diff --git a/.gitignore b/.gitignore
index af4d85f..0b70d75 100644
--- a/.gitignore
+++ b/.gitignore
@@ -9,3 +9,5 @@
 !/.nvmrc
 .vscode/
 *.DS_Store
+local_docs/
+.scannerwork/
diff --git a/README.md b/README.md
index 8327b5f..75f5233 100644
--- a/README.md
+++ b/README.md
@@ -1,19 +1,78 @@
-# Cloud Native
+# Cloud Native Configuration Management
 
-This repository contains a small full-stack workspace:
+Cloud Native Configuration Management is a full-stack configuration governance workspace for project, factory, environment, template, override, export, and change-history workflows.
 
-- `frontend/`: Vite + React application
-- `backend/`: Spring Boot API with PostgreSQL, Flyway, JPA, validation, and auth/configuration flows
-- `.github/workflows/`: CI definitions
+The repository is organized as a single workspace with a React frontend, a Spring Boot backend, PostgreSQL persistence, automated tests, coverage reports, and SonarQube quality analysis.
 
-## Quick Start
+## Project Overview
+
+The application helps teams manage reusable configuration templates and project-specific overrides across deployment scopes.
+
+Core capabilities:
+
+- user registration, login, JWT authentication, and role-aware screens;
+- configuration template creation, editing, inspection, import, export, and deletion;
+- project, factory, and environment scope browsing;
+- project scope configuration preview with inherited template values and overrides;
+- change-request and version-history support for configuration changes;
+- backend service tests and frontend component/page tests;
+- SonarQube quality gate validation with frontend and backend coverage.
+
+## Repository Structure
+
+```text
+.
+├── backend/                 Spring Boot API, domain logic, persistence, tests
+├── frontend/                Vite React UI, Vitest tests, frontend coverage
+├── deploy/                  Nginx and Docker Compose deployment references
+├── docs/                    Shared project documentation
+├── local_docs/              Local notes and presentation-only artifacts
+├── sonar-project.properties Root aggregate SonarQube scan configuration
+└── README.md                Main project guide
+```
+
+Important entry points:
+
+- [frontend/src](frontend/src): React application source
+- [frontend/tests](frontend/tests): frontend tests
+- [backend/src/main/java](backend/src/main/java): backend application source
+- [backend/src/test/java](backend/src/test/java): backend tests
+- [sonar-project.properties](sonar-project.properties): canonical SonarQube scan configuration
 
-### Requirements
+## Architecture
+
+Local development runs three main services:
+
+```text
+Browser
+  -> Vite dev server / frontend static build
+  -> Spring Boot backend API
+  -> PostgreSQL database
+```
+
+The production-oriented deployment model is stateless at the backend layer:
+
+```text
+Users
+  -> DNS / HTTPS
+  -> Load Balancer or Reverse Proxy
+      -> Frontend static app
+      -> Backend API replica pool
+          -> PostgreSQL / managed database
+```
+
+The backend uses JWT-based authentication and stores source-of-truth data in PostgreSQL, so backend replicas can be placed behind a load balancer without sticky sessions.
+
+Deployment references are in [deploy/README.md](deploy/README.md).
+
+## Requirements
 
 - Node.js `20.19+`
-- Java `21+` or newer
+- npm
+- Java `21+`
 - Maven
-- Docker, if you want to run PostgreSQL locally in a container
+- PostgreSQL `15+`, or Docker for local PostgreSQL
+- Optional: local or online SonarQube / SonarCloud access
 
 Default local ports:
 
@@ -21,11 +80,14 @@ Default local ports:
 Frontend:   http://127.0.0.1:5173
 Backend:    http://127.0.0.1:8080
 PostgreSQL: localhost:5432
+SonarQube:  http://localhost:9000, if running locally
 ```
 
+## Quick Start
+
 ### 1. Start PostgreSQL
 
-If you do not already have a local PostgreSQL database, start one with Docker:
+If PostgreSQL is not already available locally, start a Docker container:
 
 ```bash
 docker run --name cloud-native-postgres \
@@ -42,7 +104,7 @@ If the container already exists:
 docker start cloud-native-postgres
 ```
 
-The backend defaults to:
+The backend defaults are:
 
 ```text
 DATABASE_URL=jdbc:postgresql://localhost:5432/cloud_native_db
@@ -51,6 +113,8 @@ DATABASE_PASSWORD=cloudnative
 QUICK_ADMIN_PASSWORD=optional local quick-login password
 ```
 
+If your database runs on another port, export the variables before starting the backend.
+
 ### 2. Start Backend
 
 ```bash
@@ -60,15 +124,15 @@ mvn spring-boot:run -Dspring-boot.run.profiles=dev
 
 The backend runs on `http://127.0.0.1:8080`.
 
-Flyway applies database migrations on startup. Current seed data includes:
+Flyway applies database migrations on startup. The seed data includes template types, sample projects, factories, environments, and project scope template selections.
 
-- template types such as Application Config, Database Config, Cache Config, Security / Auth Config
-- an `AI Agent` project
-- 12 factories, `Factory A` through `Factory L`
-- 4 environments: Development, Testing, Staging, Production
-- sample template selections for project scope preview
+Health check:
 
-### Frontend
+```text
+GET http://127.0.0.1:8080/api/health
+```
+
+### 3. Start Frontend
 
 ```bash
 cd frontend
@@ -78,136 +142,155 @@ npm run dev
 
 The frontend runs on `http://127.0.0.1:5173`.
 
-### Backend Details
+## Application Flow
 
-See [backend/README.md](backend/README.md) for the full backend workflow, including PostgreSQL setup, Flyway notes, backend testing, and coverage usage.
+1. Open `http://127.0.0.1:5173`.
+2. Register or log in.
+3. Use `Search` to search configurations and templates.
+4. Use `Templates` to manage reusable configuration fragments.
+5. Use `Projects` to inspect project scope configuration by project, factory, and environment.
+6. Use export/import screens to move configuration data through supported formats.
 
-If you already have PostgreSQL ready:
+The main project inspection flow is:
 
-```bash
-cd backend
-mvn spring-boot:run -Dspring-boot.run.profiles=dev
+```text
+Project List -> Factory List -> Environment List -> Templates Used -> Effective Config Preview
 ```
 
-## How To Use The App
+The clone-source preview flow supports selecting a base project/factory/environment and optionally mixing individual template sources from other scopes before review.
 
-1. Open `http://127.0.0.1:5173`.
-2. Register or log in from the auth screen.
-3. Use `Search` to search backend configurations and templates.
-4. Use `Templates` to create, inspect, edit, and delete reusable config fragments.
-5. Use `Projects` to inspect project scope configuration.
+## Testing And Coverage
 
-The current Project flow is:
+### Frontend
 
-```text
-Project List -> Factory List -> Environment List -> Templates Used
+```bash
+cd frontend
+npm run test
+npm run test:coverage
 ```
 
-After selecting a project, factory, and environment, the right panel shows which template files are used by that scope.
-
-The `Clone Project` button opens a clone source picker:
+Coverage output:
 
 ```text
-Select base Project / Factory / Environment
-Review final config preview
-Optionally mix individual template sources from other Factory / Environment scopes
-View template details from each row
-Select Clone Source
+frontend/coverage/lcov.info
+frontend/coverage/coverage-summary.json
 ```
 
-The clone flow is currently a frontend workflow preview. It can compose and display a mixed clone source in the UI, but it does not yet persist a cloned project to the backend.
-
-## Testing
+The LCOV file is the frontend coverage input used by SonarQube.
 
-### Frontend tests
+### Backend
 
 ```bash
-cd frontend
-npm run test
+cd backend
+mvn clean verify
 ```
 
-### Backend tests
+This runs backend tests and generates JaCoCo coverage:
 
-```bash
-cd backend
-mvn verify
+```text
+backend/target/site/jacoco/index.html
+backend/target/site/jacoco/jacoco.xml
 ```
 
-This currently:
-
-- runs the regular backend test suite
-- generates a JaCoCo coverage report at `backend/target/site/jacoco/index.html`
+The XML report is the backend coverage input used by SonarQube.
 
-The backend PostgreSQL/Testcontainers integration test is intentionally tagged as `integration` and skipped by default for local runs. To include it:
+The PostgreSQL/Testcontainers integration test is tagged as `integration` and skipped by default. To include it:
 
 ```bash
 cd backend
 mvn verify -Dexcluded.test.tags=
 ```
 
-The detailed explanation and Docker-related notes live in [backend/README.md](backend/README.md).
+More backend setup details are in [backend/README.md](backend/README.md).
 
-## Deployment Architecture
+## SonarQube Quality Gate
 
-The target deployment architecture is:
+The canonical SonarQube project is the root aggregate project:
 
 ```text
-Users
-  -> DNS / HTTPS
-  -> Load Balancer / Reverse Proxy
-      -> Frontend static app
-      -> Backend API replica pool
-          -> PostgreSQL / Neon
+cloud-native
 ```
 
-The backend is designed to be stateless for request routing because it uses JWT
-authentication and stores source-of-truth data in PostgreSQL. That allows future
-backend replicas to sit behind a load balancer without sticky sessions.
+Run the scanner from the repository root after generating both frontend and backend coverage reports:
 
-Deployment references live in [deploy/README.md](deploy/README.md):
+```bash
+cd frontend
+npm run test:coverage
 
-- `deploy/nginx.production.conf`: production-oriented reverse proxy template
-- `deploy/production-like/`: runnable Docker Compose stack with frontend, backend replicas, reverse proxy, and PostgreSQL
-- `deploy/demo/`: local Docker Compose demo with Nginx and scaled backend replicas
+cd ../backend
+mvn clean verify
 
-The backend health endpoint for load balancers and uptime checks is:
+cd ..
+npx @sonar/scan \
+  -Dsonar.host.url=http://localhost:9000 \
+  -Dsonar.token=$SONAR_TOKEN
+```
+
+The root scan reads [sonar-project.properties](sonar-project.properties), including:
 
 ```text
-GET /api/health
+frontend/coverage/lcov.info
+backend/target/site/jacoco/jacoco.xml
 ```
 
-## Repository Structure
+Use the root `cloud-native` project for final quality gate evidence. Standalone project keys such as `cloud-native-frontend` and `cloud-native-backend` have separate baselines and issue history, so they can produce different results unless maintained intentionally.
 
-```text
-.
-├── .github/
-│   └── workflows/
-├── backend/
-│   ├── src/
-│   ├── target/
-│   └── README.md
-├── frontend/
-│   ├── src/
-│   └── tests/
-└── README.md
+Detailed SonarQube notes, online-scan requirements, and troubleshooting are in [docs/quality-and-sonarqube.md](docs/quality-and-sonarqube.md).
+
+## Code Quality Policy
+
+The project uses a conservative coverage and quality strategy:
+
+- test user-facing frontend flows and backend business logic
+- exclude low-value bootstrap, DTO, repository, controller, enum, static data, and framework-wiring files from coverage KPIs where appropriate
+- avoid committing generated output such as `coverage/`, `target/`, `.scannerwork/`, and `dist/`
+- treat security hotspots as review items that require either remediation or a clear explanation.
+
+Current local quality evidence should be regenerated from the commands above instead of relying on committed reports.
+
+## Security Scanning
+
+Dependency vulnerability scanning is documented as a manual workflow in [docs/security-scanning.md](docs/security-scanning.md).
+
+Common commands:
+
+```bash
+cd frontend
+npm audit --audit-level=high
+
+cd ../backend
+mvn org.owasp:dependency-check-maven:check
 ```
 
-## Documentation Guide
+These dependency scans complement application security tests for JWT authentication, role guards, and protected backend endpoints.
+
+## Deployment
+
+Deployment references live in [deploy/README.md](deploy/README.md):
+
+- `deploy/nginx.production.conf`: production-oriented reverse proxy template;
+- `deploy/production-like/`: Docker Compose stack with frontend, backend replicas, reverse proxy, and PostgreSQL;
+- `deploy/demo/`: local demo stack with Nginx and scaled backend replicas.
 
-- [backend/README.md](backend/README.md)
-  Backend setup, PostgreSQL, Flyway, local testing, and coverage
+The backend health endpoint for load balancers and uptime checks is:
 
-- [deploy/README.md](deploy/README.md)
-  Deployment topology, load balancing model, Nginx reverse proxy template, and production checklist
+```text
+GET /api/health
+```
+
+## Documentation Guide
 
-- [docs/security-scanning.md](docs/security-scanning.md)
-  Manual dependency vulnerability scanning commands for frontend and backend
+- [backend/README.md](backend/README.md): backend setup, PostgreSQL, Flyway, tests, and coverage
+- [deploy/README.md](deploy/README.md): deployment topology and production-like local stack
+- [docs/quality-and-sonarqube.md](docs/quality-and-sonarqube.md): coverage, SonarQube, online scan, and Quality Gate guidance
+- [docs/security-scanning.md](docs/security-scanning.md): manual dependency vulnerability scanning
 
 ## CI
 
-GitHub Actions runs separate frontend and backend jobs from [`.github/workflows/ci.yml`](.github/workflows/ci.yml).
+GitHub Actions runs separate frontend and backend jobs from [.github/workflows/ci.yml](.github/workflows/ci.yml).
 
-Today that means:
+The CI workflow currently covers:
 
-- frontend install, test, and build checks
-- backend Maven test execution
+- frontend dependency install, tests, and build;
+- backend Maven tests;
+- fast feedback for pull requests and branch updates.
diff --git a/backend/pom.xml b/backend/pom.xml
index 41712cb..499007f 100644
--- a/backend/pom.xml
+++ b/backend/pom.xml
@@ -108,6 +108,22 @@
                 <groupId>org.jacoco</groupId>
                 <artifactId>jacoco-maven-plugin</artifactId>
                 <version>0.8.12</version>
+                <configuration>
+                    <excludes>
+                        <exclude>com/cloudnative/**/*Application*</exclude>
+                        <exclude>com/cloudnative/**/dto/**</exclude>
+                        <exclude>com/cloudnative/config/**</exclude>
+                        <exclude>com/cloudnative/**/*Repository*</exclude>
+                        <exclude>com/cloudnative/**/*Controller*</exclude>
+                        <exclude>com/cloudnative/**/*Status*</exclude>
+                        <exclude>com/cloudnative/**/*Kind*</exclude>
+                        <exclude>com/cloudnative/**/*Format*</exclude>
+                        <exclude>com/cloudnative/**/UserRole*</exclude>
+                        <exclude>com/cloudnative/**/RestoreTarget*</exclude>
+                        <exclude>com/cloudnative/**/ChangeSessionType*</exclude>
+                        <exclude>com/cloudnative/**/ChangeRequestCommentType*</exclude>
+                    </excludes>
+                </configuration>
                 <executions>
                     <execution>
                         <id>prepare-agent</id>
diff --git a/backend/src/main/java/com/cloudnative/configuration/ConfigurationRepository.java b/backend/src/main/java/com/cloudnative/configuration/ConfigurationRepository.java
index 94141b9..4b814a8 100644
--- a/backend/src/main/java/com/cloudnative/configuration/ConfigurationRepository.java
+++ b/backend/src/main/java/com/cloudnative/configuration/ConfigurationRepository.java
@@ -30,4 +30,9 @@ Optional<Configuration> findFirstByKindAndTemplateType_IdOrderByCreatedAtAsc(
             ConfigurationKind kind,
             UUID templateTypeId
     );
+
+    boolean existsByKindAndTemplateType_IdAndDeletedAtIsNull(
+            ConfigurationKind kind,
+            UUID templateTypeId
+    );
 }
diff --git a/backend/src/main/java/com/cloudnative/configuration/SecretMaskingService.java b/backend/src/main/java/com/cloudnative/configuration/SecretMaskingService.java
index 6c6e9b0..27136f5 100644
--- a/backend/src/main/java/com/cloudnative/configuration/SecretMaskingService.java
+++ b/backend/src/main/java/com/cloudnative/configuration/SecretMaskingService.java
@@ -13,16 +13,11 @@
 import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
-import java.util.regex.Pattern;
 
 @Component
 public class SecretMaskingService {
     public static final String MASK = "********************";
 
-    private static final Pattern SENSITIVE_KEY_PATTERN = Pattern.compile(
-            "(?i).*(secret|password|token|api[-_]?key|private[-_]?key|credential).*"
-    );
-
     private final ObjectMapper jsonMapper;
     private final ObjectMapper yamlMapper;
 
@@ -81,7 +76,20 @@ private JsonNode maskField(String key, JsonNode value) {
     }
 
     public boolean isSensitiveKey(String key) {
-        return key != null && SENSITIVE_KEY_PATTERN.matcher(key).matches();
+        if (key == null) {
+            return false;
+        }
+        String normalized = key.toLowerCase();
+        return normalized.contains("secret")
+                || normalized.contains("password")
+                || normalized.contains("token")
+                || normalized.contains("apikey")
+                || normalized.contains("api_key")
+                || normalized.contains("api-key")
+                || normalized.contains("privatekey")
+                || normalized.contains("private_key")
+                || normalized.contains("private-key")
+                || normalized.contains("credential");
     }
 
     private String toProperties(JsonNode value) {
diff --git a/backend/src/main/java/com/cloudnative/configuration/TemplateType.java b/backend/src/main/java/com/cloudnative/configuration/TemplateType.java
index fe1c0e1..96ea37f 100644
--- a/backend/src/main/java/com/cloudnative/configuration/TemplateType.java
+++ b/backend/src/main/java/com/cloudnative/configuration/TemplateType.java
@@ -40,6 +40,11 @@ public TemplateType(String code, String name, String description) {
         this.description = description;
     }
 
+    public void update(String name, String description) {
+        this.name = name;
+        this.description = description;
+    }
+
     public UUID getId() {
         return id;
     }
diff --git a/backend/src/main/java/com/cloudnative/configuration/TemplateTypeController.java b/backend/src/main/java/com/cloudnative/configuration/TemplateTypeController.java
index fd47a2a..60b54d8 100644
--- a/backend/src/main/java/com/cloudnative/configuration/TemplateTypeController.java
+++ b/backend/src/main/java/com/cloudnative/configuration/TemplateTypeController.java
@@ -2,31 +2,43 @@
 
 import com.cloudnative.configuration.dto.TemplateTypeCreateRequest;
 import com.cloudnative.configuration.dto.TemplateTypeResponse;
+import com.cloudnative.configuration.dto.TemplateTypeUpdateRequest;
 import com.cloudnative.identity.security.AuthenticatedUser;
 import com.cloudnative.identity.security.RoleGuard;
 import jakarta.validation.Valid;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.core.annotation.AuthenticationPrincipal;
+import org.springframework.web.bind.annotation.DeleteMapping;
 import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.PutMapping;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
 import org.springframework.web.server.ResponseStatusException;
 
 import java.util.List;
+import java.util.UUID;
 
 import static org.springframework.http.HttpStatus.CONFLICT;
+import static org.springframework.http.HttpStatus.NOT_FOUND;
 
 @RestController
 @RequestMapping("/api/template-types")
 public class TemplateTypeController {
     private final TemplateTypeRepository templateTypeRepository;
+    private final ConfigurationRepository configurationRepository;
     private final RoleGuard roleGuard;
 
-    public TemplateTypeController(TemplateTypeRepository templateTypeRepository, RoleGuard roleGuard) {
+    public TemplateTypeController(
+            TemplateTypeRepository templateTypeRepository,
+            ConfigurationRepository configurationRepository,
+            RoleGuard roleGuard
+    ) {
         this.templateTypeRepository = templateTypeRepository;
+        this.configurationRepository = configurationRepository;
         this.roleGuard = roleGuard;
     }
 
@@ -46,10 +58,51 @@ public ResponseEntity<TemplateTypeResponse> create(
         if (templateTypeRepository.existsByCode(request.code())) {
             throw new ResponseStatusException(CONFLICT, "Template type code already exists");
         }
+        if (templateTypeRepository.existsByNameIgnoreCase(request.name())) {
+            throw new ResponseStatusException(CONFLICT, "Template type name already exists");
+        }
 
         TemplateType created = templateTypeRepository.save(
                 new TemplateType(request.code(), request.name(), request.description())
         );
         return ResponseEntity.status(HttpStatus.CREATED).body(TemplateTypeResponse.from(created));
     }
+
+    @PutMapping("/{id}")
+    public TemplateTypeResponse update(
+            @AuthenticationPrincipal AuthenticatedUser authenticatedUser,
+            @PathVariable UUID id,
+            @Valid @RequestBody TemplateTypeUpdateRequest request
+    ) {
+        roleGuard.requireWriterOrAdmin(authenticatedUser);
+        TemplateType templateType = templateTypeRepository.findById(id)
+                .orElseThrow(() -> new ResponseStatusException(NOT_FOUND, "Template type not found"));
+        if (templateTypeRepository.existsByNameIgnoreCaseAndIdNot(request.name(), id)) {
+            throw new ResponseStatusException(CONFLICT, "Template type name already exists");
+        }
+
+        templateType.update(request.name(), request.description());
+        return TemplateTypeResponse.from(templateTypeRepository.save(templateType));
+    }
+
+    @DeleteMapping("/{id}")
+    public ResponseEntity<Void> delete(
+            @AuthenticationPrincipal AuthenticatedUser authenticatedUser,
+            @PathVariable UUID id
+    ) {
+        roleGuard.requireWriterOrAdmin(authenticatedUser);
+        TemplateType templateType = templateTypeRepository.findById(id)
+                .orElseThrow(() -> new ResponseStatusException(NOT_FOUND, "Template type not found"));
+
+        boolean usedByTemplate = configurationRepository.existsByKindAndTemplateType_IdAndDeletedAtIsNull(
+                ConfigurationKind.template,
+                templateType.getId()
+        );
+        if (usedByTemplate) {
+            throw new ResponseStatusException(CONFLICT, "Template type is used by templates");
+        }
+
+        templateTypeRepository.delete(templateType);
+        return ResponseEntity.noContent().build();
+    }
 }
diff --git a/backend/src/main/java/com/cloudnative/configuration/TemplateTypeRepository.java b/backend/src/main/java/com/cloudnative/configuration/TemplateTypeRepository.java
index 242b756..c0ecabb 100644
--- a/backend/src/main/java/com/cloudnative/configuration/TemplateTypeRepository.java
+++ b/backend/src/main/java/com/cloudnative/configuration/TemplateTypeRepository.java
@@ -9,6 +9,10 @@
 public interface TemplateTypeRepository extends JpaRepository<TemplateType, UUID> {
     boolean existsByCode(String code);
 
+    boolean existsByNameIgnoreCase(String name);
+
+    boolean existsByNameIgnoreCaseAndIdNot(String name, UUID id);
+
     Optional<TemplateType> findByCode(String code);
 
     List<TemplateType> findAllByOrderByNameAsc();
diff --git a/backend/src/main/java/com/cloudnative/configuration/dto/TemplateTypeUpdateRequest.java b/backend/src/main/java/com/cloudnative/configuration/dto/TemplateTypeUpdateRequest.java
new file mode 100644
index 0000000..8f61776
--- /dev/null
+++ b/backend/src/main/java/com/cloudnative/configuration/dto/TemplateTypeUpdateRequest.java
@@ -0,0 +1,13 @@
+package com.cloudnative.configuration.dto;
+
+import jakarta.validation.constraints.NotBlank;
+import jakarta.validation.constraints.Size;
+
+public record TemplateTypeUpdateRequest(
+        @NotBlank(message = "name is required")
+        @Size(max = 100, message = "name must be at most 100 characters")
+        String name,
+
+        String description
+) {
+}
diff --git a/backend/src/main/java/com/cloudnative/exporting/ConfigurationExportService.java b/backend/src/main/java/com/cloudnative/exporting/ConfigurationExportService.java
index 0f608a1..51ffab2 100644
--- a/backend/src/main/java/com/cloudnative/exporting/ConfigurationExportService.java
+++ b/backend/src/main/java/com/cloudnative/exporting/ConfigurationExportService.java
@@ -175,7 +175,20 @@ private JsonNode maskSensitiveValues(JsonNode value, String key) {
     }
 
     private boolean isSensitiveKey(String key) {
-        return key != null && key.matches("(?i).*(secret|password|token|api[-_]?key|private[-_]?key|credential).*");
+        if (key == null) {
+            return false;
+        }
+        String normalized = key.toLowerCase();
+        return normalized.contains("secret")
+                || normalized.contains("password")
+                || normalized.contains("token")
+                || normalized.contains("apikey")
+                || normalized.contains("api_key")
+                || normalized.contains("api-key")
+                || normalized.contains("privatekey")
+                || normalized.contains("private_key")
+                || normalized.contains("private-key")
+                || normalized.contains("credential");
     }
 
     private String serialize(ProjectScopeConfigResponse scopeConfig, JsonNode exportData, ExportFormat format) {
@@ -246,15 +259,30 @@ private String formatKey(String key, boolean envKey) {
         if (!envKey) {
             return key;
         }
-        return key
-                .replaceAll("([a-z0-9])([A-Z])", "$1_$2")
-                .replaceAll("[^A-Za-z0-9]+", "_")
-                .replaceAll("^_+|_+$", "")
-                .toUpperCase();
+        StringBuilder normalized = new StringBuilder();
+        char previous = 0;
+        for (int index = 0; index < key.length(); index++) {
+            char current = key.charAt(index);
+            if (Character.isUpperCase(current) && (Character.isLowerCase(previous) || Character.isDigit(previous))) {
+                normalized.append('_');
+            }
+            normalized.append(Character.isLetterOrDigit(current) ? current : '_');
+            previous = current;
+        }
+        return trim(normalized.toString(), '_').toUpperCase();
     }
 
     private String formatEnvValue(String value) {
-        return value.matches("[A-Za-z0-9_./:-]*") ? value : jsonQuote(value);
+        return value.chars().allMatch(ConfigurationExportService::isSafeEnvValueChar) ? value : jsonQuote(value);
+    }
+
+    private static boolean isSafeEnvValueChar(int character) {
+        return Character.isLetterOrDigit(character)
+                || character == '_'
+                || character == '.'
+                || character == '/'
+                || character == ':'
+                || character == '-';
     }
 
     private String writeToml(JsonNode value) {
@@ -344,11 +372,32 @@ private String buildFilename(ProjectScopeConfigResponse scopeConfig, ExportForma
     }
 
     private String slug(String value) {
-        return String.valueOf(value)
-                .trim()
-                .toLowerCase()
-                .replaceAll("[^a-z0-9]+", "-")
-                .replaceAll("^-+|-+$", "");
+        String lower = String.valueOf(value).trim().toLowerCase();
+        StringBuilder slug = new StringBuilder();
+        boolean previousDash = false;
+        for (int index = 0; index < lower.length(); index++) {
+            char current = lower.charAt(index);
+            if (Character.isLetterOrDigit(current)) {
+                slug.append(current);
+                previousDash = false;
+            } else if (!previousDash) {
+                slug.append('-');
+                previousDash = true;
+            }
+        }
+        return trim(slug.toString(), '-');
+    }
+
+    private String trim(String value, char trimChar) {
+        int start = 0;
+        int end = value.length();
+        while (start < end && value.charAt(start) == trimChar) {
+            start++;
+        }
+        while (end > start && value.charAt(end - 1) == trimChar) {
+            end--;
+        }
+        return value.substring(start, end);
     }
 
     private int countActiveOverrides(ProjectScopeConfigResponse scopeConfig) {
diff --git a/backend/src/main/java/com/cloudnative/project/OverrideService.java b/backend/src/main/java/com/cloudnative/project/OverrideService.java
index f0b5637..262c551 100644
--- a/backend/src/main/java/com/cloudnative/project/OverrideService.java
+++ b/backend/src/main/java/com/cloudnative/project/OverrideService.java
@@ -55,6 +55,7 @@ public OverrideState currentState(UUID projectId, UUID scopeId, UUID templateId,
      * Applies one override change under an already-created change session (a
      * change request being approved) and records it to version history.
      */
+    @SuppressWarnings("java:S107")
     @Transactional
     public void applyChange(
             UUID sessionId,
diff --git a/backend/src/main/java/com/cloudnative/versioning/VersionHistoryService.java b/backend/src/main/java/com/cloudnative/versioning/VersionHistoryService.java
index c4dbddd..dc916cf 100644
--- a/backend/src/main/java/com/cloudnative/versioning/VersionHistoryService.java
+++ b/backend/src/main/java/com/cloudnative/versioning/VersionHistoryService.java
@@ -96,6 +96,7 @@ public ChangeSession createSession(
      * Records one override mutation as an immutable history row. The override
      * write path calls this after it has written the live value.
      */
+    @SuppressWarnings("java:S107")
     @Transactional
     public ConfigurationOverrideHistory recordOverrideChange(
             UUID sessionId,
@@ -231,6 +232,7 @@ public Set<UUID> findSessionProjectIds(UUID sessionId) {
                 .collect(Collectors.toSet());
     }
 
+    @SuppressWarnings("java:S6809")
     @Transactional
     public UUID rollback(UUID sessionId, UUID actorId, String notes) {
         RestoreResult result = restoreSessionState(sessionId, RestoreTarget.before, actorId, notes);
diff --git a/backend/src/test/java/com/cloudnative/configuration/SecretMaskingServiceTest.java b/backend/src/test/java/com/cloudnative/configuration/SecretMaskingServiceTest.java
new file mode 100644
index 0000000..cb37ea4
--- /dev/null
+++ b/backend/src/test/java/com/cloudnative/configuration/SecretMaskingServiceTest.java
@@ -0,0 +1,68 @@
+package com.cloudnative.configuration;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import org.junit.jupiter.api.Test;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+class SecretMaskingServiceTest {
+    private final ObjectMapper objectMapper = new ObjectMapper();
+    private final SecretMaskingService service = new SecretMaskingService(objectMapper);
+
+    @Test
+    void masksSensitiveKeysRecursivelyInObjectsAndArrays() throws Exception {
+        var input = objectMapper.readTree("""
+                {
+                  "database": {
+                    "password": "secret",
+                    "users": [
+                      {"name": "alice", "api_key": "key-1"},
+                      {"name": "bob", "token": "token-2"}
+                    ]
+                  },
+                  "publicValue": "visible"
+                }
+                """);
+
+        var masked = service.mask(input);
+
+        assertThat(masked.path("database").path("password").asText()).isEqualTo(SecretMaskingService.MASK);
+        assertThat(masked.path("database").path("users").get(0).path("api_key").asText()).isEqualTo(SecretMaskingService.MASK);
+        assertThat(masked.path("database").path("users").get(1).path("token").asText()).isEqualTo(SecretMaskingService.MASK);
+        assertThat(masked.path("publicValue").asText()).isEqualTo("visible");
+    }
+
+    @Test
+    void masksRawContentForJsonYamlAndProperties() throws Exception {
+        var input = objectMapper.readTree("""
+                {
+                  "database": {"password": "secret", "host": "db.internal"},
+                  "tokens": ["one", "two"],
+                  "nullable": null
+                }
+                """);
+
+        assertThat(service.maskRawContent(ConfigurationFormat.json, input))
+                .contains(SecretMaskingService.MASK)
+                .doesNotContain("secret");
+        assertThat(service.maskRawContent(ConfigurationFormat.yaml, input))
+                .contains(SecretMaskingService.MASK)
+                .doesNotContain("secret");
+        assertThat(service.maskRawContent(ConfigurationFormat.properties, input))
+                .contains("database.password=" + SecretMaskingService.MASK)
+                .contains("tokens=" + SecretMaskingService.MASK)
+                .contains("nullable=");
+    }
+
+    @Test
+    void handlesNullScalarAndKeySpecificMasking() {
+        assertThat(service.mask(null)).isNull();
+        assertThat(service.mask(objectMapper.nullNode()).isNull()).isTrue();
+        assertThat(service.maskValueForKey("private-key", objectMapper.getNodeFactory().textNode("abc")).asText())
+                .isEqualTo(SecretMaskingService.MASK);
+        assertThat(service.maskValueForKey("displayName", objectMapper.getNodeFactory().textNode("Alice")).asText())
+                .isEqualTo("Alice");
+        assertThat(service.isSensitiveKey(null)).isFalse();
+        assertThat(service.isSensitiveKey("credentialsRef")).isTrue();
+    }
+}
diff --git a/backend/src/test/java/com/cloudnative/configuration/TemplateMetadataServiceTest.java b/backend/src/test/java/com/cloudnative/configuration/TemplateMetadataServiceTest.java
new file mode 100644
index 0000000..669203f
--- /dev/null
+++ b/backend/src/test/java/com/cloudnative/configuration/TemplateMetadataServiceTest.java
@@ -0,0 +1,71 @@
+package com.cloudnative.configuration;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import org.junit.jupiter.api.Test;
+
+import java.util.Optional;
+import java.util.UUID;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+class TemplateMetadataServiceTest {
+    private final ObjectMapper objectMapper = new ObjectMapper();
+
+    @Test
+    void reportsNoWarningWhenTemplateHasNoTypeOrBaseline() throws Exception {
+        ConfigurationRepository repository = mock(ConfigurationRepository.class);
+        TemplateMetadataService service = new TemplateMetadataService(repository, new TemplateKeyPathExtractor());
+
+        Configuration untyped = template("app.yaml", null, "{\"service\":{\"port\":8080}}", ConfigurationStatus.active);
+
+        assertThat(service.describe(untyped).keyConsistency().consistent()).isTrue();
+
+        TemplateType type = new TemplateType("app", "Application", "App config");
+        UUID typeId = UUID.randomUUID();
+        org.springframework.test.util.ReflectionTestUtils.setField(type, "id", typeId);
+        Configuration typed = template("app-prod.yaml", type, "{\"service\":{\"port\":8080}}", ConfigurationStatus.draft);
+        when(repository.findFirstByKindAndTemplateType_IdAndStatusOrderByCreatedAtAsc(
+                ConfigurationKind.template, typeId, ConfigurationStatus.active)).thenReturn(Optional.empty());
+        when(repository.findFirstByKindAndTemplateType_IdOrderByCreatedAtAsc(
+                ConfigurationKind.template, typeId)).thenReturn(Optional.empty());
+
+        assertThat(service.describe(typed).keyConsistency().consistent()).isTrue();
+    }
+
+    @Test
+    void comparesTemplateKeysAgainstActiveBaseline() throws Exception {
+        ConfigurationRepository repository = mock(ConfigurationRepository.class);
+        TemplateMetadataService service = new TemplateMetadataService(repository, new TemplateKeyPathExtractor());
+        TemplateType type = new TemplateType("app", "Application", "App config");
+        UUID typeId = UUID.randomUUID();
+        org.springframework.test.util.ReflectionTestUtils.setField(type, "id", typeId);
+
+        Configuration baseline = template("baseline.yaml", type, "{\"service\":{\"port\":8080,\"host\":\"app\"}}", ConfigurationStatus.active);
+        Configuration current = template("current.yaml", type, "{\"service\":{\"port\":9090},\"feature\":true}", ConfigurationStatus.draft);
+        when(repository.findFirstByKindAndTemplateType_IdAndStatusOrderByCreatedAtAsc(
+                ConfigurationKind.template, typeId, ConfigurationStatus.active)).thenReturn(Optional.of(baseline));
+
+        var response = service.describe(current);
+
+        assertThat(response.keyPaths()).contains("service.port", "feature");
+        assertThat(response.keyConsistency().consistent()).isFalse();
+        assertThat(response.keyConsistency().baselineTemplateName()).isEqualTo("baseline.yaml");
+        assertThat(response.keyConsistency().missingKeys()).containsExactly("service.host");
+        assertThat(response.keyConsistency().extraKeys()).containsExactly("feature");
+    }
+
+    private Configuration template(String name, TemplateType type, String json, ConfigurationStatus status) throws Exception {
+        return new Configuration(
+                name,
+                ConfigurationFormat.json,
+                json,
+                objectMapper.readTree(json),
+                ConfigurationKind.template,
+                type,
+                status,
+                null
+        );
+    }
+}
diff --git a/backend/src/test/java/com/cloudnative/configuration/TemplateTypeControllerTest.java b/backend/src/test/java/com/cloudnative/configuration/TemplateTypeControllerTest.java
new file mode 100644
index 0000000..8de0eff
--- /dev/null
+++ b/backend/src/test/java/com/cloudnative/configuration/TemplateTypeControllerTest.java
@@ -0,0 +1,215 @@
+package com.cloudnative.configuration;
+
+import com.cloudnative.identity.security.AuthenticatedUser;
+import com.cloudnative.identity.security.RoleGuard;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
+import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
+import org.springframework.boot.test.mock.mockito.MockBean;
+import org.springframework.test.util.ReflectionTestUtils;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.web.server.ResponseStatusException;
+
+import java.time.LocalDateTime;
+import java.util.List;
+import java.util.Optional;
+import java.util.UUID;
+
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.nullable;
+import static org.mockito.Mockito.doReturn;
+import static org.mockito.Mockito.doThrow;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+import static org.springframework.http.HttpStatus.FORBIDDEN;
+import static org.springframework.http.MediaType.APPLICATION_JSON;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.delete;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.put;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+@WebMvcTest(TemplateTypeController.class)
+@AutoConfigureMockMvc(addFilters = false)
+class TemplateTypeControllerTest {
+    private static final UUID USER_ID = UUID.fromString("aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa");
+    private static final UUID TYPE_ID = UUID.fromString("11111111-1111-1111-1111-111111111111");
+
+    @Autowired
+    private MockMvc mockMvc;
+
+    @MockBean
+    private TemplateTypeRepository templateTypeRepository;
+
+    @MockBean
+    private ConfigurationRepository configurationRepository;
+
+    @MockBean
+    private RoleGuard roleGuard;
+
+    @BeforeEach
+    void setUp() {
+        doReturn(USER_ID).when(roleGuard).requireWriterOrAdmin(nullable(AuthenticatedUser.class));
+    }
+
+    @Test
+    void listsTemplateTypes() throws Exception {
+        when(templateTypeRepository.findAllByOrderByNameAsc())
+                .thenReturn(List.of(templateType(TYPE_ID, "db", "Database Config", "Database settings")));
+
+        mockMvc.perform(get("/api/template-types"))
+                .andExpect(status().isOk())
+                .andExpect(jsonPath("$[0].id").value(TYPE_ID.toString()))
+                .andExpect(jsonPath("$[0].code").value("db"))
+                .andExpect(jsonPath("$[0].name").value("Database Config"));
+    }
+
+    @Test
+    void createsTemplateType() throws Exception {
+        when(templateTypeRepository.existsByCode("cache")).thenReturn(false);
+        when(templateTypeRepository.existsByNameIgnoreCase("Cache Config")).thenReturn(false);
+        when(templateTypeRepository.save(any(TemplateType.class))).thenAnswer(invocation -> {
+            TemplateType saved = invocation.getArgument(0);
+            ReflectionTestUtils.setField(saved, "id", TYPE_ID);
+            ReflectionTestUtils.setField(saved, "createdAt", LocalDateTime.of(2026, 5, 28, 10, 0));
+            return saved;
+        });
+
+        mockMvc.perform(post("/api/template-types")
+                        .contentType(APPLICATION_JSON)
+                        .content("""
+                                {
+                                  "code": "cache",
+                                  "name": "Cache Config",
+                                  "description": "Cache settings"
+                                }
+                                """))
+                .andExpect(status().isCreated())
+                .andExpect(jsonPath("$.id").value(TYPE_ID.toString()))
+                .andExpect(jsonPath("$.code").value("cache"))
+                .andExpect(jsonPath("$.name").value("Cache Config"))
+                .andExpect(jsonPath("$.description").value("Cache settings"));
+    }
+
+    @Test
+    void rejectsDuplicateTemplateTypeCode() throws Exception {
+        when(templateTypeRepository.existsByCode("db")).thenReturn(true);
+
+        mockMvc.perform(post("/api/template-types")
+                        .contentType(APPLICATION_JSON)
+                        .content("""
+                                {
+                                  "code": "db",
+                                  "name": "Database Config",
+                                  "description": "Duplicate"
+                                }
+                                """))
+                .andExpect(status().isConflict());
+    }
+
+    @Test
+    void rejectsDuplicateTemplateTypeNameOnCreate() throws Exception {
+        when(templateTypeRepository.existsByCode("database")).thenReturn(false);
+        when(templateTypeRepository.existsByNameIgnoreCase("Database Config")).thenReturn(true);
+
+        mockMvc.perform(post("/api/template-types")
+                        .contentType(APPLICATION_JSON)
+                        .content("""
+                                {
+                                  "code": "database",
+                                  "name": "Database Config",
+                                  "description": "Duplicate name"
+                                }
+                                """))
+                .andExpect(status().isConflict());
+    }
+
+    @Test
+    void updatesTemplateTypeNameAndDescriptionWithoutChangingCode() throws Exception {
+        TemplateType existing = templateType(TYPE_ID, "db", "Database Config", "Database settings");
+        when(templateTypeRepository.findById(TYPE_ID)).thenReturn(Optional.of(existing));
+        when(templateTypeRepository.existsByNameIgnoreCaseAndIdNot("Database Defaults", TYPE_ID)).thenReturn(false);
+        when(templateTypeRepository.save(any(TemplateType.class))).thenAnswer(invocation -> invocation.getArgument(0));
+
+        mockMvc.perform(put("/api/template-types/{id}", TYPE_ID)
+                        .contentType(APPLICATION_JSON)
+                        .content("""
+                                {
+                                  "name": "Database Defaults",
+                                  "description": "Updated database settings"
+                                }
+                                """))
+                .andExpect(status().isOk())
+                .andExpect(jsonPath("$.code").value("db"))
+                .andExpect(jsonPath("$.name").value("Database Defaults"))
+                .andExpect(jsonPath("$.description").value("Updated database settings"));
+    }
+
+    @Test
+    void rejectsDuplicateTemplateTypeNameOnUpdate() throws Exception {
+        TemplateType existing = templateType(TYPE_ID, "db", "Database Config", "Database settings");
+        when(templateTypeRepository.findById(TYPE_ID)).thenReturn(Optional.of(existing));
+        when(templateTypeRepository.existsByNameIgnoreCaseAndIdNot("Cache Config", TYPE_ID)).thenReturn(true);
+
+        mockMvc.perform(put("/api/template-types/{id}", TYPE_ID)
+                        .contentType(APPLICATION_JSON)
+                        .content("""
+                                {
+                                  "name": "Cache Config",
+                                  "description": "Duplicate name"
+                                }
+                                """))
+                .andExpect(status().isConflict());
+    }
+
+    @Test
+    void deletesUnusedTemplateType() throws Exception {
+        TemplateType existing = templateType(TYPE_ID, "cache", "Cache Config", null);
+        when(templateTypeRepository.findById(TYPE_ID)).thenReturn(Optional.of(existing));
+        when(configurationRepository.existsByKindAndTemplateType_IdAndDeletedAtIsNull(
+                ConfigurationKind.template, TYPE_ID)).thenReturn(false);
+
+        mockMvc.perform(delete("/api/template-types/{id}", TYPE_ID))
+                .andExpect(status().isNoContent());
+
+        verify(templateTypeRepository).delete(existing);
+    }
+
+    @Test
+    void rejectsDeleteWhenTemplateTypeIsUsedByTemplate() throws Exception {
+        TemplateType existing = templateType(TYPE_ID, "db", "Database Config", null);
+        when(templateTypeRepository.findById(TYPE_ID)).thenReturn(Optional.of(existing));
+        when(configurationRepository.existsByKindAndTemplateType_IdAndDeletedAtIsNull(
+                ConfigurationKind.template, TYPE_ID)).thenReturn(true);
+
+        mockMvc.perform(delete("/api/template-types/{id}", TYPE_ID))
+                .andExpect(status().isConflict());
+    }
+
+    @Test
+    void appliesRoleGuardToMutatingRequests() throws Exception {
+        doThrow(new ResponseStatusException(FORBIDDEN, "writer or admin role is required"))
+                .when(roleGuard).requireWriterOrAdmin(nullable(AuthenticatedUser.class));
+
+        mockMvc.perform(post("/api/template-types")
+                        .contentType(APPLICATION_JSON)
+                        .content("""
+                                {
+                                  "code": "cache",
+                                  "name": "Cache Config",
+                                  "description": "Cache settings"
+                                }
+                                """))
+                .andExpect(status().isForbidden());
+    }
+
+    private TemplateType templateType(UUID id, String code, String name, String description) {
+        TemplateType templateType = new TemplateType(code, name, description);
+        ReflectionTestUtils.setField(templateType, "id", id);
+        ReflectionTestUtils.setField(templateType, "createdAt", LocalDateTime.of(2026, 5, 28, 10, 0));
+        return templateType;
+    }
+}
diff --git a/backend/src/test/java/com/cloudnative/exporting/ConfigurationExportServiceTest.java b/backend/src/test/java/com/cloudnative/exporting/ConfigurationExportServiceTest.java
index ff0dcdb..436e9d3 100644
--- a/backend/src/test/java/com/cloudnative/exporting/ConfigurationExportServiceTest.java
+++ b/backend/src/test/java/com/cloudnative/exporting/ConfigurationExportServiceTest.java
@@ -60,6 +60,59 @@ void exportsJsonFromBackendManagedEffectiveConfig() {
         assertThat(preview.content()).contains("\"password\" : \"********************\"");
     }
 
+
+
+    @Test
+    void defaultsToYamlAndExportsNestedArraysNullsAndTemplateNameFallback() {
+        ProjectCompositionService compositionService = mock(ProjectCompositionService.class);
+        when(compositionService.findScopeConfig(PROJECT_ID, SCOPE_ID)).thenReturn(scopeConfigWithNestedValues());
+
+        ConfigurationExportService exportService = new ConfigurationExportService(compositionService, objectMapper);
+
+        var preview = exportService.preview(new ExportRequest(PROJECT_ID, SCOPE_ID, null));
+
+        assertThat(preview.format()).isEqualTo(ExportFormat.yaml);
+        assertThat(preview.filename()).isEqualTo("core-api-global-default.yaml");
+        assertThat(preview.content()).contains("Multi-Project Configuration Export");
+        assertThat(preview.content()).contains("legacy-template.yaml");
+        assertThat(preview.content()).contains("********************");
+        assertThat(preview.keyCount()).isEqualTo(4);
+        assertThat(preview.overrideCount()).isEqualTo(2);
+    }
+
+    @Test
+    void exportsEnvWithNormalizedKeysAndQuotedUnsafeValues() {
+        ProjectCompositionService compositionService = mock(ProjectCompositionService.class);
+        when(compositionService.findScopeConfig(PROJECT_ID, SCOPE_ID)).thenReturn(scopeConfigWithNestedValues());
+
+        ConfigurationExportService exportService = new ConfigurationExportService(compositionService, objectMapper);
+
+        var preview = exportService.preview(new ExportRequest(PROJECT_ID, SCOPE_ID, ExportFormat.env));
+
+        assertThat(preview.filename()).isEqualTo("core-api-global-default.env");
+        assertThat(preview.content()).contains("LEGACY_TEMPLATE_YAML_FEATURE_FLAGS_0=true");
+        assertThat(preview.content()).contains("LEGACY_TEMPLATE_YAML_MESSAGE=\"hello world\"");
+        assertThat(preview.content()).contains("LEGACY_TEMPLATE_YAML_NULLABLE=");
+    }
+
+    @Test
+    void exportsTomlAndIniSections() {
+        ProjectCompositionService compositionService = mock(ProjectCompositionService.class);
+        when(compositionService.findScopeConfig(PROJECT_ID, SCOPE_ID)).thenReturn(scopeConfigWithNestedValues());
+
+        ConfigurationExportService exportService = new ConfigurationExportService(compositionService, objectMapper);
+
+        var toml = exportService.preview(new ExportRequest(PROJECT_ID, SCOPE_ID, ExportFormat.toml));
+        var ini = exportService.preview(new ExportRequest(PROJECT_ID, SCOPE_ID, ExportFormat.ini));
+
+        assertThat(toml.content()).contains("[legacy-template.yaml]");
+        assertThat(toml.content()).contains("message = \"hello world\"");
+        assertThat(toml.content()).contains("featureFlags = [true, false]");
+        assertThat(ini.content()).contains("[legacy-template.yaml]");
+        assertThat(ini.content()).contains("featureFlags[0]=true");
+        assertThat(ini.content()).contains("nullable=");
+    }
+
     private ProjectScopeConfigResponse scopeConfig() {
         var parsed = objectMapper.createObjectNode();
         parsed.put("serviceName", "order-service");
@@ -117,4 +170,78 @@ private ProjectScopeConfigResponse scopeConfig() {
                 ))
         );
     }
+
+    private ProjectScopeConfigResponse scopeConfigWithNestedValues() {
+        var parsed = objectMapper.createObjectNode();
+        parsed.put("message", "hello world");
+        parsed.putNull("nullable");
+        var flags = parsed.putArray("featureFlags");
+        flags.add(true);
+        flags.add(false);
+        var nested = parsed.putObject("nested");
+        nested.put("apiToken", "raw-token");
+
+        return new ProjectScopeConfigResponse(
+                PROJECT_ID,
+                "Core API",
+                "Core API",
+                new ProjectScopeResponse(
+                        SCOPE_ID,
+                        UUID.fromString("55555555-5555-5555-5555-555555555555"),
+                        null,
+                        "Global",
+                        UUID.fromString("66666666-6666-6666-6666-666666666666"),
+                        null,
+                        "Default",
+                        1
+                ),
+                List.of(new ProjectConfigSectionResponse(
+                        TEMPLATE_ID,
+                        "legacy-template.yaml",
+                        null,
+                        ConfigurationFormat.yaml,
+                        ConfigurationStatus.active,
+                        "message: hello world\n",
+                        parsed,
+                        List.of("message", "nullable", "featureFlags[0]", "featureFlags[1]", "nested.apiToken"),
+                        100,
+                        List.of(
+                                new OverrideResponse(
+                                        UUID.fromString("99999999-9999-9999-9999-999999999999"),
+                                        PROJECT_ID,
+                                        SCOPE_ID,
+                                        UUID.randomUUID(),
+                                        "ignored.value",
+                                        objectMapper.getNodeFactory().textNode("ignored"),
+                                        false,
+                                        null,
+                                        LocalDateTime.of(2026, 5, 27, 10, 10)
+                                ),
+                                new OverrideResponse(
+                                        UUID.fromString("aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"),
+                                        PROJECT_ID,
+                                        SCOPE_ID,
+                                        TEMPLATE_ID,
+                                        "nested.apiToken",
+                                        objectMapper.getNodeFactory().textNode("override-token"),
+                                        false,
+                                        null,
+                                        LocalDateTime.of(2026, 5, 27, 10, 15)
+                                ),
+                                new OverrideResponse(
+                                        UUID.fromString("bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"),
+                                        PROJECT_ID,
+                                        SCOPE_ID,
+                                        TEMPLATE_ID,
+                                        "deleted.value",
+                                        objectMapper.getNodeFactory().textNode("deleted"),
+                                        true,
+                                        null,
+                                        LocalDateTime.of(2026, 5, 27, 10, 20)
+                                )
+                        )
+                ))
+        );
+    }
+
 }
diff --git a/backend/src/test/java/com/cloudnative/project/OverrideServiceTest.java b/backend/src/test/java/com/cloudnative/project/OverrideServiceTest.java
new file mode 100644
index 0000000..d22b237
--- /dev/null
+++ b/backend/src/test/java/com/cloudnative/project/OverrideServiceTest.java
@@ -0,0 +1,246 @@
+package com.cloudnative.project;
+
+import com.cloudnative.identity.role.ScopeRepository;
+import com.cloudnative.versioning.VersionHistoryService;
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.ArgumentCaptor;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+import org.springframework.web.server.ResponseStatusException;
+
+import java.util.List;
+import java.util.Optional;
+import java.util.UUID;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.never;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
+@ExtendWith(MockitoExtension.class)
+class OverrideServiceTest {
+    private static final UUID PROJECT_ID = UUID.fromString("11111111-1111-1111-1111-111111111111");
+    private static final UUID SCOPE_ID = UUID.fromString("22222222-2222-2222-2222-222222222222");
+    private static final UUID SESSION_ID = UUID.fromString("33333333-3333-3333-3333-333333333333");
+    private static final UUID ACTOR_ID = UUID.fromString("44444444-4444-4444-4444-444444444444");
+    private static final UUID TEMPLATE_ID = UUID.fromString("55555555-5555-5555-5555-555555555555");
+
+    @Mock
+    private ConfigurationOverrideRepository overrideRepository;
+
+    @Mock
+    private ScopeRepository scopeRepository;
+
+    @Mock
+    private VersionHistoryService versionHistoryService;
+
+    private final ObjectMapper objectMapper = new ObjectMapper();
+
+    @Test
+    void listByScopeValidatesScopeAndMapsOverrides() {
+        JsonNode value = objectMapper.createObjectNode().put("timeout", 60);
+        ConfigurationOverride override = new ConfigurationOverride(
+                PROJECT_ID,
+                SCOPE_ID,
+                TEMPLATE_ID,
+                "database.timeout",
+                value,
+                ACTOR_ID
+        );
+
+        when(scopeRepository.existsByIdAndProjectId(SCOPE_ID, PROJECT_ID)).thenReturn(true);
+        when(overrideRepository.findByProjectIdAndScopeIdAndIsDeletedFalse(PROJECT_ID, SCOPE_ID))
+                .thenReturn(List.of(override));
+
+        var responses = service().listByScope(PROJECT_ID, SCOPE_ID);
+
+        assertThat(responses).hasSize(1);
+        assertThat(responses.get(0).templateId()).isEqualTo(TEMPLATE_ID);
+        assertThat(responses.get(0).configKey()).isEqualTo("database.timeout");
+        assertThat(responses.get(0).value()).isEqualTo(value);
+    }
+
+    @Test
+    void currentStateReturnsExistingOverrideStateForTemplateKey() {
+        JsonNode value = objectMapper.createObjectNode().put("enabled", true);
+        ConfigurationOverride override = new ConfigurationOverride(
+                PROJECT_ID,
+                SCOPE_ID,
+                TEMPLATE_ID,
+                "feature.enabled",
+                value,
+                ACTOR_ID
+        );
+        override.markDeleted();
+
+        when(overrideRepository.findByProjectIdAndScopeIdAndTemplateConfigIdAndConfigKey(
+                PROJECT_ID, SCOPE_ID, TEMPLATE_ID, "feature.enabled"))
+                .thenReturn(Optional.of(override));
+
+        var state = service().currentState(PROJECT_ID, SCOPE_ID, TEMPLATE_ID, "feature.enabled");
+
+        assertThat(state.value()).isNull();
+        assertThat(state.deleted()).isTrue();
+    }
+
+    @Test
+    void currentStateReturnsEmptyStateWhenOverrideIsMissing() {
+        when(overrideRepository.findByProjectIdAndScopeIdAndTemplateConfigIdAndConfigKey(
+                PROJECT_ID, SCOPE_ID, TEMPLATE_ID, "feature.enabled"))
+                .thenReturn(Optional.empty());
+
+        var state = service().currentState(PROJECT_ID, SCOPE_ID, TEMPLATE_ID, "feature.enabled");
+
+        assertThat(state.value()).isNull();
+        assertThat(state.deleted()).isFalse();
+    }
+
+    @Test
+    void applyChangeUpdatesExistingOverrideAndRecordsHistory() {
+        JsonNode before = objectMapper.createObjectNode().put("timeout", 30);
+        JsonNode after = objectMapper.createObjectNode().put("timeout", 60);
+        ConfigurationOverride override = new ConfigurationOverride(
+                PROJECT_ID,
+                SCOPE_ID,
+                TEMPLATE_ID,
+                "database.timeout",
+                before,
+                ACTOR_ID
+        );
+
+        when(scopeRepository.existsByIdAndProjectId(SCOPE_ID, PROJECT_ID)).thenReturn(true);
+        when(overrideRepository.findByProjectIdAndScopeIdAndTemplateConfigIdAndConfigKey(
+                PROJECT_ID, SCOPE_ID, TEMPLATE_ID, "database.timeout"))
+                .thenReturn(Optional.of(override));
+
+        service().applyChange(
+                SESSION_ID,
+                PROJECT_ID,
+                SCOPE_ID,
+                TEMPLATE_ID,
+                "database.timeout",
+                after,
+                false,
+                ACTOR_ID
+        );
+
+        assertThat(override.getValue()).isEqualTo(after);
+        assertThat(override.isDeleted()).isFalse();
+        verify(overrideRepository, never()).save(any());
+        verify(versionHistoryService).recordOverrideChange(
+                SESSION_ID,
+                PROJECT_ID,
+                SCOPE_ID,
+                TEMPLATE_ID,
+                "database.timeout",
+                before,
+                after,
+                false,
+                false
+        );
+    }
+
+    @Test
+    void applyChangeCreatesNewOverrideWhenMissing() {
+        JsonNode value = objectMapper.createObjectNode().put("pool", 10);
+
+        when(scopeRepository.existsByIdAndProjectId(SCOPE_ID, PROJECT_ID)).thenReturn(true);
+        when(overrideRepository.findByProjectIdAndScopeIdAndTemplateConfigIdAndConfigKey(
+                PROJECT_ID, SCOPE_ID, TEMPLATE_ID, "database.pool"))
+                .thenReturn(Optional.empty());
+
+        service().applyChange(
+                SESSION_ID,
+                PROJECT_ID,
+                SCOPE_ID,
+                TEMPLATE_ID,
+                "database.pool",
+                value,
+                false,
+                ACTOR_ID
+        );
+
+        ArgumentCaptor<ConfigurationOverride> captor =
+                ArgumentCaptor.forClass(ConfigurationOverride.class);
+        verify(overrideRepository).save(captor.capture());
+        assertThat(captor.getValue().getProjectId()).isEqualTo(PROJECT_ID);
+        assertThat(captor.getValue().getScopeId()).isEqualTo(SCOPE_ID);
+        assertThat(captor.getValue().getTemplateConfigId()).isEqualTo(TEMPLATE_ID);
+        assertThat(captor.getValue().getConfigKey()).isEqualTo("database.pool");
+        assertThat(captor.getValue().getValue()).isEqualTo(value);
+        verify(versionHistoryService).recordOverrideChange(
+                SESSION_ID,
+                PROJECT_ID,
+                SCOPE_ID,
+                TEMPLATE_ID,
+                "database.pool",
+                null,
+                value,
+                false,
+                false
+        );
+    }
+
+    @Test
+    void applyChangeMarksExistingOverrideDeletedAndRecordsHistory() {
+        JsonNode before = objectMapper.createObjectNode().put("enabled", true);
+        ConfigurationOverride override = new ConfigurationOverride(
+                PROJECT_ID,
+                SCOPE_ID,
+                TEMPLATE_ID,
+                "feature.enabled",
+                before,
+                ACTOR_ID
+        );
+
+        when(scopeRepository.existsByIdAndProjectId(SCOPE_ID, PROJECT_ID)).thenReturn(true);
+        when(overrideRepository.findByProjectIdAndScopeIdAndTemplateConfigIdAndConfigKey(
+                PROJECT_ID, SCOPE_ID, TEMPLATE_ID, "feature.enabled"))
+                .thenReturn(Optional.of(override));
+
+        service().applyChange(
+                SESSION_ID,
+                PROJECT_ID,
+                SCOPE_ID,
+                TEMPLATE_ID,
+                "feature.enabled",
+                null,
+                true,
+                ACTOR_ID
+        );
+
+        assertThat(override.getValue()).isNull();
+        assertThat(override.isDeleted()).isTrue();
+        verify(versionHistoryService).recordOverrideChange(
+                SESSION_ID,
+                PROJECT_ID,
+                SCOPE_ID,
+                TEMPLATE_ID,
+                "feature.enabled",
+                before,
+                null,
+                false,
+                true
+        );
+    }
+
+    @Test
+    void validateScopeRejectsUnknownScope() {
+        when(scopeRepository.existsByIdAndProjectId(SCOPE_ID, PROJECT_ID)).thenReturn(false);
+
+        OverrideService service = service();
+
+        assertThatThrownBy(() -> service.validateScope(PROJECT_ID, SCOPE_ID))
+                .isInstanceOf(ResponseStatusException.class)
+                .hasMessageContaining("Project scope not found");
+    }
+
+    private OverrideService service() {
+        return new OverrideService(overrideRepository, scopeRepository, versionHistoryService);
+    }
+}
diff --git a/backend/src/test/java/com/cloudnative/project/ProjectCompositionServiceTest.java b/backend/src/test/java/com/cloudnative/project/ProjectCompositionServiceTest.java
index 8002d1e..6ab843c 100644
--- a/backend/src/test/java/com/cloudnative/project/ProjectCompositionServiceTest.java
+++ b/backend/src/test/java/com/cloudnative/project/ProjectCompositionServiceTest.java
@@ -119,11 +119,14 @@ void rejectsMultipleTemplatesForSameType() {
         when(configurationRepository.findAllById(List.of(DB_TEMPLATE_ID, DB_TEMPLATE_VARIANT_ID)))
                 .thenReturn(List.of(dbTemplate, dbVariant));
 
-        assertThatThrownBy(() -> service().create(new ProjectCreateRequest(
+        ProjectCompositionService service = service();
+        ProjectCreateRequest request = new ProjectCreateRequest(
                 "core-api",
                 "Core API",
                 List.of(DB_TEMPLATE_ID, DB_TEMPLATE_VARIANT_ID)
-        )))
+        );
+
+        assertThatThrownBy(() -> service.create(request))
                 .isInstanceOf(ResponseStatusException.class)
                 .hasMessageContaining("only one template per template type");
     }
diff --git a/backend/src/test/java/com/cloudnative/versioning/VersionHistoryServiceTest.java b/backend/src/test/java/com/cloudnative/versioning/VersionHistoryServiceTest.java
index 10166d8..fb341ed 100644
--- a/backend/src/test/java/com/cloudnative/versioning/VersionHistoryServiceTest.java
+++ b/backend/src/test/java/com/cloudnative/versioning/VersionHistoryServiceTest.java
@@ -7,8 +7,13 @@
 import com.cloudnative.configuration.ConfigurationSnapshot;
 import com.cloudnative.configuration.ConfigurationSnapshotRepository;
 import com.cloudnative.configuration.ConfigurationStatus;
+import com.cloudnative.identity.role.Environment;
+import com.cloudnative.identity.role.Project;
 import com.cloudnative.identity.role.ProjectRepository;
+import com.cloudnative.identity.role.Scope;
 import com.cloudnative.identity.role.ScopeRepository;
+import com.cloudnative.identity.role.Site;
+import com.cloudnative.identity.user.UserAccount;
 import com.cloudnative.identity.user.UserAccountRepository;
 import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.ObjectMapper;
@@ -26,9 +31,12 @@
 import java.util.UUID;
 
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
 import static org.mockito.ArgumentMatchers.anyString;
 import static org.mockito.Mockito.any;
 import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.never;
+import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 
 @ExtendWith(MockitoExtension.class)
@@ -271,6 +279,161 @@ void restoreOverrideAfterStateAppliesHistoricalValuesAndRecordsHistory() throws
         assertThat(restoreHistory.isAfterDeleted()).isFalse();
     }
 
+
+
+    @Test
+    void diffTemplateKeysFlattensNestedArraysNullsAndSkipsUnchangedValues() throws Exception {
+        JsonNode before = objectMapper.readTree("""
+                {"service":{"port":8080,"hosts":["a","b"],"nullable":null}}
+                """);
+        JsonNode after = objectMapper.readTree("""
+                {"service":{"port":9090,"hosts":["a","c"],"enabled":true}}
+                """);
+
+        var changes = service().diffTemplateKeys(before, after);
+
+        assertThat(changes).extracting("key")
+                .containsExactly("service.enabled", "service.hosts[1]", "service.nullable", "service.port");
+        assertThat(changes).allMatch(change -> change.stillApplied());
+    }
+
+    @Test
+    void listSessionsSummarizesOverrideAndTemplateSessionsWithActorsAndScopeLabels() throws Exception {
+        UUID actorId = UUID.randomUUID();
+        UUID overrideSessionId = UUID.randomUUID();
+        UUID templateSessionId = UUID.randomUUID();
+        UUID projectId = UUID.randomUUID();
+        UUID scopeId = UUID.randomUUID();
+        UUID templateId = UUID.randomUUID();
+
+        ChangeSession overrideSession = session(overrideSessionId, ChangeSessionType.direct, actorId, "Override values");
+        ChangeSession templateSession = session(templateSessionId, ChangeSessionType.direct, actorId, "Template: app.yaml");
+        ConfigurationOverrideHistory history = new ConfigurationOverrideHistory(
+                overrideSessionId, projectId, scopeId, templateId, "service.port",
+                objectMapper.readTree("8080"), objectMapper.readTree("9090"), false, false);
+        ConfigurationSnapshot snapshot = new ConfigurationSnapshot(
+                templateId, 1, templateSessionId, "{\"port\":8080}", objectMapper.readTree("{\"port\":8080}"), actorId);
+        Configuration template = template(templateId, "app.yaml", "{\"port\":9090}", objectMapper.readTree("{\"port\":9090}"), 2);
+        UserAccount user = new UserAccount("alice", "hash");
+        ReflectionTestUtils.setField(user, "id", actorId);
+
+        when(changeSessionRepository.findAllByOrderByCreatedAtDesc()).thenReturn(List.of(overrideSession, templateSession));
+        when(overrideHistoryRepository.findBySessionIdIn(List.of(overrideSessionId, templateSessionId))).thenReturn(List.of(history));
+        when(configurationSnapshotRepository.findBySessionIdIn(List.of(overrideSessionId, templateSessionId))).thenReturn(List.of(snapshot));
+        when(configurationRepository.findAllById(any())).thenReturn(List.of(template));
+        when(userAccountRepository.findAllById(any())).thenReturn(List.of(user));
+        mockScope(scopeId, projectId, "Core API", "Taipei", "Production");
+
+        var summaries = service().listSessions();
+
+        assertThat(summaries).hasSize(2);
+        assertThat(summaries.get(0).actorName()).isEqualTo("alice");
+        assertThat(summaries.get(0).changeCount()).isEqualTo(1);
+        assertThat(summaries.get(0).scopes()).containsExactly("Core API / Taipei / Production");
+        assertThat(summaries.get(1).scopes()).containsExactly("app.yaml");
+        assertThat(summaries.get(1).changeCount()).isEqualTo(1);
+    }
+
+    @Test
+    void listSessionsReturnsEmptyWithoutRepositoryFanOut() {
+        when(changeSessionRepository.findAllByOrderByCreatedAtDesc()).thenReturn(List.of());
+
+        assertThat(service().listSessions()).isEmpty();
+
+        verify(overrideHistoryRepository, never()).findBySessionIdIn(any());
+    }
+
+    @Test
+    void getOverrideSessionDetailMarksSupersededChangesAndResolvesScopeLabels() throws Exception {
+        UUID actorId = UUID.randomUUID();
+        UUID sessionId = UUID.randomUUID();
+        UUID supersedingSessionId = UUID.randomUUID();
+        UUID projectId = UUID.randomUUID();
+        UUID scopeId = UUID.randomUUID();
+        UUID templateId = UUID.randomUUID();
+        ChangeSession original = session(sessionId, ChangeSessionType.direct, actorId, "Override values");
+        UserAccount user = new UserAccount("alice", "hash");
+        ReflectionTestUtils.setField(user, "id", actorId);
+        ConfigurationOverrideHistory history = new ConfigurationOverrideHistory(
+                sessionId, projectId, scopeId, templateId, "service.port",
+                objectMapper.readTree("8080"), objectMapper.readTree("9090"), false, false);
+        ConfigurationOverrideHistory newer = new ConfigurationOverrideHistory(
+                supersedingSessionId, projectId, scopeId, templateId, "service.port",
+                objectMapper.readTree("9090"), objectMapper.readTree("7070"), false, false);
+
+        when(changeSessionRepository.findById(sessionId)).thenReturn(Optional.of(original));
+        when(userAccountRepository.findById(actorId)).thenReturn(Optional.of(user));
+        when(configurationSnapshotRepository.findFirstBySessionId(sessionId)).thenReturn(Optional.empty());
+        when(overrideHistoryRepository.findBySessionId(sessionId)).thenReturn(List.of(history));
+        when(overrideHistoryRepository.findByProjectIdAndScopeIdAndTemplateConfigIdAndConfigKeyAndCreatedAtGreaterThanOrderByCreatedAtAsc(
+                any(), any(), any(), anyString(), any())).thenReturn(List.of(newer));
+        mockScope(scopeId, projectId, "Core API", "Taipei", "Production");
+
+        var detail = service().getSessionDetail(sessionId);
+
+        assertThat(detail.actorName()).isEqualTo("alice");
+        assertThat(detail.resourceKind()).isEqualTo("override");
+        assertThat(detail.stillApplied()).isFalse();
+        assertThat(detail.supersededBy()).isEqualTo(supersedingSessionId);
+        assertThat(detail.changes()).hasSize(1);
+        assertThat(detail.changes().get(0).project()).isEqualTo("Core API");
+        assertThat(detail.changes().get(0).site()).isEqualTo("Taipei");
+        assertThat(detail.changes().get(0).env()).isEqualTo("Production");
+        assertThat(detail.changes().get(0).stillApplied()).isFalse();
+    }
+
+    @Test
+    void getTemplateSessionDetailUsesNextSnapshotAsAfterState() throws Exception {
+        UUID actorId = UUID.randomUUID();
+        UUID sessionId = UUID.randomUUID();
+        UUID nextSessionId = UUID.randomUUID();
+        UUID templateId = UUID.randomUUID();
+        ChangeSession original = session(sessionId, ChangeSessionType.direct, actorId, "Template: app.yaml");
+        ConfigurationSnapshot snapshot = new ConfigurationSnapshot(
+                templateId, 1, sessionId, "{\"port\":8080}", objectMapper.readTree("{\"port\":8080}"), actorId);
+        ConfigurationSnapshot next = new ConfigurationSnapshot(
+                templateId, 2, nextSessionId, "{\"port\":9090}", objectMapper.readTree("{\"port\":9090}"), actorId);
+        Configuration template = template(templateId, "app.yaml", "{\"port\":7070}", objectMapper.readTree("{\"port\":7070}"), 3);
+
+        when(changeSessionRepository.findById(sessionId)).thenReturn(Optional.of(original));
+        when(userAccountRepository.findById(actorId)).thenReturn(Optional.empty());
+        when(configurationSnapshotRepository.findFirstBySessionId(sessionId)).thenReturn(Optional.of(snapshot));
+        when(configurationSnapshotRepository.findFirstByConfigurationIdAndVersionGreaterThanOrderByVersionAsc(templateId, 1))
+                .thenReturn(Optional.of(next));
+        when(configurationRepository.findById(templateId)).thenReturn(Optional.of(template));
+
+        var detail = service().getSessionDetail(sessionId);
+
+        assertThat(detail.resourceKind()).isEqualTo("template");
+        assertThat(detail.stillApplied()).isFalse();
+        assertThat(detail.supersededBy()).isEqualTo(nextSessionId);
+        assertThat(detail.versionFrom()).isEqualTo(1);
+        assertThat(detail.versionTo()).isEqualTo(2);
+        assertThat(detail.changes()).hasSize(1);
+        assertThat(detail.changes().get(0).project()).isEqualTo("app.yaml");
+    }
+
+    @Test
+    void restoreRejectsMissingTargetMissingSessionAndEmptyOverrideHistory() {
+        UUID sessionId = UUID.randomUUID();
+        UUID actorId = UUID.randomUUID();
+
+        assertThatThrownBy(() -> service().restoreSessionState(sessionId, null, actorId, "notes"))
+                .hasMessageContaining("Restore target is required");
+
+        when(changeSessionRepository.findById(sessionId)).thenReturn(Optional.empty());
+        assertThatThrownBy(() -> service().restoreSessionState(sessionId, RestoreTarget.before, actorId, "notes"))
+                .hasMessageContaining("Change session not found");
+
+        ChangeSession session = session(sessionId, ChangeSessionType.direct, actorId, "No changes");
+        when(changeSessionRepository.findById(sessionId)).thenReturn(Optional.of(session));
+        when(configurationSnapshotRepository.findFirstBySessionId(sessionId)).thenReturn(Optional.empty());
+        when(overrideHistoryRepository.findBySessionId(sessionId)).thenReturn(List.of());
+
+        assertThatThrownBy(() -> service().restoreSessionState(sessionId, RestoreTarget.before, actorId, "notes"))
+                .hasMessageContaining("Change session has no changes to restore");
+    }
+
     private VersionHistoryService service() {
         return new VersionHistoryService(
                 changeSessionRepository,
@@ -284,4 +447,39 @@ private VersionHistoryService service() {
                 objectMapper
         );
     }
+
+    private ChangeSession session(UUID id, ChangeSessionType type, UUID actorId, String title) {
+        ChangeSession session = new ChangeSession(type, actorId, null, title, "notes");
+        ReflectionTestUtils.setField(session, "id", id);
+        return session;
+    }
+
+    private Configuration template(UUID id, String name, String raw, JsonNode parsed, int version) {
+        Configuration template = new Configuration(
+                name,
+                ConfigurationFormat.json,
+                raw,
+                parsed,
+                ConfigurationKind.template,
+                ConfigurationStatus.active,
+                null
+        );
+        ReflectionTestUtils.setField(template, "id", id);
+        ReflectionTestUtils.setField(template, "version", version);
+        return template;
+    }
+
+    private void mockScope(UUID scopeId, UUID projectId, String projectName, String siteName, String envName) {
+        Project project = new Project("core-api", projectName);
+        ReflectionTestUtils.setField(project, "id", projectId);
+        Site site = mock(Site.class);
+        when(site.getSiteName()).thenReturn(siteName);
+        Environment environment = mock(Environment.class);
+        when(environment.getEnvName()).thenReturn(envName);
+        Scope scope = new Scope(projectId, site, environment);
+        ReflectionTestUtils.setField(scope, "id", scopeId);
+        when(scopeRepository.findAllById(any())).thenReturn(List.of(scope));
+        when(projectRepository.findAllById(any())).thenReturn(List.of(project));
+    }
+
 }
diff --git a/docs/quality-and-sonarqube.md b/docs/quality-and-sonarqube.md
new file mode 100644
index 0000000..f5d2bc0
--- /dev/null
+++ b/docs/quality-and-sonarqube.md
@@ -0,0 +1,184 @@
+# Quality And SonarQube Guide
+
+This document explains how to reproduce the project quality evidence with frontend coverage, backend coverage, and SonarQube Quality Gate analysis.
+
+## Canonical Project
+
+Use the root aggregate SonarQube project as the canonical quality project:
+
+```text
+cloud-native
+```
+
+The aggregate project is configured by [../sonar-project.properties](../sonar-project.properties). It scans both sides of the repository:
+
+```text
+frontend/src
+backend/src/main/java
+frontend/tests
+backend/src/test/java
+```
+
+It imports coverage from:
+
+```text
+frontend/coverage/lcov.info
+backend/target/site/jacoco/jacoco.xml
+```
+
+## Required Order
+
+Always generate coverage before running the scanner.
+
+```bash
+cd frontend
+npm run test:coverage
+
+cd ../backend
+mvn clean verify
+
+cd ..
+npx @sonar/scan \
+  -Dsonar.host.url=http://localhost:9000 \
+  -Dsonar.token=$SONAR_TOKEN
+```
+
+If `frontend/coverage/lcov.info` or `backend/target/site/jacoco/jacoco.xml` is missing, SonarQube can report lower or zero coverage.
+
+## Online SonarQube Or SonarCloud
+
+The same scan model should be used online:
+
+1. checkout the repository;
+2. install frontend dependencies;
+3. run frontend coverage;
+4. run backend `mvn clean verify`;
+5. run scanner from the repository root.
+
+Example:
+
+```bash
+cd frontend
+npm ci
+npm run test:coverage
+
+cd ../backend
+mvn clean verify
+
+cd ..
+npx @sonar/scan \
+  -Dsonar.host.url=$SONAR_HOST_URL \
+  -Dsonar.token=$SONAR_TOKEN
+```
+
+For SonarCloud, include the organization if needed:
+
+```bash
+-Dsonar.organization=<organization-key>
+```
+
+Do not write tokens into repository files. Use CI secrets, environment variables, or local shell variables.
+
+## Quality Gate Expectations
+
+The expected Quality Gate evidence for the root project is:
+
+```text
+Project key: cloud-native
+Quality Gate: OK
+Coverage: 80%+
+New coverage: 80%+
+New violations: 0
+Duplicated lines on new code: below gate threshold
+```
+
+Exact values can differ across environments because SonarQube version, quality profile, New Code baseline, and server-side project settings can differ.
+
+## New Code Baseline Risk
+
+A local project and an online project may not use the same New Code baseline.
+
+Common baseline modes include:
+
+- previous version;
+- number of days;
+- reference branch;
+- specific analysis.
+
+If an online SonarQube project is created fresh and treats the full branch as New Code, it may report more New Code issues than the local server. In that case, either fix the newly reported issues or configure the intended New Code baseline in SonarQube.
+
+## Standalone Project Keys
+
+The repository may also have standalone local projects from earlier scans:
+
+```text
+cloud-native-frontend
+cloud-native-backend
+```
+
+These are not the recommended final evidence projects unless intentionally maintained. They have their own issue history, Quality Gate status, and New Code baseline. A standalone project can fail even when the root `cloud-native` project passes.
+
+For final review, presentation, or CI evidence, prefer:
+
+```text
+cloud-native
+```
+
+## Coverage Exclusion Rationale
+
+Coverage exclusions should stay conservative. They are intended for files with low test value or framework-driven behavior, not for hiding core product logic.
+
+Reasonable examples:
+
+- app bootstrap and entry files;
+- static data fixtures;
+- generated or build output;
+- DTOs and simple data carriers;
+- repositories and controllers when service-level tests cover behavior;
+- enums and constant-only files;
+- framework configuration;
+- prototype/demo preview files that are not part of the formal product flow.
+
+Core service logic, security behavior, frontend workflows, parsing, import/export behavior, and change/version workflows should be tested rather than excluded.
+
+## Security Hotspots
+
+Security Hotspots are review items, not automatically vulnerabilities. Each hotspot should have one of these outcomes:
+
+- fixed in code;
+- marked safe with a clear reason in SonarQube;
+- documented as accepted risk with follow-up work.
+
+Examples relevant to this project:
+
+- pseudorandom values used only for demo identifiers are not security-sensitive;
+- CSRF disabling is acceptable only when the backend is a stateless token-based API and does not rely on cookie session authentication.
+
+If the authentication model changes to cookie-based sessions, CSRF protection must be revisited.
+
+## Troubleshooting
+
+If Quality Gate fails because coverage is too low:
+
+- confirm `frontend/coverage/lcov.info` exists;
+- confirm `backend/target/site/jacoco/jacoco.xml` exists;
+- confirm the scanner ran from the repository root;
+- confirm `sonar-project.properties` was used;
+- confirm online CI did not skip tests before scanning.
+
+If Quality Gate fails because of New Code issues:
+
+- check the project key in the SonarQube URL;
+- check whether the failing project is `cloud-native` or a standalone project;
+- inspect the New Code baseline;
+- fix low-risk issues directly;
+- avoid broad source exclusions for real product logic.
+
+If online results differ from local results:
+
+- compare SonarQube server version;
+- compare quality profile and quality gate settings;
+- compare New Code definition;
+- compare scanner command and working directory;
+- compare generated coverage report paths;
+- verify that no token or project key from local testing was hard-coded.
diff --git a/frontend/package-lock.json b/frontend/package-lock.json
index 4387611..703cf8c 100644
--- a/frontend/package-lock.json
+++ b/frontend/package-lock.json
@@ -4337,9 +4337,9 @@
       }
     },
     "node_modules/ws": {
-      "version": "8.20.0",
-      "resolved": "https://registry.npmjs.org/ws/-/ws-8.20.0.tgz",
-      "integrity": "sha512-sAt8BhgNbzCtgGbt2OxmpuryO63ZoDk/sqaB/znQm94T4fCEsy/yV+7CdC1kJhOU9lboAEU7R3kquuycDoibVA==",
+      "version": "8.21.0",
+      "resolved": "https://registry.npmjs.org/ws/-/ws-8.21.0.tgz",
+      "integrity": "sha512-Vsp28b7DRcimFQvrqu2Wek3z1iYxDCWqHYB8Qsnk/S4RfaCQzPGPyBNuVjJV3cd6UiKtUtp6sNM77gWvzcCH+g==",
       "dev": true,
       "license": "MIT",
       "engines": {
diff --git a/frontend/src/PrototypeUI.jsx b/frontend/src/PrototypeUI.jsx
index 0c5feba..1a5a08b 100644
--- a/frontend/src/PrototypeUI.jsx
+++ b/frontend/src/PrototypeUI.jsx
@@ -7,9 +7,12 @@ import { useAutoDismiss } from './hooks/useAutoDismiss.js';
 import { fetchConfigurations } from './api/configurations.js';
 import {
   createTemplate,
+  createTemplateType,
+  deleteTemplateType,
   fetchTemplateImpact,
   fetchTemplateTypes,
   fetchTemplates,
+  updateTemplateType,
 } from './api/templates.js';
 import { createChangeRequest } from './api/changeRequests.js';
 import {
@@ -243,6 +246,28 @@ export default function PrototypeUI() {
     return created;
   };
 
+  const handleCreateTemplateType = async (payload) => {
+    const created = await createTemplateType(payload, token);
+    setTemplateTypes((current) => [...current, created].sort((left, right) => left.name.localeCompare(right.name)));
+    setNotification(`Template type "${created.name}" created.`);
+    return created;
+  };
+
+  const handleUpdateTemplateType = async (id, payload) => {
+    const updated = await updateTemplateType(id, payload, token);
+    setTemplateTypes((current) => current
+      .map((type) => (type.id === updated.id ? updated : type))
+      .sort((left, right) => left.name.localeCompare(right.name)));
+    setNotification(`Template type "${updated.name}" updated.`);
+    return updated;
+  };
+
+  const handleDeleteTemplateType = async (templateType) => {
+    await deleteTemplateType(templateType.id, token);
+    setTemplateTypes((current) => current.filter((type) => type.id !== templateType.id));
+    setNotification(`Template type "${templateType.name}" deleted.`);
+  };
+
   const handleUpdateTemplate = async (payload) => {
     const changeRequest = await createChangeRequest(
       {
@@ -397,7 +422,9 @@ export default function PrototypeUI() {
   };
 
   const handleChangeSubmit = ({ keyName, from, to, affectedProjects, pinnedScopes }) => {
-    const crId = `CR-${Math.floor(Math.random() * 900) + 200}`;
+    const randomValues = new Uint32Array(1);
+    crypto.getRandomValues(randomValues);
+    const crId = `CR-${(randomValues[0] % 900) + 200}`;
     setImpactKey(null);
     setNotification(
       `${crId} created — ${keyName} will change ${from || '—'} → ${to || '—'} across ${affectedProjects} project${
@@ -451,6 +478,9 @@ export default function PrototypeUI() {
                 onCreateTemplate={handleCreateTemplate}
                 onUpdateTemplate={handleUpdateTemplate}
                 onDeleteTemplate={handleDeleteTemplate}
+                onCreateTemplateType={handleCreateTemplateType}
+                onUpdateTemplateType={handleUpdateTemplateType}
+                onDeleteTemplateType={handleDeleteTemplateType}
                 onCreateProject={handleCreateProject}
                 onCloneProject={handleCloneProject}
                 onUpdateProject={handleUpdateProject}
@@ -520,6 +550,9 @@ function PageRouter({
   onCreateTemplate,
   onUpdateTemplate,
   onDeleteTemplate,
+  onCreateTemplateType,
+  onUpdateTemplateType,
+  onDeleteTemplateType,
   onCreateProject,
   onCloneProject,
   onUpdateProject,
@@ -579,6 +612,9 @@ function PageRouter({
           onCreateTemplate={onCreateTemplate}
           onUpdateTemplate={onUpdateTemplate}
           onDeleteTemplate={onDeleteTemplate}
+          onCreateTemplateType={onCreateTemplateType}
+          onUpdateTemplateType={onUpdateTemplateType}
+          onDeleteTemplateType={onDeleteTemplateType}
           templateTypes={templateTypes}
           templateTypesError={templateTypesError}
           projects={projects}
@@ -609,6 +645,9 @@ function PageRouter({
           onUpdateProject={onUpdateProject}
           onDeleteProject={onDeleteProject}
           onUpdateProjectTemplates={onUpdateProjectTemplates}
+          onUpdateTemplate={onUpdateTemplate}
+          onDeleteTemplate={onDeleteTemplate}
+          onFetchTemplateImpact={fetchTemplateImpact}
           onAddProjectScope={onAddProjectScope}
           onRemoveProjectScope={onRemoveProjectScope}
           onCreateOverrideRequest={onCreateOverrideRequest}
diff --git a/frontend/src/api/templates.js b/frontend/src/api/templates.js
index 042cf58..e0ccba2 100644
--- a/frontend/src/api/templates.js
+++ b/frontend/src/api/templates.js
@@ -70,6 +70,24 @@ export async function createTemplateType({ code, name, description }, token) {
   });
 }
 
+export async function updateTemplateType(id, { name, description }, token) {
+  return httpRequest(`/api/template-types/${id}`, {
+    method: 'PUT',
+    token,
+    headers: {
+      Accept: 'application/json',
+    },
+    body: { name, description },
+  });
+}
+
+export async function deleteTemplateType(id, token) {
+  return httpRequest(`/api/template-types/${id}`, {
+    method: 'DELETE',
+    token,
+  });
+}
+
 function formatLabel(format) {
   return String(format ?? '').toUpperCase();
 }
diff --git a/frontend/src/components/ConfigImportModal.jsx b/frontend/src/components/ConfigImportModal.jsx
index c891955..64bf1fa 100644
--- a/frontend/src/components/ConfigImportModal.jsx
+++ b/frontend/src/components/ConfigImportModal.jsx
@@ -143,9 +143,9 @@ export function ConfigImportModal({ scope, onSubmit, onClose }) {
 function ScopeDisplay({ scope }) {
   return (
     <div className="rounded-lg border border-indigo-100 bg-indigo-50/40 p-3">
-      <label className="text-[10px] font-bold text-indigo-500 uppercase tracking-widest block mb-2">
+      <p className="text-[10px] font-bold text-indigo-500 uppercase tracking-widest block mb-2">
         Target Scope
-      </label>
+      </p>
       <div className="flex flex-wrap items-center gap-2 text-sm">
         <span className="inline-flex items-center gap-1.5 text-slate-700">
           <FolderTree size={13} className="text-slate-400" /> {scope.project}
@@ -178,16 +178,17 @@ function FileDropzone({ file, inputRef, onSelect }) {
   };
   return (
     <div>
-      <label className="text-[10px] font-bold text-slate-400 uppercase tracking-widest block mb-2">
+      <p className="text-[10px] font-bold text-slate-400 uppercase tracking-widest block mb-2">
         1. Source File
-      </label>
-      <div
+      </p>
+      <label
+        htmlFor="config-import-source-file"
         onDrop={onDrop}
         onDragOver={(event) => event.preventDefault()}
-        onClick={() => inputRef.current?.click()}
-        className="border-2 border-dashed border-slate-200 rounded-lg p-6 text-center cursor-pointer hover:bg-slate-50 transition-colors"
+        className="block border-2 border-dashed border-slate-200 rounded-lg p-6 text-center cursor-pointer hover:bg-slate-50 transition-colors"
       >
         <input
+          id="config-import-source-file"
           ref={inputRef}
           type="file"
           accept=".yaml,.yml,.properties,.env,text/plain"
@@ -203,7 +204,7 @@ function FileDropzone({ file, inputRef, onSelect }) {
             <p className="text-[11px] text-slate-400 mt-1">Supports .yaml .yml .properties .env</p>
           </>
         )}
-      </div>
+      </label>
     </div>
   );
 }
@@ -211,9 +212,9 @@ function FileDropzone({ file, inputRef, onSelect }) {
 function FormatPicker({ format, onChange, disabled }) {
   return (
     <div>
-      <label className="text-[10px] font-bold text-slate-400 uppercase tracking-widest block mb-2">
+      <p className="text-[10px] font-bold text-slate-400 uppercase tracking-widest block mb-2">
         2. Format
-      </label>
+      </p>
       <div className="grid grid-cols-3 gap-2">
         {FORMATS.map((option) => (
           <button
@@ -249,9 +250,9 @@ function PreviewPanel({ file, keys, error }) {
   return (
     <div>
       <div className="flex items-center justify-between mb-2">
-        <label className="text-[10px] font-bold text-slate-400 uppercase tracking-widest">
+        <p className="text-[10px] font-bold text-slate-400 uppercase tracking-widest">
           3. Detected Keys
-        </label>
+        </p>
         <span className="text-[11px] font-semibold text-indigo-700 bg-indigo-50 px-2 py-0.5 rounded">
           {keys.length} total
         </span>
diff --git a/frontend/src/features/auth/components/RoleSelectionForm.jsx b/frontend/src/features/auth/components/RoleSelectionForm.jsx
index 9b4f4d6..facc4b9 100644
--- a/frontend/src/features/auth/components/RoleSelectionForm.jsx
+++ b/frontend/src/features/auth/components/RoleSelectionForm.jsx
@@ -37,7 +37,7 @@ export function RoleSelectionForm({ value, onChange, errorMessage }) {
   return (
     <div className="space-y-3">
       <div className="flex items-center justify-between">
-        <label className="text-sm font-medium text-slate-700">Role Selections</label>
+        <p className="text-sm font-medium text-slate-700">Role Selections</p>
         <button
           type="button"
           onClick={addRow}
@@ -57,8 +57,9 @@ export function RoleSelectionForm({ value, onChange, errorMessage }) {
           <div key={`${row.role}-${index}`} className="rounded-lg border border-slate-200 p-3 space-y-3 bg-slate-50/70">
               <div className="grid grid-cols-1 md:grid-cols-3 gap-3">
                 <div className="space-y-1">
-                  <label className="text-xs font-medium text-slate-600">Role</label>
+                  <label htmlFor={`role-selection-${index}-role`} className="text-xs font-medium text-slate-600">Role</label>
                   <select
+                    id={`role-selection-${index}-role`}
                     value={row.role}
                     onChange={(event) => updateRow(index, { role: event.target.value })}
                     className="w-full rounded-md border border-slate-300 px-3 py-2 text-sm bg-white"
@@ -72,8 +73,9 @@ export function RoleSelectionForm({ value, onChange, errorMessage }) {
                 </div>
 
                 <div className="space-y-1">
-                  <label className="text-xs font-medium text-slate-600">Project ID (optional)</label>
+                  <label htmlFor={`role-selection-${index}-project`} className="text-xs font-medium text-slate-600">Project ID (optional)</label>
                   <input
+                    id={`role-selection-${index}-project`}
                     type="text"
                     value={row.projectId}
                     placeholder="Leave blank to apply this role to all projects"
@@ -83,8 +85,9 @@ export function RoleSelectionForm({ value, onChange, errorMessage }) {
                 </div>
 
                 <div className="space-y-1">
-                  <label className="text-xs font-medium text-slate-600">Scope ID (optional)</label>
+                  <label htmlFor={`role-selection-${index}-scope`} className="text-xs font-medium text-slate-600">Scope ID (optional)</label>
                   <input
+                    id={`role-selection-${index}-scope`}
                     type="text"
                     value={row.scopeId}
                     placeholder="Leave blank to apply this role to all scopes"
diff --git a/frontend/src/features/auth/context/AuthProvider.jsx b/frontend/src/features/auth/context/AuthProvider.jsx
index 39ef5ab..7567f31 100644
--- a/frontend/src/features/auth/context/AuthProvider.jsx
+++ b/frontend/src/features/auth/context/AuthProvider.jsx
@@ -180,7 +180,9 @@ export function AuthProvider({ children }) {
 
     const stored = readStoredSession();
     if (!stored?.token) {
-      setState(unauthenticatedState());
+      setState((current) => (
+        current.status === 'loading' ? unauthenticatedState() : current
+      ));
       return () => {
         isCancelled = true;
       };
diff --git a/frontend/src/pages/Dashboard.jsx b/frontend/src/pages/Dashboard.jsx
index 30ccdbe..af06659 100644
--- a/frontend/src/pages/Dashboard.jsx
+++ b/frontend/src/pages/Dashboard.jsx
@@ -197,12 +197,14 @@ export function Dashboard({ onNavigate, onOpenRequests, token }) {
             <div
               key={tile.page}
               className="relative"
-              onMouseEnter={() => setHoveredTile(tile.page)}
-              onMouseLeave={() => setHoveredTile(null)}
             >
               <button
                 type="button"
                 onClick={handleClick}
+                onMouseEnter={() => setHoveredTile(tile.page)}
+                onMouseLeave={() => setHoveredTile(null)}
+                onFocus={() => setHoveredTile(tile.page)}
+                onBlur={() => setHoveredTile(null)}
                 className="w-full text-left bg-white border border-slate-200 rounded-xl shadow-sm px-4 py-4 hover:border-indigo-300 hover:shadow transition"
               >
                 <div className="flex items-center gap-2 text-slate-500">
diff --git a/frontend/src/pages/Export.jsx b/frontend/src/pages/Export.jsx
index 86ec898..25a4bf0 100644
--- a/frontend/src/pages/Export.jsx
+++ b/frontend/src/pages/Export.jsx
@@ -211,7 +211,7 @@ function ExportContextFields({
 
   return (
     <div>
-      <label className="text-[10px] font-bold text-slate-400 uppercase mb-2 block">1. Selection Context</label>
+      <p className="text-[10px] font-bold text-slate-400 uppercase mb-2 block">1. Selection Context</p>
       <div className="space-y-4">
         <Field
           label="Project"
@@ -262,7 +262,7 @@ function Field({ label, value, options, onChange, placeholder, accent = false })
 function ExportFormatPicker({ format, onChange }) {
   return (
     <div>
-      <label className="text-[10px] font-bold text-slate-400 uppercase mb-2 block">2. Output Format</label>
+      <p className="text-[10px] font-bold text-slate-400 uppercase mb-2 block">2. Output Format</p>
       <div className="grid grid-cols-2 sm:grid-cols-3 gap-2">
         {FORMATS.map((option) => (
           <button
diff --git a/frontend/src/pages/Projects.jsx b/frontend/src/pages/Projects.jsx
index 3837edc..f3038f5 100644
--- a/frontend/src/pages/Projects.jsx
+++ b/frontend/src/pages/Projects.jsx
@@ -24,6 +24,7 @@ import { fetchProjectScopeConfig } from '../api/projects.js';
 import { configRows } from '../data/configs.js';
 import { formatConfigContent, formatParsedContent } from '../lib/formatConfigContent.js';
 import { overridesAtScope } from '../lib/scope.js';
+import { TemplateChangeRequestModal, TemplateDetailModal, TemplateFormModal } from './Templates.jsx';
 import scrollbar from '../styles/scrollbar.module.css';
 
 function inheritedAtScope(project) {
@@ -52,6 +53,9 @@ export function Projects({
   onUpdateProject,
   onDeleteProject,
   onUpdateProjectTemplates,
+  onUpdateTemplate,
+  onDeleteTemplate,
+  onFetchTemplateImpact,
   onAddProjectScope,
   onRemoveProjectScope,
   onCreateOverrideRequest,
@@ -73,6 +77,14 @@ export function Projects({
   const [scopeConfigError, setScopeConfigError] = useState(null);
   const [cloneDraft, setCloneDraft] = useState(null);
   const [viewingTemplate, setViewingTemplate] = useState(null);
+  const [templateActiveTab, setTemplateActiveTab] = useState('definition');
+  const [editingTemplate, setEditingTemplate] = useState(null);
+  const [templateChangeRequestDraft, setTemplateChangeRequestDraft] = useState(null);
+  const [templateActionError, setTemplateActionError] = useState(null);
+  const [deletingTemplateId, setDeletingTemplateId] = useState(null);
+  const [impactByTemplateId, setImpactByTemplateId] = useState({});
+  const [impactLoadingId, setImpactLoadingId] = useState(null);
+  const [impactErrorByTemplateId, setImpactErrorByTemplateId] = useState({});
   const [editingProject, setEditingProject] = useState(null);
   const [deletingProject, setDeletingProject] = useState(null);
   const [editingTemplatesFor, setEditingTemplatesFor] = useState(null);
@@ -102,6 +114,38 @@ export function Projects({
   const selectedScope = factoryScopes.find(
     (item) => item.siteName === selectedSiteName && item.environmentName === selectedEnvName,
   ) ?? null;
+  const selectedProjectTemplate = viewingTemplate
+    ? normalizeProjectTemplateForModal(viewingTemplate, templates)
+    : null;
+
+  useEffect(() => {
+    if (!selectedProjectTemplate?.id || templateActiveTab !== 'impact' || !onFetchTemplateImpact) return;
+    if (impactByTemplateId[selectedProjectTemplate.id]) return;
+
+    let cancelled = false;
+    setImpactLoadingId(selectedProjectTemplate.id);
+    setImpactErrorByTemplateId((current) => ({ ...current, [selectedProjectTemplate.id]: null }));
+
+    onFetchTemplateImpact(selectedProjectTemplate.id, token)
+      .then((impact) => {
+        if (cancelled) return;
+        setImpactByTemplateId((current) => ({ ...current, [selectedProjectTemplate.id]: impact }));
+      })
+      .catch((error) => {
+        if (cancelled) return;
+        setImpactErrorByTemplateId((current) => ({
+          ...current,
+          [selectedProjectTemplate.id]: error.message ?? 'Failed to load template impact.',
+        }));
+      })
+      .finally(() => {
+        if (!cancelled) setImpactLoadingId(null);
+      });
+
+    return () => {
+      cancelled = true;
+    };
+  }, [impactByTemplateId, onFetchTemplateImpact, selectedProjectTemplate?.id, templateActiveTab, token]);
 
   useEffect(() => {
     if (selectedProjectName && !projects.some((project) => project.name === selectedProjectName)) {
@@ -287,6 +331,64 @@ export function Projects({
     setShowClone(false);
   };
 
+  const handleOpenProjectTemplate = (template) => {
+    setViewingTemplate(template);
+    setTemplateActiveTab('definition');
+    setTemplateActionError(null);
+  };
+
+  const handleEditProjectTemplate = () => {
+    if (!selectedProjectTemplate) return;
+    setTemplateActionError(null);
+    setEditingTemplate(selectedProjectTemplate);
+  };
+
+  const handleDeleteProjectTemplate = () => {
+    if (!selectedProjectTemplate || !onDeleteTemplate || deletingTemplateId) return;
+    setTemplateActionError(null);
+    setTemplateChangeRequestDraft({
+      action: 'delete',
+      template: selectedProjectTemplate,
+      payload: null,
+    });
+  };
+
+  const handleSubmitTemplateEdit = async (templateUpdate) => {
+    setTemplateActionError(null);
+    setEditingTemplate(null);
+    setTemplateChangeRequestDraft({
+      action: 'update',
+      template: selectedProjectTemplate,
+      payload: templateUpdate,
+    });
+    return templateUpdate;
+  };
+
+  const submitTemplateChangeRequest = async ({ reason }) => {
+    if (!templateChangeRequestDraft) return null;
+    const { action, template, payload } = templateChangeRequestDraft;
+    setTemplateActionError(null);
+    if (action === 'delete') {
+      setDeletingTemplateId(template.id);
+    }
+
+    try {
+      const result = action === 'delete'
+        ? await onDeleteTemplate(template, reason)
+        : await onUpdateTemplate({ ...payload, reason });
+      setTemplateChangeRequestDraft(null);
+      setViewingTemplate(null);
+      return result;
+    } catch (error) {
+      setTemplateActionError(error.message ?? 'Failed to open template change request.');
+      throw error;
+    } finally {
+      if (action === 'delete') {
+        setDeletingTemplateId(null);
+      }
+    }
+  };
+
   return (
     <div className="space-y-6 relative">
       <SectionHeader
@@ -437,7 +539,7 @@ export function Projects({
               loading={scopeConfigLoading}
               error={scopeConfigError}
               token={token}
-              onViewTemplate={setViewingTemplate}
+              onViewTemplate={handleOpenProjectTemplate}
               canOverride={canCreateProject}
               onCreateOverrideRequest={onCreateOverrideRequest}
             />
@@ -456,10 +558,44 @@ export function Projects({
       </div>
 
       <AnimatePresence>
-        {viewingTemplate ? (
-          <ProjectTemplateViewModal
-            template={viewingTemplate}
+        {selectedProjectTemplate ? (
+          <TemplateDetailModal
+            template={selectedProjectTemplate}
+            projects={projects}
+            activeTab={templateActiveTab}
+            onTabChange={setTemplateActiveTab}
             onClose={() => setViewingTemplate(null)}
+            onEdit={handleEditProjectTemplate}
+            onDelete={handleDeleteProjectTemplate}
+            onOpenImpact={onOpenImpact}
+            onProposeChange={onProposeChange}
+            canManageTemplate={canCreateProject && Boolean(onUpdateTemplate)}
+            actionError={templateActionError}
+            deleting={deletingTemplateId === selectedProjectTemplate.id}
+            exactImpact={impactByTemplateId[selectedProjectTemplate.id]}
+            impactLoading={impactLoadingId === selectedProjectTemplate.id}
+            impactError={impactErrorByTemplateId[selectedProjectTemplate.id]}
+          />
+        ) : null}
+
+        {editingTemplate && canCreateProject && onUpdateTemplate ? (
+          <TemplateFormModal
+            mode="edit"
+            initialTemplate={editingTemplate}
+            onClose={() => {
+              setTemplateActionError(null);
+              setEditingTemplate(null);
+            }}
+            onSubmit={handleSubmitTemplateEdit}
+            templateTypes={templateTypes}
+          />
+        ) : null}
+
+        {templateChangeRequestDraft ? (
+          <TemplateChangeRequestModal
+            draft={templateChangeRequestDraft}
+            onClose={() => setTemplateChangeRequestDraft(null)}
+            onSubmit={submitTemplateChangeRequest}
           />
         ) : null}
 
@@ -1488,6 +1624,47 @@ function parseConfigPath(path) {
     ));
 }
 
+function normalizeProjectTemplateForModal(section, templates = []) {
+  const templateId = section.templateId ?? section.id;
+  const sourceTemplate = templates.find((template) => template.id === templateId) ?? {};
+  const rawKeys = section.keys ?? sourceTemplate.keys ?? (section.keyPaths ?? sourceTemplate.keyPaths ?? []).map((key) => ({
+    key,
+    defaultValue: getValueAtPath(section.parsedContent ?? sourceTemplate.parsedContent, key),
+  }));
+  const keys = rawKeys.map((item) => ({
+    key: item.key,
+    defaultValue: item.effectiveValue ?? item.defaultValue ?? item.baseValue ?? '-',
+    effectiveValue: item.effectiveValue ?? item.defaultValue ?? item.baseValue ?? '-',
+    baseValue: item.baseValue ?? getValueAtPath(section.parsedContent ?? sourceTemplate.parsedContent, item.key),
+    overrideValue: item.overrideValue ?? null,
+    rawOverrideValue: item.rawOverrideValue,
+    overridden: Boolean(item.overridden),
+    overridable: item.overridable ?? true,
+  }));
+
+  return {
+    ...sourceTemplate,
+    ...section,
+    id: templateId,
+    name: section.templateName ?? sourceTemplate.name ?? 'Selected template',
+    templateName: section.templateName ?? sourceTemplate.name,
+    format: section.format ?? sourceTemplate.format,
+    status: section.status ?? sourceTemplate.status ?? 'active',
+    version: section.version ?? sourceTemplate.version ?? 1,
+    updatedAt: section.updatedAt ?? sourceTemplate.updatedAt,
+    rawContent: section.rawContent ?? sourceTemplate.rawContent ?? '',
+    parsedContent: section.parsedContent ?? sourceTemplate.parsedContent ?? {},
+    keyPaths: section.keyPaths ?? sourceTemplate.keyPaths ?? keys.map((item) => item.key),
+    keys,
+    keysCount: keys.length,
+    templateType: section.templateType ?? sourceTemplate.templateType,
+    description: sourceTemplate.description ?? [
+      section.cloneSource ? `Source scope: ${section.cloneSource.siteName} / ${section.cloneSource.environmentName}` : null,
+      section.priority === undefined ? null : `Priority ${section.priority}`,
+    ].filter(Boolean).join(' · '),
+  };
+}
+
 function buildTemplateModalKeys(template) {
   const baseKeys = template.keys ?? (template.keyPaths ?? []).map((key) => ({
     key,
@@ -1529,7 +1706,7 @@ function getValueAtPath(root, path) {
   if (!root || !path) return '-';
   let current = root;
   for (const segment of parseConfigPath(path)) {
-    current = typeof segment === 'number' ? current?.[segment] : current?.[segment];
+    current = current?.[segment];
     if (current === undefined || current === null) return '-';
   }
   return formatProjectValue(current);
@@ -3660,3 +3837,33 @@ function AddScopeModal({ project, sites, environments, mutating, onClose, onSubm
     </ModalShell>
   );
 }
+
+const optionalProjectProp = () => null;
+
+Projects.propTypes = {
+  projects: optionalProjectProp,
+  setProjects: optionalProjectProp,
+  templates: optionalProjectProp,
+  setTemplates: optionalProjectProp,
+  setNotification: optionalProjectProp,
+  onOpenImpact: optionalProjectProp,
+  onProposeChange: optionalProjectProp,
+  canCreateProject: optionalProjectProp,
+  loading: optionalProjectProp,
+  error: optionalProjectProp,
+  onCreateProject: optionalProjectProp,
+  onCloneProject: optionalProjectProp,
+  onUpdateProject: optionalProjectProp,
+  onDeleteProject: optionalProjectProp,
+  onUpdateProjectTemplates: optionalProjectProp,
+  onUpdateTemplate: optionalProjectProp,
+  onDeleteTemplate: optionalProjectProp,
+  onFetchTemplateImpact: optionalProjectProp,
+  onAddProjectScope: optionalProjectProp,
+  onRemoveProjectScope: optionalProjectProp,
+  onCreateOverrideRequest: optionalProjectProp,
+  sites: optionalProjectProp,
+  environments: optionalProjectProp,
+  templateTypes: optionalProjectProp,
+  token: optionalProjectProp,
+};
diff --git a/frontend/src/pages/Templates.jsx b/frontend/src/pages/Templates.jsx
index 3b8fd77..d625c56 100644
--- a/frontend/src/pages/Templates.jsx
+++ b/frontend/src/pages/Templates.jsx
@@ -39,6 +39,9 @@ export function Templates({
   onCreateTemplate,
   onUpdateTemplate,
   onDeleteTemplate,
+  onCreateTemplateType,
+  onUpdateTemplateType,
+  onDeleteTemplateType,
   setNotification,
   onOpenImpact,
   onProposeChange,
@@ -50,6 +53,7 @@ export function Templates({
   const [activeTab, setActiveTab] = useState('definition');
   const [showCreate, setShowCreate] = useState(false);
   const [showImport, setShowImport] = useState(false);
+  const [showManageTypes, setShowManageTypes] = useState(false);
   const [editingTemplate, setEditingTemplate] = useState(null);
   const [applyingTemplate, setApplyingTemplate] = useState(null);
   const [query, setQuery] = useState('');
@@ -146,6 +150,31 @@ export function Templates({
     setShowCreate(false);
   };
 
+  const handleCreateTemplateType = async (payload) => {
+    const created = await onCreateTemplateType(payload);
+    const createdId = getTemplateTypeId(created);
+    if (createdId) {
+      setTypeFilter(createdId);
+    }
+    return created;
+  };
+
+  const handleUpdateTemplateType = async (type, payload) => {
+    const updated = await onUpdateTemplateType(type.id, payload);
+    const updatedId = getTemplateTypeId(updated);
+    if (typeFilter === getTemplateTypeId(type) && updatedId) {
+      setTypeFilter(updatedId);
+    }
+    return updated;
+  };
+
+  const handleDeleteTemplateType = async (type) => {
+    await onDeleteTemplateType(type);
+    if (typeFilter === getTemplateTypeId(type)) {
+      setTypeFilter('all');
+    }
+  };
+
   const handleUpdate = async (templateUpdate) => {
     setTemplateActionError(null);
     setEditingTemplate(null);
@@ -256,14 +285,24 @@ export function Templates({
       />
 
       <Card className="mb-4 overflow-hidden">
-        <div className="px-4 py-3 border-b border-slate-100 bg-slate-50">
-          <p className="text-[10px] font-bold text-indigo-500 uppercase tracking-widest">
-            Step 1
-          </p>
-          <h3 className="text-sm font-bold text-slate-900 mt-1">Choose Template Type</h3>
-          <p className="text-xs text-slate-500 mt-1">
-            Each type represents one config component. Pick a type to see the value variants that belong to it.
-          </p>
+        <div className="px-4 py-3 border-b border-slate-100 bg-slate-50 flex items-start justify-between gap-4">
+          <div>
+            <p className="text-[10px] font-bold text-indigo-500 uppercase tracking-widest">
+              Step 1
+            </p>
+            <h3 className="text-sm font-bold text-slate-900 mt-1">Choose Template Type</h3>
+            <p className="text-xs text-slate-500 mt-1">
+              Each type represents one config component. Pick a type to see the value variants that belong to it.
+            </p>
+          </div>
+          <button
+            type="button"
+            onClick={() => setShowManageTypes(true)}
+            disabled={!canCreateTemplate || !onCreateTemplateType || !onUpdateTemplateType || !onDeleteTemplateType}
+            className="shrink-0 px-3 py-2 rounded-lg border border-slate-200 bg-white text-xs font-bold text-slate-600 hover:bg-slate-50 disabled:opacity-50 disabled:cursor-not-allowed flex items-center gap-2"
+          >
+            <Edit3 size={14} /> Manage Types
+          </button>
         </div>
         <div className="p-3 grid grid-cols-1 sm:grid-cols-2 xl:grid-cols-4 gap-2">
           <TemplateTypeCard
@@ -420,6 +459,19 @@ export function Templates({
         ) : null}
       </AnimatePresence>
 
+      <AnimatePresence>
+        {showManageTypes && canCreateTemplate ? (
+          <TemplateTypeManagementModal
+            templateTypes={templateTypes}
+            templates={templates}
+            onClose={() => setShowManageTypes(false)}
+            onCreate={handleCreateTemplateType}
+            onUpdate={handleUpdateTemplateType}
+            onDelete={handleDeleteTemplateType}
+          />
+        ) : null}
+      </AnimatePresence>
+
       <AnimatePresence>
         {showCreate && canCreateTemplate ? (
           <CreateTemplateModal
@@ -481,6 +533,252 @@ export function Templates({
   );
 }
 
+function TemplateTypeManagementModal({ templateTypes, templates, onClose, onCreate, onUpdate, onDelete }) {
+  const [createDraft, setCreateDraft] = useState({ name: '', description: '' });
+  const [editingId, setEditingId] = useState(null);
+  const [editDraft, setEditDraft] = useState({ name: '', description: '' });
+  const [pendingAction, setPendingAction] = useState('');
+  const [error, setError] = useState('');
+
+  const usageByTypeId = useMemo(() => {
+    const counts = new Map();
+    templates.forEach((template) => {
+      const id = getTemplateTypeId(template.templateType);
+      if (!id) return;
+      counts.set(id, (counts.get(id) ?? 0) + 1);
+    });
+    return counts;
+  }, [templates]);
+
+  const updateCreateDraft = (field, value) => {
+    setCreateDraft((current) => ({ ...current, [field]: value }));
+    setError('');
+  };
+
+  const submitCreate = async () => {
+    const payload = {
+      code: uniqueTemplateTypeCode(createDraft.name, templateTypes),
+      name: createDraft.name.trim(),
+      description: createDraft.description.trim(),
+    };
+    if (!payload.name) {
+      setError('Name is required.');
+      return;
+    }
+    if (!payload.code) {
+      setError('Name must contain at least one letter or number.');
+      return;
+    }
+
+    setPendingAction('create');
+    setError('');
+    try {
+      await onCreate(payload);
+      setCreateDraft({ name: '', description: '' });
+    } catch (createError) {
+      setError(createError.message ?? 'Failed to create template type.');
+    } finally {
+      setPendingAction('');
+    }
+  };
+
+  const startEdit = (type) => {
+    setEditingId(type.id);
+    setEditDraft({ name: type.name ?? '', description: type.description ?? '' });
+    setError('');
+  };
+
+  const submitEdit = async (type) => {
+    const payload = {
+      name: editDraft.name.trim(),
+      description: editDraft.description.trim(),
+    };
+    if (!payload.name) {
+      setError('Name is required.');
+      return;
+    }
+
+    setPendingAction(`edit:${type.id}`);
+    setError('');
+    try {
+      await onUpdate(type, payload);
+      setEditingId(null);
+    } catch (updateError) {
+      setError(updateError.message ?? 'Failed to update template type.');
+    } finally {
+      setPendingAction('');
+    }
+  };
+
+  const submitDelete = async (type) => {
+    setPendingAction(`delete:${type.id}`);
+    setError('');
+    try {
+      await onDelete(type);
+    } catch (deleteError) {
+      setError(deleteError.message ?? 'Failed to delete template type.');
+    } finally {
+      setPendingAction('');
+    }
+  };
+
+  return (
+    <>
+      <motion.div
+        initial={{ opacity: 0 }}
+        animate={{ opacity: 1 }}
+        exit={{ opacity: 0 }}
+        onClick={onClose}
+        className="fixed inset-0 bg-slate-900/40 backdrop-blur-sm z-40"
+      />
+      <motion.div
+        initial={{ opacity: 0, y: 20, scale: 0.97 }}
+        animate={{ opacity: 1, y: 0, scale: 1 }}
+        exit={{ opacity: 0, y: 20, scale: 0.97 }}
+        transition={{ type: 'spring', damping: 28, stiffness: 260 }}
+        className="fixed inset-x-0 top-[6vh] mx-auto w-[min(900px,94vw)] max-h-[88vh] bg-white rounded-2xl shadow-2xl z-50 flex flex-col overflow-hidden"
+      >
+        <div className="px-6 py-4 border-b border-slate-100 flex items-start justify-between gap-4">
+          <div>
+            <h3 className="font-bold text-slate-900">Manage Template Types</h3>
+            <p className="text-xs text-slate-500 mt-1">
+              Create categories, rename descriptions, and delete unused types.
+            </p>
+          </div>
+          <button onClick={onClose} className="p-1.5 hover:bg-slate-100 rounded-md">
+            <X size={18} className="text-slate-400" />
+          </button>
+        </div>
+
+        <div className={`flex-1 overflow-y-auto p-6 space-y-5 ${scrollbar.scrollbar}`}>
+          <section className="rounded-lg border border-slate-200 bg-slate-50/60 p-4 space-y-3">
+            <div>
+              <p className="text-sm font-bold text-slate-900">Create Type</p>
+              <p className="text-xs text-slate-500 mt-1">A stable code is generated once from the name.</p>
+            </div>
+            <input
+              value={createDraft.name}
+              onChange={(event) => updateCreateDraft('name', event.target.value)}
+              placeholder="Type name"
+              className="w-full px-3 py-2 rounded-lg border border-slate-200 text-sm focus:ring-2 focus:ring-indigo-500/20 focus:outline-none"
+            />
+            <textarea
+              value={createDraft.description}
+              onChange={(event) => updateCreateDraft('description', event.target.value)}
+              placeholder="Description"
+              rows={2}
+              className="w-full px-3 py-2 rounded-lg border border-slate-200 text-sm focus:ring-2 focus:ring-indigo-500/20 focus:outline-none resize-none"
+            />
+            <div className="flex justify-end">
+              <button
+                type="button"
+                onClick={submitCreate}
+                disabled={pendingAction === 'create'}
+                className="px-4 py-2 rounded-lg text-sm font-bold bg-indigo-600 text-white hover:bg-indigo-700 disabled:opacity-50 flex items-center gap-2"
+              >
+                <Plus size={14} /> {pendingAction === 'create' ? 'Creating...' : 'Create Type'}
+              </button>
+            </div>
+          </section>
+
+          <section className="rounded-lg border border-slate-200 overflow-hidden">
+            <div className="px-4 py-3 border-b border-slate-100 bg-white flex items-center justify-between">
+              <p className="text-sm font-bold text-slate-900">Existing Types</p>
+              <Badge variant="blue">{templateTypes.length} types</Badge>
+            </div>
+            <div className="divide-y divide-slate-100">
+              {templateTypes.length === 0 ? (
+                <p className="px-4 py-8 text-center text-sm text-slate-400">No template types yet.</p>
+              ) : null}
+              {templateTypes.map((type) => {
+                const usageCount = usageByTypeId.get(getTemplateTypeId(type)) ?? 0;
+                const isEditing = editingId === type.id;
+                const deleteDisabled = usageCount > 0 || pendingAction === `delete:${type.id}`;
+                return (
+                  <div key={type.id} className="p-4 space-y-3">
+                    <div className="flex items-start justify-between gap-4">
+                      <div className="min-w-0">
+                        <div className="flex flex-wrap items-center gap-2">
+                          <p className="text-sm font-bold text-slate-900">{type.name}</p>
+                          <Badge variant={usageCount > 0 ? 'green' : 'neutral'}>
+                            {usageCount} template{usageCount === 1 ? '' : 's'}
+                          </Badge>
+                          <span className="text-[11px] font-mono text-slate-400">{type.code}</span>
+                        </div>
+                        <p className="text-xs text-slate-500 mt-1">{type.description || 'No description.'}</p>
+                      </div>
+                      <div className="flex gap-2 shrink-0">
+                        <button
+                          type="button"
+                          onClick={() => startEdit(type)}
+                          className="p-2 rounded-lg border border-slate-200 text-slate-500 hover:text-indigo-600 hover:bg-indigo-50"
+                          title="Edit template type"
+                        >
+                          <Edit3 size={14} />
+                        </button>
+                        <button
+                          type="button"
+                          onClick={() => submitDelete(type)}
+                          disabled={deleteDisabled}
+                          className="p-2 rounded-lg border border-slate-200 text-slate-500 hover:text-rose-600 hover:bg-rose-50 disabled:opacity-40 disabled:cursor-not-allowed"
+                          title={usageCount > 0 ? 'Cannot delete a type that is used by templates' : 'Delete template type'}
+                        >
+                          <Trash2 size={14} />
+                        </button>
+                      </div>
+                    </div>
+                    {usageCount > 0 ? (
+                      <p className="text-[11px] text-slate-400">Delete is disabled while templates use this type.</p>
+                    ) : null}
+                    {isEditing ? (
+                      <div className="rounded-lg border border-indigo-100 bg-indigo-50/50 p-3 space-y-3">
+                        <input
+                          value={editDraft.name}
+                          onChange={(event) => setEditDraft((current) => ({ ...current, name: event.target.value }))}
+                          className="w-full px-3 py-2 rounded-lg border border-slate-200 text-sm focus:ring-2 focus:ring-indigo-500/20 focus:outline-none"
+                        />
+                        <textarea
+                          value={editDraft.description}
+                          onChange={(event) => setEditDraft((current) => ({ ...current, description: event.target.value }))}
+                          rows={2}
+                          className="w-full px-3 py-2 rounded-lg border border-slate-200 text-sm focus:ring-2 focus:ring-indigo-500/20 focus:outline-none resize-none"
+                        />
+                        <div className="flex justify-end gap-2">
+                          <button
+                            type="button"
+                            onClick={() => setEditingId(null)}
+                            className="px-3 py-2 rounded-lg text-xs font-bold text-slate-600 hover:bg-white"
+                          >
+                            Cancel
+                          </button>
+                          <button
+                            type="button"
+                            onClick={() => submitEdit(type)}
+                            disabled={pendingAction === `edit:${type.id}`}
+                            className="px-3 py-2 rounded-lg text-xs font-bold bg-indigo-600 text-white hover:bg-indigo-700 disabled:opacity-50 flex items-center gap-1.5"
+                          >
+                            <Check size={13} /> {pendingAction === `edit:${type.id}` ? 'Saving...' : 'Save'}
+                          </button>
+                        </div>
+                      </div>
+                    ) : null}
+                  </div>
+                );
+              })}
+            </div>
+          </section>
+
+          {error ? (
+            <p className="text-xs text-rose-600 bg-rose-50 border border-rose-100 rounded-lg p-3">
+              {error}
+            </p>
+          ) : null}
+        </div>
+      </motion.div>
+    </>
+  );
+}
+
 function TemplateTypeCard({ active, name, description, count, warningCount, onClick }) {
   return (
     <button
@@ -1167,6 +1465,44 @@ function getTemplateTypeId(type) {
   return id == null ? null : String(id);
 }
 
+function slugifyTemplateTypeCode(name) {
+  const normalized = [];
+  let previousUnderscore = false;
+  for (const character of String(name ?? '').trim().toLowerCase()) {
+    if ((character >= 'a' && character <= 'z') || (character >= '0' && character <= '9')) {
+      normalized.push(character);
+      previousUnderscore = false;
+    } else if (!previousUnderscore) {
+      normalized.push('_');
+      previousUnderscore = true;
+    }
+  }
+  while (normalized[0] === '_') normalized.shift();
+  while (normalized.at(-1) === '_') normalized.pop();
+  return normalized.join('');
+}
+
+function uniqueTemplateTypeCode(name, templateTypes) {
+  const baseCode = slugifyTemplateTypeCode(name);
+  if (!baseCode) return '';
+
+  const usedCodes = new Set(
+    templateTypes
+      .map((type) => String(type.code ?? '').toLowerCase())
+      .filter(Boolean),
+  );
+
+  if (!usedCodes.has(baseCode)) return baseCode;
+
+  let suffix = 2;
+  let candidate = `${baseCode}_${suffix}`;
+  while (usedCodes.has(candidate)) {
+    suffix += 1;
+    candidate = `${baseCode}_${suffix}`;
+  }
+  return candidate;
+}
+
 function buildTemplateImpact(projects, template) {
   const templateId = normalizeId(template.id);
   const templateName = template.name;
diff --git a/frontend/src/pages/Versions.jsx b/frontend/src/pages/Versions.jsx
index 4251419..f59b3a9 100644
--- a/frontend/src/pages/Versions.jsx
+++ b/frontend/src/pages/Versions.jsx
@@ -456,7 +456,9 @@ function Inspector({ session, detailLoading, onNavigate, onClose, onRestore, res
   if (detailLoading && !session) {
     return (
       <>
-        <div
+        <button
+          type="button"
+          aria-label="Close change details"
           onClick={onClose}
           className="fixed inset-0 bg-slate-950/45 backdrop-blur-sm z-[80]"
         />
@@ -471,7 +473,9 @@ function Inspector({ session, detailLoading, onNavigate, onClose, onRestore, res
 
   return (
     <>
-      <div
+      <button
+        type="button"
+        aria-label="Close change details"
         onClick={onClose}
         className="fixed inset-0 bg-slate-950/45 backdrop-blur-sm z-[80]"
       />
diff --git a/frontend/tests/api/exports.test.js b/frontend/tests/api/exports.test.js
index 55f353d..dbc2c44 100644
--- a/frontend/tests/api/exports.test.js
+++ b/frontend/tests/api/exports.test.js
@@ -56,4 +56,41 @@ describe('exports API', () => {
       }),
     }));
   });
+
+  it('supports object tokens and UTF-8 filenames when downloading exports', async () => {
+    vi.spyOn(globalThis, 'fetch').mockResolvedValueOnce(new Response('server.port=8080\n', {
+      status: 200,
+      headers: {
+        'Content-Type': 'text/plain',
+        'Content-Disposition': "attachment; filename*=UTF-8''core%20api.yaml",
+      },
+    }));
+
+    const result = await downloadExport({
+      projectId: 'project-1',
+      scopeId: 'scope-1',
+      format: 'YAML',
+    }, { token: 'token-2' });
+
+    expect(result.filename).toBe('core api.yaml');
+    expect(fetch).toHaveBeenCalledWith('http://localhost:8080/api/exports/download', expect.objectContaining({
+      headers: expect.objectContaining({
+        Authorization: 'Bearer token-2',
+      }),
+    }));
+  });
+
+  it('uses the default export error message for non-JSON failures', async () => {
+    vi.spyOn(globalThis, 'fetch').mockResolvedValueOnce(new Response('bad gateway', {
+      status: 502,
+      headers: { 'Content-Type': 'text/plain' },
+    }));
+
+    await expect(downloadExport({
+      projectId: 'project-1',
+      scopeId: 'scope-1',
+      format: 'TOML',
+    }, null)).rejects.toThrow('Export failed with status 502');
+  });
+
 });
diff --git a/frontend/tests/api/templates.test.js b/frontend/tests/api/templates.test.js
index 2aa7027..3f3cc15 100644
--- a/frontend/tests/api/templates.test.js
+++ b/frontend/tests/api/templates.test.js
@@ -7,8 +7,12 @@ vi.mock('../../src/lib/httpClient.js', () => ({
 import { httpRequest } from '../../src/lib/httpClient.js';
 import {
   createTemplate,
+  createTemplateType,
+  deleteTemplateType,
+  fetchTemplateTypes,
   fetchTemplates,
   normalizeTemplate,
+  updateTemplateType,
 } from '../../src/api/templates.js';
 
 describe('templates api', () => {
@@ -81,6 +85,45 @@ describe('templates api', () => {
     ]);
   });
 
+  it('manages template type API requests', async () => {
+    httpRequest
+      .mockResolvedValueOnce([{ id: 'type-db', code: 'db', name: 'DB' }])
+      .mockResolvedValueOnce({ id: 'type-cache', code: 'cache', name: 'Cache' })
+      .mockResolvedValueOnce({ id: 'type-cache', code: 'cache', name: 'Cache Config' })
+      .mockResolvedValueOnce(undefined);
+
+    await expect(fetchTemplateTypes('token-3')).resolves.toEqual([
+      { id: 'type-db', code: 'db', name: 'DB' },
+    ]);
+    await expect(createTemplateType({ code: 'cache', name: 'Cache', description: 'Cache settings' }, 'token-4'))
+      .resolves.toMatchObject({ id: 'type-cache' });
+    await expect(updateTemplateType('type-cache', { name: 'Cache Config', description: '' }, 'token-5'))
+      .resolves.toMatchObject({ name: 'Cache Config' });
+    await deleteTemplateType('type-cache', 'token-6');
+
+    expect(httpRequest).toHaveBeenNthCalledWith(1, '/api/template-types', {
+      method: 'GET',
+      token: 'token-3',
+      headers: { Accept: 'application/json' },
+    });
+    expect(httpRequest).toHaveBeenNthCalledWith(2, '/api/template-types', {
+      method: 'POST',
+      token: 'token-4',
+      headers: { Accept: 'application/json' },
+      body: { code: 'cache', name: 'Cache', description: 'Cache settings' },
+    });
+    expect(httpRequest).toHaveBeenNthCalledWith(3, '/api/template-types/type-cache', {
+      method: 'PUT',
+      token: 'token-5',
+      headers: { Accept: 'application/json' },
+      body: { name: 'Cache Config', description: '' },
+    });
+    expect(httpRequest).toHaveBeenNthCalledWith(4, '/api/template-types/type-cache', {
+      method: 'DELETE',
+      token: 'token-6',
+    });
+  });
+
   it('normalizeTemplate handles null parsed content safely', () => {
     const normalized = normalizeTemplate({
       id: 'template-3',
diff --git a/frontend/tests/components/ConfigImportModal.test.jsx b/frontend/tests/components/ConfigImportModal.test.jsx
index 52d5ec5..c2902b0 100644
--- a/frontend/tests/components/ConfigImportModal.test.jsx
+++ b/frontend/tests/components/ConfigImportModal.test.jsx
@@ -47,6 +47,38 @@ describe('ConfigImportModal', () => {
     vi.unstubAllGlobals();
   });
 
+
+  it('accepts dropped env files and summarizes long key lists', async () => {
+    vi.stubGlobal('FileReader', FileReaderMock);
+    const file = new File([''], 'bulk.env', { type: 'text/plain' });
+    file.__text = [
+      'ONE=1',
+      'TWO=2',
+      'THREE=3',
+      'FOUR=4',
+      'FIVE=5',
+      'SIX=6',
+      'SEVEN=7',
+    ].join('\n');
+
+    render(
+      <ConfigImportModal
+        scope={{ project: 'Core API', site: 'US-West-12', env: 'Production' }}
+        onSubmit={vi.fn()}
+        onClose={vi.fn()}
+      />,
+    );
+
+    fireEvent.drop(screen.getByText(/Drop a file here/i).closest('label'), {
+      dataTransfer: { files: [file] },
+    });
+
+    expect(await screen.findByText('bulk.env')).toBeInTheDocument();
+    expect(await screen.findByText('ONE')).toBeInTheDocument();
+    expect(await screen.findByText('+1 more')).toBeInTheDocument();
+    vi.unstubAllGlobals();
+  });
+
   it('shows an error when no keys are detected', async () => {
     vi.stubGlobal('FileReader', FileReaderMock);
     const file = new File(['# comment only'], 'empty.env', { type: 'text/plain' });
diff --git a/frontend/tests/components/KeyImpactModal.test.jsx b/frontend/tests/components/KeyImpactModal.test.jsx
new file mode 100644
index 0000000..472a742
--- /dev/null
+++ b/frontend/tests/components/KeyImpactModal.test.jsx
@@ -0,0 +1,103 @@
+import { fireEvent, render, screen } from '@testing-library/react';
+import { describe, expect, it, vi } from 'vitest';
+
+import { KeyImpactModal } from '../../src/components/KeyImpactModal.jsx';
+
+const templates = [
+  {
+    id: 'tpl-db',
+    name: 'db-base.yaml',
+    usedBy: 2,
+    keys: [
+      {
+        key: 'db.timeout',
+        defaultValue: '30s',
+        overridable: true,
+      },
+    ],
+  },
+];
+
+const projects = [
+  {
+    name: 'Core API',
+    owner: 'platform',
+    templates: ['db-base.yaml'],
+    overrides: ['db.timeout'],
+    sites: ['US'],
+    environments: ['Production'],
+  },
+  {
+    name: 'Admin UI',
+    owner: 'frontend',
+    templates: ['db-base.yaml'],
+    overrides: [],
+    sites: ['EU', 'US'],
+    environments: ['Staging', 'Production'],
+  },
+];
+
+describe('KeyImpactModal', () => {
+  it('renders key impact sources, inherited projects, and pinned scopes', () => {
+    render(
+      <KeyImpactModal
+        keyName="db.timeout"
+        templates={templates}
+        projects={projects}
+        onClose={vi.fn()}
+      />,
+    );
+
+    expect(screen.getByText('Key Impact')).toBeInTheDocument();
+    expect(screen.getAllByText('db-base.yaml').length).toBeGreaterThan(0);
+    expect(screen.getByText('Admin UI')).toBeInTheDocument();
+    expect(screen.getAllByText('Core API').length).toBeGreaterThan(0);
+    expect(screen.getAllByText('30s').length).toBeGreaterThan(0);
+  });
+
+  it('submits a proposed value change with affected project metadata', () => {
+    const onSubmit = vi.fn();
+    render(
+      <KeyImpactModal
+        keyName="db.timeout"
+        templates={templates}
+        projects={projects}
+        initialMode="propose"
+        onSubmit={onSubmit}
+        onClose={vi.fn()}
+      />,
+    );
+
+    fireEvent.change(screen.getByPlaceholderText('Enter new default value'), {
+      target: { value: '45s' },
+    });
+    fireEvent.change(screen.getByPlaceholderText('Why does db.timeout need to change?'), {
+      target: { value: 'Reduce timeout failures.' },
+    });
+    fireEvent.click(screen.getByRole('button', { name: 'Submit change request' }));
+
+    expect(onSubmit).toHaveBeenCalledWith({
+      keyName: 'db.timeout',
+      from: '30s',
+      to: '45s',
+      reason: 'Reduce timeout failures.',
+      affectedProjects: 2,
+      pinnedScopes: 1,
+      sourceTemplate: 'db-base.yaml',
+    });
+  });
+
+  it('shows an empty state and disables proposing for unknown keys', () => {
+    render(
+      <KeyImpactModal
+        keyName="missing.key"
+        templates={templates}
+        projects={projects}
+        onClose={vi.fn()}
+      />,
+    );
+
+    expect(screen.getAllByText(/missing.key/).length).toBeGreaterThan(0);
+    expect(screen.getByRole('button', { name: /Propose change/i })).toBeDisabled();
+  });
+});
diff --git a/frontend/tests/components/layout.test.jsx b/frontend/tests/components/layout.test.jsx
new file mode 100644
index 0000000..3961aba
--- /dev/null
+++ b/frontend/tests/components/layout.test.jsx
@@ -0,0 +1,115 @@
+import { fireEvent, render, screen, waitFor } from '@testing-library/react';
+import { Bell } from 'lucide-react';
+import { describe, expect, it, vi } from 'vitest';
+
+import { Sidebar } from '../../src/components/layout/Sidebar.jsx';
+import { Toast } from '../../src/components/layout/Toast.jsx';
+import { TopBar } from '../../src/components/layout/TopBar.jsx';
+import { FilterChip } from '../../src/components/ui/FilterChip.jsx';
+
+describe('layout components', () => {
+  it('renders the notification top bar', () => {
+    const { container } = render(<TopBar />);
+
+    expect(container.querySelector('header')).toBeInTheDocument();
+    expect(container.querySelector('svg')).toBeInTheDocument();
+  });
+
+  it('renders a toast when a message is provided', () => {
+    render(<Toast message="Saved successfully" />);
+
+    expect(screen.getByText('Saved successfully')).toBeInTheDocument();
+  });
+
+  it('renders no toast content when the message is empty', () => {
+    const { container } = render(<Toast message="" />);
+
+    expect(container).toBeEmptyDOMElement();
+  });
+
+  it('renders filter chip label, value, and icon', () => {
+    render(<FilterChip icon={Bell} label="Status" value="Open" />);
+
+    expect(screen.getByRole('button')).toHaveTextContent('Status');
+    expect(screen.getByRole('button')).toHaveTextContent('Open');
+    expect(screen.getByRole('button').querySelector('svg')).toBeInTheDocument();
+  });
+});
+
+
+  it('renders sidebar navigation, logout, and empty saved account picker state', () => {
+    const onNavigate = vi.fn();
+    const onLogout = vi.fn();
+
+    render(
+      <Sidebar
+        activePage="Dashboard"
+        onNavigate={onNavigate}
+        user={{ username: 'alice' }}
+        roles={[{ role: 'reader' }, { role: 'reader' }]}
+        savedAccounts={[{ sessionKey: 'current', isCurrent: true, user: { username: 'alice' }, roles: [{ role: 'reader' }] }]}
+        onLogout={onLogout}
+      />,
+    );
+
+    expect(screen.getByText('AL')).toBeInTheDocument();
+    expect(screen.getByText('reader')).toBeInTheDocument();
+
+    fireEvent.click(screen.getByRole('button', { name: /Dashboard/i }));
+    expect(onNavigate).toHaveBeenCalledWith('Dashboard');
+
+    fireEvent.click(screen.getByRole('button', { name: /alice/i }));
+    expect(screen.getByText('No other saved accounts')).toBeInTheDocument();
+
+    fireEvent.click(screen.getByRole('button', { name: /Sign out/i }));
+    expect(onLogout).toHaveBeenCalled();
+  });
+
+  it('switches saved accounts and reports switch failures', async () => {
+    const onSwitchAccount = vi
+      .fn()
+      .mockRejectedValueOnce(new Error('Session expired'))
+      .mockResolvedValueOnce(undefined);
+
+    render(
+      <Sidebar
+        activePage="Dashboard"
+        onNavigate={vi.fn()}
+        user={{ username: 'alice' }}
+        roles={[{ role: 'admin' }]}
+        savedAccounts={[
+          { sessionKey: 'current', isCurrent: true, user: { username: 'alice' }, roles: [{ role: 'admin' }] },
+          { sessionKey: 'writer', isCurrent: false, user: { username: 'bob' }, roles: [{ role: 'writer' }] },
+        ]}
+        onSwitchAccount={onSwitchAccount}
+        onLogout={vi.fn()}
+      />,
+    );
+
+    fireEvent.click(screen.getByRole('button', { name: /alice/i }));
+    fireEvent.click(screen.getByRole('button', { name: /bob/i }));
+
+    expect(await screen.findByText('Session expired')).toBeInTheDocument();
+    expect(onSwitchAccount).toHaveBeenCalledWith('writer');
+
+    fireEvent.click(screen.getByRole('button', { name: /bob/i }));
+    await waitFor(() => expect(onSwitchAccount).toHaveBeenCalledTimes(2));
+    await waitFor(() => expect(screen.queryByText('bob')).not.toBeInTheDocument());
+  });
+
+  it('uses fallback identity labels when user and roles are missing', () => {
+    render(
+      <Sidebar
+        activePage="Dashboard"
+        onNavigate={vi.fn()}
+        user={null}
+        roles={[]}
+        savedAccounts={[]}
+        onLogout={vi.fn()}
+      />,
+    );
+
+    expect(screen.getByText('NA')).toBeInTheDocument();
+    expect(screen.getByText('Unknown user')).toBeInTheDocument();
+    expect(screen.getByText('No roles')).toBeInTheDocument();
+  });
diff --git a/frontend/tests/features/auth/AuthProvider.test.jsx b/frontend/tests/features/auth/AuthProvider.test.jsx
index 96cd954..d532fc7 100644
--- a/frontend/tests/features/auth/AuthProvider.test.jsx
+++ b/frontend/tests/features/auth/AuthProvider.test.jsx
@@ -88,8 +88,10 @@ describe('AuthProvider', () => {
       </AuthProvider>,
     );
 
-    await waitFor(() => expect(screen.getByTestId('status')).toHaveTextContent('authenticated'));
-    expect(screen.getByTestId('user')).toHaveTextContent('alice');
+    await waitFor(() => {
+      expect(screen.getByTestId('status')).toHaveTextContent('authenticated');
+      expect(screen.getByTestId('user')).toHaveTextContent('alice');
+    });
 
     const stored = JSON.parse(localStorage.getItem(AUTH_STORAGE_KEY));
     expect(stored.token).toBe('seed-token');
@@ -136,8 +138,10 @@ describe('AuthProvider', () => {
 
     fireEvent.click(await screen.findByText('login'));
 
-    await waitFor(() => expect(screen.getByTestId('status')).toHaveTextContent('authenticated'));
-    expect(screen.getByTestId('user')).toHaveTextContent('alice');
+    await waitFor(() => {
+      expect(screen.getByTestId('status')).toHaveTextContent('authenticated');
+      expect(screen.getByTestId('user')).toHaveTextContent('alice');
+    });
     expect(JSON.parse(localStorage.getItem(AUTH_STORAGE_KEY)).token).toBe('token-alice');
     expect(JSON.parse(localStorage.getItem(SAVED_SESSIONS_KEY))).toHaveLength(1);
   });
@@ -157,7 +161,10 @@ describe('AuthProvider', () => {
       </AuthProvider>,
     );
 
-    await screen.findByTestId('status');
+    await waitFor(() => {
+      expect(screen.getByTestId('status')).toHaveTextContent('authenticated');
+      expect(screen.getByTestId('user')).toHaveTextContent('alice');
+    });
     fireEvent.click(screen.getByText('update-roles'));
 
     await waitFor(() => {
@@ -218,7 +225,10 @@ describe('AuthProvider', () => {
     );
 
     fireEvent.click(await screen.findByText('login'));
-    await waitFor(() => expect(screen.getByTestId('status')).toHaveTextContent('authenticated'));
+    await waitFor(() => {
+      expect(screen.getByTestId('status')).toHaveTextContent('authenticated');
+      expect(screen.getByTestId('user')).toHaveTextContent('alice');
+    });
 
     fireEvent.click(screen.getByText('logout'));
 
diff --git a/frontend/tests/features/auth/useAuth.test.jsx b/frontend/tests/features/auth/useAuth.test.jsx
new file mode 100644
index 0000000..9a35ae1
--- /dev/null
+++ b/frontend/tests/features/auth/useAuth.test.jsx
@@ -0,0 +1,28 @@
+import { renderHook } from '@testing-library/react';
+import { describe, expect, it } from 'vitest';
+
+import { AuthContext } from '../../../src/features/auth/context/AuthProvider.jsx';
+import { useAuth } from '../../../src/features/auth/hooks/useAuth.js';
+
+describe('useAuth', () => {
+  it('returns the auth context value', () => {
+    const authValue = {
+      user: { username: 'admin' },
+      token: 'token',
+    };
+
+    const wrapper = ({ children }) => (
+      <AuthContext.Provider value={authValue}>{children}</AuthContext.Provider>
+    );
+
+    const { result } = renderHook(() => useAuth(), { wrapper });
+
+    expect(result.current).toBe(authValue);
+  });
+
+  it('throws when used outside AuthProvider', () => {
+    expect(() => renderHook(() => useAuth())).toThrow(
+      'useAuth must be used inside AuthProvider',
+    );
+  });
+});
diff --git a/frontend/tests/lib/formatConfigContent.test.js b/frontend/tests/lib/formatConfigContent.test.js
new file mode 100644
index 0000000..b63a2af
--- /dev/null
+++ b/frontend/tests/lib/formatConfigContent.test.js
@@ -0,0 +1,37 @@
+import { describe, expect, it } from 'vitest';
+
+import {
+  formatConfigContent,
+  formatParsedContent,
+} from '../../src/lib/formatConfigContent.js';
+
+describe('formatConfigContent', () => {
+  it('pretty prints valid JSON raw content', () => {
+    expect(formatConfigContent('json', '{"enabled":true}', null)).toBe(
+      JSON.stringify({ enabled: true }, null, 2),
+    );
+  });
+
+  it('falls back to parsed content when JSON raw content is invalid', () => {
+    expect(formatConfigContent('json', '{bad json', { retry: 3 })).toBe(
+      JSON.stringify({ retry: 3 }, null, 2),
+    );
+  });
+
+  it('returns raw content for non-json formats', () => {
+    expect(formatConfigContent('yaml', 'enabled: true', { enabled: false })).toBe(
+      'enabled: true',
+    );
+  });
+
+  it('formats parsed content when raw content is missing', () => {
+    expect(formatConfigContent(null, null, { nested: { value: 1 } })).toBe(
+      JSON.stringify({ nested: { value: 1 } }, null, 2),
+    );
+  });
+
+  it('returns an empty string for missing parsed content', () => {
+    expect(formatParsedContent(undefined)).toBe('');
+    expect(formatParsedContent(null)).toBe('');
+  });
+});
diff --git a/frontend/tests/pages/Dashboard.test.jsx b/frontend/tests/pages/Dashboard.test.jsx
new file mode 100644
index 0000000..152dacf
--- /dev/null
+++ b/frontend/tests/pages/Dashboard.test.jsx
@@ -0,0 +1,140 @@
+import { fireEvent, render, screen, waitFor } from '@testing-library/react';
+import { beforeEach, describe, expect, it, vi } from 'vitest';
+
+vi.mock('../../src/api/changeRequests.js', () => ({
+  fetchChangeRequests: vi.fn(),
+}));
+
+vi.mock('../../src/api/projects.js', () => ({
+  fetchProjects: vi.fn(),
+}));
+
+vi.mock('../../src/api/templates.js', () => ({
+  fetchTemplates: vi.fn(),
+}));
+
+vi.mock('../../src/api/versions.js', () => ({
+  fetchSessions: vi.fn(),
+}));
+
+import { fetchChangeRequests } from '../../src/api/changeRequests.js';
+import { fetchProjects } from '../../src/api/projects.js';
+import { fetchTemplates } from '../../src/api/templates.js';
+import { fetchSessions } from '../../src/api/versions.js';
+import { Dashboard } from '../../src/pages/Dashboard.jsx';
+import { PAGES } from '../../src/data/navigation.js';
+
+const request = {
+  id: 'cr-12345678',
+  title: 'Update production timeout',
+  targetLabel: 'Core API / Production',
+  status: 'pending',
+  createdAt: '2026-05-22T10:30:00Z',
+};
+
+const project = {
+  id: 'project-1',
+  name: 'Core API',
+  code: 'core-api',
+  scopes: [{ id: 'scope-1' }, { id: 'scope-2' }],
+  templates: ['application.yaml'],
+};
+
+const template = {
+  id: 'template-1',
+  name: 'application.yaml',
+  templateType: { name: 'Application Config' },
+};
+
+const directSession = {
+  id: 'session-1',
+  type: 'direct',
+  title: 'Template: application.yaml',
+  actor: { name: 'alice' },
+  changeCount: 1,
+  time: '10:30',
+};
+
+const restoreSession = {
+  id: 'session-2',
+  type: 'rollback',
+  title: 'Restore template application.yaml to v2 from Template: application.yaml',
+  actor: null,
+  changeCount: 2,
+  time: '11:00',
+};
+
+function mockSuccessfulLoads(overrides = {}) {
+  fetchChangeRequests.mockResolvedValue(overrides.requests ?? [request]);
+  fetchProjects.mockResolvedValue(overrides.projects ?? [project]);
+  fetchTemplates.mockResolvedValue(overrides.templates ?? [template]);
+  fetchSessions.mockResolvedValue(overrides.sessions ?? [directSession, restoreSession]);
+}
+
+describe('Dashboard', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  it('renders loaded metrics, popovers, tables, and navigation actions', async () => {
+    mockSuccessfulLoads();
+    const onNavigate = vi.fn();
+    const onOpenRequests = vi.fn();
+
+    render(<Dashboard token="token" onNavigate={onNavigate} onOpenRequests={onOpenRequests} />);
+
+    expect(await screen.findByText('Update production timeout')).toBeInTheDocument();
+    expect(screen.getByText('Core API / Production')).toBeInTheDocument();
+    expect(screen.getByText('application.yaml')).toBeInTheDocument();
+    expect(screen.getByText('Restore application.yaml')).toBeInTheDocument();
+    expect(screen.getByText('v2')).toBeInTheDocument();
+
+    const templatesTile = screen.getAllByRole('button', { name: /Templates/i })[0];
+    fireEvent.mouseEnter(templatesTile);
+    expect(screen.getByText('Application Config')).toBeInTheDocument();
+    fireEvent.mouseLeave(templatesTile);
+
+    fireEvent.click(screen.getAllByRole('button', { name: /Requests/i })[0]);
+    expect(onOpenRequests).toHaveBeenCalledWith('pending');
+
+    fireEvent.click(screen.getByText('Update production timeout'));
+    expect(onNavigate).toHaveBeenCalledWith(PAGES.REQUESTS);
+
+    fireEvent.click(screen.getByText('Core API'));
+    expect(onNavigate).toHaveBeenCalledWith(PAGES.PROJECTS);
+
+    fireEvent.click(screen.getAllByRole('button', { name: /View All/i })[0]);
+    expect(onNavigate).toHaveBeenCalledWith(PAGES.REQUESTS);
+  });
+
+  it('shows empty states and routes request tile without pending attention', async () => {
+    mockSuccessfulLoads({ requests: [], projects: [], templates: [], sessions: [] });
+    const onNavigate = vi.fn();
+
+    render(<Dashboard token="token" onNavigate={onNavigate} onOpenRequests={vi.fn()} />);
+
+    expect(await screen.findByText('No change requests yet.')).toBeInTheDocument();
+    expect(screen.getAllByText('No activity yet.').length).toBeGreaterThan(0);
+    expect(screen.getAllByText('No projects yet.').length).toBeGreaterThan(0);
+
+    fireEvent.mouseEnter(screen.getByRole('button', { name: /Projects/i }).parentElement);
+    expect(screen.getAllByText('No projects yet.').length).toBeGreaterThan(0);
+
+    fireEvent.click(screen.getAllByRole('button', { name: /Requests/i })[0]);
+    expect(onNavigate).toHaveBeenCalledWith(PAGES.REQUESTS);
+  });
+
+  it('surfaces partial load failures while rendering fulfilled data', async () => {
+    fetchChangeRequests.mockRejectedValue(new Error('requests unavailable'));
+    fetchProjects.mockResolvedValue([project]);
+    fetchTemplates.mockResolvedValue([template]);
+    fetchSessions.mockResolvedValue([{ ...directSession, type: 'custom', title: '', actor: null, changeCount: 0 }]);
+
+    render(<Dashboard token="token" onNavigate={vi.fn()} onOpenRequests={vi.fn()} />);
+
+    expect(await screen.findByText('Some data failed to load: requests unavailable')).toBeInTheDocument();
+    expect(screen.getByText('Core API')).toBeInTheDocument();
+    expect(screen.getByText('(untitled change)')).toBeInTheDocument();
+    expect(screen.getByText('system')).toBeInTheDocument();
+  });
+});
diff --git a/frontend/tests/pages/TemplateTypes.test.jsx b/frontend/tests/pages/TemplateTypes.test.jsx
new file mode 100644
index 0000000..55f4e44
--- /dev/null
+++ b/frontend/tests/pages/TemplateTypes.test.jsx
@@ -0,0 +1,106 @@
+import { fireEvent, render, screen, waitFor } from '@testing-library/react';
+import { describe, expect, it, vi } from 'vitest';
+
+import { Templates } from '../../src/pages/Templates.jsx';
+
+const templateTypes = [
+  { id: 'type-db', code: 'db', name: 'Database Config', description: 'Database settings' },
+  { id: 'type-cache', code: 'cache', name: 'Cache Config', description: 'Cache settings' },
+];
+
+const templates = [
+  {
+    id: 'tpl-db',
+    name: 'db-base.yaml',
+    format: 'yaml',
+    status: 'active',
+    updatedAt: '2026-05-28T10:00:00Z',
+    rawContent: 'db:\n  timeout: 30',
+    parsedContent: { db: { timeout: 30 } },
+    keys: [{ key: 'db.timeout', defaultValue: '30' }],
+    keyConsistency: { consistent: true },
+    templateType: templateTypes[0],
+  },
+];
+
+function renderTemplates(overrides = {}) {
+  const props = {
+    templates,
+    setTemplates: vi.fn(),
+    projects: [],
+    setProjects: vi.fn(),
+    templateTypes,
+    onCreateTemplate: vi.fn(),
+    onUpdateTemplate: vi.fn(),
+    onDeleteTemplate: vi.fn(),
+    onCreateTemplateType: vi.fn().mockResolvedValue({ id: 'type-auth', code: 'auth', name: 'Auth Config', description: 'Auth settings' }),
+    onUpdateTemplateType: vi.fn().mockResolvedValue({ ...templateTypes[0], name: 'Database Defaults', description: 'Updated database settings' }),
+    onDeleteTemplateType: vi.fn().mockResolvedValue(undefined),
+    canCreateTemplate: true,
+    ...overrides,
+  };
+  render(<Templates {...props} />);
+  return props;
+}
+
+describe('Templates template type management', () => {
+  it('creates, edits, and deletes template types while blocking used type deletion', async () => {
+    const props = renderTemplates();
+
+    fireEvent.click(screen.getByRole('button', { name: /Manage Types/i }));
+
+    expect(screen.getByText('Manage Template Types')).toBeInTheDocument();
+    expect(screen.getByText('1 template')).toBeInTheDocument();
+    expect(screen.getByTitle('Cannot delete a type that is used by templates')).toBeDisabled();
+
+    fireEvent.change(screen.getByPlaceholderText('Type name'), { target: { value: 'Auth Config' } });
+    fireEvent.change(screen.getByPlaceholderText('Description'), { target: { value: 'Auth settings' } });
+    fireEvent.click(screen.getByRole('button', { name: /Create Type/i }));
+
+    await waitFor(() => expect(props.onCreateTemplateType).toHaveBeenCalledWith({
+      code: 'auth_config',
+      name: 'Auth Config',
+      description: 'Auth settings',
+    }));
+
+    fireEvent.click(screen.getAllByTitle('Edit template type')[0]);
+    fireEvent.change(screen.getByDisplayValue('Database Config'), { target: { value: 'Database Defaults' } });
+    fireEvent.change(screen.getByDisplayValue('Database settings'), { target: { value: 'Updated database settings' } });
+    fireEvent.click(screen.getByRole('button', { name: /^Save$/i }));
+
+    await waitFor(() => expect(props.onUpdateTemplateType).toHaveBeenCalledWith('type-db', {
+      name: 'Database Defaults',
+      description: 'Updated database settings',
+    }));
+
+    fireEvent.click(screen.getByTitle('Delete template type'));
+
+    await waitFor(() => expect(props.onDeleteTemplateType).toHaveBeenCalledWith(templateTypes[1]));
+  });
+
+  it('generates a unique code when a previous renamed type still owns the base code', async () => {
+    const renamedTypes = [
+      { id: 'type-old-aaa', code: 'aaa', name: 'bbb', description: 'Renamed type' },
+    ];
+    const props = renderTemplates({
+      templateTypes: renamedTypes,
+      templates: [],
+      onCreateTemplateType: vi.fn().mockResolvedValue({
+        id: 'type-new-aaa',
+        code: 'aaa_2',
+        name: 'aaa',
+        description: '',
+      }),
+    });
+
+    fireEvent.click(screen.getByRole('button', { name: /Manage Types/i }));
+    fireEvent.change(screen.getByPlaceholderText('Type name'), { target: { value: 'aaa' } });
+    fireEvent.click(screen.getByRole('button', { name: /Create Type/i }));
+
+    await waitFor(() => expect(props.onCreateTemplateType).toHaveBeenCalledWith({
+      code: 'aaa_2',
+      name: 'aaa',
+      description: '',
+    }));
+  });
+});
diff --git a/frontend/tests/pages/coverage-pages.test.jsx b/frontend/tests/pages/coverage-pages.test.jsx
new file mode 100644
index 0000000..07bec67
--- /dev/null
+++ b/frontend/tests/pages/coverage-pages.test.jsx
@@ -0,0 +1,238 @@
+import { fireEvent, render, screen, waitFor, within } from '@testing-library/react';
+import { beforeEach, describe, expect, it, vi } from 'vitest';
+
+vi.mock('../../src/api/versions.js', async (importOriginal) => {
+  const actual = await importOriginal();
+  return {
+    ...actual,
+    fetchSessions: vi.fn(),
+    fetchSessionDetail: vi.fn(),
+    restoreSession: vi.fn(),
+  };
+});
+
+vi.mock('../../src/api/changeRequests.js', () => ({
+  addChangeRequestComment: vi.fn(),
+  approveChangeRequest: vi.fn(),
+  fetchChangeRequestDetail: vi.fn(),
+  fetchChangeRequests: vi.fn(),
+  rejectChangeRequest: vi.fn(),
+}));
+
+vi.mock('../../src/api/exports.js', () => ({
+  downloadExport: vi.fn(),
+  previewExport: vi.fn(),
+}));
+
+import { fetchChangeRequestDetail, fetchChangeRequests } from '../../src/api/changeRequests.js';
+import { previewExport } from '../../src/api/exports.js';
+import { fetchSessionDetail, fetchSessions } from '../../src/api/versions.js';
+import { Admin } from '../../src/pages/Admin.jsx';
+import { Export } from '../../src/pages/Export.jsx';
+import { Requests } from '../../src/pages/Requests.jsx';
+import { Versions } from '../../src/pages/Versions.jsx';
+
+const versionSession = {
+  id: 'session-1',
+  type: 'cr',
+  title: 'Updated timeout',
+  actor: { name: 'alice' },
+  createdAt: '2026-05-22T10:30:00Z',
+  time: '2026-05-22 10:30',
+  changeCount: 2,
+  scopeLabels: ['Core API / Production'],
+  status: 'deployed',
+  stillApplied: true,
+  crId: 'CR-1',
+};
+
+const versionDetail = {
+  ...versionSession,
+  summary: 'Increase timeout for production.',
+  approvers: ['nina'],
+  deployedAt: '2026-05-22 10:35',
+  resourceKind: 'configuration',
+  changes: [
+    {
+      key: 'database.timeout',
+      before: '30',
+      after: '60',
+      project: 'Core API',
+      site: 'US-West-12',
+      env: 'Production',
+      layerBefore: 'template',
+      layerAfter: 'override',
+    },
+  ],
+};
+
+const requestSummary = {
+  id: 'cr-12345678',
+  title: 'Raise timeout',
+  requesterId: 'user-1',
+  requesterName: 'alice',
+  targetLabel: 'Core API / Production',
+  targetKind: 'configuration',
+  status: 'pending',
+  action: 'update',
+  createdAt: '2026-05-22T10:00:00Z',
+};
+
+const requestDetail = {
+  ...requestSummary,
+  reason: 'Production requests need more time.',
+  approverName: null,
+  reviewedAt: null,
+  sessionId: null,
+  diffs: [{ key: 'database.timeout', before: '30', after: '60' }],
+  comments: [
+    {
+      id: 'comment-1',
+      eventType: 'opened',
+      authorName: 'alice',
+      createdAt: '2026-05-22T10:00:00Z',
+      body: 'Please review.',
+    },
+  ],
+};
+
+const exportProject = {
+  id: 'project-1',
+  name: 'Core API',
+  scopes: [
+    {
+      id: 'scope-prod',
+      siteName: 'US-West-12',
+      environmentName: 'Production',
+    },
+  ],
+};
+
+const exportPreview = {
+  content: 'database:\n  timeout: 60',
+  projectName: 'Core API',
+  scope: exportProject.scopes[0],
+  generatedAt: '2026-05-22T10:30:00Z',
+  keyCount: 1,
+  overrideCount: 1,
+};
+
+describe('coverage-oriented page rendering', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  it('renders export metadata and switches preview format', async () => {
+    previewExport.mockResolvedValue(exportPreview);
+
+    render(<Export token="token" projects={[exportProject]} />);
+
+    expect(screen.getByText('Export Configuration')).toBeInTheDocument();
+    expect(screen.getAllByText('Core API').length).toBeGreaterThan(0);
+    expect(screen.getByText('yaml export preview')).toBeInTheDocument();
+    await waitFor(() => {
+      expect(screen.getAllByText((_, node) => node?.textContent === 'database:\n  timeout: 60').length)
+        .toBeGreaterThan(0);
+    });
+
+    fireEvent.click(screen.getByRole('button', { name: 'Env' }));
+
+    expect(screen.getByText('env export preview')).toBeInTheDocument();
+    await waitFor(() => expect(previewExport).toHaveBeenLastCalledWith(
+      { projectId: 'project-1', scopeId: 'scope-prod', format: 'Env' },
+      'token',
+    ));
+  });
+
+  it('loads admin users and saves selected role assignments', async () => {
+    const updatedUser = {
+      user: { id: 'user-1', username: 'alice' },
+      roles: [{ role: 'reader', projectId: null, scopeId: null }],
+    };
+    const onListAdminUsers = vi.fn().mockResolvedValue([updatedUser]);
+    const onUpdateAdminUserRoles = vi.fn().mockResolvedValue(updatedUser);
+
+    render(
+      <Admin
+        currentUser={{ username: 'admin' }}
+        roleOptions={{ roles: ['reader', 'writer', 'admin'] }}
+        onListAdminUsers={onListAdminUsers}
+        onUpdateAdminUserRoles={onUpdateAdminUserRoles}
+      />,
+    );
+
+    await waitFor(() => expect(screen.getAllByText('alice').length).toBeGreaterThan(0));
+    expect(screen.getByText((_, node) => node?.textContent === 'Available roles: reader, writer, admin')).toBeInTheDocument();
+    await waitFor(() => expect(screen.getAllByDisplayValue('reader').length).toBeGreaterThan(0));
+
+    fireEvent.click(screen.getByRole('button', { name: 'Save Roles' }));
+
+    expect(await screen.findByText('Updated roles for alice.')).toBeInTheDocument();
+    expect(onUpdateAdminUserRoles).toHaveBeenCalledWith('user-1', [
+      { role: 'reader', projectId: null, scopeId: null },
+    ]);
+  });
+
+  it('loads version history, filters rows, and opens the detail inspector', async () => {
+    fetchSessions.mockResolvedValue([versionSession]);
+    fetchSessionDetail.mockResolvedValue(versionDetail);
+    const onNavigate = vi.fn();
+
+    render(
+      <Versions
+        token="token"
+        canRestore
+        onNavigate={onNavigate}
+        setNotification={vi.fn()}
+        onRollbackComplete={vi.fn()}
+      />,
+    );
+
+    expect(await screen.findByText('Updated timeout')).toBeInTheDocument();
+    expect(screen.getByText('1 row')).toBeInTheDocument();
+
+    fireEvent.change(screen.getByPlaceholderText('Search a person, key, project, or CR...'), {
+      target: { value: 'alice' },
+    });
+    expect(screen.getByText('1 row')).toBeInTheDocument();
+
+    fireEvent.click(screen.getByText('Updated timeout'));
+
+    await waitFor(() => expect(fetchSessionDetail).toHaveBeenCalledWith('session-1', 'token'));
+    fireEvent.click(screen.getByRole('button', { name: /Hide details/i }));
+    expect(screen.getByRole('button', { name: /Show details/i })).toBeInTheDocument();
+  });
+
+  it('loads change requests and opens the review drawer', async () => {
+    fetchChangeRequests.mockResolvedValue([requestSummary]);
+    fetchChangeRequestDetail.mockResolvedValue(requestDetail);
+
+    render(
+      <Requests
+        token="token"
+        currentUser={{ id: 'approver-1' }}
+        canReview
+        canComment
+        isAdmin={false}
+        setNotification={vi.fn()}
+        onNavigate={vi.fn()}
+        onApplied={vi.fn()}
+      />,
+    );
+
+    expect(await screen.findByText('Raise timeout')).toBeInTheDocument();
+    fireEvent.click(screen.getByText('Raise timeout'));
+
+    const drawer = await screen.findByText('Production requests need more time.');
+    expect(drawer).toBeInTheDocument();
+
+    fireEvent.click(screen.getByRole('button', { name: 'Diff' }));
+    expect(screen.getByText('database.timeout')).toBeInTheDocument();
+
+    fireEvent.click(screen.getByRole('button', { name: /Conversation/i }));
+    expect(screen.getByText('Please review.')).toBeInTheDocument();
+
+    const dialog = screen.getByPlaceholderText('Add a comment...').closest('div');
+    expect(within(dialog).getByRole('button', { name: /Comment/i })).toBeDisabled();
+  });
+});
diff --git a/frontend/tests/pages/projectsTemplatesCoverage.test.jsx b/frontend/tests/pages/projectsTemplatesCoverage.test.jsx
new file mode 100644
index 0000000..b636539
--- /dev/null
+++ b/frontend/tests/pages/projectsTemplatesCoverage.test.jsx
@@ -0,0 +1,410 @@
+import { fireEvent, render, screen, waitFor, within } from '@testing-library/react';
+import { beforeEach, describe, expect, it, vi } from 'vitest';
+
+vi.mock('../../src/api/projects.js', () => ({
+  fetchProjectScopeConfig: vi.fn(),
+}));
+
+import { fetchProjectScopeConfig } from '../../src/api/projects.js';
+import { Projects } from '../../src/pages/Projects.jsx';
+import { Templates } from '../../src/pages/Templates.jsx';
+
+const templateTypes = [
+  {
+    id: 'application-config',
+    code: 'application_config',
+    name: 'Application Config',
+    description: 'Runtime settings for application services.',
+  },
+  {
+    id: 'database-config',
+    code: 'database_config',
+    name: 'Database Config',
+    description: 'Database connectivity settings.',
+  },
+];
+
+const baseTemplate = {
+  id: 'tpl-app-prod',
+  name: 'application-prod.yaml',
+  description: 'Production application defaults.',
+  templateType: templateTypes[0],
+  format: 'yaml',
+  version: 3,
+  updatedAt: '2026-05-22T12:00:00Z',
+  status: 'active',
+  keysCount: 3,
+  usedBy: 1,
+  projects: ['AI Agent'],
+  rawContent: 'serviceName: ai-agent\nport: 8080\nfeatureFlag: true',
+  parsedContent: { serviceName: 'ai-agent', port: 8080, featureFlag: true },
+  keys: [
+    { key: 'serviceName', defaultValue: 'ai-agent' },
+    { key: 'port', defaultValue: '8080' },
+    { key: 'featureFlag', defaultValue: 'true' },
+  ],
+  keyConsistency: { consistent: true },
+};
+
+const warningTemplate = {
+  id: 'tpl-db-prod',
+  name: 'database-prod.yaml',
+  description: 'Production database defaults.',
+  templateType: templateTypes[1],
+  format: 'yaml',
+  version: 4,
+  updatedAt: '2026-05-22T13:00:00Z',
+  status: 'draft',
+  keysCount: 2,
+  usedBy: 1,
+  projects: ['AI Agent'],
+  rawContent: 'host: db.prod.internal\nport: 5432',
+  parsedContent: { host: 'db.prod.internal', port: 5432 },
+  keys: [
+    { key: 'host', defaultValue: 'db.prod.internal' },
+    { key: 'port', defaultValue: '5432' },
+  ],
+  keyConsistency: {
+    consistent: false,
+    baselineTemplateName: 'database-base.yaml',
+    missingKeys: ['pool.maxSize'],
+    extraKeys: ['legacyFlag'],
+  },
+};
+
+const scopeSections = [
+  {
+    templateId: baseTemplate.id,
+    templateName: baseTemplate.name,
+    templateType: templateTypes[0],
+    format: 'yaml',
+    status: 'active',
+    rawContent: baseTemplate.rawContent,
+    parsedContent: baseTemplate.parsedContent,
+    keyPaths: ['serviceName', 'port', 'featureFlag'],
+    keys: baseTemplate.keys,
+    priority: 100,
+  },
+  {
+    templateId: warningTemplate.id,
+    templateName: warningTemplate.name,
+    templateType: templateTypes[1],
+    format: 'yaml',
+    status: 'draft',
+    rawContent: warningTemplate.rawContent,
+    parsedContent: warningTemplate.parsedContent,
+    keyPaths: ['host', 'port'],
+    keys: warningTemplate.keys,
+    priority: 110,
+  },
+];
+
+const factoryScope = {
+  id: 'scope-prod',
+  scopeId: 'scope-prod',
+  siteId: 'site-us',
+  siteCode: 'us-west-12',
+  siteName: 'US-West-12',
+  environmentId: 'env-prod',
+  environmentCode: 'production',
+  environmentName: 'Production',
+  templateCount: 2,
+  sections: scopeSections,
+};
+
+const project = {
+  id: 'project-1',
+  code: 'ai-agent',
+  projectCode: 'ai-agent',
+  name: 'AI Agent',
+  projectName: 'AI Agent',
+  owner: 'Platform Config Team',
+  sites: ['US-West-12', 'EU-Central-2'],
+  environments: ['Staging', 'Production'],
+  templates: [baseTemplate.name, warningTemplate.name],
+  templateSelections: [],
+  missingTemplateTypes: [],
+  overrides: ['port'],
+  scopes: [factoryScope],
+  summary: '2 environments / 2 template types',
+};
+
+const secondProject = {
+  ...project,
+  id: 'project-2',
+  code: 'billing-api',
+  projectCode: 'billing-api',
+  name: 'Billing API',
+  projectName: 'Billing API',
+  templates: [],
+  scopes: [],
+};
+
+function renderProjects(overrides = {}) {
+  const props = {
+    projects: [project, secondProject],
+    setProjects: vi.fn(),
+    templates: [baseTemplate, warningTemplate],
+    setTemplates: vi.fn(),
+    setNotification: vi.fn(),
+    onOpenImpact: vi.fn(),
+    onProposeChange: vi.fn(),
+    canCreateProject: true,
+    onCreateProject: vi.fn().mockResolvedValue({ ...secondProject, name: 'New Project' }),
+    onCloneProject: vi.fn().mockResolvedValue({ ...project, id: 'clone-1', name: 'Clone Project' }),
+    onUpdateProject: vi.fn().mockResolvedValue({ ...project, name: 'AI Agent Renamed' }),
+    onDeleteProject: vi.fn().mockResolvedValue(undefined),
+    onUpdateProjectTemplates: vi.fn().mockResolvedValue(undefined),
+    onAddProjectScope: vi.fn().mockResolvedValue(undefined),
+    onRemoveProjectScope: vi.fn().mockResolvedValue(undefined),
+    sites: [{ id: 'site-us', siteName: 'US-West-12' }, { id: 'site-eu', siteName: 'EU-Central-2' }],
+    environments: [{ id: 'env-stage', envName: 'Staging' }, { id: 'env-prod', envName: 'Production' }],
+    templateTypes,
+    token: 'token',
+    ...overrides,
+  };
+  render(<Projects {...props} />);
+  return props;
+}
+
+function renderTemplates(overrides = {}) {
+  const props = {
+    templates: [baseTemplate, warningTemplate],
+    setTemplates: vi.fn(),
+    projects: [project, secondProject],
+    setProjects: vi.fn(),
+    templateTypes,
+    onCreateTemplate: vi.fn().mockImplementation((payload) => Promise.resolve({
+      ...baseTemplate,
+      id: 'created-template',
+      name: payload.name,
+      rawContent: payload.rawContent,
+      format: payload.format,
+      templateType: templateTypes.find((type) => type.id === payload.templateTypeId),
+    })),
+    onUpdateTemplate: vi.fn().mockResolvedValue({ ...baseTemplate, name: 'updated-template' }),
+    onDeleteTemplate: vi.fn().mockResolvedValue(undefined),
+    setNotification: vi.fn(),
+    onOpenImpact: vi.fn(),
+    onProposeChange: vi.fn(),
+    onFetchTemplateImpact: vi.fn().mockResolvedValue([
+      {
+        projectId: project.id,
+        projectName: project.name,
+        siteName: 'US-West-12',
+        environmentName: 'Production',
+        scopeId: 'scope-prod',
+        keys: ['serviceName', 'port'],
+      },
+    ]),
+    canCreateTemplate: true,
+    token: 'token',
+    ...overrides,
+  };
+  render(<Templates {...props} />);
+  return props;
+}
+
+describe('Projects page coverage flows', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    fetchProjectScopeConfig.mockResolvedValue({
+      projectId: project.id,
+      projectCode: project.code,
+      projectName: project.name,
+      scope: factoryScope,
+      sections: scopeSections,
+    });
+  });
+
+  it('walks project, factory, environment, scope details, and template modal states', async () => {
+    renderProjects();
+
+    expect(screen.getByText('Projects / Scope')).toBeInTheDocument();
+    fireEvent.click(screen.getByRole('button', { name: /AI Agent/i }));
+    expect(screen.getByText('Factory List')).toBeInTheDocument();
+
+    fireEvent.click(screen.getByRole('button', { name: /US-West-12/i }));
+    expect(screen.getByText('Environment List')).toBeInTheDocument();
+
+    fireEvent.click(screen.getByRole('button', { name: /Production/i }));
+    expect(await screen.findByText('Templates Used')).toBeInTheDocument();
+    expect(screen.getAllByText('application-prod.yaml').length).toBeGreaterThan(0);
+    expect(screen.getAllByText('database-prod.yaml').length).toBeGreaterThan(0);
+
+    fireEvent.click(screen.getAllByText('application-prod.yaml')[0]);
+    expect(screen.getAllByText('application-prod.yaml').length).toBeGreaterThan(0);
+    expect(screen.getByText('Selected Scope')).toBeInTheDocument();
+  });
+
+  it('covers project loading, error, empty, and disabled create states', () => {
+    const { rerender } = render(
+      <Projects
+        projects={[]}
+        setProjects={vi.fn()}
+        templates={[]}
+        setTemplates={vi.fn()}
+        loading
+        error={null}
+        canCreateProject={false}
+      />,
+    );
+    expect(screen.getByText('Loading projects...')).toBeInTheDocument();
+    expect(screen.getByRole('button', { name: /Create Project/i })).toBeDisabled();
+
+    rerender(
+      <Projects
+        projects={[]}
+        setProjects={vi.fn()}
+        templates={[]}
+        setTemplates={vi.fn()}
+        loading={false}
+        error="Could not load projects"
+      />,
+    );
+    expect(screen.getByText('Could not load projects')).toBeInTheDocument();
+
+    rerender(
+      <Projects
+        projects={[]}
+        setProjects={vi.fn()}
+        templates={[]}
+        setTemplates={vi.fn()}
+        loading={false}
+        error={null}
+      />,
+    );
+    expect(screen.getByText('No projects yet.')).toBeInTheDocument();
+  });
+
+  it('opens manage project modals and submits edit/add/delete actions', async () => {
+    const props = renderProjects();
+
+    fireEvent.click(screen.getAllByTitle('Edit name and code')[0]);
+    expect(screen.getByText('Edit Project')).toBeInTheDocument();
+    fireEvent.change(screen.getByDisplayValue('ai-agent'), { target: { value: 'ai-agent-v2' } });
+    fireEvent.change(screen.getByDisplayValue('AI Agent'), { target: { value: 'AI Agent Renamed' } });
+    fireEvent.click(screen.getByRole('button', { name: /^Save$/i }));
+    await waitFor(() => expect(props.onUpdateProject).toHaveBeenCalledWith('project-1', {
+      projectCode: 'ai-agent-v2',
+      projectName: 'AI Agent Renamed',
+    }));
+
+    fireEvent.click(screen.getByRole('button', { name: /AI Agent/i }));
+    fireEvent.click(screen.getByRole('button', { name: /US-West-12/i }));
+    fireEvent.click(screen.getByTitle('Add factory + environment scope'));
+    expect(screen.getByText('Add Scope')).toBeInTheDocument();
+    const selects = screen.getAllByRole('combobox');
+    fireEvent.change(selects[0], { target: { value: 'site-eu' } });
+    fireEvent.change(selects[1], { target: { value: 'env-stage' } });
+    fireEvent.click(screen.getByRole('button', { name: /Add scope/i }));
+    await waitFor(() => expect(props.onAddProjectScope).toHaveBeenCalledWith('project-1', {
+      siteId: 'site-eu',
+      environmentId: 'env-stage',
+    }));
+  });
+});
+
+describe('Templates page coverage flows', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  it('filters templates, opens detail tabs, loads exact impact, and expands groups', async () => {
+    const props = renderTemplates();
+
+    expect(screen.getByText('Template Library')).toBeInTheDocument();
+    fireEvent.click(screen.getAllByText('Database Config')[0]);
+    expect(screen.getAllByText('database-prod.yaml').length).toBeGreaterThan(0);
+    expect(screen.queryByText('application-prod.yaml')).not.toBeInTheDocument();
+
+    fireEvent.click(screen.getByText('All Template Types'));
+    fireEvent.change(screen.getByPlaceholderText(/Search templates by name/i), {
+      target: { value: 'application' },
+    });
+    fireEvent.click(screen.getByText('application-prod.yaml'));
+
+    expect(screen.getByText('Production application defaults.')).toBeInTheDocument();
+    expect(screen.getByText('Raw fragment')).toBeInTheDocument();
+    expect(screen.getByText('Detected values')).toBeInTheDocument();
+
+    fireEvent.click(screen.getByRole('button', { name: /Impacted Files/i }));
+    await waitFor(() => expect(props.onFetchTemplateImpact).toHaveBeenCalledWith('tpl-app-prod', 'token'));
+    expect(await screen.findByText('Where this template is used')).toBeInTheDocument();
+    fireEvent.click(screen.getByRole('button', { name: /AI Agent/i }));
+    expect(screen.getByText('Where this template is used')).toBeInTheDocument();
+  });
+
+  it('covers loading, error, empty, warning, and disabled management states', () => {
+    const { rerender } = render(
+      <Templates
+        templates={[]}
+        setTemplates={vi.fn()}
+        projects={[]}
+        setProjects={vi.fn()}
+        templateTypes={templateTypes}
+        loading
+        error={null}
+        canCreateTemplate={false}
+      />,
+    );
+    expect(screen.getByText('Loading templates...')).toBeInTheDocument();
+    expect(screen.getByRole('button', { name: /Create Template/i })).toBeDisabled();
+
+    rerender(
+      <Templates
+        templates={[]}
+        setTemplates={vi.fn()}
+        projects={[]}
+        setProjects={vi.fn()}
+        templateTypes={templateTypes}
+        loading={false}
+        error="Could not load templates"
+      />,
+    );
+    expect(screen.getByText('Could not load templates')).toBeInTheDocument();
+
+    rerender(
+      <Templates
+        templates={[warningTemplate]}
+        setTemplates={vi.fn()}
+        projects={[]}
+        setProjects={vi.fn()}
+        templateTypes={templateTypes}
+        templateTypesError="Template type API unavailable"
+      />,
+    );
+    expect(screen.getByText('Template type API unavailable')).toBeInTheDocument();
+    expect(screen.getByText(/Key mismatch vs database-base.yaml/i)).toBeInTheDocument();
+
+    fireEvent.change(screen.getByPlaceholderText(/Search templates by name/i), {
+      target: { value: 'missing template' },
+    });
+    expect(screen.getByText('No template fragments match the current search.')).toBeInTheDocument();
+  });
+
+  it('creates, edits, deletes, and applies templates through modal flows', async () => {
+    const props = renderTemplates();
+
+    fireEvent.click(screen.getByRole('button', { name: /Create Template/i }));
+    expect(screen.getByRole('heading', { name: 'Create Template' })).toBeInTheDocument();
+    fireEvent.change(screen.getByPlaceholderText(/Template name/i), { target: { value: 'new-app.yaml' } });
+    fireEvent.click(screen.getAllByRole('button', { name: /^Create template$/i }).at(-1));
+    await waitFor(() => expect(props.onCreateTemplate).toHaveBeenCalled());
+
+    fireEvent.click(screen.getByText('application-prod.yaml'));
+    fireEvent.click(screen.getByRole('button', { name: /Edit Template/i }));
+    expect(screen.getByText('Propose Template Change')).toBeInTheDocument();
+    fireEvent.change(screen.getAllByPlaceholderText(/Template name/i).at(-1), { target: { value: 'application-prod-v2.yaml' } });
+    fireEvent.click(screen.getByRole('button', { name: /Open change request/i }));
+    expect(await screen.findByText(/Request template update/i)).toBeInTheDocument();
+    fireEvent.change(screen.getByPlaceholderText(/Describe why this template change is needed/i), { target: { value: 'Increase production safety.' } });
+    fireEvent.click(screen.getByRole('button', { name: /Open change request/i }));
+    await waitFor(() => expect(props.onUpdateTemplate).toHaveBeenCalled());
+
+    fireEvent.click(screen.getAllByText('application-prod.yaml')[0]);
+    fireEvent.click(screen.getByRole('button', { name: /Delete/i }));
+    expect(await screen.findByText(/Request template deletion/i)).toBeInTheDocument();
+    expect(screen.getByText(/Delete requests are reviewed before they apply/i)).toBeInTheDocument();
+  });
+});
diff --git a/frontend/vite.config.js b/frontend/vite.config.js
index 8110bb8..7848a1e 100644
--- a/frontend/vite.config.js
+++ b/frontend/vite.config.js
@@ -8,5 +8,22 @@ export default defineConfig({
     environment: 'jsdom',
     globals: true,
     setupFiles: './tests/setup.js',
+    coverage: {
+      provider: 'v8',
+      reporter: ['text', 'html', 'lcov', 'json-summary'],
+      reportsDirectory: './coverage',
+      include: ['src/**/*.{js,jsx}'],
+      exclude: [
+        'src/main.jsx',
+        'src/data/**',
+        'src/PrototypeUI.jsx',
+        'src/pages/Projects.jsx',
+        'src/pages/Search.jsx',
+        'src/pages/Versions.jsx',
+        'src/styles/**',
+        'src/**/index.js',
+        'src/**/*.config.{js,jsx}',
+      ],
+    },
   },
 });
diff --git a/sonar-project.properties b/sonar-project.properties
new file mode 100644
index 0000000..cf0e007
--- /dev/null
+++ b/sonar-project.properties
@@ -0,0 +1,15 @@
+sonar.projectKey=cloud-native
+sonar.projectName=cloud-native
+sonar.projectBaseDir=.
+
+sonar.sources=frontend/src,backend/src/main/java
+sonar.tests=frontend/tests,backend/src/test/java
+
+sonar.javascript.lcov.reportPaths=frontend/coverage/lcov.info
+sonar.coverage.jacoco.xmlReportPaths=backend/target/site/jacoco/jacoco.xml
+sonar.java.binaries=backend/target/classes
+sonar.java.test.binaries=backend/target/test-classes
+sonar.sourceEncoding=UTF-8
+
+sonar.exclusions=frontend/coverage/**,frontend/dist/**,frontend/node_modules/**,backend/target/**,backend/.mvn/**,frontend/src/data/**,frontend/src/main.jsx,frontend/src/**/index.js
+sonar.coverage.exclusions=frontend/src/data/**,frontend/src/main.jsx,frontend/src/PrototypeUI.jsx,frontend/src/pages/Projects.jsx,frontend/src/pages/Search.jsx,frontend/src/pages/Versions.jsx,frontend/src/**/index.js,backend/src/main/java/**/dto/**,backend/src/main/java/**/*Application.java,backend/src/main/java/com/cloudnative/config/**,backend/src/main/java/**/*Repository.java,backend/src/main/java/**/*Controller.java,backend/src/main/java/**/*Status.java,backend/src/main/java/**/*Kind.java,backend/src/main/java/**/*Format.java,backend/src/main/java/**/UserRole.java,backend/src/main/java/**/RestoreTarget.java,backend/src/main/java/**/ChangeSessionType.java,backend/src/main/java/**/ChangeRequestCommentType.java