )
+
+
+def _assert_dropdown_bounds(page, button_selector, menu_selector, viewport_width, *, should_expand, expected_direction=None):
+    page.keyboard.press("Escape")
+    button = page.locator(button_selector)
+    menu = page.locator(menu_selector)
+
+    expect(button).to_be_visible()
+    button_box = button.bounding_box()
+    assert button_box is not None, f"Expected {button_selector} to have a bounding box."
+
+    button.click()
+    expect(menu).to_be_visible()
+    menu_box = menu.bounding_box()
+    assert menu_box is not None, f"Expected {menu_selector} to have a bounding box."
+
+    assert menu_box["x"] >= -1, f"Expected {menu_selector} to stay within the left viewport edge."
+    assert menu_box["x"] + menu_box["width"] <= viewport_width + 1, f"Expected {menu_selector} to stay within the right viewport edge."
+    assert menu_box["width"] >= button_box["width"] - 2, f"Expected {menu_selector} to be at least as wide as its trigger."
+
+    if should_expand:
+        assert menu_box["width"] >= button_box["width"] + 40, f"Expected {menu_selector} to expand beyond the narrow trigger width."
+
+    if expected_direction == "up":
+        assert menu_box["y"] + menu_box["height"] <= button_box["y"] + 1, f"Expected {menu_selector} to open above its trigger."
+    elif expected_direction == "down":
+        assert menu_box["y"] >= button_box["y"] + button_box["height"] - 1, f"Expected {menu_selector} to open below its trigger."
+
+    page.keyboard.press("Escape")
+
+
 @pytest.mark.ui
 def test_chat_search_panel_uses_mobile_drawer(playwright):
     """Validate that grounded search opens in an end-side mobile drawer."""
@@ -61,6 +164,48 @@ def test_chat_search_panel_uses_mobile_drawer(playwright):
         expect(close_button).to_be_visible()
         close_button.click()
         expect(page.locator("#search-documents-container.show")).to_have_count(0)
+    finally:
+        context.close()
+        browser.close()
+
+
+@pytest.mark.ui
+@pytest.mark.parametrize(
+    ("viewport", "should_expand"),
+    [
+        (DESKTOP_VIEWPORT, True),
+        (MOBILE_VIEWPORT, False),
+    ],
+)
+def test_chat_search_filter_dropdowns_are_responsive(playwright, viewport, should_expand):
+    """Validate grounded-search dropdown menus are not capped to narrow trigger widths."""
+    _require_authenticated_chat_env()
+
+    browser = playwright.chromium.launch()
+    context = browser.new_context(
+        storage_state=STORAGE_STATE,
+        viewport=viewport,
+    )
+    page = context.new_page()
+
+    try:
+        response = page.goto(f"{BASE_URL}/chats", wait_until="networkidle")
+        assert response is not None and response.ok, "Expected /chats to load successfully."
+
+        _open_grounded_search(page)
+        _seed_dropdown_items(page)
+
+        viewport_width = viewport["width"]
+        _assert_dropdown_bounds(page, "#scope-dropdown-button", "#scope-dropdown-menu", viewport_width, should_expand=should_expand)
+        _assert_dropdown_bounds(page, "#tags-dropdown-button", "#tags-dropdown-menu", viewport_width, should_expand=should_expand)
+        _assert_dropdown_bounds(
+            page,
+            "#document-dropdown-button",
+            "#document-dropdown-menu",
+            viewport_width,
+            should_expand=False,
+            expected_direction="down" if viewport == MOBILE_VIEWPORT else "up",
+        )
     finally:
         context.close()
         browser.close()
\ No newline at end of file

From a5e2456139c71f548d8926d0f932074dc6b21e7d Mon Sep 17 00:00:00 2001
From: Bionic711 <nadoyle@microsoft.com>
Date: Sun, 7 Jun 2026 21:15:23 -0500
Subject: [PATCH 03/12] upd PR prompt

---
 .github/prompts/prepare-for-pull-request.prompt.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/prompts/prepare-for-pull-request.prompt.md b/.github/prompts/prepare-for-pull-request.prompt.md
index 6e2d78fef..22a9fc3a1 100644
--- a/.github/prompts/prepare-for-pull-request.prompt.md
+++ b/.github/prompts/prepare-for-pull-request.prompt.md
@@ -13,7 +13,7 @@ The default outcome is a verified PR-readiness report. You may push the branch o
 
 ## Repository Policy
 
-- Work in the SimpleChat repo, normally `c:\Repos\simplechatmsft`.
+- Work in the SimpleChat repository.
 - Target contributor PRs to `Development`, not `main` or `Staging`.
 - Treat `Development` and `Staging` as case-sensitive branch names.
 - Prefer the remote named `upstream` when it exists and has `Development`; otherwise use `origin/Development`.

From b3f2a7117f788ed366e1208f33ee4e8c01345123 Mon Sep 17 00:00:00 2001
From: Bionic711 <nadoyle@microsoft.com>
Date: Sun, 7 Jun 2026 22:04:58 -0500
Subject: [PATCH 04/12] fix security findings/init prepare run

---
 .gitignore                                    |   2 +-
 .../static/js/admin/admin_agents.js           |  57 ++++++---
 .../static/js/admin/admin_governance.js       |  32 +++--
 .../static/js/admin/admin_model_endpoints.js  |  74 +++++++++---
 .../single_app/static/js/plugin_common.js     | 114 +++++++++---------
 ...OVERNANCE_ADMIN_RENDERING_XSS_HARDENING.md |  47 ++++++++
 docs/explanation/release_notes.md             |  17 +++
 .../test_governance_enforcement_logic.py      |  20 +--
 ...st_governance_route_and_wiring_coverage.py |   2 +-
 9 files changed, 247 insertions(+), 118 deletions(-)
 create mode 100644 docs/explanation/fixes/GOVERNANCE_ADMIN_RENDERING_XSS_HARDENING.md

diff --git a/.gitignore b/.gitignore
index 7faa6693f..1c45c6547 100644
--- a/.gitignore
+++ b/.gitignore
@@ -52,4 +52,4 @@ nul
 /artifacts/tmp
 scripts/agent.json
 scripts/me.json
-.github/instructions/local.instructions.md
+.github/instructions/local.instructions.md
diff --git a/application/single_app/static/js/admin/admin_agents.js b/application/single_app/static/js/admin/admin_agents.js
index f06dd6444..1f6493164 100644
--- a/application/single_app/static/js/admin/admin_agents.js
+++ b/application/single_app/static/js/admin/admin_agents.js
@@ -328,22 +328,47 @@ function renderAgentsTable() {
         // Use global_selected_agent for badge logic (compare by name)
         const isSelected = selectedAgent && agent.name === selectedAgent;
         const tr = document.createElement('tr');
-        let selectedBadge = isSelected ? '<span class="badge bg-primary ms-1">Selected</span>' : '';
-        const safeName = escapeHtml(agent.name || '');
-        const safeDisplayName = escapeHtml(agent.display_name || '');
-        const safeDescription = escapeHtml(agent.description || '');
-        tr.innerHTML = `
-            <td>${safeName}</td>
-            <td>${safeDisplayName}</td>
-            <td>${safeDescription}</td>
-            <td>${selectedBadge}</td>
-            <td>
-                <button type="button" class="btn btn-sm btn-secondary edit-agent-btn" data-index="${idx}">Edit</button>
-                <button type="button" class="btn btn-sm btn-outline-info govern-agent-btn" data-index="${idx}">Govern</button>
-                <button type="button" class="btn btn-sm btn-outline-secondary duplicate-agent-btn" data-index="${idx}">Duplicate</button>
-                <button type="button" class="btn btn-sm btn-danger delete-agent-btn" data-index="${idx}" ${isSelected ? 'disabled' : ''}>Delete</button>
-            </td>
-        `;
+
+        const nameCell = document.createElement('td');
+        nameCell.textContent = agent.name || '';
+
+        const displayNameCell = document.createElement('td');
+        displayNameCell.textContent = agent.display_name || '';
+
+        const descriptionCell = document.createElement('td');
+        descriptionCell.textContent = agent.description || '';
+
+        const selectedCell = document.createElement('td');
+        if (isSelected) {
+            const selectedBadge = document.createElement('span');
+            selectedBadge.className = 'badge bg-primary ms-1';
+            selectedBadge.textContent = 'Selected';
+            selectedCell.appendChild(selectedBadge);
+        }
+
+        const actionsCell = document.createElement('td');
+        const createAgentButton = (className, text, disabled = false) => {
+            const button = document.createElement('button');
+            button.type = 'button';
+            button.className = className;
+            button.dataset.index = String(idx);
+            button.textContent = text;
+            button.disabled = disabled;
+            return button;
+        };
+        actionsCell.appendChild(createAgentButton('btn btn-sm btn-secondary edit-agent-btn', 'Edit'));
+        actionsCell.appendChild(document.createTextNode(' '));
+        actionsCell.appendChild(createAgentButton('btn btn-sm btn-outline-info govern-agent-btn', 'Govern'));
+        actionsCell.appendChild(document.createTextNode(' '));
+        actionsCell.appendChild(createAgentButton('btn btn-sm btn-outline-secondary duplicate-agent-btn', 'Duplicate'));
+        actionsCell.appendChild(document.createTextNode(' '));
+        actionsCell.appendChild(createAgentButton('btn btn-sm btn-danger delete-agent-btn', 'Delete', isSelected));
+
+        tr.appendChild(nameCell);
+        tr.appendChild(displayNameCell);
+        tr.appendChild(descriptionCell);
+        tr.appendChild(selectedCell);
+        tr.appendChild(actionsCell);
         agentsTableBody.appendChild(tr);
     });
     // Attach event listeners for edit and delete buttons (event delegation)
diff --git a/application/single_app/static/js/admin/admin_governance.js b/application/single_app/static/js/admin/admin_governance.js
index bbd0d7f94..c243b0b14 100644
--- a/application/single_app/static/js/admin/admin_governance.js
+++ b/application/single_app/static/js/admin/admin_governance.js
@@ -105,6 +105,13 @@ function escapeHtml(value) {
         .replace(/'/g, '&#39;');
 }
 
+function setBootstrapIcon(element, iconClass) {
+    element.replaceChildren();
+    const icon = document.createElement('i');
+    icon.className = iconClass;
+    element.appendChild(icon);
+}
+
 function splitPrincipalList(value) {
     if (!value) {
         return [];
@@ -1056,21 +1063,20 @@ function renderGovernanceItemEditorSelectedList(options) {
             const copyButton = document.createElement('button');
             copyButton.type = 'button';
             copyButton.className = 'btn btn-sm btn-link p-0';
-            copyButton.innerHTML = '<i class="bi bi-clipboard"></i>';
+            setBootstrapIcon(copyButton, 'bi bi-clipboard');
             copyButton.title = 'Copy ID';
             copyButton.addEventListener('click', (event) => {
                 event.preventDefault();
                 event.stopPropagation();
-                const originalHtml = copyButton.innerHTML;
                 navigator.clipboard.writeText(idValue).then(() => {
-                    copyButton.innerHTML = '<i class="bi bi-check"></i>';
+                    setBootstrapIcon(copyButton, 'bi bi-check');
                     setTimeout(() => {
-                        copyButton.innerHTML = originalHtml;
+                        setBootstrapIcon(copyButton, 'bi bi-clipboard');
                     }, 1500);
                 }).catch(() => {
-                    copyButton.innerHTML = '<i class="bi bi-x"></i>';
+                    setBootstrapIcon(copyButton, 'bi bi-x');
                     setTimeout(() => {
-                        copyButton.innerHTML = originalHtml;
+                        setBootstrapIcon(copyButton, 'bi bi-clipboard');
                     }, 1500);
                 });
             });
@@ -1462,6 +1468,7 @@ function ensureGovernanceItemPolicyEditorModal() {
         `;
 
         const wrapper = document.createElement('div');
+    // xss-check: ignore - modalMarkup is a static Bootstrap shell; untrusted values are populated with DOM APIs.
         wrapper.innerHTML = modalMarkup.trim();
         modalElement = wrapper.firstElementChild;
         document.body.appendChild(modalElement);
@@ -1877,6 +1884,7 @@ function ensureGovernanceItemPolicyDeleteModal() {
         `;
 
         const wrapper = document.createElement('div');
+    // xss-check: ignore - modalMarkup is a static Bootstrap shell; untrusted values are populated with DOM APIs.
         wrapper.innerHTML = modalMarkup.trim();
         modalElement = wrapper.firstElementChild;
         document.body.appendChild(modalElement);
@@ -2351,6 +2359,7 @@ function ensureGovernanceAllowListEditorModal() {
         `;
 
         const wrapper = document.createElement('div');
+    // xss-check: ignore - modalMarkup is a static Bootstrap shell; untrusted values are populated with DOM APIs.
         wrapper.innerHTML = modalMarkup.trim();
         modalElement = wrapper.firstElementChild;
         document.body.appendChild(modalElement);
@@ -2621,21 +2630,20 @@ function renderGovernanceSelectedList(options) {
             const copyButton = document.createElement('button');
             copyButton.type = 'button';
             copyButton.className = 'btn btn-sm btn-link p-0';
-            copyButton.innerHTML = '<i class="bi bi-clipboard"></i>';
+            setBootstrapIcon(copyButton, 'bi bi-clipboard');
             copyButton.title = 'Copy ID';
             copyButton.addEventListener('click', (e) => {
                 e.preventDefault();
                 e.stopPropagation();
-                const originalHtml = copyButton.innerHTML;
                 navigator.clipboard.writeText(idValue).then(() => {
-                    copyButton.innerHTML = '<i class="bi bi-check"></i>';
+                    setBootstrapIcon(copyButton, 'bi bi-check');
                     setTimeout(() => {
-                        copyButton.innerHTML = originalHtml;
+                        setBootstrapIcon(copyButton, 'bi bi-clipboard');
                     }, 1500);
                 }).catch(() => {
-                    copyButton.innerHTML = '<i class="bi bi-x"></i>';
+                    setBootstrapIcon(copyButton, 'bi bi-x');
                     setTimeout(() => {
-                        copyButton.innerHTML = originalHtml;
+                        setBootstrapIcon(copyButton, 'bi bi-clipboard');
                     }, 1500);
                 });
             });
diff --git a/application/single_app/static/js/admin/admin_model_endpoints.js b/application/single_app/static/js/admin/admin_model_endpoints.js
index bf0a7d541..07206a245 100644
--- a/application/single_app/static/js/admin/admin_model_endpoints.js
+++ b/application/single_app/static/js/admin/admin_model_endpoints.js
@@ -282,26 +282,59 @@ function renderEndpoints() {
         const statusClass = endpoint.enabled ? "success" : "secondary";
         const toggleLabel = endpoint.enabled ? "Disable" : "Enable";
 
-        row.innerHTML = `
-            <td>
-                <div class="fw-semibold">${escapeHtml(endpoint.name || "Unnamed Endpoint")}</div>
-                <div class="text-muted small">${escapeHtml(endpoint.connection?.endpoint || "")}</div>
-            </td>
-            <td>${escapeHtml(formatProviderLabel(endpoint.provider))}</td>
-            <td>
-                <span title="${escapeHtml(selectedModels)}">${escapeHtml(selectedModels)}</span>
-            </td>
-            <td><span class="badge bg-${statusClass}">${statusLabel}</span></td>
-            <td class="text-end">
-                <div class="btn-group btn-group-sm" role="group">
-                    <button type="button" class="btn btn-outline-primary" data-action="edit" data-endpoint-id="${endpoint.id}">Edit</button>
-                    <button type="button" class="btn btn-outline-info" data-action="govern" data-endpoint-id="${endpoint.id}">Govern</button>
-                    <button type="button" class="btn btn-outline-secondary" data-action="duplicate" data-endpoint-id="${endpoint.id}">Duplicate</button>
-                    <button type="button" class="btn btn-outline-${endpoint.enabled ? "warning" : "success"}" data-action="toggle" data-endpoint-id="${endpoint.id}">${toggleLabel}</button>
-                    <button type="button" class="btn btn-outline-danger" data-action="delete" data-endpoint-id="${endpoint.id}">Delete</button>
-                </div>
-            </td>
-        `;
+        const endpointCell = document.createElement("td");
+        const endpointName = document.createElement("div");
+        endpointName.className = "fw-semibold";
+        endpointName.textContent = endpoint.name || "Unnamed Endpoint";
+        const endpointUrl = document.createElement("div");
+        endpointUrl.className = "text-muted small";
+        endpointUrl.textContent = endpoint.connection?.endpoint || "";
+        endpointCell.appendChild(endpointName);
+        endpointCell.appendChild(endpointUrl);
+
+        const providerCell = document.createElement("td");
+        providerCell.textContent = formatProviderLabel(endpoint.provider);
+
+        const modelsCell = document.createElement("td");
+        const modelsSpan = document.createElement("span");
+        modelsSpan.title = selectedModels;
+        modelsSpan.textContent = selectedModels;
+        modelsCell.appendChild(modelsSpan);
+
+        const statusCell = document.createElement("td");
+        const statusBadge = document.createElement("span");
+        statusBadge.className = `badge bg-${statusClass}`;
+        statusBadge.textContent = statusLabel;
+        statusCell.appendChild(statusBadge);
+
+        const actionsCell = document.createElement("td");
+        actionsCell.className = "text-end";
+        const actionsGroup = document.createElement("div");
+        actionsGroup.className = "btn-group btn-group-sm";
+        actionsGroup.setAttribute("role", "group");
+
+        const createEndpointButton = (action, label, className) => {
+            const button = document.createElement("button");
+            button.type = "button";
+            button.className = className;
+            button.dataset.action = action;
+            button.dataset.endpointId = endpoint.id || "";
+            button.textContent = label;
+            return button;
+        };
+
+        actionsGroup.appendChild(createEndpointButton("edit", "Edit", "btn btn-outline-primary"));
+        actionsGroup.appendChild(createEndpointButton("govern", "Govern", "btn btn-outline-info"));
+        actionsGroup.appendChild(createEndpointButton("duplicate", "Duplicate", "btn btn-outline-secondary"));
+        actionsGroup.appendChild(createEndpointButton("toggle", toggleLabel, `btn btn-outline-${endpoint.enabled ? "warning" : "success"}`));
+        actionsGroup.appendChild(createEndpointButton("delete", "Delete", "btn btn-outline-danger"));
+        actionsCell.appendChild(actionsGroup);
+
+        row.appendChild(endpointCell);
+        row.appendChild(providerCell);
+        row.appendChild(modelsCell);
+        row.appendChild(statusCell);
+        row.appendChild(actionsCell);
 
         endpointsTbody.appendChild(row);
     });
@@ -577,6 +610,7 @@ function ensureEndpointDuplicateKeyModal() {
             </div>
         `;
         const wrapper = document.createElement('div');
+        // xss-check: ignore - modalMarkup is a static Bootstrap shell; untrusted values are not interpolated.
         wrapper.innerHTML = modalMarkup.trim();
         modalElement = wrapper.firstElementChild;
         document.body.appendChild(modalElement);
diff --git a/application/single_app/static/js/plugin_common.js b/application/single_app/static/js/plugin_common.js
index ce9c94da3..dba421a09 100644
--- a/application/single_app/static/js/plugin_common.js
+++ b/application/single_app/static/js/plugin_common.js
@@ -75,74 +75,70 @@ export function renderPluginsTable({plugins, tbodySelector, onEdit, onDelete, on
     return;
   }
   tbody.innerHTML = '';
+
+  const createActionButton = (className, title, iconClass, handler, pluginName) => {
+    const button = document.createElement('button');
+    button.type = 'button';
+    button.className = className;
+    button.dataset.pluginName = pluginName;
+    button.title = title;
+    const icon = document.createElement('i');
+    icon.className = iconClass;
+    button.appendChild(icon);
+    button.addEventListener('click', () => {
+      if (handler) {
+        handler(pluginName);
+      }
+    });
+    return button;
+  };
+
   plugins.forEach(plugin => {
     const tr = document.createElement('tr');
-    const safeName = escapeHtml(plugin.name);
+    const pluginName = plugin.name || '';
     const displayName = humanizeName(plugin.display_name || plugin.name);
-    const safeDisplayName = escapeHtml(displayName);
     const description = plugin.description || 'No description available';
-    const truncatedDesc = escapeHtml(truncateDescription(description, 90));
-    let actionButtons = '';
-    let globalBadge = plugin.is_global ? ' <span class="badge bg-info text-dark">Global</span>' : '';
-    
-    // View button always shown
-    let viewButton = `<button type="button" class="btn btn-sm btn-outline-info view-plugin-btn me-1" data-plugin-name="${safeName}" title="View details">
-            <i class="bi bi-eye"></i>
-          </button>`;
-    
-    // Edit/Delete buttons based on context
+    const truncatedDesc = truncateDescription(description, 90);
+
+    const nameCell = document.createElement('td');
+    const nameStrong = document.createElement('strong');
+    nameStrong.title = plugin.display_name || plugin.name || '';
+    nameStrong.textContent = displayName;
+    nameCell.appendChild(nameStrong);
+    if (plugin.is_global) {
+      nameCell.appendChild(document.createTextNode(' '));
+      const globalBadge = document.createElement('span');
+      globalBadge.className = 'badge bg-info text-dark';
+      globalBadge.textContent = 'Global';
+      nameCell.appendChild(globalBadge);
+    }
+
+    const descriptionCell = document.createElement('td');
+    descriptionCell.className = 'text-muted small';
+    descriptionCell.title = description;
+    descriptionCell.textContent = truncatedDesc;
+
+    const actionsCell = document.createElement('td');
+    const actionButtons = document.createElement('div');
+    actionButtons.className = 'd-flex gap-1';
+    actionButtons.appendChild(createActionButton('btn btn-sm btn-outline-info view-plugin-btn me-1', 'View details', 'bi bi-eye', onView, pluginName));
+
     let editDeleteButtons = '';
     if (isAdmin || !plugin.is_global) {
-      editDeleteButtons = `
-          <button type="button" class="btn btn-sm btn-outline-secondary edit-plugin-btn" data-plugin-name="${safeName}" title="Edit action">
-            <i class="bi bi-pencil"></i>
-          </button>
-          ${isAdmin ? `<button type="button" class="btn btn-sm btn-outline-info govern-plugin-btn" data-plugin-name="${safeName}" title="Govern action">
-            <i class="bi bi-shield-check"></i>
-          </button>` : ''}
-          ${isAdmin ? `<button type="button" class="btn btn-sm btn-outline-secondary duplicate-plugin-btn" data-plugin-name="${safeName}" title="Duplicate action">
-            <i class="bi bi-files"></i>
-          </button>` : ''}
-          <button type="button" class="btn btn-sm btn-outline-danger delete-plugin-btn" data-plugin-name="${safeName}" title="Delete action">
-            <i class="bi bi-trash"></i>
-          </button>`;
+      actionButtons.appendChild(createActionButton('btn btn-sm btn-outline-secondary edit-plugin-btn', 'Edit action', 'bi bi-pencil', onEdit, pluginName));
+      if (isAdmin) {
+        actionButtons.appendChild(createActionButton('btn btn-sm btn-outline-info govern-plugin-btn', 'Govern action', 'bi bi-shield-check', onGovern, pluginName));
+        actionButtons.appendChild(createActionButton('btn btn-sm btn-outline-secondary duplicate-plugin-btn', 'Duplicate action', 'bi bi-files', onDuplicate, pluginName));
+      }
+      actionButtons.appendChild(createActionButton('btn btn-sm btn-outline-danger delete-plugin-btn', 'Delete action', 'bi bi-trash', onDelete, pluginName));
     }
-    actionButtons = `<div class="d-flex gap-1">${viewButton}${editDeleteButtons}</div>`;
-    tr.innerHTML = `
-      <td><strong title="${escapeHtml(plugin.display_name || plugin.name || '')}">${safeDisplayName}</strong>${globalBadge}</td>
-      <td class="text-muted small" title="${escapeHtml(description)}">${truncatedDesc}</td>
-      <td>${actionButtons}</td>
-    `;
+
+    actionsCell.appendChild(actionButtons);
+    tr.appendChild(nameCell);
+    tr.appendChild(descriptionCell);
+    tr.appendChild(actionsCell);
     tbody.appendChild(tr);
   });
-  // Attach event handlers
-  tbody.querySelectorAll('.edit-plugin-btn').forEach(btn => {
-    btn.onclick = () => onEdit(btn.getAttribute('data-plugin-name'));
-  });
-  tbody.querySelectorAll('.delete-plugin-btn').forEach(btn => {
-    btn.onclick = () => onDelete(btn.getAttribute('data-plugin-name'));
-  });
-  tbody.querySelectorAll('.govern-plugin-btn').forEach(btn => {
-    btn.onclick = () => {
-      if (onGovern) {
-        onGovern(btn.getAttribute('data-plugin-name'));
-      }
-    };
-  });
-  tbody.querySelectorAll('.duplicate-plugin-btn').forEach(btn => {
-    btn.onclick = () => {
-      if (onDuplicate) {
-        onDuplicate(btn.getAttribute('data-plugin-name'));
-      }
-    };
-  });
-  tbody.querySelectorAll('.view-plugin-btn').forEach(btn => {
-    btn.onclick = () => {
-      if (onView) {
-        onView(btn.getAttribute('data-plugin-name'));
-      }
-    };
-  });
 }
 
 // Render plugins grid (card-based view)
diff --git a/docs/explanation/fixes/GOVERNANCE_ADMIN_RENDERING_XSS_HARDENING.md b/docs/explanation/fixes/GOVERNANCE_ADMIN_RENDERING_XSS_HARDENING.md
new file mode 100644
index 000000000..fe391d9f0
--- /dev/null
+++ b/docs/explanation/fixes/GOVERNANCE_ADMIN_RENDERING_XSS_HARDENING.md
@@ -0,0 +1,47 @@
+# Governance Admin Rendering XSS Hardening
+
+Fixed/Implemented in version: **0.242.022**
+
+## Issue
+
+The PR readiness XSS sink check flagged changed admin browser-rendering paths where governance, endpoint, agent, and plugin metadata could reach dynamic HTML sinks or interpolated `data-*` attributes.
+
+## Root Cause
+
+Several changed JavaScript renderers built table rows and action buttons with template strings. Even when values were escaped, the repository guardrail requires new browser-rendering code to prefer DOM node creation, `textContent`, and inert `dataset` assignments for untrusted data.
+
+## Technical Details
+
+Files modified:
+
+- `application/single_app/static/js/admin/admin_agents.js`
+- `application/single_app/static/js/admin/admin_governance.js`
+- `application/single_app/static/js/admin/admin_model_endpoints.js`
+- `application/single_app/static/js/plugin_common.js`
+- `functional_tests/test_governance_enforcement_logic.py`
+- `functional_tests/test_governance_route_and_wiring_coverage.py`
+
+Code changes summary:
+
+- Replaced dynamic admin agent, model endpoint, and plugin table row HTML with DOM nodes and `textContent`.
+- Replaced icon-only `innerHTML` swaps with a Bootstrap icon helper that creates `i` elements directly.
+- Kept static Bootstrap modal shells in place with narrow `xss-check: ignore` comments that document the safe boundary.
+- Updated governance functional tests to align with multi-policy item access and DOM-based endpoint button wiring.
+
+## Validation
+
+Validation run:
+
+- `git diff --check origin/Development`
+- `python -m py_compile` for tracked `application/single_app` Python files
+- `python scripts/check_swagger_routes.py <changed application Python files>`
+- `python scripts/check_xss_sinks.py --base-sha origin/Development --head-sha HEAD <changed browser files>`
+- `python scripts/check_broken_access_control.py --base-sha origin/Development --head-sha HEAD <changed application Python files>`
+- `python -m pytest` for the changed functional test files
+- `python -m pytest` for the changed UI test files
+
+Result: static validation passed, changed functional tests passed, and changed UI tests produced one pass with environment-gated skips for authenticated Playwright scenarios.
+
+## Impact
+
+Admin governance and related endpoint, agent, and action management tables now follow the repository XSS-safe rendering pattern for changed surfaces while preserving the existing user workflows.
\ No newline at end of file
diff --git a/docs/explanation/release_notes.md b/docs/explanation/release_notes.md
index b630d55c1..6033abd7a 100644
--- a/docs/explanation/release_notes.md
+++ b/docs/explanation/release_notes.md
@@ -8,12 +8,29 @@ For feature-focused and fix-focused drill-downs by version, see [Features by Ver
 
 #### New Features
 
+*   **Governance Controls for Endpoints, Agents, and Actions**
+    *   Added in-app governance policies that let administrators control access to personal, group, and global endpoints, agents, and actions.
+    *   Added feature-level policies, delegated item policies, review workflows, backend enforcement, and Admin Settings UI for managing governance allowlists.
+    *   (Ref: governance policies, delegated item policies, Admin Settings Governance tab)
+
+*   **Governance and App Settings Cache Versioning**
+    *   Added cache-version coordination so settings and governance policy changes can invalidate stale worker process caches across Redis-enabled and non-Redis deployments.
+    *   Keeps hot-path settings and governance checks fast while reducing stale reads after admin changes.
+    *   (Ref: app settings cache, governance cache versioning)
+
 *   **Pull Request Preparation Prompt**
     *   Added a reusable Copilot prompt for preparing SimpleChat branches for pull requests into `Development`.
     *   The workflow verifies branch freshness against `Development`, runs repo-aligned validation checks, updates release notes when needed, and gates push or PR creation behind explicit user confirmation.
     *   Optional merge or rebase from `Development` is supported only when requested, with conflicts resolved interactively by the agent after explaining each side of the conflict.
     *   (Ref: `.github/prompts/prepare-for-pull-request.prompt.md`, PR readiness workflow, Development branch validation)
 
+#### Bug Fixes
+
+*   **Governance Admin Rendering XSS Hardening**
+    *   Reworked changed admin governance, model endpoint, agent, and plugin table rendering paths so untrusted names, descriptions, IDs, and labels are populated with DOM APIs and `textContent` instead of interpolated HTML attributes.
+    *   Added narrow reviewed XSS guardrail suppressions only for static Bootstrap modal shells that do not interpolate untrusted values.
+    *   (Ref: governance admin UI, model endpoint table, plugin table rendering, XSS sink validation)
+
 ### **(v0.241.007)**
 
 ## New Feature
diff --git a/functional_tests/test_governance_enforcement_logic.py b/functional_tests/test_governance_enforcement_logic.py
index cbac63d21..044b62391 100644
--- a/functional_tests/test_governance_enforcement_logic.py
+++ b/functional_tests/test_governance_enforcement_logic.py
@@ -2,8 +2,8 @@
 #!/usr/bin/env python3
 """
 Functional test for governance enforcement logic.
-Version: 0.241.010
-Implemented in: 0.241.010
+Version: 0.242.022
+Implemented in: 0.241.010; updated in 0.242.022
 
 This test ensures ensure_governance_access correctly allows and denies access
 based on feature toggles, feature policies, item policies, and caller groups.
@@ -55,7 +55,7 @@ def test_ensure_governance_access_enforces_feature_and_item_policies():
 
     original_get_settings = governance.get_settings
     original_get_feature_policy = governance.get_feature_policy
-    original_get_item_policy = governance.get_item_policy
+    original_get_item_policies = governance.get_item_policies
     original_get_user_governance_group_ids = governance.get_user_governance_group_ids
 
     try:
@@ -67,11 +67,13 @@ def test_ensure_governance_access_enforces_feature_and_item_policies():
             "allowed_groups": ["group-a"],
         }
 
-        governance.get_item_policy = lambda _entity_type, _item_id: {
-            "allow_all": False,
-            "allowed_users": ["user-allowed"],
-            "allowed_groups": [],
-        }
+        governance.get_item_policies = lambda _entity_type, _item_id: [
+            {
+                "allow_all": False,
+                "allowed_users": ["user-allowed"],
+                "allowed_groups": [],
+            }
+        ]
 
         # 1) Allowed by feature policy via group membership and by item policy via user allowlist.
         governance.get_user_governance_group_ids = lambda _user_id: {"group-a"}
@@ -115,7 +117,7 @@ def test_ensure_governance_access_enforces_feature_and_item_policies():
     finally:
         governance.get_settings = original_get_settings
         governance.get_feature_policy = original_get_feature_policy
-        governance.get_item_policy = original_get_item_policy
+        governance.get_item_policies = original_get_item_policies
         governance.get_user_governance_group_ids = original_get_user_governance_group_ids
 
 
diff --git a/functional_tests/test_governance_route_and_wiring_coverage.py b/functional_tests/test_governance_route_and_wiring_coverage.py
index 4b41eff3c..f1f4f729d 100644
--- a/functional_tests/test_governance_route_and_wiring_coverage.py
+++ b/functional_tests/test_governance_route_and_wiring_coverage.py
@@ -236,7 +236,7 @@ def test_governance_enforcement_hooks_across_changed_routes():
     admin_agents_js_content = _read("application", "single_app", "static", "js", "admin", "admin_agents.js")
     admin_plugins_js_content = _read("application", "single_app", "static", "js", "admin", "admin_plugins.js")
     plugin_common_js_content = _read("application", "single_app", "static", "js", "plugin_common.js")
-    for marker in ["data-action=\"govern\"", "data-action=\"duplicate\"", "endpoint-duplicate-key-confirm-modal"]:
+    for marker in ["createEndpointButton(\"govern\"", "createEndpointButton(\"duplicate\"", "endpoint-duplicate-key-confirm-modal"]:
         assert marker in model_endpoint_js_content, f"Missing endpoint governance/duplicate marker: {marker}"
     for marker in ["govern-agent-btn", "duplicate-agent-btn", "governAgent", "duplicateAgent"]:
         assert marker in admin_agents_js_content, f"Missing agent governance/duplicate marker: {marker}"

From 3201a44c3c8936de3196b2fa72009d38fbe53799 Mon Sep 17 00:00:00 2001
From: Bionic711 <nadoyle@microsoft.com>
Date: Sun, 7 Jun 2026 22:05:47 -0500
Subject: [PATCH 05/12] upd gitignore

---
 .gitignore | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.gitignore b/.gitignore
index 1c45c6547..7faa6693f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -52,4 +52,4 @@ nul
 /artifacts/tmp
 scripts/agent.json
 scripts/me.json
-.github/instructions/local.instructions.md
+.github/instructions/local.instructions.md

From 08f6ebeeecfbbc5f5d4fb4b29df09e8c6e268f4f Mon Sep 17 00:00:00 2001
From: Bionic711 <nadoyle@microsoft.com>
Date: Wed, 10 Jun 2026 10:23:49 -0500
Subject: [PATCH 06/12] add custom pages with default access

---
 .gitignore                                    | 110 +--
 application/single_app/app.py                 |  11 +
 application/single_app/config.py              |   8 +-
 .../single_app/custom_page_extension.py       |  39 ++
 .../single_app/custom_pages/assets/.gitkeep   |   0
 .../single_app/custom_pages/css/.gitkeep      |   0
 .../custom_pages/css/request-access.css       |  39 ++
 .../single_app/custom_pages/html/.gitkeep     |   0
 .../custom_pages/html/request-access.html     |  16 +
 .../single_app/custom_pages/js/.gitkeep       |   0
 .../single_app/custom_pages/json/.gitkeep     |   0
 .../single_app/custom_pages/python/.gitkeep   |   0
 .../single_app/docs/how-to/custom_pages.md    | 162 +++++
 .../single_app/functions_custom_pages.py      | 428 ++++++++++++
 application/single_app/functions_documents.py | 192 +++++-
 application/single_app/functions_settings.py  |  13 +
 application/single_app/route_custom_pages.py  | 273 ++++++++
 .../route_frontend_admin_settings.py          | 127 +++-
 .../single_app/static/css/navigation.css      |  34 +
 application/single_app/static/css/sidebar.css |  46 ++
 .../static/js/admin/admin_custom_pages.js     | 631 ++++++++++++++++++
 .../static/js/admin/admin_model_endpoints.js  | 165 ++++-
 .../static/js/admin/admin_sidebar_nav.js      |   1 +
 .../templates/_custom_pages_drawer.html       |  55 ++
 .../single_app/templates/_sidebar_nav.html    |  83 +++
 .../single_app/templates/_top_nav.html        |  67 ++
 .../single_app/templates/admin_settings.html  | 335 +++++++++-
 application/single_app/templates/base.html    |   1 +
 .../templates/custom_page_shell.html          |  28 +
 application/single_app/templates/index.html   |   5 +
 docs/explanation/features/CUSTOM_PAGES.md     | 129 ++++
 docs/explanation/release_notes.md             |   9 +
 docs/how-to/custom_pages.md                   |  40 ++
 .../example-python-dashboard.css              |  62 ++
 .../example-python-dashboard.html             |  45 ++
 .../example-python-dashboard.js               |  55 ++
 .../example_python_dashboard.py               |  80 +++
 .../simple-html/example-simple.html           |  12 +
 .../static-html-css-js/cat.mp4                | Bin 0 -> 107659 bytes
 .../static-html-css-js/example-static.css     |  98 +++
 .../static-html-css-js/example-static.html    |  45 ++
 .../static-html-css-js/example-static.js      |  30 +
 docs/how-to/index.md                          |   2 +-
 functional_tests/test_custom_pages_wiring.py  | 284 ++++++++
 44 files changed, 3630 insertions(+), 130 deletions(-)
 create mode 100644 application/single_app/custom_page_extension.py
 create mode 100644 application/single_app/custom_pages/assets/.gitkeep
 create mode 100644 application/single_app/custom_pages/css/.gitkeep
 create mode 100644 application/single_app/custom_pages/css/request-access.css
 create mode 100644 application/single_app/custom_pages/html/.gitkeep
 create mode 100644 application/single_app/custom_pages/html/request-access.html
 create mode 100644 application/single_app/custom_pages/js/.gitkeep
 create mode 100644 application/single_app/custom_pages/json/.gitkeep
 create mode 100644 application/single_app/custom_pages/python/.gitkeep
 create mode 100644 application/single_app/docs/how-to/custom_pages.md
 create mode 100644 application/single_app/functions_custom_pages.py
 create mode 100644 application/single_app/route_custom_pages.py
 create mode 100644 application/single_app/static/js/admin/admin_custom_pages.js
 create mode 100644 application/single_app/templates/_custom_pages_drawer.html
 create mode 100644 application/single_app/templates/custom_page_shell.html
 create mode 100644 docs/explanation/features/CUSTOM_PAGES.md
 create mode 100644 docs/how-to/custom_pages.md
 create mode 100644 docs/how-to/custom_pages_examples/python-jinja-api/example-python-dashboard.css
 create mode 100644 docs/how-to/custom_pages_examples/python-jinja-api/example-python-dashboard.html
 create mode 100644 docs/how-to/custom_pages_examples/python-jinja-api/example-python-dashboard.js
 create mode 100644 docs/how-to/custom_pages_examples/python-jinja-api/example_python_dashboard.py
 create mode 100644 docs/how-to/custom_pages_examples/simple-html/example-simple.html
 create mode 100644 docs/how-to/custom_pages_examples/static-html-css-js/cat.mp4
 create mode 100644 docs/how-to/custom_pages_examples/static-html-css-js/example-static.css
 create mode 100644 docs/how-to/custom_pages_examples/static-html-css-js/example-static.html
 create mode 100644 docs/how-to/custom_pages_examples/static-html-css-js/example-static.js
 create mode 100644 functional_tests/test_custom_pages_wiring.py

diff --git a/.gitignore b/.gitignore
index 7faa6693f..31e151b24 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,55 +1,55 @@
-
-# Azure Functions artifacts
-bin
-obj
-appsettings.json
-local.settings.json
-
-# Azurite artifacts
-__blobstorage__
-__queuestorage__
-__azurite_db*__.json
-.python_packages
-__pycache__
-.venv
-
-# Azure App Service artifacts
-.env
-.pem
-.deployment
-
-# macOS  custom attributes file
-.ds_store
-
-# Configured custom script extensions, powershell scripts, and linux scripts
-priv-*
-
-# Visual Studio Code
-.vscode
-
-# temporary files
-flask_session
-
-# node modules
-/node_modules
-/package-lock.json
-/package.json
-application/single_app/static/.DS_Store
-application/external_apps/bulkloader/map.csv
-
-flask_session
-**/abd_proto.py
-**/my_chart.png
-**/sample_pie.csv
-**/sample_stacked_column.csv
-tmp**cwd
-/tmp_images
-nul
-/.github/plans
-*.xlsx
-/artifacts/tests
-/artifacts/tmp/*
-/artifacts/tmp
-scripts/agent.json
-scripts/me.json
-.github/instructions/local.instructions.md
+
+# Azure Functions artifacts
+bin
+obj
+appsettings.json
+local.settings.json
+
+# Azurite artifacts
+__blobstorage__
+__queuestorage__
+__azurite_db*__.json
+.python_packages
+__pycache__
+.venv
+
+# Azure App Service artifacts
+.env
+.pem
+.deployment
+
+# macOS  custom attributes file
+.ds_store
+
+# Configured custom script extensions, powershell scripts, and linux scripts
+priv-*
+
+# Visual Studio Code
+.vscode
+
+# temporary files
+flask_session
+
+# node modules
+/node_modules
+/package-lock.json
+/package.json
+application/single_app/static/.DS_Store
+application/external_apps/bulkloader/map.csv
+
+flask_session
+**/abd_proto.py
+**/my_chart.png
+**/sample_pie.csv
+**/sample_stacked_column.csv
+tmp**cwd
+/tmp_images
+nul
+/.github/plans
+*.xlsx
+/artifacts/tests
+/artifacts/tmp/*
+/artifacts/tmp
+scripts/agent.json
+scripts/me.json
+.github/instructions/local.instructions.md
diff --git a/application/single_app/app.py b/application/single_app/app.py
index 5433d5266..711931da8 100644
--- a/application/single_app/app.py
+++ b/application/single_app/app.py
@@ -52,6 +52,7 @@
 from route_frontend_feedback import *
 from route_frontend_support import *
 from route_frontend_notifications import *
+from route_custom_pages import register_route_custom_pages
 
 from route_backend_chats import *
 from route_backend_conversations import *
@@ -85,6 +86,7 @@
 from route_openapi import register_openapi_routes
 from route_migration import bp_migration
 from route_plugin_logging import bpl as plugin_logging_bp
+from functions_custom_pages import get_custom_pages_nav
 from functions_debug import debug_print
 
 from opentelemetry.instrumentation.flask import FlaskInstrumentor
@@ -545,6 +547,11 @@ def inject_settings():
     public_settings = sanitize_settings_for_user(settings)
     idle_timeout_enabled = is_idle_timeout_enabled(settings)
     idle_timeout_minutes, idle_warning_minutes = get_idle_timeout_settings(settings)
+    custom_pages_nav = []
+    try:
+        custom_pages_nav = get_custom_pages_nav(settings)
+    except Exception as e:
+        log_event(f"[CustomPages] Error injecting custom page navigation: {e}", level=logging.ERROR, exceptionTraceback=True)
     # Inject per-user settings if logged in
     user_settings = {}
     try:
@@ -559,6 +566,7 @@ def inject_settings():
     return dict(
         app_settings=public_settings,
         user_settings=user_settings,
+        custom_pages_nav=custom_pages_nav,
         idle_timeout_enabled=idle_timeout_enabled,
         idle_timeout_minutes=idle_timeout_minutes,
         idle_warning_minutes=idle_warning_minutes
@@ -890,6 +898,9 @@ def list_semantic_kernel_plugins():
 # ------------------- Notifications Routes --------------
 register_route_frontend_notifications(app)
 
+# ------------------- Custom Pages Routes ---------------
+register_route_custom_pages(app)
+
 # ------------------- API Chat Routes --------------------
 register_route_backend_chats(app)
 
diff --git a/application/single_app/config.py b/application/single_app/config.py
index ead06b3d7..30f615f0d 100644
--- a/application/single_app/config.py
+++ b/application/single_app/config.py
@@ -94,7 +94,7 @@
 EXECUTOR_TYPE = 'thread'
 EXECUTOR_MAX_WORKERS = 30
 SESSION_TYPE = 'filesystem'
-VERSION = "0.242.022"
+VERSION = "0.242.037"
 
 SECRET_KEY = os.getenv('SECRET_KEY', 'dev-secret-key-change-in-production')
 
@@ -358,6 +358,12 @@ def get_redis_cache_infrastructure_endpoint(redis_hostname: str) -> str:
     partition_key=PartitionKey(path="/id")
 )
 
+cosmos_custom_pages_container_name = "custom_pages"
+cosmos_custom_pages_container = cosmos_database.create_container_if_not_exists(
+    id=cosmos_custom_pages_container_name,
+    partition_key=PartitionKey(path="/id")
+)
+
 cosmos_groups_container_name = "groups"
 cosmos_groups_container = cosmos_database.create_container_if_not_exists(
     id=cosmos_groups_container_name,
diff --git a/application/single_app/custom_page_extension.py b/application/single_app/custom_page_extension.py
new file mode 100644
index 000000000..a2afa8c9f
--- /dev/null
+++ b/application/single_app/custom_page_extension.py
@@ -0,0 +1,39 @@
+# custom_page_extension.py
+"""
+Trusted custom page extension contract for deployment-time SimpleChat customizations.
+"""
+
+from typing import Any, Dict, Optional
+
+
+def custom_page(**metadata):
+    """Attach SimpleChat custom page metadata to an extension class or factory."""
+    def decorator(extension_object):
+        extension_object.__simplechat_custom_page__ = metadata
+        return extension_object
+
+    return decorator
+
+
+class CustomPageExtension:
+    """Base class for trusted Python-backed custom pages."""
+
+    metadata: Dict[str, Any] = {}
+
+    def __init__(self, metadata_override: Optional[Dict[str, Any]] = None):
+        if metadata_override:
+            merged_metadata = dict(self.metadata or {})
+            merged_metadata.update(metadata_override)
+            self.metadata = merged_metadata
+
+    def render(self, context: Dict[str, Any]):
+        """Render the custom page response."""
+        raise NotImplementedError("Custom page extensions must implement render(context).")
+
+    def handle_api(self, operation: str, context: Dict[str, Any]):
+        """Handle a custom page API operation."""
+        raise NotImplementedError("This custom page does not expose API operations.")
+
+    def health_check(self, context: Dict[str, Any]) -> Dict[str, Any]:
+        """Return optional health details for the extension."""
+        return {"healthy": True}
\ No newline at end of file
diff --git a/application/single_app/custom_pages/assets/.gitkeep b/application/single_app/custom_pages/assets/.gitkeep
new file mode 100644
index 000000000..e69de29bb
diff --git a/application/single_app/custom_pages/css/.gitkeep b/application/single_app/custom_pages/css/.gitkeep
new file mode 100644
index 000000000..e69de29bb
diff --git a/application/single_app/custom_pages/css/request-access.css b/application/single_app/custom_pages/css/request-access.css
new file mode 100644
index 000000000..3c5c4ef7d
--- /dev/null
+++ b/application/single_app/custom_pages/css/request-access.css
@@ -0,0 +1,39 @@
+/* request-access.css */
+.request-access-page {
+    display: flex;
+    justify-content: center;
+    padding: 3rem 1rem;
+}
+
+.request-access-page__content {
+    width: min(100%, 42rem);
+    border: 1px solid var(--bs-border-color);
+    border-radius: 8px;
+    padding: 2rem;
+    background: var(--bs-body-bg);
+    text-align: center;
+}
+
+.request-access-page__eyebrow {
+    margin-bottom: 0.5rem;
+    color: var(--bs-secondary-color);
+    font-size: 0.8125rem;
+    font-weight: 700;
+    letter-spacing: 0.08em;
+    text-transform: uppercase;
+}
+
+.request-access-page__title {
+    margin-bottom: 0.75rem;
+    font-size: 2rem;
+}
+
+.request-access-page__summary {
+    margin: 0 auto 1.5rem;
+    max-width: 34rem;
+    color: var(--bs-secondary-color);
+}
+
+.request-access-page__button {
+    min-width: 12rem;
+}
\ No newline at end of file
diff --git a/application/single_app/custom_pages/html/.gitkeep b/application/single_app/custom_pages/html/.gitkeep
new file mode 100644
index 000000000..e69de29bb
diff --git a/application/single_app/custom_pages/html/request-access.html b/application/single_app/custom_pages/html/request-access.html
new file mode 100644
index 000000000..bccb0fb9e
--- /dev/null
+++ b/application/single_app/custom_pages/html/request-access.html
@@ -0,0 +1,16 @@
+<!-- request-access.html -->
+<section class="request-access-page">
+    <div class="request-access-page__content">
+        <p class="request-access-page__eyebrow">SimpleChat access</p>
+        <h1 class="request-access-page__title">Request access to SimpleChat</h1>
+        <p class="request-access-page__summary">
+            Your account is signed in, but it does not yet have the base user role required to use this SimpleChat instance.
+        </p>
+        <a
+            class="btn btn-primary btn-lg request-access-page__button"
+            href="mailto:accessrequest@example.com?subject=SimpleChat%20Access%20Request&body=Please%20grant%20me%20the%20user%20role%20in%20simplechat%20so%20that%20I%20may%20start%20using%20this%20wonderful%20tool"
+        >
+            Request Access
+        </a>
+    </div>
+</section>
\ No newline at end of file
diff --git a/application/single_app/custom_pages/js/.gitkeep b/application/single_app/custom_pages/js/.gitkeep
new file mode 100644
index 000000000..e69de29bb
diff --git a/application/single_app/custom_pages/json/.gitkeep b/application/single_app/custom_pages/json/.gitkeep
new file mode 100644
index 000000000..e69de29bb
diff --git a/application/single_app/custom_pages/python/.gitkeep b/application/single_app/custom_pages/python/.gitkeep
new file mode 100644
index 000000000..e69de29bb
diff --git a/application/single_app/docs/how-to/custom_pages.md b/application/single_app/docs/how-to/custom_pages.md
new file mode 100644
index 000000000..dd57bf00b
--- /dev/null
+++ b/application/single_app/docs/how-to/custom_pages.md
@@ -0,0 +1,162 @@
+# Create Custom Pages
+
+Custom Pages let deployment teams add trusted pages under `/custom` without editing the core SimpleChat route table. Use this guide for the built-in Request Access page and the three supported patterns: simple HTML, static HTML/CSS/JS, and Python-backed Jinja/API pages.
+
+Custom Pages are trusted deployment-time content. They are not runtime user uploads. Static page metadata is stored in the `custom_pages` Cosmos container, while files live in the deployed artifact under `application/single_app/custom_pages/`.
+
+## Before You Start
+
+1. Deploy files under `application/single_app/custom_pages/` in the matching folders: `html`, `css`, `js`, `assets`, `json`, and `python`.
+2. Enable Custom Pages in Admin Settings > Custom Pages.
+3. Acknowledge the restart requirement when enabling the feature from a disabled state.
+4. Restart the App Service or local Flask process after deploying new files or Python-backed pages.
+
+The canonical route format is `/custom/<slug>`. Static-looking aliases such as `/custom/<slug>.html` are also supported.
+
+## Built-In Request Access Page
+
+SimpleChat includes a practical static page that helps signed-in users request the base `User` role. It is not automatically inserted into Cosmos DB. Admins can instantiate it from Admin Settings > Custom Pages by selecting **Add Request Access Page**.
+
+The one-click action creates static page metadata and enables the access-denied button on the home page for signed-in users who do not yet have an app role.
+
+Request Access metadata:
+
+| Field | Value |
+| --- | --- |
+| Slug | `request-access` |
+| Title | `Request SimpleChat Access` |
+| Description | `A signed-in access request page for users who need the base User role.` |
+| Navigation Label | `Request Access` |
+| Bootstrap Icon | `bi-person-plus` |
+| Order | `5` |
+| Access Level | `Any signed-in user` |
+| Allowed Roles | leave blank |
+| HTML File | `request-access.html` |
+| CSS Files | add `request-access.css` |
+| JavaScript Files | no files |
+| Asset Files | no files |
+| JSON Files | no files |
+| Enabled | on |
+| Show in Navigation | off |
+| Open in New Tab | off |
+
+The page opens the user's email client with:
+
+- To: `accessrequest@example.com`
+- Subject: `SimpleChat Access Request`
+- Body: `Please grant me the user role in simplechat so that I may start using this wonderful tool`
+
+## Access Levels
+
+Static page metadata has an Access Level field:
+
+- `App users only`: requires the signed-in user to have `User` or `Admin` before page-specific roles are checked.
+- `Any signed-in user`: requires login, but does not require the base app role before page-specific roles are checked.
+
+Use `Any signed-in user` sparingly. It is intended for bootstrap flows like Request Access. Most custom pages should stay `App users only`.
+
+## Pattern 1: Simple HTML Page
+
+Use this when the page only needs trusted HTML and Bootstrap classes already available from the SimpleChat shell.
+
+Place the HTML fragment in `application/single_app/custom_pages/html/`.
+
+Example file: `example-simple.html`
+
+Sample source: `docs/how-to/custom_pages_examples/simple-html/example-simple.html`
+
+Metadata editor values:
+
+| Field | Value |
+| --- | --- |
+| Slug | `example-simple` |
+| Title | `Simple HTML Example` |
+| Description | `A minimal custom page loaded from a trusted HTML fragment.` |
+| Navigation Label | `Simple HTML` |
+| Bootstrap Icon | `bi-file-earmark-text` |
+| Order | `10` |
+| Allowed Roles | leave blank for all signed-in users, or use a role such as `User` |
+| HTML File | `example-simple.html` |
+| CSS Files | no files |
+| JavaScript Files | no files |
+| Asset Files | no files |
+| JSON Files | no files |
+| Enabled | on |
+| Show in Navigation | on |
+| Open in New Tab | off |
+
+After saving metadata, test `/custom/example-simple` and `/custom/example-simple.html`.
+
+## Pattern 2: Static HTML, CSS, and JavaScript Page
+
+Use this when a static page needs page-specific styling or client-side behavior.
+
+Place files in these folders:
+
+- HTML in `application/single_app/custom_pages/html/`
+- CSS in `application/single_app/custom_pages/css/`
+- JavaScript modules in `application/single_app/custom_pages/js/`
+- Images and other static files in `application/single_app/custom_pages/assets/`
+- JSON data in `application/single_app/custom_pages/json/`
+
+Example files:
+
+- `html/example-static.html`
+- `css/example-static.css`
+- `js/example-static.js`
+- `assets/cat.mp4`
+
+Sample source folder: `docs/how-to/custom_pages_examples/static-html-css-js/`
+
+Metadata editor values:
+
+| Field | Value |
+| --- | --- |
+| Slug | `example-static` |
+| Title | `Static HTML with CSS/JS Example` |
+| Description | `A custom static page with deployed HTML, CSS, and JavaScript.` |
+| Navigation Label | `Static Example` |
+| Bootstrap Icon | `bi-window` |
+| Order | `20` |
+| Allowed Roles | leave blank for all signed-in users, or use a role such as `User` |
+| HTML File | `example-static.html` |
+| CSS Files | add `example-static.css` |
+| JavaScript Files | add `example-static.js` |
+| Asset Files | add `cat.mp4` |
+| JSON Files | add only JSON or CSV files the page must fetch through `/custom/assets/...` |
+| Enabled | on |
+| Show in Navigation | on |
+| Open in New Tab | off |
+
+The metadata designer stores CSS, JavaScript, asset, and JSON references as arrays. Add one file at a time in the modal so the page only serves files explicitly declared by metadata.
+
+## Pattern 3: Python-Backed Jinja Page with Backend API
+
+Use this when the page needs server-side rendering, access to request context, or a custom backend operation.
+
+Place the Python extension in `application/single_app/custom_pages/python/`. The extension must subclass `CustomPageExtension` and provide metadata with a unique `slug`. It can render a template from `custom_pages/html/` and handle API operations through `/api/custom/<slug>/<operation>`.
+
+Example files:
+
+- `python/example_python_dashboard.py`
+- `html/example-python-dashboard.html`
+- `css/example-python-dashboard.css`
+- `js/example-python-dashboard.js`
+
+Sample source folder: `docs/how-to/custom_pages_examples/python-jinja-api/`
+
+Do not create Python-backed pages in the metadata editor. Python-backed pages are discovered from code at app startup. Restart the App Service after deploying or changing Python-backed page files.
+
+The example page appears at `/custom/example-python-dashboard`, and its sample API endpoint is `/api/custom/example-python-dashboard/status`.
+
+## Role Behavior
+
+Leave Allowed Roles blank to allow any signed-in user. Use role names such as `User` to restrict access. `Admin` satisfies `User` because `User` is the base application role. For any other role, every user, including admins, must have at least one exact matching role in their current SimpleChat session. A role name that does not exist in the app registration will not appear in user tokens, so it will deny access unless the role is otherwise present in the session.
+
+## Troubleshooting
+
+- If a static page does not appear in navigation, verify the metadata is enabled and `Show in Navigation` is on.
+- If a static page returns `Not Found`, verify the slug, HTML file name, feature toggle, and App Service restart state.
+- If CSS or JavaScript does not load, verify the file is listed in metadata and exists in the matching folder.
+- If a Python-backed page does not appear, restart the App Service after deploying the Python file.
+- If `/custom/<slug>` works but `/custom/<slug>.html` does not, restart the app to load the latest route registration.
\ No newline at end of file
diff --git a/application/single_app/functions_custom_pages.py b/application/single_app/functions_custom_pages.py
new file mode 100644
index 000000000..fad7e96f3
--- /dev/null
+++ b/application/single_app/functions_custom_pages.py
@@ -0,0 +1,428 @@
+# functions_custom_pages.py
+"""Custom Pages registry, validation, discovery, and navigation helpers."""
+
+import importlib.util
+import inspect
+import logging
+import os
+import re
+from datetime import datetime
+from typing import Any, Dict, List, Optional, Tuple
+
+from azure.cosmos import exceptions
+from flask import has_app_context, session, url_for
+
+from config import cosmos_custom_pages_container
+from custom_page_extension import CustomPageExtension
+from functions_appinsights import log_event
+
+
+CUSTOM_PAGES_DIR = os.path.join(os.path.dirname(__file__), "custom_pages")
+CUSTOM_PAGE_SOURCE_COSMOS = "cosmos"
+CUSTOM_PAGE_SOURCE_PYTHON = "python"
+SLUG_PATTERN = re.compile(r"^[a-z0-9][a-z0-9_-]{0,63}$")
+ENTRY_TYPES = {"static", "python"}
+ACCESS_LEVELS = {"app_user", "authenticated"}
+ASSET_FOLDERS = {
+    "html": {".html", ".htm"},
+    "css": {".css"},
+    "js": {".js", ".mjs"},
+    "assets": {
+        ".png", ".jpg", ".jpeg", ".gif", ".webp", ".svg", ".ico",
+        ".woff", ".woff2", ".ttf", ".otf", ".pdf", ".mp4", ".webm",
+    },
+    "json": {".json", ".csv"},
+}
+LIST_FIELDS = ("roles", "css_files", "js_files", "asset_files", "json_files")
+PYTHON_EXTENSION_CACHE: Optional[Dict[str, Dict[str, Any]]] = None
+
+
+def is_custom_pages_enabled(settings: Optional[Dict[str, Any]] = None) -> bool:
+    """Return True when custom pages are globally enabled."""
+    return bool((settings or {}).get("enable_custom_pages", False))
+
+
+def is_safe_slug(slug: str) -> bool:
+    """Return True when a slug is safe for URL and lookup use."""
+    return isinstance(slug, str) and bool(SLUG_PATTERN.fullmatch(slug.strip()))
+
+
+def normalize_custom_page_metadata(
+    metadata: Dict[str, Any],
+    source: str = CUSTOM_PAGE_SOURCE_COSMOS,
+) -> Dict[str, Any]:
+    """Normalize a custom page metadata payload into the persisted contract."""
+    page = dict(metadata or {})
+    slug = str(page.get("slug") or page.get("id") or "").strip().lower()
+    title = str(page.get("title") or page.get("nav_label") or slug).strip()
+    nav_label = str(page.get("nav_label") or title or slug).strip()
+    entry_type = str(page.get("entry_type") or "static").strip().lower()
+
+    normalized = {
+        "id": slug,
+        "slug": slug,
+        "title": title,
+        "description": str(page.get("description") or "").strip(),
+        "enabled": _coerce_bool(page.get("enabled", True)),
+        "entry_type": entry_type,
+        "access_level": str(page.get("access_level") or "app_user").strip().lower(),
+        "nav_label": nav_label,
+        "nav_icon": _normalize_icon(page.get("nav_icon")),
+        "nav_order": _coerce_int(page.get("nav_order"), 100),
+        "roles": _normalize_string_list(page.get("roles")),
+        "show_in_nav": _coerce_bool(page.get("show_in_nav", True)),
+        "open_in_new_tab": _coerce_bool(page.get("open_in_new_tab", False)),
+        "render_jinja": _coerce_bool(page.get("render_jinja", False)),
+        "html_file": _normalize_optional_path(page.get("html_file")),
+        "css_files": _normalize_string_list(page.get("css_files")),
+        "js_files": _normalize_string_list(page.get("js_files")),
+        "asset_files": _normalize_string_list(page.get("asset_files")),
+        "json_files": _normalize_string_list(page.get("json_files")),
+        "source": source,
+    }
+
+    for optional_key in ("module", "class_name", "decorated_extension_id", "blueprint_name"):
+        if page.get(optional_key):
+            normalized[optional_key] = str(page.get(optional_key)).strip()
+
+    return normalized
+
+
+def validate_custom_page_metadata(metadata: Dict[str, Any], require_static_html: bool = False) -> List[str]:
+    """Validate a custom page metadata payload and return error messages."""
+    page = normalize_custom_page_metadata(metadata, source=metadata.get("source", CUSTOM_PAGE_SOURCE_COSMOS))
+    errors = []
+
+    if not is_safe_slug(page.get("slug")):
+        errors.append("Slug must start with a lowercase letter or number and use only lowercase letters, numbers, hyphens, or underscores.")
+    if not page.get("title"):
+        errors.append("Title is required.")
+    if page.get("entry_type") not in ENTRY_TYPES:
+        errors.append("entry_type must be either static or python.")
+    if page.get("access_level") not in ACCESS_LEVELS:
+        errors.append("access_level must be either app_user or authenticated.")
+    if page.get("entry_type") == "static" and require_static_html and not page.get("html_file"):
+        errors.append("Static custom pages require an HTML file.")
+
+    if page.get("html_file"):
+        errors.extend(validate_custom_page_file_reference("html", page["html_file"]))
+    for file_name in page.get("css_files", []):
+        errors.extend(validate_custom_page_file_reference("css", file_name))
+    for file_name in page.get("js_files", []):
+        errors.extend(validate_custom_page_file_reference("js", file_name))
+    for file_name in page.get("asset_files", []):
+        errors.extend(validate_custom_page_file_reference("assets", file_name))
+    for file_name in page.get("json_files", []):
+        errors.extend(validate_custom_page_file_reference("json", file_name))
+
+    return errors
+
+
+def validate_custom_page_file_reference(folder: str, file_name: str) -> List[str]:
+    """Validate a metadata file reference without requiring file existence."""
+    errors = []
+    if folder not in ASSET_FOLDERS:
+        return [f"Unsupported custom page folder: {folder}"]
+    if not isinstance(file_name, str) or not file_name.strip():
+        return [f"{folder} file reference cannot be empty."]
+    normalized = file_name.replace("\\", "/").strip()
+    if normalized.startswith("/") or ".." in normalized.split("/"):
+        errors.append(f"Unsafe {folder} file path: {file_name}")
+    extension = os.path.splitext(normalized)[1].lower()
+    if extension not in ASSET_FOLDERS[folder]:
+        errors.append(f"Unsupported {folder} file extension for {file_name}.")
+    return errors
+
+
+def list_custom_pages(include_python: bool = True) -> List[Dict[str, Any]]:
+    """Return custom page metadata from Cosmos and optional Python extensions."""
+    pages = {}
+    for page in list_cosmos_custom_pages():
+        pages[page["slug"]] = page
+
+    if include_python:
+        for slug, page in discover_python_custom_pages().items():
+            pages[slug] = page
+
+    return sorted(pages.values(), key=lambda item: (item.get("nav_order", 100), item.get("nav_label", "").lower()))
+
+
+def list_cosmos_custom_pages() -> List[Dict[str, Any]]:
+    """Return static custom page metadata stored in Cosmos DB."""
+    try:
+        items = list(cosmos_custom_pages_container.query_items(
+            query="SELECT * FROM c",
+            enable_cross_partition_query=True,
+        ))
+        return [normalize_custom_page_metadata(_strip_cosmos_fields(item), source=CUSTOM_PAGE_SOURCE_COSMOS) for item in items]
+    except exceptions.CosmosResourceNotFoundError:
+        return []
+    except Exception as ex:
+        log_event(
+            "[CustomPages] Failed to list custom pages.",
+            extra={"error": str(ex)},
+            level=logging.ERROR,
+            exceptionTraceback=True,
+        )
+        return []
+
+
+def get_custom_page(slug: str, include_python: bool = True) -> Optional[Dict[str, Any]]:
+    """Return a custom page by slug from Cosmos or Python discovery."""
+    if not is_safe_slug(slug):
+        return None
+    normalized_slug = slug.strip().lower()
+
+    if include_python:
+        python_pages = discover_python_custom_pages()
+        if normalized_slug in python_pages:
+            return python_pages[normalized_slug]
+
+    try:
+        item = cosmos_custom_pages_container.read_item(item=normalized_slug, partition_key=normalized_slug)
+        return normalize_custom_page_metadata(_strip_cosmos_fields(item), source=CUSTOM_PAGE_SOURCE_COSMOS)
+    except exceptions.CosmosResourceNotFoundError:
+        return None
+    except Exception as ex:
+        log_event(
+            "[CustomPages] Failed to read custom page.",
+            extra={"slug": normalized_slug, "error": str(ex)},
+            level=logging.ERROR,
+            exceptionTraceback=True,
+        )
+        return None
+
+
+def save_custom_page(metadata: Dict[str, Any], user_id: str = "system") -> Dict[str, Any]:
+    """Create or update a static custom page metadata record."""
+    page = normalize_custom_page_metadata(metadata, source=CUSTOM_PAGE_SOURCE_COSMOS)
+    page["entry_type"] = "static"
+    errors = validate_custom_page_metadata(page, require_static_html=True)
+    if errors:
+        raise ValueError("; ".join(errors))
+
+    now = datetime.utcnow().isoformat()
+    existing = get_custom_page(page["slug"], include_python=False)
+    page["created_by"] = existing.get("created_by", user_id) if existing else user_id
+    page["created_at"] = existing.get("created_at", now) if existing else now
+    page["modified_by"] = user_id
+    page["modified_at"] = now
+    result = cosmos_custom_pages_container.upsert_item(body=page)
+    return normalize_custom_page_metadata(_strip_cosmos_fields(result), source=CUSTOM_PAGE_SOURCE_COSMOS)
+
+
+def delete_custom_page(slug: str) -> bool:
+    """Delete a static custom page metadata record."""
+    if not is_safe_slug(slug):
+        return False
+    try:
+        cosmos_custom_pages_container.delete_item(item=slug, partition_key=slug)
+        return True
+    except exceptions.CosmosResourceNotFoundError:
+        return False
+    except Exception as ex:
+        log_event(
+            "[CustomPages] Failed to delete custom page.",
+            extra={"slug": slug, "error": str(ex)},
+            level=logging.ERROR,
+            exceptionTraceback=True,
+        )
+        raise
+
+
+def discover_python_custom_pages(force_refresh: bool = False) -> Dict[str, Dict[str, Any]]:
+    """Discover trusted Python custom page extensions from custom_pages/python."""
+    global PYTHON_EXTENSION_CACHE
+    if PYTHON_EXTENSION_CACHE is not None and not force_refresh:
+        return PYTHON_EXTENSION_CACHE
+
+    discovered = {}
+    python_dir = os.path.join(CUSTOM_PAGES_DIR, "python")
+    if not os.path.isdir(python_dir):
+        PYTHON_EXTENSION_CACHE = discovered
+        return discovered
+
+    for file_name in sorted(os.listdir(python_dir)):
+        if not file_name.endswith(".py") or file_name.startswith("_"):
+            continue
+        module_path = os.path.join(python_dir, file_name)
+        module_name = f"simplechat_custom_pages_{os.path.splitext(file_name)[0]}"
+        try:
+            spec = importlib.util.spec_from_file_location(module_name, module_path)
+            module = importlib.util.module_from_spec(spec)
+            spec.loader.exec_module(module)
+            for _, obj in inspect.getmembers(module):
+                metadata, extension_instance = _extract_python_extension(obj)
+                if not metadata:
+                    continue
+                page = normalize_custom_page_metadata(metadata, source=CUSTOM_PAGE_SOURCE_PYTHON)
+                page["entry_type"] = "python"
+                page["module"] = file_name
+                page["extension"] = extension_instance
+                errors = validate_custom_page_metadata(page)
+                if errors:
+                    log_event(
+                        "[CustomPages] Ignored invalid Python custom page.",
+                        extra={"module": file_name, "errors": errors},
+                        level=logging.WARNING,
+                    )
+                    continue
+                discovered[page["slug"]] = page
+        except Exception as ex:
+            log_event(
+                "[CustomPages] Failed to import Python custom page module.",
+                extra={"module": file_name, "error": str(ex)},
+                level=logging.ERROR,
+                exceptionTraceback=True,
+            )
+
+    PYTHON_EXTENSION_CACHE = discovered
+    return discovered
+
+
+def get_custom_pages_nav(settings: Dict[str, Any]) -> List[Dict[str, Any]]:
+    """Return authorized custom page navigation items for the current request."""
+    if not is_custom_pages_enabled(settings):
+        return []
+
+    roles = _current_user_roles()
+    nav_items = []
+    for page in list_custom_pages(include_python=True):
+        if not page.get("enabled", True) or not page.get("show_in_nav", True):
+            continue
+        if not is_custom_page_authorized(page, roles):
+            continue
+        if has_app_context():
+            href = url_for("custom_page", slug=page["slug"])
+        else:
+            href = f"/custom/{page['slug']}"
+        nav_items.append({
+            "slug": page["slug"],
+            "label": page.get("nav_label") or page.get("title") or page["slug"],
+            "icon": page.get("nav_icon") or "bi-file-earmark-text",
+            "url": href,
+            "href": href,
+            "open_in_new_tab": bool(page.get("open_in_new_tab", False)),
+            "order": page.get("nav_order", 100),
+        })
+
+    return sorted(nav_items, key=lambda item: (item.get("order", 100), item.get("label", "").lower()))
+
+
+def is_custom_page_authorized(page: Dict[str, Any], roles: Optional[List[str]] = None) -> bool:
+    """Return True when the current user roles satisfy custom page metadata."""
+    role_set = set(roles if roles is not None else _current_user_roles())
+    access_level = page.get("access_level") or "app_user"
+    if access_level != "authenticated" and not ({"User", "Admin"}.intersection(role_set)):
+        return False
+
+    required_roles = page.get("roles") or []
+    if not required_roles:
+        return True
+    required_role_set = set(required_roles)
+    if role_set.intersection(required_role_set):
+        return True
+    return "Admin" in role_set and "User" in required_role_set
+
+
+def resolve_custom_page_file(page: Dict[str, Any], folder: str, file_name: str) -> Tuple[Optional[str], Optional[str]]:
+    """Resolve a custom page file reference to an absolute path if allowed."""
+    errors = validate_custom_page_file_reference(folder, file_name)
+    if errors:
+        return None, "; ".join(errors)
+
+    normalized_name = file_name.replace("\\", "/").strip()
+    base_dir = os.path.abspath(os.path.join(CUSTOM_PAGES_DIR, folder))
+    candidate = os.path.abspath(os.path.join(base_dir, normalized_name))
+    if os.path.commonpath([base_dir, candidate]) != base_dir:
+        return None, "File path is outside the allowed custom page folder."
+
+    if not _file_reference_is_declared(page, folder, normalized_name):
+        return None, "File is not declared by the custom page metadata."
+
+    if not os.path.exists(candidate) or not os.path.isfile(candidate):
+        return None, "File does not exist."
+    return candidate, None
+
+
+def build_custom_page_context(page: Dict[str, Any], settings: Dict[str, Any]) -> Dict[str, Any]:
+    """Build the safe request context passed to trusted custom page extensions."""
+    return {
+        "page": {key: value for key, value in page.items() if key != "extension"},
+        "settings": settings,
+        "user": session.get("user", {}),
+        "roles": _current_user_roles(),
+    }
+
+
+def _extract_python_extension(obj: Any) -> Tuple[Optional[Dict[str, Any]], Optional[CustomPageExtension]]:
+    if inspect.isclass(obj) and issubclass(obj, CustomPageExtension) and obj is not CustomPageExtension:
+        instance = obj()
+        metadata = getattr(obj, "__simplechat_custom_page__", None) or getattr(instance, "metadata", None)
+        return metadata, instance
+
+    metadata = getattr(obj, "__simplechat_custom_page__", None)
+    if metadata and inspect.isclass(obj):
+        instance = obj()
+        return metadata, instance
+    if metadata and callable(obj):
+        extension = obj()
+        if isinstance(extension, CustomPageExtension):
+            return metadata, extension
+    return None, None
+
+
+def _file_reference_is_declared(page: Dict[str, Any], folder: str, file_name: str) -> bool:
+    if folder == "html":
+        return page.get("html_file") == file_name
+    field_name = {
+        "css": "css_files",
+        "js": "js_files",
+        "assets": "asset_files",
+        "json": "json_files",
+    }.get(folder)
+    return file_name in set(page.get(field_name, [])) if field_name else False
+
+
+def _normalize_optional_path(value: Any) -> str:
+    return str(value or "").replace("\\", "/").strip()
+
+
+def _normalize_string_list(value: Any) -> List[str]:
+    if isinstance(value, list):
+        return [str(item).replace("\\", "/").strip() for item in value if str(item).strip()]
+    if isinstance(value, str) and value.strip():
+        return [item.replace("\\", "/").strip() for item in value.split(",") if item.strip()]
+    return []
+
+
+def _normalize_icon(value: Any) -> str:
+    icon = str(value or "bi-file-earmark-text").strip()
+    if not re.fullmatch(r"bi-[a-z0-9-]+", icon):
+        return "bi-file-earmark-text"
+    return icon
+
+
+def _coerce_bool(value: Any) -> bool:
+    if isinstance(value, bool):
+        return value
+    if isinstance(value, str):
+        return value.strip().lower() in {"1", "true", "yes", "on"}
+    return bool(value)
+
+
+def _coerce_int(value: Any, default: int) -> int:
+    try:
+        return int(value)
+    except (TypeError, ValueError):
+        return default
+
+
+def _strip_cosmos_fields(item: Dict[str, Any]) -> Dict[str, Any]:
+    return {key: value for key, value in (item or {}).items() if not key.startswith("_")}
+
+
+def _current_user_roles() -> List[str]:
+    user = session.get("user", {}) if has_app_context() else {}
+    roles = user.get("roles", []) if isinstance(user, dict) else []
+    return roles if isinstance(roles, list) else []
\ No newline at end of file
diff --git a/application/single_app/functions_documents.py b/application/single_app/functions_documents.py
index 362729ffd..6bdb813c0 100644
--- a/application/single_app/functions_documents.py
+++ b/application/single_app/functions_documents.py
@@ -9,6 +9,7 @@
 from functions_logging import *
 from functions_authentication import *
 from functions_debug import *
+from functions_keyvault import SecretReturnType, keyvault_model_endpoint_get_helper
 import azure.cognitiveservices.speech as speechsdk
 
 def allowed_file(filename, allowed_extensions=None):
@@ -18,6 +19,161 @@ def allowed_file(filename, allowed_extensions=None):
            filename.rsplit('.', 1)[1].lower() in allowed_extensions
 
 
+def _normalize_model_endpoint_selection(selection):
+    if not isinstance(selection, dict):
+        selection = {}
+
+    return {
+        "endpoint_id": str(selection.get("endpoint_id") or "").strip(),
+        "model_id": str(selection.get("model_id") or "").strip(),
+        "provider": str(selection.get("provider") or "").strip().lower(),
+    }
+
+
+def _resolve_model_endpoint_authority(auth_settings):
+    management_cloud = str(auth_settings.get("management_cloud") or "public").lower()
+    if management_cloud == "government":
+        return "https://login.microsoftonline.us"
+    if management_cloud == "custom":
+        custom_authority = auth_settings.get("custom_authority") or ""
+        return custom_authority.strip() or None
+    return None
+
+
+def _resolve_model_endpoint_scope(provider, auth_settings, endpoint=None):
+    custom_scope = str(auth_settings.get("foundry_scope") or "").strip()
+    if custom_scope:
+        return custom_scope
+
+    normalized_provider = str(provider or "aoai").lower()
+    if normalized_provider not in ("aifoundry", "new_foundry"):
+        return cognitive_services_scope
+
+    management_cloud = str(auth_settings.get("management_cloud") or "public").lower()
+    if management_cloud in ("government", "usgovernment", "usgov"):
+        return "https://ai.azure.us/.default"
+    if management_cloud == "china":
+        return "https://ai.azure.cn/.default"
+    if management_cloud == "germany":
+        return "https://ai.azure.de/.default"
+
+    endpoint_value = str(endpoint or "").lower()
+    if "azure.us" in endpoint_value:
+        return "https://ai.azure.us/.default"
+    if "azure.cn" in endpoint_value:
+        return "https://ai.azure.cn/.default"
+    if "azure.de" in endpoint_value:
+        return "https://ai.azure.de/.default"
+
+    return "https://ai.azure.com/.default"
+
+
+def _build_model_endpoint_client(auth_settings, provider, endpoint, api_version):
+    auth_settings = auth_settings or {}
+    auth_type = str(auth_settings.get("type") or "managed_identity").lower()
+
+    if auth_type in ("api_key", "key"):
+        api_key = auth_settings.get("api_key")
+        if not api_key:
+            raise ValueError("Selected metadata extraction endpoint is missing an API key.")
+        return AzureOpenAI(
+            api_version=api_version,
+            azure_endpoint=endpoint,
+            api_key=api_key,
+        )
+
+    if auth_type == "service_principal":
+        credential = ClientSecretCredential(
+            tenant_id=auth_settings.get("tenant_id"),
+            client_id=auth_settings.get("client_id"),
+            client_secret=auth_settings.get("client_secret"),
+            authority=_resolve_model_endpoint_authority(auth_settings),
+        )
+    else:
+        managed_identity_client_id = auth_settings.get("managed_identity_client_id") or None
+        credential = DefaultAzureCredential(managed_identity_client_id=managed_identity_client_id)
+
+    scope = _resolve_model_endpoint_scope(provider, auth_settings, endpoint=endpoint)
+    token_provider = get_bearer_token_provider(credential, scope)
+    return AzureOpenAI(
+        api_version=api_version,
+        azure_endpoint=endpoint,
+        azure_ad_token_provider=token_provider,
+    )
+
+
+def _resolve_metadata_extraction_client(settings):
+    selection = _normalize_model_endpoint_selection(settings.get("metadata_extraction_model_selection"))
+
+    if (
+        settings.get("enable_multi_model_endpoints", False)
+        and selection["endpoint_id"]
+        and selection["model_id"]
+    ):
+        endpoints, _ = normalize_model_endpoints(settings.get("model_endpoints", []) or [])
+        endpoint_cfg = next((e for e in endpoints if e.get("id") == selection["endpoint_id"]), None)
+        if not endpoint_cfg:
+            raise LookupError("Selected metadata extraction endpoint could not be found.")
+        if not endpoint_cfg.get("enabled", True):
+            raise ValueError("Selected metadata extraction endpoint is disabled.")
+
+        endpoint_cfg = keyvault_model_endpoint_get_helper(
+            endpoint_cfg,
+            endpoint_cfg.get("id") or selection["endpoint_id"],
+            scope="global",
+            return_type=SecretReturnType.VALUE,
+        )
+
+        models = endpoint_cfg.get("models", []) or []
+        model_cfg = next((m for m in models if m.get("id") == selection["model_id"]), None)
+        if not model_cfg:
+            raise LookupError("Selected metadata extraction model could not be found on the endpoint.")
+        if not model_cfg.get("enabled", True):
+            raise ValueError("Selected metadata extraction model is disabled.")
+
+        provider = str(endpoint_cfg.get("provider") or selection["provider"] or "aoai").lower()
+        connection = endpoint_cfg.get("connection", {}) or {}
+        auth_settings = endpoint_cfg.get("auth", {}) or {}
+        deployment = str(model_cfg.get("deploymentName") or model_cfg.get("deployment") or "").strip()
+        endpoint = str(connection.get("endpoint") or "").strip()
+        api_version = str(connection.get("openai_api_version") or connection.get("api_version") or "").strip()
+
+        if provider not in ("aoai", "aifoundry", "new_foundry"):
+            raise ValueError(f"Selected metadata extraction provider '{provider}' is not supported.")
+        if not endpoint or not api_version or not deployment:
+            raise ValueError("Selected metadata extraction endpoint is missing endpoint, API version, or deployment configuration.")
+
+        return _build_model_endpoint_client(auth_settings, provider, endpoint, api_version), deployment
+
+    gpt_model = settings.get('metadata_extraction_model')
+    if not gpt_model:
+        raise ValueError("No metadata extraction model is selected.")
+
+    if settings.get('enable_gpt_apim', False):
+        return AzureOpenAI(
+            api_version=settings.get('azure_apim_gpt_api_version'),
+            azure_endpoint=settings.get('azure_apim_gpt_endpoint'),
+            api_key=settings.get('azure_apim_gpt_subscription_key')
+        ), gpt_model
+
+    if settings.get('azure_openai_gpt_authentication_type') == 'managed_identity':
+        token_provider = get_bearer_token_provider(
+            DefaultAzureCredential(),
+            cognitive_services_scope
+        )
+        return AzureOpenAI(
+            api_version=settings.get('azure_openai_gpt_api_version'),
+            azure_endpoint=settings.get('azure_openai_gpt_endpoint'),
+            azure_ad_token_provider=token_provider
+        ), gpt_model
+
+    return AzureOpenAI(
+        api_version=settings.get('azure_openai_gpt_api_version'),
+        azure_endpoint=settings.get('azure_openai_gpt_endpoint'),
+        api_key=settings.get('azure_openai_gpt_key')
+    ), gpt_model
+
+
 ARCHIVED_SCOPE_PREFIX = "__archived__::"
 CURRENT_ALIAS_BLOB_PATH_MODE = "current_alias"
 ARCHIVED_REVISION_BLOB_PATH_MODE = "archived_revision"
@@ -3318,7 +3474,6 @@ def extract_document_metadata(document_id, user_id, group_id=None, public_worksp
     """
 
     settings = get_settings()
-    enable_gpt_apim = settings.get('enable_gpt_apim', False)
     enable_user_workspace = settings.get('enable_user_workspace', False)
     enable_group_workspaces = settings.get('enable_group_workspaces', False)
 
@@ -3608,34 +3763,17 @@ def extract_document_metadata(document_id, user_id, group_id=None, public_worksp
         print(f"Error processing Hybrid search for document {document_id}: {e}")
         search_results = "No Hybrid results"
 
-    gpt_model = settings.get('metadata_extraction_model')
-
     # --- Step 5: Prepare GPT Client ---
-    if enable_gpt_apim:
-        # APIM-based GPT client
-        gpt_client = AzureOpenAI(
-            api_version=settings.get('azure_apim_gpt_api_version'),
-            azure_endpoint=settings.get('azure_apim_gpt_endpoint'),
-            api_key=settings.get('azure_apim_gpt_subscription_key')
+    try:
+        gpt_client, gpt_model = _resolve_metadata_extraction_client(settings)
+    except Exception as e:
+        add_file_task_to_file_processing_log(
+            document_id=document_id,
+            user_id=group_id if is_group else user_id,
+            content=f"Error resolving metadata extraction model for document {document_id}: {e}"
         )
-    else:
-        # Standard Azure OpenAI approach
-        if settings.get('azure_openai_gpt_authentication_type') == 'managed_identity':
-            token_provider = get_bearer_token_provider(
-                DefaultAzureCredential(), 
-                cognitive_services_scope
-            )
-            gpt_client = AzureOpenAI(
-                api_version=settings.get('azure_openai_gpt_api_version'),
-                azure_endpoint=settings.get('azure_openai_gpt_endpoint'),
-                azure_ad_token_provider=token_provider
-            )
-        else:
-            gpt_client = AzureOpenAI(
-                api_version=settings.get('azure_openai_gpt_api_version'),
-                azure_endpoint=settings.get('azure_openai_gpt_endpoint'),
-                api_key=settings.get('azure_openai_gpt_key')
-            )
+        print(f"Error resolving metadata extraction model for document {document_id}: {e}")
+        return meta_data
 
     # --- Step 6: GPT Prompt and JSON Parsing ---
     try:
diff --git a/application/single_app/functions_settings.py b/application/single_app/functions_settings.py
index 558968d5e..8f5a65e07 100644
--- a/application/single_app/functions_settings.py
+++ b/application/single_app/functions_settings.py
@@ -278,6 +278,11 @@ def get_settings(use_cosmos=False, include_source=False):
         # Metadata Extraction
         'enable_extract_meta_data': False,
         'metadata_extraction_model': '',
+        'metadata_extraction_model_selection': {
+            'endpoint_id': '',
+            'model_id': '',
+            'provider': ''
+        },
         
         # Multimodal Vision
         'enable_multimodal_vision': False,
@@ -308,6 +313,11 @@ def get_settings(use_cosmos=False, include_source=False):
             {"label": "Prompt Ideas", "url": "https://example.com/prompts"}
         ],
 
+        # Custom Pages
+        'enable_custom_pages': False,
+        'custom_pages_menu_name': 'Custom Pages',
+        'custom_pages_force_menu': False,
+
         # Support Menu
         'enable_support_menu': False,
         'support_menu_name': 'Support',
@@ -434,6 +444,9 @@ def get_settings(use_cosmos=False, include_source=False):
         # Access denied message shown on the home page for signed-in users who lack required roles.
         # Default is hard-coded; admins can override via Admin Settings (persisted in Cosmos DB).
         'access_denied_message': 'You are logged in but do not have the required permissions to access this application.\nPlease contact an administrator for access.',
+        'access_request_button_enabled': False,
+        'access_request_button_text': 'Request Access',
+        'access_request_page_url': '/custom/request-access',
         'enable_file_processing_logs': True,
         'file_processing_logs_timer_enabled': False,
         'file_timer_value': 1,
diff --git a/application/single_app/route_custom_pages.py b/application/single_app/route_custom_pages.py
new file mode 100644
index 000000000..d65165d5d
--- /dev/null
+++ b/application/single_app/route_custom_pages.py
@@ -0,0 +1,273 @@
+# route_custom_pages.py
+"""Routes for trusted deployment-time custom pages."""
+
+import mimetypes
+import os
+import logging
+
+from flask import Response, jsonify, render_template, request, send_file, session
+
+from functions_appinsights import log_event
+from functions_authentication import admin_required, login_required
+from functions_custom_pages import (
+    build_custom_page_context,
+    delete_custom_page,
+    get_custom_page,
+    is_custom_page_authorized,
+    is_custom_pages_enabled,
+    list_custom_pages,
+    resolve_custom_page_file,
+    save_custom_page,
+    validate_custom_page_metadata,
+)
+from functions_settings import get_settings, sanitize_settings_for_user, update_settings
+from swagger_wrapper import get_auth_security, swagger_route
+
+
+def _custom_pages_disabled_response():
+    return "Not Found", 404
+
+
+def _load_enabled_custom_page_or_404(slug):
+    settings = get_settings()
+    if not is_custom_pages_enabled(settings):
+        return None, settings, _custom_pages_disabled_response()
+
+    page = get_custom_page(slug, include_python=True)
+    if not page or not page.get("enabled", True):
+        return None, settings, ("Not Found", 404)
+
+    if not is_custom_page_authorized(page):
+        return None, settings, ("Forbidden", 403)
+
+    return page, settings, None
+
+
+def _current_admin_user_id():
+    user = session.get("user", {}) if session else {}
+    if not isinstance(user, dict):
+        return "admin"
+    return str(user.get("oid") or user.get("preferred_username") or user.get("email") or "admin")
+
+
+def _get_custom_pages_developer_guide_path():
+    """Return the path for the canonical in-app Custom Pages developer guide."""
+    app_root = os.path.dirname(__file__)
+    guide_path = os.path.abspath(os.path.join(app_root, "docs", "how-to", "custom_pages.md"))
+    return guide_path if os.path.isfile(guide_path) else None
+
+
+def _strip_markdown_front_matter(markdown_text):
+    """Remove Jekyll front matter before rendering markdown inside the app."""
+    if not markdown_text.startswith("---"):
+        return markdown_text
+    parts = markdown_text.split("---", 2)
+    if len(parts) == 3:
+        return parts[2].lstrip()
+    return markdown_text
+
+
+def _render_custom_page_response(slug):
+    """Render a custom page response for canonical and compatibility routes."""
+    page, settings, error_response = _load_enabled_custom_page_or_404(slug)
+    if error_response:
+        return error_response
+
+    if page.get("entry_type") == "python":
+        extension = page.get("extension")
+        if not extension or not hasattr(extension, "render"):
+            return "Not Found", 404
+        return extension.render(build_custom_page_context(page, sanitize_settings_for_user(settings)))
+
+    html_file = page.get("html_file")
+    html_path, error = resolve_custom_page_file(page, "html", html_file)
+    if error:
+        log_event(
+            "[CustomPages] Unable to resolve custom page HTML.",
+            extra={"slug": slug, "error": error},
+            level=logging.WARNING,
+        )
+        return "Not Found", 404
+
+    with open(html_path, "r", encoding="utf-8") as html_handle:
+        trusted_html = html_handle.read()
+
+    return render_template(
+        "custom_page_shell.html",
+        custom_page=page,
+        custom_page_html=trusted_html,
+        settings=sanitize_settings_for_user(settings),
+    )
+
+
+def register_route_custom_pages(app):
+    @app.route("/custom/<slug>", methods=["GET"])
+    @swagger_route(security=get_auth_security())
+    @login_required
+    def custom_page(slug):
+        """Render a trusted custom page."""
+        return _render_custom_page_response(slug)
+
+    @app.route("/custom/<slug>.html", methods=["GET"])
+    @swagger_route(security=get_auth_security())
+    @login_required
+    def custom_page_html_alias(slug):
+        """Render a trusted custom page from a familiar .html URL alias."""
+        return _render_custom_page_response(slug)
+
+    @app.route("/custom/assets/<slug>/<folder>/<path:filename>", methods=["GET"])
+    @swagger_route(security=get_auth_security())
+    @login_required
+    def custom_page_asset(slug, folder, filename):
+        """Serve a declared custom page asset."""
+        page, _, error_response = _load_enabled_custom_page_or_404(slug)
+        if error_response:
+            return error_response
+
+        file_path, error = resolve_custom_page_file(page, folder, filename)
+        if error:
+            log_event(
+                "[CustomPages] Blocked custom page asset request.",
+                extra={"slug": slug, "folder": folder, "filename": filename, "error": error},
+                level=logging.WARNING,
+            )
+            return "Not Found", 404
+
+        mimetype = mimetypes.guess_type(file_path)[0] or "application/octet-stream"
+        response = send_file(file_path, mimetype=mimetype, conditional=True)
+        if os.path.splitext(file_path)[1].lower() == ".mjs":
+            response.headers["Content-Type"] = "application/javascript"
+        return response
+
+    @app.route("/api/custom/<slug>/<path:operation>", methods=["GET", "POST", "PUT", "PATCH", "DELETE"])
+    @swagger_route(security=get_auth_security())
+    @login_required
+    def custom_page_api(slug, operation):
+        """Dispatch a trusted Python-backed custom page API operation."""
+        page, settings, error_response = _load_enabled_custom_page_or_404(slug)
+        if error_response:
+            return error_response
+        if page.get("entry_type") != "python" or not page.get("extension"):
+            return jsonify({"error": "Custom page API not found"}), 404
+        try:
+            return page["extension"].handle_api(
+                operation,
+                build_custom_page_context(page, sanitize_settings_for_user(settings)),
+            )
+        except NotImplementedError:
+            return jsonify({"error": "Custom page API not found"}), 404
+
+    @app.route("/api/admin/custom-pages", methods=["GET"])
+    @swagger_route(security=get_auth_security())
+    @login_required
+    @admin_required
+    def admin_list_custom_pages():
+        """List custom page metadata for the Admin Settings designer."""
+        settings = get_settings()
+        include_python = is_custom_pages_enabled(settings)
+        pages = list_custom_pages(include_python=include_python)
+        safe_pages = [{key: value for key, value in page.items() if key != "extension"} for page in pages]
+        return jsonify({"pages": safe_pages})
+
+    @app.route("/api/admin/custom-pages/developer-guide", methods=["GET"])
+    @swagger_route(security=get_auth_security())
+    @login_required
+    @admin_required
+    def admin_custom_pages_developer_guide():
+        """Return the canonical Custom Pages developer guide markdown for the in-app modal."""
+        guide_path = _get_custom_pages_developer_guide_path()
+        if not guide_path:
+            return jsonify({"error": "Custom Pages developer guide was not found."}), 404
+
+        try:
+            with open(guide_path, "r", encoding="utf-8") as guide_handle:
+                markdown_text = _strip_markdown_front_matter(guide_handle.read())
+            return jsonify({"markdown": markdown_text})
+        except Exception as ex:
+            log_event(
+                "[CustomPages] Failed to load developer guide.",
+                extra={"error": str(ex)},
+                level=logging.ERROR,
+                exceptionTraceback=True,
+            )
+            return jsonify({"error": "Custom Pages developer guide could not be loaded."}), 500
+
+    @app.route("/api/admin/custom-pages", methods=["POST"])
+    @swagger_route(security=get_auth_security())
+    @login_required
+    @admin_required
+    def admin_create_custom_page():
+        """Create static custom page metadata."""
+        payload = request.get_json(silent=True) or {}
+        errors = validate_custom_page_metadata(payload, require_static_html=True)
+        if errors:
+            return jsonify({"error": "; ".join(errors)}), 400
+        slug = str(payload.get("slug") or payload.get("id") or "").strip().lower()
+        if get_custom_page(slug, include_python=True):
+            return jsonify({"error": "A custom page with this slug already exists."}), 409
+        saved = save_custom_page(payload, user_id=_current_admin_user_id())
+        return jsonify(saved), 201
+
+    @app.route("/api/admin/custom-pages/request-access-example", methods=["POST"])
+    @swagger_route(security=get_auth_security())
+    @login_required
+    @admin_required
+    def admin_create_request_access_custom_page():
+        """Create or update the optional Request Access custom page metadata."""
+        request_access_page = {
+            "slug": "request-access",
+            "title": "Request SimpleChat Access",
+            "description": "A signed-in access request page for users who need the base User role.",
+            "entry_type": "static",
+            "access_level": "authenticated",
+            "nav_label": "Request Access",
+            "nav_icon": "bi-person-plus",
+            "nav_order": 5,
+            "roles": [],
+            "show_in_nav": False,
+            "open_in_new_tab": False,
+            "html_file": "request-access.html",
+            "css_files": ["request-access.css"],
+            "js_files": [],
+            "asset_files": [],
+            "json_files": [],
+            "enabled": True,
+        }
+        errors = validate_custom_page_metadata(request_access_page, require_static_html=True)
+        if errors:
+            return jsonify({"error": "; ".join(errors)}), 400
+
+        saved = save_custom_page(request_access_page, user_id=_current_admin_user_id())
+        update_settings({
+            "access_request_button_enabled": True,
+            "access_request_button_text": "Request Access",
+            "access_request_page_url": "/custom/request-access",
+        })
+        return jsonify({"page": saved, "access_request_button_enabled": True}), 201
+
+    @app.route("/api/admin/custom-pages/<slug>", methods=["PUT"])
+    @swagger_route(security=get_auth_security())
+    @login_required
+    @admin_required
+    def admin_update_custom_page(slug):
+        """Update static custom page metadata."""
+        payload = request.get_json(silent=True) or {}
+        payload["slug"] = slug
+        errors = validate_custom_page_metadata(payload, require_static_html=True)
+        if errors:
+            return jsonify({"error": "; ".join(errors)}), 400
+        saved = save_custom_page(payload, user_id=_current_admin_user_id())
+        return jsonify(saved), 200
+
+    @app.route("/api/admin/custom-pages/<slug>", methods=["DELETE"])
+    @swagger_route(security=get_auth_security())
+    @login_required
+    @admin_required
+    def admin_delete_custom_page(slug):
+        """Delete static custom page metadata."""
+        page = get_custom_page(slug, include_python=True)
+        if page and page.get("source") == "python":
+            return jsonify({"error": "Python-backed custom pages are managed in code."}), 400
+        if not delete_custom_page(slug):
+            return jsonify({"error": "Custom page not found."}), 404
+        return Response(status=204)
\ No newline at end of file
diff --git a/application/single_app/route_frontend_admin_settings.py b/application/single_app/route_frontend_admin_settings.py
index f0094fab7..53ac424f9 100644
--- a/application/single_app/route_frontend_admin_settings.py
+++ b/application/single_app/route_frontend_admin_settings.py
@@ -64,6 +64,12 @@ def admin_settings():
                 'model_id': '',
                 'provider': ''
             }
+        if 'metadata_extraction_model_selection' not in settings or not isinstance(settings.get('metadata_extraction_model_selection'), dict):
+            settings['metadata_extraction_model_selection'] = {
+                'endpoint_id': '',
+                'model_id': '',
+                'provider': ''
+            }
         if 'multi_endpoint_migrated_at' not in settings:
             settings['multi_endpoint_migrated_at'] = None
         if 'multi_endpoint_migration_notice' not in settings or not isinstance(settings.get('multi_endpoint_migration_notice'), dict):
@@ -115,6 +121,18 @@ def admin_settings():
                 {"label": "Acceptable Use Policy", "url": "https://example.com/policy"},
                 {"label": "Prompt Ideas", "url": "https://example.com/prompts"}
             ]
+        if 'enable_custom_pages' not in settings:
+            settings['enable_custom_pages'] = False
+        if 'custom_pages_menu_name' not in settings:
+            settings['custom_pages_menu_name'] = 'Custom Pages'
+        if 'custom_pages_force_menu' not in settings:
+            settings['custom_pages_force_menu'] = False
+        if 'access_request_button_enabled' not in settings:
+            settings['access_request_button_enabled'] = False
+        if 'access_request_button_text' not in settings:
+            settings['access_request_button_text'] = 'Request Access'
+        if 'access_request_page_url' not in settings:
+            settings['access_request_page_url'] = '/custom/request-access'
         if 'enable_support_menu' not in settings:
             settings['enable_support_menu'] = False
         if 'support_menu_name' not in settings:
@@ -563,6 +581,20 @@ def parse_admin_int(raw_value, fallback_value, field_name="unknown", hard_defaul
                 # Keep existing external links from the database instead of overwriting with bad data
                 parsed_external_links = settings.get('external_links', []) # Fallback to existing
 
+            enable_custom_pages = form_data.get('enable_custom_pages') == 'on'
+            custom_pages_was_enabled = bool(settings.get('enable_custom_pages', False))
+            custom_pages_restart_acknowledged = form_data.get('custom_pages_restart_acknowledged') == 'on'
+            if enable_custom_pages and not custom_pages_was_enabled and not custom_pages_restart_acknowledged:
+                flash(
+                    'Custom Pages requires acknowledgement that the App Service must be restarted before it is fully enabled. The feature was not enabled.',
+                    'danger'
+                )
+                enable_custom_pages = False
+            custom_pages_menu_name = form_data.get('custom_pages_menu_name', 'Custom Pages').strip()
+            if not custom_pages_menu_name:
+                custom_pages_menu_name = 'Custom Pages'
+            custom_pages_force_menu = form_data.get('custom_pages_force_menu') == 'on'
+
             enable_support_menu = form_data.get('enable_support_menu') == 'on'
             support_menu_name = form_data.get('support_menu_name', 'Support').strip()
             if not support_menu_name:
@@ -829,6 +861,75 @@ def parse_admin_int(raw_value, fallback_value, field_name="unknown", hard_defaul
                     'provider': ''
                 }
 
+            metadata_selection_json = form_data.get('metadata_extraction_model_selection_json', '{}')
+            parsed_metadata_model_selection = {}
+            try:
+                parsed_metadata_model_selection_raw = (
+                    json.loads(metadata_selection_json) if metadata_selection_json else {}
+                )
+                if isinstance(parsed_metadata_model_selection_raw, dict):
+                    parsed_metadata_model_selection = parsed_metadata_model_selection_raw
+                else:
+                    raise ValueError("Invalid format: metadata_extraction_model_selection must be an object.")
+            except (json.JSONDecodeError, ValueError) as e:
+                print(f"Error processing metadata_extraction_model_selection_json: {e}")
+                flash(f"Error processing metadata extraction model selection: {e}. Changes not saved.", 'danger')
+                parsed_metadata_model_selection = settings.get('metadata_extraction_model_selection', {})
+
+            normalized_metadata_model_selection = {
+                'endpoint_id': str(parsed_metadata_model_selection.get('endpoint_id') or '').strip(),
+                'model_id': str(parsed_metadata_model_selection.get('model_id') or '').strip(),
+                'provider': str(parsed_metadata_model_selection.get('provider') or '').strip().lower()
+            }
+            metadata_extraction_model_deployment = ''
+
+            if not enable_multi_model_endpoints:
+                normalized_metadata_model_selection = {
+                    'endpoint_id': '',
+                    'model_id': '',
+                    'provider': ''
+                }
+            elif normalized_metadata_model_selection['endpoint_id'] and normalized_metadata_model_selection['model_id']:
+                endpoint_cfg = next(
+                    (e for e in parsed_model_endpoints if e.get('id') == normalized_metadata_model_selection['endpoint_id']),
+                    None
+                )
+                if not endpoint_cfg or not endpoint_cfg.get('enabled', True):
+                    flash('Metadata extraction model endpoint is not available. Please select a valid endpoint.', 'warning')
+                    normalized_metadata_model_selection = {
+                        'endpoint_id': '',
+                        'model_id': '',
+                        'provider': ''
+                    }
+                else:
+                    models = endpoint_cfg.get('models', []) or []
+                    model_cfg = next(
+                        (m for m in models if m.get('id') == normalized_metadata_model_selection['model_id']),
+                        None
+                    )
+                    if not model_cfg or not model_cfg.get('enabled', True):
+                        flash('Metadata extraction model is not available. Please select a valid model.', 'warning')
+                        normalized_metadata_model_selection = {
+                            'endpoint_id': '',
+                            'model_id': '',
+                            'provider': ''
+                        }
+                    else:
+                        endpoint_provider = (endpoint_cfg.get('provider') or '').strip().lower()
+                        if endpoint_provider:
+                            normalized_metadata_model_selection['provider'] = endpoint_provider
+                        metadata_extraction_model_deployment = str(
+                            model_cfg.get('deploymentName')
+                            or model_cfg.get('deployment')
+                            or ''
+                        ).strip()
+            else:
+                normalized_metadata_model_selection = {
+                    'endpoint_id': '',
+                    'model_id': '',
+                    'provider': ''
+                }
+
             # --- Extract banner fields from form_data ---
             classification_banner_enabled = form_data.get('classification_banner_enabled') == 'on'
             classification_banner_text = form_data.get('classification_banner_text', '').strip()
@@ -1230,6 +1331,14 @@ def is_valid_url(url):
                 'external_links_force_menu': external_links_force_menu,
                 'external_links': parsed_external_links, # Store the PARSED LIST
 
+                # *** Custom Pages ***
+                'enable_custom_pages': enable_custom_pages,
+                'custom_pages_menu_name': custom_pages_menu_name,
+                'custom_pages_force_menu': custom_pages_force_menu,
+                'access_request_button_enabled': bool(settings.get('access_request_button_enabled', False)),
+                'access_request_button_text': settings.get('access_request_button_text', 'Request Access'),
+                'access_request_page_url': settings.get('access_request_page_url', '/custom/request-access'),
+
                 # *** Support Menu ***
                 'enable_support_menu': enable_support_menu,
                 'support_menu_name': support_menu_name,
@@ -1362,7 +1471,8 @@ def is_valid_url(url):
                 # Text-to-speech chat output
                 'enable_text_to_speech': form_data.get('enable_text_to_speech') == 'on',
 
-                'metadata_extraction_model': form_data.get('metadata_extraction_model', '').strip(),
+                'metadata_extraction_model': metadata_extraction_model_deployment,
+                'metadata_extraction_model_selection': normalized_metadata_model_selection,
 
                 # Multi-modal vision settings
                 'enable_multimodal_vision': form_data.get('enable_multimodal_vision') == 'on',
@@ -1655,6 +1765,21 @@ def is_valid_url(url):
             # new_settings now contains either the new logo/favicon base64 or the original ones
             if update_settings(new_settings):
                 flash("Admin settings updated successfully.", "success")
+                if enable_custom_pages and not custom_pages_was_enabled and custom_pages_restart_acknowledged:
+                    log_general_admin_action(
+                        admin_user_id=user_id,
+                        admin_email=admin_email,
+                        action='custom_pages_enabled_acknowledged',
+                        description='Custom Pages enabled after restart acknowledgement.',
+                        additional_context={
+                            'feature': 'custom_pages',
+                            'enabled': True,
+                            'restart_required': True,
+                            'acknowledgement': 'Admin acknowledged that the App Service must be restarted before Custom Pages is fully enabled.',
+                            'custom_pages_menu_name': custom_pages_menu_name,
+                            'custom_pages_force_menu': custom_pages_force_menu,
+                        }
+                    )
                 # Reconfigure Application Insights logging immediately if the setting changed
                 from functions_appinsights import setup_appinsights_logging
                 setup_appinsights_logging(get_settings())
diff --git a/application/single_app/static/css/navigation.css b/application/single_app/static/css/navigation.css
index 3b17d9dc0..866361ece 100644
--- a/application/single_app/static/css/navigation.css
+++ b/application/single_app/static/css/navigation.css
@@ -135,6 +135,40 @@ body {
   background: rgba(13, 110, 253, 0.08);
 }
 
+.custom-pages-dropdown-menu {
+  max-height: min(24rem, 70vh);
+  overflow-y: auto;
+}
+
+.custom-pages-mobile-list {
+  max-height: min(24rem, 55vh);
+  overflow-y: auto;
+  padding-right: 0.25rem;
+}
+
+.custom-pages-top-drawer-trigger {
+  align-items: center;
+  border-radius: 999px;
+  display: inline-flex;
+  gap: 0.25rem;
+  text-decoration: none;
+}
+
+.custom-pages-drawer {
+  max-width: min(92vw, 26rem);
+}
+
+.custom-pages-drawer-list {
+  max-height: calc(100vh - 9rem);
+  overflow-y: auto;
+}
+
+.custom-pages-drawer-item {
+  align-items: center;
+  display: flex;
+  gap: 0.25rem;
+}
+
 .top-nav-user-nav {
   align-items: center;
   flex-direction: row;
diff --git a/application/single_app/static/css/sidebar.css b/application/single_app/static/css/sidebar.css
index ab7e652ce..bcaf45934 100644
--- a/application/single_app/static/css/sidebar.css
+++ b/application/single_app/static/css/sidebar.css
@@ -294,6 +294,52 @@ body.sidebar-nav-enabled.has-classification-banner .container-fluid {
   padding-bottom: 0.25rem !important;
 }
 
+/* Custom Pages navigation menu */
+.custom-pages-menu-toggle,
+.custom-pages-inline-label {
+  border: 0;
+  cursor: pointer;
+  font-weight: 600;
+  letter-spacing: 0.02em;
+  padding: 0.35rem 0.5rem 0.35rem 1rem;
+  user-select: none;
+}
+
+.custom-pages-menu-toggle {
+  background: rgba(13, 110, 253, 0.06);
+  border: 1px solid var(--bs-border-color-translucent);
+  border-radius: 0.5rem;
+}
+
+.custom-pages-menu-list {
+  max-height: min(18rem, 45vh);
+  overflow-y: auto;
+  padding-right: 0.25rem;
+}
+
+.custom-pages-menu-list::-webkit-scrollbar {
+  width: 6px;
+}
+
+.custom-pages-menu-list::-webkit-scrollbar-thumb {
+  background: var(--bs-border-color);
+  border-radius: 999px;
+}
+
+.custom-pages-count-badge {
+  font-size: 0.65rem;
+  min-width: 1.5rem;
+}
+
+.custom-pages-caret {
+  font-size: 0.9em;
+  transition: transform 0.2s;
+}
+
+[data-bs-theme="dark"] .custom-pages-menu-toggle {
+  background: rgba(13, 110, 253, 0.14);
+}
+
 .sidebar-resize-handle {
   position: absolute;
   top: 0;
diff --git a/application/single_app/static/js/admin/admin_custom_pages.js b/application/single_app/static/js/admin/admin_custom_pages.js
new file mode 100644
index 000000000..a55685dfc
--- /dev/null
+++ b/application/single_app/static/js/admin/admin_custom_pages.js
@@ -0,0 +1,631 @@
+// admin_custom_pages.js
+import { showToast } from "../chat/chat-toast.js";
+
+let customPages = Array.isArray(window.customPages) ? window.customPages : [];
+
+const enableCustomPagesToggle = document.getElementById("enable_custom_pages");
+const customPagesSettings = document.getElementById("custom_pages_settings");
+const customPagesTbody = document.getElementById("custom-pages-tbody");
+const customPageModalElement = document.getElementById("customPageDesignerModal");
+const customPageForm = document.getElementById("custom-page-designer-form");
+const addCustomPageButton = document.getElementById("add-custom-page-btn");
+const createRequestAccessPageButton = document.getElementById("create-request-access-page-btn");
+const customPageModalTitle = document.getElementById("customPageDesignerModalLabel");
+const customPageSaveButton = document.querySelector("[form='custom-page-designer-form'][type='submit']");
+const restartAcknowledgementField = document.getElementById("custom_pages_restart_acknowledged");
+const restartModalElement = document.getElementById("customPagesRestartModal");
+const restartAcknowledgeButton = document.getElementById("custom-pages-restart-acknowledge-btn");
+const restartCancelButton = document.getElementById("custom-pages-restart-cancel-btn");
+const guideButton = document.getElementById("custom-pages-guide-btn");
+const guideModalElement = document.getElementById("customPagesGuideModal");
+const guideStatus = document.getElementById("custom-pages-guide-status");
+const guideContent = document.getElementById("custom-pages-guide-content");
+const requestAccessCreatedModalElement = document.getElementById("requestAccessPageCreatedModal");
+const customPageSlugField = document.getElementById("custom_page_slug");
+const customPageSlugFeedback = document.getElementById("custom-page-slug-feedback");
+
+let customPageModal = null;
+let restartModal = null;
+let guideModal = null;
+let requestAccessCreatedModal = null;
+let guideMarkdownLoaded = false;
+const fileListFields = ["css_files", "js_files", "asset_files", "json_files"];
+const fileListControls = {
+    css_files: {
+        inputId: "custom_page_css_file_entry",
+        addButtonId: "custom_page_css_file_add",
+        hiddenId: "custom_page_css_files",
+        listId: "custom_page_css_files_list"
+    },
+    js_files: {
+        inputId: "custom_page_js_file_entry",
+        addButtonId: "custom_page_js_file_add",
+        hiddenId: "custom_page_js_files",
+        listId: "custom_page_js_files_list"
+    },
+    asset_files: {
+        inputId: "custom_page_asset_file_entry",
+        addButtonId: "custom_page_asset_file_add",
+        hiddenId: "custom_page_asset_files",
+        listId: "custom_page_asset_files_list"
+    },
+    json_files: {
+        inputId: "custom_page_json_file_entry",
+        addButtonId: "custom_page_json_file_add",
+        hiddenId: "custom_page_json_files",
+        listId: "custom_page_json_files_list"
+    }
+};
+const customPageFileLists = {
+    css_files: [],
+    js_files: [],
+    asset_files: [],
+    json_files: []
+};
+
+document.addEventListener("DOMContentLoaded", () => {
+    if (!customPagesTbody) {
+        return;
+    }
+
+    if (customPageModalElement && typeof bootstrap !== "undefined" && bootstrap.Modal) {
+        customPageModal = bootstrap.Modal.getOrCreateInstance(customPageModalElement);
+    }
+    if (restartModalElement && typeof bootstrap !== "undefined" && bootstrap.Modal) {
+        restartModal = bootstrap.Modal.getOrCreateInstance(restartModalElement);
+    }
+    if (guideModalElement && typeof bootstrap !== "undefined" && bootstrap.Modal) {
+        guideModal = bootstrap.Modal.getOrCreateInstance(guideModalElement);
+    }
+    if (requestAccessCreatedModalElement && typeof bootstrap !== "undefined" && bootstrap.Modal) {
+        requestAccessCreatedModal = bootstrap.Modal.getOrCreateInstance(requestAccessCreatedModalElement);
+    }
+
+    setupCustomPagesToggle();
+    setupCustomPagesGuide();
+    setupCustomPageFileListEditors();
+    setupCustomPageSlugValidation();
+    renderCustomPagesTable();
+    refreshCustomPages();
+
+    if (addCustomPageButton) {
+        addCustomPageButton.addEventListener("click", () => openCustomPageDesigner());
+    }
+
+    if (createRequestAccessPageButton) {
+        createRequestAccessPageButton.addEventListener("click", createRequestAccessPage);
+    }
+
+    if (customPageForm) {
+        customPageForm.addEventListener("submit", saveCustomPageFromDesigner);
+    }
+});
+
+function setupCustomPagesToggle() {
+    if (!enableCustomPagesToggle || !customPagesSettings) {
+        return;
+    }
+
+    const initiallyEnabled = window.customPagesInitiallyEnabled === true;
+
+    function syncCustomPagesVisibility() {
+        customPagesSettings.classList.toggle("d-none", !enableCustomPagesToggle.checked);
+    }
+
+    enableCustomPagesToggle.addEventListener("change", () => {
+        if (restartAcknowledgementField && !enableCustomPagesToggle.checked) {
+            restartAcknowledgementField.value = "";
+        }
+
+        syncCustomPagesVisibility();
+
+        if (enableCustomPagesToggle.checked && !initiallyEnabled && restartModal) {
+            restartModal.show();
+        }
+    });
+
+    if (restartAcknowledgeButton) {
+        restartAcknowledgeButton.addEventListener("click", () => {
+            if (restartAcknowledgementField) {
+                restartAcknowledgementField.value = "on";
+            }
+            if (restartModal) {
+                restartModal.hide();
+            }
+        });
+    }
+
+    if (restartCancelButton) {
+        restartCancelButton.addEventListener("click", () => {
+            enableCustomPagesToggle.checked = false;
+            if (restartAcknowledgementField) {
+                restartAcknowledgementField.value = "";
+            }
+            syncCustomPagesVisibility();
+            if (restartModal) {
+                restartModal.hide();
+            }
+        });
+    }
+
+    syncCustomPagesVisibility();
+}
+
+async function refreshCustomPages() {
+    try {
+        const response = await fetch("/api/admin/custom-pages");
+        const payload = await response.json();
+        if (!response.ok) {
+            throw new Error(payload.error || "Failed to load custom pages.");
+        }
+        customPages = Array.isArray(payload.pages) ? payload.pages : [];
+        renderCustomPagesTable();
+        syncRequestAccessPageButtonState();
+    } catch (error) {
+        showToast(`Custom pages could not be loaded: ${error.message}`, "warning");
+    }
+}
+
+function renderCustomPagesTable() {
+    if (!customPagesTbody) {
+        return;
+    }
+
+    customPagesTbody.textContent = "";
+
+    if (!customPages.length) {
+        const row = document.createElement("tr");
+        const cell = document.createElement("td");
+        cell.colSpan = 8;
+        cell.className = "text-muted text-center";
+        cell.textContent = "No custom pages are registered.";
+        row.appendChild(cell);
+        customPagesTbody.appendChild(row);
+        return;
+    }
+
+    customPages.forEach(page => {
+        const row = document.createElement("tr");
+        appendTextCell(row, page.slug || "");
+        appendTextCell(row, page.title || "");
+        appendTextCell(row, page.entry_type || "static");
+        appendTextCell(row, page.access_level === "authenticated" ? "Any signed-in user" : "App users only");
+        appendTextCell(row, Array.isArray(page.roles) && page.roles.length ? page.roles.join(", ") : "Any eligible user");
+        appendTextCell(row, page.enabled ? "Enabled" : "Disabled");
+        appendTextCell(row, page.show_in_nav ? "Shown" : "Hidden");
+
+        const actionCell = document.createElement("td");
+        const isPythonPage = page.source === "python";
+
+        const editButton = document.createElement("button");
+        editButton.type = "button";
+        editButton.className = "btn btn-sm btn-outline-primary me-1";
+        editButton.textContent = isPythonPage ? "View" : "Edit";
+        editButton.addEventListener("click", () => openCustomPageDesigner(page, isPythonPage));
+        actionCell.appendChild(editButton);
+
+        if (!isPythonPage) {
+            const deleteButton = document.createElement("button");
+            deleteButton.type = "button";
+            deleteButton.className = "btn btn-sm btn-outline-danger";
+            deleteButton.textContent = "Delete";
+            deleteButton.addEventListener("click", () => deleteCustomPage(page.slug));
+            actionCell.appendChild(deleteButton);
+        }
+
+        row.appendChild(actionCell);
+        customPagesTbody.appendChild(row);
+    });
+    syncRequestAccessPageButtonState();
+}
+
+function requestAccessPageExists() {
+    return customPages.some(page => (page.slug || "").toLowerCase() === "request-access");
+}
+
+function syncRequestAccessPageButtonState() {
+    if (!createRequestAccessPageButton) {
+        return;
+    }
+
+    const exists = requestAccessPageExists();
+    createRequestAccessPageButton.disabled = exists;
+    createRequestAccessPageButton.title = exists
+        ? "The request-access custom page already exists."
+        : "Create the optional Request Access page metadata.";
+}
+
+function setupCustomPageSlugValidation() {
+    if (!customPageSlugField) {
+        return;
+    }
+
+    customPageSlugField.addEventListener("blur", validateCustomPageSlugUniqueness);
+    customPageSlugField.addEventListener("input", () => {
+        customPageSlugField.classList.remove("is-invalid");
+        if (customPageSlugFeedback) {
+            customPageSlugFeedback.textContent = "A custom page with this slug already exists.";
+        }
+    });
+}
+
+function getNormalizedSlugValue() {
+    return (customPageSlugField?.value || "").trim().toLowerCase();
+}
+
+function customPageSlugExists(slug) {
+    if (!slug) {
+        return false;
+    }
+
+    const originalSlug = customPageForm?.dataset.originalSlug || "";
+    return customPages.some(page => {
+        const pageSlug = (page.slug || "").toLowerCase();
+        return pageSlug === slug && pageSlug !== originalSlug;
+    });
+}
+
+function validateCustomPageSlugUniqueness() {
+    if (!customPageSlugField) {
+        return true;
+    }
+
+    const slug = getNormalizedSlugValue();
+    const isDuplicate = customPageSlugExists(slug);
+    customPageSlugField.classList.toggle("is-invalid", isDuplicate);
+    if (isDuplicate && customPageSlugFeedback) {
+        customPageSlugFeedback.textContent = `A custom page with slug "${slug}" already exists.`;
+    }
+    return !isDuplicate;
+}
+
+function appendTextCell(row, value) {
+    const cell = document.createElement("td");
+    cell.textContent = value;
+    row.appendChild(cell);
+}
+
+function setupCustomPageFileListEditors() {
+    fileListFields.forEach(fieldName => {
+        const controls = fileListControls[fieldName];
+        const addButton = document.getElementById(controls.addButtonId);
+        const input = document.getElementById(controls.inputId);
+
+        if (addButton) {
+            addButton.addEventListener("click", () => addCustomPageFile(fieldName));
+        }
+
+        if (input) {
+            input.addEventListener("keydown", event => {
+                if (event.key === "Enter") {
+                    event.preventDefault();
+                    addCustomPageFile(fieldName);
+                }
+            });
+        }
+
+        setFileListValues(fieldName, []);
+    });
+}
+
+function addCustomPageFile(fieldName) {
+    const controls = fileListControls[fieldName];
+    const input = controls ? document.getElementById(controls.inputId) : null;
+    if (!input) {
+        return;
+    }
+
+    const fileName = input.value.trim();
+    if (!fileName) {
+        return;
+    }
+
+    const currentFiles = customPageFileLists[fieldName] || [];
+    if (!currentFiles.includes(fileName)) {
+        currentFiles.push(fileName);
+        setFileListValues(fieldName, currentFiles);
+    }
+
+    input.value = "";
+    input.focus();
+}
+
+function removeCustomPageFile(fieldName, fileName) {
+    const currentFiles = customPageFileLists[fieldName] || [];
+    setFileListValues(fieldName, currentFiles.filter(currentFileName => currentFileName !== fileName));
+}
+
+function setFileListValues(fieldName, values) {
+    customPageFileLists[fieldName] = normalizeFileList(values);
+    syncFileListHiddenField(fieldName);
+    renderCustomPageFileList(fieldName);
+}
+
+function normalizeFileList(values) {
+    if (!Array.isArray(values)) {
+        return [];
+    }
+
+    const seen = new Set();
+    const normalizedValues = [];
+    values.forEach(value => {
+        const fileName = String(value || "").trim();
+        if (fileName && !seen.has(fileName)) {
+            seen.add(fileName);
+            normalizedValues.push(fileName);
+        }
+    });
+    return normalizedValues;
+}
+
+function syncFileListHiddenField(fieldName) {
+    const controls = fileListControls[fieldName];
+    const hiddenField = controls ? document.getElementById(controls.hiddenId) : null;
+    if (hiddenField) {
+        hiddenField.value = (customPageFileLists[fieldName] || []).join(", ");
+    }
+}
+
+function renderCustomPageFileList(fieldName) {
+    const controls = fileListControls[fieldName];
+    const listElement = controls ? document.getElementById(controls.listId) : null;
+    if (!listElement) {
+        return;
+    }
+
+    listElement.textContent = "";
+    const files = customPageFileLists[fieldName] || [];
+
+    if (!files.length) {
+        const emptyItem = document.createElement("li");
+        emptyItem.className = "list-group-item text-muted small";
+        emptyItem.textContent = "No files added.";
+        listElement.appendChild(emptyItem);
+        return;
+    }
+
+    files.forEach(fileName => {
+        const item = document.createElement("li");
+        item.className = "list-group-item d-flex align-items-center justify-content-between gap-2";
+
+        const label = document.createElement("span");
+        label.className = "text-break";
+        label.textContent = fileName;
+        item.appendChild(label);
+
+        const removeButton = document.createElement("button");
+        removeButton.type = "button";
+        removeButton.className = "btn btn-sm btn-outline-danger";
+        removeButton.textContent = "Remove";
+        removeButton.addEventListener("click", () => removeCustomPageFile(fieldName, fileName));
+        item.appendChild(removeButton);
+
+        listElement.appendChild(item);
+    });
+}
+
+function openCustomPageDesigner(page = null, readOnly = false) {
+    if (!customPageForm || !customPageModal) {
+        return;
+    }
+
+    customPageForm.reset();
+    customPageForm.dataset.mode = page ? "edit" : "create";
+    customPageForm.dataset.originalSlug = page?.slug || "";
+    if (customPageSlugField) {
+        customPageSlugField.classList.remove("is-invalid");
+    }
+
+    if (customPageModalTitle) {
+        customPageModalTitle.textContent = readOnly ? "View Custom Page" : (page ? "Edit Custom Page" : "New Custom Page");
+    }
+
+    setFieldValue("custom_page_slug", page?.slug || "");
+    setFieldValue("custom_page_title", page?.title || "");
+    setFieldValue("custom_page_description", page?.description || "");
+    setFieldValue("custom_page_nav_label", page?.nav_label || page?.title || "");
+    setFieldValue("custom_page_nav_icon", page?.nav_icon || "bi-file-earmark-text");
+    setFieldValue("custom_page_nav_order", page?.nav_order ?? 100);
+    setFieldValue("custom_page_roles", Array.isArray(page?.roles) ? page.roles.join(", ") : "");
+    setFieldValue("custom_page_html_file", page?.html_file || "");
+    setFieldValue("custom_page_access_level", page?.access_level || "app_user");
+    setFileListValues("css_files", Array.isArray(page?.css_files) ? page.css_files : []);
+    setFileListValues("js_files", Array.isArray(page?.js_files) ? page.js_files : []);
+    setFileListValues("asset_files", Array.isArray(page?.asset_files) ? page.asset_files : []);
+    setFileListValues("json_files", Array.isArray(page?.json_files) ? page.json_files : []);
+    setCheckedValue("custom_page_enabled", page?.enabled !== false);
+    setCheckedValue("custom_page_show_in_nav", page?.show_in_nav !== false);
+    setCheckedValue("custom_page_open_in_new_tab", page?.open_in_new_tab === true);
+
+    customPageForm.querySelectorAll("input, textarea, button").forEach(element => {
+        element.disabled = readOnly;
+    });
+    if (customPageSaveButton) {
+        customPageSaveButton.disabled = readOnly;
+    }
+
+    customPageModal.show();
+}
+
+function setFieldValue(id, value) {
+    const field = document.getElementById(id);
+    if (field) {
+        field.value = value;
+    }
+}
+
+function setCheckedValue(id, value) {
+    const field = document.getElementById(id);
+    if (field) {
+        field.checked = Boolean(value);
+    }
+}
+
+async function saveCustomPageFromDesigner(event) {
+    event.preventDefault();
+    if (!validateCustomPageSlugUniqueness()) {
+        showToast("Choose a unique slug before saving this custom page.", "warning");
+        return;
+    }
+
+    const originalSlug = customPageForm.dataset.originalSlug || "";
+    const payload = readCustomPageDesignerPayload();
+    const mode = customPageForm.dataset.mode || "create";
+    const url = mode === "edit" && originalSlug
+        ? `/api/admin/custom-pages/${encodeURIComponent(originalSlug)}`
+        : "/api/admin/custom-pages";
+    const method = mode === "edit" && originalSlug ? "PUT" : "POST";
+
+    try {
+        const response = await fetch(url, {
+            method,
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify(payload)
+        });
+        const result = response.status === 204 ? {} : await response.json();
+        if (!response.ok) {
+            throw new Error(result.error || "Failed to save custom page.");
+        }
+        showToast("Custom page saved.", "success");
+        customPageModal.hide();
+        await refreshCustomPages();
+    } catch (error) {
+        showToast(error.message, "danger");
+    }
+}
+
+function readCustomPageDesignerPayload() {
+    return {
+        slug: getFieldValue("custom_page_slug").trim().toLowerCase(),
+        title: getFieldValue("custom_page_title").trim(),
+        description: getFieldValue("custom_page_description").trim(),
+        nav_label: getFieldValue("custom_page_nav_label").trim(),
+        nav_icon: getFieldValue("custom_page_nav_icon").trim() || "bi-file-earmark-text",
+        nav_order: Number.parseInt(getFieldValue("custom_page_nav_order"), 10) || 100,
+        roles: splitCsv(getFieldValue("custom_page_roles")),
+        access_level: getFieldValue("custom_page_access_level") || "app_user",
+        html_file: getFieldValue("custom_page_html_file").trim(),
+        css_files: customPageFileLists.css_files,
+        js_files: customPageFileLists.js_files,
+        asset_files: customPageFileLists.asset_files,
+        json_files: customPageFileLists.json_files,
+        enabled: Boolean(document.getElementById("custom_page_enabled")?.checked),
+        show_in_nav: Boolean(document.getElementById("custom_page_show_in_nav")?.checked),
+        open_in_new_tab: Boolean(document.getElementById("custom_page_open_in_new_tab")?.checked),
+        entry_type: "static"
+    };
+}
+
+function getFieldValue(id) {
+    return document.getElementById(id)?.value || "";
+}
+
+function splitCsv(value) {
+    return String(value || "")
+        .split(",")
+        .map(item => item.trim())
+        .filter(Boolean);
+}
+
+async function deleteCustomPage(slug) {
+    if (!slug) {
+        return;
+    }
+
+    try {
+        const response = await fetch(`/api/admin/custom-pages/${encodeURIComponent(slug)}`, {
+            method: "DELETE"
+        });
+        if (!response.ok) {
+            const payload = await response.json();
+            throw new Error(payload.error || "Failed to delete custom page.");
+        }
+        showToast("Custom page deleted.", "success");
+        await refreshCustomPages();
+    } catch (error) {
+        showToast(error.message, "danger");
+    }
+}
+
+function setupCustomPagesGuide() {
+    if (!guideButton || !guideModal) {
+        return;
+    }
+
+    guideButton.addEventListener("click", async () => {
+        guideModal.show();
+        if (!guideMarkdownLoaded) {
+            await loadCustomPagesGuide();
+        }
+    });
+}
+
+async function loadCustomPagesGuide() {
+    if (guideStatus) {
+        guideStatus.classList.remove("d-none");
+        guideStatus.textContent = "Loading guide...";
+    }
+    if (guideContent) {
+        guideContent.classList.add("d-none");
+        guideContent.textContent = "";
+    }
+
+    try {
+        const response = await fetch("/api/admin/custom-pages/developer-guide", { credentials: "same-origin" });
+        const payload = await response.json();
+        if (!response.ok) {
+            throw new Error(payload.error || "Developer guide could not be loaded.");
+        }
+
+        const markdown = payload.markdown || "";
+        if (guideContent && typeof marked !== "undefined" && typeof DOMPurify !== "undefined") {
+            guideContent.innerHTML = DOMPurify.sanitize(marked.parse(markdown));
+            guideContent.classList.remove("d-none");
+            guideMarkdownLoaded = true;
+            if (guideStatus) {
+                guideStatus.classList.add("d-none");
+            }
+            return;
+        }
+
+        if (guideContent) {
+            guideContent.textContent = markdown;
+            guideContent.classList.remove("d-none");
+            guideMarkdownLoaded = true;
+        }
+        if (guideStatus) {
+            guideStatus.classList.add("d-none");
+        }
+    } catch (error) {
+        if (guideStatus) {
+            guideStatus.textContent = error.message;
+        }
+    }
+}
+
+async function createRequestAccessPage() {
+    if (!createRequestAccessPageButton) {
+        return;
+    }
+
+    createRequestAccessPageButton.disabled = true;
+    try {
+        const response = await fetch("/api/admin/custom-pages/request-access-example", {
+            method: "POST",
+            headers: { "Content-Type": "application/json" }
+        });
+        const payload = await response.json();
+        if (!response.ok) {
+            throw new Error(payload.error || "Failed to create Request Access page.");
+        }
+        showToast("Request Access page created and access-denied button enabled.", "success");
+        await refreshCustomPages();
+        if (requestAccessCreatedModal) {
+            requestAccessCreatedModal.show();
+        }
+    } catch (error) {
+        showToast(error.message, "danger");
+    } finally {
+        syncRequestAccessPageButtonState();
+    }
+}
\ No newline at end of file
diff --git a/application/single_app/static/js/admin/admin_model_endpoints.js b/application/single_app/static/js/admin/admin_model_endpoints.js
index 07206a245..3ce1ced8e 100644
--- a/application/single_app/static/js/admin/admin_model_endpoints.js
+++ b/application/single_app/static/js/admin/admin_model_endpoints.js
@@ -10,6 +10,8 @@ const endpointsInput = document.getElementById("model_endpoints_json");
 const defaultModelSelect = document.getElementById("default-model-selection");
 const defaultModelInput = document.getElementById("default_model_selection_json");
 const defaultModelWrapper = document.getElementById("default-model-selection-wrapper");
+const metadataExtractionModelSelect = document.getElementById("metadata_extraction_model");
+const metadataExtractionModelInput = document.getElementById("metadata_extraction_model_selection_json");
 const migrationPanel = document.getElementById("agent-default-model-migration-panel");
 const migrationStatus = document.getElementById("agent-default-model-migration-status");
 const migrationCallout = document.getElementById("agent-default-model-migration-callout");
@@ -86,6 +88,10 @@ let endpointDuplicateKeyModal = null;
 let defaultModelSelection = window.defaultModelSelection && typeof window.defaultModelSelection === "object"
     ? { ...window.defaultModelSelection }
     : {};
+let metadataExtractionModelSelection = window.metadataExtractionModelSelection && typeof window.metadataExtractionModelSelection === "object"
+    ? { ...window.metadataExtractionModelSelection }
+    : {};
+const legacyMetadataExtractionModel = String(window.legacyMetadataExtractionModel || "").trim();
 let migrationPreviewState = null;
 let migrationSelectedKeys = new Set();
 
@@ -134,6 +140,13 @@ function updateDefaultModelInput() {
     defaultModelInput.value = JSON.stringify(defaultModelSelection || {});
 }
 
+function updateMetadataExtractionModelInput() {
+    if (!metadataExtractionModelInput) {
+        return;
+    }
+    metadataExtractionModelInput.value = JSON.stringify(metadataExtractionModelSelection || {});
+}
+
 function isAdminSettingsFormModified() {
     return typeof window.isAdminSettingsFormModified === "function" && window.isAdminSettingsFormModified();
 }
@@ -272,6 +285,7 @@ function renderEndpoints() {
         `;
         updateHiddenInput();
         buildDefaultModelOptions();
+        buildMetadataExtractionModelOptions();
         return;
     }
 
@@ -341,6 +355,39 @@ function renderEndpoints() {
 
     updateHiddenInput();
     buildDefaultModelOptions();
+    buildMetadataExtractionModelOptions();
+}
+
+function buildEndpointModelOption(endpoint, model) {
+    const modelId = model.id
+        || model.deploymentName
+        || model.deployment
+        || model.modelName
+        || model.name
+        || generateId();
+    if (!model.id) {
+        model.id = modelId;
+    }
+
+    const endpointLabel = endpoint.name || endpoint.connection?.endpoint || "Endpoint";
+    const provider = (endpoint.provider || "aoai").toLowerCase();
+    const providerLabel = formatProviderLabel(provider);
+    const endpointEnabled = endpoint.enabled !== false;
+    const modelEnabled = model.enabled !== false;
+    const modelLabel = model.displayName || model.deploymentName || model.modelName || "Unnamed model";
+    const option = document.createElement("option");
+    option.value = `${endpoint.id}:${modelId}`;
+    option.dataset.endpointId = endpoint.id || "";
+    option.dataset.modelId = modelId || "";
+    option.dataset.provider = provider;
+    option.dataset.deploymentName = model.deploymentName || model.deployment || "";
+    option.disabled = !(endpointEnabled && modelEnabled);
+    option.textContent = `${endpointLabel} — ${modelLabel} (${providerLabel})`;
+    if (option.disabled) {
+        option.textContent += " (disabled)";
+    }
+
+    return option;
 }
 
 function buildDefaultModelOptions() {
@@ -357,40 +404,79 @@ function buildDefaultModelOptions() {
 
     modelEndpoints.forEach((endpoint) => {
         const models = Array.isArray(endpoint.models) ? endpoint.models : [];
-        const endpointLabel = endpoint.name || endpoint.connection?.endpoint || "Endpoint";
-        const provider = (endpoint.provider || "aoai").toLowerCase();
-        const providerLabel = formatProviderLabel(provider);
-        const endpointEnabled = endpoint.enabled !== false;
 
         models.forEach((model) => {
-            const modelId = model.id
-                || model.deploymentName
-                || model.deployment
-                || model.modelName
-                || model.name
-                || generateId();
-            if (!model.id) {
-                model.id = modelId;
-            }
-            const modelEnabled = model.enabled !== false;
-            const modelLabel = model.displayName || model.deploymentName || model.modelName || "Unnamed model";
-            const option = document.createElement("option");
-            option.value = `${endpoint.id}:${modelId}`;
-            option.dataset.endpointId = endpoint.id || "";
-            option.dataset.modelId = modelId || "";
-            option.dataset.provider = provider;
-            option.disabled = !(endpointEnabled && modelEnabled);
-            option.textContent = `${endpointLabel} — ${modelLabel} (${providerLabel})`;
-            if (option.disabled) {
-                option.textContent += " (disabled)";
-            }
-            defaultModelSelect.appendChild(option);
+            defaultModelSelect.appendChild(buildEndpointModelOption(endpoint, model));
         });
     });
 
     applyDefaultModelSelection(defaultModelSelection);
 }
 
+function buildMetadataExtractionModelOptions() {
+    if (!metadataExtractionModelSelect) {
+        return;
+    }
+
+    metadataExtractionModelSelect.innerHTML = "";
+
+    const emptyOption = document.createElement("option");
+    emptyOption.value = "";
+    emptyOption.textContent = "No metadata extraction model selected";
+    metadataExtractionModelSelect.appendChild(emptyOption);
+
+    modelEndpoints.forEach((endpoint) => {
+        const models = Array.isArray(endpoint.models) ? endpoint.models : [];
+        models.forEach((model) => {
+            metadataExtractionModelSelect.appendChild(buildEndpointModelOption(endpoint, model));
+        });
+    });
+
+    applyMetadataExtractionModelSelection(metadataExtractionModelSelection);
+}
+
+function applyMetadataExtractionModelSelection(selection) {
+    if (!metadataExtractionModelSelect) {
+        return;
+    }
+
+    metadataExtractionModelSelection = normalizeDefaultModelSelection(selection);
+    const hasSelection = metadataExtractionModelSelection.endpoint_id && metadataExtractionModelSelection.model_id;
+    let matchingOption = null;
+
+    if (hasSelection) {
+        matchingOption = Array.from(metadataExtractionModelSelect.options).find((option) => {
+            return option.dataset.endpointId === metadataExtractionModelSelection.endpoint_id
+                && option.dataset.modelId === metadataExtractionModelSelection.model_id;
+        });
+    } else if (legacyMetadataExtractionModel) {
+        matchingOption = Array.from(metadataExtractionModelSelect.options).find((option) => {
+            return option.dataset.deploymentName === legacyMetadataExtractionModel;
+        });
+        if (matchingOption && !matchingOption.disabled) {
+            metadataExtractionModelSelection = {
+                endpoint_id: matchingOption.dataset.endpointId || "",
+                model_id: matchingOption.dataset.modelId || "",
+                provider: matchingOption.dataset.provider || ""
+            };
+        }
+    }
+
+    if (!matchingOption || matchingOption.disabled) {
+        metadataExtractionModelSelection = {
+            endpoint_id: "",
+            model_id: "",
+            provider: ""
+        };
+        metadataExtractionModelSelect.value = "";
+        updateMetadataExtractionModelInput();
+        return;
+    }
+
+    metadataExtractionModelSelect.value = matchingOption.value;
+    updateMetadataExtractionModelInput();
+}
+
 function applyDefaultModelSelection(selection) {
     if (!defaultModelSelect) {
         return;
@@ -450,6 +536,29 @@ function handleDefaultModelChange() {
     handleMigrationConfigurationChange();
 }
 
+function handleMetadataExtractionModelChange() {
+    if (!metadataExtractionModelSelect) {
+        return;
+    }
+
+    const selectedOption = metadataExtractionModelSelect.selectedOptions[0];
+    if (!selectedOption || !selectedOption.value) {
+        metadataExtractionModelSelection = {
+            endpoint_id: "",
+            model_id: "",
+            provider: ""
+        };
+    } else {
+        metadataExtractionModelSelection = {
+            endpoint_id: selectedOption.dataset.endpointId || "",
+            model_id: selectedOption.dataset.modelId || "",
+            provider: selectedOption.dataset.provider || ""
+        };
+    }
+    updateMetadataExtractionModelInput();
+    markModified();
+}
+
 function updateAuthVisibility() {
     const authType = endpointAuthTypeSelect?.value || "managed_identity";
     const provider = endpointProviderSelect?.value || "aoai";
@@ -1499,6 +1608,10 @@ function init() {
         defaultModelSelect.addEventListener("change", handleDefaultModelChange);
     }
 
+    if (metadataExtractionModelSelect) {
+        metadataExtractionModelSelect.addEventListener("change", handleMetadataExtractionModelChange);
+    }
+
     if (previewMigrationBtn) {
         previewMigrationBtn.addEventListener("click", () => {
             openMigrationReviewModal();
diff --git a/application/single_app/static/js/admin/admin_sidebar_nav.js b/application/single_app/static/js/admin/admin_sidebar_nav.js
index 3c3a17505..88a98183f 100644
--- a/application/single_app/static/js/admin/admin_sidebar_nav.js
+++ b/application/single_app/static/js/admin/admin_sidebar_nav.js
@@ -183,6 +183,7 @@ function scrollToSection(sectionId) {
         'home-page-text-section': 'home-page-text-section',
         'appearance-section': 'appearance-section',
         'classification-banner-section': 'classification-banner-section',
+        'custom-pages-section': 'custom-pages-section',
         'external-links-section': 'external-links-section',
         'health-check-section': 'health-check-section',
         'system-settings-section': 'system-settings-section',
diff --git a/application/single_app/templates/_custom_pages_drawer.html b/application/single_app/templates/_custom_pages_drawer.html
new file mode 100644
index 000000000..c0e70b1b2
--- /dev/null
+++ b/application/single_app/templates/_custom_pages_drawer.html
@@ -0,0 +1,55 @@
+{% if session.get('user') and session['user'].get('roles') and ('Admin' in session['user']['roles'] or 'User' in session['user']['roles']) and app_settings.enable_custom_pages %}
+<div class="offcanvas offcanvas-end custom-pages-drawer" tabindex="-1" id="customPagesDrawer" aria-labelledby="customPagesDrawerLabel">
+    <div class="offcanvas-header border-bottom">
+        <div>
+            <h5 class="offcanvas-title" id="customPagesDrawerLabel">{{ app_settings.custom_pages_menu_name or 'Custom Pages' }}</h5>
+            <div class="text-muted small">{{ custom_pages_nav|length }} page{% if custom_pages_nav|length != 1 %}s{% endif %}</div>
+        </div>
+        <button type="button" class="btn-close" data-bs-dismiss="offcanvas" aria-label="Close"></button>
+    </div>
+    <div class="offcanvas-body">
+        {% if custom_pages_nav %}
+            <div class="list-group custom-pages-drawer-list">
+                {% for page in custom_pages_nav %}
+                    <a class="list-group-item list-group-item-action custom-pages-drawer-item" href="{{ page.url }}" {% if page.open_in_new_tab %}target="_blank" rel="noopener noreferrer"{% endif %}>
+                        <i class="bi {{ page.icon }} me-2"></i>
+                        <span>{{ page.label }}</span>
+                    </a>
+                {% endfor %}
+            </div>
+        {% else %}
+            <div class="text-muted d-flex align-items-center gap-2">
+                <i class="bi bi-info-circle"></i>
+                <span>No custom pages registered</span>
+            </div>
+        {% endif %}
+    </div>
+</div>
+<script>
+    document.addEventListener('click', function(event) {
+        const trigger = event.target.closest('[data-custom-pages-open-drawer]');
+        if (!trigger) {
+            return;
+        }
+
+        event.preventDefault();
+        const drawerElement = document.getElementById('customPagesDrawer');
+        if (!drawerElement || typeof bootstrap === 'undefined' || !bootstrap.Offcanvas) {
+            return;
+        }
+
+        const drawer = bootstrap.Offcanvas.getOrCreateInstance(drawerElement);
+        const openOffcanvas = document.querySelector('.offcanvas.show:not(#customPagesDrawer)');
+        if (!openOffcanvas) {
+            drawer.show();
+            return;
+        }
+
+        const openInstance = bootstrap.Offcanvas.getInstance(openOffcanvas) || bootstrap.Offcanvas.getOrCreateInstance(openOffcanvas);
+        openOffcanvas.addEventListener('hidden.bs.offcanvas', function() {
+            drawer.show();
+        }, { once: true });
+        openInstance.hide();
+    });
+</script>
+{% endif %}
\ No newline at end of file
diff --git a/application/single_app/templates/_sidebar_nav.html b/application/single_app/templates/_sidebar_nav.html
index d00ebc1c1..5753a47e3 100644
--- a/application/single_app/templates/_sidebar_nav.html
+++ b/application/single_app/templates/_sidebar_nav.html
@@ -190,6 +190,64 @@
     </div>
     {% endif %}
 
+    <!-- Custom Pages Section - Show header when enabled, even before pages are registered -->
+    {% if session.get('user') and session['user'].get('roles') and ('Admin' in session['user']['roles'] or 'User' in session['user']['roles']) and app_settings.enable_custom_pages %}
+    <div class="overflow-auto custom-pages-menu-wrapper">
+      {% set custom_page_count = custom_pages_nav|length %}
+      {% set custom_pages_drawer_threshold = 5 %}
+      {% set custom_pages_use_drawer = custom_page_count > custom_pages_drawer_threshold %}
+      {% set custom_pages_should_force_menu = app_settings.custom_pages_force_menu or custom_page_count >= 3 %}
+      {% if custom_pages_use_drawer %}
+        <button type="button" class="custom-pages-menu-toggle mt-2 mb-1 text-muted small d-flex align-items-center w-100" data-custom-pages-open-drawer aria-controls="customPagesDrawer">
+          <span class="nav-text flex-grow-1 text-start">{{ app_settings.custom_pages_menu_name or 'Custom Pages' }}</span>
+          <span class="badge rounded-pill text-bg-secondary custom-pages-count-badge">{{ custom_page_count }}</span>
+          <i class="bi bi-layout-sidebar-inset-reverse ms-2 custom-pages-caret"></i>
+        </button>
+      {% elif custom_pages_should_force_menu or custom_page_count == 0 %}
+        <div id="custom-pages-toggle" class="custom-pages-menu-toggle mt-2 mb-1 text-muted small d-flex align-items-center">
+          <span class="nav-text flex-grow-1">{{ app_settings.custom_pages_menu_name or 'Custom Pages' }}</span>
+          <span class="badge rounded-pill text-bg-secondary custom-pages-count-badge">{{ custom_page_count }}</span>
+          <i id="custom-pages-caret" class="bi bi-caret-down-fill ms-2 transition custom-pages-caret"></i>
+        </div>
+        <div id="custom-pages-links-section" class="custom-pages-menu-list">
+          <ul class="nav flex-column mb-2">
+            {% if custom_page_count == 0 %}
+            <li class="nav-item">
+              <span class="nav-link d-flex align-items-center text-muted">
+                <i class="bi bi-info-circle me-2" style="font-size: 0.8em;"></i>
+                <span class="nav-text">No custom pages registered</span>
+              </span>
+            </li>
+            {% endif %}
+            {% for page in custom_pages_nav %}
+            <li class="nav-item">
+              <a class="nav-link d-flex align-items-center" href="{{ page.url }}" {% if page.open_in_new_tab %}target="_blank" rel="noopener noreferrer"{% endif %}>
+                <i class="bi {{ page.icon }} me-2" style="font-size: 0.8em;"></i>
+                <span class="nav-text">{{ page.label }}</span>
+              </a>
+            </li>
+            {% endfor %}
+          </ul>
+        </div>
+      {% else %}
+        <div class="custom-pages-inline-label mt-2 mb-1 text-muted small d-flex align-items-center">
+          <span class="nav-text flex-grow-1">{{ app_settings.custom_pages_menu_name or 'Custom Pages' }}</span>
+          <span class="badge rounded-pill text-bg-secondary custom-pages-count-badge">{{ custom_page_count }}</span>
+        </div>
+        <ul class="nav flex-column mb-2">
+          {% for page in custom_pages_nav %}
+          <li class="nav-item">
+            <a class="nav-link d-flex align-items-center" href="{{ page.url }}" {% if page.open_in_new_tab %}target="_blank" rel="noopener noreferrer"{% endif %}>
+              <i class="bi {{ page.icon }} me-2" style="font-size: 0.8em;"></i>
+              <span class="nav-text">{{ page.label }}</span>
+            </a>
+          </li>
+          {% endfor %}
+        </ul>
+      {% endif %}
+    </div>
+    {% endif %}
+
     <!-- Support Menu Section - Only show when a signed-in app user can access at least one support destination -->
     {% set support_menu_role_allowed = session.get('user') and session['user'].get('roles') and ('Admin' in session['user']['roles'] or 'User' in session['user']['roles']) %}
     {% if support_menu_role_allowed and app_settings.enable_support_menu %}
@@ -431,6 +489,18 @@
               </li>
             </ul>
           </li>
+          <li class="nav-item">
+            <a class="nav-link d-flex align-items-center admin-nav-tab" href="#" data-tab="custom-pages">
+              <i class="bi bi-window-plus me-2"></i><span class="nav-text">Custom Pages</span>
+            </a>
+            <ul class="nav flex-column ms-3" style="display: none;" id="custom-pages-submenu">
+              <li class="nav-item">
+                <a class="nav-link d-flex align-items-center admin-nav-section" href="#" data-tab="custom-pages" data-section="custom-pages-section">
+                  <i class="bi bi-file-earmark-richtext me-2" style="font-size: 0.8em;"></i><span class="nav-text">Static Pages</span>
+                </a>
+              </li>
+            </ul>
+          </li>
           <li class="nav-item">
             <a class="nav-link d-flex align-items-center admin-nav-tab" href="#" data-tab="ai-models">
               <i class="bi bi-cpu me-2"></i><span class="nav-text">AI Models</span>
@@ -982,6 +1052,19 @@
           supportMenuCaret.style.transform = supportMenuCollapsed ? 'rotate(-90deg)' : 'rotate(0deg)';
         });
       }
+
+      // Collapsible Custom Pages Section
+      var customPagesToggle = document.getElementById('custom-pages-toggle');
+      var customPagesSection = document.getElementById('custom-pages-links-section');
+      var customPagesCaret = document.getElementById('custom-pages-caret');
+      var customPagesCollapsed = false;
+      if (customPagesToggle && customPagesSection && customPagesCaret) {
+        customPagesToggle.addEventListener('click', function() {
+          customPagesCollapsed = !customPagesCollapsed;
+          customPagesSection.classList.toggle('d-none', customPagesCollapsed);
+          customPagesCaret.style.transform = customPagesCollapsed ? 'rotate(-90deg)' : 'rotate(0deg)';
+        });
+      }
     });
 
   </script>
diff --git a/application/single_app/templates/_top_nav.html b/application/single_app/templates/_top_nav.html
index a20b78694..da36c6f9d 100644
--- a/application/single_app/templates/_top_nav.html
+++ b/application/single_app/templates/_top_nav.html
@@ -53,6 +53,46 @@
                     <a class="nav-link" href="{{ url_for('chats') }}">Chat</a>
                 </div>
 
+                {% if app_settings.enable_custom_pages %}
+                    {% set custom_page_count = custom_pages_nav|length %}
+                    {% set custom_pages_drawer_threshold = 5 %}
+                    {% set custom_pages_use_drawer = custom_page_count > custom_pages_drawer_threshold %}
+                    {% set custom_pages_should_force_menu = app_settings.custom_pages_force_menu or custom_page_count >= 3 %}
+                    {% if custom_pages_use_drawer %}
+                        <div class="nav-item">
+                            <button type="button" class="nav-link btn btn-link custom-pages-top-drawer-trigger" data-custom-pages-open-drawer aria-controls="customPagesDrawer">
+                                {{ app_settings.custom_pages_menu_name or 'Custom Pages' }}
+                                <span class="badge rounded-pill text-bg-secondary ms-1">{{ custom_page_count }}</span>
+                            </button>
+                        </div>
+                    {% elif custom_pages_should_force_menu or custom_page_count == 0 %}
+                        <div class="nav-item dropdown">
+                            <a class="nav-link dropdown-toggle" href="#" id="customPagesDropdown" role="button" data-bs-toggle="dropdown" aria-expanded="false">
+                                {{ app_settings.custom_pages_menu_name or 'Custom Pages' }}
+                                <span class="badge rounded-pill text-bg-secondary ms-1">{{ custom_page_count }}</span>
+                            </a>
+                            <div class="dropdown-menu custom-pages-dropdown-menu" aria-labelledby="customPagesDropdown">
+                                {% if custom_page_count == 0 %}
+                                    <span class="dropdown-item text-muted">No custom pages registered</span>
+                                {% endif %}
+                                {% for page in custom_pages_nav %}
+                                    <a class="dropdown-item" href="{{ page.url }}" {% if page.open_in_new_tab %}target="_blank" rel="noopener noreferrer"{% endif %}>
+                                        <i class="bi {{ page.icon }} me-2"></i>{{ page.label }}
+                                    </a>
+                                {% endfor %}
+                            </div>
+                        </div>
+                    {% else %}
+                        {% for page in custom_pages_nav %}
+                            <div class="nav-item">
+                                <a class="nav-link" href="{{ page.url }}" {% if page.open_in_new_tab %}target="_blank" rel="noopener noreferrer"{% endif %}>
+                                    {{ page.label }}
+                                </a>
+                            </div>
+                        {% endfor %}
+                    {% endif %}
+                {% endif %}
+
                 {% set support_menu_role_allowed = 'Admin' in session['user']['roles'] or 'User' in session['user']['roles'] %}
                 {% if support_menu_role_allowed and app_settings.enable_support_menu %}
                     {% set show_support_latest_features = app_settings.enable_support_latest_features and app_settings.support_latest_features_has_visible_items %}
@@ -247,6 +287,33 @@ <h5 class="offcanvas-title" id="topNavMobileMenuLabel">Navigation</h5>
                 </a>
             </div>
 
+            {% if app_settings.enable_custom_pages %}
+                {% set custom_page_count = custom_pages_nav|length %}
+                {% set custom_pages_drawer_threshold = 5 %}
+                {% set custom_pages_use_drawer = custom_page_count > custom_pages_drawer_threshold %}
+                <div class="top-nav-mobile-section-label">{{ app_settings.custom_pages_menu_name or 'Custom Pages' }}</div>
+                {% if custom_pages_use_drawer %}
+                    <div class="list-group list-group-flush top-nav-mobile-list">
+                        <button type="button" class="list-group-item list-group-item-action" data-custom-pages-open-drawer aria-controls="customPagesDrawer">
+                            <i class="bi bi-layout-sidebar-inset-reverse me-2"></i>Browse {{ custom_page_count }} custom pages
+                        </button>
+                    </div>
+                {% else %}
+                <div class="list-group list-group-flush top-nav-mobile-list">
+                    {% if not custom_pages_nav %}
+                        <span class="list-group-item text-muted">
+                            <i class="bi bi-info-circle me-2"></i>No custom pages registered
+                        </span>
+                    {% endif %}
+                    {% for page in custom_pages_nav %}
+                        <a class="list-group-item list-group-item-action" href="{{ page.url }}" {% if page.open_in_new_tab %}target="_blank" rel="noopener noreferrer"{% endif %}>
+                            <i class="bi {{ page.icon }} me-2"></i>{{ page.label }}
+                        </a>
+                    {% endfor %}
+                </div>
+                {% endif %}
+            {% endif %}
+
             {% set support_menu_role_allowed = 'Admin' in session['user']['roles'] or 'User' in session['user']['roles'] %}
             {% if support_menu_role_allowed and app_settings.enable_support_menu %}
                 {% set show_support_latest_features = app_settings.enable_support_latest_features and app_settings.support_latest_features_has_visible_items %}
diff --git a/application/single_app/templates/admin_settings.html b/application/single_app/templates/admin_settings.html
index bdb887388..48a8dd56c 100644
--- a/application/single_app/templates/admin_settings.html
+++ b/application/single_app/templates/admin_settings.html
@@ -885,6 +885,12 @@ <h4>12. Enhanced Citations and Image Generation</h4>
                     General
                 </button>
             </li>
+            <li class="nav-item" role="presentation">
+                <button class="nav-link" id="custom-pages-tab" data-bs-toggle="tab" data-bs-target="#custom-pages"
+                    type="button" role="tab" aria-controls="custom-pages" aria-selected="false">
+                    Custom Pages
+                </button>
+            </li>
             
             <!-- AI Models Group -->
             <li class="nav-item" role="presentation">
@@ -3204,6 +3210,88 @@ <h6 class="mb-1"><i class="bi {{ feature.icon }} me-2"></i>{{ feature.title }}</
                 {% endfor %}
             </div>
 
+            <div class="tab-pane fade" id="custom-pages" role="tabpanel" aria-labelledby="custom-pages-tab">
+                <p class="text-muted">
+                    Enable trusted deployment-time custom pages and manage metadata for simple static pages served from the application custom_pages folders.
+                </p>
+
+                <div class="card p-3 mb-3" id="custom-pages-section">
+                    <div class="d-flex flex-column flex-md-row align-items-md-center justify-content-between gap-2 mb-3">
+                        <h5 class="mb-0">
+                            <i class="bi bi-window-plus me-2"></i>Custom Pages
+                        </h5>
+                        <button type="button" class="btn btn-sm btn-outline-info" id="custom-pages-guide-btn">
+                            <i class="bi bi-book me-1"></i>Developer Guide
+                        </button>
+                    </div>
+                    <div class="form-check form-switch mb-2">
+                        <input class="form-check-input" type="checkbox" id="enable_custom_pages" name="enable_custom_pages"
+                            {% if settings.enable_custom_pages %}checked{% endif %}>
+                        <input type="hidden" id="custom_pages_restart_acknowledged" name="custom_pages_restart_acknowledged" value="">
+                        <label class="form-check-label ms-2" for="enable_custom_pages">
+                            Enable Custom Pages
+                        </label>
+                        <i class="bi bi-info-circle ms-2" data-bs-toggle="tooltip" title="Allow trusted custom pages deployed under application/single_app/custom_pages to appear in navigation and be served under /custom."></i>
+                    </div>
+                    <p class="text-muted small">When disabled, /custom routes return Not Found before loading custom metadata, files, or Python extensions.</p>
+
+                    <div id="custom_pages_settings" class="{% if not settings.enable_custom_pages %}d-none{% endif %}">
+                        <div class="mb-3">
+                            <label for="custom_pages_menu_name" class="form-label">Menu Name</label>
+                            <input type="text" class="form-control" id="custom_pages_menu_name" name="custom_pages_menu_name"
+                                value="{{ settings.custom_pages_menu_name or 'Custom Pages' }}" placeholder="Custom Pages">
+                            <small class="form-text text-muted">This name appears when custom pages are grouped into a menu.</small>
+                        </div>
+
+                        <div class="form-check form-switch mb-3">
+                            <input class="form-check-input" type="checkbox" id="custom_pages_force_menu" name="custom_pages_force_menu"
+                                {% if settings.custom_pages_force_menu %}checked{% endif %}>
+                            <label class="form-check-label ms-2" for="custom_pages_force_menu">
+                                Force Menu Display
+                            </label>
+                            <small class="form-text text-muted d-block">When disabled, 1-2 custom pages show as top-level nav items and 3+ pages show as a menu.</small>
+                        </div>
+
+                        <div class="d-flex align-items-center justify-content-between mb-2">
+                            <div>
+                                <h6 class="mb-1">Static Page Metadata</h6>
+                                <p class="text-muted small mb-0">Create metadata contracts for simple pages that use files from custom_pages/html, css, js, assets, and json.</p>
+                            </div>
+                            <div class="d-flex flex-wrap gap-2 justify-content-end">
+                                <button type="button" class="btn btn-sm btn-outline-success" id="create-request-access-page-btn">
+                                    <i class="bi bi-person-plus me-1"></i>Add Request Access Page
+                                </button>
+                                <button type="button" class="btn btn-sm btn-outline-primary" id="add-custom-page-btn">
+                                    <i class="bi bi-plus-circle me-1"></i>New Static Page
+                                </button>
+                            </div>
+                        </div>
+
+                        <div class="table-responsive">
+                            <table class="table table-sm table-bordered align-middle">
+                                <thead>
+                                    <tr>
+                                        <th>Slug</th>
+                                        <th>Title</th>
+                                        <th>Type</th>
+                                        <th>Access</th>
+                                        <th>Roles</th>
+                                        <th>Status</th>
+                                        <th>Nav</th>
+                                        <th>Actions</th>
+                                    </tr>
+                                </thead>
+                                <tbody id="custom-pages-tbody">
+                                    <tr>
+                                        <td colspan="8" class="text-muted text-center">Loading custom pages...</td>
+                                    </tr>
+                                </tbody>
+                            </table>
+                        </div>
+                    </div>
+                </div>
+            </div>
+
             
             <div class="tab-pane fade" id="ai-models" role="tabpanel" aria-labelledby="ai-models-tab">
                 
@@ -4283,25 +4371,14 @@ <h5>
                   
                     <div id="metadata_extraction_model_settings" class="mb-3"
                          {% if not settings.enable_extract_meta_data %}style="display: none;"{% endif %}>
-                      <label for="metadata_extraction_model" class="form-label">Extraction Model</label>
-                      <select class="form-select" id="metadata_extraction_model" name="metadata_extraction_model"
-                              data-prev="{{ settings.metadata_extraction_model or '' }}">
-                        {% if settings.enable_gpt_apim %}
-                          {% for d in (settings.azure_apim_gpt_deployment or '').split(',') if d %}
-                            <option value="{{ d }}"
-                              {% if settings.metadata_extraction_model == d %}selected{% endif %}>
-                              {{ d }}
-                            </option>
-                          {% endfor %}
-                        {% else %}
-                          {% for m in settings.gpt_model.selected %}
-                            <option value="{{ m.deploymentName }}"
-                              {% if settings.metadata_extraction_model == m.deploymentName %}selected{% endif %}>
-                              {{ m.deploymentName }} ({{ m.modelName }})
-                            </option>
-                          {% endfor %}
-                        {% endif %}
-                      </select>
+                                            <label for="metadata_extraction_model" class="form-label">Extraction Model</label>
+                                            <select class="form-select" id="metadata_extraction_model" name="metadata_extraction_model">
+                                                <option value="">No metadata extraction model selected</option>
+                                            </select>
+                                            <input type="hidden" name="metadata_extraction_model_selection_json" id="metadata_extraction_model_selection_json" />
+                                            <div class="form-text">
+                                                Uses enabled models from Global Endpoints. Configure endpoints in AI Models first.
+                                            </div>
                     </div>
                 </div>
 
@@ -6251,6 +6328,221 @@ <h5 class="mb-1">
     <button type="submit" form="admin-settings-form" class="btn btn-secondary floating-save-btn" id="floating-save-btn" disabled>
         <i class="bi bi-floppy"></i> Save Settings
     </button>
+
+    <div class="modal fade" id="customPagesRestartModal" tabindex="-1" aria-labelledby="customPagesRestartModalLabel" aria-hidden="true" data-bs-backdrop="static" data-bs-keyboard="false">
+        <div class="modal-dialog">
+            <div class="modal-content">
+                <div class="modal-header">
+                    <h5 class="modal-title" id="customPagesRestartModalLabel">Restart Required</h5>
+                </div>
+                <div class="modal-body">
+                    <p>
+                        Custom Pages uses deployment-time files and Python discovery. After saving this setting, restart the App Service to fully enable newly deployed custom page files and Python-backed pages.
+                    </p>
+                    <p class="mb-0 text-muted small">
+                        Your acknowledgement will be written to the activity log when the setting is saved.
+                    </p>
+                </div>
+                <div class="modal-footer">
+                    <button type="button" class="btn btn-outline-secondary" id="custom-pages-restart-cancel-btn">Cancel</button>
+                    <button type="button" class="btn btn-primary" id="custom-pages-restart-acknowledge-btn">I Understand</button>
+                </div>
+            </div>
+        </div>
+    </div>
+
+    <div class="modal fade" id="customPagesGuideModal" tabindex="-1" aria-labelledby="customPagesGuideModalLabel" aria-hidden="true">
+        <div class="modal-dialog modal-xl modal-dialog-scrollable">
+            <div class="modal-content">
+                <div class="modal-header">
+                    <h5 class="modal-title" id="customPagesGuideModalLabel">Custom Pages Developer Guide</h5>
+                    <button type="button" class="btn-close" data-bs-dismiss="modal" aria-label="Close"></button>
+                </div>
+                <div class="modal-body">
+                    <div id="custom-pages-guide-status" class="text-muted">Loading guide...</div>
+                    <div id="custom-pages-guide-content" class="d-none"></div>
+                </div>
+                <div class="modal-footer">
+                    <button type="button" class="btn btn-primary" data-bs-dismiss="modal">Close</button>
+                </div>
+            </div>
+        </div>
+    </div>
+
+    <div class="modal fade" id="requestAccessPageCreatedModal" tabindex="-1" aria-labelledby="requestAccessPageCreatedModalLabel" aria-hidden="true">
+        <div class="modal-dialog modal-lg">
+            <div class="modal-content">
+                <div class="modal-header">
+                    <h5 class="modal-title" id="requestAccessPageCreatedModalLabel">Request Access Page Created</h5>
+                    <button type="button" class="btn-close" data-bs-dismiss="modal" aria-label="Close"></button>
+                </div>
+                <div class="modal-body">
+                    <p>
+                        The optional Request Access page metadata has been created with slug <code>request-access</code>, and the access-denied home page button has been enabled.
+                    </p>
+                    <div class="border rounded p-3 mb-3">
+                        <div class="fw-semibold mb-2">Change the request email address</div>
+                        <p class="mb-2">
+                            Edit this deployed file:
+                        </p>
+                        <code>application/single_app/custom_pages/html/request-access.html</code>
+                        <p class="mt-3 mb-2">
+                            Find and replace this email address:
+                        </p>
+                        <code>accessrequest@example.com</code>
+                    </div>
+                    <p class="mb-0 text-muted small">
+                        The mailto subject and body are also in the same file if your deployment team wants to customize the generated email text.
+                    </p>
+                </div>
+                <div class="modal-footer">
+                    <a class="btn btn-outline-primary" href="/custom/request-access" target="_blank" rel="noopener noreferrer">
+                        <i class="bi bi-box-arrow-up-right me-1"></i>Open Page
+                    </a>
+                    <button type="button" class="btn btn-primary" data-bs-dismiss="modal">Close</button>
+                </div>
+            </div>
+        </div>
+    </div>
+
+    <div class="modal fade" id="customPageDesignerModal" tabindex="-1" aria-labelledby="customPageDesignerModalLabel" aria-hidden="true">
+        <div class="modal-dialog modal-lg modal-dialog-scrollable">
+            <div class="modal-content">
+                <div class="modal-header">
+                    <h5 class="modal-title" id="customPageDesignerModalLabel">Custom Page</h5>
+                    <button type="button" class="btn-close" data-bs-dismiss="modal" aria-label="Close"></button>
+                </div>
+                <div class="modal-body">
+                    <form id="custom-page-designer-form" autocomplete="off">
+                        <div class="row g-3">
+                            <div class="col-md-6">
+                                <label for="custom_page_slug" class="form-label">Slug</label>
+                                <input type="text" class="form-control" id="custom_page_slug" placeholder="team-dashboard" required>
+                                <div class="invalid-feedback" id="custom-page-slug-feedback">A custom page with this slug already exists.</div>
+                                <small class="form-text text-muted">Lowercase letters, numbers, and hyphens only. Served at /custom/&lt;slug&gt;.</small>
+                            </div>
+                            <div class="col-md-6">
+                                <label for="custom_page_title" class="form-label">Title</label>
+                                <input type="text" class="form-control" id="custom_page_title" required>
+                            </div>
+                            <div class="col-12">
+                                <label for="custom_page_description" class="form-label">Description</label>
+                                <textarea class="form-control" id="custom_page_description" rows="2"></textarea>
+                            </div>
+                            <div class="col-md-6">
+                                <label for="custom_page_nav_label" class="form-label">Navigation Label</label>
+                                <input type="text" class="form-control" id="custom_page_nav_label">
+                            </div>
+                            <div class="col-md-3">
+                                <label for="custom_page_nav_icon" class="form-label">Bootstrap Icon</label>
+                                <input type="text" class="form-control" id="custom_page_nav_icon" placeholder="bi-file-earmark-text">
+                            </div>
+                            <div class="col-md-3">
+                                <label for="custom_page_nav_order" class="form-label">Order</label>
+                                <input type="number" class="form-control" id="custom_page_nav_order" value="100">
+                            </div>
+                            <div class="col-md-6">
+                                <label for="custom_page_roles" class="form-label">Allowed Roles</label>
+                                <input type="text" class="form-control" id="custom_page_roles" placeholder="Admin, User">
+                                <small class="form-text text-muted">Leave blank to allow all signed-in users. Admins can view custom pages for testing and management.</small>
+                            </div>
+                            <div class="col-md-6">
+                                <label for="custom_page_html_file" class="form-label">HTML File</label>
+                                <input type="text" class="form-control" id="custom_page_html_file" placeholder="my-page.html" required>
+                            </div>
+                            <div class="col-md-6">
+                                <label for="custom_page_access_level" class="form-label">Access Level</label>
+                                <select class="form-select" id="custom_page_access_level">
+                                    <option value="app_user">App users only</option>
+                                    <option value="authenticated">Any signed-in user</option>
+                                </select>
+                            </div>
+                            <div class="col-12">
+                                <div class="border rounded p-3">
+                                    <h6 class="mb-3">Deployed Files</h6>
+                                    <div class="row g-3">
+                                        <div class="col-md-6">
+                                            <label for="custom_page_css_file_entry" class="form-label">CSS Files</label>
+                                            <input type="hidden" id="custom_page_css_files" value="">
+                                            <div class="input-group mb-2">
+                                                <input type="text" class="form-control" id="custom_page_css_file_entry" data-custom-page-file-input="css_files" placeholder="my-page.css">
+                                                <button type="button" class="btn btn-outline-secondary" id="custom_page_css_file_add" data-custom-page-file-add="css_files">
+                                                    <i class="bi bi-plus-circle me-1"></i>Add
+                                                </button>
+                                            </div>
+                                            <ul class="list-group" id="custom_page_css_files_list" data-custom-page-file-list="css_files"></ul>
+                                        </div>
+                                        <div class="col-md-6">
+                                            <label for="custom_page_js_file_entry" class="form-label">JavaScript Files</label>
+                                            <input type="hidden" id="custom_page_js_files" value="">
+                                            <div class="input-group mb-2">
+                                                <input type="text" class="form-control" id="custom_page_js_file_entry" data-custom-page-file-input="js_files" placeholder="my-page.js">
+                                                <button type="button" class="btn btn-outline-secondary" id="custom_page_js_file_add" data-custom-page-file-add="js_files">
+                                                    <i class="bi bi-plus-circle me-1"></i>Add
+                                                </button>
+                                            </div>
+                                            <ul class="list-group" id="custom_page_js_files_list" data-custom-page-file-list="js_files"></ul>
+                                        </div>
+                                        <div class="col-md-6">
+                                            <label for="custom_page_asset_file_entry" class="form-label">Asset Files</label>
+                                            <input type="hidden" id="custom_page_asset_files" value="">
+                                            <div class="input-group mb-2">
+                                                <input type="text" class="form-control" id="custom_page_asset_file_entry" data-custom-page-file-input="asset_files" placeholder="logo.png">
+                                                <button type="button" class="btn btn-outline-secondary" id="custom_page_asset_file_add" data-custom-page-file-add="asset_files">
+                                                    <i class="bi bi-plus-circle me-1"></i>Add
+                                                </button>
+                                            </div>
+                                            <ul class="list-group" id="custom_page_asset_files_list" data-custom-page-file-list="asset_files"></ul>
+                                        </div>
+                                        <div class="col-md-6">
+                                            <label for="custom_page_json_file_entry" class="form-label">JSON Files</label>
+                                            <input type="hidden" id="custom_page_json_files" value="">
+                                            <div class="input-group mb-2">
+                                                <input type="text" class="form-control" id="custom_page_json_file_entry" data-custom-page-file-input="json_files" placeholder="config.json">
+                                                <button type="button" class="btn btn-outline-secondary" id="custom_page_json_file_add" data-custom-page-file-add="json_files">
+                                                    <i class="bi bi-plus-circle me-1"></i>Add
+                                                </button>
+                                            </div>
+                                            <ul class="list-group" id="custom_page_json_files_list" data-custom-page-file-list="json_files"></ul>
+                                        </div>
+                                    </div>
+                                </div>
+                            </div>
+                            <div class="col-12">
+                                <div class="border rounded p-3">
+                                    <h6 class="mb-3">Publishing</h6>
+                                    <div class="row g-3">
+                                        <div class="col-md-4">
+                                            <div class="form-check form-switch d-flex align-items-center gap-2 mb-0">
+                                                <input class="form-check-input mt-0" type="checkbox" id="custom_page_enabled" checked>
+                                                <label class="form-check-label" for="custom_page_enabled">Enabled</label>
+                                            </div>
+                                        </div>
+                                        <div class="col-md-4">
+                                            <div class="form-check form-switch d-flex align-items-center gap-2 mb-0">
+                                                <input class="form-check-input mt-0" type="checkbox" id="custom_page_show_in_nav" checked>
+                                                <label class="form-check-label" for="custom_page_show_in_nav">Show in Navigation</label>
+                                            </div>
+                                        </div>
+                                        <div class="col-md-4">
+                                            <div class="form-check form-switch d-flex align-items-center gap-2 mb-0">
+                                                <input class="form-check-input mt-0" type="checkbox" id="custom_page_open_in_new_tab">
+                                                <label class="form-check-label" for="custom_page_open_in_new_tab">Open in New Tab</label>
+                                            </div>
+                                        </div>
+                                    </div>
+                                </div>
+                            </div>
+                        </div>
+                    </form>
+                </div>
+                <div class="modal-footer">
+                    <button type="button" class="btn btn-secondary" data-bs-dismiss="modal">Cancel</button>
+                    <button type="submit" form="custom-page-designer-form" class="btn btn-primary">Save Page</button>
+                </div>
+            </div>
+        </div>
+    </div>
     
     <div>
         <!-- Plugin Modal (moved outside form) -->
@@ -6612,6 +6904,8 @@ <h5 class="modal-title" id="userAgreementPreviewModalLabel">
     window.enableMultiModelEndpoints = {{ 'true' if settings.enable_multi_model_endpoints else 'false' }};
     window.modelEndpoints = {{ settings.model_endpoints|default([], true)|tojson|safe }};
     window.defaultModelSelection = {{ settings.default_model_selection|default({}, true)|tojson|safe }};
+    window.metadataExtractionModelSelection = {{ settings.metadata_extraction_model_selection|default({}, true)|tojson|safe }};
+    window.legacyMetadataExtractionModel = {{ settings.metadata_extraction_model|default('', true)|tojson|safe }};
 
     if (!Array.isArray(window.gptSelected)) {
         window.gptSelected = [];
@@ -6655,6 +6949,8 @@ <h5 class="modal-title" id="userAgreementPreviewModalLabel">
     window.enableExternalLinks = "{{ enable_external_links }}";
     window.externalLinksMenuName = "{{ settings.external_links_menu_name or 'External Links' }}";
     window.externalLinksForceMenu = "{{ settings.external_links_force_menu }}";
+    window.customPages = [];
+    window.customPagesInitiallyEnabled = {{ 'true' if settings.enable_custom_pages else 'false' }};
     window.releaseNotificationsRegistration = {
         registered: {{ 'true' if settings.release_notifications_registered else 'false' }},
         name: {{ (settings.release_notifications_name or session.get('user', {}).get('name', ''))|tojson|safe }},
@@ -6671,6 +6967,7 @@ <h5 class="modal-title" id="userAgreementPreviewModalLabel">
 <script type="module" src="{{ url_for('static', filename='js/admin/admin_model_endpoints.js') }}"></script>
 <script type="module" src="{{ url_for('static', filename='js/admin/admin_governance.js') }}"></script>
 <script type="module" src="{{ url_for('static', filename='js/admin/admin_sidebar_nav.js') }}"></script>
+<script type="module" src="{{ url_for('static', filename='js/admin/admin_custom_pages.js') }}"></script>
 <script type="module" src="{{ url_for('static', filename='js/plugin_modal_stepper.js') }}"></script>
 {% if settings.enable_semantic_kernel %}
 <script type="module" src="{{ url_for('static', filename='js/admin/admin_plugins.js') }}"></script>
diff --git a/application/single_app/templates/base.html b/application/single_app/templates/base.html
index 43d13363f..f3d351952 100644
--- a/application/single_app/templates/base.html
+++ b/application/single_app/templates/base.html
@@ -285,6 +285,7 @@
       {% set left_sidebar_enabled = true %}
     {% endif %}
   {% endif %}
+  {% include "_custom_pages_drawer.html" %}
 
   <!-- Main Content Area -->
   <div class="container main-content{% if left_sidebar_enabled %} sidebar-padding{% endif %}" id="main-content">
diff --git a/application/single_app/templates/custom_page_shell.html b/application/single_app/templates/custom_page_shell.html
new file mode 100644
index 000000000..907de4c17
--- /dev/null
+++ b/application/single_app/templates/custom_page_shell.html
@@ -0,0 +1,28 @@
+{% extends "base.html" %}
+
+{% block head %}
+    {% for stylesheet in custom_page.css_files %}
+        <link rel="stylesheet" href="{{ url_for('custom_page_asset', slug=custom_page.slug, folder='css', filename=stylesheet) }}" />
+    {% endfor %}
+{% endblock %}
+
+{% block content %}
+<section class="custom-page" data-custom-page-slug="{{ custom_page.slug }}">
+    <header class="mb-4">
+        <h1>{{ custom_page.title }}</h1>
+        {% if custom_page.description %}
+            <p class="text-muted">{{ custom_page.description }}</p>
+        {% endif %}
+    </header>
+    <div class="custom-page-content">
+        {# xss-check: ignore - Custom page HTML files are deployment-time trusted app-team content loaded from the deployed artifact, not end-user input. #}
+        {{ custom_page_html | safe }}
+    </div>
+</section>
+{% endblock %}
+
+{% block scripts %}
+    {% for script in custom_page.js_files %}
+        <script type="module" src="{{ url_for('custom_page_asset', slug=custom_page.slug, folder='js', filename=script) }}"></script>
+    {% endfor %}
+{% endblock %}
\ No newline at end of file
diff --git a/application/single_app/templates/index.html b/application/single_app/templates/index.html
index c3c2abc60..db467ae2d 100644
--- a/application/single_app/templates/index.html
+++ b/application/single_app/templates/index.html
@@ -64,6 +64,11 @@
             <p class="lead">
                 {{ app_settings.access_denied_message | nl2br }}
             </p>
+            {% if app_settings.access_request_button_enabled and app_settings.access_request_page_url %}
+                <a href="{{ app_settings.access_request_page_url }}" class="btn btn-primary btn-lg">
+                    {{ app_settings.access_request_button_text or 'Request Access' }}
+                </a>
+            {% endif %}
         {% else %}
             <div>
                 {{ landing_html | safe }}
diff --git a/docs/explanation/features/CUSTOM_PAGES.md b/docs/explanation/features/CUSTOM_PAGES.md
new file mode 100644
index 000000000..65ac93467
--- /dev/null
+++ b/docs/explanation/features/CUSTOM_PAGES.md
@@ -0,0 +1,129 @@
+# Custom Pages
+
+Current version: **0.242.037**
+
+Implemented in version: **0.242.023**
+
+Example pages added in version: **0.242.024**
+
+Restart acknowledgement implemented in version: **0.242.025**
+
+File list editor implemented in version: **0.242.026**
+
+Admin access and `.html` alias implemented in version: **0.242.027**
+
+Single-source developer guide modal implemented in version: **0.242.028**
+
+In-app canonical guide source implemented in version: **0.242.029**
+
+Large menu handling implemented in version: **0.242.030**
+
+Drawer menu threshold implemented in version: **0.242.031**
+
+Drawer trigger handoff implemented in version: **0.242.032**
+
+Static asset video example implemented in version: **0.242.033**
+
+Literal role enforcement implemented in version: **0.242.034**
+
+Admin-as-User role hierarchy implemented in version: **0.242.035**
+
+Request Access example and access levels implemented in version: **0.242.036**
+
+Request Access guidance modal and duplicate slug checks implemented in version: **0.242.037**
+
+## Overview
+
+Custom Pages let app teams that deploy SimpleChat add trusted, deployment-time pages under the `/custom` namespace without changing the core application route code. The feature is controlled by the Admin Settings toggle `enable_custom_pages` and fails closed when disabled.
+
+## Dependencies
+
+- Flask host routes in `application/single_app/route_custom_pages.py`
+- Cosmos DB metadata container `custom_pages`, configured in `application/single_app/config.py`
+- Static file folders under `application/single_app/custom_pages/`: `assets`, `css`, `html`, `js`, `json`, and `python`
+- Admin Settings metadata designer in `application/single_app/templates/admin_settings.html`
+
+## Technical Specifications
+
+Custom Pages uses always-registered host routes and request-time dispatch. Static page metadata is stored in Cosmos DB so simple page definitions persist across container lifecycle events. Python-backed pages are trusted code shipped with the deployed artifact and discovered from `custom_pages/python` using `CustomPageExtension` subclasses or the `@custom_page` decorator.
+
+The host routes are:
+
+- `/custom/<slug>` for page rendering
+- `/custom/<slug>.html` as a familiar static-page alias for page rendering
+- `/custom/assets/<slug>/<folder>/<path:filename>` for declared static assets
+- `/api/custom/<slug>/<path:operation>` for Python-backed custom page operations
+- `/api/admin/custom-pages` for Admin Settings metadata management
+
+Static pages are rendered through `custom_page_shell.html` after the host route applies `@login_required` and `@user_required`. Static HTML content is treated as trusted deployment-time app-team content and is not end-user supplied.
+
+## Configuration Options
+
+- `enable_custom_pages`: Enables or disables all `/custom` page and asset routes.
+- `custom_pages_menu_name`: Controls the navigation label when pages are grouped.
+- `custom_pages_force_menu`: Forces custom pages to display as a menu even when only one or two pages exist.
+
+The feature version was updated in `application/single_app/config.py` from `0.242.022` to `0.242.023`.
+
+The example page set was added with version `0.242.024`.
+
+Version `0.242.025` added a restart acknowledgement modal for first-time enablement and records the acknowledgement to `activity_logs` as `custom_pages_enabled_acknowledged`.
+
+Version `0.242.026` replaced comma-separated CSS, JavaScript, asset, and JSON text fields with explicit add/remove file list editors.
+
+Version `0.242.027` added `/custom/<slug>.html` as a compatibility alias and improved modal spacing for deployed files and publishing toggles.
+
+Version `0.242.028` added a single-source developer guide modal.
+
+Version `0.242.029` moved the canonical guide source into `application/single_app/docs/how-to/custom_pages.md` so non-container deployments and ACR-built containers receive the guide with the app artifact. The docs how-to page now links to that in-app source instead of duplicating the guide.
+
+Version `0.242.030` clarified forced menu behavior with page count badges and bounded scrolling in sidebar, top navigation, and mobile navigation menus.
+
+Version `0.242.031` changed large custom page sets to use a dedicated drawer when more than five pages are available. One or two pages can stay inline unless the menu is forced, three to five pages use a compact grouped menu, and six or more pages open the drawer with its own scroll area.
+
+Version `0.242.032` added a shared drawer trigger handler so mobile navigation closes before the Custom Pages drawer opens.
+
+Version `0.242.033` added `cat.mp4` as a declared asset in the static example page and renders it with an HTML video viewer.
+
+Version `0.242.034` removed the admin bypass from custom page authorization. When a page has Allowed Roles configured, every user must have at least one exact matching role in the current session.
+
+Version `0.242.035` treats `Admin` as satisfying the base `User` role while still requiring exact matches for all other page-specific roles.
+
+Version `0.242.036` added access levels, a repo-shipped Request Access static page, a one-click Admin Settings action to create its metadata, and an access-denied home-page button for signed-in users without app roles. The earlier learning examples were moved out of live custom pages into `application/single_app/docs/how-to/custom_pages_examples/`.
+
+Version `0.242.037` added post-create guidance for editing the Request Access email address, disables the one-click Request Access helper once `request-access` exists, and prevents duplicate slugs in both the Admin Settings modal and create API.
+
+## Usage Instructions
+
+Admins can open Admin Settings > Custom Pages to enable the feature and create metadata for simple static pages. Metadata references files already deployed under `application/single_app/custom_pages/html`, `css`, `js`, `assets`, and `json`.
+
+For CSS, JavaScript, asset, and JSON references, admins add one file at a time using the Add button in the metadata designer. The backend still persists those values as arrays in the `custom_pages` Cosmos container.
+
+When Allowed Roles is blank, any signed-in app user can access the custom page. When Allowed Roles has values, users must have at least one matching role in the current session. `Admin` satisfies `User`, but `Admin` does not satisfy arbitrary custom roles. Unknown role names do not grant access.
+
+Access Level controls the base gate before page-specific roles are checked. `App users only` requires `User` or `Admin`. `Any signed-in user` requires login but does not require the base app role, and is intended for bootstrap pages such as Request Access.
+
+When enabled, authorized pages appear in top and left navigation between Chat and the Support/External Links area. When disabled, `/custom` routes return Not Found before metadata lookup, file access, or Python extension dispatch.
+
+When Custom Pages is enabled but no custom page metadata or Python-backed pages are available, the navigation still shows the Custom Pages section with a `No custom pages registered` empty state.
+
+When an admin enables Custom Pages from a disabled state, the Admin Settings UI displays a restart acknowledgement modal. The setting is only accepted after acknowledgement, and the successful save writes an activity log record because App Service restart is required before newly deployed custom page files and Python-backed pages are fully active.
+
+## Example Pages
+
+The repository includes three deployment-time examples:
+
+- `example-simple.html`: A minimal HTML fragment that only needs metadata in the Admin Settings designer.
+- `example-static.html`, `example-static.css`, and `example-static.js`: A static page with page-specific CSS and JavaScript.
+- `example_python_dashboard.py`: A Python-backed page that renders `example-python-dashboard.html` as a Jinja template and exposes `/api/custom/example-python-dashboard/status` through the host dispatcher.
+
+The Python-backed example is discovered from code, so it should not be created in the metadata designer. Static examples are stored in Cosmos through the designer.
+
+## Testing and Validation
+
+Functional coverage was added in `functional_tests/test_custom_pages_wiring.py`. It validates version/configuration wiring, protected route registration, Admin Settings UI wiring, navigation integration, and the trusted HTML rendering boundary without requiring live Cosmos DB connectivity.
+
+Known limitations:
+
+- The Admin Settings designer manages metadata only; app teams still deploy the referenced files as part of the application artifact.
+- Python-backed pages are trusted deployment-time extensions, not arbitrary runtime code uploaded by users.
\ No newline at end of file
diff --git a/docs/explanation/release_notes.md b/docs/explanation/release_notes.md
index 6033abd7a..aac14500b 100644
--- a/docs/explanation/release_notes.md
+++ b/docs/explanation/release_notes.md
@@ -4,6 +4,15 @@ This page tracks notable Simple Chat releases and organizes the detailed change
 
 For feature-focused and fix-focused drill-downs by version, see [Features by Version](/explanation/features/) and [Fixes by Version](/explanation/fixes/).
 
+### **(v0.242.033)**
+
+#### New Features
+
+*   **Custom Pages**
+    *   Added administrator-managed custom pages with static HTML/CSS/JS assets, optional Python-backed page extensions, and authenticated host routes for publishing internal experiences inside SimpleChat.
+    *   Added Admin Settings controls, navigation wiring, example page templates, documentation, and functional coverage for disabled-by-default fail-closed behavior.
+    *   (Ref: custom pages, Admin Settings Custom Pages tab, `route_custom_pages.py`, `functions_custom_pages.py`)
+
 ### **(v0.242.022)**
 
 #### New Features
diff --git a/docs/how-to/custom_pages.md b/docs/how-to/custom_pages.md
new file mode 100644
index 000000000..6372f85c2
--- /dev/null
+++ b/docs/how-to/custom_pages.md
@@ -0,0 +1,40 @@
+---
+layout: showcase-page
+title: "Create Custom Pages"
+permalink: /how-to/custom_pages/
+menubar: docs_menu
+accent: teal
+eyebrow: "Developer How-To"
+description: "Custom Pages developer guidance is maintained in the SimpleChat app so the in-app guide and source documentation stay aligned."
+hero_icons:
+  - bi-window-plus
+  - bi-filetype-html
+  - bi-terminal
+hero_pills:
+  - Static HTML fragments
+  - Static HTML/CSS/JS pages
+  - Python-backed Jinja and API pages
+hero_links:
+  - label: "Canonical Markdown"
+    url: ../../application/single_app/docs/how-to/custom_pages.md
+    style: primary
+  - label: "Feature explanation"
+    url: /explanation/features/CUSTOM_PAGES/
+    style: secondary
+---
+
+# Create Custom Pages
+
+The canonical Custom Pages developer guide is maintained inside the application at:
+
+[application/single_app/docs/how-to/custom_pages.md](../../application/single_app/docs/how-to/custom_pages.md)
+
+Admin Settings > Custom Pages > Developer Guide renders that same Markdown in-app. Keeping the maintained copy inside `application/single_app` ensures the guide ships with non-container deployments, ACR-built containers, and any deployment process that sends only the app artifact.
+
+Use the linked source as the maintained guide for:
+
+- Simple HTML custom pages
+- Static HTML/CSS/JS custom pages
+- Python-backed Jinja custom pages with backend API operations
+
+Do not duplicate the full guide in this docs page. This page exists only to route developers to the same source the app renders.
\ No newline at end of file
diff --git a/docs/how-to/custom_pages_examples/python-jinja-api/example-python-dashboard.css b/docs/how-to/custom_pages_examples/python-jinja-api/example-python-dashboard.css
new file mode 100644
index 000000000..f92a81b79
--- /dev/null
+++ b/docs/how-to/custom_pages_examples/python-jinja-api/example-python-dashboard.css
@@ -0,0 +1,62 @@
+/* example-python-dashboard.css */
+.custom-python-example {
+    border: 1px solid var(--bs-border-color);
+    border-radius: 8px;
+    padding: 1.25rem;
+    background: var(--bs-body-bg);
+}
+
+.custom-python-example__header {
+    display: flex;
+    align-items: flex-start;
+    justify-content: space-between;
+    gap: 1rem;
+    margin-bottom: 1rem;
+}
+
+.custom-python-example__eyebrow,
+.custom-python-example__label {
+    color: var(--bs-secondary-color);
+    font-size: 0.8125rem;
+    text-transform: uppercase;
+}
+
+.custom-python-example__title {
+    margin-bottom: 0.5rem;
+    font-size: 1.5rem;
+}
+
+.custom-python-example__summary {
+    max-width: 52rem;
+    margin-bottom: 0;
+    color: var(--bs-secondary-color);
+}
+
+.custom-python-example__badge {
+    border: 1px solid var(--bs-info-border-subtle);
+    border-radius: 999px;
+    padding: 0.25rem 0.75rem;
+    color: var(--bs-info-text-emphasis);
+    background: var(--bs-info-bg-subtle);
+    white-space: nowrap;
+}
+
+.custom-python-example__grid {
+    display: grid;
+    grid-template-columns: repeat(auto-fit, minmax(180px, 1fr));
+    gap: 0.75rem;
+    margin-bottom: 1rem;
+}
+
+.custom-python-example__panel {
+    border: 1px solid var(--bs-border-color-translucent);
+    border-radius: 8px;
+    padding: 1rem;
+    background: var(--bs-tertiary-bg);
+}
+
+.custom-python-example__panel strong {
+    display: block;
+    margin-top: 0.25rem;
+    font-size: 1.1rem;
+}
\ No newline at end of file
diff --git a/docs/how-to/custom_pages_examples/python-jinja-api/example-python-dashboard.html b/docs/how-to/custom_pages_examples/python-jinja-api/example-python-dashboard.html
new file mode 100644
index 000000000..eb499a016
--- /dev/null
+++ b/docs/how-to/custom_pages_examples/python-jinja-api/example-python-dashboard.html
@@ -0,0 +1,45 @@
+<!-- example-python-dashboard.html -->
+{% extends "base.html" %}
+
+{% block head %}
+    <link rel="stylesheet" href="{{ stylesheet_url }}" />
+{% endblock %}
+
+{% block content %}
+<section class="custom-python-example" data-python-example data-api-status-url="{{ api_status_url }}">
+    <div class="custom-python-example__header">
+        <div>
+            <p class="custom-python-example__eyebrow">Python-backed Custom Page</p>
+            <h1 class="custom-python-example__title">{{ page_title }}</h1>
+            <p class="custom-python-example__summary">
+                This page is rendered from a Jinja template loaded by a trusted Python extension.
+                Its refresh button calls the custom page backend API dispatcher.
+            </p>
+        </div>
+        <span class="custom-python-example__badge" data-python-status>Waiting</span>
+    </div>
+
+    <div class="custom-python-example__grid">
+        <div class="custom-python-example__panel">
+            <span class="custom-python-example__label">Signed-in user</span>
+            <strong data-python-user>{{ user_name }}</strong>
+        </div>
+        <div class="custom-python-example__panel">
+            <span class="custom-python-example__label">Server time</span>
+            <strong data-python-server-time>Not loaded yet</strong>
+        </div>
+        <div class="custom-python-example__panel">
+            <span class="custom-python-example__label">Request count</span>
+            <strong data-python-request-count>0</strong>
+        </div>
+    </div>
+
+    <button type="button" class="btn btn-primary" data-python-refresh-button>
+        Refresh From Backend
+    </button>
+</section>
+{% endblock %}
+
+{% block scripts %}
+    <script type="module" src="{{ script_url }}"></script>
+{% endblock %}
\ No newline at end of file
diff --git a/docs/how-to/custom_pages_examples/python-jinja-api/example-python-dashboard.js b/docs/how-to/custom_pages_examples/python-jinja-api/example-python-dashboard.js
new file mode 100644
index 000000000..95d6887b4
--- /dev/null
+++ b/docs/how-to/custom_pages_examples/python-jinja-api/example-python-dashboard.js
@@ -0,0 +1,55 @@
+// example-python-dashboard.js
+const pythonExampleRoot = document.querySelector("[data-python-example]");
+
+if (pythonExampleRoot) {
+    const refreshButton = pythonExampleRoot.querySelector("[data-python-refresh-button]");
+    const statusValue = pythonExampleRoot.querySelector("[data-python-status]");
+    const userValue = pythonExampleRoot.querySelector("[data-python-user]");
+    const serverTimeValue = pythonExampleRoot.querySelector("[data-python-server-time]");
+    const requestCountValue = pythonExampleRoot.querySelector("[data-python-request-count]");
+    const apiStatusUrl = pythonExampleRoot.dataset.apiStatusUrl || "";
+
+    async function refreshStatus() {
+        if (!apiStatusUrl) {
+            if (statusValue) {
+                statusValue.textContent = "Missing API URL";
+            }
+            return;
+        }
+
+        if (statusValue) {
+            statusValue.textContent = "Loading";
+        }
+
+        try {
+            const response = await fetch(apiStatusUrl, { credentials: "same-origin" });
+            const payload = await response.json();
+            if (!response.ok) {
+                throw new Error(payload.error || "Backend refresh failed.");
+            }
+
+            if (userValue) {
+                userValue.textContent = payload.user_name || "Signed-in user";
+            }
+            if (serverTimeValue) {
+                serverTimeValue.textContent = payload.server_time || "Unknown";
+            }
+            if (requestCountValue) {
+                requestCountValue.textContent = String(payload.request_count || 0);
+            }
+            if (statusValue) {
+                statusValue.textContent = "Loaded";
+            }
+        } catch (error) {
+            if (statusValue) {
+                statusValue.textContent = error.message;
+            }
+        }
+    }
+
+    if (refreshButton) {
+        refreshButton.addEventListener("click", refreshStatus);
+    }
+
+    refreshStatus();
+}
\ No newline at end of file
diff --git a/docs/how-to/custom_pages_examples/python-jinja-api/example_python_dashboard.py b/docs/how-to/custom_pages_examples/python-jinja-api/example_python_dashboard.py
new file mode 100644
index 000000000..9dda916d3
--- /dev/null
+++ b/docs/how-to/custom_pages_examples/python-jinja-api/example_python_dashboard.py
@@ -0,0 +1,80 @@
+# example_python_dashboard.py
+"""Example Python-backed custom page with a Jinja template and backend API."""
+
+import os
+from datetime import datetime, timezone
+
+from flask import jsonify, render_template_string, url_for
+
+from custom_page_extension import CustomPageExtension
+
+
+EXAMPLE_REQUEST_COUNT = 0
+
+
+class ExamplePythonDashboard(CustomPageExtension):
+    """Render a Jinja-backed example page and serve a small backend API."""
+
+    metadata = {
+        "slug": "example-python-dashboard",
+        "title": "Python API Dashboard Example",
+        "description": "A trusted Python-backed page that renders Jinja and calls a backend API.",
+        "entry_type": "python",
+        "nav_label": "Python API",
+        "nav_icon": "bi-terminal",
+        "nav_order": 30,
+        "show_in_nav": True,
+        "enabled": True,
+        "html_file": "example-python-dashboard.html",
+        "css_files": ["example-python-dashboard.css"],
+        "js_files": ["example-python-dashboard.js"],
+    }
+
+    def render(self, context):
+        """Render the Jinja template from the deployed custom_pages/html folder."""
+        template_path = os.path.abspath(
+            os.path.join(os.path.dirname(__file__), "..", "html", "example-python-dashboard.html")
+        )
+        with open(template_path, "r", encoding="utf-8") as template_handle:
+            template_source = template_handle.read()
+
+        user = context.get("user", {}) if isinstance(context, dict) else {}
+        user_name = user.get("name") or user.get("preferred_username") or "Signed-in user"
+        slug = self.metadata["slug"]
+
+        return render_template_string(
+            template_source,
+            page_title=self.metadata["title"],
+            user_name=user_name,
+            api_status_url=url_for("custom_page_api", slug=slug, operation="status"),
+            stylesheet_url=url_for(
+                "custom_page_asset",
+                slug=slug,
+                folder="css",
+                filename="example-python-dashboard.css",
+            ),
+            script_url=url_for(
+                "custom_page_asset",
+                slug=slug,
+                folder="js",
+                filename="example-python-dashboard.js",
+            ),
+        )
+
+    def handle_api(self, operation, context):
+        """Handle API calls dispatched through /api/custom/example-python-dashboard/<operation>."""
+        global EXAMPLE_REQUEST_COUNT
+
+        if operation != "status":
+            raise NotImplementedError("Unsupported example operation.")
+
+        user = context.get("user", {}) if isinstance(context, dict) else {}
+        EXAMPLE_REQUEST_COUNT += 1
+
+        return jsonify({
+            "healthy": True,
+            "operation": operation,
+            "server_time": datetime.now(timezone.utc).isoformat(),
+            "user_name": user.get("name") or user.get("preferred_username") or "Signed-in user",
+            "request_count": EXAMPLE_REQUEST_COUNT,
+        })
\ No newline at end of file
diff --git a/docs/how-to/custom_pages_examples/simple-html/example-simple.html b/docs/how-to/custom_pages_examples/simple-html/example-simple.html
new file mode 100644
index 000000000..1cf464b9a
--- /dev/null
+++ b/docs/how-to/custom_pages_examples/simple-html/example-simple.html
@@ -0,0 +1,12 @@
+<!-- example-simple.html -->
+<section class="py-3">
+    <div class="p-4 border rounded bg-body-tertiary">
+        <p class="text-uppercase text-muted small mb-2">Simple HTML Example</p>
+        <h2 class="h4 mb-3">Hello from a custom HTML page</h2>
+        <p class="mb-0">
+            This page is a trusted deployment-time HTML fragment loaded from
+            <code>custom_pages/html/example-simple.html</code>. It does not require custom CSS,
+            JavaScript, or Python code.
+        </p>
+    </div>
+</section>
\ No newline at end of file
diff --git a/docs/how-to/custom_pages_examples/static-html-css-js/cat.mp4 b/docs/how-to/custom_pages_examples/static-html-css-js/cat.mp4
new file mode 100644
index 0000000000000000000000000000000000000000..82468e69147d630456e1d0df38ec969227a6bc8e
GIT binary patch
literal 107659
zcmeF3<C7=Lx39l#+qUiQX`9p5v~9b4+O}=m_Oxx=wvD^bxp%)fzjObCy)()Y8I_gK
zTAvlQDzg9p0H%qPyPdTiD>LA)^4Ffp+|kzhuR}^_XLBR163BPvXd$ptePj4B=%nPo
zuER1h(lgRCvokUNwFdxY-dG#yJN;MPzY5}CD=^f5ZPCF25WbbpzV)jDKo9@`$bT=O
zz5oCkGFhmv+=6G@3GW78<n;2W(Za@|+AQl9i~9rahZ<d;>9n}bWnJ?NAtT&gRWU4P
zBhaGK+gn)m;jfH_*IhvJ>sfU8n~u}FZeHp<^s)zm9gVBK!#?`?jfh>W8k{!NH%@C7
zW|2LyK;%@7E)u*TGEwQWtjTxDdgifmjTE+%KMOEsy&UiX$L~9f9*#5`<+Bdd<=qIN
z3{}=Lr`gJpji5ZfPrgsir}dkZHlLrFwd0uq>e<(}_r9C1)ML1BQNs)*Y+G}+a2z;N
zpU6x<YmSY64+eC2qCcd-g8$G|>s%=bQ7XOvQcWkB@zg(`m~yd$ifjB(JXG~*g?a7<
zJArY!l??nEpQp}CBZS4nGeD6{8Qcqms!OpE-ak-qt6DpQfKE`ifar?R@?RKlWoM!~
z-H-iP*2Fy?im0v^vP(UsAfoSTh1=xPMv=gHIY7qjm5vJ1WiZ6d`KpEtZv~df$MQmj
zl#Qb@U>#I8<KqBkzNW15FnOa&aEaQQ(zA%_N;6LoVY>_hS#N}UR#NO0gN$}fgzI)<
z9rzvuMhq*ju*VgQv@{aZ&o{jQ%hL=LJ0cP|nK|0%8gyBpCG(_6ljT7`WH+42x#u(&
zI@EGY5pL!oOFf}>H6>Dr!u%-18e&!x1P3D#t2N51C>>u+g5S6Jotag#V|!9U`fQ#Y
zo@3|Z+W(^Hie_iu5rS8qO7e4EUpsc3g6!vVdi(}7=q_O=XDpn*U#@rB$1qUAY&^6)
z^wgI-=xier7|B?m#{i-mx~}Z)o~8}N<VzF(k<hefnHvBE=G4T@m+Tjkc8%?+-K2%J
z3&8FtKieM9$gY8-r2v*WnVCd`9m-bO2IEN$m)<gaQ!rP4JqF*=Xx0TB<PbHU`w#@#
zcVyi@wbZ~wiH;IQrnDZxqn=Tu1a)H@l2RilriO`1to=b4BXz1SNUeUw(H`-gR@XBO
z{p+2|kmMJS<`QbC<$?F4bfoT~v=cpBeB&?wfh*K~VRc9lEC!?VVOgt}LquiMB_+AW
z+F!?16><uU3Y;7~pEFHz#Q8jT^a50an`rELg&ye%w9P;0Q)F`*+kWHg)^c#Mbhlyz
zv*2)mAF{4D>nNq%9UXCeGz9;Ite|D;<)KbaNZH?j?-GsqGNUS;IGNC32<n(fIp&{=
z9R%QM!cAE^hPZ}W2;LN|Rd`ygeG98Jz0<eD1F%h_BWy@gw~kM5F-n7u%sHs(_8#ZA
z*F328XNWZyQ{kN0&g`8Lk4W3<N(Q5=b>x-LPhIs%)k@!hz&9nyWy*9Myu4)OTNC6P
zd&HnJpcp-hszt|pNL{v|FRXoAg*+mUR4JHZTufP(2?FI+Qc?{GS9@t>9F@XRHrShn
z(8}c@?x%<N9=3Kv3m1)q!p$%r(1M>?PzRAy(~6&5Qq`Lw=e-Hzk0B_<On%WsSsv!p
z4!f^cxslLfqb;!9>#G^csY#rJ+9(?Dl)L`nO9ZoNnY})l!<+2Y&LlKRI|!9lx?)`R
zKp;RH`W1-2lUH;G1v`mK8`E^hAk8r2EuZ(pCo<1=;{F0VZ^+oq5U>q>LYba;SnGsJ
zW)oQ~Pe~$SIm%%>grj)JIE=LD%wFG6x`-(xac%uaoJIi<)51_qjDMiS&A%K?_s99|
zX@P!lEKSNU3hO0~b~3R&y&1C#$F=37Bx%)ia?!jT91+;bl?pjzT%(?K#tj=VG;>0K
z3a=R}xrqX1YX#B{f=eLyFzOE>k7|ZgL7n>IIoMT^WS%sgI2K6JxF8j1C;7AcPhGOP
z0cyC>C<+HRG>pmn<A9k}qqPYTTZ%DAHP0OdaG55EjZT$xH(wO}gCyqocVY+|G~Se6
z@^FG^Zk(aSw!Qcd``%%9m~8VhLwzVfpU}BCt>k*pHU@T9Cg?eLa@}B4glU`nXUcG%
z$Aj$}=z|SBu{lHaCW=26pEe!4BE9Bg<>#p2h)|gH8f;2hVHpVZUb(5B#KkKihf-W9
z@(cnEQ}OVa!DOVNUY#nrpNtDt=Q5mFqWha|KcAGnnRjXsFWT>)ZP=dt9`qlz=I_4g
zTGmG*w!mA{sN&c*c~|vweI$F^ey#-2H4*ZGQ>$qu2}CI1mY1(9D3;mUCT26t44(>x
zOSSu_Y?qNw=w5kc0b+n{UfqU_EtvFns6VQmh2wn|=Mg^(MV-Ro`C0{quy-^Y1_md%
zXXykQWfshZ5ipQ57D7`hmUmly$CZaBVWrt=JvyDfJ1P<}_`E<&y9Ki9`wW-3<woPe
zdGe~BON{Css)>hPi$Jqm>z{Y$N-rNuM7Z6aqmk9JCLJU;_0?acnV=)fqASMfvo>!F
z&1gmjth788_;-Z_01XT=XSslHwzVJPm&Jsjw%Y1j<8*AZzJ+=x(u{79_y#=8e@Srn
znQASd&T`B9cUVI=bpN#%i9~T%#)e$JxHyc&Jgz{6)ZXoq-DV$>BZTliD%!jOiaS>B
zc3!%6!$Cx}F7Y3lkQ`B%Cx1ee-)<qPM<R>s9lK=UKI)Jcc58R48oBbbzn&*>IwbC!
zx{7tBjPohLGXW<R+Pv;BgKbac+#IsR;Ck1*Qhxp!S(tIol$J(XT>c{sSuc6&MAa>&
z<u|^s>tj{4bXPGwbJ5H?q+h8$y*kUVjXV~9gyS|){E~Z1rTF`dbRO`>`Qjf@V2PTt
zvAz#^o~0wE`iZ~)5Ud6e$lR&o=YvYYq=)zX$@(B8BY3%IWCjFGL=>gRdy5y3mwzK*
z54X{4C+lOi80y0#9}LmC(zvY6aJX2EaKvu-N91hL5AmsPmVDTeklA=u1q&mMQ9P5I
zfW6(#CuAL@_5!5_rI~%6DJv!tks$SEnc*Qw8hd9o=pU8!EKy-)KlZ)6e*qU4<v@pb
z1g4v~E4_?$`7^t>mug@wIR+;#+>fgz$xB(o9LL#iBG0v*5r8F^+h6!YxpEapM!py3
zwpqsjuTWdPgVu1Xp|(4sE;<_kaMS7YSH>94MiRs0X!&3fjq(h;syp^h8ue(P{AT*W
zmm}GuUu&0=d8-_GZi(ECZ<k4t<ZClOlkk*UYuC9;)o`RMjhJgH2FOyR?6OlymOb`o
ziT>#1y2}0GI`xHi<cFIq8};MXPV?cP2x$Si;YEjaK5tImy#eZ`FtYaWEL0|zY6M|^
z4r72cYQNpbPi52Bmq^rRWd)kEt>Y)9+n3_u`!g4R__IwFqw?A`k_17v8JiHV2qYJ^
za}OOC>^4I3paT<inKvmXwa1ZKs<L2U*OG>ZKT$At$+pWNwO@pWV1;98Svj$fgJ#Ou
zTato6LYoDGlCZTY9|3k9Yd6uL$*9eS57+-P*XX6&3#nE?t>-J|JJn6m_cSg^cL!Bu
z6;zK>Rp6IZ;C*4-mV8~O0N9hBBmhLwOCye&p>ZMpj0?tAEz$*YvUEzYaP>I{%XC^S
z_bXnBrrcVif@&EFKcG2NbDyWbz)L2;V2DxNxCwouUaH1;?_;vt^%8Vafe%R9#sO@4
z!nyxrR+}t6*5%?C9lbfOy%~u_sa}c$Rf_OT@Hn{tR%>$EtR?3!VR-}ua|gti7YFvI
z27+sihgi($!uM8H5c125)v_~TG?tX@SaqSZ&(^EeFR3z?gObI`%;0XIhPM?-CS%4-
zD0N<(dz;7*a%*x78^yJ>p(s<e*UA{)3heik4z-v_6HTUmq=2{85lE|*9ZkaDJ!5o4
zdWXxDxzA=^U5U7#aY<X#jwT_s6`7gdiVzx~)6lZp%;Q66q-sW091|fto;kSlxR$_1
z^I&D<27VNYJB9G4V>XRoWd$#0{yk!>7a>#yhVY6X%+DbBUMeFjkP9aeHaS3(rG4%%
zn-{+4Z^(djcr4OoT8wq@JA1iKU4lVsO=y3<L^9N+L#1#iJ^LKE`|&vePWG6K3OIGH
zM$q2f1bl)BI{1oF?PU%26r*YQ<v!!+fthp$^VYBdWPqY7JMA0{w?TqJ;ChS(5bLl~
zZ^DjKAtW;h<Jd@{bb!Go<6>V=Ohx#Q;Ik>bEqF{IZMNHF*z~r1EwNSfma9{y`vo4c
ztp@}YD_5?2y}6!_kXvup2X;OQHyIyh?1I<mIbLyL!zq}F)YR}+Du|KtI32+EMYq{I
z9JEO$v0enxExrRy$Z`6)^DPepIdly%+FPd=vXmIAh=XyVqkWWU)L~-B{Um+aJunC|
zk?e`DcQ(a0&vIYi#XFSbXW9Iv*l>jY42%F%ufRDsCmv(!H=KpA&v;w25YSlLWcn6K
zwD8l{nw?+X<dsyM9EQZXj~^2wwMHI7j^tr?M77%ft~)@cjS@2glN|gu7*<pEfHf{o
zLgKUhcZ=X()gPEyPo)XUMuojCX^UHK1WpeqgwvR<e~9(Yu$_*QuybysV+vu=Hwr3l
z4a8@ZP~(6fDA`eyT#M7QyG+x&@{hT=SSSuK_8uUV{IoNJuy`PF)W8>1#lD1)f2Yq@
zd?%<cvveJ<4>`LdFVMb*+Ojqt1@HP2p{HMJB<H5)%RLj{bXCS1YDP+Oz0x~jSR-re
zLwy|%G(TlnbUGz$wr5ZfjI@p}Z}zs@f<e{d6fZoyRTUq&iggv(1j@WuAg;rod=L0^
zn;vdBr3z+#$2K;9{;8;Je1?^-cuP&GI*X)EQ=|?Uvu0&V`+7L*J??@fiP&|0i<C_p
z5sb#A2jKx?1M+HxHu9u!#p}OIuqk16%NH$A99D40p}=AadoqPV#)3CmuqF&audHjU
zW;$6g6wWrm;`8t*U5mGEZhXSjDK(_HrzmCe(rkbtc<$r0G$$<PTaw4@xqHWjA>;Ms
z!@xmG^}kH5S*{ZFAH72H7QYAuj=?5-fGafr@FfY)?qrJ5FQGY6kqa~mx%U|t<_CXb
zN=_xPKAsD{2g=*gR0co%T9%~niAHr$B~UC0H=)sP@sb0b!JYDP(YtEdkc~<~R4uma
zEs*mq?!)*PH^qW=E5{!g7#k3S4B$mO_sc<VK>XTWm#ml{>B%SNvxc5_8+14$N@e7v
z^0Q8#K<JP@`(t-rj#dXzw(z<Zz>Cr&t{5C;{%&{E1#(}0$O_y$d&<Xo$&!e~qInrS
zEm0limVL^)RPHKDdU1Oizw#Z>r{rdflz;BEdSg;=nFEMcuvr+J1E?h30*)m?xD<8o
zFHCfxSxM~eP5Kj>Va&t#*mzaRyk?Wtbm-`09v1HEg?~UHF@|ytndTfU++c4+VCHzO
zSJ8rKojyda!Sx3e3-s$6`E#Vj&0;kk!k^NEojQgm*=Gis5ciKNNVqZ9?;F1Ke9)Gw
zi-I3R38#7%tt8`(P?MpZc#W})ej*rgJAK-H>m26gR7)dOlNzGog(h|~)Z87-rFQyq
zL(peD(Raz>S0?!=na6u?#BZ75N~U;vDUO^R`9`p&)Z3yKO%+}E>$6`MR>8(C4R#0v
zM$0*aeqOXj&dCE^)1#QxL2!-TV@%95qOY9oFx(9D5{91NAZJxa@cToeF@R^ycf|8s
zWE~)(@i_RYFVUB5EVZsL4@irEJ*od9TY02U@p8{@EdMT}?@>tVTf#R~0(~QE$I#Mg
zAJS&2zF?h?XD(<JyyU-HmIg;ut_w#}!jm)r$`u@Q^r{RL3%DqBBnWUP<r{dg`;kKY
z&^xFBE5>!DX`r$m&PaL6`M|X-ny?CKI8Hf3qyCj8Pqh)Nw|8Am<VX3guk992ZEd-M
zvc_Vn=xBt0#rSQ)A*zlIcbFyAz(^H3n2}Z)kqBoc9-+7c8shX}`wOQ`k?ozCj10$I
z=I1-yME};(c|>GYWGMB6Po8>`0j8fy0lohn%SI9}`>`v=Ly+7rIRxbHSbO;fR}9*)
zj|t^{m{iBhjn~F_KW~%#!O;r;*zudxd@+mBbJn#eJ7IB-z0+r42Iy2Ye6H{TqbhCU
zhK2WrFv)TMj40VX4XXq$7tn*s0xoixc_r2T7qYe5okgixu%4{&U=B5*t{m<iV{0Xs
zbUWo4bpTg6M@wN#ymIXK6C)GEf?%N(gw;-B4JgNP=E{Z((px72Ub$kIsY9Q0F_uhj
z*^N=|A3JsdbAg#(wxS!dkKf#v2XgM8Bb79wQ!g>(mvk`5Ou`aTD=gd={46$Q{RDru
z@nwX8i3e1zUo(1^sY7t(YH@Vi7u%8H&2ZmDO~c4(%4_-Y!x)B*$CAb(p?^n1yGgi1
z=;!a}08_)Ai>`B>oow`4^yw6Y)FHQxt6)61&}`=%EY`*3o>2Jb?SBGgFdYm7xy$CI
zlu7DfX=bc9s*2QMRhF-s>`1C4h=l3_kJ+0gslm7v8Y>;Bd0x++o_y<)el!0fB^7`1
zBE;3>Njc0SIZ9&BM`qo!4)LCC;>;``1XJGOvDbyek(X3rj$KTt+Tpu%8{$WC?|vM7
zJnHk-VRZ-bT4CN$1xTN6b@$$u*6CG0{WK6Bx*pvq7Qm|qe~OoNlxd2uH^O&$qL2<F
zL56KGag&%n{aji#xc`VW7Dp&54__}%8C>IYXdWM2!dOrCOG1U8x}oxOMlEoEDq91{
z#9_mBbjy}PbpzsdsNnF+xm;%a3hHa>JFGHDPlou6;L2>{HsX0=nOC~gdPDu!9$igq
z8WcUIO0ib4V4%uD16OFfA#h|l&l>NbTKX|Ka!-55sWzy+-g9fU8Y*oJk|T>qhFXOl
z+}apNG}pCzP9Mff#Y17$wR-bLN9R-Iu6^)Uh*VHQD1WmWr_w;lHYn5a&!~VUy2@YU
z{`?jB5Q4q?MQ=sI_+x~Ps0FpUo4&6s9ZV-iDFnxPdNeP?%{w>TPE!135c70Evu_Us
zGs?Gu#4A3Pv5!adF$!5h`btA>Hb*+<Y{z$uK50y5cvA~(1jUx<`+fu1dsx=D2V=~U
zQ7(7+WaLQO*z$tOigCE$yT4^qbjiKI6#D+!tDH}TsiZ%2?UvPCF%y-6*>N|{1edWV
zIPlPkd`JMF>Gxx;eNWcA6Fk0bN>V?Yk;6<4Tr0C9pQ{2OGUxYsRED^P0;f3qW*YF}
zhRD3Y));*X6y4BPpgM(O=u^SZ7GZqBzVgU2RBQ}poN^!!pUMzdK+KvLgedP5!DzRR
z2<1T<Kp+A??96d3vtjuBJG<_{xey`gTgzkOXC0Iq+!Tns)$~0UJxYFR1SZX2`BGpg
z#=o|3;QyU01^%yWDX1?109r(p4$NN#-s#arTl4_Jn~zZzv}A>C;}TUECT_Mb1b8Ie
z(Ke;>89=gwdPoyaJE*UKrSwxn(^cj>ZySstIP#ev=H5#~(M47SG7zmGENH@iD(3(Y
zMdaU2HD?DUteWaC^QfJoc+*P>&6q}s=MvM2P5{sN$~ux_9}WHhxl8l}+eL2mwjCCa
z&iKq}wy96UxT5q=P1kz+fFKpyT@T5q@TLS8^&pvPWYW6YS}Q_umckQ8C#CTVNJ@uv
zGq^=8as%NgzK_xUY=~yNQM@`4zfR&cQsLYHX&~epG=KTD=PmVToYA0Q?RZL~sPG#S
z0l8#2n|Karo77}}FSaxk@%8XY7nHeCQn<gvP<CL&Y2?9<nLj$PbNf+7YW4Y{(#cLj
zU&t?s=gOHbG15<2${?0m2kHA7`{+XtY+_H&lZix}fyyPG0>mmM3R&!mq*whc#fx4f
zRZ<1RBv$zBlQQQ9@l+JfxKRHSnoC0EM|TA1%}?Q?HC8{B)GWsJ>+vcVOUlnkeRcoV
zR?N2~SYhbui=*$=L$fXopOAb#O>o2>Q7F@RNmQP!ChNSj=x7_~dZIX;?h3X0S4vjR
zUha_bH5l_OM45a$Ad`uweYBm1G8@P?cl2PQJ9Scft(jUP;C9t{>}t4$NF2c()Td$_
zlRchzd;F^*;ADN?&6iWI-)Z|Fcd^co$R~}kvYZASC#N$G7K{W*eXt_%Vy@icN;JW9
zoF&3h#Vs;i6=6Q0`*+!xv56=du~~8VuR{F7@-}PF!9T`zCQ#M1_~e>VI#+(W;WaBI
zU!T9PPyv+di9qxWRa1D3%@(4y^-1;JKe+8K`;J4R@{L9Fqt@G&X+PcDiR3zkU4MiB
z_}%Dbw50($;yj)1(plr_IEt8Y3P`7-<a&I5jb{|}wSh4&lF*NF8sCJC1gWt;Y8z-`
zt8d4qLXb!W??}w_{V?V++n$o;6kUZG*PWTE;<k7WlQAV7I(0Z0Y67&KRvMZp#gQ@L
zdO*uGhcR~Dof6ZF;~&Gut4!RzZQg1BWw>zbHQ#j$Cv7)^TEBfGXrLb2LsM^cSKUV1
zS~xv<`V7&X<d`iH*{VYT6Dlp-c6eqZbw*&-HY;P6PiqkU_629_iVn}RJ2T}iwuHFO
z^<JtRPHBO0U+cBw);fRQTQk*upqz>8JKKj4Z)7Tk@dS`u;4!^+7a3{e$f7;FTHp>9
z8o@ye48U4D!xFTMlzB5J<eB9}#y=QJFndN6M9uDkPnL|oG1d-dG>`{z9V;2{z+CUv
zLv5K9vR;)^Pix((_d;uz)_nwI?$u_E@i<JxGiPU*nf4Fn--7oDB75oC-TpEjH>14&
zSg-L0Z(pQ(FGXoU#kg`_I>c57yCss90Kwt0Iui^f7(s=FBTDFg_EV$dXt;AgVk(W{
zhNp`3TJeY_)2l9bQ9rO4U?qQZ)60gtBGlRN%yiwvUC!x(%jWL)q<8n11ik?G5Dw3{
zq$`+-NjQ3h;wz$a?cUQ1j;wMaUX5&7;vp_o%B>*)E&EZy>COQjyX2Ab#NsW-DaUio
zHGdNf^|r!_lblv50Qg(KVE<dcK>wC65Kf|WQ2q+}exYZYM{;c2qoH|lX9KZF!33&0
z*%3)dW5A_M(y;d1`FV2LvIzJFL%fBMtOOQFSy^*wNkF-+oVL&|;h@M0VpF6Uuf<RK
zP>_JFi@68b-_DvmgOdCYFX%6lw~C~$ckd8tU14Pjc$X}EV69Bz!o4tE<dFh($wa9*
z871hw$o=dBM;9d(6g>C3amE`&CcpQ=1!2Ssvr!Q`s!UVkXYQfb=uA|`xmb5HGyR4O
z$eiy4EWzpmCx?0KZdiX`Q38>y!1FeRtoplO%L84|RlJZ}_lvL+BX2VS>pk1L92qnH
zz)Vi!^AV!fSSK^T_zhB72&O(-qY_T@VmViJlGp7t&~jnlN%eY;p=y2M>yDpS#vB7<
zsFQDp2_+93v_`N7K0ckGlsamj=c@B(L^L~<r&@{*B%s*O`#$RX-~|V`yR`PndTueG
zRZVZA8Slw?_ZNZ$>djcnRF;)#szp|``2oxf%GPrA?~9E<F&{Va-XPmV#k;^t<L^ZD
zU<0l$S17A(VH$lJjhT3PZ^JF-NU$O|uo%=lMwRL+usKl8lU}C;Bj08iGV^Jdu^)=N
zBu-_6a*6BhMjm{z^`~tED2?|%+{H4fK6ogVbZ|fJgDwL}KR!d6gH54cuBYflP62Tk
z)XUPaBsK&N2OXqx63qFA)~IVTU39NJH>NX#xUmhtJ`8|@fDI=J4r4*J-hdRv3Kc?@
zV_3XFm^_39%9v4ttdM%EN>IJ5vyT;N8@7$+{0sU)*A7MPF&1=S@gANC$*PYdL(Lv0
zI)T_OLRXzbbw%BdX_*`gk_ziiq{lD>$rPo9pN|Z7QP1Gh0?~eT@l32b`DxfqGwD}H
zV7!!}o4C^P%f;E(@~HG)r)R;5N0YkXb(;2p9A-rXYY)A81Z29D5LJ-mKBA!9Y?qv1
zFG<gi2Hw{%_*e?72XS}fnn0odIEaRtObYes>?KK5-T>0e)#O@j9HS)eeE=b<26pLI
zn0rMi7EkZL(vwiITE)@5n&R+z9IViz-<i=vVC-rbetk+&bX$%<GiYY!|2Tf>mTvKn
zY#o)Vz)f?{_Y}mt0IS6mQQyz~503)>+oJ$dMCsuC0Cpl<_REKXC?2Q_rp8DAWy0a-
zamGSgu(UaB^*co<;75i%eC$P25)QDHMwR;f-zwBuVZ{zuC9So^kpT;+*~*h;^o0L$
z56Hjo0fIo34#{7k6g`o*t6)H7OUV7RPTty7fC9~@2!EjQasZ--aivQ|B>h<a;M;l>
zqGn&2cI6M!cH+}{l;g~=i%4iI7DGpyA?TNKivG}NrQw4;I;lpp9EJ1#N@4KMtIFqG
z|CL|aqP+B8r*sfsnz!!_jRScc5vwY44Rt0hx^n?9e;KsL*VC|Ba6zGk|6O7T9u^hA
z6i?1VRQzq=;Y3b3s36a@YB~nc`@R}q8kanOjgp>*7eg}eqA>zyrO(ai39!Yr0eLs4
z0Lh4;lLh*`M&z29?$o7QSjQ<8gVe$DxG&M(k>lF|2T2AdpMoMB7Z+$ZV&b8EkX}S`
zS;w$>aF=<m9zX~8u<f|9*Ag<R{xAk-9nW3Y8;=Qb6V4^C)VSZ>^n6KmRHLOwPD$?|
z{;@cV6-ahj&%<1zl0R53SV#KMw8!Zx-RI(N82*RFI`hiw9_qo=&92vOcjg?beS6YN
zyJNgSBH%X?+y+nF3B%AaF=fN=x8usnsXrty*}{SWw)m<$Tu7R$tC?j~{DRPq?P__|
zlS;D0HNms!$TryNYsx!mKSCnhq)%^A#DbTaQdsm=XYm!X!vg!fNO*S_jPm#L@Dc}1
zFc5hzC|XziS{>t@;b5dxe5c76+IWnFc{nOg>~9{fx7fCT?4EDqeZ^1d>xv&MjsxZU
z%1+>EvY`|lP(L-L6Dh*L?wOn?ZSB=a-!)t35KS8RC!o%5NB2>2ha5A=_&6!HBLsp{
z(>}UgKVP<HnGAp^l-9`)Dyz_g+xDAOOIT2^TqiTh7}z=AECXWcy|Zx#Tsc#a4rkS>
zQE+10ehftsVZPI#1FWlSbu4f0i6y*zA&`T4O%8c(o`vtV22xJ32k4KcwjNb45X{qf
zK3NNQ>867DyM*aCxAF%}L$-I^yl$?*=YDU;YfsId|2m0=a3;oES`!d2jv0|d*Qx-v
zQXciW+y4d%($ncL?NQ&s8$uX)0<Q*lhY{ei9cEs5vLGFY+rR_EhIk)&Aq6FfNO1De
z-sh4`FRmpK(^UQsM}hv^QGh0i(xLeW*Dmt!lpoHQOc#IVMl9BrSI^iBH<YifWz<+}
zb#9=RhWB+(3PPJUE;DZT_K5}=hbE9hgqQZ+=mx`dFUEyqXl&q}2-b0$SM7CG28dQU
zN%N1R_NnJA#)GaqGH+uj3lx4_M+IS4@UhR?gW+mpNrKllbi($Z$gCMD8firr^egyf
zi4;jdFp$g}9j;1WzyXoID5<4Fpb<Z%q20sOFjBx|yrg%#4#2ruj@$AZ&oj<8XQTzu
z=FUb#(W~)V1|npo!E<tcO3Ky6w3nmk>XRc^V2gfN3(dpR5`v<0C0>uxHzV>x@t?_?
zJNG}}1G@5VB0Txz8!UYQdf-yGb;|ATMC>yDy?jJ7_s$}9cw#?o1q~0FQb;ox$QlIi
zNZBT5{LbJ5aBU=%&rTs^9^ph)3SvwH&?RmM6!FLIRj}zw#U$qLx@_gn?Xj+DURolw
z#1=H$KRSJavpHZPT?gZn-AG%H$OCxt>MM@MN-Vo)vM<5R@P}+I#X^;{^-I84F!jXT
zpZ$1-C7XLiQ!__Dvwu+;bFMcLOOI&j{xT+5d>^Fmh3-zwI4`3~lgzox!Eoz=xU=%-
zZ_8ZHI84dD{Sf}u`yZHL|Hce{N0biB&*ZE_U}N6BT#8gol3cGkf%(fK2=c4v1j+2$
zz;u4yPDiLk^oO1^w0^pz8|M72WoJ|)@zYz<@~n#s`T`f5h>A@bXI@ewapP8)%ID5v
zZqO!p7Ce}qzteA!i^E)Z-u9Iy=83>P&$_4i5?N!2<!Q<F2<n&q{$PK{q0k%RO|Dx4
zLgfZjAJ_2~#;z3vSq*1c(+)SDHSP)x;P2e~URaMdX)v0z)`jjzua%t=FPF|ulifda
z=dvPi%C_lL);=q#4Dbl(fzowl+t?0T_>XLKTfC}4SG7Hvwn<#$yqz%Z&t(3EUj^y%
z97XE9b;BELpzu$Nol~@XtAdiuD{b(rRY?{CjoDy>NGOacc*Cs93}=BR;`>uv`WD~%
zi!Z|8{-D8-FJ4AIU1!{!%=rBnCXUS+i)ps7X^_@wfoTWsWKzlVx-c7*-pYaFc7{!p
zHUNWT^(S#|KIc)@X0O%oNc+fPhdz4(UX`kgS*`XL6|bVJjT`ncW;0<Wy=R-OJ22JL
ztQ;#poDH7^gSDM{Qo&Nc)2AO?5H!l$6!P4I!mm1%k#Eb&^SU4ps<jJs?56E=32+0m
zR_NkOH!4WDg6|l0k@k=_9V#F4G=-MN3m!ir{PGJU&dXAmKkx?IY<>>$@_up~oV7@B
z9x7euMk&OZVNiE>ze}daIb=y6N+71}F!5#2toa3)&L)SFS@o9PnEbRm89bq#54A6X
zw0rb>tg{C{y8>K>t^Advz?A9ah>x8p*7dp=N|yL5bU(EA^v5hy5ZqHoUdI*w^$Mzd
zk7qddoYX(Y(vR@4fT7VbHDUFQ-L>=qoAe&mRP!D>@fi{c@f}h(UbJuR4AYK%7CI1P
zypKpWf>I}q7@qggohOnb`}91cTNx77n7~Xj+~7D2OWtqS&I)U+R`KEsU47T(x{rFN
zHo*Ay&PtsNBD<~qG01jtsT_Ujh-!6=Z`;G#AM@i!9F!|f;GO|}3olw4P0<y*SBzST
z)0LWz$0Od%AA%;i>`wW1)kc0H<1`r7z!AHkuQWw$TvHPm2|Ve?3^0T$aO;2!!iPoB
z+ePPzef9eT-q^mS`|!q?Nw%M%VT9{N#rqRD=$=>>VC)66OnzX0kVWQ(dGEegeS#(C
zO-4&%2r8Pxl9<oMO$RkGSLgqj1-q%IlR!~oL$D|b?C&<V7$TbANV=2;G)shet{mW|
zMT~E<)H_CPJ1Ni2i)X&79_OT4|3D;$+Fcqwi~CRztf}OXe+YqSdFJIHuqaRNBZk4m
z>C85yRf7AWpK+qd=4J?AigfgDhA7W3D&MH$SHUSavbjO(PfLCgy8(c^5v=^vTn=)c
z#R=Y}E9ztNF5a7g1|jfqfSx5x{rSsecFl?muFhv6XWOaH15nT+hy6e+Y?JdXA_5+x
zq!*0|Xy&u9kiFSTb=JVsRDCpioLK5?9lL2^$q!6XoFOU!^Jacj#iK0<%~)ydI`io`
zt#QBI(>QhMmYvv)HAs@6{w*^;0DPB}t~)gR%wk=Zt`T44Os60agz<4)LrcH^l%#3U
zsPjPd0iPiCM-9hEHU;KeZf#$d3pEY9@7IlEq}{P%fn_;E89+!BxuaEj<zC+Iu^>ji
zvltnVRf1XhCqjfu%k7l{d$~oK-*6fk(~VyVh9ldFSe;CgxV#!gxPxX;(%seZAcx;v
zbCC-)jL7%mPj7GuwH2lU>9IFR-O-$5IfDyfTHHUvf&8*i51@wW)5oAoI#YhM2;E$Q
zbPH8YLMFLhNwB*Z7BCM!S6^2EV34KyAMiNM{*^vaokoOxnkh4*BIi%p#iC!w+nF^Q
zvGPButg&%bvK^X!3P$`;O(Ir#f%jc#Q7WA`>^I-a=e%j<>d)Z(_`?y`ZG?E;{K)ar
z^m4@w8>H?-Fm#USS*X+lX34K4o9joy*HUD;Kh3oB&T2V%I!|XHDk(o6F)2GPhk<{3
zRo{auT7Vgl)($QfUeGVR!8mUb?z-3*6zoy(jl>kZwMsihq^vHrRM<*5UJEEMcl0s>
z{=iMB0S!R8!jufC4tZO4WioBR%xHS?LBT1~qQ$>hI>g&G?bcXCV_1YITIV2<%S=s(
zgFeok^-^=z473V!OK3<w3k@zOQr|i?+#v&b8*&TfvH|JVSf`0^x$SzpI(<&#k{@Dk
zB9sr`<{(|dEl*aX+)9=4gh4nzfpl&!U4zW|18Y6x2VfGsxNFp0%jhz!h=iv^5muNw
zrA5Ar1n`Pl&|K1y*A`_MhTjCX$f6DF_`9qYN1>@~H9}PjPY;@;YH;M+U@|17dI|y~
z(TVLkE75CT2w%*Z^LW}Cx2e?^W_;qmY9*xe=DF(4$^J(yg#SAh0?QDk!}F8Tnp&Gp
zxzADucmRLFz>I*xWi&?B3q*ancfnOOV_Q{0=Unh)_fn0oX@8wGltHr?0?TS9OM79c
ze#|z}HGxlDa;l`*IX-9z;*}o@p{RFD(%#l!$wg%lqT<N`{lYmtD^MB~!q3U$>_wbH
zCDJCCAT>pq5TcP){iaPET;RB@MJJxv<6LegwvR%Nkk6~#(<VW6if~nws!Bv0u$QIF
z<wI=xaf-Ybz6I@8<f4oJbA!UvRBJU$D}f)vFKd9ZrUW;J7wu`0;z&(04-UTPVHtfv
zM4bGmzsY!{dBLyXPnG&<QZ2qa$~@&#tT8WDFTp*Hbp$K7y5Uc8+X+o_L%D(5y~r05
zmcCsfD8~lF7v3P3pNmzL4jdD-OfehVQZv8(x0byz=pe~S9pBrTy>0fWOfAAH#^8FN
z?iHDnVLQa}K%}GwkmP?hV7@u0=D5|ve#dbzI8vve9vw2v)IcL*=^jX6PVH;HenQ{i
zO@IA4i3;bdi4HiIYrvZHmN30jB^VTekDy9?1MlYmLMXEeDJo`|bt?u*waAqx#Dq{P
zA6Jaz7EM4j<Ymn$_a3|sZ|&JOVgmv=Mhe8NmOJBV=ez<bmqEL(Jx0{-l9=zm6Klu=
z2lnoRe9n;}szCoa6XFmuf&0`3ZC4pVb0lWS)4Pqg*W5C{xuhgLN+MF<4IIKh>kF;W
zj38uPmV2irCIYLE&u3&Ueb7<`C_dU)Ye8G)$yl)UOuRQ5#`_=98rlr2CB@9JeN>nV
zB+ZCDop;dwhn4*`ZutMDy|;+c5&3UF?q2EZ(MK)xr?hKrQGHF#PIMOzmTY@kLgozR
zc2fMZI_a%d7wp<M5h};cyfTf*h@Wz)J$pt^R<%Rf2ax+xKtmS4u2L%^f4p?kyTBU;
zxM1wvL0ybcE6#A%I{l#QOUCEQw$zfV%WUks7V^+th9EyaNOI!Jw%RH>kyB}{U0VKi
z3+apeWfWqJ82?>CzBz}YdU;pVVJ`Pbr_ep7@uQ-k`e^@Y)0Q7eB^T|IVG3>1vw@EO
zR~z;{OW!GOP%O3qeehsOgeOOoCFL!*`d+LLLq?C`j8-BB8mM!fn|fq+6Wk!~S4*nT
zI$PA1qD2@MU~4`J_?yaUK%2SsBcqAtc!O&)ki-(#+9jRtkq{N@eAq2^3(QiGM}U$0
zYetg&4=r-fd0D|-oH==Xoy+ZtXR~#=0g<6KWf7`IJ4ofYanY0_zZAost>mf4gTn}o
zICnI0w3|Hs{xg~2O13F+41Rjgf-M)0MA8L4Gsa#nuv|BH84^zVT93c5{%(~-Bx&9&
z+o)8J%9m0$6V;&;w%+C^ut-}S@v2$;M>nRO0=biJXjeBTHGB3{@(Tq|4Ki=5Y$WOw
zgxlF5QjzH|hycHEFmDmYiAFyfmZyuWsNw{+HlTy(F+PX6t>|6X4-U7d0L02eeE-Oa
zKSJxg5Rc%bg?Ni<xd-r>WzcZIlUTgsH>d`n!-!wAmF;0~b>ej7gtcDRkIa4u-;oRq
zGhdRoVD#&A(=RavMR~&CWsHs~D~1gZxGq2s1BZ5}HKbfcUu<hB8+$@9@nyH-+vFop
zuPa}zxCZ0P&m2I~no1H`BCq~(vlvzf;rwC56+E-I@g>rZD5;fPB9jqdrFjvioosqF
z2BGd>v$Xti6Q8kNN0L&+O&bwnK#qd$3+1~FOE#pnwjP?~*_Zc;G;MMa%w|e-zJ512
zH!ehgaai5pvqcl!Qk^kLAfv;LQtYopVB&a8D0VS+3d38--q|9l8T2#C=?OSo4BlEG
z%>V(?Mden1mX}Z|(nuI6UQcN^x4D)sZ-2(E&u&;8x+5e~@2QcDeKnG7hOXb%wMp)@
zl%3Pf`~zPQt3YKsl5<q@`gbf9+SNQRlrpMW#@_?SwL-=kZ(FC(yNtiMa9Pc&x@F69
zp7M1h*Et%eU`A>YXFX=N%j#BxJH8>NqK$_Av!5M<YiPnRz%FwwKAjV5*IQUF>V;%T
zHx;I$PlV<JB)fp{$nU4Kt53sjE%sGmAk#R(pz*@lt!O(SxBvJO%C1b{qxdvn!A&3Y
zI}03+9O{N&o?|81g1YU)pkA#?&sy1$$&~-pgZd`?VZL9?fvt;dW9zip0f3q?>STYF
z-7M%qKF-e9LMp?_%fG-^FmP_m&yHa!2n4BVg0RMdPqW?(Fp0qVbk6N@J_&oJJ*>;H
zr)AXW*bSdmng;KJz*>hxIjy@*8#+O<Rjc#su%zDUOrykDlst&I5JLwyCM?2_R-ZW0
zV8MBz_Z7JeyijkF$+(K*=gp$K5W6!G2mHRPqJvzkDY|dK|HHunWRo)uH&p?`p9d^L
zlzV$OOdF8BLgn5}L0~2pDw~ZHZiUQxVFDpGE15YQg7x7hi~<^NI}|jYK8+?o_@F>S
zQgV_=%O7dQ`dUCB_ULU)qep}Ybi#}C-Se0J{agND4{%)i{!{wG<6r*&8}&bkzw^KR
z|Iz&I{^kEK|9|8E|FnUB_5XkN$3N}tAH@G({r~?M_dkfg*T3=qe;dF*h`-Cf{QuGX
z9scG2kLK_AFaLiu|9|s8{~JHx9~A%p_5Xi1fA4?w|9>06Kgj?8{r>a6@&A+b-}SG@
z|G)D+|L=S$<iE$gfS?kkBl8y#N0BrTm`A$##@gp#IY7{sDy4+2p-TGY5PJzan6k`t
z0v))!vhVnHr$hXl@09ApgTMi^0>_fZX{Uyqk!o!YHS+fr)0^e=c7m7agf={((CTW(
z(J$?l_m>d^{`r1xl&g%vy2CKB?CeJ;v$It;heM1@eLbNF4>2qab^v|vGWC<Gep*T`
zybK?sd~XLrPAFM^g8(<x<YYOCZDX7X3R2;>Zu>rsF>N=w&V}R==|vAuV_6p~I_}z3
ze?9tC2nM5OMAnR|_$kYTJcH00IOaK<=-H=?g9~92e}}{x;^N4#_>jZAU@hLul2m($
z@T^<9a*?~4<->G49K4gbxu-!t!J!m|^d6>v;i3GiIxUbHjbB^rw+Vbt<NGNNK8V-m
zNaBr^NZJ0Trc7D_v?~!T!vc-HSTP4m0m2>}kG1#7nw#C0OUbpMS6dkan|)qAESag2
z3t_2-R{zB*xL58kGnMB=NfDdgzTcDxHRh9UI(X^R?gZ-wIvakk47IGYLtQ{eC%eY)
zHmP6?Q_q$Adu=+?!vLwC3kW%|3qAr;7PvbkC#6Fxl@y)=Lj|G{O~KJ;<JcPE5!t0T
z{51WKji#AF!+;X3xn6yw8d`ArRr1OT1xr|*w`k-Wh*L7v)<*7I%4<;X=X&=O0o*{~
zz+JEp9G!TbkqqEDC%@Jm1Mx9v(JNl;FE)4;wQ?GLm@&(!ws?0|cr=y+t07SjJ~ZOt
zUWWmJ2bSOZiW21m)T`?^Y+t`nOya}dM_kxtO~RU8H*>m;;Uam(DFx<Ie}>Q(Pl!V^
z)XvvFdY!#MW2rjk&t}YCKsFeK@+0z5r<s4l<rZ<cfkr}zZN+4N-5|EL|2Suv;WZp^
z1sMXZ(P*Tpdar1tx6zoC@%RC|25f0ZNVDC#-<#Px?WAtuqwhHeHb^gVeJr%mv;5?*
zo)4ixp^h0_U|$Lu#M8g?uoeZq^Z0~tg<N8ni5J2UX}H%ar*pyTpDgNF!KKS-C5s$Z
zJPf8&ofoq)cc3i~d;!cfW{fzQY=ivQyrlo(EvSEc3wRq*Ix0VtWBNX5gPF@PbWOA?
z)x)qSY_}O4mHuU$&(INbXR<ap7)$rk^^oDJmg{}j@~Um2>54+GdavdDyO;MAMlNS}
z4t+3rS=dBDVAKyI2UhW6Zt8fN)^@=yD_gsqSW?o|D2;xA&~FDomD0HoIk`8R_=h5W
zHKh+!L?pPc&5HOUi=jk5aS1iKdkQr0W1`v7J5Yyv?~FT1ZIxHehUKxuz2}j&PGO}7
z)VP>xe@)8%q$eY<6bZ^abwW>0bvszw%bU1)S)Yzv)Ik_DTY92heN1}qlSPqq@+BGu
zrjiK8hplwxjAwZTT!n54(m|n&SMg-t$QPmV_WYjOujOb~G(CvbB?9}RRU`~jk;6Yz
zs&8uR20`<&$@Um^z6KU#zT${ziO-9RV>wN|<J7-9&s*pT<PDeOV7djKiZS#(%NCB&
zgFZ;Ehe}fq+8t+1$F)87M&66ruT-tiP5@~Ak#JT5-y5-Rr}q9hHwSJ{rj0Q6FVw9}
zyGI-YiUB>j_T?f8G<stR=4I_*HiF>(d*;Bb*hLwQG25{Zc<gvJVdrm%3SgHhd}n@g
z><Q88PjhDxzSH=kp83}`9q>C5_uqOu&rHA4;$j;E(-dFuHfr%acbd%x(B|Ijb!~QB
zFzp~QHEtE2o>l$7Uqb$*NeXqZK;AsQ9qHFe1At$jv_ENedblMMJu<SeUVnmm7Phn?
zknPb>0jh6UP{C!iN^;2uq^k@h`?(D|t|A?C5m)97r@o7m4=(QN5o`q2s^6G>hVK#a
zgW@n>8(jpG04@IB23tFEryJ1-e*)VEpGZ(O#=@^lsO1-zE*yZuKWrhxt7UJ&gY!xJ
z3TXq;Y^=JFju5qToNX5`xC+AsCV9;Bc5yl!5@CzBd4o-_qCzT#M=)4fN+l}h=Nyk{
zN{ZOK5x0_uWV_VDi^l!W=-_Z`El>iWo@O_n8%TGJKYm6-A&`VR{t&eD4DzeRo=N|G
zi=EaDxT{kEx#p_N(C6rsApp7;!>g@N^iC5nuI}NQ<J3~;q@_AalmdFvoXO{#>>ATo
ziY$Yzu%ERH13tcK%VP(|3YzvUnV#^(@cueP=IxwT^z|KkVGnSz^Jh)tPw=N_VU|qc
z*S^jj^*tyOT$1O8rWy9z@K&VXE-^vF>%l7tSZy0EaTfyl`Qs08CsvC6c9+(BZ$cc0
zZ(M+fz25!yVTNYZ35}ZQg!1z?drYodk=fPI1y10U*)G~j2Ia<YEt`&CAKcGr%*571
zs5J|Lt;P;A*fYA??^F2eNOm`fi&QSDuQj|@ORco0ArByA^7)NxH}QeQ!P9Z2a<xIC
zF@3eDspV-+^}N0II}C+&a7|f*G@ubs9(7?SX6Wiiovm}MX1rQjzLXXG8ES5Z`k?8U
z{?C}(4Zj7Np{5?NmaNn}M-V3TBPP-dJz8U}r#fz;<1HjQ!qE5YHBXQBNe)Okyx)^k
z-G2^r1F1cf;9)o6Bm9Z)(ZVngy%Uf4E-FBcp@&}-owk=;y9mbXh*?@N(qbCmcP$4F
z1gEm80H+Yha*!|pM*nQYZUybPPVE!$haNsnmZbqU#B#Ra@e^IBDWG79Hg!E-k=e~J
z-<A8b3cN{T(xX7dsDxtiSQjjZuIfk%w1a6~r`wWpZiU@Zdz7RfmP%cgjPm>r1n0A1
zEEgSu+$HtN=M0k>?+4U-sG?qU#7J)+%Lo0T#=}g{y=k{<B4Su9LZV3qBB&4YV|CdA
zoH0$N#)+ZQCf!=nj@!TjDxnikE2wM1PK5oP-{P6`5JJAp6iKxv@fyH(CFE$bpJ?2P
z#EpmVeFZ0u&1a6)z;ZoJxjRRC5R0mE_uM`u+7`GBA<7bbxr{}rt#y4OFRm~x<>q4<
zFQ*Tv1-Y;zA(&+BLMq#Q8p9=Zr-lp7T2esSH}JmgzQE;$VE@JB%9c!p?iZF}n9{XV
zL)BoxLYYjz$g5u_>$plBXCzGr2!`GJ3V(2Z$?LY^zpX?wPI0FcE9JS2S5!Ub7^g)*
zlouiELub!dZ1+^XF(gQHn%|Fp)DPQsxXQI|!HiK;$x|5xQq`Qx!Av?VuV{%i{`kCZ
z_42XGW+|+#_o{b;Mi-))T7O)6-aO4AQ_qci59k6W#Bc;z@^9kBY<;IrTu2(S(&fAG
zw#p@uZR1_Tb7bXD+(63Qwmy)RqRcMp#+25;+%3=nVYMkI!vnT$1n+G$=;Ko+VkCm&
zav+7iD}k6MMSa!3-YT8Tj?<;)rTz-DiBlP|kb4VQF<0Ep+$rUWlmCy9hW>X*17s1U
zqw{m%9nlfoe2b2@5OydH!O&~XEmqRsdE|YD!h30KQ-ci6d#Id^p!-@byXF!JFvUyb
zoWFu3p8WMM3cbl%r7?~GFQ=ioW?Kz`gH!X<TZ6OK#R!=bcM=s>9Dw_LL8Ny~3`#(j
z7H{pC@~n9_jw){YTRv3&PQ8Q}tp$D416v>E0Pi1-Kh)zbz|F7Y#sMg*Hg1Q#WRw-x
z|IuvBzncwiN0g4q&ty7#P9E0Qynaw<a|#(HUqd|0u0aci+83CxJ@3>VB0@hDdv^Kd
z3UhCflgaAUA`Di~-__!s4P|Qa6a9<MqB|<s#z-HzFfNz%VOM~o*o9mVGMAfewlzM4
zSdFfSRRk1Ss+z=^2lt#-t6j$>h?C&B>v7Z>wBD|XR6FnoL6ioSqfgWdHRB%e2k>WY
zmz$B7Lz`ogX5f<{onPheNGvkGCs(xCksVF@67_@umunvn$+&Ds^~4n!mh!`TRR?im
zA*w6!!Ss`y<NbCdc*G1QPvm9R(fFeQ{i!#r69I{lGpi{if;KCt4AExUQjdhG(2aW(
z`=gkBS7agXGqEqJObVNDH<EVGdc5mTKX=(5p>ayUK%$4lVEW&>ucnmzA_?YdEYe%*
z&01xRD)tg-6(Iw0f{&VFF$x)bqxpCmK)^*{u|Y$$T*dkL$ML4zZsJf^!MzL_r1C#W
z4H3}HNev=7zMvXol4O}AOVA;4lHlCse-p0ooekhP{6gYj?at93Eu>T3WnsK_L(Ir6
zb+~w6a^{<pNld3hJWh~SIw5^Bj>>J<Un~71>o)(p(f)TaJ-UH!!OJg@<I_Ys450=l
zY=f?0e1QWdd(sW@V&xs?+*uCam@w3e^-HU@<`AZ_FAx~7y3|`Qz9c@^<jlnfrjBV-
zi=O963Goa?FPgD>C2_p$$>Z?=6R_V1w=x}f_Z4^4H(r{*&?gG~L~~j;q&>oEX+s;v
z(Z*!H5d3^}eYOUH%_Ag0Fu!%Q2+Tws)&sq%Q$yzXOk#J6$eA2F^*3DXRexaFRvNf?
z{)&Mx^o^F~$iq$>wHN3|gy*HG!CNPF(dW-x^%r=s>jSZ4vUeEe`Rk{HLQEHcFbe?N
zm+?bj-vyp2huz2&Xcw3gRVx1IN^5jJG$=p2p+ede=&-=0$ZQV)2wD_zR$?qFNWyDt
zL9FE}oNm*gv3xLljoMxryGqieNcXA<bfcxojNRKThzcS0gb7Trli`+vHT1|D3&`32
z9R6*v(!hJF^$&}pIH<q~A}<t`>n{A@A@T4vm1N%JK6@Mr+ftGCHNiP}UC|n5ci=$|
zyUM~Pyj;d@UP6ew5pr7TE>)^+Hy(EPZy3)cqz%J%Z#~=0i@vB#Ec@Fr>s^#i<xA3d
z2GXk1(ACif^u@1PSGMlND$k})X}hD!DRMRfE=s)ZuXN-gO%GPR<6W4Q3~(B`s>zh7
zU&x~(&i#{RQAKIL+I1hb+e}D8U>$C+Z0h_xUt#NOC$EKIqw0gYZ+rA-4AVDhi9$?u
z*9EKS4ocQg;9406Ab5^gJxEeT+7dH}(8fpcoFiU%bGf%E%4YWMUcPgqy1842S6b@i
zYUDT@?BV2Eb8G#{@|ELx_DlHLqA-ost5UZtdOcr6gC>ip*jN;+foU}$%zsBYSEguR
z@Ya0@`0~q+0D0Mz#YiXij%e}=9kgRs?c+-r<-qrLaKWG_%@8b0oX9B1=EBJ&+*F3}
z(SF<pA>2l`16&bRFqWAgcYB9GwomGbQN)->>?x<N3|{+)w*C)$-`FHt7HnCzZQHhO
z+qUhhTefZ6wr%^CdCPXybi|9EnCbTuy3e=$EpxBb$=JDa(}mqT@UFnBF7NqG0D_T7
zl2n$|O1;qsik{~)5SQys$;mEUCeE|tpni|xqy1EBLgEpz4{rYfyiu@^f4<d7w~k8J
z%$!!@$MG+=^iIVhcyHSi=;YktXjCJRDOaUf5S{+4SNzmmVxL2O<##V+1Y{xoJF02n
z(J}aUs4)nCE?-Vd;Wi(psBBFrBR5-DIK;vLKACD0JOR2%a&NhxshZIX<8uxc80!u$
zj9OXhkGIbaac)S)iwn5^70LywuTF)$T{l0>NUO=aKr38_mncAq;gILoWi9c8o~g{l
z$U%i&p5&g5g_0pRNT9xKq$RY6Bn*P1_4SD>8w8W}^c@ET9TfRZ!0z$~2l%*)8)?hw
z08)iXy$J5hK~;HQTVbVKq-Naq)*UR|0RF~ETMbT?O#%01uEVE9;jkB8Ux@H3m167z
zXL7!%Jm@>`{P}yth_CmTdSbI~;vCAy>4FJ=>L589o>rQ_=pP<$@eCZpKYs!yjqOl2
z)0_4T794ySgB4|+G0jb2d_C6v9QsCl?HGQLP+70j4Qpvr2lDKG&0j;sEa`LLx=vbp
zuL}UFJb9*}#On0Y9$-IKFU1Aiv#6@Aq-{DhT9lU-D9Z#K+Ri9vQyv}Z^yB;^6Jh<G
zi2yPQGqL!|twgD$C9f&x;=l`nh9hpG0m!8M<{XHfF~Y9AS(BBTFQu83)r1B2QWk&e
z<h+kSc^iQ$#ahnveGW&U3Ijt8`NLFopgcJ0XbIeO!82e#YyMy~?QFSE2*6mzY<7l_
z#u_X1%R&02IR3nML=z?P<0!!SbJ}3f>CGKLBm_w{(i^+mzG$zgc~g{}doSfO;2Swc
z1pGthzjXMYX(zC1!b}|gF<-YJ>DP+;I-qS!A=KOK>4=N0w?EvdT9-)oGNJcvB|*ix
z)WQUY_7je~MtW<+KLA1t<;}=$stt6F*6W*EFIQ??=+CJVv3B}BEkg!v=H$fJ+{R9I
z?8VH<_8J+1+%^70nOP9&kAcDc@h4s*bM-PUbaiQYCV-%Xg~tongQvvwFBC^d`QcX1
z1DlU=wfT(VhbDQgZs^-5d}_u3y^S@nQYVv?8S1Rou0Y`52JyOf44L?0jm92}-BmA3
zcB;k8pIkh*q?yfN!b@0dV$T2smwLwnUPDpPeqvmSFiM;2Omrk=sd$HZfL;BF1F%a9
zMa+gTYuO@v{klFfW|5AbNXQIbk5wYE$RHN?3XF`uEyy^YB;2V@x0bH0O6%Z7B96vn
zg@$)6Aq_AepjIt|jVdKQmD7)c4Gj!)S%Xm^c|?1IpeSq>MW5^Zfo~9p+<U=?{$ixa
zb(-J|gD0TTf1~$uW{s1R8kRJ$ja9=%U*uu$9BdpVRTZ8a?y-cB6Z$A|HsH&K0{a-U
z*2}OEWg#CK4U$&vdS8hTo3>m&T&)sdQ#=s`hWGZF?tGDZ7ehR<nxtPgPX-8fJkmKm
z8ZwKpRJvo_CpnWNi0BxFpNz_eE2Uk^ynW@!%9Gc%LoGUs9{=vGxxNTDK$@VZnbN?-
zPkmn>y?-_VfwgvCT}0C!^9*?wSc;F|BOg+5SOBbi6C(C^KB{UYBdJFhGxKhm7B^F8
zG8}Yyz8PF>d407vpYCir1XQke-!`>b;W+Md3}_y_3(p+-FpIV@Ki5mG2TmGC<ydtz
z==V^izkHNBYI`=gr=(x>agN6lj1VMPohV#kGzI9e(`$$Hk<y*XepHGp92{4|P();Y
z8h!18G)?+g5_=yRL+_D>^;qCFl*%bq1a$p)8sU#@;)hY5|JGoefQ+8SW3)-+))oD;
z^BDoJaXZb!ol|Y&|L3J$1@TcPXHn4VJQlLc^%peJ!~^b!h3SRDzID>M<Wj}C@tf2z
zi&|menGf-^V}-o$5C5l2-SDCwi{u8Ay2VJ_Dg)?t%q<@qU{uKk^>A&T*Yo0{+O1NG
z-Q~v4Ej(UGEYeef!7m7l>S?UI$<Cb=#?u@Kq$r)ey-hbx$aLEYb0O}2S~CAV`C4fS
zfzqj>V`O&Q<hE?_*?4B)AUh;6Bl&gxNSEFtkK@fO*QX-JuF}}1+N^_Ag~9u-Ap1`?
zI-1{|hui{oCcyrwC+SD`!nS(*inY00$Qyb7Es84#4v}1j53P4EwZaXaAUiV|A+#5<
zL#YC0RITYcF2SFgkA?3wGdv-DpI@Zy%~^Qqzu$ztz7#p04$so;3_xBbui6wSi#QhU
zgHx|J*1_(lOy`kz4^V}QDvQDhifXTDryd&;i`oILDRIV%A<Khk-c{3Q5~>JdWAQAP
zF=%sG<T&W`b!@%jk7qH5D2LRC{6>K@O0?*KGDLG{{~T5Q`nu)>959bt@(l&k92Jv+
z_A5$LOs$UxLHXt`p#6M)sDs~x!41*p-_1hja?5ao|K1rIrii!|P`|gw3}aaqTlrS0
z;ILl_A0kOcgsHkbgf{V$f#;CZBz1AYbB!K82aPnR2*v_-u?0QJyl#YP&p}ESl9LO6
zUqNU*|NMdYXp)sV#UCMU%`+-{Xia&4-Ms5Qd+wYIIx(p&0Xpy#-Z#=>ygW4)zGB|}
z<6L2`^TTPHJ_^iD*P$gyq74gINn<pe@m82z29Hs20ED%3XNsX2T@?Hnl$I+fP<yFb
zgP99Z#R>CUWAr1H3@}<cn#zv7VB9pHKhzoC_;n)02MJs4IgHzFj0^X{ixGKoW(s8=
z-s$9xH~1?PJy|;GhJmUrxF(a5$3cH|UG5N_Ur~)~VjhVBibDDqnh3OmgpDVKptMpa
z>By^;cuIjZ+5)}O$+kcw;djqlV}%M*0iZ$?57I$v<p8~68HsBT8m119Xa%=}<Sdau
z(Il05v-dZ=3>Td;?HBo2>t9@945^>vo9~L+u440KP;^Gf3A>+OsT@@Nls-ue7ZN;z
z(%(?4@Fwmip7hA!*n3Wta_ge)DcMf0)n@(cQYbFn<k5-K<R|HmKy-$GmWz`~(wY)D
ztN_oWhdq>?|3D1$<lDd2KZqUNh0;5>otbsJi+1{eV$&#j)CDSUi)fc!`{W`3jH`f|
zN9I<JmT}r-N7OUDy9|WNcBTK=<taJl820cDBUAXVf>D|2y292|#}+4pnsiC55Qw*4
z$3fY9@v!|Pi{bs9#Q?GiGx7Mz>?BDkDpGXL$>NR>ya_NHvc|G<ow1&SpSlElU%Wjw
zwU0$c*E29=Sl&XtXBLet4VB_+gTZ|$fl|0%%5KM+%S4EVWM-5w-?5B5INv$@v@?#Y
z_M1_+y~|lSSJVD#;E6l#UK{{ljrhF^AopFr@V;sRpx`Y-WYM)oob8FZY^1prjs$pY
z*HSGG)_)CLnL*|>Q6<LzLu!J*r3Q;3%p~9!RfZwV(?B^el%Hpy&=oM0iR0V3H}Q9p
zN6rfJoZTeL%AXMoowaX0MP~6%g%<Sk-Lr4x(#z6TdH>9prH)K#NxT$vTR4T}1u}Vl
zI3^r5#JtsEeAo|Jqm3{Hru{0L_4kkzfQ)rWrsTS>p-7k__ySb2P;>RvY#T8XHO?zN
zop&P(ak}$;=#?i|Q(<k{%Q5xts-#0uhVC?m6ITri5Ee^B#wPpV)y8u}y8&gF(6Zs^
zI4W<uo<q`zF1#6{qQL&EfK6Zd-M&?EEbO^(aGU0l>Fe+L@WrM&GgU>h{hfL@0`Cb%
zJDqk6NO^AH>{6pAOu=O)i9ZY!m4Pa3+njXFiwa2noGt$)m_qiI^{FsoOuysmY@$oF
z<ipzzoyLi>51H&qNeXPMxJXAzqZ(?xRZXF<3KZhM0dA*$jq@WenWpVVp=g6{JJ`e>
z+v^@Y7SOq6f(L2ZqCwCYoV+h!X9(lmfAJRw`aJaLZ@LM)IFRq_Q(%0a(}1P$N*}HT
zWz2S0z*59DDJ2oWFp{;?rrYuG^dc58+BtiV2hHu^u1JOVI|}GObI(6zoQCsl_Gqr2
z5gJ2@=sxM5!Qc<9KVUc==dnDBPB$oFu3}}Ixb@cn&x`w+#PR;8$va8LsWzbu(Sp#M
z1fTw>KX3@RBW&@?T{*FGIkv_e;b+RJ<>tvL?{Llr;5Dd|$(mFTgeA*aNELm&M;y7*
zHSs2c-1Wn=zNUTW_ADd?o1^)t_m%xuWlCo~0ovd7#ZXrGhk7x_)^QV25`G^&3;07>
zzYA#xc(Wv}tHcf|&_s-q04S?gqBSuauCa2RX^&09KAKB$bEx~~Hg`oVp~v?3<sNBL
zzc$**#I?DGltwzF$#{mhe$obya)85u>&BidjRP89i~S?G8%!nBxQW5|C<R2PPd{r1
zO6SRCS&N^jwQ+K}`FMl}I_$%l)ODu*;PNdr6}2mjCIbMdmVcdSS6XslJq|7_I)$T(
z+jiCm5Yug#L~*oE693+3s>8sH(xH~&78`BBWCtVrdE_x2kx44EtRcDEtX7dG{1g6^
zK}m#%ZbJ=NjBHQ87hN^Vr2KidWBEH=iZt-#HsF*g3utx6pnXWun9DYmK~GAAFbUiZ
z0EoIkg3&I9N~Te3Ib?Yr`@6^f9#n|aQ^5p8eMBAP1wEb-Ms4+hfh`8oC4~zHg?vYq
zVAyA*pmXw0Gi%~D&}+Vsf#Kt*Q_04f`|LKtZRH%L*l}7LLOPLcA)GwxiXt4#C<CW?
ztz+jm5^`<kQ6Ou+rcH|o|G1{}A%6@&Q$(^gZd2~}S0ydR+g*;1b_W%*q(IXeRYBZS
zOEEI=;JvuzrZX1tI*z-0Ai_CeCawGn#+1=$<@8?Gi+1C*17|~HBtKdU9i${rh%Tkn
zetMX}FVoHKHb9zH=agimTBvL?L_?nAK`obGv)gm2P1_llPT=$JIBQH~&^|Xts6#`?
z<{zd%c00?oGP|i0LfqX2EU>EOhKzy+T?ir=?n24d;$2y&?S|S&9K1_*!HaR6&|@85
z!%Ja`bz5;DB{^{JhqQeo6{sWx7Me^Ozg-QR`e{d#DU!-C(W5;(#z4DIRZ)+dw?>&o
z#g+l_uB!3|215Xx3e@CGOLBX=o#0;&s;>|$!L5ll?pOjW3mWzg4(qHPZRJglQa8ph
zGPJM)wZThN#j%rtPgp3@F;A6Zl3ZCn=|5s%!}|CTD)CW!2pnA`cdID)0A#~>m%CqB
zuX?U8MMRVCe9~bPsh;SF6o$LCH|4JH1SJjODr7R*uOPGm_jbGoZ-Htd5}Ine$4V70
zj`mqb?s&VcD1Tv&HBetQlvFV(5^DR|b_Sf=5K8FXNC{m+5uXpG+|uWxC#MplbO*<?
zmg_zC7~HmY-cGKoi2@xfaO713JWN05q!7*Ei(oWIo(YCUEGxjOX6<}RXVdaB7;*=H
znQTsLx2~q52(&RMVaWnlX@H=^xzO%G^3mAax;gZjm?wA_D2E<uo?Ug@M<p=bt~(@<
zqCV6;cl>e`c+ie+9(oz3TJ^j?#)Dh_UQni3wNtn-r@@OX%`#7#YgNaLOQub^&rCA4
z=`+x2FE)(r9|hIn@x>CZpX&9HA96AlobL^4-FfcbzI2F@;;pdVe@)*@|Apx`{8}F2
zIM_Y;Ffoeimf(>gKtfe)DlUaWYvrpMkRvH$1i138D8+8Ly4e4ZG)44xngVDd%q04&
zFMJb>f01A@_y^a0X-aN?PE2SDaXcD%^xXq>DVz&?B0{Id9`t&Rq1tXv{7;sO#8~I}
zolvb6WMbf$`l|IJg0H=RWW=(#@p8=Y-3Xh<bqb5L%a~BZ7v?i+lxR!C6q=;R!fA^D
zmM`JMs~m{OWmF+xV4t32$c3ck)N=DY8|zskZ0JgDDfSa22%mawa#&bAh=~0HX$%GQ
zy9$IZE1){s3x-1w4-1&SgN(pGlp*<B86aoEOcH)};dic66Jr`Hk&O9Gs%Ek+oh*a9
zWJ3rPTL3l8xr-;$+D{5E6mNcHyYm4d0<Ub3Si6)gT#ltbpjNwMVi9VSn$B%0;ieAF
zo%GB&)C?ymw#bY!i?@#z=B_Gxitatjl5x-jEy7H5S2xjeFEfD?DDU&pU1P^BH8|Kx
zRt@X(vUf%BEUUbcVhEsc1Xm6y6R+Wc9L=)z&<0<WmYp;%Cm;L+V|p33$t-q|2*yD%
z;%)wsvHs6#r7O*+4pTAY(MYr&r>3U_jG`kg_X@4JC%AKt`AJ?TVuS6Acb#|bqSZ%a
z90;W07z^gD3O`}<v-(kSAV`yk0Qln|U5Diu-MALMJa%wqT+*(wL2bDJAKUuD+<k68
zuS4>7Nd@f(Ej)whl;b|#XJ3-lsW|D_KLekrl*!PpZh1KNx?y0F7+g3<C8^D)<qN<l
zi5)2B>mN5)IX*8X_=@qGcRu`k@F=CJW5}bfi&;)#wR5^KhO6$^i6$SD(xYq3%}7|-
zXib|dmWpH8H%L$mr|B0@lR|?t1t+OhF^)<2bv7!>>w-K-*<l(0ItC}C$QJ?{qWxdm
z0+Dk1&^78N(h@uBddYAA&XOk8uNC<FqYQ_HT`DCO0$hA3Ucax=)a=V5fi)n}SO^Sv
z@{_|$())s;=!k|%u0J*5m&5DXhfK~JEwE<dwd4M%%Y4!haUauyK4ACtNi9_(;h9GF
zOvq3~^V9iZCYTo@ZLjjm#KBWAw*K~j^kipe0P&bq%@WLnMZxdWX+Kmrvzw+ZH%n04
z=CR}S{RIpxSw9{@A5zZ?F|>#e0KF;Cx{a7?3i40SBKzAIL0$<n$@n?$nQ3I$BBBtH
zjyz5G_qHf@vo}XQ@YHA5o8)||G2aU@z!_*Bh^^+DWPhs9*?-*dFPaF3M)jAtKl4!o
z-!d^KK<2`&jevy?-?;_Hd9^V<?Qxa5jQEpPHI;?v+hqrEy%=9Lr^Gs4y!~KOG;K|g
z5o2~3IgaGsP88_53_JI^K^=~59jjfUY^XF0XBCOz`M`{TI}Hfy<hUC3YD0EsdpIOT
zWN#`OU6fcU-{uhuLY`#nPk%<g1oMcumb)oHhHi&WB?wEEc<)*|Y|!{R`Frz*DGML^
z9*2;Ld5Vn4>rU<h_k9aHEL#)hhYLc(|FpnDfLfQ6rLj2ws&(G_X|Hd#`vKGwfEQJR
z`(>Bu14>Us_+*LW(U<630n%i2le1PR=3s7u_(NfSkvopbK$=<ij`Z~07G}++ZVMrJ
z8xi;W7YcZQew{nM2=!>u@-h}rncBH<DqcjwGr>c(3sIT13+*sMaO<VT6uH-%{Z`5h
zYXuH$!0zDC?0J^#l5pYD$x`=v^&Qq9pH$}$E*d91wd5Yj#XWGezKU|Ysb?9U1`_|y
z<hB<8NV6bmi(?P$sgNO$B~`yj+k{s4K*^Bv4tCCHzVKdDy<aWoOJdm4kYjS19wH-m
z<5GH870fKcz$ibVVD(2+mf|>6*7QLW?{S?%8F#*}b*Bq?05IVQ7d#~}#A|f;;aAQy
zB!#wsJ(5h{M3}o%kDs2xuF{>bT*TxdIOE1GT@VIM+m5Xl*|_}>Y7`TzoUsbdt-b;S
zO6M<ZR#P9`c+FsaK)npXEgl6iO#atSubL&MM8AIP*5Cwhpg`g8S<x&g_9kzLwS6^4
zpc}=*WA&EsRwy;sQQku&<?Z9JJA2+Expbm{U!L6jlG#_d-Pwo5;|HW>VEoDMiqi{d
zO5cFc|9UTS2L?EtPh;?spfJ%Q$~4}e|2n6i!H31uD?m2VEA}E-k4k<zgw~AGBmc%-
z*`eiVzkz<D>lz(HNwkhj_cx;4ImMYr-uTU8#sYG7*iR(ULKESa!rg>oM!O-GclZOW
zl$_ehEG2#(#!?tJgQ*UgUhJ(<<7Ch^O<?CC)zxbqaFqsQ$SGvT;F~<K)JcZQOVo16
z)E7AH>30OaH31a60%J6;{Rdy%uuYN$uN2Fla0Sth@r8%Xd*?W5YyPCAfZT1ifLR7k
z9a7^YdxDI~WavayZJGY1XhNHdr~chE6onM7^0{j<$$plo+hnkXhWKo?u&iBy-8Yu$
z)hSaBAGTqDByOf3Auv=Irr&3zY_|SSOxO-JR9TK+>1w|oXXwIDq$me!$l)UBH}94#
z1s)`$LN*fo`?1ZW*%^r55Ng?H|Ko-$IvMukF&j$)gG0i%{8!JK()nHPmuM9k?LNVg
zMlmfk8!pXph%_|~UfXRqm+bDI7NdK$SddXd>J)UhF3ob`;g-xAuYWA~r3#ucV8;^V
zL5TZwBATt#-lERCvVz)LZ~)20>vczhK`hwO^&mCkLxu&_Q9#K7ex76O;}L)phOv^?
zF=}-SbW9KQ!d4w2$3^SUeoka3I~oxu07q#QUw~a~>5yrF5AoIO<7!cb-rAsglf{gK
zhfZhkbn`{n6BAb}&-JZ69z;GzR1sCRzbk2JwFD?QbDcwnR<3m+{Yh-V8&Gysz0qec
z%M8oAcv&%RRSeeAe~*y=Dp3CM{r3p@9~bg3JN}3NzYOqysQWL%-~GS%{}1s0I{u6B
z_xKP0e>ML9kr4cE`2S7*|KAYufB64LLi!II_!s4W$N%#GKfwR%_%Fi$zajMh4gbFh
z|Nlsc{@wU{{ulrMw*mZ%;{SjBpZ^X2zbXFzSO5LH@&E7t|KE+j%U|mMza%si|Mx`<
z6k#R>KMRs#q2*F?CVc4c9)I&6%}@|B<k@ifs32Wue^9o}FuX}yf1gH1+e5XORX^lg
za>Xq`*Gc2rMWo3Q#xTr>F_VX+i<!r%GXKM~C-X9cIHn~bz4pzAJbY%8-1M<8dMbEJ
z(j90XV=yvYidKE<uk6ykld`*>?kX>qg~`*E_WF%^pDg~BuDdZaT=d@W?eTEu&zc3@
zEUVGZUUC3FH1z)JN}aRS&DM|@T3Qn~W{_pSVzgg70fe=xtcY>kRs%hZOt7pVvz;Va
z;d}+{;jgQMsnNaCVBVUe1@6bfem`-kxi9j<oh@qqAssp{*jqnA!`3f-BuaFW&ie}N
zDdcWxqiaPno7;te)Pe;zk7Y0Qhnatf-JPdQWcPY8fD3?mc*~lgI*39bD?TG^T2a(h
zkZ|$OB=weola?)52hENEx9XP7TsEZjnA)@{8Ni(h1=S}>Vp|t<+d77In5rs1#_EZ-
zZ}(Y3|Frx*-bg`%x{J^LyhgIG&cj)!y&9ZS6eD@*9Jtzw6u*M+`}OTn`qQ&%<+n@R
zN{l*mH;6kye&PMO^;SXxj?vKnhKYJW$;QraGdtcis*;eM(my5Q^sQ;hM!~UHynI!b
z;1%)e1LsdUcA$kFDi4uY-xl8M-}@(4Bc)oh(p<0)x-%rpaaa*7!+Y2}bnv!QNbNRu
z_#W17+s^XYymW*d0(4WQf!3Z6U7&N37cpGA=NqO5TKTG8t(z+icoO1)o4DKRt!Ywb
ze*w3=bKMvRlx5uqEA~F*V1(*Y^QQ#YP9w)$?ROl-ZQyZ9&P(f2v;0EvaK-Nn4U{kb
zF~6o}ZMLRrPl{OGE;*Dd;ZXP}(Y|b<&2l7h#!kOng4-*uSCvh$0K;>jTgLJ90?`cu
z-r4+}aJUxWz6@70k!MBr6BKi>Nb^EPO`3wY&6_kqswmaRYRo0ahk_C03nvc$8-{TE
z-${HRJQBL8kPNcwDzUcn1rC;<jlEZEt>}Mj5dJ9t?EP-Mom)Iai~qRxF)1RLq%X&h
zzFfb6sa(L|ECLn9IIK`BGJ0y;q|#M)6g=(WxFV*HO+OG_ro(svbYNv=Hm|ND;g`g^
zXD>55!|c|5rU$g+$BMkqSW5FQTfO8+%Rs;T)J&-p&U1@A1V?NkXB7SVz!MX_c^RXU
z=+SfGeB#a%xeb@l&v;*PW<=%m<Is?<9>FWC1NQRfZ;I8xPUF3K3ni8~SKY}YPf63r
z=Uj=|XRX75b^FFxWmx!FuQk)W0qDVx9ylu{f&1al+o^D-f<&PWAp^55p_s)nqN?TC
z2eM$+VZ|Ok$on2+3z9J}c<*=8n$o*dU%U}ZC3~eh6ib%tpI0eh?MaV$vIs~2Ya!eJ
z7bB?tjuF6rt;D6`=P&`Cg2z8Q;y%KXB3gFyo#6%Li}P;hSQGCX_;FXc@ONW`Lya_d
zVEh29-3X9-*HE4|G4F!VuvFUXse@Q^I8#;*aAoyj-mDE1DC)#l*~!D6>;^8mPR_Xv
z&nqsG@ojF0B}`BWUMj5a8I?L_3UZ4uhH=;*HCIxkJw!t#S`~1Z+e4R72}1Bfm17UO
zxSPhhXs6t|%+wn&`ICfFtAbVHn7+5yZlxFMDrUm04u;?&O8PUL-$R~Iy4K;<jJucu
zSas<Kp<HLTo%Chw{RaeLaLc1+a5;r#t;~`ztcqLwYGf7%Edu$>=pYg`@o~ON&hD8z
zBN0{`v0>QT(<P?*f`;780&`D{$xI%-b`W1Z$1Hx0jc&)z<;sHbv$N#IG85dItN`>R
zaDAk#NXJ=}0Ou=ch=*zogY$=%TK>Xqi~Q6)knpri?yJgQIHju8-cHrA>PVLp@U18C
zB0z?U<5g!j5MbSi{V?fh(A@p=VK?w~N&q}YHXAm!R@N{Yqvq=(5LjtK%B_au^ro^a
z<W&YLu0#T4rV9w^u~_dJiCthES=h-LapBu;(A0PQGlEkhJXw+9tYhntp-m)bJ`X==
zw1s%ed)au|O~P(IdX1o6V1)Rm7iN2Z4<%lUMcd&yromP*>EY8JUTa|Nc*+?&>=A2^
z%nQ4XW6uO!b+i&0?rHjkBg4>!P$zKb0EF`kHpiM}D%qTANaK^(QO)GAuPg-7761*D
ztB+lw(rO`CPDPs16Ycgl=6C{yR{1rz?yF`G+%8z;n0<1hsMRqVC+GKi`K+kQ_z`lN
zBk7*8G}82w#RCyjp&Co28~`G^b|_28MkeW0jZHbuU1T1a$kT+^k{AQr(c^n^>Q*fS
zjCi=($FsSU^+Eluc89YIpRb?wA*Eh`TYI;eX3I%a$jLzcjiv4HckRq;3Apn$X&AH+
zPt=9dgB>=R-B=z-tI_FhJ28nZp8bsH%S_@70dS>~c(2f#(v8hRo|(T!idWOiK#A0(
zadch75;>SD!?v@xRN~6O!2-J_{f{mB;^kTGdAllw+<dIfbemeD$#ZYUAqaa-sAqOP
z0d_2H%L(k#X>w_n03tmLaIx#k*_c?hQ5^sv+6vW;aR=)tFe1$G@g}TnyD@vZf{95)
za_yCXew}(bjq=>+Q|DeD0odqm^%!JXJFM9ReI|>YrPZowt<^Z&>TGwFprxqm<9+w9
zZ)!M@Qq@Ytc*PiFPM8r^0O@RSw{P-R2$FSiBok_Z5l}y6N)M{l;1GIezBgJRq}>71
z>U|KIS!`c6wa@SR=<l%^Zi~@W)6yv<T6fuw_u`}fBNqI%yzzg=mx0y^GimtQ_N8@x
z1K$gnFGEY7Yqmr>L$Q@|6)7}G%6-Dk1z_L+3@>Jgqc+GKV}`*T7^_771Z+D2bH{n8
zXBF?pEZ~-QakF?R<2!$B3~7U~1yu|kwK|ZX_}OBx%3k;??ylml>b~J!FI(r<;jbQh
zKE3@`Rg(l5`~f;+q5z1cLKF$=C~ajh;C4CMa6$&Hbk4>n5c@<7-jB5Xdd0=WCPI65
zgMO`QDA5yRPfhhLyNo~X>fj0X^=-{I9-#XbKlo^(U&H{FG6yE2KE)9PQOI`8cAunt
z;v1tpn%k;7S5fd}2gInOg;qka9#g>FXiaOP307aRkUC)T<ZseGg0ErKXfbPNVO@DF
z=<_n<0N4CzM}wqN8lZ>v1se#F`iyDrt$GU^TJDJ(`Q=%w-?8U$m1xc5$l?u<LtYkE
z)(H+3<t@GmHRypAOdpnURwAkdn1Qj1etTUkMkea%wBqQN0Kf=Sg1`Q>KFg#H!NJ*Q
zca$GmK^JHk_Q2I7#8{&JRJJo_>}kQc0gkxNw8Sgi?+q$rQJw#NcX~jCO46M-gwMz}
zWSHLwRw83K{RF6O?lC?DfmAcIesUr?3^=AHHQD`RDUYoIYmVnqm4ZH^bJjtMztLi(
zh=L^XT&Hf@e_%wrPq(Pj;wylWNgHsWa*1&G$wj4trvy2>&e(On-huhP%*3?=PlL9B
z@&Ev>+23HGykGdI3FH%#uUw%UA7vq#H*OEaNUHgHqil&eJd#Avc}WkJAVN%cp5xT{
zS5WWp%gKIxwE1l6SkLE)mMlzVV74Xo#x3Z!|8~%$TV2c}U-H)b;qpl*$oK4uClP_4
z#FPx!ETqP1Po(s#b}}2t3tz!PE(?RebCvt+8@L23bzCprKqt<StkG!A&yz*hkJM_x
zmLH4kcHur9#EE}AEQ*9nK0>(YW5KccO8O41B`=-w;m&MLNzGI8JH4>LKP;Z^|62S9
zVJ00vhb*~_av)56b2pB&<Ls7k4pRcIMfDU(tdJm15*mhT2|Lq?i{B{+WhB{om|83r
z^$(K4tDH62O}(r=zV??o6a8J*2;+;Qb00TW{qPcjPR$G+AI6^SxE}D#MD^0ZSSevU
z2Pvx+|HNvi_q>s~;*jJXy{CZJj*YId1M|45ba9nD{}X^bnbC~^duUUCg7kYrDsizx
zvu89O1u~U{6EAL(-)6xYtZvdvP02z(dseze?nWZ?PD^MP1xOB*dEdo{U$Zr^OAOo7
zCn7f9S=HoT#n2hyo6V@nv3B+FQcvk(7hrT-U8cg7O4FP6z?f3dqb#-jGBQZDK54L}
zy@TJANl4TbVi<pcgk<hhy9)Wj7Ce8B@>zEYwCFsO5}#mU(Z$SXtqz>mZmNdr<>?_-
zoH&t&g~wB-O^|CSSeQ|j;%bs}2r#RFqO|3C`A#o_if>8YVzsT3F?&9m6aEPT=5rZS
zY3T`4toU&fO(rku#&zifYEfJwX}xapNAG87P2HDMk(!huZwJ-;m8fGGl6{I;6Q%MQ
z3#ZxfB!q=0OZGNizD*;WnBv<&wV|X|>bacx6*Ej|iCMhl$DqU|k*LoPju6wVwNb1V
zY~*E=eA$3RzG(fK#BasEpwz+|s0#n?8tWrhSIHY)8oyD8X|bOatUq?BP{oCYv^yZk
za6A%SCwvzi{jF!P-@1OTD6j*EBTJ}e-T->h&0`Tg-m&Vh&>en~h8|w<tKLN4;1WS3
z%(VoIGcV88Z_(JYJg1psQu-sl&RP#zHA3MNZWx{%^c0I!U=?lqPgFAxSLaYp3SB}^
zt^v!eNoqn!_QBni*D|VtjNB+)oY7}-7rfP6i}XWA!AEME^1vsd0wEh;F?zKCzsTT&
z&=k>{H?ErVdB=@QxLwBrVM``6g9Ec@rRJIw0`jgj5VFztL<8^J)KsPE3)Bg)c5RKv
zO3M0sQ-91dK5UptE!(G%V4c~dUPzd6lo_HyspFK#vPv)i;S>yiI|YOeVI~8AxiG=%
zYpZ0d$<e}GM=3X{aeXW4y1-Cxg28MEL<!^UMjSc#A5V$_%Oju~+0)P82#b98xa7Kv
z@7BT8*(as6^Dkgkvcd?CU+##Vy$Z}%GFJT90dlRX>G8TW(}2er{M2J!@_Md2VCxUW
z!l8olOV)%x1xH@H_wV6+7m>csPnUA>_=2kl)=^R>0ao!x_R$VX=}9fMsIoCH11QOm
z<nJb!MgAd9Y3vr8k0EfJ5I}lGdt=D*`W1AJ#K}|;B!PIttrt)*{-SCJglww!(buXr
zq+Xt$8oP>OOxmTW;|bF<;D)hR!@7b5AdsFMP@1k^vEem{dzt&tkoZN1Tbx1SF34Nj
zCb$~9Mr5}8ZI@~hFKKsUD#anpvTTG9P(V2&A|K9*sxFPitlsPbjcqkAHicbUY-7tS
zDl8)UT(c!`Y0Um`E#kk(Ie-S^kl>md#D#`_8geR=Usr8*l7JFix$~Xxva~49ZtFoc
z?|rk8#Vq}e<QCdk2?a?q4D4~D7}<LTW(C{Pbe_)u(F&AY(V?p^;QZ8jEt$*`qghg9
z=b1VY^}g$PQ>gVKi7cS)pk~?!+B43$Z_P&|iCaYTZfh3Q&kU{m>J_m?wI^KTBUexD
zS&?-Phf@|M2w^N?Ot`^n%$g33g~?}u>0J;VO3!o4v25vqDuvx-pz}|hDz@JJ&_-gn
zlmS(Mo$*sFsM^Jm7ZmH8{mr~2h7{a0yii#BNM|TJVD6nqcains_I-fMSB(~>g(tvU
zMn^OVP;kJ^V+e1*{ZVbH9?FTX*+%C*xYNol>QNn0gvXw?!hxSm6;2pSCJvWQ`?Yv4
z=$t70$=9`gklI^I`90f)PB-tTg%Ny9pyRho0&(7h5x0|y+D#)#TO}MK5sQi+`jSMC
zFPwe}Y?$jnD|d8*K|8v!57IJV4<$|^&hncqQ(7DPxJozL&R<jE5XJ`;U5V&ffrgQ`
zVv81I#OEWJUl*Tq_*7@)q5G&o#-5GO4TlmneC~Tp+z2j09b*{5r3T<I3LccAc8rV?
zgv+}4k75LTo<$$75~=v<knP#1h8#N%2o+608fJNV+$N^7P>B-scX$N}o`vb<$$>=6
zCQhjxRdtP!a?U;N9zT;?PsvF=KqBtDK&C3Ob`4<)uHPuc-=J38o^?(T9$-GyVm5xr
z+!;Y~V_UlKC7mgFS!01Ls)0%m6SZhpM;Xk)Z45Qnx3@yQoXc<Y2H4pv1sU+EN_>P{
zR%FUZ6e&X!33OZsC}OGFZ?)~Fu=3Q8g*fne21r|d2@N>9)sFE^^buA#v9A%S&gqB9
zW+(#Y_G#TyU_F#qpOMRHt1R)Y!!Qqpe4!?SYoqUXEtK!q*G%+MiWOqJjBl#Z#nQx?
z1MIwA{66hZNdI&OfPfj@y@Mr3$SaBf{c}*<K<e2x{xZ$W&p_N73sG%|_*5$9Vei`~
z40fMTczA)8i>p=EdkxaKzFAVN9ngfNkdH??gG_?eQqj$d%>-}r_U`{cfdXQjHow-g
z^$Ax0y<S;{uSU#E6#?MC%N5S>B*af5o%6=EcsA<8weMD`fVUVn<O*oncCmc)N23hm
z>YhQc?Z^<KaLAiM1AO`oMj4!UU(3$eB)S~O+sI-to#X8ZOE0vEyz>lw2r(ATfVEx>
zGeFY>^?@WQwe7-r&d7-{3*5$g2oL@Yw3OHWU>96;X=%zhd?6(ayolK1%Usz4r<++y
z{&xH^_ujQ!HmaVRW?!!#3k%HrnHn=UZXDGb971dCT8_CZrqnVKGt&?GJlKZrjit~C
zE1iwjx-5AG`WaFoS%5!vPfqgkxwPBqfkw>cyAv6Yff_<ahRI1(l7QwZDGF0T6}ST-
zi_-QoQrf~5S_pl7=wK>LKO~tEpcd+DIEPR%>lsH?I3>YfmLY1_J^`n<dLMgO>jYi@
z8+_9Ll6+s^@trmU5+<wVk|{<2<|SV*t-K>=p$#WyS<fe}6TL!tS9LK32<47f4e_fj
zmY67^AHq}-&&wDRrOr0gN!zdd%5TLQ;zNXWv>)Hop5Jd>TUnk}(~F+p?H8jC9Qj`q
zZyK9-h41co3AzxB+CsGuDuNr+xYNGyT{Mx5Kj1D;ndxa1woFQ>@wF1V5*T7gREk-i
z2{i|v${AGTPc*lz%G_dT-4I)in-#Jze4)>y&wAHIlONN=<?Xj^>;QC>ij(lKdh8sT
zLGCeJvP-`ypukf4bM7l0#y*XtrUgpnRv(O_ejR9U(VVDZ9hnR$s^WriSE_%bu2G)N
z^YR|+x#{Wx?Z7#vPiOwlM61(}02N@X8?mMQ7zO{szjc2yw3N@A!~8t?8E+sOYJCC$
zxJbT0k6AU49PIj>V`r{*?xB64V^=ju{se^@HvKszx1IbQxMld;-ERL>prDNoZE<e%
zV>ZPKNE_tqlOsH~t9d`+s+Papl3|M(w-2u{4OZ$f%UAg8r#f|WmnX#=PB^itLE?$y
zd|=a%-S9L)sQ(T1&PiRi?k;Npn4ZN??#;ghD&K!3#J2|gB8AC3lVwRzUqm63(c36m
zXP6-Se4)_hJ#)LC&(jrcbPmIBiTPIlRo2OMa8(p;a}ODf2&?oG9t$GVxzk+T0Pa<v
zacj;_db1?Kcit8-3bV!M{h&@a)3^I$qB63L-XI{4QUK1(ljC<z+T|2f`<t7}7xBs$
zu28C$1``ydP__Yql6>#k*$<V^4ag<iPeM$qLxd}*R*Y^mknemyA^936E#A0F2I1$u
z%+On*^N6aIt@VOUgv3N26ejh4q*VHsaI4)j))!_Ci}I#a9C57MuQbR+*-f>%>g$cU
zlYoCz9ZY{$9RR_EnN0l1sKLK}0@f3S@KflG1mBU#VN2N0BHbKaUn&B$ip6Hjnaq+K
zQ6hEXfyq&|g0SVp4ipWHewXx!Rh%h<;4-u)ARi+q^T4(esqAYQy3_#T2pwyDt!Am_
z-IVU5>zw#_=k%4*e&5z9!F5+;R4_`Hv0F(6TaGlU>;pA)Kf3(0CSv(pI*53}Ocs8X
z$@`sL;uT#X95gU^#L@j|tH;+rZG6h_uTl61o{xZH_Nps!qJey0Ho_)Gu?ovbrli|~
zzQCLJcu%i*UqS2>#0uinJg;h%^I}9=Iy2T|x%5yhq!QI{?#-|QF5a^j@{GI>qq6N4
zjtkZK^C`DfzGn$3*6gT*u!opGC-)!nT}ykwv!WLC1SMozCk=~t%4!0pvq%+r=ItS1
zBeP@+D+Vj$1yF8Bv&WJZ=8a28B9~P|ene5m9PW-gbR__9E@c|FHW@WG{S81&($Q>e
zH^RWonZ@xoCeX>dhgzfv(IrL<jSwL{__u>6KU2MBN~1y#;+gj)Bekhmifx)?e0s~%
zX@^9DV@0l=LhysSFp=vWAK8XrZ#PiHVrCn&dd7PPR|lZZm*aYmAx;oCzpvXboY%wF
z^(?(6#0)ZH%6F0sgc0!{k9C&@iX$VcY0?VOB|hProz9UN&F@J&{VUTTb`15#8E@YY
zD32tTQz7)VhZq>5rY+OFQ!ZT)sE-uEhj*92+^1}9<WxoJ)iJJhlfqeE<jhpk5g2<#
zcT@Ih(1Xln>7pI|*oMEbSFe4oOKn(7L&IZ(D<{61WG16la@4Bp_jrT&V0p6iJD^B@
zsJmL_Ea@B;y(!la_O4PWH5-QbXl+}qu3qmZTiL5IO*d~+Fj_{T-n|9iJi?NfGdp~o
zyLAxG@OSg5pnbXu`Y6j^miEuP#o>=yt8gZiAK3QAuKwC;Z)^=lgME);_M6D@{>G#r
zk&%Iv2cF8$qqfqKv1G-7mF!XX{19jtI78x$0;lM0*4GSVGyctKOTN+@@v7!SGy(BI
zFb!OZ&qfQ&RDc9y99G`B`NJ*Gp<I3#rIKKE^{!>1XutNJkgDyP1yp3o9``sCue!~P
zW7-9$>6b-QiKqdvoL57m|8M-y&r6cXTWQi{rlGy8EQ`sZ2FAmxyd)=V^sy5lqtOxl
zXxPR@KonPE7FnhF6d=uEGXx7(lJ+n*mx>pUv%=il-=m}!F_*K{J2*!7*jyhc%O|+G
zkfn+^m(LSEbBHED4ISVqzfMJ&oL`=JHc&Ofn>bu0psdNHZq3Ey4(6_Eht&_m6f1!g
zDZhw8SEI!uB^Y)AEsL5_+|XXq#=4LRm!={p`|7aA^K>wZk|xlgDyNJ4O(ojB-E>ai
z!Tr$HWc&aX{CPMryv1p*Bz`dE8}lO8HD+4{y!~WB5#ZwvS^T--+W11w0KvvnkIh2I
zW(;}ZZ4r@h!sR3y2({l>p@eCgKj$Q`a<lhjFBqANCA{?O`rG6|B?;w!#Frp)p7RUm
zK_gfI(s&WxZAQiWXqU;KmPkR;hw8_5LH+T7XhK9a3`{pzt@xlja=sVSy@(?~Ne`vW
zmZ#B)?f2mDenUTyJ}gPrs-9j7T0PB6syCV8ELZ5OT4bhO?}%K0UbCk(2GXs2f-j{&
zD_z~Qqow68#LX<1HE+ZeR_AmJ=xz>9D;q@A-var+YS70Y8#NaRwRFdEj*j|$K76p%
zK=Qv)`oQ=~_nu>!LfH;yMNWD0_D<ydGT|Mp0R_D(_XZ3;u>-rDDbzvLlb{@>5Su50
zF%~K$L?r~3nq+3nX0@b3cIdyEDcCBfQTlPA)DFLdNsRxqNFfLv1Mx^%iYfeAm@yXw
z-^itX<nGF7cEPm1@(T--f(FN$Gb{s<hDbm<<3bp3qFg!HpYTVoU~wpB2$&)J3*UXT
z6~Z{5nRG*a7G#E2+aknL>x{R2^xgo});O?lcu5eUrqSvHkL3u-mz}O5pJc5-oRB}O
zsa|8}isv<k^B~TXnHa0*Xoa{<v+>GrN}3^s6~Yb1n;6+W@iXZ><qruma$UM6+$IG1
z;-<=x1r1YF&7ExQB7iMEZsz8N)LRK|zzFz6@Uhw!v)4dHPCWuJUgyc_59d?9KUOHp
zC&;NnAF&@ImL-?}LBTsM4aVIX>jfT%E|P9Aiv925gJz6<wCddB+X&p<**L4Ca~OV+
zAj9v?!ImmKi4dfFVqS_mYGDk7F~}S3IxZOHe)28S(wKQZXl9^2Y4qYT*`okOwGB2z
z04FBdmjlSMx`LJ2K`uqC@-H*}`J^YgTdK@MupvsEjYFwU$*7s2m*krzgt9_y`r{{C
zuuFgH?5Ogmr3!WvcR?H7z%mUw*dzT@Q4~UYVZI_9JM&=-FF&SYos?C~4ddI<=DlW#
zINrkspYPhlBi*V{?cSRbOaBIT@u|#vEU6z65p6Nj4iFSt&*VGD<^e?O)YO{qm@wj?
zT|t70g7C=95RC`fR|&oTy3el>J|1^8>z<E&|7lVsd_O`H1Ai=XvIm2ThG=Jq%LZDu
zN-E8rx!a(gl~|7*A(E?gdRTmNp@yI|wzNm6fUye8pPF<5utSU_jE2f5HAfUQcHbLo
zI5b@Sv|fl=>1Tj%h_OT7U^js%l2hE@YlmkKaU##l&0?Igc7#zmn7gfB{R^<e8<91c
z1IH&41@62S(cla-WU^YY_QGj+i{A!vQB;R#e8?x=`-c^=w}-5%2?zHTf8D;it;dHe
z*tr{$i>q#HSiV!%TdbL{H~mu8gAt*;t!$x}<D6)PcO=Io4tF8tcb5m8fZ!`)UYA7T
zteJP<ZUPC1+rUcMzSMxJ_uR4Pq>u4H8$3Er@`~;gWn%IM@A1N~_7$?S!?ndYNmPo;
zJr3)g3dLD0@rfPO=rlOwS0<I-yQ1PkzyPnh9-EXVqp3hZMgDMB);BeY+cn4{z9YU8
z1TaE^<@xubA4xWvoonW{`c7-E<K1NOfpq9AVgxHXFrB+ai`{Bm>lzTtpPcNyeVFPC
zfhLQ!=9bwe0$}tdS@7g8<O5ZbD;T{faQ2@>PigsWBh|y&jxQk^jR5|i?(}++>R+ag
zruaO%|E#0_VsrbSCO$wIVI~_tc9-$kW?M$TwSEOhKw`h@7%<BV1*1%40K<dm5Ga#!
z-FYUANZ1FQzsYvFQUr=UnMe(okjCNH9!h>*RqBdrz#q>1s}*rI93=rRghco6%$n?d
z<-KrN+Sw+CgP&e=W~4~<YEz1`5YnR6jNE4&Z%_Ux-c13kUx+10%mA#+jynG&YUB7@
zK!_y5Ob&jvtd~kN4!%Dc+fd;ldj|@<9yXKw+_bE1wj?@f;bZD}39!4Qe7t4Gyv?G$
z!SsP1M9*BLz2(t#uc9tnTt?3IQH-tY6mEtSN!3@3KdYgH4QtR#vrs_*Ss;}e@h6Pg
zyI1qa5Aft9_6a@|NfRA^YPj;?Uw;PP5Ptz7J2zSt)epTtDzW}rJ_JAXlbfJ>@fQb@
zX{>eFf(@4-I#^J4a}rWkk6t_Z3d&cc2LmYkg?KGkyCr3H(y-V3(}*P#;@>|eFcv#C
z98mXr^MNXP0p1Iwd8g%6Zg`(YGVDY<7;B@Q<u`g$XUq2Z#r4)YIOUD6OLwDVEr`lZ
z9>XLD6xxb%LH5M+gZgfpqR(K*Nq(Op%<|2^1z{a+$z0)z*OW!Xk4u*QqB?`Vjw4OM
zha5>{I{+%OCtm(yw)>^)H`(f-^erC&<{_zz`PB2%9W8W-H*MZc@9+#T)r#Sn{;_M3
z#8><K{;d=iDlKUeWcGDp**=yn|1S#o`3G=8N6ijB8_u)p9dewxdgG3|mr<)!lnjSx
zYY)4UnTXo~qrwVxVRBamkLDKbE2}QCjN0gaSkJzQZXcA+gx1C~WGK?f+s@e@<FxE3
zp6IlV<Kl#|GdDHrH|M*Wf`j^o+Na&b*k{Mb&$D*4UwVm1vJ@J66_3ztKafBP&xR{9
zP0VbO7#q3JILzxy50^b@gc?2<$e~8i{{FhUl4|P%sGo2C&c5&`_nx^zu5FP{;e&Q@
zyvK9Hzi|KBRx`gMOwVW6KzVciW^Iu_ULpQ5R0Lu@Q<L^iLV-s%a=&S=@AGb%ylqps
zFs&5U8LERqO=3x7OO;t2Glp~u$DlaLnO>>2>qe#I0kxfD_bF2CHQ4~VxATV{mp2Ss
zcV^g*u+qGLhhIXA1%_H!uq%V>l6afCZcHa;hXptYHY>a8ivr49CchmYs#Cms%!<v<
zr%P+j=tm(;=Bwq3g^sA^#U~}g>{u}gO0U~_Z{>bFtV>|n(~ZLKZOL`kx6#!_^w=IE
z3(l<<b5_S_iHQe5T+l^VT0g7XBY^v*IFqg^<eSN(Vc(g^VqG7B_gly~t{OHl-NCGF
zuD8S$ec-aH-xnMJZUa%9RNS4oXsYo!s|h34#LHKL366~H=i`w<#{!gWtEK*=!>Fx5
zLC)?b#^C!@(nV>liLtX~?70eFRi`im$*ULl_;M-T!}G{}SpE|=YK_`W^dYMAMqAY-
zxn;8~Mq|o8dtL3tQj4xL*bY8gJ5r5aKg3}q!Wwr_v7Ib+K||m>7Oo0fU*y1{sLQ`(
zXMpn-vXpl&RmQ3vHIq9JnmGuHbMR1Gu?78V{eo+b4>3UwLAj35B+9pQAbAkuWIy%u
zO>d5<Yy3{K3w2$_C9;emw&fITrZh^IV#`o8iOzP+W}k7-U){tq*#0l}n9pIzHCM_N
zk3aRlPQRE?(Owkn!OW1)6~h?Bu5J<%n?rJndzv$o%Zh-KuWnSO<_l?vr(6rxdjn1B
zwa{)KW@;J<DC>Z^L{+Q8-^;!GR#JvahcJlP1TQMZc5><j^#H2_;#78oP|3Rod|UIp
z>7dtC6MLNYWF$tOtH*w1A9La>i9V{QfpccJ)Bq5@Kr3o%9T`tJa)J|YJUtJ~QMrb0
z6>bL`;kkksfN_N>j4g+V`<B&BOB}AP-uiLdRwM0t`~u-XV-ecsL7p{5rNx}OVH3Wl
zQFvsKz2*eOM#Gjp6JB+>6&R%``hF<o@8??S0oP{-cAZ3?=S*O~P+d!AIpmS%qXFWm
z`vOBDhX<TAQ<98#gUEG28X@DZ1J9jm;9fKe<&jn%xr>*r8BwarpsBqP@ETZAw!owa
zMDRTLeb0YUd{)eFe^_Het}~BIhPOIT-(Q!ttXY?@G>Pdhs9}>7iac9K*j8aVf-5U^
z2Bs%}xHe;DsIfBddIm!|`6{Hau}l;(oK9hyxx@%{l4kRbtY>q4``2-E$cGzFCPXl(
zV}pkh;KX(9V=Rf<X_%#?3oqM{zZvOW@M$8lKHyy1&{;VzEY?<@q7rh&(VAdI)bY0R
z&)a1*UYh<%HE_vLd*qzfhSc;i@6ZGzQCD-_Y~+AXz~0<rI_Tufdmoug7SEL<R*h<g
z+|zgm3uBy-pmpOhPJ`H7+dLOv#r<s~a~VsKkIHNL)@wu=HF-NTX`Jiny9>P>MN>G0
z-VslvUrYqdGr0OTk;7#sz#L?<&F6zQjh!zW7C5A8vf0hyadzfFoFk1t_`oBh28DwE
zfNwu`v2!*~Lgp^}`&NJnFY*8lMTWSbw-q5UM%1x>cmpp*D=81x_!6$s^cYRuTbBA|
zjtkDqo38Gz{8~FawxZv6(|W!#!5|Fte1IPJ&S}8330<K$c7M3VkRN|`4M>o1w#1u~
zO&)^rKEZh79$C3Iv+<J*(SQMW9$6zGXVL2|g)e3J8{a-X0a0gqkb%o%M~@lvY3_z>
z*itWlZp-{uR0M0ibS^mvj}@*jt8)-(Ja%jOLVti?)T?xc_1XRZu=h?~f^1E=ZrQeN
z+qSxF+qP}nwr$(CtIOyzyL{HZSZD0BzVi>d^DgruM`S)TVn*c1Hv&@-?<kfMyJbba
z`ql)X1clzrrTcZmc@j}e@k=H1A!y92PoW}rH63Hv02yeXN14uM#>R)C%nL!<MW*n%
zN+?*12Ei~uWYp40Jn8zm0HIdW4EbjyG*D3Wur5*|hW<Q*Wy{d}dtuI#!)LV4Q$@b`
zcl<{pO}gZStBCG3?l{%12l7+o*<%V=RLMSlrfXb|ST0{r^wt9D{DOj=L{n`p73~7i
zbqe$|23~~$zyPrPc9=+iSMe0rqtLCfsN`MM^T~FI^VPFENUf(P>13ROqBxe-eW16v
zD1RQ(Rl8={CoC<XkB8@$4`h)(M@_HO2sCn_QdG|uq?ea&FFbW_sG~*#)_|iof6~F3
zWv`DTH&H#_P>ZP?m~%g5@-L9&zY>anzRUgR_=6-A&VTv;2mU{&e-MA~zx@Ab{(gV?
z|Iz&I|MLH%`Tv#B{xAMNY5)H_$NkUd|F?zKpUvOt@BaV43*c}4_rLGtPrC94@&7BK
z|NmLoe-Qt__5YvE|8EPeKb!yG{O`}^|F{18v-x}c^Z5UF3mvY1e^vtsAk5_AXB%5V
z?HWvgV}^n1otXa)4(C@M{upYt)d+1aJ0PH2(!`*6;L_}ZRKH?0ie^=>QLF|IK0!)Q
zP>`!O<eUANj?Ifl2gID3)8}oPGImwaHGXDrzxuXtk^!%gkTOGgI{EPSSNl-WOFF~R
z^1tz6Ed|eQd)PS=HrpXfn*EPyJpY;o@z1;~9{zG69SM*pI8XP7RpNt6lCqrhR^C@-
zeiO0ybbez|oSkoJJ)YrbA^h&p`@GBEuu9I_SAed5IFu!ft66n5kluumpCn)ofsNe;
zSa;geXOdoH&K%=Re1-;@&g*Y+qfQWbADhU|<QXjS@O1B)R%Kez6j5CH0piCm#m@zU
zoh*7VNI!rk&%_Sx9+TgA*kKIY5`$Nco?ykWV4G`~^!I;Fz1gsB#_<>iuJ;7hmvA=G
z$ESxCuL>}RR?sLCkkGlG^FM#7V{R{vn-W~jZ#ry3gU3<gM?cqtd`+v##w^gZ7+iUN
z1$UbnfI;Y$ef393SI%?XhOa^;pJJ{<NOMi`JjgSH>XXCDWW;E9jtaZp5AU>py-<$L
zm7I~B8iE_0Jzq^g&3BUiNSSJ$KWxDddq=y5aN+>0(Z~d<rp-;h?zu=%aCACJVb>$f
zuoA*0ZJWRw-IUyx)0WCHv~&4AaS|Kzo1Y6=Sssq&Rzw;E1zeG#k6q^2i`3&{Zz%0_
zO<YY64Bw!1349>PTT>a1WX4p+k2OCGbu5!N3%^bR*mxk}3d?k5BX5+g6f$tqQ#yHJ
zVbdGb1tkph_in(~aQgXBQ*#Fn*3%c9#VtyhO^<+=X0{m^a-Ls0id^G4khGGZatAQU
zLMGzKKNIh+8MzM~?C1haGN$Oklp^=t#|_#!ZtK%b<;?|IA*^>R1%xC^rgrGsb0jU3
zkJUL0To!+LfyC0rJ*pfyHMuR8i<+~aSjjz3p;t6fmVhG9J^fIGm*2>OYOTaq%~{r#
ziQeHg_i)U#wV|<#wn(MExKpLjF(&7=Nhcf(OE?u+ku3NztBk};^`H>FX5ox;E|_NC
z*VGJON66}!>Q!FrBVS!Sr?e-Ab17JJ&vB<(sYisFreV^pHuwA4r@`?S7Y^(oiry`R
z_QiQBp^_1$LV`?PXUBavFR10kFzr?(i7gNE$oi5)4!H$W*r-DvTvW^M3`l$Mi~WZ@
z60Gl+Mr{|$c2k<e3n|KgP|hzk0tH9%)#WU7j|%S=y8)or%Pn{MdSR?f7PK77htY_;
zn->rXyID75wV!0A1az*0S-TsiT00ur5oSG;x_+PJELYg*L5}!!lCOHW%w1`*m$?M+
z1M>Fohrk>Oi<m+%Qr5~83wySq+A&nI$mS69@pJ6Ph~W#YNgP(k+KTxglu}|W{a#*D
z+s_N&%2MP1jOEq27Cz_SG;IpXyuyA+9r=I{N6D?FYRg=~7Qt%Ct&&{8Z>}(rgbRL5
zd^rpK=GWcdVB3W9ur+yO=NSpWevB>W1_V<LGkvcl8rDd;9<B-?B&~-SR1tM@LNXPq
z;yqicfEhguLvz_&GnHl&|FR-ngmwzTqWm`V8(elag?byJ$kV-1QRybO=fVWlULh^B
z!`?VBxR?)-&fO8|OW^E^*K@7N2Ate#6@XJ_iTp<g?H7J=ZG~YY7rXWjIKR!*r#s;`
zQhxdsRSI}H>bZ7-JV5BzuJ+kM!fL}TO%09~@e^E`3ih5GNGR~2GgW4PzDtIVskoPE
zy{9bkc`ouAyWq{y^6Q^bR)Y=jmZ-(cN-GoZ0lh(hye3BQYW`zXUC>g$Rm)h|!&~ga
zA#5R1+L>ZGhmFA$xtglx5|c24@*D*87<cOe>z*nf_D-9R6ex#I<-Z3}$OKWD!=LCl
zx@IdSe#K6W<f&VdL{(P`SuuS3MJ7E6;@FlPRQ{tHa>mgg!K^&FsRfzFb2HsZhwDHQ
z3j0Z3%9*A_@E)-Lvni9w;O!v}JYwAxuI)4RbD7ACrh!@jZi-`5Is8Ed<Q(F|z)P=g
z%hzO&RU6<jh~C5nnCwblJ661f+cxbL)*agA(YK-Wt5j7GlykmS&bJ6N<38l701h<k
z3}B(MY<wF`nRuo+0yU>Ovo;hLi0JM|#fU0<5g_id_B0NU2P4;h{WqV{uss?5<pGpk
zO0lR4JXe|X<nP^KQn0T1=Q`0tj|c5V1y%p@UP{LbMoEnqPXk%=hK>P|rd0T0Y_%+$
zO<iuvD7IpM;r2`$&_zdbD)*8`wRUyKJx**rFko))%5VZ)1IS=U|2R^mN!|}KpsmJ#
zbXT6earYkMsPHdp_GBV_&=E@#V<lYTJTTSfm~(^(>mywbFBejP;ivOEwC6S~dJ-xy
z(ki-o+z-bxj<>=#Jm#hBpMLe{-33WJ9I&Fy=KwU5fzAIkhLF&e87*w{*aIk$?TJNO
z2_g~{bz3CC6|-r5B7uVajf{7SONdO?jEb_=PucXsx;IUyTWN6>$ge%CwL?E94{-JH
z>!Q2|CSzUM{JUbc;&WzKH=7EPt8&!?{z`an&QK9Ze{Jfa10PY%6t_Tk&#K29*t5Z+
zRCr;?<Uzn&4OCr$`XifT@s*3lz*7xhk^=|gvQ%)ZlM!_TocqFC((=6Cb75dN5cXsD
zpcvp=vNOL6VrZ&*s9v$5DP5KEWbqE75Ujb{i!DaDFH5kZiLFw&)0-tfYl^XCddgU#
zMM&l?1^G7#MNqBMHD?4aNzqf<F@UIIMU4FEDg6tuJ9^g!ZJ90_Zrjq80~_$+lJlF7
zy3)?$sP%4fI&(=sc8J#QW<E&a*AE8fVt;|B6-x5&{DIcr+P$#Lxpy0y;Xl#(xS6~<
z{Xk3`xG{dMgCEPT+WVTe?3G79!^ZK4$*aGnRd1%t=wwBsA+hxD6RnSkR&-NEu~TO^
zz*e!6&p&J(`sp__fHFPSHW}f-t}yIgxL;pnkeN><K9~R}m6v#qAkH(0<HTm8s)D>{
zg`GG;!ib~ErH?VNO#SF4FwS|dW&-3zsWYo>9*3JPQx6p`cM6+{RYP5wW#fE?zoxfj
z?=RHuG8;cQ9_|mP-J@`dD6?#dqoFHDl+AHYBTiIlF0PLn=w4_H2D9f|<tW~<($iAu
zpn5&WR}fY|aLSAJG`l9u+-l%UU@1DM)*rLY&Ukg%wBJcSUq;h+x-l3tWWUst{+3@D
zIB9lq=%sC^mjrSf-{6Ozttkr}co*-uzzKuVh6fjC5?Lhmly6V{Pe#P|Z$|WgB&2-&
z;I$mT)m45OPQ~e#{4UYLs^}!lPWC$Io!PkN(clHeIHTk%z?|Q-L{YQF7%R=061h^z
zUBTNAy=f-S)f_*r@)}*o+WyHHAPa_X=I`ltV(o+I$zIY}4*tnZ2<Mp}I+3n18K|X@
zo-ytFb4ZoRNg)X?RJY2GBCX7e*Iya^_kXMt_}4mMdBRKq{xD_4A&50^4>L2jme9n{
z;9eQCAZHf@mxr>--UAO@RlRHvFSmFrHRklaK}X#N91Q1~V5NGvG9lhLOyM}nI2Nj^
zC?=zmZ6824BxIKTa?uS%)Lc&h1z%Lt_N^AO81ioDR=Ch11NL*2;M=uI)*ux`HYPqY
z$`lOHQS8yJAB<g+^P?g_EF3)YTo6Cq;(Rudp6Abf2i*Z4r_4%3YI@qLk0O?1#XxkB
zpP`kZ(M(#9z{9kBXj5kcEf{6E;}8~b)AwT*xC>U*lewQuz<?04h0QC5p=li;$oHr{
zX%&~$yi>cKR|a)gItX#$u|vr3fz7Hfv!rM?HAkzScu_hgRhVt9lt*ML3w&vfx3n%}
z3w0THzwseH;JYNM7VUJ%HMfES<-!KjbbL7MOTk{E{clA5^_~V#O9yn$`0V8y8I($q
zNE=bhy1plReg-qm^hEqd%!(t~I!xxC7x0WWlsX#sKSKjKR(I`o-WHk@yVIDSUMD#A
zIa=J#pwQCC&KDQ0VH_``as`YJ(0eC;mQd*QH#Mz{s8R0A$`A+}9ftJ1p4q1Nf=Ah=
z$Z=q78-EfM-WgVvo1|&A+C{+lKyE3H=|*(9_Y{9C2M>t(*vV)-_>5GE${0GlrAh-~
zU?hlCu=6fDG6f%WcJyP(OjZ9-)L=I1>^9L9^VJfhsBkBWT2Jv2L73u}4r|?qhJrU^
zyQK-c58Xy`fvVMb;HQb=w*$lb9laPchg3C9pV2}mW+?QVG(t@i7Bs{%)P~K>ZjhVG
za4F&#bsfd7kyN#w`P26n<2wgsDRgC%Zd^(qgXV%>5~|NddVv05(=7xf(TWRa6cQTo
zD>mksl0v?*N{5=bhA?m!(N&kHK29ou4x(f9#;xkCo9BIW!oE&}6Su>Ynp)g{k9@65
z0E&7Y5j=kTIrq^3s(hS(Os<*UsB2!wUWOVXO~`E?oW4`Oss0Ur2@$|du}b#0B<q%~
z+4?a-%Fj-}_$<ZR=8H3Z+~S`Xqcr*PlDD4dpgITX<2WTYt|9y7>4@J?hmPPw`1-RY
zH_BP}>&cGEFauD><rMBgtxcU|2~)qQ<G^(y82z{~_}dTaBIKyPgCZ=tM=&sE$^Y@J
z|4-2-^slD@a1dq+@nff<&WeWl#k#Vo*tEH^98~s;=M5}aAbGEw-{9df%_M_#@%WkV
zb|&?@zd2RozJ_Q$`~T;TBLChI*o-h!gnvfW&HA)@Rqr4=6WuQR@}vLMfOqjheh8z3
zKW4yRXx`EX!HAB21ja!(f=`UX<!Ur-jPo)>y*Vg{+p7aou_Y^^z5m%4g-W;UU1$@T
z&0>FafC_TgO3%bSdkC8Sr6WI?1_+slZk;B1P0)jaPGJ)QXv$=l#*1Zn2xFNVIN#Rw
zR4L2BsL=b#HZcjMLAWCWQN6w!^jBMk9qdx|wiwE(b~XkK{}xaQyU1XER@A&Xux#P;
z7u|GlksIrL?dkID8NP3|kvp)V{iYwwk@GTi9qAE-%3aW1_=ZC19wL0N8PTn#H%{F^
zs;TQ6KS}=mHfJugaa?{9u2oSzn$h}ffgt+;Uw!SDMpwRp<wo1_l16gr=yk*(>s<H@
zZZe}=WZ^XU7g}pXb>-Bwo3qL~v>US-Iecr^Nj6>h)28k_@UZ>)8l)!bo)sYv8e_S>
zo3lo5=6M}PB;U~}F&&T}g#qFjNJLT=T~V-2w+a!>HdK&3vhOXVrkRB^!l=1ZKmO(m
zlqrQ6)Wv;(CdXW#oC`L4xFZ`;`fSAG6sqJn37fe0)Dk23ZZwj~Y(Di@6B6daYE#ut
zXxKS8Oo)AgG<m@E;Jx)%qPG0_T)ehZcgKMS$4%!pLn@y7V8!M^n8cJb)AdrCq9_rH
zRki{y`nQRu$gW7OlKQMN<ur`{luJPPkMxTj@FPkf-B$`3*hNV0&aOeYS8j`*N#&BV
zhIYxPHEp^DfN#31fhhWyecxi-Jqait3BU+n(hXsh6Mhk0n>`oCQ=!mU#Ligv4gHcP
z#~N2u+P#1@oJM8<m1kzq61@p;c>c%8P;`HFuE4aDa*{&&j`}b(T&iWkY^ISz=Q}h?
zwgmyC)I(zBh9x2r;>PT*%nM|Qxmt6N{EgPmLM3S>cR$vhNegf_h3U-Q{IWQBRkpeV
zhC)`^18(!qmH`kMbjCB<%QuHwhW)G?;Q4Pnz5?)ZiUM7-B}7sbhG<zUUaqu@pS+7n
zd)wp0{h1fiKBOG?yQr4^(()CK&M5oX-lS4h;mOIcIgncmZ0=h}cRe?^?~agP<SB4{
zH@`^~jfoGp6GxDDrAmio06@PvLKZ?7La7;9wYGh11{}Cqge!2OT1+}YR*mxtj38Xs
zdS1#FrX=oz(*NUtV*ffIzzSie7(e?#-W1--%F<pIx8gR8)Z2?Fq-*;?gZ3tSjp9vF
zxSl*$xPqe5^gAn0lQAGhY160rKgv;^sLPOZ_8^~L`mEqW2{2uYhP%g8*;MZcIvH5f
z>*q4z{qQxe5kMhb_V}iRHfzDl_Npg0pUXfm6B!Cc?FmgW8Es1?<b=X_3v<-~&C{6%
z3Al22d4gQ&P}2`#otwd*hNyn;z9Amk4|HN#ZB|<J#AiH=qH3%&<}Hs&_zrTw5b({s
zQ4ay_C15mw1(-&f73Y%%h=XI%qR0Q$NJ{+sxFB+bnG*bqL&M8c3f;Kn6KGv%A~n|=
z>8%BtNx7p4egtZqbPXA#!o-+sdyI6kefG!Y&bUAfIy<G}LuJDEP~_Sh%4Ai6<?eO0
zc~hpJIYFHLb6G(XT=c&O>R(m&VjT@qUro`h?<~$j32D)_v2^mjcXJcAb1Y4r)14A?
zLHOBvBxDx&OwWA29oQ%tl@iJrZNSK%_U0{;IKWnb%0XbZqIMasZHu*Nq=a>3V!=`j
zv)9dQ_sqg8gA=I}+9-Ey_Dd!rtw=@$BNp)xg6!THTLA6_HL&Sc67dsrBk!%*w7W_7
z<k8|Z5~%OdtgqBtP6zv9S>bDhGLOXM-AAIMpO1@xeV-jMjCZYvQC;r|TB=y@n?#oT
z+4V=;4xSgU#Sd&d=(MJ;3J953w?#=4pApeXG6)4J)=M+jdoOgaPiuT+2>GL8EI|(v
zmxmWA%;|b!$k-QKp@E5c-@%B;nAh}54&Pd}uL%pB9MQPSFlRLsG#0J+VXn`H6PF2h
zvP4|6-Z;yeWkB!VtLr%=qeMo>-|Dl!vH(SXC&HzFyEZVw98G~7Cc#_cIrDU-)^a)=
z=70}oJi0a;r#2Iw93tqxl<?Y(TGUNu3KW`pzGic{e8_p}o}MQe*cFlF9nVeg)zX1|
z2gROVvZ1~HIA5zeB5}%O7>JLAsQE4o1HDEGt}fb9tDR>wIq~c~7;Tg(RV5v374ZwO
ziP0q%`N>v1AGocT!t%p5FT5{)ZUS9KXC|KOs&tU#<V=TBIU(bdQLO_Je_dE<z1ypM
zy9|x24*c-vR60&jpAXxl;Zd(QC`YcEWIV|urXwg@2k~wTi@g0vko2c^7)2ISXufY{
ztk9wr%nKvMyBD2DQK(3*QFPKFmn6^WMibN?BI0y+*-$DeSL?NYfv~ITkhaT&48&z+
zOxRGVnncw&o`|2l)mqbBYe^BHE_6nx0(UUhR0AsQKSkts%ySodBOrC@BSsO2?Abe+
z?K1TcL&$k&r960uGEA%R2phx+;;zNVl#v~Y#O60d+SDmC35(|YPMWrP`sQiZj$LK<
z?onxnQ<GK2*}6d(d=QqnvOUEnayuwL8ew^{fX~H|IB!)^oF%EW`l~j5VHpcW4UEy4
z1;&Z!K=1_Mg`5vmpqsA}PUTU&r(|%{hjJ%8x_%&sSv$62$7+2R0<yJITZA^Ofs)R{
zDeWhk4d^eoBQeeTnJXXb*!=)o$atkkezM8A(84&cidi4M#nwm_Lf4XZo$pEut%ZPy
zaOx$}181scz~V?#w2ae2dvo<rG6<^cx;?&qKJg!c%(68TJf;K?fKmZfMVqpo^nRH*
zK{n=y+q}e91FRt6Y`$ug?-hkfjFOp?*17$@fHRpy^5Q3K$CH7!pkG%h;-ioZM-Fnz
z!?JQv#&UW=8fbPITk{9p_pHyZ>U5aK57J$m)mSbzhWc&xjnO;>&r{X^iK|loZ=j(k
z%#`9E!+eTBWLat9VVq}o6%Xq`35bM9BCGEWjrSfW*CI~XI#@MQ<D*FP1F(P=>W8Qs
z?~AvBgD=DLqH0y3e^VoZ-O{m5D7}UyyC^EyeUKDj^+>!9QV!lzN1d~7E=l~h6G%4R
z_8%+y1eckl{7Lsyh3VB4s!MZY)U;S64PLOo2eG9d*f8qMeYv+D?)P$(W~!Iuj;<F;
zj1vM?o}H|qy?s1C(CvKoLH(J3>_KtK4?xOoC<KQ>a%h|~4lg?bv#)Y-N~E9(b}-2J
zmZF4ZeE%ta7C>ZjQA^LhCprtrF7o>2yO$yb??C)Sf`0cr4Tp_fw__Aa1&SsKLhFya
zBoTQ@{a`OO<*~$`8~$~11*KfG<%R%&_)g&4AP}L-F45KHO3A#9N*994ni@~jZ7{l;
zQ^KZlNciFM#*mt9kf4<YPGuA1+)RU+fCVHto|TlHPp4lJy_=gnU|~PvFia%wfb!r_
zu?Br%luuG2fhO@Dk@QE15y)*~YYty2Gzh^i%#DgQ`x%h}fBVh(NE>a$<@5?&bkdGK
zVH-(7T3Nx(V<RI*MpswC9gwAB2PD)L^FI8LS>$n1_O_NeS9Fj2baByA4xhPnz{rYi
zCEHJvHM2Ong9x6Ou*4uoa@RYVkHO;Xg|@Tay+6*>ximKiHq=o59mmv8w#Wni;q!Sm
zfx@lkI9NUb2#C2}W*WDXYI6PCRIh}dGlPbB#@RlLrCnNVCOB~Q`qADd@cyw~7C@5^
zOnZ9{^SxMcS^4+Jruh|1e0Rnhf8*|jZp>TbIYG0Y>@Y{LP)8PvN!R0O{9)d#qja=S
z0I(ZniC6npw^R?Ae4aKp5(=58=J(?^6DEm#*_SfPRP;^qYxvy8hs~<Q-V}!sAZ_aC
zaZzTsw2O-&_X4Wc+IWdWr0>P=?5R}>8fK*)5{r^!t-&Ks#USX&Kne#Di1dddbw=In
zUe$g1qQ)RlM&3&U6e5A;fk|ME7%bha%8+{ZB%tltXf&g%Gax%<47Ki;0ofX1p&cN9
zD)_KG`-cbtbOcc)8&q0a8wq)fHCI`ucoX&C<rhEFZhvhNobVi^2D1AriNQ!JN9sp+
zBqhU3^Z$ezk%~*mH%NU{OJUd6L_dSZZOze#Fb$o9?AiLEEJLZ^aj3r1WJllXA;KJ=
zZ;Js)ant};x|)WL><F6}NH-!gzrrrt9hWpBew~lH=zP#5S(9SZ?^r_V*mY*sl}8_e
zThh8l7iTMVV^lZm8tnf3<6O!+9>g264WYp(`nXCmezBa|ya0(k&9lpVUPCE4ch1U1
zCPd^1NOcV@Q<%DRQkoSg-aYo94+a&Sy5N_-84nWx7xo(q3ZLO-D=yISTi8^6Tm5|d
zvT%uKAf3rNPR$_p*n#dUG<!djUr4Uj^gnIN%XJ>Z|63u+{2NFhDF`!V_^X><3)gq~
zm!6G+x5$5@2J4!jlOHR@7?n{do#M^9w_RW0h117J+7{#8m`|%(k>LkxS7;%Fr&EXT
zpa3h`&d5phbg{fSlSzxAWE#U7Cn3i+sx>Ubzlu;=!H%vg&`CIFs<=(30RGAlTY0*S
zbDgbw*iXb)G<T=oYk_)@poYk5UGlx(aTs`2tPQ(Rm?a9NA|WN$4=+AdejG*sbHd9&
zquQ?~*NShdEtaAy@<&^z3p#68TCi~-F<Rbm6PKRxt0kb7lfsIjYi4rDY<qy_D~xMt
zU0)LLiC{~M!~As2SXcvb!4+OgFBSgWKQi$CVhNOAix>zN`L!1`(jvF*?VkE6vA&9v
zG}gWWrG9Wb2?1ox7Q#rA%yxGGAU;*SH%9nIL-5|X{>AhryNFIFox3iaZfpo!C}3eC
zAX!{TW^0@NYdP_dSbRK_H8$sc-)YNU8uvJ+3(%S)8ZOgX<YFb-5Rx-K#+JT-X5tQY
zw6;36g=pOB6CqjWw5~XK7-VB}ep$zb#wQCc)IwMOi$Z?jM?=lKlq197RB|UlquI&e
zwt>t~0Y<u=Er?w;z1975f-9gx$x&&BqPQ3sJ$Ny*G4Hetd|!e<xd3pf#K+y#X|e0L
z+CFt*7*1z9M=zuWm<s=jp7it0d`yj-Yghx&auK7Dn%<N>n&&xb2BH-o4mfZB<hZFz
z@R%BWE9ZI=eP2CWCMiFP>2~u#5dp!DCqmsu;rZ-W27882(=AAt1N>I_y1g~FhK5kZ
z-vR!T?RaU409NVQp@o_4X7CgiK-_!ib<3W9ni+4aB3}8xuM_~8{(haVJHl)BQ7NKP
zfn}F6jT!VSA=$r#3@YS&jWmtU>3&?c-sKm@;24}WPiM&*=at1OJuJkbX%KVIuQ)JW
zx4c;Ob5roS0)2s))Z94n5f!9N^S$T)qhMbqN%lW?n<WLM(C+_^ap;6OU<81S>`*bn
ze+xJkG1WLuac$0%ePklG&<gqb)d4$DVK`LIx=yDLLVpG?k6_v2Zyip0;tcn`tNECh
z<AnvduUsDN9b|dv>~5M*->V*=?UmXH2v19!@aW<ddVRS4xcZ%KmC_Pj8IZL+k9j(%
zC`@V=1o?b_<a|334N=Ba!I|?qK}QAHv;ZM(7MV|50#%mR=h<~r*U!bCM*Dq2dM%$w
zZHKRafK~W>Q6%dxKtS-*+>j^9Md32*(-sO6m{&VuW0_rD=RL32Am0_c^_TeUgi<#h
z!OF&?dm(;Urcd$hl3?R#s6V>AJ1y3oRTQ^%qWBLs9(hA*lTdjxx#dw>9|p1xDYy;J
z%iFa)`EPG9R7cWpgRF_1ItJ?#$V24xM`^sHNh;JhA|*}Fq|l{QUP>=QpY|Lk3fL?`
z!b14a?({@fwu(si5!-3(pqw5MK;TJ&Zbozy4C3>AY%!VB({7B~71?WLcKqr#zbR4n
zE&;#FI|qK^s}#QTo~S-Do;Vd{A=DO4<rY^BxA;_ZAn=^32I};Tm@!jYcryxc$n@n1
zhA7;;=R9!)6Iw-|cW~ndly*Y_a>2)+Y?SR@`*|HkKDNNRqP8!jc@ewBL#aaV2}^}P
zu2ZO=R_=G-n&nS(6Bc!L5goC63xUNwnnIuOp9Vo&d;41mu^WO;knOP8iX?EqMOBVD
zRMUec+~X8{0{rAu?80zc*J#gJ>$kJAeDI(z^F|0YO3o;Lh@tT#A|}Sd0#OXrlvgs<
z4rD{=3kV40z>vWke9g%MsOIdG^B1y}Y>m<NcAteIM086cJ499g0+AH==FX)jd<<T}
z3n$|_xi+9Y@jl5zhb11cLcycLjkRo^gfC;;Xp8(R%&u6s`u-efi)yP3XT6mM?Djpk
zls@ak5bJ;nTQvojRY1GLPLKoxrUQi{^wnC4(k57419?-A|6F*#4$K#6Ov`>-i_Rb;
z14EmuEh;cZ*44-Iu?)SUW@m5N>8ByWFxY;TKVJE#AsH`?MK{Ftk&6S<5>!h+qM)>l
zV})BQG$$-VkKJsCU>1FvggGXZa+a?bo-o(KrjMQUTXAZ`ZBP`9{a9+GDG_x$oQ~!X
z=iCRSeD`sr6$lzE3S_xPS4efnY8!yN9bK@iK5jpSq>_;r$X#Or)+zceKd}nwXn_q0
z8MyRvKJdDslFN52#Vxb*O3{>J{1}SL&Pm3?6iGAJh!AiO0#Zy19W4Mu)^14(*>>ML
za--g=a?sD7d)K~ayAclOUJPl62|4i~4}w?jYV+m|QAy(>V1ku%DAxM1Csw`;j5(0>
z9$P3_VsDMSveg1r2xdA<GS^KPGss6w5hTBn>>#GQ4nX8k4=w`Wi}s)CCL1mRx_7*N
zaBQ1iKS#C<KW@?Bkv=drQ1g*)z`zO4FeB06xT0&Jzt{zBwyonkm_Y+$Lk24Iqp0^)
zMpO@_Q@-ALy9*wNNZXZ3<cLw1AX;^$l2_#9We9GU%u7<LP|#EnXyg0M@EPUm(+)J3
ztp{yz%Q=TQO2O6IbGP{pHU%RHCF_dWr7SuMtX&52n#p-DJ+fWj;ybEpOHSUFLO1B>
z)$?QZ6s|}n0vT4}ouyo*NvvW=9YQ7ZZcI1A8jo$10Za9*5x|LJa1dkVB6ueBZcwN@
z(mZd(R1Rtnf1@?W`trj|*`|ApuVfj?;Wu!&3#AJF#<5$yy>Dn4Q93(d7RaA6*gmeR
zL4)>bgeYWXoij6<CV<C<=f~JWIfSVmueddIe%PBd{s}|ua^84RxX;X^F~8Uv-BBsI
zlyAAN)6`TP7Y@SX?ub?enYUBPwYqS?cu!o#hZMQmk{n+%76V9|+@eAstMSX4Po+WW
zr+nw8IL*azPQ_dGt2~c;Rhb4WbQhYdI5#-lu*7^sCNazcv2Ltp1sgmUjj0O73?PHj
zNI2_COpb_p>k_0(@Lg(QLL#FbsAV3xNGEfNJYQ@o{_4=-o`Y^%p}y*5Lck-aGcOUA
z3svKHOmqmWm6P>v1lV+c<vQ1679s^`OB2$#qeOY#t|<|$L@DS_%~iUR=Plm_z_w7o
zrU@e(9rGSx=Lip<Rx-dD$|yBb>ET0%V{a#JUuGM7ldNa9OGBf|RW|j?XO5P-{=ZU_
ze~Qun9DmTS=6|II|6%`sPX8eOe_M_G+5G=XjsI-^fBpZ@=KptE^PkP%_iz6HzYE|G
z%K!dKP5&4FpOpW5{q_I<T>yWO|NoU5|1bVO$^ZYhn)|c)|NZ{=XY>CX|Nm_Me_Kub
z+5G>;|390*+dq&0f47>D{r3+#fIPxXS$_F^i0#R=*=q)t!os4y+azdD@yh}nBagEY
z`RBGGO-@G83B~8QH@=l$w+QF3A}FH3KS&TS69ZVVWxkJkNzqApg(PWzK`(^I*5SB6
z&Dy1F$s8>cnFcO+2U-8NT!9#zA#+feJ3iq2a=Yw-9d&UD#6U%@Es9o!sQcwJ{iyy^
zT07B1je)$#ImOavXbl9{ODBXhuPjoNujN06%l~UQI5A<SJpXU;XmO_Fq<u`>R^G_5
zl0<<?IW%T%%lu#_i)$}JSF`Al+-5NHJ(#oKT>+Ww+>sbMd|6{IXu|AzQT8OOElYFb
zDuXnudziA#D8du6yqBaqeB5s?nho<Bl4sE@3{3l-`X>s?#&-EKlE%*{Lzp*qiqguV
zCnzu3WLSYm<j9OMkE!0^@UYsEjE2u~UsUcOiJ>~+J4ACaS8Rx-4_&pv>BSDoM>3OQ
z{5dg^9-o#~)&xhWKfa@jiKb(gZ^z6CQ#fq*n-S5Ny)ch@q&NGH{rW<IJn1hTv43ci
z?-1b;SJ8X?B7|O8!XhD{7-DdI&ig<YqBu9B4NQc_oEoN_8f`>CKKb!=_%Kzni0_>$
zmv-xiT_0tDaX1DoX!lz-qv6Yzf5#(HbwNR~{o$!lvHQbjfVvKqnjylJ1*LZ6t%s_q
z%U9eG#YyYl6C}A!+IcD{%qmSGxOMu$M^Ath8<}`hkOWepx-H?WJ-j>M^krcFAsDbC
z^39UDf|&<FZx|BXkeFHI4i(oonK16nYeYLTt)cJz&XYcR`ep|$zUk~OaCQ8XY~w(V
zxv;Kb9NJ(abIl;zm#su@vIZksn}ZG0a|7Kot6qqb;b!xY7Fn#Q=dycE<z@ug-(Vrc
z0KbsbQhw@=_H)jh3PoZmWU}_>_@kCuQKM+$uCi_xLCypjcY)FebSt{fiq3D?%G^#z
zveFnRX0ss>E4`kJ#6w|iyfuHI=g?nk%WrGdrW@7p_B9HG<EG0@Kh?}@xJYb)#-lDd
zxPHQ8brKGpwnQHq8D27mS1APOS#XBe!k_jSNeydp2TkW@wa7&*@rbu8124{K*!lL8
z&^x%fA0@$9*y?aCHgaz1P#AjkS{HplbO{&d!SB1wZK4?#ABEPmt6G^a->;344~*9o
zYiQWaA23rxl=3~HSJ4lyCS><71_#l$2}LS5gcuG0E_4U-p>gqW@{5?~hF(g}GSZci
zbKXMRd^1zZ61AzFi6oE}8xF$u-QzTY;ml`We!+~(Bc8B;B2{5m=+)&hkxviM2@=Oz
zJEnolkr+7%`&(gX03u6N8$vH-45ZhO>3tuBv3QLQ=!u-~Rz6R4D8&%XzeajPs58rR
zDM_L4JplY@f^vkRTfCX-WuT<z9+DOW0rwX06%KzKIL2bcYk%-c?A9&j<(pwEF}!@q
zFAgv=+=ZQ&GDudwpXUi_J`1W1J{Z$f)^sG9Bnp8`u3r?iJa@xW`&tVwUiLu1-&I(S
z8o|=c)u|LM5gV$O)u|leO_4nn^7AZUq`iE-Ub>>ZvT{lrbaTOB+vU9BGP9Gvys>@c
zC^6N{+gDFmj#}b#q=EypKl5g-&?j?}!DF#9vjnUb`mIJMg=QOBMP13Gc9@V7OC%T?
z!@dtbSDJ(C@CqwN_3W>0<&YbHrq^_}kiFpguxa5^h^Mr{7o<4$8rH1$G>UwKdI^4-
zXHV2lNqNc`<k%lFn=qy7Ck#N{DaFE{{~%Z{?Kp!X_slgi>LO{KV|@p0Vb~-#L3c$E
zIZ%s;I(C1InMfgJN?7WS25|wI0nRg8m-;h>)O?2n$#Fd$_vew$-i{#6!~CwuV}y%+
z*!><^iesTFMB34!1QWF#7iYVcNk6z9k%)>VhVUZp?iLncO@X8)K=Qdi`1Tu$3Ib5b
z%)=Qv^6aG!ky~k4KOb>7kjwqe`<be*+;)^X(EQ{Ff=mu55(NBGZ(K!&l?51jEZN9G
z25jpBoVhJdiFb{R3aD3>o)wE7N*_rlvL1rVk8~Ti*%&~gS5Ocgm9;iAQ{9DO8j45j
zJgTRR(t;UqmaNa9{#gaV-Hjv=AN}xVW21sT+1gzC*<5T5MafdQ8o3;KpAaw~g}f}6
z-ny~h;v+a;KJJxhM+cDH;b0?lU70Ow%v}Cb74Y0O?`eb$qkanjpO3)1BWr^x`_H`<
z<A|N#$ef#yfT$dk3ZXYq17PkWF{dZ<I(vYrno9R>+)>)3WI7KlpEB26V5I`0`K>K!
zejV}L9<-4caDr1lylp?Y4U@l|3e0D#y#vP<w{$B{Sk^%*$D%FSWx$gN5AYl;FT*dF
z9h8^I!Jqk`6ln?uu`Lu|xqYO%SZSHYUp#!070-~=FxGhd_^GPst*clS^K4<z7#A>W
z`xxzc9n*h+c(I%PzVGA!wEYqxnHG!F0Py3?zABN8A&){8U4rT#vF#%8YUXJ{L1l?I
zrEm-0z7JZ!K@n;~!rE<T%w9SvIjs>bwX1E=sVt+vB?`&w;n=kQ5L-D7kV45loho~5
zUIHW{i3zc;!Q0Zw?5a&Tym<7_t{c`<75d%lr@}k?uy_dfrnEg~Q5OzLxIzI_7L9kW
z+{%^L2q-T{@PHvEY5?sj1e=TgVdSnPo|BegMKRfH`mzl=bgnz&(T0WapUqS8-^~-C
zgfLT)UvWO-H0?gO3(Z-xBfHR~aaq<=Vtr!H>8Mn5gN{_onZzNRaa;z6wcwGnTH7)2
z?rPJ~&g)K(0d?hN(x<FVBWwHwUjj9MMDi}howTHf3Z5?{#V1<E29Br(O5Boy7rDv+
zNFBqFgJ7jTPnvj*p1uk%z^s=s7ak-Kd3>cGbB;U=I5f4-`&H-6Ox|+LnT6r?<6+^&
zdHnv~uw4<u^WZ<`EB|XgP$*%hGJlOG7Z@oc>(9YKQhQOBltXgPRs0d=J6)RG9$m3d
zjwii*X#%%cdXpBqy?TAZg;aIy@)>W&q1@+I!aY&0GgNr+O01jI#qaZ*LX+}}k)r!V
zFdA|rXtNhO4&JaW$xe61Z-S03WrqG$p3S&504YzsbG*G}0J$jJ(0equRQUO`9Elzh
zQ(Wq`REp=2IDKOF`$oQa&%H#QGxeoPAHH@BB$|RM6o^xyrr3l*UDy*ot>I`wMe7I4
zEkc+jSvjJ5<3lL(-Tp8{+3P?z0FB=V#{2<AWN<f%krWFSn%C@`tn51V^<qY&yL3d`
z2JV2K!yX8ng&hpL;34vxyXLUBZqU9VX3RO|@yR>#D`NisOSI7x%plJvSVtq7so09r
z?J?IsUL;$d*lKH7_f;<Nw?`P7%dJ;Hb>K{T$@@qMr?%U!v)luG1O+=_v&G`p2SytK
zW@qKmJ5asxe}2vf$A5)Z*agtrVGkyxwVBhs+7`t?{1Zz28&2W<;&#CvirKSpg7x^A
zCncLNHsx71!^HyVd(op{*UR8q>&--ic^h5p>ynn9VW(a_3Bbm5rN{*a%GQeRawIKs
z%DkS~EMGh_&gu+L<3`<m)`!Zp)O7l8`x5iZAycWE%8ran;i9o%d*wAlBADI*4JOVy
zY~h`=EJMx=3$J*Ri%-HleMI3|YfxTVsugumcbdI~A1k}%KtGygHw2{Oi#Yo7L1B97
zf=xv?$MlB<x~+9D5a<H#W=vhUbs71`ejvWP!suMxM}FJr3p3pW1aoAc*_M3ouwMHQ
z;mfG8(wEv@F)v?mOc)H3+=`RkgS5%kc!DfnQ^Al~(>j%sE2znz{AYct{<}T_H3&0R
z`NuH!Qmz%Gp{`e*<fq8A?x(7LMm&?L9*Yd}yHGW|US1hOlO-kJDts+krW#30R;`|~
zvg^&W!Z1KSuk2pN!S(B8AfOizJ?PqtgWn|$1r}Ou)tlln${=*&D4#BWfZqv3m|k+g
z%Ch>8{rDIl{=5OwR>F|bFqGNO92~#9ao4c_*<jk^G-mv3O+|lXNKEPMS^EX<T$rt<
z9^Y1zFq6*8;(Q1BL&eqBU3TX%rh-x880%o2P24uXDGPj^tGS@cShN<Ye_4f)s45<~
zh+c3VDEsN3VU-5X`S)J3yjgej`%Q-2gRKOFn-;%FO4TD5)ajfwiO#!If<HTdhY@W?
zOJbd)7D5Ie=vJa$UD}BMDjdL#_Cq#^BWl_WK6%>(?_TGRHe*0n@Q*kNlg%?mm#-JO
zRlCdFd_7z<iJ)U5%vJ(92XA#6JfRbzzk6|u<uTL$&ns8|_mzX-5@xFN&tb(ww~9uV
zw++#MAk6G(#YC=RL>PR1GTImVwU}7tzdkpGH={BP)6A<5Z??3u*9I7JQk|0p7^qN?
zt(1xp3$lso_Y54uya=>8ZsAHlALpZ%7KPHfOPwR#={5oN*%6X|Abb~WR4e|3+5V@`
zMR9`l&EDq1Kds2LU+sP<eo4DJBraJ)ba`jv+1ukdsu*e}eby(Fj6j#xXhTg$Ogd{Y
zkof5XLXEejV5^9=#oZGv4nrKS6(}m<ZdSW_MU>q^J*wuE2?<jhZ+ocWhmSV5XAHsE
zDZM4^j7D>1ZZ^Hop5_2|XhL*%0_PHj2mMx=Qpu#YT!WrX$R}axL)DpE%qsKW|3u|9
z^hTb6cx_#sR-dVW=2cugCkmAKW&L?%L1Xzt2FRDq3B~8SDbHG2okWb>a6b6Z-A-Ms
zX)<Q4$IDrXyqoC~B#mmyf643wlS)-1KBzUGe_la#7R6%=!+a&WWXYSBg#K*xS7qOR
zfr_#_j%vNbLgJDd0xa~2jRH|Srhz;JvloJHt+|q@>~jdVA1wptO&+WLyyW3rvHQ5n
znOBO&t!{mebT*E-2)|enByQmu=OU7eboD{=Nr3&M4`qIW{7Q3=92sbZxgp0_NKX5W
zXEu26SYD=*EtMKAyEmd9w9yTIx)z&e7&0b?Tyd8-h<ips-<yESQlL|}2m`z1a3ZIt
z18Qy(7!x;+f{(jxgzhW}KN_(f*O5bu8*jQjZx3$rlcl%uo@EX=nQUCjGuEBq$C*PQ
zmhcF-upnSKqydb4vD_J>3D$XD8*#LuYP_ucJ~%Xzb}4&=SwlMgI-QRq+}adSkYsF8
z%md50#KW@fLgKr_$l5J6=W_8vjyUkfn+(8`9ZQVaN%etPt#!l*QFUKvDAQ#_CR%2|
zvm5~U$XAsW_&r4znLBmp;Lf=ns-DTJ8@d$+^AN=6h7np^+3AFT@~<w9iY8`72XS}$
zEO}I1pAsk(Twq3%&(04sw$ZRz5eT4Sf>M|3r|{U-3N%S$^uC&~IK9GxfUE^iPSm~c
z<87vPErjB`)bZf5c7iv6oYa-UzDoFHKIAHrBOEED(_@u^f<nL^RB*80ht_0g8+JS!
zQUt>>_hZV=d$c=hhB_F?Ng6CfaN>}4E;Q~yVPn^=;me&YaG~$wEtuviE_<yjS)wao
z&b)e$$+)rb<cS~^^25`c!Ug<FfXd#s)CZ`1LY8K&acp)Kv~3oVSuP%9W)@B-Kh#Za
z9jZEEUm&eJbde0o9Z%KfxXC7n`owHrQWF^s%`*xFiI%T5KxyNT0#+8!u?p~fy-KSL
z*xoftECBrSPL}c(aZ+qb9%@qURsDLbXErSw0rd!_FwcH#Q&}fB>Dno4l<G8W9Xy0x
z>aG0zPuS4>H*5es5oT)sqeNzPSlRXU!zbnbXGZ!?UG3(&m0d-rxD6}NF>_h$^Ht^V
zdqwZ*%;?Rz9U~Q2`B3`Lk?1$ujnNfOsrVni;3TE(-_R<{QDd8?ITm?cox302M&rV#
z(<10K<?<U0M+=O@a%9fXC0*Dw>`_MDN<$Tn)6WrXmV`%nu&$@=R4hT$;cUz$SPNz-
zR38tSw!Xhrm6kYuV#*sbZO$OEJ|@Y$ISih#!e#@Hf{$RPM6E|tO?fE*z4%RZy`db0
zBZ~Wah?e8MTGKV2lJIH|UXr(tdwMDDx-6j#==W|KrIi0-pH+SDPgq{^b~fv#7=yUX
zKl<DuOn?a0BB!`&$F#`PM;d$_-t1#~8NTnh4zYvzHCdR&2!_=3vOAfOQ>zLk1O&{O
zzRPGt0Cr@0RQ_v*(d|*4?Kv4TY-_~7FAKW-$U_26V=(f^z5+5cbqhxT%*McAe<<9%
zdP>Jgo{w`BbkaDD$)2p@4JDc7skhe@3o1dCtR!Y9@sI1CSOkx5_j6Zra-r)yR0_%q
zs#-0M&l?^I=^@yq>veQiHucz$@;q5=N|hP{*W($Vf*$b+mZFi;iwcyM-Wa9OURASF
zwP`s1Fp1~%U>CVfXTdo667<crJ1LdXliDv9V&`L&smzx)2U)Ua@XOcL!QqS&$#JLe
z@~$T>HtHq<rfp)yVX`Jsuj4YunBaIPBBO>LfcR!Ai-EKu0c8jEuO;VM{v~w%Dck1F
zY=LZTj%SbUWNAlf0O-3uw&F%r8ciV7A<qo#4A|4_o@~8MGx(%7ykUmwQ%?neBp}Z`
zZWvaxQZy1nqo`jCt#uf(SoKHTx0F!~z6OOj+fT0)qLo29cDvUFFAIm?n+&KOQag~i
z25!zS?{4|^=!N_(PYn7kRzmY^2&V&+CeDiF*_wJC45;GBGln^)$8H@Xj{f~MP^EX=
zYBOlB(Z7O=Oa~tAkP>jY&V->iO(JoUr>vE!3Rpc#PE-iai5J=&0D1mf7ij<M4&X$D
zncDyCqNPmOigtM*N_~Kg0-0>Pp(V>>4#-a#UCQKW+ERre-t|2uH%q3jD@Q=VepmA5
z=s24MTnV${ppU>wBh!XF)u^Psf^#*o+CPEmQ@R-(#_;%=0%BzCS)fjWJB1z;cv0{i
zc{VE2#*cd11@PZE>FUR2TN<Ww=+q6dWM~)+ANx}7&dxSahqZs<pJ3H)Ytc8Fcvr?X
z#r%{2VbSjoxLJ<GMlT?)_a#QI7}32U#0rsT-qb|0sg=w~cGk{Ty;3VuTd$MCOYmB-
z?gMnY;v>1^i-TJBtFPB1iFsOWc#2pOnTAL;uSwm{^g{p^Fh@4MkK@O-RmLeJ4p0#+
zzD_ZL?UU)8N$djOBe~mDAKLEH!R9WOzZ1XMP8Eg|Qt@J5<XkX2ib8mJCrt6%jB{6F
z^DAwf$36_6m!0D%czA*ISZU<;jL-g#SEA#{|GJp`Ra;m27^~|^D0LNDJBfc~I}$WW
z;S3V>GYIQP{M=>h$_kwxr959yBDw#YV_(osEou0ZyC`QM8$49LoLfzaweehS>Ie*A
ze0h4K(WdLkkpA*`CKMw&l3t71GqMiwV5)3y>dM<HFk1B9`A{Aoe)_M}_0Rx`?^A>2
zsZR$WCwSj~2GoP7&#6#Y(%x3LBF7{T<0A@0NQj8V*f+iX%8CK4U+}}^TGL*!&6g*)
zY~sK6_*I8+gcw?#0_0;5=a~=hHV%bTR0$P?`y>{+!>4rYYd9E7Q^8H$y`Z<3f3ejc
zIKkivZl<U>7R9(kW$1(}Ew~G0#4bA~c~e4**xi^Rsr&f2bniO}>`Id%<O3(BRt&tx
z&M<DeJ)rQd0atJ;j#;5h!LOX2%~oSFA7)a5>mHp%o+yCGe4R`}9IWk{c?YXLK5JQX
zpuRQg4vB|$Zq6s9SoX@$?X%q5n8zxz%Uv3T;fzf&c$~wbXt}gt<k0H>m6#*e`5kjm
zt@1b;z$c2G*+rT(9Ni-2+zx*9%m9}w;Cfj%3^^A6pobYm$a#+fs)13{g{;IHcJ%;J
z^0Pw@EXWrz<JiG`o8hLj!9#ji{#rrMc?P|Gua%8=S1IcL#DSE?gSrINAKlB5IE3V6
z!1W!lO?N|1gdX2@#c9vL1l3T;%YTd4coJd#Cne-O6+TkQQmFyx+N^uvD$1N;SD6>T
z<RQtT;FNNr9<2AePa-l%$2!RCEPV2o1Xy|naUygI$zC-_^$5muu99GCt!Tg^xL$d(
z3^D)fq1-Z%#oYK-w~Y=#9Tioo&h-&47)c;o-q^y*G7svC2du^y4_X8i8_1WZv{&tB
zY~!Z=^9^RT_4VaP&((2<u?iQX3$_I2Q}r*ws^`_%NY@C*nWLm#zhb;z^BBMtuPZ5y
zUW91Z_A_l{IlrHs@>g5Y0rMGIq+e)?Zs<y4U$S$Rm|0lWcqbdtLKpc<YhxqJPfp)7
zm|zD^jPLcZ6`UmNk|4I{RB^bifSIZX7YB2<DECocu0ze4ozJ5T;33tEWOkTdEX<B>
z1-|CuAjTP0Tgh@wgoU{aDHXS35*e>~y0_9JFD0K1v#^ly^hqs2Bm-hDOT^0!3Vrl?
z6q*f#WYmi}u8(v#nr^D3$9g*>3f~R$g2J{^b033Nk()J=F^b^(9KGW;Oil}|srUWh
z?_o>0N9x0m@C}<>r_WACtU7a5pblFE5MZcOlColp9Qyr{4LRXcoQ)=um3J{JChb1R
zA?hq#PBrLxELu~wnNCMFmf@%*6xAO{y}bGF78qrxXUh+yJfxCxh*d9RRIZOe+P4SR
zO#l-;52=-vo$Q`>Io?@HH=QAg;J5q?2in2ut$DyY;I1{nR6x0`^F{3Nng(=mqa?*x
zH;P<hFTfG38o%VZR}DYlyc~}`eSufEv+?g*I2r|l=ZHn-IXjK$1+9&4c^zT2CqErZ
zQ+fuD?;}AWdxn=@e(y{ga~#tmTXoGKiRNO;eD3!=BQr7X<AoPYEZ<uP7-bRl$i}DK
z$6aqhfqJKCLUyRL$UAgJg8JyMaOd3M7l9Y5VT_y?AC0yMJRJo<*jfT#(y9<&T7oQB
zUXAZgUletm8REQf3gpFEhSaT}<gLuQUK$9sw(dNM*nvM2s#zM%tg_Yr9*X2iJrSU-
zu&pPlH}b{e4`??&t>Jc;a{ELg;TlSZ7x}?8&6?7ZDo?~lX$Z-T`Dp?99ltAyePC;L
zogz)Y4Y)#2$uInYUMHmC2-C%HbIl<CoR~#R{IcEE+41>WTcRM(k&=$$HM=#l_}RW#
zB<72J5z=tOYN6wQ{}{EUq*pE6HmhUX>sL?g4S#nN4;?Jq*^@gEai<;i1e^3!ujmNL
zJ6iVr&EznHcf}4Mk%{&K{icO@6`KYI<j77L&J7@D8YJ|*Sy0S)C8aVpm_Dfu4q`P%
z4G^2%*jRG=pHx!!-@Ox{k}y-39~sW0WHr?9dNGbGE#xj8BQ?E$CM&qVx$@J!WOa#X
zpet4$7bS@!G28>YFpiu2gAX7UM)^FDJ$rJ4o!P*lpE>?O#GZX{q)JD+QkdFsVN1@+
zh1w~QH$|G53iS@eX^D!?7k8`hAho9=0{L^CxK0lJ|7q_lqvC3oc4u%8?k>SKXmANm
za0_n1-9m6rAh-mVV8Pur!GaUqo!}M-!TC0?oO3?jbMLyp?jPtiJ=I<9{Z#edv!<&X
zkIsnt6-}e2oJ0cR4}+h?n`2;5dzyr%UuG@7a>q@?Q&M<30=EMA8QV;j0pk}MuW_dy
zcY^{b-g6IVH>m3){`bHKq7Mjv&qw?pH2#m)fd7R5A?g34HORxp|Ir%!5&unog4?$L
zG7S%w^?=_0JRaZw{wd}U2>-|TzkkC2klz0u@qgI(Kb{8iu<?J?|A&qL<7prd8~;aZ
zz=w_hqc!lu#@_=N{(oA7>i_*8HUzM7U0<+ag*$RbQG9x46~SSYaKg-Y&Ecw9*#zyp
z{T&gx4%$jY12RNt*ybR)*VYw1HcDoL=(C+5XX;Slcml~Q9r2gjx{2pHFw))J#vj-S
z!~+~~;97APsS#;(1XUccMdSwghA;C^BMB@{SZ$xoJ^$?BKy>0IVzZ*}kS@?z$=~sA
zg5{S!=8RpN3iKlL8_4mW{P`c>aLse3Ww}4?i|Wdz5qhsf^vVcriUk#NC|#LF#cam@
z_lis5oHnAddU9+wZy2gw&RUg&?W?r)3y;K$<CJ+D=c+pIc&wp|Ha(K9vOzJTZapTn
zg`apnF553wcQ349<~YoQ*?ezkI_Sc9j0g9ZHoX*|9>ew!tw72}w|lT+x6kB7H2UN?
z_fp2_fA-AZvHzv69=wx(!A}`<<XaVxj@r41CIo@h&Xn#P*_l8lBf+S6K)Sz=FZGs$
zq;Ext_RuxDY!<DJkAkNr;4=DBAXK^Va5=(!wHBGS8=XTd%db)=IdZ^8#~35yWjpoL
zswM4sR=tV7l?0dP;U}`eQE$^t-YZu9CMIE`arZTBK7_Y>UsW90d@8~VyF87HW*^s^
zOR>rFE{nQ}2Jcvv1}Zk#n#tTdpR{ww?FOCgG{9A1VBxm5;RKB?H};2D`EM8P@|+Ws
zj5h^>ThZde^gCw`Y&v%BBk%Uz4WgjTvPQC+lnp0F#<%OWFXKHb2Q}!M8=tI$2H;M@
z+4OO5?Wj3r@rre8*ZtQ<1BZgg+mvF3Ds;1MuB1Y8f2i&fjQS=B<?P>l2_Va2I(LM$
zHhaP6b5G<9{}wrLG+C0Npm(QjQz3Sd!&)9PKHXc156yjzU9I82K3Ri<=6%G!Z}iLf
z?ObSZjOVEPc%rnzI~=;<9dnsd*~NuXf^8wMCC!#3piMC>`b0^gsgL+Iw<Zdky4C{w
z+t^vHhki@fU`FiQa1$u-wdthpspG)O?W5+9k9t4hZQW#F!9@8wkkr(D77^FUs-n5L
zBI$I%ma5o&xjf0CG$cKsPkq+fw|%&Z%*2e;YjTYCWxI2|!1u_0Un+~Ldow{CZM4rn
zg&fu-BSWluv+8Mg42kl*o23dXMGl4KyIPU;lr`{1V9CPP0%+Vc(iwrN@Q~n|pSYhp
z9#>~yp%;}fq%{CpLZu39fT6E5%RUy&3*5~NRSv?257=Y_QD#OV78BOQPto;MTe&hO
z4*5?f9l5r*h$K&$!u#B4HA#e$nzWzo!+gy;oYk$XLt0}0g27YZ&PQE(5YumSuFp}-
zIOdyTl_CizUK)5p!)=l4(HRauFc?Fbpo;ZMPQwGvyY}4HR{nHI@`AO3kC+0Xq&XS>
z9#+PGV+9FKmSikA7~u!yOy2Cy_tK)QT63&|U0Q{7<%HUZS}l(o2T42_D-4EghGs#g
zs&bDt)=^sEV&h`e+jH+lm^okDju*!O{I3P(sK%vOh>&O!e?OkQ4TN_}*6OVpF;Nl0
zZ0+j3i}tYPp~42?9q7$&!hTu?$;+egS#?3WV-q<{gUF{;qQ~*V5bX>-_6#Xg;l2py
z!tXXPh<-Eu_EC%qo^bcG&3G|j4vwjhx?)mM%q?v}9U{2u$_nrbmRI5`T@~BW4sP$s
zz$;7l$Tssr?GW;*KZ^PN8-%CbNOhIpw5g}kE{iWmB56-E^npaJQD51MaWjgqIQ$Cv
zlTo8(u$)Wu4D=qO05Z3oATuHPQgukh8RND|gd_tAr11j0`|ff9R&33Zi3yBn4^yU_
z)Mq4?O)J)n+ahukE~5j{B*Py6p)a~xM&MJABXlQ~9abc^tQIe^)*t=e+(+HcBQDJ;
z#+L_^jU{qrjyBCWo>O9GCIssonu*AzxIuGMl8W_X!sMn_uO}SV@GfsDr{79Zc!Dkk
zH=NfH%~vXw1j!X+^!d8%%7~0$C4AD1OW?aSAv92mlYXE5pduWGZ6Z(PmDSptbt6y;
zAQ|#(Av7$g-8tMSNA_~v>BPzV!s-!;my3h~c@q4p`L>PS<-I5T)^|pCbsdJH$mvzD
z=VS8S%EuN1Et-vm__{<QeT2AG2I`}UUN>Y7bW~za8ec!knX1yPLZN>sdPYM%c<3+c
z`*QjQ=hWzVZn<-m9;$snCG^KSE=a;@;TLW^M0P68erg&`DS;Ylx#liq$u>MK28dO)
zGq6SN@aRuWx-#d!)9ab*p2kYY`8^W`?r$%^_!dcT=lT73aFM~t!bfDf$5p%j0IAeQ
zQGze77}q4r3uy?EV>}mu_?aidH!b9VBP25-9})_pn88vek%=PPreFb_NUetDynW>3
z#<cWR-S4K9Ctdug>La$PI<ph`S{*LRcr?PAaFAB^tm4_D3Wib=x9m7&Lp2rMa!^Kl
zMyy8E8TZuV_223N>LW{fEl3SUs!S6~5u#i>o>8XOt4&*Msa4E-KM)jh_@d#;`xT8^
zn)YeM)hpQT+@etNfTl?4`VkU8_sbh*jZEY%^XeOzjjH(1YS?jxNS_0fVe}p9@H*sU
z*UKgKpq<|Y&oN3#Lk_Yz!Q(NstXMGWESXLr%fxwl`+q)n5gGVC<;7=lMY<AJe^scu
z7oaP$(Ln@vl&Kj+6Wl$M=~;)ZTY}V1JC2}75-v@`;hn15<z~U$bF?_iu-|Tq%G?|3
zjwg8`I1%dqjPKqc&Hf%Flm%Imnczqxy?Mz{Zm$5f<!p3FfM$q<K$a>FR-|FRPUpDz
zt5<MbWmeS&<LMQyt4w9rAC(%zFywVhg)pR2$J5LEb3bKda!ZxsPmCT?GNuHlz4ZfA
zWnJgB+e<N^?SxX}-~@SaS>(i)t`E$;*nDLxm7M@$LMfu(kyPo*NGj?&TKRD(@E-TM
zsK%r*#D0<@&uXM>XIg%B&NrvUnj))R&rCy?DjE?4+1xIpN)}OQ)vOGV$f<PcnV3MV
z^4nj{c9U4K`pSCYj^COneialo8uuhmf8BzV8M%q`l87p?(=FRa8e}a?`tBSyFpvN*
zIH+ka)5yl4Mw)XSm-*ou#gJW)JbV33XHRMUTO)5e3XhLsuob4AqVz^NhSwuzd%<}a
z{RTS7@xDxiqRIQb{pj36{pzDO@3L0=ONSc;e2!`azn!kkm|_lWk1`ZXMY(?beh3{C
z6k-%peqy^mfxJSCN6ep<mjY2WL(w5SS&%&@O83<G%2-iFVw(kH)+y&lfT))j{f>fG
zfdZpkoR>6)kXz#sU;6G7VY|a)4-d%M;@{iTvh;_s=}%u`G@iSFHRo>1N>1bn1H#MN
z$WCpqmXSVdS4og|yf(pJRO?$u*;>Wq)>QZb95g|*uvXNAItr~Bp^DDyf-pw#X4*Mg
z2o63q1X)hw!!A8@`yLZ^`0+CZucYNtwcs}p{c-Jfm4hg?;!sLd(EEtYsjj5&0*$!J
z&3mFhr8y815!0|9bM^2ChS}p`5{U1wnaxgSOFeyq`+HQ66=dm!jEY<Fo>0FUC#SBJ
zGtNz?HoN?XZTGNC*UZr2C^0T0xSKVPdXbo#pl7FrZ%KMYw$ASL$OM@QabZlr7pGKJ
zI>Mrf;#IkB@M|mx*r}%XN(f&RGf;&pTux*IXNi3B{F7#iZloYuOr!PGT(+bg0*9sh
z25eXbxUNG<e@3sH#dB3TrEgeA!4nIjGUv$bzcSJ|;D#B~xpDucQCe+<LF;R=Vi^$_
z)>!^UNA%qun`%1pz@X8n@Tb8(exvas-9B1m85*+EZ)FKlEtHr{9+;`ffu<JUscsQY
zY(G}^zBf}^7u%1OCVeu^aN23rX*MhL{G725te7C{M$r`_$Kv2lcFk;zgFBq2ne6Jh
zCR#-YPE9i~u_0bFOyzQs^y4U+{9+&3X2B&H+J(X@MX)mv8iI4HH2N7iG&hinB8beF
zJ6W?d9(kCFuEQz5X%LqIj>oLVJjXz{(c(FJwN_s-<$`M;$6*LrWuTA!lX}`=0uYtz
z5+9*Mwu$RlcroKv{T$6JP^8+$&rr4~qoCMppQ-m@MbP3Ce0YVNLPuLx@Se{{nJiej
zUC!g+WYToJJbxjyEeMv1=^Bes;2$v}U3$U1HiC^e5#fGXds4*$ZxZC^penm^{0&LT
zFG$l+V@SMy*!d+IsQ}g%@(_ii(wTUjC66MUFp6{slGkXBp1Jl>M#+M0Oy<{<c2Rtb
zcMj+&D}08v0bW1a?yW%<f3HE1*JMc+g5MaP5%<rHIz{5^ix4#x%|E{$g1^Mi|M8Aj
znMQb!O5#w1zdjrqL;xADpgZoa;!0pI6lLP{^LrD|a`MvvW*To0Ck)jKyzG!bTq%o2
zcI0eRW*@QO@Y|ZgUox8K4m-5WcrJ0>3u#2?$p;*#I?9nY(k`{dU>keqS_MLDu>k)M
ztG?36xp|)yyijM|4;#A-p`CuPXDVxQ6Hx7WApmw?{@#4K1w)(^Y0Z6uAHbQX$TIGA
zhd0*@?0p~5<V&F)uEWB3$>`6fz|VJd3l(d@Sjj?Jr(}IMAJ(Mk2T7Rq2w5DjRZ^Th
z{X{T7R3YOBq+@A~p)3?VFQbRH%o6557kV--dUW|kj66wC@k}1NDBVvup1r7PP2jve
zG^)AE|IpKO_VV(h9@eWCjZoeOaXZ!XpC2OmOQW=)H7+EyZ&Da=J*T2+q+Y!sYtKV^
zf|kTE`pK3ZeQ#Idl=&+CNpzJT%QJCIgX>q<H=W{R@i4S%-p}Nnc|MrxD)jo6Vk$Ut
zkHTCM%ZuCYJW-AK7Mnny(<|-O1zFNq^OFd!8zjb3x)O0q_$}*qhCX3r)5oQA%MD-Z
z0`?ERHl9q{GF-5Jrt5~e()*N@>hneiwO3kY$C)kaMAN6w8F+Q0bLKbbT253K{m7eY
zIs$ta-`p%n<L4Nsq9(hViW+=`+Cf&Iqv7lu!(C*&;q~(^7P)%&9l5&fm1%g$l7fSQ
zy=?1*smV?6<!1ys!{t&xGr`4{B?uGbHmLJS_zKnv;2y*J`CyoQTIIz>LWG;T%!%=e
zWE*<{<GPk({#kyNeW-41pU}j!flB4YPYJ83HKW%|vXKx-+jLIc1LB>IBHOn6=`oU8
z`4MmhAp@VOOe`&XTH(`A_1S%~OG@*Rn4&Ti9J|oJox+k{4i_Jes!BC@KbdzM<?+jT
z&L2iYxo<OnhBdAI%&1ZqE=28F^lWUXWaN$BbhlS)cL{hwzmm?&=Q2!6G6KSHp>;#c
z)pR=mXGW>jRt7znRd`(F;NbY_bRLShL)DR3kV3&Li(Q<w{>GE`a|D=qXaCh*8%bh@
z%N5md&-UDt-eI3Ul@Lw?Qa)7bFoZ54UR&u6CrRe!lOHhPig{#5&`SMu{RA%>wCOI1
z$~$8D8KO^h<m_L}^5eKfy((sZc{|FvludrU;q)t=6hcHuE5N-R9Npp#u(350!G=N)
z&G0p|xUNWfyXrP!s}q7ooBn<$aI%eWFk$z!m2(}Z^EWL`>q+baFPNfP(FjMdbS%I*
zxn*gxca*V6K9r1Bl#`$Qk{c~Ni{=nw-t&qJkH@l~Qk!rd{x^I*M)u3!inY~={W#g~
z4TK}rn5!P+8TXb2tG|~8m@cv;E5Tw;#U$*idaCeO6hpeFZZK96A_Hi29bRg(wTHO|
z&eV&SHd`XOdku*mhCYhS&o%On=H^RT;^BY&YV4wIliyFzXuaVp;?=Rsw{gwMENQkE
z5nm{uJwVklO`@@PO!>5dorxl6S2Mk68kyKFyf+Tdn(nrHixRKFF$3$zQw~WEhA7)T
ztU=`Mk*(Jx#jc$`+lBBjHQ;KnbvSYbqm&epkBrkda3z`C)E>N=ax{s9d3%*(vy%pK
zy{htw*ulQ2XCZ&&m^_jFsw`QyFi@_R_&cP4OMJ%DnWXs{eohln(FQ|bZleh#t`xt)
zYZHeRc>krN#Ei2yF0<Pi&nuM>N9l{9ua0XHret9K9H=|am32vWWltOHEOGHGeDb+J
z(pMSM`*$+$Pb+)Sv4!v;E&K+xe&=o{%XCx6{92&@ndm9|sDN#B_m6rx(xK?eTj@`Q
z8DXb5%2o?OI*V5*VNE7dZPokE9R%B?FeO7NE&an9^>ydoy)vLtW^0EIbt#Mq5?mbR
zcfygTo<-M=BV6-&r(d8XbC6b1d9LZcmb&cr2OX6Ne$B{RTC&6%x5KZK5c|F<L7VF3
zg-B-wXE=Nl;TnuvNWp|K-7h9G7?<8!!&Ku1-;%Sc?Vd~uBN~qwETNL>9NemGDdEuS
zO|5MgpJMb~ZKSO$=jBX<%|)K9kaL+%yg+IS1Z)>40f#{I*FkG7{lkfo6v@|psV{M0
ze+n9H=1eZ9KU1RAq8AE^6UWmjWbJ4&l?z2t!rHTCb4*!8`I%>c!9WnBQjjoC-Z0Bn
zDq18ky`<fY-D5((sKph|uzsMzaD6nhcoYjkl|3ofF^g8$YuW=9rr=?=j9I1s=>%4L
zSUT@q%4R+Z?ia5Ms}v@r>zV1tFO<o%3JR>%^RDbKzjOF@8Y^>d<#gM!<*4KIa?3#k
zH#@x+eKYLdm*ydSRnnP#K;PA-MISv8L$~YKe07rKq9?>T8`i^3u5?OSsGE@B>$a$@
zkx@-zqB=cnF#UYq<ANS>ym06<$xO04nEh7rxCQbOxiaZ1rGxV*W8$Rt^Jh;ZU|ye*
z2eyUCBCC$dEX$<vx5g2}P@d+4oGDM}y*(g6(NeG`brzRxN0n_jg@*1^NL2`1r9z}o
z)^SP%I<$;wfmQY>yYfLC7L%&ADOEMc2v@R%+Ffq=2T~*zWlqodFHyqVoIv4;hKY)i
z>(Ul%Hafz+++N4T;=`7nyT|UEJ{g_w3kz`<Z`%;cjaaPsZcT9K*OFuu^Uj1F)np1J
zkLfl~=2znNVP2NG85onwgeuk|SR7rvoZ$4I8_`lI8s{)~33MyK<eijYt0-&cVY}Jc
zwmwU7U3dyM;#bakt-wE%uD+?~dfq#!<>Pr-GhXg!di<tEFNF58o{74<T1JXDzUWiy
z3J)SxGxNvOd>t;horddt^)Wsn@7s@?)X1-+&czu0W8X_pkfb6m1-tWGEPD~SND%wh
z&z7<oH5YHUw6l|zIqj<2=?G2HGYBoe+&2zeffp?fd>Or*NZ5dn;A9xG1iM3b9sUkP
zbHJjnztw45Sqq5?`PTbs!lxV?rJlkA+)5iYd{KDk#z9Rg-8uTbg`8$D`2K;ybtNLs
zKH|0hy<vN+3|HPZ`%kRohe-%;RI)cdg~E7p*6D1m`*&+G1j}gpB6hPyMYwz=Ur3&9
zuQn%2*C5tKLOObVg3Y3$?@2iPo&<MN9)Goc`*!zZWwNh+fjIweEf+^nFh2(Z*Rsda
zN6~^8c0*9rhhp;Z8jk0dMRRY|^**nPb+nnLT`IJ}3P|;~9nvU~?c~f85}-M9E^zWx
zx^$7$Uqcvr3st~~u8~cqKf%y=g_9{`31?Eou9108t=*O(t#1h;+}Y_@pNln)ofqKY
z3^u@XNBqUg-Ht-heZJ{ih9RFDhv#m;@if`!D)S(kKsJN+o9jD&qh;-Roti}}@~IB}
zcE|`38w3IE?(1*dVXh}f4Ejn010^<L5#A>k;pCLal9y*VMb*z*h{>Y)m)YuT*oLSE
zUbC-2M{^$~hkd}JKiI{Zs#n3T9xS7=-DLjZ9VC>sIflWLdozNa=L0?$GN<v@HSn2X
zEG6~FxZr6L65XaylGL}~fO*d5+afBL{e39g*B7SSRQ&ZwnBI~C_WYr3lY+QhQ#(}A
z=Ea!D+H$>!tX6mAV%%pVs$+0^4D^p(c-n)8NwdZE*mwS^SPd8LcqvnhVIA-$!sA8!
z;fxe4`kxu4Uca=th4Y{dT!BD{B26G=g54yMzV%p|lGmJ%`ogW<PiEU>EF*O9`DXL?
z^9{m<EXhXDJ$FP&GGUPWeI4luc@KQ}r^bqKYTqpSL?ui-Io{b-5ar4I+LpKPJ`?td
zyQjtq(%xs)8rHqy?MWR9)e!X${?1;ltURyf?Y>#H4UQPW5R9Zn`>b+zZ_d>Oe^_M;
z`GyW-k7k%u;jE$cGiADnnLA;_*=v!NU)!%}G#4xXJ#?D(OongAOVzs92{HR61(9g)
znMA%xSHOQ|b|A=tGk6Jpl0gWs<Yv&gk0jtwDI*?s8`x1hg%Z~#2y%e5GA;Mb(e$10
z%6h3b%4s)siU`tZL2a|A>#D~~4#G6&9=C*jwlzzVNg^HaU0L9DhIMhGkZ>kbD%SX%
zLV4X7*1{WMgP(Fo9cRx{-hEt)A>?){FeMBxsbAdW_=fJ9me^khd0C$F?8?{xy>WA@
zm!|}&)08l@Hev(X3S5%;Az`P*mUp-gYBfDauUdRc9P1PrVWg~OFB5ADp22~`aqb!V
zrxh2Zh?=Ios>7F>^Z2Df`-9f1b1)U*X%V)c;IW=)EKK9YNYFI$q1dOa<fG~xML?>s
zLKRLin^n9;qf7m)jv5E!24WBvnLvV3fV094NhVDUY#8_Znh;LkLYj0wZC2(^4{Nv+
z_St&K_FaBun=qzKS9ycq?jd~~KQ&4}YYnkieJg(6HlC!lh>hPXoQS<jq;th+*vl*Y
zo~LRYjlZsOpCZ{7Tf6C9$cNRrs7;4R921+MlfC`Y|6X-73q|l*Z2EDl+0hk_PRx^~
zIa*ka7Cmyi+D{|gT-y;ijzp$g!{*VFOr3`9#!y@2h-SJtJZI=WyJQ8K!92m=KVV7*
z*@=-9C+d<JsHbS_^p@J)lSd#934-zgfuLE*lI#RMFb-q5esfP7wxhti(l>Etjba)9
z@Cva*Ktht(!2cEBQ9-7(Zk{f4P_T1|U+czYTOtU}Y1Yu(c<_@Z)dJ?q8BMaM@V9L|
z-G&E)Sle&ppJz;HZvv9LjES_*wy#xp3+RQdwO3yZ=YJDr9>*U+;`sSBHNbqErfcQm
zFa=CSOVvhR`dpe6p;9(Z+aGH?Xyx2E;f>=IDIb0m*SK%P7)3n`1TN($Mh6T;(Oh~#
z_4@gQQ-7b^7w9xGc?|_ay|e=C7xc9nM>{J&Sw)!&_<px)zNoiU6cO&Wr}VbfXZ%L}
zP8Q<D79D2j2yDNt$)R%dXv+@adZTB?V9S@EJ6Q#_k)Acte3MUYhJ}+Vd}v}`2Df7b
zKzEL@!@Qm4+D*5@7lSTmLUv+k@}E|&kQWFVCmGk59;OiN_UOFH<>w;xG1MIbe{~(I
z&%PqkDX^s+EK$zX>QtXBw^$H>GMB2X&z5ho=~g@8M`huFHFfXlwMKbsC<-jSummuX
zmmu<|iD(icKf*`MeEZZwmfh{Ua=e&~PAGYe^p7tNz9{GrAh&joDN%8%_={unM)|^j
z`G6qja|AI}6J1`?E$4K;peCk24B-<$0fD!9!d3C{=9n*s)LwZ1r4G3EaC1T_ZzE@1
z95tWOnQynMz}%;Q4*P=y*6J8_jvNWh+)|_viwvZx0@3K3=^`^_hPLn5pDP`fdvEnB
zSJl5)#rKRkWHFj;EGRV_1bqxD9(v=t*3msQqW^Jw{nA~|rxWtDopIB5Iv?k_OG)D8
z49t5vHKUi?d9c2p+=ITa^9ta_HK+|l3Fl?xhD(E_gQPA>`j69z3s3YCojuLh4eZpb
zbH($BESH^sikRo`8ks@&K0DpK%r7Dxh8V~A`QlBCfY%nYVpHDQD4yWwo|WtT(1v2F
zPiMMUh|D_Mxs~ULZhOJ0#xoGS+d3c9aUyQ8Hi<qssLLasqn9$4EM*q8p;X#*b0(0|
z@8x9o(j$zBJ-1@JWr}R_!TYMp`7JYo3x@zJ(8bw457sp%<VAHie|FYK1^g7I$%}xL
z8F6^%jN}inPqSyb`?`Gid{HS#Sd1q5MMTJOTftO;xRRY(13hrfnjF5k0f#g=VQz);
zJU_KLGY2Y6Bb1=t2mN+mYxz!J$c>aa0{&KBtaT>WPjmQ$zyM)!&9Ix$j;e;(e$L01
z9gF-m?o!~APNj69kE7Y_+9(-35iztI7v>^8r^ts}j$MavVm#pzSJkC=q%uf&JQ{FK
z$?1J+8)@G-n2re5f09s8k$~jjXU)4$iWWSGxGTiCHk~3O1H}fP!Ge2tNwOPNenY8;
zc+AX%J%{yo-)8k#e-lVsE|k?z+4yYRV{$!_rSl9n3nAQqcyl)MefZ9L-sjQQS5IW|
zC2Y3`JeYbtHEF8f9r~P*f6oVb1}0yYr#k3*cj6)bc8yw!k@e9-lFPvo`|+Mc!=5j2
zw7BMr>+N|Ic9mMEZgQms5&m1bu-M~;DSM|7&E7qx<Moo)7joVj;Xbm<k##F3HXPn@
zzY~A-Yxi~{)3C_p`-Q#IS0$DmB&qx;c^-W0b0HXWnqyFnRFT7gJQC<A;BWK;T0z8O
z?1%*g(pW4{nq+!k7WZ|il%JqNo#A-?NMW-swao%Jm-Kmt`Wol$b40Nj&Wr{)%cb~K
z9dd3htpkP6cAQ<AlkH;Dgt~~V7RU-;4x~6O>RMGcB!u?IT6NBfR9<@km-G_XfGcCd
z!kad}y%o8dgBkPAh?u8++;|T>Ozyb{wDJDY@Zui!chN`u|I4I2Al3uI-|cbz|EFL-
zAp9Q>Uic^c4{7~>yoT*z<L~mg{{K?|9?<&#`2PP-_#e{x|K?Hu|0w_uNdF%VZ~h7Y
zL(>1pgZCab{*TwNK5YCS_5Wex|ET{D8~?}Oe~<V-9=vx?1|HDwzsG}D?_qxzeL(m>
z9=!Un@qYsX!D?CC+PVPKU}f!M23XdEK<n4T!*?D8YV-kt9dAKk(B0?X?teu9_Pw~!
zzjOY#5G1f&lgG)yz!FH*cC!4VP4K_l{Hr#w@jt7%*Uo=!cMYiZ?jB4K#JIJwxd9L$
zwKl##E@u`HXyLPJ$6Y=UqnWXl!yh5w%f;N-<nQnuRRiL-k_I-$Rwj3OAbhONZ2<df
z5T=XupB=x;^p~SF{xglx*ums3&z-yLGLo}{73rU02q8x&L%===l;P;)_{U`b$p=Lm
zxEQel;X8MKm>|#^FeFJJ<<8$ZFoLj}D5<C|(4gs`ocrInx3>W6IZ&%8SPq1Iy9^?y
z254Ny(T!Uf+TDg(pcP0E-=+{p8>E)|!Wpk<pb8iSO|$>U$rvD9M<*x8zbd`!4-b%g
z6QHs{zm5LlLj&|K?e2JnI|>1K#J|D-$p7L)0bzu{_;+Rg&VL5f^%jW#?SMA0I6)w&
zHlQuwW?&F7KajLQ)f<42A_3I{a|(3^@R&d#m{B0T7N8*jtpaElKx+V+2haf^Zy2x}
z7#+w@3HZCRKY?;sAQ0T0pr-+}0HB!wEe2>Z&?O-69Ul@f=>!37L;3>r04Qq?cqt%V
z1c=uI{on^^D^Ons&@W(qptyj%PXPX%d3p!H2YBEjfJXwv*Mal^z~cb@S_0A{fj-Fq
zd>Th5BU^ypIT*kzfI#v<zv3=Ipm_lhm?R$r)&#}|!UX2$KQRF27}EUzqBwW+f7h)$
z<p1S>LICey(LV$C;zIu`84~*ctT>H6clG}_#c{NC2J8a<?UaGI@qZ{z*<Xr->iDPP
z{GIdvMQNP=QX1oXN~2<J$8PXfMgJZW1PJwx2Xyt$v6wg-|1pV>K0ZEos6YV}QwZyB
z<{|d~@X!DU0xc2-d^dsj1z!g!0kA>1M*mwO0RA5i0P|l8aaaDXAAmsoLGQr56D)uS
zes@pUf%13RAN~K|Ik>NUtbpRV0*coPC>|J4Jl<Lm*bR6(fL=HoJKf0^hqcKc6bORI
b{_{xzD2c-z^FJM&xs{_6z<|>L)bxJ<ohvHF

literal 0
HcmV?d00001

diff --git a/docs/how-to/custom_pages_examples/static-html-css-js/example-static.css b/docs/how-to/custom_pages_examples/static-html-css-js/example-static.css
new file mode 100644
index 000000000..90dba7cd2
--- /dev/null
+++ b/docs/how-to/custom_pages_examples/static-html-css-js/example-static.css
@@ -0,0 +1,98 @@
+/* example-static.css */
+.custom-static-example {
+    border: 1px solid var(--bs-border-color);
+    border-radius: 8px;
+    padding: 1.25rem;
+    background: var(--bs-body-bg);
+}
+
+.custom-static-example__hero {
+    display: flex;
+    align-items: flex-start;
+    justify-content: space-between;
+    gap: 1rem;
+    margin-bottom: 1rem;
+}
+
+.custom-static-example__eyebrow,
+.custom-static-example__label {
+    color: var(--bs-secondary-color);
+    font-size: 0.8125rem;
+    text-transform: uppercase;
+}
+
+.custom-static-example__title {
+    margin-bottom: 0.5rem;
+    font-size: 1.5rem;
+}
+
+.custom-static-example__summary {
+    max-width: 48rem;
+    margin-bottom: 0;
+    color: var(--bs-secondary-color);
+}
+
+.custom-static-example__badge {
+    border: 1px solid var(--bs-success-border-subtle);
+    border-radius: 999px;
+    padding: 0.25rem 0.75rem;
+    color: var(--bs-success-text-emphasis);
+    background: var(--bs-success-bg-subtle);
+    white-space: nowrap;
+}
+
+.custom-static-example__grid {
+    display: grid;
+    grid-template-columns: repeat(auto-fit, minmax(180px, 1fr));
+    gap: 0.75rem;
+    margin-bottom: 1rem;
+}
+
+.custom-static-example__panel {
+    border: 1px solid var(--bs-border-color-translucent);
+    border-radius: 8px;
+    padding: 1rem;
+    background: var(--bs-tertiary-bg);
+}
+
+.custom-static-example__metric {
+    display: block;
+    margin-bottom: 0.25rem;
+    font-size: 1.25rem;
+    font-weight: 700;
+}
+
+.custom-static-example__viewer {
+    border: 1px solid var(--bs-border-color-translucent);
+    border-radius: 8px;
+    margin-bottom: 1rem;
+    overflow: hidden;
+    background: var(--bs-tertiary-bg);
+}
+
+.custom-static-example__viewer-header {
+    display: flex;
+    align-items: center;
+    justify-content: space-between;
+    gap: 1rem;
+    padding: 0.75rem 1rem;
+    border-bottom: 1px solid var(--bs-border-color-translucent);
+}
+
+.custom-static-example__viewer-file {
+    color: var(--bs-secondary-color);
+    font-size: 0.875rem;
+}
+
+.custom-static-example__video {
+    display: block;
+    width: 100%;
+    max-height: 28rem;
+    background: #000;
+}
+
+.custom-static-example__actions {
+    display: flex;
+    flex-wrap: wrap;
+    gap: 0.5rem;
+}
\ No newline at end of file
diff --git a/docs/how-to/custom_pages_examples/static-html-css-js/example-static.html b/docs/how-to/custom_pages_examples/static-html-css-js/example-static.html
new file mode 100644
index 000000000..21fcf3b59
--- /dev/null
+++ b/docs/how-to/custom_pages_examples/static-html-css-js/example-static.html
@@ -0,0 +1,45 @@
+<!-- example-static.html -->
+<section class="custom-static-example" data-static-example>
+    <div class="custom-static-example__hero">
+        <div>
+            <p class="custom-static-example__eyebrow">Static HTML, CSS, and JS</p>
+            <h2 class="custom-static-example__title">Custom static experience</h2>
+            <p class="custom-static-example__summary">
+                This page combines a deployed HTML fragment, a page-specific stylesheet,
+                and a JavaScript module served through the Custom Pages asset route.
+            </p>
+        </div>
+        <span class="custom-static-example__badge" data-static-status>Ready</span>
+    </div>
+
+    <div class="custom-static-example__grid">
+        <div class="custom-static-example__panel">
+            <span class="custom-static-example__metric" data-static-counter-value>0</span>
+            <span class="custom-static-example__label">Button clicks</span>
+        </div>
+        <div class="custom-static-example__panel">
+            <span class="custom-static-example__metric" data-static-time>Not refreshed yet</span>
+            <span class="custom-static-example__label">Last client refresh</span>
+        </div>
+    </div>
+
+    <div class="custom-static-example__viewer" aria-label="Cat video viewer">
+        <div class="custom-static-example__viewer-header">
+            <span class="custom-static-example__label">Asset viewer</span>
+            <span class="custom-static-example__viewer-file">cat.mp4</span>
+        </div>
+        <video class="custom-static-example__video" controls preload="metadata">
+            <source src="/custom/assets/example-static/assets/cat.mp4" type="video/mp4">
+            Your browser does not support the video element.
+        </video>
+    </div>
+
+    <div class="custom-static-example__actions">
+        <button type="button" class="btn btn-primary" data-static-counter-button>
+            Count Click
+        </button>
+        <button type="button" class="btn btn-outline-secondary" data-static-time-button>
+            Refresh Time
+        </button>
+    </div>
+</section>
\ No newline at end of file
diff --git a/docs/how-to/custom_pages_examples/static-html-css-js/example-static.js b/docs/how-to/custom_pages_examples/static-html-css-js/example-static.js
new file mode 100644
index 000000000..9343dd768
--- /dev/null
+++ b/docs/how-to/custom_pages_examples/static-html-css-js/example-static.js
@@ -0,0 +1,30 @@
+// example-static.js
+const staticExampleRoot = document.querySelector("[data-static-example]");
+
+if (staticExampleRoot) {
+    const counterButton = staticExampleRoot.querySelector("[data-static-counter-button]");
+    const counterValue = staticExampleRoot.querySelector("[data-static-counter-value]");
+    const timeButton = staticExampleRoot.querySelector("[data-static-time-button]");
+    const timeValue = staticExampleRoot.querySelector("[data-static-time]");
+    const statusValue = staticExampleRoot.querySelector("[data-static-status]");
+    let clickCount = 0;
+
+    if (counterButton && counterValue) {
+        counterButton.addEventListener("click", () => {
+            clickCount += 1;
+            counterValue.textContent = String(clickCount);
+            if (statusValue) {
+                statusValue.textContent = "Interactive";
+            }
+        });
+    }
+
+    if (timeButton && timeValue) {
+        timeButton.addEventListener("click", () => {
+            timeValue.textContent = new Date().toLocaleTimeString();
+            if (statusValue) {
+                statusValue.textContent = "Updated";
+            }
+        });
+    }
+}
\ No newline at end of file
diff --git a/docs/how-to/index.md b/docs/how-to/index.md
index 52ff1dea2..1a9ea0e07 100644
--- a/docs/how-to/index.md
+++ b/docs/how-to/index.md
@@ -18,7 +18,7 @@ How-to guides assume you already know what area of the product you are working i
         <div class="latest-release-card-icon"><i class="bi bi-file-earmark-arrow-up"></i></div>
         <h2>Content and agents</h2>
         <p>Add documents, create agents, and use the ServiceNow agent guides when your work is centered on user workflows and external system actions.</p>
-        <p><a href="{{ '/how-to/add_documents/' | relative_url }}">Add documents</a> · <a href="{{ '/how-to/create_agents/' | relative_url }}">Create agents</a> · <a href="{{ '/how-to/agents/ServiceNow/' | relative_url }}">ServiceNow guides</a></p>
+        <p><a href="{{ '/how-to/add_documents/' | relative_url }}">Add documents</a> · <a href="{{ '/how-to/create_agents/' | relative_url }}">Create agents</a> · <a href="{{ '/how-to/custom_pages/' | relative_url }}">Create custom pages</a> · <a href="{{ '/how-to/agents/ServiceNow/' | relative_url }}">ServiceNow guides</a></p>
     </article>
     <article class="latest-release-card">
         <div class="latest-release-card-icon"><i class="bi bi-person-badge"></i></div>
diff --git a/functional_tests/test_custom_pages_wiring.py b/functional_tests/test_custom_pages_wiring.py
new file mode 100644
index 000000000..3578c7c3e
--- /dev/null
+++ b/functional_tests/test_custom_pages_wiring.py
@@ -0,0 +1,284 @@
+# test_custom_pages_wiring.py
+"""
+Functional test for Custom Pages wiring.
+Version: 0.242.037
+Implemented in: 0.242.023
+
+This test ensures that the Custom Pages feature is wired through settings,
+navigation, admin metadata management, and fail-closed host routes without
+requiring live Cosmos DB connectivity.
+"""
+
+from pathlib import Path
+import sys
+
+
+REPO_ROOT = Path(__file__).resolve().parents[1]
+APP_ROOT = REPO_ROOT / "application" / "single_app"
+
+
+def read_text(relative_path):
+    """Read a repository file as UTF-8 text."""
+    return (REPO_ROOT / relative_path).read_text(encoding="utf-8")
+
+
+def assert_contains(content, expected, description):
+    """Assert that expected text is present in content."""
+    if expected not in content:
+        raise AssertionError(f"Missing {description}: {expected}")
+
+
+def assert_not_contains(content, unexpected, description):
+    """Assert that unexpected text is not present in content."""
+    if unexpected in content:
+        raise AssertionError(f"Unexpected {description}: {unexpected}")
+
+
+def test_custom_pages_configuration():
+    """Validate version, settings defaults, and Cosmos container wiring."""
+    config = read_text("application/single_app/config.py")
+    settings = read_text("application/single_app/functions_settings.py")
+
+    assert_contains(config, 'VERSION = "0.242.037"', "version bump")
+    assert_contains(config, 'cosmos_custom_pages_container_name = "custom_pages"', "custom pages container name")
+    assert_contains(config, 'cosmos_custom_pages_container = cosmos_database.create_container_if_not_exists', "custom pages container creation")
+    assert_contains(settings, "'enable_custom_pages': False", "custom pages disabled default")
+    assert_contains(settings, "'custom_pages_menu_name': 'Custom Pages'", "custom pages menu name default")
+    assert_contains(settings, "'custom_pages_force_menu': False", "custom pages force menu default")
+    assert_contains(settings, "'access_request_button_enabled': False", "access request button disabled default")
+    assert_contains(settings, "'access_request_page_url': '/custom/request-access'", "access request page URL default")
+
+
+def test_custom_pages_routes_and_access_controls():
+    """Validate that host routes are protected and fail closed when disabled."""
+    routes = read_text("application/single_app/route_custom_pages.py")
+    app = read_text("application/single_app/app.py")
+    base_template = read_text("application/single_app/templates/base.html")
+
+    for route in (
+        '@app.route("/custom/<slug>", methods=["GET"])',
+        '@app.route("/custom/<slug>.html", methods=["GET"])',
+        '@app.route("/custom/assets/<slug>/<folder>/<path:filename>", methods=["GET"])',
+        '@app.route("/api/custom/<slug>/<path:operation>", methods=["GET", "POST", "PUT", "PATCH", "DELETE"])',
+        '@app.route("/api/admin/custom-pages", methods=["GET"])',
+        '@app.route("/api/admin/custom-pages/developer-guide", methods=["GET"])',
+    ):
+        assert_contains(routes, route, f"route declaration {route}")
+
+    assert_contains(routes, "@swagger_route(security=get_auth_security())", "Swagger security decorator")
+    assert_contains(routes, "@login_required", "login requirement")
+    assert_not_contains(routes, "@user_required", "blanket user requirement on custom page routes")
+    assert_contains(routes, "@admin_required", "admin requirement")
+    assert_contains(routes, "if not is_custom_pages_enabled(settings):", "feature flag gate")
+    assert_contains(routes, "return None, settings, _custom_pages_disabled_response()", "fail-closed disabled response")
+    assert_contains(routes, "def custom_page_html_alias", "HTML alias custom page route")
+    assert_contains(routes, "request-access", "request access metadata helper route")
+    assert_contains(routes, "access_request_button_enabled", "access request button settings update")
+    assert_contains(routes, "A custom page with this slug already exists.", "duplicate slug create guard")
+    assert_contains(app, "register_route_custom_pages(app)", "custom page route registration")
+    assert_contains(app, "custom_pages_nav=custom_pages_nav", "custom page navigation context")
+    assert_contains(base_template, "_custom_pages_drawer.html", "custom pages drawer include")
+
+
+def test_custom_pages_admin_and_navigation_wiring():
+    """Validate Admin Settings and user navigation templates include Custom Pages."""
+    admin_template = read_text("application/single_app/templates/admin_settings.html")
+    admin_route = read_text("application/single_app/route_frontend_admin_settings.py")
+    top_nav = read_text("application/single_app/templates/_top_nav.html")
+    sidebar_nav = read_text("application/single_app/templates/_sidebar_nav.html")
+    admin_js = read_text("application/single_app/static/js/admin/admin_custom_pages.js")
+
+    for element_id in (
+        "custom-pages-tab",
+        "custom-pages-section",
+        "enable_custom_pages",
+        "custom_pages_menu_name",
+        "custom_pages_force_menu",
+        "custom_pages_restart_acknowledged",
+        "customPagesRestartModal",
+        "custom-pages-restart-acknowledge-btn",
+        "custom-pages-guide-btn",
+        "customPagesGuideModal",
+        "custom-pages-guide-content",
+        "customPageDesignerModal",
+        "custom-pages-tbody",
+        "add-custom-page-btn",
+        "create-request-access-page-btn",
+        "requestAccessPageCreatedModal",
+        "custom_page_access_level",
+        "custom-page-slug-feedback",
+        "data-custom-page-file-input",
+        "data-custom-page-file-add",
+        "data-custom-page-file-list",
+        "Deployed Files",
+        "Publishing",
+    ):
+        assert_contains(admin_template, element_id, f"admin template element {element_id}")
+
+    assert_contains(admin_template, "admin_custom_pages.js", "custom pages admin script include")
+    assert_contains(admin_route, "enable_custom_pages = form_data.get('enable_custom_pages') == 'on'", "custom pages toggle save")
+    assert_contains(admin_route, "custom_pages_restart_acknowledged = form_data.get('custom_pages_restart_acknowledged') == 'on'", "custom pages restart acknowledgement parsing")
+    assert_contains(admin_route, "custom_pages_enabled_acknowledged", "custom pages restart acknowledgement activity log")
+    assert_contains(admin_route, "'custom_pages_menu_name': custom_pages_menu_name", "custom pages menu name save")
+    assert_contains(admin_route, "'access_request_button_enabled': bool(settings.get('access_request_button_enabled', False))", "access request setting preservation")
+    index_template = read_text("application/single_app/templates/index.html")
+    assert_contains(index_template, "access_request_button_enabled", "access denied request access button")
+    assert_contains(top_nav, "custom_pages_nav", "top navigation custom pages")
+    assert_contains(top_nav, "custom-pages-dropdown-menu", "bounded custom pages top navigation menu")
+    assert_contains(top_nav, "custom_pages_drawer_threshold = 5", "custom pages drawer threshold")
+    assert_contains(top_nav, "custom-pages-top-drawer-trigger", "top navigation drawer trigger")
+    assert_contains(top_nav, "data-custom-pages-open-drawer", "top navigation drawer trigger attribute")
+    assert_contains(top_nav, "No custom pages registered", "top navigation empty custom pages state")
+    assert_contains(sidebar_nav, "custom-pages-links-section", "sidebar custom pages section")
+    assert_contains(sidebar_nav, "custom-pages-count-badge", "sidebar custom pages count badge")
+    assert_contains(sidebar_nav, "custom-pages-menu-list", "sidebar custom pages scrollable menu")
+    assert_contains(sidebar_nav, "custom_pages_drawer_threshold = 5", "sidebar custom pages drawer threshold")
+    assert_contains(sidebar_nav, "data-custom-pages-open-drawer", "sidebar drawer trigger")
+    assert_contains(sidebar_nav, "No custom pages registered", "sidebar empty custom pages state")
+    assert_contains(admin_js, "fetch(\"/api/admin/custom-pages\")", "admin API list call")
+    assert_contains(admin_js, "createRequestAccessPage", "request access one-click helper")
+    assert_contains(admin_js, "/api/admin/custom-pages/request-access-example", "request access helper API call")
+    assert_contains(admin_js, "requestAccessPageExists", "request access duplicate button state")
+    assert_contains(admin_js, "validateCustomPageSlugUniqueness", "custom page slug uniqueness validation")
+    assert_contains(admin_js, "Choose a unique slug before saving this custom page.", "custom page duplicate slug save guard")
+    assert_contains(admin_js, "customPagesInitiallyEnabled", "custom pages restart modal initial state")
+    assert_contains(admin_js, "restartAcknowledgementField.value = \"on\"", "custom pages restart acknowledgement client flag")
+    assert_contains(admin_js, "loadCustomPagesGuide", "custom pages developer guide modal loader")
+    assert_contains(admin_js, "DOMPurify.sanitize(marked.parse(markdown))", "custom pages developer guide sanitized markdown rendering")
+    assert_contains(admin_js, "setupCustomPageFileListEditors", "custom pages file list editor setup")
+    assert_contains(admin_js, "addCustomPageFile", "custom pages file list add action")
+    assert_contains(admin_js, "removeCustomPageFile", "custom pages file list remove action")
+    assert_contains(admin_js, "textContent", "safe DOM text rendering")
+
+    drawer_template = read_text("application/single_app/templates/_custom_pages_drawer.html")
+    assert_contains(drawer_template, "customPagesDrawer", "custom pages drawer id")
+    assert_contains(drawer_template, "custom-pages-drawer-list", "custom pages drawer scroll list")
+    assert_contains(drawer_template, "data-custom-pages-open-drawer", "custom pages drawer trigger handler")
+
+
+def test_custom_pages_trusted_rendering_boundary():
+    """Validate the trusted static HTML shell documents the XSS boundary."""
+    shell = read_text("application/single_app/templates/custom_page_shell.html")
+    helpers = read_text("application/single_app/functions_custom_pages.py")
+
+    assert_contains(shell, "xss-check: ignore", "trusted HTML XSS suppression")
+    assert_contains(shell, "deployment-time trusted app-team content", "trusted HTML explanation")
+    assert_contains(shell, "{{ custom_page_html | safe }}", "trusted HTML render boundary")
+    assert_contains(helpers, "SLUG_PATTERN", "slug validation")
+    assert_contains(helpers, "validate_custom_page_file_reference", "file reference validation")
+    assert_contains(helpers, "ACCESS_LEVELS", "custom page access level validation")
+    assert_contains(helpers, '"access_level": str(page.get("access_level") or "app_user").strip().lower()', "custom page access level normalization")
+    assert_contains(helpers, 'access_level != "authenticated"', "app-user access level enforcement")
+    assert_contains(helpers, "os.path.commonpath", "path traversal guard")
+    assert_contains(helpers, "_file_reference_is_declared", "asset declaration guard")
+    assert_not_contains(helpers, 'if "Admin" in role_set:', "Admin custom page authorization override")
+    assert_contains(helpers, "required_role_set = set(required_roles)", "custom page required role set")
+    assert_contains(helpers, "if role_set.intersection(required_role_set):", "custom page exact role match")
+    assert_contains(helpers, 'return "Admin" in role_set and "User" in required_role_set', "Admin implies User custom page role")
+
+
+def test_custom_pages_examples_and_request_access_page():
+    """Validate docs-only examples and the live Request Access page."""
+    docs_example_files = [
+        "docs/how-to/custom_pages_examples/simple-html/example-simple.html",
+        "docs/how-to/custom_pages_examples/static-html-css-js/example-static.html",
+        "docs/how-to/custom_pages_examples/static-html-css-js/example-static.css",
+        "docs/how-to/custom_pages_examples/static-html-css-js/example-static.js",
+        "docs/how-to/custom_pages_examples/static-html-css-js/cat.mp4",
+        "docs/how-to/custom_pages_examples/python-jinja-api/example-python-dashboard.html",
+        "docs/how-to/custom_pages_examples/python-jinja-api/example-python-dashboard.css",
+        "docs/how-to/custom_pages_examples/python-jinja-api/example-python-dashboard.js",
+        "docs/how-to/custom_pages_examples/python-jinja-api/example_python_dashboard.py",
+    ]
+
+    live_request_access_files = [
+        "application/single_app/custom_pages/html/request-access.html",
+        "application/single_app/custom_pages/css/request-access.css",
+    ]
+
+    for relative_path in docs_example_files + live_request_access_files:
+        if not (REPO_ROOT / relative_path).exists():
+            raise AssertionError(f"Missing custom page file: {relative_path}")
+
+    removed_live_examples = [
+        "application/single_app/custom_pages/html/example-simple.html",
+        "application/single_app/custom_pages/html/example-static.html",
+        "application/single_app/custom_pages/html/example-python-dashboard.html",
+        "application/single_app/custom_pages/css/example-static.css",
+        "application/single_app/custom_pages/js/example-static.js",
+        "application/single_app/custom_pages/python/example_python_dashboard.py",
+        "application/single_app/docs/how-to/custom_pages_examples/simple-html/example-simple.html",
+        "application/single_app/docs/how-to/custom_pages_examples/static-html-css-js/example-static.html",
+        "application/single_app/docs/how-to/custom_pages_examples/static-html-css-js/cat.mp4",
+        "application/single_app/docs/how-to/custom_pages_examples/python-jinja-api/example_python_dashboard.py",
+    ]
+    for relative_path in removed_live_examples:
+        if (REPO_ROOT / relative_path).exists():
+            raise AssertionError(f"Example file should live in docs, not live custom_pages: {relative_path}")
+
+    simple_html = read_text("docs/how-to/custom_pages_examples/simple-html/example-simple.html")
+    static_html = read_text("docs/how-to/custom_pages_examples/static-html-css-js/example-static.html")
+    static_js = read_text("docs/how-to/custom_pages_examples/static-html-css-js/example-static.js")
+    python_extension = read_text("docs/how-to/custom_pages_examples/python-jinja-api/example_python_dashboard.py")
+    python_template = read_text("docs/how-to/custom_pages_examples/python-jinja-api/example-python-dashboard.html")
+    request_access_html = read_text("application/single_app/custom_pages/html/request-access.html")
+
+    assert_contains(simple_html, "Hello from a custom HTML page", "simple HTML example content")
+    assert_contains(static_html, "data-static-example", "static example root hook")
+    assert_contains(static_html, "/custom/assets/example-static/assets/cat.mp4", "static example video asset URL")
+    assert_contains(static_html, "<video", "static example video viewer")
+    assert_contains(static_js, "addEventListener", "static example JavaScript behavior")
+    assert_contains(python_extension, '"slug": "example-python-dashboard"', "Python example slug metadata")
+    assert_contains(python_extension, "def handle_api", "Python example backend API handler")
+    assert_contains(python_template, "{% extends \"base.html\" %}", "Python example Jinja template")
+    assert_contains(request_access_html, "accessrequest@example.com", "request access mail recipient")
+    assert_contains(request_access_html, "SimpleChat%20Access%20Request", "request access mail subject")
+
+
+def test_custom_pages_developer_guide_single_source():
+    """Validate the Custom Pages how-to is the source for the in-app guide."""
+    dockerfile = read_text("application/single_app/Dockerfile")
+    app_guide = read_text("application/single_app/docs/how-to/custom_pages.md")
+    docs_guide = read_text("docs/how-to/custom_pages.md")
+    index = read_text("docs/how-to/index.md")
+
+    if "docs/how-to/custom_pages.md" in dockerfile:
+        raise AssertionError("Dockerfile should not depend on repository-level docs for Custom Pages guide content.")
+    assert_contains(app_guide, "# Create Custom Pages", "custom pages canonical app guide title")
+    assert_contains(app_guide, "Pattern 1: Simple HTML Page", "simple HTML guide section")
+    assert_contains(app_guide, "Pattern 2: Static HTML, CSS, and JavaScript Page", "static page guide section")
+    assert_contains(app_guide, "Pattern 3: Python-Backed Jinja Page with Backend API", "Python-backed page guide section")
+    assert_contains(docs_guide, "application/single_app/docs/how-to/custom_pages.md", "docs how-to pointer to in-app guide")
+    assert_contains(docs_guide, "Do not duplicate the full guide", "docs how-to duplication warning")
+    assert_contains(index, "/how-to/custom_pages/", "how-to index custom pages link")
+
+
+def run_tests():
+    """Run all Custom Pages wiring tests."""
+    tests = [
+        test_custom_pages_configuration,
+        test_custom_pages_routes_and_access_controls,
+        test_custom_pages_admin_and_navigation_wiring,
+        test_custom_pages_trusted_rendering_boundary,
+        test_custom_pages_examples_and_request_access_page,
+        test_custom_pages_developer_guide_single_source,
+    ]
+    results = []
+
+    for test in tests:
+        print(f"Running {test.__name__}...")
+        try:
+            test()
+            print(f"Passed {test.__name__}")
+            results.append(True)
+        except Exception as ex:
+            print(f"Failed {test.__name__}: {ex}")
+            results.append(False)
+
+    print(f"Results: {sum(results)}/{len(results)} tests passed")
+    return all(results)
+
+
+if __name__ == "__main__":
+    success = run_tests()
+    sys.exit(0 if success else 1)
\ No newline at end of file

From 71805e12b6edbe0ab5ea774b5f244d8faadd968d Mon Sep 17 00:00:00 2001
From: Bionic711 <nadoyle@microsoft.com>
Date: Wed, 10 Jun 2026 11:46:47 -0500
Subject: [PATCH 07/12] fix for metadata extraction model selection for
 multiendpoint

---
 application/single_app/config.py              |  2 +-
 .../route_frontend_admin_settings.py          |  2 +-
 .../static/js/admin/admin_model_endpoints.js  | 65 +++++++++++++++++++
 .../static/js/admin/admin_settings.js         | 36 ----------
 .../single_app/templates/admin_settings.html  |  2 +-
 5 files changed, 68 insertions(+), 39 deletions(-)

diff --git a/application/single_app/config.py b/application/single_app/config.py
index 30f615f0d..773b69a7e 100644
--- a/application/single_app/config.py
+++ b/application/single_app/config.py
@@ -94,7 +94,7 @@
 EXECUTOR_TYPE = 'thread'
 EXECUTOR_MAX_WORKERS = 30
 SESSION_TYPE = 'filesystem'
-VERSION = "0.242.037"
+VERSION = "0.242.039"
 
 SECRET_KEY = os.getenv('SECRET_KEY', 'dev-secret-key-change-in-production')
 
diff --git a/application/single_app/route_frontend_admin_settings.py b/application/single_app/route_frontend_admin_settings.py
index 53ac424f9..b4249d3a1 100644
--- a/application/single_app/route_frontend_admin_settings.py
+++ b/application/single_app/route_frontend_admin_settings.py
@@ -881,7 +881,7 @@ def parse_admin_int(raw_value, fallback_value, field_name="unknown", hard_defaul
                 'model_id': str(parsed_metadata_model_selection.get('model_id') or '').strip(),
                 'provider': str(parsed_metadata_model_selection.get('provider') or '').strip().lower()
             }
-            metadata_extraction_model_deployment = ''
+            metadata_extraction_model_deployment = form_data.get('metadata_extraction_model', '').strip()
 
             if not enable_multi_model_endpoints:
                 normalized_metadata_model_selection = {
diff --git a/application/single_app/static/js/admin/admin_model_endpoints.js b/application/single_app/static/js/admin/admin_model_endpoints.js
index 3ce1ced8e..41a764ed1 100644
--- a/application/single_app/static/js/admin/admin_model_endpoints.js
+++ b/application/single_app/static/js/admin/admin_model_endpoints.js
@@ -12,6 +12,8 @@ const defaultModelInput = document.getElementById("default_model_selection_json"
 const defaultModelWrapper = document.getElementById("default-model-selection-wrapper");
 const metadataExtractionModelSelect = document.getElementById("metadata_extraction_model");
 const metadataExtractionModelInput = document.getElementById("metadata_extraction_model_selection_json");
+const legacyGptApimToggle = document.getElementById("enable_gpt_apim");
+const legacyApimGptDeploymentInput = document.getElementById("azure_apim_gpt_deployment");
 const migrationPanel = document.getElementById("agent-default-model-migration-panel");
 const migrationStatus = document.getElementById("agent-default-model-migration-status");
 const migrationCallout = document.getElementById("agent-default-model-migration-callout");
@@ -147,6 +149,10 @@ function updateMetadataExtractionModelInput() {
     metadataExtractionModelInput.value = JSON.stringify(metadataExtractionModelSelection || {});
 }
 
+function isMultiEndpointModeEnabled() {
+    return !!enableMultiEndpointToggle?.checked;
+}
+
 function isAdminSettingsFormModified() {
     return typeof window.isAdminSettingsFormModified === "function" && window.isAdminSettingsFormModified();
 }
@@ -425,6 +431,11 @@ function buildMetadataExtractionModelOptions() {
     emptyOption.textContent = "No metadata extraction model selected";
     metadataExtractionModelSelect.appendChild(emptyOption);
 
+    if (!isMultiEndpointModeEnabled()) {
+        buildLegacyMetadataExtractionModelOptions();
+        return;
+    }
+
     modelEndpoints.forEach((endpoint) => {
         const models = Array.isArray(endpoint.models) ? endpoint.models : [];
         models.forEach((model) => {
@@ -435,6 +446,40 @@ function buildMetadataExtractionModelOptions() {
     applyMetadataExtractionModelSelection(metadataExtractionModelSelection);
 }
 
+function buildLegacyMetadataExtractionModelOptions() {
+    metadataExtractionModelSelection = {
+        endpoint_id: "",
+        model_id: "",
+        provider: ""
+    };
+    updateMetadataExtractionModelInput();
+
+    if (legacyGptApimToggle?.checked) {
+        const deployments = String(legacyApimGptDeploymentInput?.value || "")
+            .split(",")
+            .map((deployment) => deployment.trim())
+            .filter(Boolean);
+
+        deployments.forEach((deployment) => {
+            metadataExtractionModelSelect.add(new Option(deployment, deployment));
+        });
+    } else {
+        const legacyModels = Array.isArray(window.gptSelected) ? window.gptSelected : [];
+        legacyModels.forEach((model) => {
+            const deploymentName = model?.deploymentName || "";
+            if (!deploymentName) {
+                return;
+            }
+            const modelName = model?.modelName || deploymentName;
+            metadataExtractionModelSelect.add(new Option(`${deploymentName} (${modelName})`, deploymentName));
+        });
+    }
+
+    if (legacyMetadataExtractionModel) {
+        metadataExtractionModelSelect.value = legacyMetadataExtractionModel;
+    }
+}
+
 function applyMetadataExtractionModelSelection(selection) {
     if (!metadataExtractionModelSelect) {
         return;
@@ -541,6 +586,17 @@ function handleMetadataExtractionModelChange() {
         return;
     }
 
+    if (!isMultiEndpointModeEnabled()) {
+        metadataExtractionModelSelection = {
+            endpoint_id: "",
+            model_id: "",
+            provider: ""
+        };
+        updateMetadataExtractionModelInput();
+        markModified();
+        return;
+    }
+
     const selectedOption = metadataExtractionModelSelect.selectedOptions[0];
     if (!selectedOption || !selectedOption.value) {
         metadataExtractionModelSelection = {
@@ -1183,6 +1239,7 @@ function handleToggleChange() {
     if (!enabled) {
         setElementVisibility(migrationResults, false);
     }
+    buildMetadataExtractionModelOptions();
     markModified();
     handleMigrationConfigurationChange();
 }
@@ -1612,6 +1669,14 @@ function init() {
         metadataExtractionModelSelect.addEventListener("change", handleMetadataExtractionModelChange);
     }
 
+    if (legacyGptApimToggle) {
+        legacyGptApimToggle.addEventListener("change", buildMetadataExtractionModelOptions);
+    }
+
+    if (legacyApimGptDeploymentInput) {
+        legacyApimGptDeploymentInput.addEventListener("input", buildMetadataExtractionModelOptions);
+    }
+
     if (previewMigrationBtn) {
         previewMigrationBtn.addEventListener("click", () => {
             openMigrationReviewModal();
diff --git a/application/single_app/static/js/admin/admin_settings.js b/application/single_app/static/js/admin/admin_settings.js
index 7861b8017..657fede79 100644
--- a/application/single_app/static/js/admin/admin_settings.js
+++ b/application/single_app/static/js/admin/admin_settings.js
@@ -3675,37 +3675,6 @@ if (audioServiceDiv) {
 // Metadata Extraction UI
 const extractToggle = document.getElementById('enable_extract_meta_data');
 const extractModelDiv = document.getElementById('metadata_extraction_model_settings');
-const extractSelect   = document.getElementById('metadata_extraction_model');
-
-function populateExtractionModels() {
-  // remember previously chosen value
-  const prev = extractSelect.getAttribute('data-prev') || '';
-
-  // clear out old options
-  extractSelect.innerHTML = '';
-
-  if (document.getElementById('enable_gpt_apim').checked) {
-    // use comma-separated APIM deployments
-    const text = document.getElementById('azure_apim_gpt_deployment').value || '';
-    text.split(',')
-        .map(s => s.trim())
-        .filter(s => s)
-        .forEach(d => {
-          const opt = new Option(d, d);
-          extractSelect.add(opt);
-        });
-  } else {
-    // use direct GPT selected deployments
-    (window.gptSelected || []).forEach(m => {
-      const label = `${m.deploymentName} (${m.modelName})`;
-      const opt = new Option(label, m.deploymentName);
-      extractSelect.add(opt);
-    });
-  }
-
-  // restore previous
-  extractSelect.value = prev;
-}
 
 if (extractToggle) {
     // show/hide the model dropdown
@@ -3798,17 +3767,12 @@ if (visionSelect) {
 const apimToggle = document.getElementById('enable_gpt_apim');
 if (apimToggle) {
     apimToggle.addEventListener('change', () => {
-        populateExtractionModels();
         populateVisionModels();
     });
 }
 
 // on load, stash previous & populate
 document.addEventListener('DOMContentLoaded', () => {
-    if (extractSelect) {
-        extractSelect.setAttribute('data-prev', extractSelect.value);
-        populateExtractionModels();
-    }
     if (visionSelect) {
         visionSelect.setAttribute('data-prev', visionSelect.value);
         populateVisionModels();
diff --git a/application/single_app/templates/admin_settings.html b/application/single_app/templates/admin_settings.html
index 48a8dd56c..0dba025a3 100644
--- a/application/single_app/templates/admin_settings.html
+++ b/application/single_app/templates/admin_settings.html
@@ -4377,7 +4377,7 @@ <h5>
                                             </select>
                                             <input type="hidden" name="metadata_extraction_model_selection_json" id="metadata_extraction_model_selection_json" />
                                             <div class="form-text">
-                                                Uses enabled models from Global Endpoints. Configure endpoints in AI Models first.
+                                                Uses Global Endpoints when multi-endpoint model management is enabled; otherwise uses the legacy GPT/APIM deployment settings.
                                             </div>
                     </div>
                 </div>

From d0d7e2a2da8c798da931ee07079e5a5f4615a501 Mon Sep 17 00:00:00 2001
From: Bionic711 <nadoyle@microsoft.com>
Date: Wed, 10 Jun 2026 15:15:14 -0500
Subject: [PATCH 08/12] fix for metadata extraction and nav

---
 application/single_app/config.py              |  2 +-
 .../static/js/admin/admin_model_endpoints.js  |  6 ++-
 .../templates/_custom_pages_drawer.html       | 25 +++++-------
 .../single_app/templates/_sidebar_nav.html    | 14 ++-----
 .../single_app/templates/_top_nav.html        | 38 +++++++++++++------
 docs/explanation/features/CUSTOM_PAGES.md     |  6 ++-
 functional_tests/test_custom_pages_wiring.py  | 12 ++++--
 7 files changed, 58 insertions(+), 45 deletions(-)

diff --git a/application/single_app/config.py b/application/single_app/config.py
index 773b69a7e..e31703fb9 100644
--- a/application/single_app/config.py
+++ b/application/single_app/config.py
@@ -94,7 +94,7 @@
 EXECUTOR_TYPE = 'thread'
 EXECUTOR_MAX_WORKERS = 30
 SESSION_TYPE = 'filesystem'
-VERSION = "0.242.039"
+VERSION = "0.242.041"
 
 SECRET_KEY = os.getenv('SECRET_KEY', 'dev-secret-key-change-in-production')
 
diff --git a/application/single_app/static/js/admin/admin_model_endpoints.js b/application/single_app/static/js/admin/admin_model_endpoints.js
index 41a764ed1..c6ae24451 100644
--- a/application/single_app/static/js/admin/admin_model_endpoints.js
+++ b/application/single_app/static/js/admin/admin_model_endpoints.js
@@ -150,7 +150,11 @@ function updateMetadataExtractionModelInput() {
 }
 
 function isMultiEndpointModeEnabled() {
-    return !!enableMultiEndpointToggle?.checked;
+    if (enableMultiEndpointToggle) {
+        return !!enableMultiEndpointToggle.checked;
+    }
+
+    return window.enableMultiModelEndpoints === true || window.enableMultiModelEndpoints === "true";
 }
 
 function isAdminSettingsFormModified() {
diff --git a/application/single_app/templates/_custom_pages_drawer.html b/application/single_app/templates/_custom_pages_drawer.html
index c0e70b1b2..6e932e701 100644
--- a/application/single_app/templates/_custom_pages_drawer.html
+++ b/application/single_app/templates/_custom_pages_drawer.html
@@ -1,4 +1,4 @@
-{% if session.get('user') and session['user'].get('roles') and ('Admin' in session['user']['roles'] or 'User' in session['user']['roles']) and app_settings.enable_custom_pages %}
+{% if session.get('user') and app_settings.enable_custom_pages and custom_pages_nav %}
 <div class="offcanvas offcanvas-end custom-pages-drawer" tabindex="-1" id="customPagesDrawer" aria-labelledby="customPagesDrawerLabel">
     <div class="offcanvas-header border-bottom">
         <div>
@@ -8,21 +8,14 @@ <h5 class="offcanvas-title" id="customPagesDrawerLabel">{{ app_settings.custom_p
         <button type="button" class="btn-close" data-bs-dismiss="offcanvas" aria-label="Close"></button>
     </div>
     <div class="offcanvas-body">
-        {% if custom_pages_nav %}
-            <div class="list-group custom-pages-drawer-list">
-                {% for page in custom_pages_nav %}
-                    <a class="list-group-item list-group-item-action custom-pages-drawer-item" href="{{ page.url }}" {% if page.open_in_new_tab %}target="_blank" rel="noopener noreferrer"{% endif %}>
-                        <i class="bi {{ page.icon }} me-2"></i>
-                        <span>{{ page.label }}</span>
-                    </a>
-                {% endfor %}
-            </div>
-        {% else %}
-            <div class="text-muted d-flex align-items-center gap-2">
-                <i class="bi bi-info-circle"></i>
-                <span>No custom pages registered</span>
-            </div>
-        {% endif %}
+        <div class="list-group custom-pages-drawer-list">
+            {% for page in custom_pages_nav %}
+                <a class="list-group-item list-group-item-action custom-pages-drawer-item" href="{{ page.url }}" {% if page.open_in_new_tab %}target="_blank" rel="noopener noreferrer"{% endif %}>
+                    <i class="bi {{ page.icon }} me-2"></i>
+                    <span>{{ page.label }}</span>
+                </a>
+            {% endfor %}
+        </div>
     </div>
 </div>
 <script>
diff --git a/application/single_app/templates/_sidebar_nav.html b/application/single_app/templates/_sidebar_nav.html
index 5753a47e3..4902d0846 100644
--- a/application/single_app/templates/_sidebar_nav.html
+++ b/application/single_app/templates/_sidebar_nav.html
@@ -190,8 +190,8 @@
     </div>
     {% endif %}
 
-    <!-- Custom Pages Section - Show header when enabled, even before pages are registered -->
-    {% if session.get('user') and session['user'].get('roles') and ('Admin' in session['user']['roles'] or 'User' in session['user']['roles']) and app_settings.enable_custom_pages %}
+    <!-- Custom Pages Section - Show only when the signed-in user has visible custom pages -->
+    {% if session.get('user') and app_settings.enable_custom_pages and custom_pages_nav %}
     <div class="overflow-auto custom-pages-menu-wrapper">
       {% set custom_page_count = custom_pages_nav|length %}
       {% set custom_pages_drawer_threshold = 5 %}
@@ -203,7 +203,7 @@
           <span class="badge rounded-pill text-bg-secondary custom-pages-count-badge">{{ custom_page_count }}</span>
           <i class="bi bi-layout-sidebar-inset-reverse ms-2 custom-pages-caret"></i>
         </button>
-      {% elif custom_pages_should_force_menu or custom_page_count == 0 %}
+      {% elif custom_pages_should_force_menu %}
         <div id="custom-pages-toggle" class="custom-pages-menu-toggle mt-2 mb-1 text-muted small d-flex align-items-center">
           <span class="nav-text flex-grow-1">{{ app_settings.custom_pages_menu_name or 'Custom Pages' }}</span>
           <span class="badge rounded-pill text-bg-secondary custom-pages-count-badge">{{ custom_page_count }}</span>
@@ -211,14 +211,6 @@
         </div>
         <div id="custom-pages-links-section" class="custom-pages-menu-list">
           <ul class="nav flex-column mb-2">
-            {% if custom_page_count == 0 %}
-            <li class="nav-item">
-              <span class="nav-link d-flex align-items-center text-muted">
-                <i class="bi bi-info-circle me-2" style="font-size: 0.8em;"></i>
-                <span class="nav-text">No custom pages registered</span>
-              </span>
-            </li>
-            {% endif %}
             {% for page in custom_pages_nav %}
             <li class="nav-item">
               <a class="nav-link d-flex align-items-center" href="{{ page.url }}" {% if page.open_in_new_tab %}target="_blank" rel="noopener noreferrer"{% endif %}>
diff --git a/application/single_app/templates/_top_nav.html b/application/single_app/templates/_top_nav.html
index da36c6f9d..c35bf7109 100644
--- a/application/single_app/templates/_top_nav.html
+++ b/application/single_app/templates/_top_nav.html
@@ -52,8 +52,9 @@
                 <div class="nav-item">
                     <a class="nav-link" href="{{ url_for('chats') }}">Chat</a>
                 </div>
+            {% endif %}
 
-                {% if app_settings.enable_custom_pages %}
+                {% if session.get('user') and app_settings.enable_custom_pages and custom_pages_nav %}
                     {% set custom_page_count = custom_pages_nav|length %}
                     {% set custom_pages_drawer_threshold = 5 %}
                     {% set custom_pages_use_drawer = custom_page_count > custom_pages_drawer_threshold %}
@@ -65,16 +66,13 @@
                                 <span class="badge rounded-pill text-bg-secondary ms-1">{{ custom_page_count }}</span>
                             </button>
                         </div>
-                    {% elif custom_pages_should_force_menu or custom_page_count == 0 %}
+                    {% elif custom_pages_should_force_menu %}
                         <div class="nav-item dropdown">
                             <a class="nav-link dropdown-toggle" href="#" id="customPagesDropdown" role="button" data-bs-toggle="dropdown" aria-expanded="false">
                                 {{ app_settings.custom_pages_menu_name or 'Custom Pages' }}
                                 <span class="badge rounded-pill text-bg-secondary ms-1">{{ custom_page_count }}</span>
                             </a>
                             <div class="dropdown-menu custom-pages-dropdown-menu" aria-labelledby="customPagesDropdown">
-                                {% if custom_page_count == 0 %}
-                                    <span class="dropdown-item text-muted">No custom pages registered</span>
-                                {% endif %}
                                 {% for page in custom_pages_nav %}
                                     <a class="dropdown-item" href="{{ page.url }}" {% if page.open_in_new_tab %}target="_blank" rel="noopener noreferrer"{% endif %}>
                                         <i class="bi {{ page.icon }} me-2"></i>{{ page.label }}
@@ -93,6 +91,7 @@
                     {% endif %}
                 {% endif %}
 
+            {% if session.get('user') and session['user'].get('roles') and ('Admin' in session['user']['roles'] or 'User' in session['user']['roles']) %}
                 {% set support_menu_role_allowed = 'Admin' in session['user']['roles'] or 'User' in session['user']['roles'] %}
                 {% if support_menu_role_allowed and app_settings.enable_support_menu %}
                     {% set show_support_latest_features = app_settings.enable_support_latest_features and app_settings.support_latest_features_has_visible_items %}
@@ -287,7 +286,7 @@ <h5 class="offcanvas-title" id="topNavMobileMenuLabel">Navigation</h5>
                 </a>
             </div>
 
-            {% if app_settings.enable_custom_pages %}
+            {% if app_settings.enable_custom_pages and custom_pages_nav %}
                 {% set custom_page_count = custom_pages_nav|length %}
                 {% set custom_pages_drawer_threshold = 5 %}
                 {% set custom_pages_use_drawer = custom_page_count > custom_pages_drawer_threshold %}
@@ -300,11 +299,6 @@ <h5 class="offcanvas-title" id="topNavMobileMenuLabel">Navigation</h5>
                     </div>
                 {% else %}
                 <div class="list-group list-group-flush top-nav-mobile-list">
-                    {% if not custom_pages_nav %}
-                        <span class="list-group-item text-muted">
-                            <i class="bi bi-info-circle me-2"></i>No custom pages registered
-                        </span>
-                    {% endif %}
                     {% for page in custom_pages_nav %}
                         <a class="list-group-item list-group-item-action" href="{{ page.url }}" {% if page.open_in_new_tab %}target="_blank" rel="noopener noreferrer"{% endif %}>
                             <i class="bi {{ page.icon }} me-2"></i>{{ page.label }}
@@ -346,11 +340,33 @@ <h5 class="offcanvas-title" id="topNavMobileMenuLabel">Navigation</h5>
                 </div>
             {% endif %}
         {% else %}
+            {% if session.get('user') and app_settings.enable_custom_pages and custom_pages_nav %}
+                {% set custom_page_count = custom_pages_nav|length %}
+                {% set custom_pages_drawer_threshold = 5 %}
+                {% set custom_pages_use_drawer = custom_page_count > custom_pages_drawer_threshold %}
+                <div class="top-nav-mobile-section-label">{{ app_settings.custom_pages_menu_name or 'Custom Pages' }}</div>
+                {% if custom_pages_use_drawer %}
+                    <div class="list-group list-group-flush top-nav-mobile-list">
+                        <button type="button" class="list-group-item list-group-item-action" data-custom-pages-open-drawer aria-controls="customPagesDrawer">
+                            <i class="bi bi-layout-sidebar-inset-reverse me-2"></i>Browse {{ custom_page_count }} custom pages
+                        </button>
+                    </div>
+                {% else %}
+                    <div class="list-group list-group-flush top-nav-mobile-list">
+                        {% for page in custom_pages_nav %}
+                            <a class="list-group-item list-group-item-action" href="{{ page.url }}" {% if page.open_in_new_tab %}target="_blank" rel="noopener noreferrer"{% endif %}>
+                                <i class="bi {{ page.icon }} me-2"></i>{{ page.label }}
+                            </a>
+                        {% endfor %}
+                    </div>
+                {% endif %}
+            {% elif not session.get('user') %}
             <div class="list-group list-group-flush top-nav-mobile-list">
                 <a class="list-group-item list-group-item-action" href="{{ url_for('login') }}">
                     <i class="bi bi-box-arrow-in-right me-2"></i>Login
                 </a>
             </div>
+            {% endif %}
         {% endif %}
     </div>
 </div>
diff --git a/docs/explanation/features/CUSTOM_PAGES.md b/docs/explanation/features/CUSTOM_PAGES.md
index 65ac93467..692512c31 100644
--- a/docs/explanation/features/CUSTOM_PAGES.md
+++ b/docs/explanation/features/CUSTOM_PAGES.md
@@ -1,6 +1,6 @@
 # Custom Pages
 
-Current version: **0.242.037**
+Current version: **0.242.040**
 
 Implemented in version: **0.242.023**
 
@@ -32,6 +32,8 @@ Request Access example and access levels implemented in version: **0.242.036**
 
 Request Access guidance modal and duplicate slug checks implemented in version: **0.242.037**
 
+Authenticated custom page navigation fix implemented in version: **0.242.040**
+
 ## Overview
 
 Custom Pages let app teams that deploy SimpleChat add trusted, deployment-time pages under the `/custom` namespace without changing the core application route code. The feature is controlled by the Admin Settings toggle `enable_custom_pages` and fails closed when disabled.
@@ -93,6 +95,8 @@ Version `0.242.036` added access levels, a repo-shipped Request Access static pa
 
 Version `0.242.037` added post-create guidance for editing the Request Access email address, disables the one-click Request Access helper once `request-access` exists, and prevents duplicate slugs in both the Admin Settings modal and create API.
 
+Version `0.242.040` changed navigation rendering so Custom Pages appears for any signed-in user only when `custom_pages_nav` contains at least one enabled, visible, authorized page. This allows `access_level=authenticated` pages such as Request Access to render for signed-in users without `User` or `Admin`, while hiding the pane when no custom page is available.
+
 ## Usage Instructions
 
 Admins can open Admin Settings > Custom Pages to enable the feature and create metadata for simple static pages. Metadata references files already deployed under `application/single_app/custom_pages/html`, `css`, `js`, `assets`, and `json`.
diff --git a/functional_tests/test_custom_pages_wiring.py b/functional_tests/test_custom_pages_wiring.py
index 3578c7c3e..fbb81d5d8 100644
--- a/functional_tests/test_custom_pages_wiring.py
+++ b/functional_tests/test_custom_pages_wiring.py
@@ -1,7 +1,7 @@
 # test_custom_pages_wiring.py
 """
 Functional test for Custom Pages wiring.
-Version: 0.242.037
+Version: 0.242.040
 Implemented in: 0.242.023
 
 This test ensures that the Custom Pages feature is wired through settings,
@@ -39,7 +39,7 @@ def test_custom_pages_configuration():
     config = read_text("application/single_app/config.py")
     settings = read_text("application/single_app/functions_settings.py")
 
-    assert_contains(config, 'VERSION = "0.242.037"', "version bump")
+    assert_contains(config, 'VERSION = "0.242.040"', "version bump")
     assert_contains(config, 'cosmos_custom_pages_container_name = "custom_pages"', "custom pages container name")
     assert_contains(config, 'cosmos_custom_pages_container = cosmos_database.create_container_if_not_exists', "custom pages container creation")
     assert_contains(settings, "'enable_custom_pages': False", "custom pages disabled default")
@@ -124,17 +124,19 @@ def test_custom_pages_admin_and_navigation_wiring():
     index_template = read_text("application/single_app/templates/index.html")
     assert_contains(index_template, "access_request_button_enabled", "access denied request access button")
     assert_contains(top_nav, "custom_pages_nav", "top navigation custom pages")
+    assert_contains(top_nav, "session.get('user') and app_settings.enable_custom_pages and custom_pages_nav", "top navigation custom pages visibility gate")
     assert_contains(top_nav, "custom-pages-dropdown-menu", "bounded custom pages top navigation menu")
     assert_contains(top_nav, "custom_pages_drawer_threshold = 5", "custom pages drawer threshold")
     assert_contains(top_nav, "custom-pages-top-drawer-trigger", "top navigation drawer trigger")
     assert_contains(top_nav, "data-custom-pages-open-drawer", "top navigation drawer trigger attribute")
-    assert_contains(top_nav, "No custom pages registered", "top navigation empty custom pages state")
+    assert_not_contains(top_nav, "No custom pages registered", "top navigation empty custom pages state")
     assert_contains(sidebar_nav, "custom-pages-links-section", "sidebar custom pages section")
+    assert_contains(sidebar_nav, "session.get('user') and app_settings.enable_custom_pages and custom_pages_nav", "sidebar custom pages visibility gate")
     assert_contains(sidebar_nav, "custom-pages-count-badge", "sidebar custom pages count badge")
     assert_contains(sidebar_nav, "custom-pages-menu-list", "sidebar custom pages scrollable menu")
     assert_contains(sidebar_nav, "custom_pages_drawer_threshold = 5", "sidebar custom pages drawer threshold")
     assert_contains(sidebar_nav, "data-custom-pages-open-drawer", "sidebar drawer trigger")
-    assert_contains(sidebar_nav, "No custom pages registered", "sidebar empty custom pages state")
+    assert_not_contains(sidebar_nav, "No custom pages registered", "sidebar empty custom pages state")
     assert_contains(admin_js, "fetch(\"/api/admin/custom-pages\")", "admin API list call")
     assert_contains(admin_js, "createRequestAccessPage", "request access one-click helper")
     assert_contains(admin_js, "/api/admin/custom-pages/request-access-example", "request access helper API call")
@@ -154,6 +156,8 @@ def test_custom_pages_admin_and_navigation_wiring():
     assert_contains(drawer_template, "customPagesDrawer", "custom pages drawer id")
     assert_contains(drawer_template, "custom-pages-drawer-list", "custom pages drawer scroll list")
     assert_contains(drawer_template, "data-custom-pages-open-drawer", "custom pages drawer trigger handler")
+    assert_contains(drawer_template, "session.get('user') and app_settings.enable_custom_pages and custom_pages_nav", "drawer custom pages visibility gate")
+    assert_not_contains(drawer_template, "No custom pages registered", "drawer empty custom pages state")
 
 
 def test_custom_pages_trusted_rendering_boundary():

From 2b3df34370d127ce470fc8a776f0bf5a0b408639 Mon Sep 17 00:00:00 2001
From: Bionic711 <nadoyle@microsoft.com>
Date: Wed, 10 Jun 2026 15:59:23 -0500
Subject: [PATCH 09/12] fix xss

---
 application/single_app/config.py                          | 2 +-
 .../single_app/static/js/workspace/workspace-documents.js | 5 +++++
 application/single_app/templates/workspace.html           | 8 ++++----
 3 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/application/single_app/config.py b/application/single_app/config.py
index e31703fb9..a3ad1d579 100644
--- a/application/single_app/config.py
+++ b/application/single_app/config.py
@@ -94,7 +94,7 @@
 EXECUTOR_TYPE = 'thread'
 EXECUTOR_MAX_WORKERS = 30
 SESSION_TYPE = 'filesystem'
-VERSION = "0.242.041"
+VERSION = "0.242.042"
 
 SECRET_KEY = os.getenv('SECRET_KEY', 'dev-secret-key-change-in-production')
 
diff --git a/application/single_app/static/js/workspace/workspace-documents.js b/application/single_app/static/js/workspace/workspace-documents.js
index 1b686b996..683e98c97 100644
--- a/application/single_app/static/js/workspace/workspace-documents.js
+++ b/application/single_app/static/js/workspace/workspace-documents.js
@@ -29,6 +29,7 @@ const docMetadataModalEl = document.getElementById("docMetadataModal") ? new boo
 const docMetadataForm = document.getElementById("doc-metadata-form");
 const docsSharedOnlyFilter = document.getElementById("docs-shared-only-filter");
 const deleteSelectedBtn = document.getElementById("delete-selected-btn");
+const chatSelectedBtn = document.getElementById("chat-selected-btn");
 const clearSelectionBtn = document.getElementById("clear-selection-btn");
 const documentDeleteModalElement = document.getElementById("documentDeleteModal");
 const documentDeleteModal = documentDeleteModalElement ? new bootstrap.Modal(documentDeleteModalElement) : null;
@@ -2061,6 +2062,10 @@ document.addEventListener('DOMContentLoaded', function() {
     if (deleteSelectedBtn) {
         deleteSelectedBtn.addEventListener('click', window.deleteSelectedDocuments);
     }
+
+    if (chatSelectedBtn) {
+        chatSelectedBtn.addEventListener('click', window.chatWithSelected);
+    }
     
     // Clear selection button
     if (clearSelectionBtn) {
diff --git a/application/single_app/templates/workspace.html b/application/single_app/templates/workspace.html
index ae842b70b..53a993ad1 100644
--- a/application/single_app/templates/workspace.html
+++ b/application/single_app/templates/workspace.html
@@ -715,7 +715,7 @@ <h2 class="workspace-page-title">Personal Workspace</h2>
                 <button type="button" class="btn btn-sm btn-primary" id="manage-tags-btn">
                   <i class="bi bi-tags me-1"></i>Tag Assignment
                 </button>
-                <button type="button" class="btn btn-sm btn-primary ms-2" id="chat-selected-btn" onclick="window.chatWithSelected()">
+                <button type="button" class="btn btn-sm btn-primary ms-2" id="chat-selected-btn">
                   <i class="bi bi-chat-dots-fill me-1"></i>Chat with Selected
                 </button>
                 <button type="button" class="btn btn-sm btn-danger ms-2" id="delete-selected-btn">
@@ -1643,8 +1643,8 @@ <h5 class="modal-title" id="approveSharedModalLabel">Approve Shared Document</h5
   <script>
     window.enableMultiModelEndpoints = {{ 'true' if settings.enable_multi_model_endpoints else 'false' }};
     window.modelEndpointScope = 'user';
-      window.workspaceModelEndpoints = {{ personal_model_endpoints|default([], true)|tojson|safe }};
-      window.globalModelEndpoints = {{ global_model_endpoints|default([], true)|tojson|safe }};
+      window.workspaceModelEndpoints = {{ personal_model_endpoints|default([], true)|tojson }};
+      window.globalModelEndpoints = {{ global_model_endpoints|default([], true)|tojson }};
   </script>
   {% if settings.per_user_semantic_kernel and settings.enable_semantic_kernel and settings.allow_user_custom_endpoints and settings.enable_multi_model_endpoints and workspace_governance.user_endpoints %}
   <script type="module" src="{{ url_for('static', filename='js/workspace/workspace_model_endpoints.js') }}"></script>
@@ -1655,7 +1655,7 @@ <h5 class="modal-title" id="approveSharedModalLabel">Approve Shared Document</h5
 
   <script>
     // Pass settings/flags needed by JS
-    window.classification_categories = {{ settings.document_classification_categories|default([], true)|tojson(indent=None)|safe }};
+    window.classification_categories = {{ settings.document_classification_categories|default([], true)|tojson(indent=None) }};
     if (!Array.isArray(window.classification_categories)) {
         window.classification_categories = [];
     }

From 2b83f786ce5b78d87a96b88d2407dd2c0e373ef8 Mon Sep 17 00:00:00 2001
From: Bionic711 <nadoyle@microsoft.com>
Date: Wed, 10 Jun 2026 16:15:13 -0500
Subject: [PATCH 10/12] fix xss

---
 application/single_app/config.py                     | 2 +-
 application/single_app/templates/admin_settings.html | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/application/single_app/config.py b/application/single_app/config.py
index a3ad1d579..d5fc1498b 100644
--- a/application/single_app/config.py
+++ b/application/single_app/config.py
@@ -94,7 +94,7 @@
 EXECUTOR_TYPE = 'thread'
 EXECUTOR_MAX_WORKERS = 30
 SESSION_TYPE = 'filesystem'
-VERSION = "0.242.042"
+VERSION = "0.242.043"
 
 SECRET_KEY = os.getenv('SECRET_KEY', 'dev-secret-key-change-in-production')
 
diff --git a/application/single_app/templates/admin_settings.html b/application/single_app/templates/admin_settings.html
index 0dba025a3..2019d6674 100644
--- a/application/single_app/templates/admin_settings.html
+++ b/application/single_app/templates/admin_settings.html
@@ -6904,8 +6904,8 @@ <h5 class="modal-title" id="userAgreementPreviewModalLabel">
     window.enableMultiModelEndpoints = {{ 'true' if settings.enable_multi_model_endpoints else 'false' }};
     window.modelEndpoints = {{ settings.model_endpoints|default([], true)|tojson|safe }};
     window.defaultModelSelection = {{ settings.default_model_selection|default({}, true)|tojson|safe }};
-    window.metadataExtractionModelSelection = {{ settings.metadata_extraction_model_selection|default({}, true)|tojson|safe }};
-    window.legacyMetadataExtractionModel = {{ settings.metadata_extraction_model|default('', true)|tojson|safe }};
+    window.metadataExtractionModelSelection = {{ settings.metadata_extraction_model_selection|default({}, true)|tojson }};
+    window.legacyMetadataExtractionModel = {{ settings.metadata_extraction_model|default('', true)|tojson }};
 
     if (!Array.isArray(window.gptSelected)) {
         window.gptSelected = [];

From fb5afed7cd5f6d2536dbaa94f0303cf4e8aa5f5d Mon Sep 17 00:00:00 2001
From: Bionic711 <nadoyle@microsoft.com>
Date: Fri, 12 Jun 2026 19:50:37 -0500
Subject: [PATCH 11/12] init user settings cache improvements

---
 application/single_app/app.py                 |   4 +-
 application/single_app/app_settings_cache.py  |  56 +++++-
 application/single_app/config.py              |   2 +-
 application/single_app/functions_settings.py  | 164 ++++++++++++++++--
 .../route_backend_retention_policy.py         |   1 +
 application/single_app/static/js/dark-mode.js |  44 +++--
 application/single_app/static/js/sidebar.js   |   9 +-
 application/single_app/templates/base.html    |   1 +
 .../USER_SETTINGS_CACHE_OPTIMIZATION.md       |  89 ++++++++++
 .../test_user_settings_cache_optimization.py  | 155 +++++++++++++++++
 10 files changed, 491 insertions(+), 34 deletions(-)
 create mode 100644 docs/explanation/features/USER_SETTINGS_CACHE_OPTIMIZATION.md
 create mode 100644 functional_tests/test_user_settings_cache_optimization.py

diff --git a/application/single_app/app.py b/application/single_app/app.py
index 711931da8..d8561195d 100644
--- a/application/single_app/app.py
+++ b/application/single_app/app.py
@@ -557,8 +557,8 @@ def inject_settings():
     try:
         user_id = get_current_user_id()
         if user_id:
-            from functions_settings import get_user_settings
-            user_settings = get_user_settings(user_id) or {}
+            from functions_settings import get_user_ui_settings
+            user_settings = get_user_ui_settings(user_id) or {}
     except Exception as e:
         print(f"Error injecting user settings: {e}")
         log_event(f"Error injecting user settings: {e}", level=logging.ERROR)
diff --git a/application/single_app/app_settings_cache.py b/application/single_app/app_settings_cache.py
index 44e28367a..5f3f24e4e 100644
--- a/application/single_app/app_settings_cache.py
+++ b/application/single_app/app_settings_cache.py
@@ -6,6 +6,7 @@
 """
 import json
 import logging
+import copy
 import threading
 import time
 from datetime import datetime
@@ -19,6 +20,7 @@
 _settings = None
 _logger = logging.getLogger(__name__)
 APP_SETTINGS_CACHE = {}
+APP_USER_UI_SETTINGS_CACHE = {}
 APP_STREAM_SESSION_METADATA = {}
 APP_STREAM_SESSION_EVENTS = {}
 APP_SETTINGS_CACHE_VERSION = 0
@@ -28,6 +30,8 @@
 APP_SETTINGS_CACHE_KEY = 'APP_SETTINGS_CACHE'
 APP_SETTINGS_CACHE_VERSION_KEY = 'APP_SETTINGS_CACHE_VERSION'
 APP_SETTINGS_CACHE_VERSION_DOC_ID = 'app_settings_cache_version'
+USER_UI_SETTINGS_CACHE_KEY_PREFIX = 'USER_UI_SETTINGS'
+USER_UI_SETTINGS_CACHE_TTL_SECONDS = 120
 GOVERNANCE_CACHE_VERSION_KEY = 'GOVERNANCE_CACHE_VERSION'
 GOVERNANCE_CACHE_VERSION_DOC_ID = 'governance_cache_version'
 CACHE_VERSION_DOC_TYPE = 'cache_version'
@@ -42,6 +46,9 @@
 append_stream_session_event = None
 get_stream_session_events = None
 delete_stream_session_cache = None
+get_user_ui_settings_cache = None
+set_user_ui_settings_cache = None
+delete_user_ui_settings_cache = None
 get_governance_cache_version = None
 bump_governance_cache_version = None
 app_cache_is_using_redis = False
@@ -119,11 +126,12 @@ def _set_ttl_cached_version(version_cache, version):
 
 def configure_app_cache(settings, redis_cache_endpoint=None):
     global _settings, update_settings_cache, get_settings_cache, APP_SETTINGS_CACHE
-    global APP_STREAM_SESSION_METADATA, APP_STREAM_SESSION_EVENTS
+    global APP_USER_UI_SETTINGS_CACHE, APP_STREAM_SESSION_METADATA, APP_STREAM_SESSION_EVENTS
     global APP_SETTINGS_CACHE_VERSION, APP_GOVERNANCE_CACHE_VERSION
     global APP_SETTINGS_SHARED_VERSION_CACHE, APP_GOVERNANCE_SHARED_VERSION_CACHE
     global initialize_stream_session_cache, set_stream_session_meta, get_stream_session_meta
     global append_stream_session_event, get_stream_session_events, delete_stream_session_cache
+    global get_user_ui_settings_cache, set_user_ui_settings_cache, delete_user_ui_settings_cache
     global get_app_settings_cache_version, bump_app_settings_cache_version
     global get_governance_cache_version, bump_governance_cache_version
     global app_cache_is_using_redis
@@ -288,6 +296,24 @@ def delete_stream_session_cache_redis(cache_key):
                 get_stream_session_events_key(cache_key),
             )
 
+        def get_user_ui_settings_cache_key(user_id):
+            return f'{USER_UI_SETTINGS_CACHE_KEY_PREFIX}:{user_id}'
+
+        def get_user_ui_settings_cache_redis(user_id):
+            cached = redis_client.get(get_user_ui_settings_cache_key(user_id))
+            return json.loads(cached) if cached else None
+
+        def set_user_ui_settings_cache_redis(user_id, ui_settings, ttl_seconds=None):
+            ttl = int(ttl_seconds or USER_UI_SETTINGS_CACHE_TTL_SECONDS)
+            redis_client.setex(
+                get_user_ui_settings_cache_key(user_id),
+                ttl,
+                json.dumps(ui_settings or {})
+            )
+
+        def delete_user_ui_settings_cache_redis(user_id):
+            redis_client.delete(get_user_ui_settings_cache_key(user_id))
+
         def get_governance_cache_version_redis():
             cached = redis_client.get(GOVERNANCE_CACHE_VERSION_KEY)
             if cached is None:
@@ -308,6 +334,9 @@ def bump_governance_cache_version_redis():
         append_stream_session_event = append_stream_session_event_redis
         get_stream_session_events = get_stream_session_events_redis
         delete_stream_session_cache = delete_stream_session_cache_redis
+        get_user_ui_settings_cache = get_user_ui_settings_cache_redis
+        set_user_ui_settings_cache = set_user_ui_settings_cache_redis
+        delete_user_ui_settings_cache = delete_user_ui_settings_cache_redis
         get_governance_cache_version = get_governance_cache_version_redis
         bump_governance_cache_version = bump_governance_cache_version_redis
 
@@ -408,6 +437,28 @@ def delete_stream_session_cache_mem(cache_key):
                 APP_STREAM_SESSION_METADATA.pop(cache_key, None)
                 APP_STREAM_SESSION_EVENTS.pop(cache_key, None)
 
+        def get_user_ui_settings_cache_mem(user_id):
+            with _app_cache_lock:
+                entry = APP_USER_UI_SETTINGS_CACHE.get(user_id)
+                if _is_expired(entry):
+                    APP_USER_UI_SETTINGS_CACHE.pop(user_id, None)
+                    return None
+                return copy.deepcopy(entry.get('value') or {})
+
+        def set_user_ui_settings_cache_mem(user_id, ui_settings, ttl_seconds=None):
+            expiration_timestamp = _get_expiration_timestamp(
+                ttl_seconds or USER_UI_SETTINGS_CACHE_TTL_SECONDS
+            )
+            with _app_cache_lock:
+                APP_USER_UI_SETTINGS_CACHE[user_id] = {
+                    'value': copy.deepcopy(ui_settings or {}),
+                    'expires_at': expiration_timestamp,
+                }
+
+        def delete_user_ui_settings_cache_mem(user_id):
+            with _app_cache_lock:
+                APP_USER_UI_SETTINGS_CACHE.pop(user_id, None)
+
         def get_app_settings_cache_version_mem():
             global APP_SETTINGS_CACHE_VERSION
             try:
@@ -494,5 +545,8 @@ def bump_governance_cache_version_mem():
         append_stream_session_event = append_stream_session_event_mem
         get_stream_session_events = get_stream_session_events_mem
         delete_stream_session_cache = delete_stream_session_cache_mem
+        get_user_ui_settings_cache = get_user_ui_settings_cache_mem
+        set_user_ui_settings_cache = set_user_ui_settings_cache_mem
+        delete_user_ui_settings_cache = delete_user_ui_settings_cache_mem
         get_governance_cache_version = get_governance_cache_version_mem
         bump_governance_cache_version = bump_governance_cache_version_mem
\ No newline at end of file
diff --git a/application/single_app/config.py b/application/single_app/config.py
index d5fc1498b..eccf5e18c 100644
--- a/application/single_app/config.py
+++ b/application/single_app/config.py
@@ -94,7 +94,7 @@
 EXECUTOR_TYPE = 'thread'
 EXECUTOR_MAX_WORKERS = 30
 SESSION_TYPE = 'filesystem'
-VERSION = "0.242.043"
+VERSION = "0.242.044"
 
 SECRET_KEY = os.getenv('SECRET_KEY', 'dev-secret-key-change-in-production')
 
diff --git a/application/single_app/functions_settings.py b/application/single_app/functions_settings.py
index 8f5a65e07..626c9dd15 100644
--- a/application/single_app/functions_settings.py
+++ b/application/single_app/functions_settings.py
@@ -1,6 +1,6 @@
 # functions_settings.py
 
-from flask import has_request_context
+from flask import g, has_request_context
 
 from config import *
 from functions_appinsights import log_event
@@ -14,6 +14,101 @@
 )
 
 
+USER_SETTINGS_REQUEST_CACHE_ATTR = "simplechat_user_settings_request_cache"
+USER_UI_SETTINGS_KEYS = (
+    "profileImage",
+    "navLayout",
+    "darkModeEnabled",
+    "showTutorialButtons",
+    "chatLayout",
+    "streamingEnabled",
+    "notifications_per_page",
+)
+
+
+def _clone_user_settings_doc(doc):
+    return copy.deepcopy(doc or {})
+
+
+def _get_user_settings_request_cache():
+    if not has_request_context():
+        return None
+
+    cache = getattr(g, USER_SETTINGS_REQUEST_CACHE_ATTR, None)
+    if cache is None:
+        cache = {}
+        setattr(g, USER_SETTINGS_REQUEST_CACHE_ATTR, cache)
+    return cache
+
+
+def _get_request_cached_user_settings(user_id):
+    cache = _get_user_settings_request_cache()
+    if cache is None or user_id not in cache:
+        return None
+    return _clone_user_settings_doc(cache[user_id])
+
+
+def _set_request_cached_user_settings(user_id, doc):
+    cache = _get_user_settings_request_cache()
+    if cache is not None:
+        cache[user_id] = _clone_user_settings_doc(doc)
+
+
+def _delete_request_cached_user_settings(user_id):
+    cache = _get_user_settings_request_cache()
+    if cache is not None:
+        cache.pop(user_id, None)
+
+
+def _extract_user_ui_settings(doc):
+    settings = (doc or {}).get('settings', {})
+    if not isinstance(settings, dict):
+        settings = {}
+    return {
+        key: copy.deepcopy(settings[key])
+        for key in USER_UI_SETTINGS_KEYS
+        if key in settings
+    }
+
+
+def _delete_user_ui_settings_cache(user_id):
+    cache_deleter = getattr(app_settings_cache, "delete_user_ui_settings_cache", None)
+    if callable(cache_deleter):
+        try:
+            cache_deleter(user_id)
+        except Exception as cache_error:
+            log_event(
+                "[UserSettingsCache] Failed to delete user UI settings cache.",
+                extra={
+                    "user_id": user_id,
+                    "error": str(cache_error)
+                },
+                level=logging.WARNING
+            )
+
+
+def _set_user_ui_settings_cache(user_id, doc):
+    cache_setter = getattr(app_settings_cache, "set_user_ui_settings_cache", None)
+    if callable(cache_setter):
+        try:
+            cache_setter(user_id, _extract_user_ui_settings(doc))
+        except Exception as cache_error:
+            log_event(
+                "[UserSettingsCache] Failed to set user UI settings cache.",
+                extra={
+                    "user_id": user_id,
+                    "error": str(cache_error)
+                },
+                level=logging.WARNING
+            )
+
+
+def invalidate_user_settings_caches(user_id):
+    """Clear request and lightweight UI caches for a user settings document."""
+    _delete_request_cached_user_settings(user_id)
+    _delete_user_ui_settings_cache(user_id)
+
+
 def is_tabular_processing_enabled(settings):
     """Tabular processing is available whenever enhanced citations is enabled."""
     return bool((settings or {}).get('enable_enhanced_citations', False))
@@ -54,17 +149,6 @@ def _should_sync_session_profile(target_user_id, actor_user_id, allow_cross_user
     normalized_target_user_id = str(target_user_id or '').strip()
     normalized_actor_user_id = str(actor_user_id or '').strip()
     return bool(normalized_target_user_id and normalized_actor_user_id and normalized_target_user_id == normalized_actor_user_id)
-import copy
-from support_menu_config import (
-    get_default_support_latest_features_visibility,
-    has_visible_support_latest_features,
-    normalize_support_latest_features_visibility,
-)
-
-
-def is_tabular_processing_enabled(settings):
-    """Tabular processing is available whenever enhanced citations is enabled."""
-    return bool((settings or {}).get('enable_enhanced_citations', False))
 
 
 def _refresh_app_settings_cache_after_write(settings_payload, context="app_settings_write"):
@@ -1129,6 +1213,11 @@ def get_user_settings(user_id, allow_cross_user=False):
         actor_user_id,
         allow_cross_user=allow_cross_user,
     )
+
+    cached_doc = _get_request_cached_user_settings(user_id)
+    if cached_doc is not None:
+        return cached_doc
+
     try:
         doc = cosmos_user_settings_container.read_item(item=user_id, partition_key=user_id)
         updated = False
@@ -1182,7 +1271,10 @@ def get_user_settings(user_id, allow_cross_user=False):
         
         if updated:
             cosmos_user_settings_container.upsert_item(body=doc)
-        return doc
+            _set_user_ui_settings_cache(user_id, doc)
+
+        _set_request_cached_user_settings(user_id, doc)
+        return _clone_user_settings_doc(doc)
     except exceptions.CosmosResourceNotFoundError:
         # Return a default structure if the user has no settings saved yet
         doc = {"id": user_id, "settings": {}}
@@ -1214,7 +1306,9 @@ def get_user_settings(user_id, allow_cross_user=False):
                 doc['settings']['profileImage'] = None
             
         cosmos_user_settings_container.upsert_item(body=doc)
-        return doc
+        _set_user_ui_settings_cache(user_id, doc)
+        _set_request_cached_user_settings(user_id, doc)
+        return _clone_user_settings_doc(doc)
     except Exception as e:
         log_event(
             "Error retrieving user settings.",
@@ -1226,6 +1320,44 @@ def get_user_settings(user_id, allow_cross_user=False):
             exceptionTraceback=True
         )
         raise # Re-raise the exception to be handled by the route
+
+
+def get_user_ui_settings(user_id, allow_cross_user=False):
+    """Return a lightweight, cacheable subset of user settings used by shared page chrome."""
+    _authorize_user_settings_access(user_id, "read UI settings", allow_cross_user=allow_cross_user)
+
+    cached_doc = _get_request_cached_user_settings(user_id)
+    if cached_doc is not None:
+        return {
+            'id': user_id,
+            'settings': _extract_user_ui_settings(cached_doc),
+        }
+
+    cache_getter = getattr(app_settings_cache, "get_user_ui_settings_cache", None)
+    if callable(cache_getter):
+        try:
+            cached_ui_settings = cache_getter(user_id)
+            if cached_ui_settings is not None:
+                return {
+                    'id': user_id,
+                    'settings': copy.deepcopy(cached_ui_settings or {}),
+                }
+        except Exception as cache_error:
+            log_event(
+                "[UserSettingsCache] Failed to read user UI settings cache.",
+                extra={
+                    "user_id": user_id,
+                    "error": str(cache_error)
+                },
+                level=logging.WARNING
+            )
+
+    doc = get_user_settings(user_id, allow_cross_user=allow_cross_user)
+    _set_user_ui_settings_cache(user_id, doc)
+    return {
+        'id': user_id,
+        'settings': _extract_user_ui_settings(doc),
+    }
     
 def update_user_settings(user_id, settings_to_update, allow_cross_user=False):
     """
@@ -1382,6 +1514,8 @@ def update_user_settings(user_id, settings_to_update, allow_cross_user=False):
 
         # Upsert the modified document
         cosmos_user_settings_container.upsert_item(body=doc) # Use body=doc for clarity
+        _set_request_cached_user_settings(user_id, doc)
+        _delete_user_ui_settings_cache(user_id)
 
         return True
 
@@ -1550,6 +1684,7 @@ def add_search_to_history(user_id, search_term):
         
         doc['search_history'] = search_history
         cosmos_user_settings_container.upsert_item(body=doc)
+        invalidate_user_settings_caches(user_id)
         
         return search_history
     except Exception as e:
@@ -1574,6 +1709,7 @@ def clear_user_search_history(user_id):
         
         doc['search_history'] = []
         cosmos_user_settings_container.upsert_item(body=doc)
+        invalidate_user_settings_caches(user_id)
         
         return True
     except Exception as e:
diff --git a/application/single_app/route_backend_retention_policy.py b/application/single_app/route_backend_retention_policy.py
index 60935f609..493207559 100644
--- a/application/single_app/route_backend_retention_policy.py
+++ b/application/single_app/route_backend_retention_policy.py
@@ -280,6 +280,7 @@ def force_push_retention_defaults():
                         user['settings'] = user_settings
                         
                         cosmos_user_settings_container.upsert_item(user)
+                        invalidate_user_settings_caches(user_id)
                         personal_count += 1
                     except Exception as e:
                         debug_print(f"Error updating user {user_id}: {e}")
diff --git a/application/single_app/static/js/dark-mode.js b/application/single_app/static/js/dark-mode.js
index 1fb06b2e2..c927597b7 100644
--- a/application/single_app/static/js/dark-mode.js
+++ b/application/single_app/static/js/dark-mode.js
@@ -30,6 +30,9 @@ async function saveDarkModeSetting(settingsToUpdate) {
         if (!response.ok) {
             console.error('Failed to save dark mode setting:', response.statusText);
         } else {
+            if (window.simplechatUserSettings && typeof window.simplechatUserSettings === 'object') {
+                Object.assign(window.simplechatUserSettings, settingsToUpdate);
+            }
             console.log('Dark mode setting saved successfully');
         }
     } catch (error) {
@@ -37,6 +40,13 @@ async function saveDarkModeSetting(settingsToUpdate) {
     }
 }
 
+function getInjectedUserSettings() {
+    if (window.simplechatUserSettings && typeof window.simplechatUserSettings === 'object') {
+        return window.simplechatUserSettings;
+    }
+    return {};
+}
+
 // Function to toggle dark mode
 function toggleDarkMode(e) {
     e && e.preventDefault && e.preventDefault();
@@ -90,21 +100,24 @@ async function loadDarkModePreference() {
             localTheme = 'dark';
         }
         
-        // Sync with server - which may override localStorage if user has multiple devices
-        const response = await fetch('/api/user/settings');
-        if (response.ok) {
-            const data = await response.json();
-            const settings = data.settings || {};
+        // Sync with server-provided settings first; fetch only when the page did not inject them.
+        let settings = getInjectedUserSettings();
+        if (!(USER_SETTINGS_KEY_DARK_MODE in settings)) {
+            const response = await fetch('/api/user/settings');
+            if (response.ok) {
+                const data = await response.json();
+                settings = data.settings || {};
+            }
+        }
+
+        // If user has a saved preference in their account, use it and update localStorage
+        if (USER_SETTINGS_KEY_DARK_MODE in settings) {
+            const serverTheme = settings[USER_SETTINGS_KEY_DARK_MODE] === true ? 'dark' : 'light';
             
-            // If user has a saved preference in their account, use it and update localStorage
-            if (USER_SETTINGS_KEY_DARK_MODE in settings) {
-                const serverTheme = settings[USER_SETTINGS_KEY_DARK_MODE] === true ? 'dark' : 'light';
-                
-                // Update localStorage if server setting differs
-                if (!localTheme || serverTheme !== localTheme) {
-                    localStorage.setItem(LOCAL_STORAGE_THEME_KEY, serverTheme);
-                    localTheme = serverTheme;
-                }
+            // Update localStorage if server setting differs
+            if (!localTheme || serverTheme !== localTheme) {
+                localStorage.setItem(LOCAL_STORAGE_THEME_KEY, serverTheme);
+                localTheme = serverTheme;
             }
         }
         
@@ -141,6 +154,7 @@ if (typeof module !== 'undefined' && module.exports) {
         loadDarkModePreference,
         getAllDarkModeToggles,
         getToggleParts,
-        saveDarkModeSetting
+        saveDarkModeSetting,
+        getInjectedUserSettings
     };
 }
\ No newline at end of file
diff --git a/application/single_app/static/js/sidebar.js b/application/single_app/static/js/sidebar.js
index 31b7b0888..34e3823f2 100644
--- a/application/single_app/static/js/sidebar.js
+++ b/application/single_app/static/js/sidebar.js
@@ -10,6 +10,10 @@
 
 // Utility functions for user settings
 async function getUserSettings() {
+  if (window.simplechatUserSettings && typeof window.simplechatUserSettings === 'object') {
+    return window.simplechatUserSettings;
+  }
+
   try {
     const resp = await fetch('/api/user/settings');
     if (!resp.ok) return {};
@@ -23,11 +27,14 @@ async function getUserSettings() {
 
 async function setUserNavLayout(navLayout) {
   try {
-    await fetch('/api/user/settings', {
+    const resp = await fetch('/api/user/settings', {
       method: 'POST',
       headers: { 'Content-Type': 'application/json' },
       body: JSON.stringify({ settings: { navLayout } })
     });
+    if (resp.ok && window.simplechatUserSettings && typeof window.simplechatUserSettings === 'object') {
+      window.simplechatUserSettings.navLayout = navLayout;
+    }
     console.log('Nav layout setting saved successfully:', navLayout);
   } catch (e) {
     console.error('Error saving nav layout setting:', e);
diff --git a/application/single_app/templates/base.html b/application/single_app/templates/base.html
index f3d351952..006eee233 100644
--- a/application/single_app/templates/base.html
+++ b/application/single_app/templates/base.html
@@ -354,6 +354,7 @@
     }
     const appSettings = {{ app_settings|tojson|safe }};
     window.appSettings = appSettings;
+    window.simplechatUserSettings = {{ user_settings.get('settings', {}) | tojson | safe }};
   </script>
 
   <!-- Prism.js syntax highlighting script -->
diff --git a/docs/explanation/features/USER_SETTINGS_CACHE_OPTIMIZATION.md b/docs/explanation/features/USER_SETTINGS_CACHE_OPTIMIZATION.md
new file mode 100644
index 000000000..4f6a8f90d
--- /dev/null
+++ b/docs/explanation/features/USER_SETTINGS_CACHE_OPTIMIZATION.md
@@ -0,0 +1,89 @@
+# User Settings Cache Optimization
+
+Implemented in version: **0.242.044**
+
+## Overview
+
+User settings cache optimization reduces repeated Cosmos DB reads for user-specific UI preferences while keeping security-sensitive user settings fresh. The implementation supports both single App Service deployments without Redis and scaled-out App Service deployments with Redis.
+
+## Purpose
+
+SimpleChat reads user settings during shared page rendering and from frontend scripts that initialize theme, navigation, profile image, and tutorial controls. Without caching, a single page load can read the same user settings document multiple times.
+
+This feature adds request-scoped memoization for full user settings and a lightweight UI settings cache for non-security browser chrome preferences.
+
+## Dependencies
+
+- Flask request context for request-scoped memoization
+- Existing app cache configuration in `application/single_app/app_settings_cache.py`
+- Optional Redis cache when `enable_redis_cache` is enabled
+- Cosmos DB user settings container as the source of truth
+
+## Technical Specifications
+
+### Cache Layers
+
+1. Request-scoped cache for full user settings documents.
+2. Lightweight UI settings cache for shared page chrome fields.
+3. Redis-backed UI settings cache when Redis is enabled.
+4. Process-local TTL UI settings cache when Redis is disabled.
+
+### Cached UI Fields
+
+The lightweight UI cache includes fields such as:
+
+- `profileImage`
+- `navLayout`
+- `darkModeEnabled`
+- `showTutorialButtons`
+- `chatLayout`
+- `streamingEnabled`
+- `notifications_per_page`
+
+Security-sensitive fields such as access restrictions and file upload controls are not introduced into the lightweight UI cache contract.
+
+### No-Redis Behavior
+
+In a single App Service deployment without Redis, the UI settings cache is process-local with a short TTL. It does not use per-user Cosmos version documents, avoiding high-cardinality invalidation reads across multiple workers.
+
+### Redis Behavior
+
+In scaled-out deployments with Redis, the UI settings cache uses Redis keys shared by all workers and instances. User settings writes invalidate the lightweight UI cache so later page renders reload current values from Cosmos.
+
+## Primary Files
+
+- `application/single_app/app_settings_cache.py`
+- `application/single_app/functions_settings.py`
+- `application/single_app/app.py`
+- `application/single_app/templates/base.html`
+- `application/single_app/static/js/dark-mode.js`
+- `application/single_app/static/js/sidebar.js`
+- `functional_tests/test_user_settings_cache_optimization.py`
+
+## Usage Instructions
+
+No administrator action is required. The cache behavior follows the existing app Redis configuration:
+
+- Redis disabled: request cache plus process-local UI settings TTL cache.
+- Redis enabled: request cache plus Redis-backed UI settings cache.
+
+## Testing and Validation
+
+Functional coverage is provided by `functional_tests/test_user_settings_cache_optimization.py`.
+
+The test validates:
+
+- Full user settings request memoization markers.
+- Redis and no-Redis UI settings cache contracts.
+- Cache invalidation markers on user settings write paths.
+- Frontend reuse of injected user UI settings before full API fallback.
+
+## Known Limitations
+
+The no-Redis process-local UI cache is intentionally short-lived and per worker. It is designed for low-risk UI preferences, not immediate cross-worker propagation of security decisions.
+
+## Related Version Updates
+
+Implemented in version: **0.242.044**
+
+The application version was updated in `application/single_app/config.py` to track this feature.
diff --git a/functional_tests/test_user_settings_cache_optimization.py b/functional_tests/test_user_settings_cache_optimization.py
new file mode 100644
index 000000000..1e8b8ff76
--- /dev/null
+++ b/functional_tests/test_user_settings_cache_optimization.py
@@ -0,0 +1,155 @@
+# test_user_settings_cache_optimization.py
+#!/usr/bin/env python3
+"""
+Functional test for user settings cache optimization.
+Version: 0.242.044
+Implemented in: 0.242.044
+
+This test ensures user settings reads use request-scoped caching, shared UI settings
+caches support Redis and no-Redis deployments, and frontend scripts reuse injected
+user UI settings before fetching the full user settings document.
+"""
+
+import os
+import sys
+
+
+ROOT_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
+SINGLE_APP_DIR = os.path.join(ROOT_DIR, "application", "single_app")
+if SINGLE_APP_DIR not in sys.path:
+    sys.path.append(SINGLE_APP_DIR)
+
+
+def _read(*parts):
+    path = os.path.join(ROOT_DIR, *parts)
+    with open(path, "r", encoding="utf-8") as handle:
+        return handle.read()
+
+
+def test_user_settings_request_cache_contract():
+    """Validate full user settings reads use request-scoped memoization."""
+    print("Testing user settings request cache contract...")
+
+    settings_content = _read("application", "single_app", "functions_settings.py")
+
+    for marker in [
+        "USER_SETTINGS_REQUEST_CACHE_ATTR",
+        "_get_user_settings_request_cache()",
+        "_get_request_cached_user_settings(user_id)",
+        "_set_request_cached_user_settings(user_id, doc)",
+        "_delete_request_cached_user_settings(user_id)",
+        "return _clone_user_settings_doc(doc)",
+    ]:
+        assert marker in settings_content, f"Missing request cache marker: {marker}"
+
+    assert "cached_doc = _get_request_cached_user_settings(user_id)" in settings_content, (
+        "Expected get_user_settings to check the request cache before Cosmos"
+    )
+
+    print("PASS: user settings request cache contract verified")
+
+
+def test_user_ui_settings_cache_contract():
+    """Validate UI settings cache supports Redis and process-local fallback."""
+    print("Testing user UI settings cache contract...")
+
+    cache_content = _read("application", "single_app", "app_settings_cache.py")
+    settings_content = _read("application", "single_app", "functions_settings.py")
+
+    for marker in [
+        "APP_USER_UI_SETTINGS_CACHE",
+        "USER_UI_SETTINGS_CACHE_KEY_PREFIX",
+        "USER_UI_SETTINGS_CACHE_TTL_SECONDS = 120",
+        "get_user_ui_settings_cache_redis",
+        "set_user_ui_settings_cache_redis",
+        "delete_user_ui_settings_cache_redis",
+        "get_user_ui_settings_cache_mem",
+        "set_user_ui_settings_cache_mem",
+        "delete_user_ui_settings_cache_mem",
+    ]:
+        assert marker in cache_content, f"Missing user UI cache marker: {marker}"
+
+    for marker in [
+        "USER_UI_SETTINGS_KEYS",
+        "def get_user_ui_settings(user_id, allow_cross_user=False):",
+        "_extract_user_ui_settings(doc)",
+        "invalidate_user_settings_caches(user_id)",
+        "_delete_user_ui_settings_cache(user_id)",
+    ]:
+        assert marker in settings_content, f"Missing user UI settings marker: {marker}"
+
+    assert "APP_SETTINGS_CACHE_VERSION_DOC_ID" in cache_content, "Expected existing app settings versioning to remain"
+    assert "USER_UI_SETTINGS_CACHE_VERSION_DOC_ID" not in cache_content, (
+        "User UI settings cache should not add per-user Cosmos version documents"
+    )
+
+    print("PASS: user UI settings cache contract verified")
+
+
+def test_user_settings_write_invalidation_contract():
+    """Validate user settings writes invalidate lightweight UI caches."""
+    print("Testing user settings write invalidation contract...")
+
+    settings_content = _read("application", "single_app", "functions_settings.py")
+    retention_content = _read("application", "single_app", "route_backend_retention_policy.py")
+
+    assert "_set_request_cached_user_settings(user_id, doc)" in settings_content, (
+        "Expected update_user_settings to refresh request cache after writes"
+    )
+    assert "_delete_user_ui_settings_cache(user_id)" in settings_content, (
+        "Expected update_user_settings to clear UI cache after writes"
+    )
+    assert settings_content.count("invalidate_user_settings_caches(user_id)") >= 2, (
+        "Expected direct search-history upserts to invalidate user settings caches"
+    )
+    assert "invalidate_user_settings_caches(user_id)" in retention_content, (
+        "Expected retention force-push direct upserts to invalidate user settings caches"
+    )
+
+    print("PASS: user settings write invalidation contract verified")
+
+
+def test_frontend_reuses_injected_user_ui_settings():
+    """Validate shared scripts use injected UI settings before API fallback."""
+    print("Testing frontend injected user UI settings reuse...")
+
+    base_content = _read("application", "single_app", "templates", "base.html")
+    dark_mode_content = _read("application", "single_app", "static", "js", "dark-mode.js")
+    sidebar_content = _read("application", "single_app", "static", "js", "sidebar.js")
+
+    assert "window.simplechatUserSettings" in base_content, (
+        "Expected base template to expose lightweight user UI settings to scripts"
+    )
+    assert "getInjectedUserSettings()" in dark_mode_content, (
+        "Expected dark mode script to read injected user settings"
+    )
+    assert "if (!(USER_SETTINGS_KEY_DARK_MODE in settings))" in dark_mode_content, (
+        "Expected dark mode script to fetch full settings only when injected data is missing"
+    )
+    assert "window.simplechatUserSettings && typeof window.simplechatUserSettings === 'object'" in sidebar_content, (
+        "Expected sidebar script to reuse injected user settings before API fallback"
+    )
+
+    print("PASS: frontend injected user UI settings reuse verified")
+
+
+if __name__ == "__main__":
+    tests = [
+        test_user_settings_request_cache_contract,
+        test_user_ui_settings_cache_contract,
+        test_user_settings_write_invalidation_contract,
+        test_frontend_reuses_injected_user_ui_settings,
+    ]
+    results = []
+
+    for test in tests:
+        try:
+            test()
+            results.append(True)
+        except Exception as exc:
+            print(f"FAIL: {test.__name__} -> {exc}")
+            results.append(False)
+
+    passed = sum(1 for result in results if result)
+    print(f"Results: {passed}/{len(results)} tests passed")
+    sys.exit(0 if all(results) else 1)

From ff732a7227245ac9dede83d603064b58edffd36e Mon Sep 17 00:00:00 2001
From: Bionic711 <nadoyle@microsoft.com>
Date: Tue, 16 Jun 2026 12:13:32 -0500
Subject: [PATCH 12/12] Prepare user settings cache PR

---
 application/single_app/templates/base.html | 8 ++++----
 docs/explanation/release_notes.md          | 9 +++++++++
 2 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/application/single_app/templates/base.html b/application/single_app/templates/base.html
index 006eee233..ff8069a4d 100644
--- a/application/single_app/templates/base.html
+++ b/application/single_app/templates/base.html
@@ -345,16 +345,16 @@
       'displayName': session.get('user', {}).get('name'),
       'email': session.get('user', {}).get('preferred_username'),
       'roles': session.get('user', {}).get('roles', [])
-    } | tojson | safe }};
+    } | tojson }};
     window.currentUserIsAdmin = Array.isArray(window.userContext?.roles)
       ? window.userContext.roles.includes('Admin')
       : false;
     if (!window.current_user_id && window.userContext?.id) {
       window.current_user_id = window.userContext.id;
     }
-    const appSettings = {{ app_settings|tojson|safe }};
+    const appSettings = {{ app_settings|tojson }};
     window.appSettings = appSettings;
-    window.simplechatUserSettings = {{ user_settings.get('settings', {}) | tojson | safe }};
+    window.simplechatUserSettings = {{ user_settings.get('settings', {}) | tojson }};
   </script>
 
   <!-- Prism.js syntax highlighting script -->
@@ -416,7 +416,7 @@
       'heartbeatUrl': url_for('session_heartbeat'),
       'localLogoutUrl': url_for('local_logout'),
       'fullSsoLogoutUrl': url_for('logout')
-    } | tojson | safe }};
+    } | tojson }};
   </script>
   <script src="{{ url_for('static', filename='js/idle-logout-warning.js') }}"></script>
   {% endif %}
diff --git a/docs/explanation/release_notes.md b/docs/explanation/release_notes.md
index aac14500b..330081005 100644
--- a/docs/explanation/release_notes.md
+++ b/docs/explanation/release_notes.md
@@ -4,6 +4,15 @@ This page tracks notable Simple Chat releases and organizes the detailed change
 
 For feature-focused and fix-focused drill-downs by version, see [Features by Version](/explanation/features/) and [Fixes by Version](/explanation/fixes/).
 
+### **(v0.242.044)**
+
+#### New Features
+
+*   **User Settings Cache Optimization**
+    *   Added request-scoped memoization for full user settings reads and a lightweight user UI settings cache that works with Redis-enabled and no-Redis deployments.
+    *   Shared page scripts now reuse injected UI preferences for dark mode and navigation layout before falling back to the full user settings API.
+    *   (Ref: user settings cache, user UI settings cache, `functions_settings.py`, `app_settings_cache.py`, `dark-mode.js`, `sidebar.js`)
+
 ### **(v0.242.033)**
 
 #### New Features