diff --git a/.gitignore b/.gitignore
index 0e38d571..c06cbcd5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -158,3 +158,7 @@ native/macos/MCPProxy/.build/
 
 # demo pipeline: playwright node_modules symlink (recreated at capture time)
 scripts/demo/node_modules
+
+# Transient work artifacts (brainstorm logs, editor backups)
+*.bak
+**/execution_log.md
diff --git a/scanner-qa-report.html b/scanner-qa-report.html
deleted file mode 100644
index 1c267daf..00000000
--- a/scanner-qa-report.html
+++ /dev/null
@@ -1,417 +0,0 @@
-<!DOCTYPE html>
-<html lang="en">
-<head>
-<meta charset="UTF-8">
-<meta name="viewport" content="width=device-width, initial-scale=1.0">
-<title>MCPProxy Security Scanner QA Report</title>
-<style>
-  :root { --bg: #0f172a; --card: #1e293b; --border: #334155; --text: #e2e8f0; --muted: #94a3b8; --accent: #3b82f6; --green: #22c55e; --red: #ef4444; --yellow: #eab308; --orange: #f97316; }
-  * { margin: 0; padding: 0; box-sizing: border-box; }
-  body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, monospace; background: var(--bg); color: var(--text); line-height: 1.6; }
-  .container { max-width: 1200px; margin: 0 auto; padding: 2rem; }
-  h1 { font-size: 2rem; margin-bottom: 0.5rem; }
-  h2 { font-size: 1.5rem; margin: 2rem 0 1rem; padding-bottom: 0.5rem; border-bottom: 2px solid var(--accent); }
-  h3 { font-size: 1.1rem; margin: 1.5rem 0 0.5rem; color: var(--accent); }
-  .subtitle { color: var(--muted); margin-bottom: 2rem; }
-  .badge { display: inline-block; padding: 2px 8px; border-radius: 4px; font-size: 0.75rem; font-weight: 600; text-transform: uppercase; }
-  .badge-critical { background: var(--red); color: white; }
-  .badge-high { background: var(--orange); color: white; }
-  .badge-medium { background: var(--yellow); color: #000; }
-  .badge-low { background: var(--accent); color: white; }
-  .badge-fixed { background: var(--green); color: white; }
-  .badge-open { background: var(--red); color: white; }
-  .badge-fp { background: #8b5cf6; color: white; }
-  .stats-grid { display: grid; grid-template-columns: repeat(auto-fit, minmax(180px, 1fr)); gap: 1rem; margin: 1.5rem 0; }
-  .stat-card { background: var(--card); border: 1px solid var(--border); border-radius: 8px; padding: 1.25rem; text-align: center; }
-  .stat-value { font-size: 2rem; font-weight: 700; }
-  .stat-label { color: var(--muted); font-size: 0.85rem; }
-  .stat-value.green { color: var(--green); }
-  .stat-value.red { color: var(--red); }
-  .stat-value.yellow { color: var(--yellow); }
-  .stat-value.blue { color: var(--accent); }
-  table { width: 100%; border-collapse: collapse; margin: 1rem 0; }
-  th, td { padding: 0.75rem; text-align: left; border-bottom: 1px solid var(--border); font-size: 0.9rem; }
-  th { background: var(--card); font-weight: 600; color: var(--muted); text-transform: uppercase; font-size: 0.75rem; letter-spacing: 0.05em; }
-  tr:hover { background: rgba(59,130,246,0.05); }
-  .card { background: var(--card); border: 1px solid var(--border); border-radius: 8px; padding: 1.5rem; margin: 1rem 0; }
-  .card-title { font-weight: 600; margin-bottom: 0.5rem; }
-  code { background: rgba(59,130,246,0.1); padding: 2px 6px; border-radius: 3px; font-size: 0.85rem; }
-  .evidence { background: #1a1a2e; border-left: 3px solid var(--yellow); padding: 0.75rem; margin: 0.5rem 0; font-size: 0.85rem; white-space: pre-wrap; max-height: 100px; overflow-y: auto; }
-  .fix-diff { background: #0d1117; border-radius: 6px; padding: 1rem; font-family: monospace; font-size: 0.8rem; overflow-x: auto; margin: 0.5rem 0; }
-  .fix-diff .add { color: var(--green); }
-  .fix-diff .del { color: var(--red); }
-  .server-grid { display: grid; grid-template-columns: repeat(auto-fill, minmax(350px, 1fr)); gap: 1rem; }
-  .server-card { background: var(--card); border: 1px solid var(--border); border-radius: 8px; padding: 1rem; }
-  .server-name { font-weight: 600; font-size: 1.1rem; margin-bottom: 0.25rem; }
-  .server-meta { color: var(--muted); font-size: 0.8rem; }
-  .scanner-status { display: flex; align-items: center; gap: 0.5rem; font-size: 0.85rem; padding: 0.25rem 0; }
-  .dot { width: 8px; height: 8px; border-radius: 50%; }
-  .dot-green { background: var(--green); }
-  .dot-red { background: var(--red); }
-  .toc { background: var(--card); border-radius: 8px; padding: 1.5rem; margin: 1.5rem 0; }
-  .toc a { color: var(--accent); text-decoration: none; display: block; padding: 0.25rem 0; }
-  .toc a:hover { text-decoration: underline; }
-  .separator { border: none; border-top: 1px solid var(--border); margin: 2rem 0; }
-</style>
-</head>
-<body>
-<div class="container">
-
-<h1>MCPProxy Security Scanner QA Report</h1>
-<p class="subtitle">Comprehensive audit of scanning feature across all server types | 2026-04-06 | Branch: feat/039-security-scanner-plugins</p>
-
-<div class="toc">
-  <strong>Table of Contents</strong>
-  <a href="#overview">1. Executive Overview</a>
-  <a href="#testing">2. Testing Coverage</a>
-  <a href="#server-results">3. Server-by-Server Scan Results</a>
-  <a href="#bugs-found">4. Bugs Found (42 total)</a>
-  <a href="#bugs-fixed">5. Bugs Fixed (6 implemented)</a>
-  <a href="#false-positives">6. False Positive Analysis</a>
-  <a href="#remaining">7. Remaining Issues</a>
-  <a href="#recommendations">8. Recommendations</a>
-</div>
-
-<!-- =================== EXECUTIVE OVERVIEW =================== -->
-<h2 id="overview">1. Executive Overview</h2>
-
-<div class="stats-grid">
-  <div class="stat-card">
-    <div class="stat-value blue">11</div>
-    <div class="stat-label">Servers Tested</div>
-  </div>
-  <div class="stat-card">
-    <div class="stat-value blue">6</div>
-    <div class="stat-label">Scanners Installed</div>
-  </div>
-  <div class="stat-card">
-    <div class="stat-value blue">214</div>
-    <div class="stat-label">Total Scans Run</div>
-  </div>
-  <div class="stat-card">
-    <div class="stat-value yellow">42</div>
-    <div class="stat-label">Total Bugs Found</div>
-  </div>
-  <div class="stat-card">
-    <div class="stat-value green">6</div>
-    <div class="stat-label">Bugs Fixed</div>
-  </div>
-  <div class="stat-card">
-    <div class="stat-value red">1,899</div>
-    <div class="stat-label">Total Findings</div>
-  </div>
-</div>
-
-<div class="card">
-  <div class="card-title">Findings by Severity (Global Overview)</div>
-  <table>
-    <tr><th>Level</th><th>Count</th><th>Percentage</th></tr>
-    <tr><td><span class="badge badge-critical">Critical</span></td><td>14</td><td>0.7%</td></tr>
-    <tr><td><span class="badge badge-high">High</span></td><td>631</td><td>33.2%</td></tr>
-    <tr><td><span class="badge badge-medium">Medium</span></td><td>1,163</td><td>61.2%</td></tr>
-    <tr><td><span class="badge badge-low">Low</span></td><td>91</td><td>4.8%</td></tr>
-  </table>
-  <p style="margin-top:0.5rem; font-size:0.85rem; color:var(--muted)">
-    Threat classification: <strong>247</strong> dangerous, <strong>473</strong> warnings, <strong>1,179</strong> informational
-  </p>
-</div>
-
-<!-- =================== TESTING COVERAGE =================== -->
-<h2 id="testing">2. Testing Coverage</h2>
-
-<div class="card">
-  <div class="card-title">QA Methodology</div>
-  <table>
-    <tr><th>Phase</th><th>Method</th><th>Scope</th></tr>
-    <tr><td>API Testing</td><td>curl + jq</td><td>72 API tests across all scan endpoints</td></tr>
-    <tr><td>Frontend Code Review</td><td>Static analysis</td><td>ServerDetail.vue (2,000+ lines), Security.vue, api.ts</td></tr>
-    <tr><td>Backend Code Review</td><td>Static analysis</td><td>service.go, engine.go, source_resolver.go, registry_bundled.go, security_scanner.go</td></tr>
-    <tr><td>Visual UI Testing</td><td>Chrome screenshots</td><td>Global Security page, server detail security tabs</td></tr>
-    <tr><td>Scanner Quality</td><td>False positive analysis</td><td>All findings from cisco-mcp-scanner, trivy, semgrep</td></tr>
-  </table>
-</div>
-
-<div class="card">
-  <div class="card-title">Server Types Tested</div>
-  <table>
-    <tr><th>Type</th><th>Servers</th><th>Source Method</th><th>Scanners Run</th></tr>
-    <tr><td>HTTP (remote)</td><td>context7, hugginface, kaggle, supabase</td><td>url</td><td>1-6</td></tr>
-    <tr><td>Streamable-HTTP (remote)</td><td>kubic, synapbus</td><td>url</td><td>1-3</td></tr>
-    <tr><td>Stdio (local)</td><td>demo-filesystem</td><td>working_dir</td><td>6</td></tr>
-    <tr><td>Stdio (Docker)</td><td>perplexity, screenshot-website-fast</td><td>docker_extract</td><td>3-6</td></tr>
-    <tr><td>Stdio (quarantined)</td><td>malicious-demo</td><td>uvx_cache</td><td>6 (1 failed)</td></tr>
-    <tr><td>Stdio (disconnected)</td><td>everything-server</td><td>npx_cache</td><td>6</td></tr>
-  </table>
-</div>
-
-<!-- =================== SERVER RESULTS =================== -->
-<h2 id="server-results">3. Server-by-Server Scan Results</h2>
-
-<div class="server-grid">
-
-<div class="server-card">
-  <div class="server-name">context7</div>
-  <div class="server-meta">HTTP | https://mcp.context7.com/mcp | 2 tools</div>
-  <div style="margin:0.5rem 0"><span class="badge badge-high">Risk: 60</span> <span class="badge badge-fp">2 False Positives</span></div>
-  <div class="scanner-status"><span class="dot dot-green"></span> cisco-mcp-scanner: 2 findings (PROMPT INJECTION)</div>
-  <div class="scanner-status"><span class="dot dot-green"></span> semgrep-mcp: 0 findings</div>
-  <div class="scanner-status"><span class="dot dot-green"></span> trivy-mcp: 0 findings</div>
-  <div class="scanner-status"><span class="dot dot-green"></span> ramparts: 0 findings</div>
-  <div class="scanner-status"><span class="dot dot-green"></span> nova-proximity: 0 findings</div>
-  <div class="scanner-status"><span class="dot dot-green"></span> mcp-scan: 0 findings</div>
-</div>
-
-<div class="server-card">
-  <div class="server-name">demo-filesystem</div>
-  <div class="server-meta">Stdio (local) | working_dir | 14 tools</div>
-  <div style="margin:0.5rem 0"><span class="badge badge-high">Risk: 31</span> <span class="badge badge-high">7 Findings</span></div>
-  <div class="scanner-status"><span class="dot dot-green"></span> trivy-mcp: 5 findings (secrets)</div>
-  <div class="scanner-status"><span class="dot dot-green"></span> semgrep-mcp: 2 findings (secrets)</div>
-  <div class="scanner-status"><span class="dot dot-green"></span> cisco-mcp-scanner: 0 findings</div>
-  <div class="scanner-status"><span class="dot dot-green"></span> ramparts/nova/mcp-scan: 0 findings</div>
-</div>
-
-<div class="server-card">
-  <div class="server-name">perplexity</div>
-  <div class="server-meta">Stdio (Docker) | docker_extract | 3 tools</div>
-  <div style="margin:0.5rem 0"><span class="badge badge-medium">Risk: 20</span> <span class="badge badge-high">2 CVEs</span></div>
-  <div class="scanner-status"><span class="dot dot-green"></span> trivy-mcp: 2 findings (MCP SDK CVEs)</div>
-  <div class="scanner-status"><span class="dot dot-green"></span> All other scanners: 0 findings</div>
-  <p style="font-size:0.8rem; color:var(--muted); margin-top:0.5rem">CVE-2025-66414 (DNS rebinding), CVE-2026-0621 (ReDoS) in @modelcontextprotocol/sdk</p>
-</div>
-
-<div class="server-card">
-  <div class="server-name">malicious-demo</div>
-  <div class="server-meta">Stdio (quarantined) | uvx_cache | 0 tools (disconnected)</div>
-  <div style="margin:0.5rem 0"><span class="badge badge-low">Risk: 0</span> <span class="badge badge-open">Scan Incomplete</span></div>
-  <div class="scanner-status"><span class="dot dot-red"></span> cisco-mcp-scanner: FAILED (tools.json not found)</div>
-  <div class="scanner-status"><span class="dot dot-green"></span> All other scanners: 0 findings</div>
-  <p style="font-size:0.8rem; color:var(--red); margin-top:0.5rem">Tool poisoning detector could not run - server failed to connect for tool export</p>
-</div>
-
-<div class="server-card">
-  <div class="server-name">ElevenLabs</div>
-  <div class="server-meta">Stdio | Error state | 0 tools</div>
-  <div style="margin:0.5rem 0"><span class="badge badge-critical">Risk: 100</span> <span class="badge badge-fp">16 False Positives</span></div>
-  <div class="scanner-status"><span class="dot dot-green"></span> cisco-mcp-scanner: 16 findings (SYSTEM MANIPULATION)</div>
-  <p style="font-size:0.8rem; color:var(--muted); margin-top:0.5rem">Audio processing tools incorrectly flagged as system manipulation</p>
-</div>
-
-<div class="server-card">
-  <div class="server-name">hugginface / kaggle / supabase / kubic / synapbus</div>
-  <div class="server-meta">HTTP/Streamable-HTTP | url | 5-58 tools</div>
-  <div style="margin:0.5rem 0"><span class="badge badge-low">Risk: 0</span> <span class="badge badge-fixed">Clean</span></div>
-  <p style="font-size:0.8rem; color:var(--muted); margin-top:0.5rem">Note: supabase and kubic had 2 failed scanners each (cisco, trivy) due to tools.json not exported at time of scan</p>
-</div>
-
-</div>
-
-<!-- =================== BUGS FOUND =================== -->
-<h2 id="bugs-found">4. All Bugs Found (42 total)</h2>
-
-<h3>API / Backend Bugs (27)</h3>
-<table>
-  <tr><th>#</th><th>Severity</th><th>Category</th><th>Description</th><th>Status</th></tr>
-  <tr><td>1</td><td><span class="badge badge-high">High</span></td><td>API</td><td>Concurrent scan returns 500 instead of 409 Conflict</td><td><span class="badge badge-fixed">Fixed</span></td></tr>
-  <tr><td>2</td><td><span class="badge badge-high">High</span></td><td>Backend</td><td>Duplicate findings when merging Pass 1 + Pass 2 reports (same CVE appears twice)</td><td><span class="badge badge-fixed">Fixed</span></td></tr>
-  <tr><td>3</td><td><span class="badge badge-high">High</span></td><td>Backend</td><td>Security overview threat levels all zero (dangerous/warnings/info_level not aggregated)</td><td><span class="badge badge-fixed">Fixed</span></td></tr>
-  <tr><td>4</td><td><span class="badge badge-high">High</span></td><td>Backend</td><td>malicious-demo tools.json not exported - cisco scanner fails, server shows "clean"</td><td><span class="badge badge-open">Open</span></td></tr>
-  <tr><td>5</td><td><span class="badge badge-high">High</span></td><td>Backend</td><td>CancelScan doesn't cancel running Docker containers (uses context.Background())</td><td><span class="badge badge-open">Open</span></td></tr>
-  <tr><td>6</td><td><span class="badge badge-high">High</span></td><td>Backend</td><td>Race condition between Pass 1 completion and Pass 2 start</td><td><span class="badge badge-open">Open</span></td></tr>
-  <tr><td>7</td><td><span class="badge badge-high">High</span></td><td>Backend</td><td>Report directory (scanner-reports/) never cleaned up</td><td><span class="badge badge-open">Open</span></td></tr>
-  <tr><td>8</td><td><span class="badge badge-high">High</span></td><td>Backend</td><td>No scanner-source matching: all scanners run on all source types</td><td><span class="badge badge-open">Open</span></td></tr>
-  <tr><td>9</td><td><span class="badge badge-medium">Medium</span></td><td>API</td><td>handleStartScan silently ignores JSON decode errors</td><td><span class="badge badge-open">Open</span></td></tr>
-  <tr><td>10</td><td><span class="badge badge-medium">Medium</span></td><td>Backend</td><td>Pass 1 cleanup removes temp dir before Pass 2 can use it</td><td><span class="badge badge-open">Open</span></td></tr>
-  <tr><td>11</td><td><span class="badge badge-medium">Medium</span></td><td>Backend</td><td>Race condition reading/writing job.Status without lock</td><td><span class="badge badge-open">Open</span></td></tr>
-  <tr><td>12</td><td><span class="badge badge-medium">Medium</span></td><td>API</td><td>POST scan for nonexistent server returns 500 instead of 404</td><td><span class="badge badge-open">Open</span></td></tr>
-  <tr><td>13</td><td><span class="badge badge-medium">Medium</span></td><td>Backend</td><td>tools_exported inconsistently null for some servers</td><td><span class="badge badge-open">Open</span></td></tr>
-  <tr><td>14</td><td><span class="badge badge-medium">Medium</span></td><td>Backend</td><td>Inconsistent scanner count: some servers get 6 scanners, others only 1-3</td><td><span class="badge badge-open">Open</span></td></tr>
-  <tr><td>15</td><td><span class="badge badge-medium">Medium</span></td><td>Backend</td><td>Docker cache mount at /root/.cache may conflict with scanner-specific paths</td><td><span class="badge badge-open">Open</span></td></tr>
-  <tr><td>16</td><td><span class="badge badge-medium">Medium</span></td><td>Backend</td><td>extractTopLevelDir includes /usr, /var for Docker - too broad for supply chain audit</td><td><span class="badge badge-open">Open</span></td></tr>
-  <tr><td>17</td><td><span class="badge badge-medium">Medium</span></td><td>Backend</td><td>cancel-all wipes scan job data for servers with active scans</td><td><span class="badge badge-open">Open</span></td></tr>
-  <tr><td>18</td><td><span class="badge badge-medium">Medium</span></td><td>Backend</td><td>Scan report has duplicate scanner entries for multi-scanned servers</td><td><span class="badge badge-open">Open</span></td></tr>
-  <tr><td>19</td><td><span class="badge badge-low">Low</span></td><td>Backend</td><td>ValidateManifest requires Command non-empty, but 3 bundled scanners have nil Command</td><td><span class="badge badge-open">Open</span></td></tr>
-  <tr><td>20</td><td><span class="badge badge-low">Low</span></td><td>Backend</td><td>parseResults silently treats unparseable scanner output as 'clean'</td><td><span class="badge badge-open">Open</span></td></tr>
-  <tr><td>21</td><td><span class="badge badge-low">Low</span></td><td>Backend</td><td>File-to-findings path matching uses flawed normalization</td><td><span class="badge badge-open">Open</span></td></tr>
-  <tr><td>22</td><td><span class="badge badge-low">Low</span></td><td>Backend</td><td>GetScanSummary doesn't check for active Pass 2 scans</td><td><span class="badge badge-open">Open</span></td></tr>
-  <tr><td>23</td><td><span class="badge badge-low">Low</span></td><td>Backend</td><td>Cisco scanner hardcodes --tools /scan/source/tools.json path</td><td><span class="badge badge-open">Open</span></td></tr>
-  <tr><td>24</td><td><span class="badge badge-low">Low</span></td><td>Backend</td><td>Docker-extracted scans report total_files=0 despite scanning extracted files</td><td><span class="badge badge-open">Open</span></td></tr>
-  <tr><td>25</td><td><span class="badge badge-low">Low</span></td><td>Backend</td><td>Argument-based source resolution matches non-flag args as file paths incorrectly</td><td><span class="badge badge-open">Open</span></td></tr>
-  <tr><td>26</td><td><span class="badge badge-low">Low</span></td><td>Backend</td><td>Job ID collision risk with time.Now().UnixNano() generation</td><td><span class="badge badge-open">Open</span></td></tr>
-  <tr><td>27</td><td><span class="badge badge-low">Low</span></td><td>Backend</td><td>handleGetScanFiles retrieves report independently of job (potential mismatch)</td><td><span class="badge badge-open">Open</span></td></tr>
-</table>
-
-<h3>Frontend / UI Bugs (15)</h3>
-<table>
-  <tr><th>#</th><th>Severity</th><th>Category</th><th>Description</th><th>Status</th></tr>
-  <tr><td>28</td><td><span class="badge badge-high">High</span></td><td>UI</td><td>No Cancel button during active scan (API exists but UI doesn't expose it)</td><td><span class="badge badge-fixed">Fixed</span></td></tr>
-  <tr><td>29</td><td><span class="badge badge-medium">Medium</span></td><td>UI</td><td>Scanned Files section visible for tool_definitions_only source method</td><td><span class="badge badge-fixed">Fixed</span></td></tr>
-  <tr><td>30</td><td><span class="badge badge-medium">Medium</span></td><td>UI</td><td>No retry button after scan failure</td><td><span class="badge badge-fixed">Fixed</span></td></tr>
-  <tr><td>31</td><td><span class="badge badge-high">High</span></td><td>UI</td><td>Race condition: polling completion fires before scanReport loads</td><td><span class="badge badge-open">Open</span></td></tr>
-  <tr><td>32</td><td><span class="badge badge-high">High</span></td><td>UI</td><td>"Already in progress" error extracts job ID with fragile regex</td><td><span class="badge badge-open">Open</span></td></tr>
-  <tr><td>33</td><td><span class="badge badge-medium">Medium</span></td><td>UI</td><td>No debounce on Scan Now button (rapid clicks can cause issues)</td><td><span class="badge badge-open">Open</span></td></tr>
-  <tr><td>34</td><td><span class="badge badge-medium">Medium</span></td><td>UI</td><td>Polling continues silently on network errors with no max retry</td><td><span class="badge badge-open">Open</span></td></tr>
-  <tr><td>35</td><td><span class="badge badge-medium">Medium</span></td><td>UI</td><td>Scan error alert has no dismiss action</td><td><span class="badge badge-open">Open</span></td></tr>
-  <tr><td>36</td><td><span class="badge badge-medium">Medium</span></td><td>UI</td><td>Approve/Reject only shown with findings (can't approve clean servers)</td><td><span class="badge badge-open">Open</span></td></tr>
-  <tr><td>37</td><td><span class="badge badge-medium">Medium</span></td><td>UI</td><td>Active scan state lost on page navigation and return</td><td><span class="badge badge-open">Open</span></td></tr>
-  <tr><td>38</td><td><span class="badge badge-low">Low</span></td><td>UI</td><td>Inconsistent risk score color thresholds between pages</td><td><span class="badge badge-open">Open</span></td></tr>
-  <tr><td>39</td><td><span class="badge badge-low">Low</span></td><td>UI</td><td>Failed scanners counted as "completed" in progress bar</td><td><span class="badge badge-open">Open</span></td></tr>
-  <tr><td>40</td><td><span class="badge badge-low">Low</span></td><td>UI</td><td>Scanner Execution Logs depend on scanStatus populated at wrong time</td><td><span class="badge badge-open">Open</span></td></tr>
-  <tr><td>41</td><td><span class="badge badge-low">Low</span></td><td>UI</td><td>No explanation of Risk Score metric anywhere</td><td><span class="badge badge-open">Open</span></td></tr>
-  <tr><td>42</td><td><span class="badge badge-low">Low</span></td><td>UI</td><td>No "last scanned" timestamp shown prominently</td><td><span class="badge badge-open">Open</span></td></tr>
-</table>
-
-<!-- =================== BUGS FIXED =================== -->
-<h2 id="bugs-fixed">5. Bugs Fixed (6 implemented)</h2>
-
-<div class="card">
-  <div class="card-title">Fix 1: Concurrent scan returns 409 Conflict <span class="badge badge-fixed">Verified</span></div>
-  <p>File: <code>internal/httpapi/security_scanner.go</code></p>
-  <p>When a scan is already running for a server and another scan is triggered, the API now returns HTTP 409 Conflict instead of 500 Internal Server Error.</p>
-  <div class="fix-diff">
-    <div class="del">- s.writeError(w, r, http.StatusInternalServerError, err.Error())</div>
-    <div class="add">+ if strings.Contains(err.Error(), "already in progress") {</div>
-    <div class="add">+     s.writeError(w, r, http.StatusConflict, err.Error())</div>
-    <div class="add">+ } else {</div>
-    <div class="add">+     s.writeError(w, r, http.StatusInternalServerError, err.Error())</div>
-    <div class="add">+ }</div>
-  </div>
-  <p style="font-size:0.85rem; color:var(--green)">Validated: POST /scan returns 409 with "scan already in progress" message</p>
-</div>
-
-<div class="card">
-  <div class="card-title">Fix 2: Deduplicate Pass 1/Pass 2 findings <span class="badge badge-fixed">Verified</span></div>
-  <p>File: <code>internal/security/scanner/service.go</code></p>
-  <p>When merging Pass 1 (security scan) and Pass 2 (supply chain audit) reports, duplicate findings (same scanner + rule + title) are now removed. Pass 1 findings take priority.</p>
-  <p>Example: Perplexity had 4 findings (2 duplicated). Now correctly shows 2.</p>
-  <p style="font-size:0.85rem; color:var(--green)">Validated: perplexity report shows 2 findings (was 4)</p>
-</div>
-
-<div class="card">
-  <div class="card-title">Fix 3: Security overview threat level aggregation <span class="badge badge-fixed">Verified</span></div>
-  <p>File: <code>internal/security/scanner/service.go</code></p>
-  <p>The global security overview now correctly counts findings by threat level (dangerous, warnings, info_level). Previously these were all zero because ClassifyFinding() wasn't called during overview aggregation.</p>
-  <p style="font-size:0.85rem; color:var(--green)">Validated: Overview shows dangerous=247, warnings=473, info_level=1179 (was all 0)</p>
-</div>
-
-<div class="card">
-  <div class="card-title">Fix 4: Cancel button in security tab <span class="badge badge-fixed">Verified</span></div>
-  <p>File: <code>frontend/src/views/ServerDetail.vue</code></p>
-  <p>Added a "Cancel" button that appears during active scans. Calls the existing cancelScan API endpoint, stops polling, and resets scan state.</p>
-  <p style="font-size:0.85rem; color:var(--green)">Validated: Cancel button renders, calls API correctly</p>
-</div>
-
-<div class="card">
-  <div class="card-title">Fix 5: Scanned Files section visibility <span class="badge badge-fixed">Verified</span></div>
-  <p>File: <code>frontend/src/views/ServerDetail.vue</code></p>
-  <p>The Scanned Files collapsible section is now hidden for HTTP servers and tool_definitions_only source methods (no filesystem to show files for).</p>
-  <p style="font-size:0.85rem; color:var(--green)">Validated: Section hidden for url, url_full, and tool_definitions_only</p>
-</div>
-
-<div class="card">
-  <div class="card-title">Fix 6: Retry button after scan error <span class="badge badge-fixed">Verified</span></div>
-  <p>File: <code>frontend/src/views/ServerDetail.vue</code></p>
-  <p>Added a "Retry" button to the scan error alert, allowing users to easily re-trigger a scan after failure without refreshing the page.</p>
-  <p style="font-size:0.85rem; color:var(--green)">Validated: Retry button clears error and re-triggers scan</p>
-</div>
-
-<!-- =================== FALSE POSITIVES =================== -->
-<h2 id="false-positives">6. False Positive Analysis</h2>
-
-<div class="card" style="border-color: #8b5cf6;">
-  <div class="card-title">False Positive: context7 "PROMPT INJECTION" (Risk: 60)</div>
-  <p><strong>Scanner:</strong> cisco-mcp-scanner | <strong>Findings:</strong> 2</p>
-  <p><strong>What was flagged:</strong></p>
-  <div class="evidence">Tool: resolve-library-id
-Evidence: "You MUST call this function before 'Query Documentation' tool to obtain a valid Context7-compatible library ID UNLESS the user explicitly provides a library ID..."</div>
-  <p style="margin-top:0.5rem"><strong>Analysis:</strong> This is standard MCP tool description pattern. Context7 instructs the LLM to call resolve-library-id before query-docs. The phrase "You MUST call" triggers the prompt injection detector, but this is normal tool orchestration guidance, not malicious prompt injection.</p>
-  <p style="color:#8b5cf6"><strong>Verdict: FALSE POSITIVE</strong> &mdash; Cisco scanner is too aggressive with imperative language in tool descriptions.</p>
-</div>
-
-<div class="card" style="border-color: #8b5cf6;">
-  <div class="card-title">False Positive: ElevenLabs "SYSTEM MANIPULATION" (Risk: 100)</div>
-  <p><strong>Scanner:</strong> cisco-mcp-scanner | <strong>Findings:</strong> 16 (2 dangerous + 14 warning)</p>
-  <p><strong>What was flagged:</strong> All audio tools (text_to_speech, speech_to_text, text_to_sound_effects, isolate_audio, speech_to_speech, etc.) flagged as "SYSTEM MANIPULATION"</p>
-  <p style="margin-top:0.5rem"><strong>Analysis:</strong> ElevenLabs is a legitimate audio processing API. Its tools interact with audio data, not system resources. The scanner's description of system manipulation ("unsolicited modification or deletion of files, registries") does not match what these tools do.</p>
-  <p style="color:#8b5cf6"><strong>Verdict: FALSE POSITIVE</strong> &mdash; Cisco scanner misclassifies media processing as system manipulation.</p>
-</div>
-
-<div class="card">
-  <div class="card-title">True Positives (Confirmed Real Issues)</div>
-  <table>
-    <tr><th>Server</th><th>Findings</th><th>Assessment</th></tr>
-    <tr><td>demo-filesystem</td><td>7 findings (Stripe key, GitHub PAT, private keys)</td><td>TRUE POSITIVE - real secrets in filesystem</td></tr>
-    <tr><td>perplexity</td><td>2 CVEs (DNS rebinding, ReDoS in MCP SDK)</td><td>TRUE POSITIVE - real vulnerabilities in dependencies</td></tr>
-  </table>
-</div>
-
-<!-- =================== REMAINING ISSUES =================== -->
-<h2 id="remaining">7. Remaining Issues (Not Fixed)</h2>
-
-<div class="card">
-  <div class="card-title">Critical: malicious-demo tool poisoning not detected</div>
-  <p>The quarantined malicious-demo server can't have its tool definitions exported because it fails to connect (MCP initialize timeout). The cisco-mcp-scanner, which is the primary tool poisoning detector, requires <code>/scan/source/tools.json</code> which can't be created without a connection.</p>
-  <p><strong>Impact:</strong> Quarantined servers that are truly malicious can't be scanned for tool poisoning — the exact scenario this feature is designed for.</p>
-  <p><strong>Suggested fix:</strong> Cache tool definitions when they are first discovered (before quarantine), so scanning can use cached definitions even when the server refuses to connect.</p>
-</div>
-
-<div class="card">
-  <div class="card-title">High: Inconsistent scanner count across servers</div>
-  <p>Some servers get 6 scanners, others only 1-3. The scanner selection logic doesn't match scanner capabilities to source types. For example, hugginface (HTTP, 8 tools) only ran semgrep, while context7 (HTTP, 2 tools) ran all 6.</p>
-  <p><strong>Impact:</strong> Inconsistent security coverage across servers.</p>
-  <p><strong>Suggested fix:</strong> Implement scanner-to-source capability matching based on scanner input requirements.</p>
-</div>
-
-<div class="card">
-  <div class="card-title">High: False positive rate from cisco-mcp-scanner</div>
-  <p>The Cisco MCP Scanner produces a high false positive rate for standard MCP tool descriptions. Imperative language ("You MUST call", "always use") and media processing tools are incorrectly flagged.</p>
-  <p><strong>Impact:</strong> Risk score of 60-100 for legitimate servers, eroding user trust.</p>
-  <p><strong>Suggested fix:</strong> Implement scanner result post-processing to filter known false positive patterns, or adjust cisco scanner configuration thresholds.</p>
-</div>
-
-<!-- =================== RECOMMENDATIONS =================== -->
-<h2 id="recommendations">8. Recommendations</h2>
-
-<div class="card">
-  <h3>Priority 1 (Next Sprint)</h3>
-  <ul style="margin-top:0.5rem; padding-left:1.5rem;">
-    <li>Cache tool definitions for quarantined servers to enable tool poisoning detection</li>
-    <li>Implement scanner-source capability matching to avoid running irrelevant scanners</li>
-    <li>Add false positive suppression rules for cisco-mcp-scanner (imperative language patterns)</li>
-    <li>Fix CancelScan to actually terminate Docker containers</li>
-    <li>Fix Pass 1/Pass 2 race condition (Pass 2 starts before Pass 1 cleanup)</li>
-  </ul>
-</div>
-
-<div class="card">
-  <h3>Priority 2 (Future)</h3>
-  <ul style="margin-top:0.5rem; padding-left:1.5rem;">
-    <li>Add report directory cleanup (TTL-based or max-size)</li>
-    <li>Add Risk Score explanation tooltip in the UI</li>
-    <li>Show "last scanned" timestamp prominently</li>
-    <li>Add scan history view (past scans comparison)</li>
-    <li>Improve error handling for nonexistent servers (404 instead of 500)</li>
-    <li>Add scanner input/output type enforcement during installation</li>
-  </ul>
-</div>
-
-<div class="card">
-  <h3>Priority 3 (Polish)</h3>
-  <ul style="margin-top:0.5rem; padding-left:1.5rem;">
-    <li>Standardize risk score color thresholds across all pages</li>
-    <li>Add debounce to Scan Now button</li>
-    <li>Add polling error limit (stop after N consecutive failures)</li>
-    <li>Show scanner capability badges in the scanner list</li>
-    <li>Improve progress bar to distinguish failed vs completed scanners</li>
-  </ul>
-</div>
-
-<hr class="separator">
-<p style="text-align: center; color: var(--muted); font-size: 0.85rem;">
-  Generated 2026-04-06 | MCPProxy v0.23.1 | Branch: feat/039-security-scanner-plugins
-  <br>QA Coverage: 72 API tests, 15 UI bugs, 20 backend bugs, 8 design issues, 10 UX improvements
-</p>
-
-</div>
-</body>
-</html>
diff --git a/specs/005-rest-management-integration/tasks.md.bak b/specs/005-rest-management-integration/tasks.md.bak
deleted file mode 100644
index 1c93a91a..00000000
--- a/specs/005-rest-management-integration/tasks.md.bak
+++ /dev/null
@@ -1,301 +0,0 @@
-# Tasks: REST Endpoint Management Service Integration
-
-**Input**: Design documents from `/specs/005-rest-management-integration/`
-**Prerequisites**: plan.md, spec.md, data-model.md, contracts/management-service.yaml
-
-**Tests**: Test tasks included per FR-015, FR-016, FR-017 (unit, integration, E2E validation)
-
-**Organization**: Tasks are grouped by user story to enable independent implementation and testing of each story.
-
-## Format: `[ID] [P?] [Story] Description`
-
-- **[P]**: Can run in parallel (different files, no dependencies)
-- **[Story]**: Which user story this task belongs to (e.g., US1, US2, US3)
-- Include exact file paths in descriptions
-
-## Path Conventions
-
-This project uses single project structure:
-- `internal/` - All Go packages
-- `cmd/` - Command-line applications
-- `scripts/` - Test and build scripts
-
----
-
-## Phase 1: Setup (Shared Infrastructure)
-
-**Purpose**: Verify existing infrastructure and review current implementations
-
-Since this is a refactoring within an existing codebase, setup is minimal.
-
-- [ ] T001 Review existing management service interface in internal/management/service.go
-- [ ] T002 Review existing runtime implementations in internal/server/server.go:1447 and internal/server/server.go:136
-- [ ] T003 [P] Review existing REST handlers in internal/httpapi/server.go:1155 and internal/httpapi/server.go:1050
-
-**Checkpoint**: Understand current code structure before refactoring
-
----
-
-## Phase 2: Foundational (Blocking Prerequisites)
-
-**Purpose**: Core interface extension that MUST be complete before ANY user story can be implemented
-
-**⚠️ CRITICAL**: No REST handler work can begin until management service interface is extended
-
-- [ ] T004 Extend ManagementService interface in internal/management/service.go with GetServerTools method signature
-- [ ] T005 Extend ManagementService interface in internal/management/service.go with TriggerOAuthLogin method signature
-
-**Checkpoint**: Foundation ready - user story implementation can now begin
-
----
-
-## Phase 3: User Story 1 - Unified Server Management via REST API (Priority: P1) 🎯 MVP
-
-**Goal**: Refactor two REST endpoints to delegate to management service layer, ensuring architectural compliance with spec 004 and consistent behavior across all interfaces.
-
-**Independent Test**: Call REST endpoints directly (`GET /api/v1/servers/{id}/tools` and `POST /api/v1/servers/{id}/login`) and verify they delegate to management service methods, emit events, and respect configuration gates.
-
-### Unit Tests for User Story 1 (Per FR-015)
-
-> **NOTE: Write these tests FIRST using TDD approach, ensure they FAIL before implementation**
-
-- [ ] T006 [P] [US1] Add unit test for GetServerTools with valid server name in internal/management/service_test.go
-- [ ] T007 [P] [US1] Add unit test for GetServerTools with empty server name in internal/management/service_test.go
-- [ ] T008 [P] [US1] Add unit test for GetServerTools with nonexistent server in internal/management/service_test.go
-- [ ] T009 [P] [US1] Add unit test for TriggerOAuthLogin with valid server in internal/management/service_test.go
-- [ ] T010 [P] [US1] Add unit test for TriggerOAuthLogin with disable_management enabled in internal/management/service_test.go
-- [ ] T011 [P] [US1] Add unit test for TriggerOAuthLogin with read_only enabled in internal/management/service_test.go
-- [ ] T012 [P] [US1] Add unit test for TriggerOAuthLogin with empty server name in internal/management/service_test.go
-
-### Implementation for User Story 1
-
-**Service Layer Implementation:**
-
-- [ ] T013 [US1] Implement GetServerTools method in internal/management/service_impl.go - delegate to runtime.GetServerTools
-- [ ] T014 [US1] Implement TriggerOAuthLogin method in internal/management/service_impl.go - check config gates, delegate to runtime.TriggerOAuthLogin
-- [ ] T015 [US1] Add configuration gate checks in TriggerOAuthLogin (disable_management, read_only) in internal/management/service_impl.go
-
-**REST Handler Refactoring:**
-
-- [ ] T016 [US1] Update handleGetServerTools in internal/httpapi/server.go:1155 to call management service instead of controller
-- [ ] T017 [US1] Update handleServerLogin in internal/httpapi/server.go:1050 to call management service instead of controller
-- [ ] T018 [US1] Add error mapping for management service errors to HTTP status codes in handleGetServerTools
-- [ ] T019 [US1] Add error mapping for management service errors to HTTP status codes in handleServerLogin
-
-**Mock Updates:**
-
-- [ ] T020 [US1] Update MockServerController in internal/httpapi/contracts_test.go to include GetServerTools method
-- [ ] T021 [US1] Update MockServerController in internal/httpapi/contracts_test.go to include TriggerOAuthLogin method
-
-**Integration Testing (Per FR-016):**
-
-- [ ] T022 [US1] Add integration test to verify servers.changed event emitted after OAuth completion in internal/management/service_test.go
-- [ ] T023 [US1] Verify event propagates to SSE endpoint /events (monitor event bus integration)
-
-**E2E Validation (Per FR-017, SC-005):**
-
-- [ ] T024 [US1] Run existing E2E API tests with ./scripts/test-api-e2e.sh and verify all pass without modification
-- [ ] T025 [US1] Verify no behavioral changes in REST API responses (backward compatibility check)
-
-**Checkpoint**: At this point, User Story 1 should be fully functional - REST endpoints delegate to management service, config gates enforced, events emitted, E2E tests pass
-
----
-
-## Phase 4: User Story 2 - CLI Socket Commands Use Management Layer (Priority: P2)
-
-**Goal**: Ensure CLI commands from PR #152 (`tools list`, `auth login`, `auth status`) benefit from management service's configuration gates, event emissions, and error handling.
-
-**Independent Test**: Run `mcpproxy tools list --server=test-server` and `mcpproxy auth login --server=test-server` with daemon running, verify they work correctly and trigger management service events.
-
-**Note**: No new implementation required for this story - it automatically benefits once REST endpoints are refactored in US1. This phase is purely validation.
-
-### Validation for User Story 2
-
-- [ ] T026 [US2] Start mcpproxy daemon and verify it's running
-- [ ] T027 [US2] Test mcpproxy tools list --server=<name> command and verify tools retrieved via management service
-- [ ] T028 [US2] Test mcpproxy auth login --server=<name> command and verify OAuth triggered via management service
-- [ ] T029 [US2] Test mcpproxy auth status --server=<name> command and verify authentication state shown
-- [ ] T030 [US2] Enable disable_management in config and verify mcpproxy auth login is blocked with clear error
-- [ ] T031 [US2] Verify servers.changed event emitted after OAuth completion (monitor logs or SSE stream)
-
-**Checkpoint**: CLI commands work correctly through refactored REST endpoints, config gates enforced, events emitted
-
----
-
-## Phase 5: User Story 3 - Tray Application Server Management (Priority: P3)
-
-**Goal**: Ensure tray application users get consistent behavior when managing servers through GUI menus (passive benefit from US1 refactoring).
-
-**Independent Test**: Use tray menu actions to trigger OAuth login and verify operations go through management service with proper event emissions.
-
-**Note**: No new implementation required - tray already uses REST API endpoints refactored in US1. This phase is purely validation.
-
-### Validation for User Story 3
-
-- [ ] T032 [US3] Launch mcpproxy-tray application and verify connection to daemon
-- [ ] T033 [US3] Use tray menu "Authenticate Server" action and verify OAuth triggered via management service
-- [ ] T034 [US3] Verify tray UI updates automatically after OAuth completion (SSE event received)
-- [ ] T035 [US3] Enable read_only mode and verify server restart blocked via tray menu with error message
-- [ ] T036 [US3] Verify all tray server management actions use refactored REST endpoints
-
-**Checkpoint**: Tray application works correctly through refactored REST endpoints, automatic UI updates via events
-
----
-
-## Phase 6: Polish & Cross-Cutting Concerns
-
-**Purpose**: Final cleanup, documentation updates, and comprehensive validation
-
-### Documentation
-
-- [ ] T037 Add code comments explaining delegation pattern in internal/management/service_impl.go
-- [ ] T038 Update CLAUDE.md if management service patterns changed (minimal changes expected)
-- [ ] T039 Update OpenAPI annotations in internal/httpapi/server.go if endpoint behavior changed
-
-### Code Quality
-
-- [ ] T040 Run golangci-lint on modified files: ./scripts/run-linter.sh
-- [ ] T041 Verify test coverage ≥80% for new management service methods: go test -coverprofile=coverage.out ./internal/management/...
-- [ ] T042 [P] Check for code duplication removed (SC-006): compare LOC before/after refactoring
-
-### Final Validation
-
-- [ ] T043 Run full test suite: ./scripts/run-all-tests.sh
-- [ ] T044 Manual smoke test: Start daemon, call all refactored endpoints, verify responses
-- [ ] T045 Performance verification: Ensure no regression in API response times (<10ms for GetServerTools, <50ms for TriggerOAuthLogin)
-
-**Final Checkpoint**: All success criteria met, ready for PR submission
-
----
-
-## Dependencies Between User Stories
-
-```
-Phase 1 (Setup) → Phase 2 (Foundational)
-                      ↓
-                  Phase 3 (US1) 🎯 MVP - Core refactoring
-                      ↓
-        ┌─────────────┼─────────────┐
-        ↓             ↓             ↓
-   Phase 4 (US2)  Phase 5 (US3)  Phase 6 (Polish)
-   CLI validation  Tray validation  Cleanup
-```
-
-**Critical Path**: Phase 1 → Phase 2 → Phase 3 (US1) → Phase 4 (US2) + Phase 5 (US3) in parallel → Phase 6
-
-**Parallelization Opportunities**:
-- After US1 complete: US2 and US3 validation can run in parallel
-- Within US1: All unit tests (T006-T012) can be written in parallel
-- Within US1: Mock updates (T020-T021) can be done in parallel with service implementation
-- Within Phase 6: Documentation (T037-T039) and code quality (T040-T042) can run in parallel
-
----
-
-## Implementation Strategy
-
-### MVP Scope (Minimum Viable Product)
-
-**Phase 3 (US1) ONLY** constitutes the MVP:
-- Extend management service interface with 2 methods ✅
-- Implement methods to delegate to runtime ✅
-- Refactor 2 REST handlers to call management service ✅
-- Add unit tests (target 80% coverage) ✅
-- Verify E2E tests pass ✅
-
-**Deliverable**: REST endpoints architecturally compliant, all interfaces use unified management service
-
-### Incremental Delivery
-
-**Iteration 1** (MVP): User Story 1
-- ✅ Delivers core architectural compliance
-- ✅ Unblocks CLI and tray benefits
-- ✅ Verifiable by E2E tests
-
-**Iteration 2**: User Story 2 + User Story 3
-- ✅ Validates CLI commands work correctly
-- ✅ Validates tray application works correctly
-- ✅ Confirms passive benefits realized
-
-**Iteration 3**: Polish & Documentation
-- ✅ Final cleanup and documentation
-- ✅ Performance verification
-- ✅ Ready for production deployment
-
-### Parallel Execution Examples
-
-**Within User Story 1**:
-```bash
-# Terminal 1: Write unit tests
-vim internal/management/service_test.go  # T006-T012
-
-# Terminal 2: Implement service methods
-vim internal/management/service_impl.go  # T013-T015
-
-# Terminal 3: Update mocks
-vim internal/httpapi/contracts_test.go   # T020-T021
-
-# All three can proceed in parallel
-```
-
-**Across User Stories** (after US1 complete):
-```bash
-# Terminal 1: Validate CLI commands
-./scripts/validate-cli.sh  # US2 tasks
-
-# Terminal 2: Validate tray application
-./mcpproxy-tray  # US3 tasks
-
-# Both can run in parallel
-```
-
----
-
-## Task Summary
-
-**Total Tasks**: 45
-
-**Breakdown by Phase**:
-- Phase 1 (Setup): 3 tasks
-- Phase 2 (Foundational): 2 tasks
-- Phase 3 (US1 - MVP): 20 tasks (7 unit tests + 13 implementation/integration)
-- Phase 4 (US2): 6 validation tasks
-- Phase 5 (US3): 5 validation tasks
-- Phase 6 (Polish): 9 tasks
-
-**Breakdown by User Story**:
-- User Story 1 (P1): 20 tasks - Core refactoring (MVP)
-- User Story 2 (P2): 6 tasks - CLI validation
-- User Story 3 (P3): 5 tasks - Tray validation
-
-**Parallelization**:
-- 16 tasks marked with [P] can run in parallel
-- After US1: US2 and US3 can run fully in parallel (11 tasks total)
-
-**Test Coverage**:
-- 7 unit tests (T006-T012) - Target 80% coverage
-- 2 integration tests (T022-T023) - Event emissions
-- 1 E2E validation (T024-T025) - Backward compatibility
-- 6 CLI validation tests (T026-T031)
-- 5 tray validation tests (T032-T036)
-- **Total: 21 test/validation tasks (47% of all tasks)**
-
-**Independent Test Criteria**:
-- ✅ US1: Call REST endpoints, verify delegation and events
-- ✅ US2: Run CLI commands, verify correct behavior
-- ✅ US3: Use tray menus, verify automatic updates
-
-**Suggested MVP**: Phase 3 (US1) only - 20 tasks delivering core architectural compliance
-
----
-
-## Format Validation
-
-✅ **ALL tasks follow checklist format**: `- [ ] [TaskID] [P?] [Story?] Description with file path`
-
-- ✅ Checkbox prefix: All tasks start with `- [ ]`
-- ✅ Task IDs: Sequential T001-T045
-- ✅ [P] markers: 16 tasks correctly marked as parallelizable
-- ✅ [Story] labels: All US1/US2/US3 tasks properly labeled
-- ✅ File paths: All implementation tasks include exact file paths
-- ✅ Organization: Grouped by user story for independent implementation
-- ✅ Dependencies: Clear critical path and parallelization opportunities documented
diff --git a/specs/043-linux-package-repos/execution_log.md b/specs/043-linux-package-repos/execution_log.md
deleted file mode 100644
index 5c93db66..00000000
--- a/specs/043-linux-package-repos/execution_log.md
+++ /dev/null
@@ -1,73 +0,0 @@
-# Execution Log — Feature 043 Linux Package Repositories
-
-Running per CLAUDE.md Autonomous Operation Constraints. Logging every completed step.
-
-## Branch
-`043-linux-package-repos`
-
-## Tool verification (start)
-- gh: OK (logged in as Dumbris, repo/workflow scopes)
-- wrangler: OK (account `d2fa289033a2f6f28c550834d0fe43c5`, a.dumbris@gmail.com)
-- gpg: 2.4.9 OK
-- aws CLI: NOT installed locally — fine for CI (ubuntu-latest has it pre-installed); for local one-time uploads we use `wrangler r2 object put`.
-
-## Phase 1: Setup (Shared Infrastructure)
-Status: in_progress
-
-### T001 — Generate GPG signing key — DONE
-- Fingerprint: `3B6FA1AD5D5359DA51F18DDCE1B59B9BA1CB8A3B`
-- UID: `MCPProxy Packages (Linux repository signing key) <mcpproxy-packages@mcpproxy.app>`
-- Created: 2026-04-21
-- Expires: 2031-04-21
-- Keys stored in user's GnuPG keyring (`~/.gnupg/`). Batch file shredded.
-
-### T002 — Export public key — DONE
-- Written to `/Users/user/repos/mcpproxy-go/contrib/signing/mcpproxy-packages.asc` (3216 bytes)
-
-### T003 — Write backup file — DONE
-- Path: `~/repos/PACKAGES_GPG_PRIVATE_KEY.txt` (outside any git repo, 0600)
-- Contains: metadata header, passphrase (flagged for user to move to 1Password), full usage/rotation instructions, ASCII-armored private key.
-- Size: 8472 bytes, 141 lines.
-
-### T004-T015 — R2 and credentials — DONE
-- R2 subscription activated (user-authorized click).
-- Buckets `mcpproxy-apt` and `mcpproxy-rpm` created in EEUR region.
-- Custom domains `apt.mcpproxy.app` + `rpm.mcpproxy.app` bound, both Active + Enabled.
-- R2 API token "MCPProxy Packages CI" created, Object Read&Write, scoped to both buckets.
-- 5 GitHub Actions secrets + 1 variable registered.
-- Public signing key uploaded to both buckets (note: needed `--remote` flag on wrangler).
-- HTTPS fetch of public key verified, fingerprint `3B6F A1AD 5D53 59DA 51F1 8DDC E1B5 9B9B A1CB 8A3B` matches.
-
-## Phase 2: Foundational — DONE
-Helper scripts and config files created under `contrib/linux-repos/`.
-
-## Phase 3: US2 — Publish automation — DONE
-- `apt-publish.sh`, `rpm-publish.sh`, `publish.sh` written.
-- Smoke tests `smoke-test-debian.sh` + `smoke-test-fedora.sh` written.
-- `publish-linux-repos` job added to `.github/workflows/release.yml`.
-
-Bugs found and fixed during local e2e test:
-1. `wrangler r2 object put` defaulted to local storage — must use `--remote`. (Only affected initial setup, not CI.)
-2. `import-key.sh` writing `GNUPGHOME=...` to `$GITHUB_ENV` doesn't help in Docker/local runs. Refactored to export a stable `GNUPGHOME` before invoking.
-3. AWS CLI v2.23+ sends CRC32 checksums by default → R2 `SignatureDoesNotMatch`. Added `AWS_REQUEST_CHECKSUM_CALCULATION=when_required` and `AWS_RESPONSE_CHECKSUM_VALIDATION=when_required` to publish.sh.
-4. RPM packages lacked embedded GPG signatures, failing `dnf install` with `gpgcheck=1`. Added `rpmsign --addsign` step to rpm-publish.sh (requires `rpm` package in CI image).
-5. Cache TTL of 300s on metadata produced hash-mismatch windows across releases. Shortened to 60s + `must-revalidate`.
-
-## Phase 4: US1 verification — DONE
-- debian:stable-slim `apt install mcpproxy` → 0.24.6 installed successfully.
-- fedora:latest `dnf install mcpproxy` → 0.24.6 installed successfully.
-- GPG key imported from `https://rpm.mcpproxy.app/mcpproxy.gpg`, fingerprint verified.
-
-## Phase 5: Docs — DONE
-- Website `installation.astro` updated with apt + dnf sections.
-- README.md Linux install replaced with repo-based install.
-- `docs/getting-started/installation.md` updated.
-- `docs/features/linux-package-repos.md` created.
-
-## Phase 6: Ops runbook — DONE
-- `docs/operations/linux-package-repos-infrastructure.md` created with rotation, manual republish, purge procedures.
-
-## Phase 7: Polish — in_progress
-- bash -n passes on all scripts.
-- Local e2e smoke test passes (Debian + Fedora).
-- Remaining: commit fixes, push branch, open PR, let user review.
diff --git a/specs/044-diagnostics-taxonomy/test-report.html b/specs/044-diagnostics-taxonomy/test-report.html
deleted file mode 100644
index a9f9a328..00000000
--- a/specs/044-diagnostics-taxonomy/test-report.html
+++ /dev/null
@@ -1,838 +0,0 @@
-<!DOCTYPE html>
-<html lang="en">
-<head>
-<meta charset="UTF-8">
-<meta name="viewport" content="width=device-width, initial-scale=1.0">
-<title>Spec 044 Diagnostics — End-to-End Verification Report</title>
-<style>
-  :root {
-    --bg: #0d1117;
-    --bg-2: #161b22;
-    --bg-3: #1c2128;
-    --border: #30363d;
-    --border-soft: #21262d;
-    --text: #c9d1d9;
-    --text-dim: #8b949e;
-    --text-bright: #f0f6fc;
-    --accent: #58a6ff;
-    --green: #3fb950;
-    --green-bg: rgba(63,185,80,0.12);
-    --yellow: #d29922;
-    --yellow-bg: rgba(210,153,34,0.12);
-    --red: #f85149;
-    --red-bg: rgba(248,81,73,0.12);
-    --blue: #58a6ff;
-    --blue-bg: rgba(88,166,255,0.12);
-    --amber: #e3b341;
-    --amber-bg: rgba(227,179,65,0.12);
-    --purple: #bc8cff;
-  }
-  * { box-sizing: border-box; }
-  html, body {
-    margin: 0; padding: 0;
-    background: var(--bg);
-    color: var(--text);
-    font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Arial, sans-serif;
-    font-size: 14px;
-    line-height: 1.55;
-  }
-  .container {
-    max-width: 1040px;
-    margin: 0 auto;
-    padding: 32px 24px 64px;
-  }
-  h1, h2, h3, h4 {
-    color: var(--text-bright);
-    font-weight: 600;
-    margin-top: 1.8em;
-    margin-bottom: 0.6em;
-    letter-spacing: -0.01em;
-  }
-  h1 { font-size: 28px; margin-top: 0; }
-  h2 { font-size: 22px; border-bottom: 1px solid var(--border-soft); padding-bottom: 8px; }
-  h3 { font-size: 17px; color: var(--text-bright); }
-  h4 { font-size: 14px; color: var(--text); text-transform: uppercase; letter-spacing: 0.05em; font-weight: 600; }
-  a { color: var(--accent); text-decoration: none; }
-  a:hover { text-decoration: underline; }
-  code {
-    font-family: "SF Mono", Monaco, "Cascadia Code", "Roboto Mono", Consolas, "Courier New", monospace;
-    font-size: 12.5px;
-    background: var(--bg-3);
-    padding: 1px 6px;
-    border-radius: 4px;
-    color: var(--text-bright);
-    border: 1px solid var(--border-soft);
-  }
-  pre {
-    background: var(--bg-2);
-    border: 1px solid var(--border);
-    border-radius: 8px;
-    padding: 14px 16px;
-    overflow-x: auto;
-    font-family: "SF Mono", Monaco, "Cascadia Code", "Roboto Mono", Consolas, monospace;
-    font-size: 12.5px;
-    line-height: 1.55;
-    color: var(--text-bright);
-  }
-  pre code { background: transparent; border: none; padding: 0; }
-  /* Simple syntax hints via class */
-  .k { color: #ff7b72; } /* keyword */
-  .s { color: #a5d6ff; } /* string */
-  .n { color: #79c0ff; } /* number */
-  .c { color: #8b949e; font-style: italic; } /* comment */
-  .p { color: #d2a8ff; } /* punct / prompt */
-  .ok { color: var(--green); }
-  .warn { color: var(--yellow); }
-  .err { color: var(--red); }
-
-  .header-strip {
-    background: linear-gradient(135deg, #0d1117 0%, #161b22 100%);
-    border: 1px solid var(--border);
-    border-radius: 12px;
-    padding: 24px 28px;
-    margin-bottom: 28px;
-  }
-  .header-strip h1 { margin-bottom: 10px; }
-  .header-meta {
-    display: flex;
-    flex-wrap: wrap;
-    gap: 10px 24px;
-    font-size: 13px;
-    color: var(--text-dim);
-    margin-bottom: 16px;
-  }
-  .header-meta > div { display: flex; align-items: center; gap: 6px; }
-  .header-meta .label { color: var(--text-dim); }
-  .header-meta .value { color: var(--text-bright); font-family: "SF Mono", Monaco, Consolas, monospace; font-size: 12.5px; }
-  .pills { display: flex; flex-wrap: wrap; gap: 8px; }
-  .pill {
-    display: inline-flex;
-    align-items: center;
-    gap: 6px;
-    padding: 4px 12px;
-    border-radius: 999px;
-    font-size: 12px;
-    font-weight: 600;
-    border: 1px solid transparent;
-  }
-  .pill-green { background: var(--green-bg); color: var(--green); border-color: rgba(63,185,80,0.3); }
-  .pill-yellow { background: var(--yellow-bg); color: var(--yellow); border-color: rgba(210,153,34,0.3); }
-  .pill-red { background: var(--red-bg); color: var(--red); border-color: rgba(248,81,73,0.3); }
-  .pill-blue { background: var(--blue-bg); color: var(--blue); border-color: rgba(88,166,255,0.3); }
-  .pill-muted { background: var(--bg-3); color: var(--text-dim); border-color: var(--border); }
-
-  table {
-    width: 100%;
-    border-collapse: collapse;
-    margin: 12px 0 20px;
-    background: var(--bg-2);
-    border: 1px solid var(--border);
-    border-radius: 8px;
-    overflow: hidden;
-  }
-  th, td {
-    text-align: left;
-    padding: 10px 14px;
-    border-bottom: 1px solid var(--border-soft);
-    font-size: 13px;
-    vertical-align: top;
-  }
-  th {
-    background: var(--bg-3);
-    color: var(--text-bright);
-    font-weight: 600;
-    font-size: 12px;
-    text-transform: uppercase;
-    letter-spacing: 0.04em;
-  }
-  tbody tr:last-child td { border-bottom: none; }
-  tbody tr:hover { background: rgba(88,166,255,0.04); }
-
-  details {
-    background: var(--bg-2);
-    border: 1px solid var(--border);
-    border-radius: 8px;
-    margin: 12px 0;
-    overflow: hidden;
-  }
-  details summary {
-    cursor: pointer;
-    padding: 10px 14px;
-    font-weight: 500;
-    font-size: 13px;
-    color: var(--text-bright);
-    user-select: none;
-    background: var(--bg-3);
-    border-bottom: 1px solid transparent;
-    list-style: none;
-  }
-  details summary::-webkit-details-marker { display: none; }
-  details summary::before {
-    content: "▸";
-    display: inline-block;
-    margin-right: 8px;
-    transition: transform 0.15s ease;
-    color: var(--text-dim);
-  }
-  details[open] summary::before { transform: rotate(90deg); }
-  details[open] summary { border-bottom: 1px solid var(--border); }
-  details .details-body { padding: 0; }
-  details pre { margin: 0; border: none; border-radius: 0; }
-
-  .test-block {
-    border-left: 3px solid var(--border);
-    padding-left: 16px;
-    margin: 20px 0;
-  }
-  .test-block.pass { border-left-color: var(--green); }
-  .test-block.warn { border-left-color: var(--yellow); }
-  .test-block.fail { border-left-color: var(--red); }
-  .test-block .status-line {
-    display: flex;
-    align-items: center;
-    gap: 10px;
-    flex-wrap: wrap;
-    margin: 6px 0 12px;
-  }
-  .test-block h3 { margin-top: 0.4em; }
-
-  .kv {
-    display: grid;
-    grid-template-columns: max-content 1fr;
-    gap: 4px 14px;
-    font-size: 13px;
-    margin: 8px 0;
-  }
-  .kv .k-label { color: var(--text-dim); }
-  .kv .k-value { color: var(--text-bright); }
-
-  .check-list {
-    list-style: none;
-    padding: 0;
-    margin: 10px 0;
-  }
-  .check-list li {
-    padding: 4px 0 4px 26px;
-    position: relative;
-    font-size: 13.5px;
-  }
-  .check-list li::before {
-    content: "✓";
-    position: absolute;
-    left: 0;
-    top: 4px;
-    color: var(--green);
-    font-weight: 700;
-  }
-  .check-list li.x::before { content: "✗"; color: var(--red); }
-  .check-list li.dash::before { content: "–"; color: var(--text-dim); }
-
-  .callout {
-    border-radius: 8px;
-    padding: 14px 18px;
-    margin: 16px 0;
-    font-size: 13.5px;
-    border: 1px solid transparent;
-  }
-  .callout-warn {
-    background: var(--amber-bg);
-    border-color: rgba(227,179,65,0.4);
-    color: #f2cc60;
-  }
-  .callout-warn strong { color: var(--amber); }
-  .callout-info {
-    background: var(--blue-bg);
-    border-color: rgba(88,166,255,0.3);
-    color: #9ecbff;
-  }
-  .callout-info strong { color: var(--blue); }
-  .callout-success {
-    background: var(--green-bg);
-    border-color: rgba(63,185,80,0.3);
-    color: #7ee787;
-  }
-
-  .finding {
-    background: var(--bg-2);
-    border: 1px solid var(--border);
-    border-left: 4px solid var(--amber);
-    border-radius: 6px;
-    padding: 14px 18px;
-    margin: 12px 0;
-  }
-  .finding h4 {
-    margin: 0 0 6px;
-    font-size: 14px;
-    text-transform: none;
-    letter-spacing: 0;
-    color: var(--text-bright);
-  }
-  .finding .severity {
-    display: inline-block;
-    padding: 2px 8px;
-    border-radius: 4px;
-    font-size: 11px;
-    font-weight: 600;
-    text-transform: uppercase;
-    letter-spacing: 0.04em;
-    margin-left: 8px;
-    vertical-align: middle;
-  }
-  .sev-low { background: var(--blue-bg); color: var(--blue); }
-  .sev-medium { background: var(--amber-bg); color: var(--amber); }
-  .sev-high { background: var(--red-bg); color: var(--red); }
-
-  .screenshot-placeholder {
-    border: 2px dashed var(--border);
-    border-radius: 8px;
-    padding: 32px;
-    text-align: center;
-    color: var(--text-dim);
-    background: var(--bg-2);
-    margin: 12px 0;
-    font-size: 13px;
-  }
-  .screenshot-placeholder strong { color: var(--text-bright); }
-
-  .footer {
-    margin-top: 48px;
-    padding-top: 20px;
-    border-top: 1px solid var(--border-soft);
-    text-align: center;
-    font-size: 12.5px;
-    color: var(--text-dim);
-  }
-  .footer a { color: var(--accent); }
-
-  .commit-list {
-    font-family: "SF Mono", Monaco, Consolas, monospace;
-    font-size: 12.5px;
-    background: var(--bg-2);
-    border: 1px solid var(--border);
-    border-radius: 8px;
-    padding: 12px 16px;
-    margin: 12px 0;
-  }
-  .commit-list .sha { color: var(--amber); margin-right: 10px; }
-  .commit-list .msg { color: var(--text); }
-  .commit-list div { padding: 2px 0; }
-
-  @media (max-width: 640px) {
-    .container { padding: 20px 14px 48px; }
-    h1 { font-size: 22px; }
-    h2 { font-size: 18px; }
-    .header-strip { padding: 18px; }
-    .header-meta { gap: 8px 16px; }
-    table { font-size: 12px; }
-    pre { font-size: 11.5px; }
-  }
-
-  @media print {
-    body { background: white; color: black; }
-    .container { max-width: 100%; padding: 0; }
-    pre, table, .finding, details, .callout { break-inside: avoid; }
-    details { border: 1px solid #ccc !important; }
-    details[open] summary, details summary { background: #f5f5f5 !important; color: black !important; }
-    details pre { background: #fafafa !important; color: black !important; }
-    details { page-break-inside: avoid; }
-    details > *:not(summary) { display: block !important; }
-    h1, h2, h3, h4 { color: black !important; }
-    pre { background: #f5f5f5 !important; color: black !important; border: 1px solid #ddd !important; }
-    code { background: #f0f0f0 !important; color: black !important; border: 1px solid #ddd !important; }
-    a { color: #0366d6 !important; }
-    .pill, .callout, .finding { -webkit-print-color-adjust: exact; print-color-adjust: exact; }
-    .footer { page-break-before: avoid; }
-  }
-</style>
-</head>
-<body>
-<div class="container">
-
-  <!-- HEADER -->
-  <header class="header-strip">
-    <h1>Spec 044 Diagnostics — End-to-End Verification</h1>
-    <div class="header-meta">
-      <div><span class="label">Run:</span> <span class="value">2026-04-24 15:53 UTC</span> <span class="label">(18:53 EEST)</span></div>
-      <div><span class="label">Branch:</span> <span class="value">feat/diagnostics-taxonomy</span></div>
-      <div><span class="label">SHA:</span> <span class="value"><a href="https://github.com/smart-mcp-proxy/mcpproxy-go/commit/911704cc539e8c4965e7c1786cbcf3b0b70e0ae6">911704c</a></span></div>
-      <div><span class="label">Commits under test:</span> <span class="value">9</span></div>
-      <div><span class="label">Binary version:</span> <span class="value">v0.24.9</span></div>
-      <div><span class="label">Go:</span> <span class="value">go1.25.1 darwin/arm64</span></div>
-      <div><span class="label">PR:</span> <span class="value"><a href="https://github.com/smart-mcp-proxy/mcpproxy-go/pull/400">#400</a></span></div>
-    </div>
-    <div class="pills">
-      <span class="pill pill-green">&#9679; PASS (2/3 phases)</span>
-      <span class="pill pill-yellow">&#9888; Tray phase skipped</span>
-      <span class="pill pill-muted">3 non-blocking findings</span>
-      <span class="pill pill-muted">Production untouched</span>
-    </div>
-  </header>
-
-  <!-- SUMMARY TABLE -->
-  <h2>Summary</h2>
-  <table>
-    <thead>
-      <tr>
-        <th>Phase</th>
-        <th>Surface</th>
-        <th>Status</th>
-        <th>Tests executed</th>
-        <th>Notes</th>
-      </tr>
-    </thead>
-    <tbody>
-      <tr>
-        <td><strong>Phase 1</strong></td>
-        <td>CLI (<code>doctor</code>)</td>
-        <td><span class="pill pill-green">PASS</span></td>
-        <td>6</td>
-        <td>All 29 codes registered; <code>doctor fix</code> dry-run + execute exercised; classifier maps stdio-spawn-enoent.</td>
-      </tr>
-      <tr>
-        <td><strong>Phase 2</strong></td>
-        <td>Web UI (ErrorPanel)</td>
-        <td><span class="pill pill-green">PASS</span></td>
-        <td>1 integration flow</td>
-        <td>ErrorPanel renders full payload; Preview (dry-run) button fires fix endpoint → 200.</td>
-      </tr>
-      <tr>
-        <td><strong>Phase 3</strong></td>
-        <td>macOS Tray</td>
-        <td><span class="pill pill-yellow">SKIPPED</span></td>
-        <td>0</td>
-        <td>Production tray actively running; stopping mid-session was judged too risky. Visual confirm recommended post-merge.</td>
-      </tr>
-    </tbody>
-  </table>
-
-  <div class="callout callout-info">
-    <strong>Commits under test (9)</strong>
-    <div class="commit-list" style="margin-top:10px;">
-      <div><span class="sha">911704c</span><span class="msg">chore(spec-044): regenerate OpenAPI spec for Diagnostic schema</span></div>
-      <div><span class="sha">892e056</span><span class="msg">feat(spec-044): wrap OAUTH/DOCKER/CONFIG/QUARANTINE errors with DiagnosticError</span></div>
-      <div><span class="sha">7b81e03</span><span class="msg">feat(spec-044): mcpproxy doctor fix + --server filter</span></div>
-      <div><span class="sha">6aa8305</span><span class="msg">feat(spec-044): macOS tray badge + Fix issues menu group</span></div>
-      <div><span class="sha">4d92c82</span><span class="msg">feat(spec-044): Vue ErrorPanel for per-server diagnostics</span></div>
-      <div><span class="sha">4f6872c</span><span class="msg">feat(diagnostics): mcpproxy doctor list-codes subcommand</span></div>
-      <div><span class="sha">8ac86ba</span><span class="msg">feat(diagnostics): STDIO classifier wired + per-server REST + fix endpoint</span></div>
-      <div><span class="sha">a0a1049</span><span class="msg">feat(diagnostics): initial error-code catalog</span></div>
-      <div><span class="sha">a632288</span><span class="msg">docs(spec-044): speckit artifacts for diagnostics &amp; error taxonomy</span></div>
-    </div>
-  </div>
-
-  <!-- PHASE 1 -->
-  <h2>Phase 1 — CLI</h2>
-  <p>
-    Ran the freshly-built dev <code>mcpproxy</code> on an isolated port (<code>127.0.0.1:18080</code>) and data dir
-    (<code>/tmp/mcpproxy-test-spec044</code>) with a purpose-built test config containing a <code>broken-stdio</code>
-    server whose command points at <code>/nonexistent/binary</code>. The production daemon on <code>:8080</code> was
-    never touched; its config was backed up (byte-identical after test) and the dev binary was run from the worktree.
-  </p>
-
-  <!-- 1a -->
-  <div class="test-block pass">
-    <h3>1a · <code>doctor list-codes</code> — all 29 diagnostic codes registered</h3>
-    <div class="status-line">
-      <span class="pill pill-green">PASS</span>
-      <span class="pill pill-muted">pretty + JSON output</span>
-    </div>
-    <div class="kv">
-      <span class="k-label">Expected:</span><span class="k-value">29 codes registered, <code>list-codes</code> enumerates them with docs + fix rows.</span>
-      <span class="k-label">Actual:</span><span class="k-value"><code>jq length == 29</code>. All 5 MCPX_STDIO codes present. Each entry surfaces severity, docs link, and fix rows (command / button / link).</span>
-    </div>
-    <details>
-      <summary>Command + output</summary>
-      <div class="details-body">
-<pre><span class="p">$</span> ./mcpproxy doctor list-codes
-29 diagnostic codes registered:
-
-  MCPX_CONFIG_DEPRECATED_FIELD          <span class="warn">warn</span>   The configuration uses a deprecated field that will be removed in a future release.
-    docs: docs/errors/MCPX_CONFIG_DEPRECATED_FIELD.md
-    fix (button):  Preview migration (dry-run)  key=config_migrate_deprecated [destructive -&gt; dry-run default]
-    fix (link):    Migration notes  docs/errors/MCPX_CONFIG_DEPRECATED_FIELD.md
-
-  MCPX_CONFIG_MISSING_SECRET            <span class="err">error</span>  The configuration references a secret that is not defined.
-    docs: docs/errors/MCPX_CONFIG_MISSING_SECRET.md
-    fix (command): List secrets  mcpproxy secret list
-    fix (link):    Secret references  docs/errors/MCPX_CONFIG_MISSING_SECRET.md
-  <span class="c">... (27 more) ...</span>
-
-<span class="p">$</span> ./mcpproxy doctor list-codes -o json <span class="p">|</span> jq <span class="s">'length'</span>
-<span class="n">29</span>
-
-<span class="p">$</span> ./mcpproxy doctor list-codes -o json <span class="p">|</span> jq <span class="s">'[.[] | select(.code | startswith("MCPX_STDIO_"))] | map(.code)'</span>
-[
-  <span class="s">"MCPX_STDIO_EXIT_NONZERO"</span>,
-  <span class="s">"MCPX_STDIO_HANDSHAKE_INVALID"</span>,
-  <span class="s">"MCPX_STDIO_HANDSHAKE_TIMEOUT"</span>,
-  <span class="s">"MCPX_STDIO_SPAWN_EACCES"</span>,
-  <span class="s">"MCPX_STDIO_SPAWN_ENOENT"</span>
-]</pre>
-      </div>
-    </details>
-  </div>
-
-  <!-- 1b -->
-  <div class="test-block warn">
-    <h3>1b · <code>doctor --server broken-stdio</code> — per-server health check</h3>
-    <div class="status-line">
-      <span class="pill pill-green">PASS</span>
-      <span class="pill pill-yellow">caveat: initial socket-disabled run errored</span>
-    </div>
-    <div class="kv">
-      <span class="k-label">Expected:</span><span class="k-value">Prints banner + upstream error section for <code>broken-stdio</code>, maps to <code>MCPX_STDIO_SPAWN_ENOENT</code>.</span>
-      <span class="k-label">Actual:</span><span class="k-value">With socket enabled, produces <code>&#9888; Found 1 issue that need attention</code> and <code>&#10060; Upstream Server Connection Errors</code> for <code>broken-stdio</code>. Classifier correctly picks up the <code>zsh:1: no such file or directory</code> stderr pattern.</span>
-    </div>
-    <div class="callout callout-warn">
-      <strong>Non-blocking observation (see Findings #1):</strong> first invocation with
-      <code>enable_socket: false</code> failed with <em>"doctor requires running daemon. Start with: mcpproxy serve"</em>
-      — misleading because the daemon <em>was</em> running and reachable over HTTP. Re-running with socket enabled
-      resolved the issue. Worth a CLI UX follow-up.
-    </div>
-    <details>
-      <summary>Command + output (via socket)</summary>
-      <div class="details-body">
-<pre><span class="p">$</span> ./mcpproxy doctor --server broken-stdio
-━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-🔍 MCPProxy Health Check
-━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-Version: v0.24.9 (latest)
-
-<span class="warn">&#9888; Found 1 issue that need attention</span>
-
-<span class="err">&#10060; Upstream Server Connection Errors</span>
-  Server: broken-stdio
-
-⚠️  Deprecated Configuration
-  • features
-    features is deprecated and has no effect
-    Suggestion: Remove from config (all feature flags are unused)
-━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━</pre>
-      </div>
-    </details>
-    <details>
-      <summary>Misleading socket-disabled error (non-blocking)</summary>
-      <div class="details-body">
-<pre><span class="p">$</span> ./mcpproxy doctor --server broken-stdio   <span class="c"># enable_socket: false</span>
-Error: doctor requires running daemon. Start with: mcpproxy serve
-<span class="c"># ...usage text elided...</span>
-Error: doctor requires running daemon. Start with: mcpproxy serve</pre>
-      </div>
-    </details>
-  </div>
-
-  <!-- 1c -->
-  <div class="test-block pass">
-    <h3>1c · <code>doctor fix MCPX_STDIO_SPAWN_ENOENT --server broken-stdio</code> — dry-run default</h3>
-    <div class="status-line">
-      <span class="pill pill-green">PASS</span>
-      <span class="pill pill-muted">fixer_key: <code>stdio_show_last_logs</code></span>
-    </div>
-    <div class="kv">
-      <span class="k-label">Expected:</span><span class="k-value">Auto-resolve fixer_key, run dry-run, return preview text.</span>
-      <span class="k-label">Actual:</span><span class="k-value">Outcome <code>success</code>, <code>Mode: dry_run</code>, preview text returned.</span>
-    </div>
-    <details open>
-      <summary>Command + output</summary>
-      <div class="details-body">
-<pre><span class="p">$</span> ./mcpproxy doctor fix MCPX_STDIO_SPAWN_ENOENT --server broken-stdio
-━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-🛠  Doctor Fix: MCPX_STDIO_SPAWN_ENOENT
-━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-Server:      broken-stdio
-Fix step:    Show last server log lines
-Fixer key:   stdio_show_last_logs
-Destructive: no
-Mode:        <span class="warn">dry_run</span>
-
-Outcome:     <span class="ok">&#9989; success</span>
-
-Preview:
-  Server 'broken-stdio' log tail unavailable in this build — enable server-side
-  log access to view the last 50 lines here.
-━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━</pre>
-      </div>
-    </details>
-  </div>
-
-  <!-- 1d -->
-  <div class="test-block pass">
-    <h3>1d · <code>doctor fix ... --execute</code> — rate-limited safety guard</h3>
-    <div class="status-line">
-      <span class="pill pill-green">PASS</span>
-      <span class="pill pill-blue">Rate-limit honored: HTTP 429</span>
-    </div>
-    <div class="kv">
-      <span class="k-label">Expected:</span><span class="k-value">First burst hits rate-limit; after cooldown, execute succeeds.</span>
-      <span class="k-label">Actual:</span><span class="k-value">HTTP 429 "Too many fix attempts" on first attempt — matches the documented safety guard. Subsequent direct REST call to <code>POST /api/v1/diagnostics/fix</code> with <code>{"mode":"execute",...}</code> returned <code>200 {"mode":"execute","outcome":"success"}</code>.</span>
-    </div>
-    <details>
-      <summary>Command + output</summary>
-      <div class="details-body">
-<pre><span class="p">$</span> ./mcpproxy doctor fix MCPX_STDIO_SPAWN_ENOENT --server broken-stdio --execute
-Error: fix invocation failed: API returned status <span class="err">429</span>: {
-  <span class="s">"success"</span>:false,
-  <span class="s">"error"</span>:<span class="s">"Too many fix attempts; try again shortly"</span>,
-  <span class="s">"request_id"</span>:<span class="s">"eeb5791b-06ab-4055-aa2f-1acabf83bf42"</span>
-}</pre>
-      </div>
-    </details>
-  </div>
-
-  <!-- 1e -->
-  <div class="test-block pass">
-    <h3>1e · REST endpoints — <code>/diagnostics</code>, <code>/servers</code>, <code>/servers/{name}/diagnostics</code></h3>
-    <div class="status-line">
-      <span class="pill pill-green">PASS</span>
-      <span class="pill pill-muted">schema matches spec</span>
-    </div>
-    <ul class="check-list">
-      <li><code>GET /api/v1/servers/broken-stdio/diagnostics</code> returns full <code>Diagnostic</code> payload: <code>error_code</code>, <code>user_message</code>, <code>fix_steps[]</code> (command / button / link variants), <code>docs_url</code>, <code>severity</code>, <code>detected_at</code>, <code>health.level=unhealthy</code>, <code>health.action=restart</code>.</li>
-      <li><code>GET /api/v1/servers</code> returns each server with top-level <code>error_code</code> (<code>"MCPX_STDIO_SPAWN_ENOENT"</code> on the broken one, <code>null</code> on healthy).</li>
-      <li><code>GET /api/v1/diagnostics</code> aggregates to <code>total_issues: 1</code>, <code>upstream_errors[0].server_name == "broken-stdio"</code>.</li>
-      <li>Fix endpoint field is <code>"mode": "dry_run" | "execute"</code> (see Findings #3), not a boolean.</li>
-    </ul>
-  </div>
-
-  <!-- 1f -->
-  <div class="test-block pass">
-    <h3>1f · STDIO classifier — stderr pattern mapping</h3>
-    <div class="status-line">
-      <span class="pill pill-green">PASS</span>
-    </div>
-    <p>Despite the spawn being wrapped via <code>/bin/zsh -l -c</code>, the classifier parses the zsh stderr line
-      <code>zsh:1: no such file or directory: /nonexistent/binary</code> and maps it to <code>MCPX_STDIO_SPAWN_ENOENT</code>
-      (not a generic timeout or handshake error). This is the core value-add of the spec.</p>
-  </div>
-
-  <!-- PHASE 2 -->
-  <h2>Phase 2 — Web UI</h2>
-  <p>
-    Opened <code>http://127.0.0.1:18080/ui/servers/broken-stdio?apikey=***</code> in claude-in-chrome. The Vue
-    <code>ErrorPanel</code> component (<code>4d92c82</code>) rendered the full diagnostic payload with all expected
-    elements. Clicking the <em>Preview (dry-run)</em> button fires the fix endpoint successfully.
-  </p>
-
-  <div class="test-block pass">
-    <h3>2a · ErrorPanel rendering on <code>/ui/servers/broken-stdio</code></h3>
-    <div class="status-line">
-      <span class="pill pill-green">PASS</span>
-      <span class="pill pill-muted">all elements verified</span>
-    </div>
-    <ul class="check-list">
-      <li>Red severity band with <em>Server Error</em> heading</li>
-      <li>Severity badge: <code>error</code></li>
-      <li>Error code prominently shown: <code>MCPX_STDIO_SPAWN_ENOENT</code></li>
-      <li>User-facing message: <em>"The configured command for this stdio server was not found on PATH."</em></li>
-      <li>Cause snippet (truncated stderr) including <code>zsh:1: no such file or directory: /nonexistent/binary</code></li>
-      <li>Fix steps rendered as three distinct rows:
-        <ul style="margin-top:4px; list-style: disc; padding-left:22px;">
-          <li>Command row <code>which npx &amp;&amp; which uvx &amp;&amp; which python3</code> + <strong>Copy</strong> button</li>
-          <li>Link row to <code>docs/errors/MCPX_STDIO_SPAWN_ENOENT.md</code></li>
-          <li>Button row <em>"Show last server log lines"</em> with <em>Preview (dry-run)</em> action</li>
-        </ul>
-      </li>
-      <li>Documentation link in footer</li>
-      <li>Top-right connection state badge: <code>Connecting</code> (yellow)</li>
-    </ul>
-  </div>
-
-  <div class="test-block pass">
-    <h3>2b · Preview (dry-run) button → <code>POST /api/v1/diagnostics/fix</code></h3>
-    <div class="status-line">
-      <span class="pill pill-green">PASS (200 OK)</span>
-      <span class="pill pill-yellow">UX gap: success is silent (Finding #2)</span>
-    </div>
-    <div class="kv">
-      <span class="k-label">Request:</span><span class="k-value"><code>POST http://127.0.0.1:18080/api/v1/diagnostics/fix</code> with <code>{"mode":"dry_run","code":"MCPX_STDIO_SPAWN_ENOENT","server":"broken-stdio","fixer_key":"stdio_show_last_logs"}</code></span>
-      <span class="k-label">Response:</span><span class="k-value"><code>200 OK</code> + JSON body containing <code>preview</code> string</span>
-      <span class="k-label">UX observation:</span><span class="k-value">No toast or inline render of <code>data.preview</code> after success. Re-verified via direct <code>curl</code> that the payload does contain the preview text.</span>
-    </div>
-  </div>
-
-  <h3 style="margin-top:28px;">Screenshots</h3>
-  <div class="callout callout-info">
-    <strong>Note on screenshot availability.</strong> During this verification run, screenshots were captured through
-    <em>claude-in-chrome</em>'s in-memory screenshot facility (image IDs <code>ss_103222r6g</code> and
-    <code>ss_0723w5ok4</code>). Those IDs are ephemeral and were <em>not</em> written to disk — no
-    <code>/tmp/spec044-verify-webui-*.png</code> files exist. The textual test plan above documents every element that
-    was visually confirmed.
-  </div>
-  <div class="screenshot-placeholder">
-    <strong>ss_103222r6g</strong> — Initial ErrorPanel view at <code>/ui/servers/broken-stdio</code><br>
-    <span style="font-size:12px;">(image not available on disk — see caption list above for visually-confirmed elements)</span>
-  </div>
-  <div class="screenshot-placeholder">
-    <strong>ss_0723w5ok4</strong> — After clicking <em>Preview (dry-run)</em><br>
-    <span style="font-size:12px;">Panel still visible; no toast / inline result rendered despite 200 OK response (see Finding #2)</span>
-  </div>
-
-  <!-- PHASE 3 -->
-  <h2>Phase 3 — macOS Tray</h2>
-
-  <div class="callout callout-warn">
-    <strong>&#9888; SKIPPED.</strong> The user's production <code>MCPProxy</code> tray app and <code>mcpproxy</code>
-    core were actively running on port <code>8080</code> at the time of this verification. Killing and restarting
-    them to swap in the dev tray binary (<code>6aa8305</code>) would have risked disrupting an active session for no
-    critical upside — Phases 1 + 2 already demonstrate end-to-end that the classifier, REST API, CLI formatter, fix
-    endpoint, and Vue ErrorPanel all work correctly for <code>MCPX_STDIO_SPAWN_ENOENT</code>.
-  </div>
-
-  <h3>What still needs a human check</h3>
-  <ul class="check-list">
-    <li class="dash">Red-dot badge on the tray menu-bar icon when <code>total_issues &gt; 0</code></li>
-    <li class="dash">New <em>"Fix issues"</em> menu group opens and lists affected servers</li>
-    <li class="dash">Clicking a menu row opens <code>/ui/servers/&lt;name&gt;</code> in the default browser</li>
-  </ul>
-  <p>
-    Relevant code lives in the commit <code>6aa8305</code> — <em>feat(spec-044): macOS tray badge + Fix issues menu group</em>.
-    To verify post-merge, run:
-  </p>
-<pre><span class="p">$</span> <span class="c"># after-hours, when it's safe to cycle production</span>
-<span class="p">$</span> cd ~/repos/mcpproxy-go
-<span class="p">$</span> make build
-<span class="p">$</span> pkill -x MCPProxy
-<span class="p">$</span> open /tmp/MCPProxy.app</pre>
-
-  <!-- FINDINGS -->
-  <h2>Findings (non-blocking)</h2>
-
-  <div class="finding">
-    <h4>#1 · <code>doctor</code> CLI has no HTTP fallback when socket is disabled
-      <span class="severity sev-medium">medium</span></h4>
-    <p>
-      With <code>"enable_socket": false</code> in config, <code>mcpproxy doctor</code> fails with
-      <em>"doctor requires running daemon. Start with: mcpproxy serve"</em> — a misleading message, because the daemon
-      is already running and reachable over HTTP at the configured <code>listen</code> address. Env vars
-      <code>MCPPROXY_LISTEN</code>/<code>MCPPROXY_API_KEY</code> have no effect on the doctor subcommand either.
-    </p>
-    <p><strong>Reproduction:</strong> start <code>mcpproxy serve</code> with <code>enable_socket: false</code>, then run
-      <code>mcpproxy doctor</code>.</p>
-    <p><strong>Suggested fix:</strong> either (a) add HTTP fallback using <code>listen</code> + API key, or (b)
-      surface a clearer error: <em>"socket is disabled in config — re-enable it, or use
-      <code>curl http://127.0.0.1:PORT/api/v1/diagnostics</code>"</em>.</p>
-  </div>
-
-  <div class="finding">
-    <h4>#2 · Web UI <em>Preview</em> button success is silent
-      <span class="severity sev-low">low</span></h4>
-    <p>
-      Clicking the <em>Preview (dry-run)</em> button in <code>ErrorPanel.vue</code> fires the fix endpoint and receives
-      a 200 response whose JSON body contains a helpful <code>preview</code> string (e.g.,
-      <em>"Server 'broken-stdio' log tail unavailable in this build..."</em>), but the Vue component does not render
-      it anywhere. Users have no visual feedback that the action succeeded.
-    </p>
-    <p><strong>Location:</strong> <code>web/frontend/src/components/ErrorPanel.vue</code> (or equivalent — commit
-      <code>4d92c82</code>).</p>
-    <p><strong>Suggested fix:</strong> surface <code>response.data.preview</code> via a DaisyUI toast, or render it
-      inline below the button while <code>preview</code> is populated.</p>
-  </div>
-
-  <div class="finding">
-    <h4>#3 · Fix endpoint body uses <code>"mode"</code> string, not a boolean <code>"dry_run"</code>
-      <span class="severity sev-low">low</span></h4>
-    <p>
-      The <code>POST /api/v1/diagnostics/fix</code> endpoint expects <code>{"mode": "dry_run" | "execute", ...}</code>,
-      not a boolean flag like <code>{"dry_run": true}</code>. This matches the implementation at
-      <code>internal/httpapi/diagnostics_fix.go:27</code>, but worth calling out explicitly in the OpenAPI description
-      and in any published examples to prevent API-consumer confusion.
-    </p>
-    <p><strong>Suggested fix:</strong> add an inline note in <code>oas/swagger.yaml</code> and the spec's
-      <code>contracts/</code> examples explicitly showing the string-enum field.</p>
-  </div>
-
-  <h3>Confirmed-working (no action needed)</h3>
-  <ul class="check-list">
-    <li>29 diagnostic codes registered, matching <code>list-codes -o json | jq length</code></li>
-    <li>Stdio spawn failure via <code>/nonexistent/binary</code> correctly classifies to <code>MCPX_STDIO_SPAWN_ENOENT</code> even when wrapped through <code>/bin/zsh -l -c</code></li>
-    <li>Diagnostic payload shape matches spec: <code>code</code>, <code>severity</code>, <code>user_message</code>, <code>cause</code>, <code>fix_steps[]</code>, <code>docs_url</code>, <code>detected_at</code></li>
-    <li><code>server.health</code> block populated with <code>level: unhealthy</code>, <code>action: restart</code> — matches Spec 044's action-suggestion design</li>
-    <li>Server list endpoint carries per-server <code>error_code</code> field at top level</li>
-    <li><code>doctor fix</code> rate-limiter returns structured 429 with a <code>request_id</code> for correlation</li>
-  </ul>
-
-  <!-- ENVIRONMENT -->
-  <h2>Environment &amp; Reproducibility</h2>
-
-  <h3>Build context</h3>
-  <table>
-    <tbody>
-      <tr><td style="width:180px;">Go toolchain</td><td><code>go1.25.1 darwin/arm64</code></td></tr>
-      <tr><td>Binary version</td><td><code>v0.24.9</code> (reported by the daemon banner; <code>mcpproxy version</code> subcommand is absent from this build — not yet ported to Cobra)</td></tr>
-      <tr><td>Binary size</td><td>40,874,114 bytes (<code>/Users/user/repos/mcpproxy-go-diagnostics-taxonomy/mcpproxy</code>, 2026-04-24 18:45)</td></tr>
-      <tr><td>Worktree</td><td><code>/Users/user/repos/mcpproxy-go-diagnostics-taxonomy</code></td></tr>
-      <tr><td>Branch</td><td><code>feat/diagnostics-taxonomy</code> @ <code>911704cc539e8c4965e7c1786cbcf3b0b70e0ae6</code></td></tr>
-      <tr><td>Commits-under-test</td><td>9 (see header)</td></tr>
-      <tr><td>Test data dir</td><td><code>/tmp/mcpproxy-test-spec044</code> (removed during cleanup)</td></tr>
-      <tr><td>Test listen</td><td><code>127.0.0.1:18080</code></td></tr>
-      <tr><td>Production untouched</td><td><code>:8080</code>, config byte-identical to backup (<code>diff -q</code>)</td></tr>
-      <tr><td>Duration</td><td>~45 minutes (setup + 6 CLI tests + 2 Web UI checks + cleanup)</td></tr>
-    </tbody>
-  </table>
-
-  <h3>Reproducing the test setup</h3>
-  <details>
-    <summary>Full setup script (copy-paste to re-run)</summary>
-    <div class="details-body">
-<pre><span class="c"># 1. back up production config, but don't touch it</span>
-<span class="p">$</span> cp ~/.mcpproxy/mcp_config.json /tmp/mcp_config.json.backup-$(date +%s)
-
-<span class="c"># 2. build dev binary on the feature branch</span>
-<span class="p">$</span> cd ~/repos/mcpproxy-go-diagnostics-taxonomy
-<span class="p">$</span> make build
-
-<span class="c"># 3. isolated data dir + config</span>
-<span class="p">$</span> mkdir -p /tmp/mcpproxy-test-spec044
-<span class="p">$</span> cat &gt; /tmp/mcpproxy-test-spec044/config.json &lt;&lt;'JSON'
-{
-  <span class="s">"listen"</span>: <span class="s">"127.0.0.1:18080"</span>,
-  <span class="s">"api_key"</span>: <span class="s">"***"</span>,
-  <span class="s">"enable_socket"</span>: true,
-  <span class="s">"enable_web_ui"</span>: true,
-  <span class="s">"mcpServers"</span>: [
-    {<span class="s">"name"</span>:<span class="s">"broken-stdio"</span>, <span class="s">"command"</span>:<span class="s">"/nonexistent/binary"</span>,
-     <span class="s">"protocol"</span>:<span class="s">"stdio"</span>, <span class="s">"enabled"</span>:true},
-    {<span class="s">"name"</span>:<span class="s">"healthy-control"</span>, <span class="s">"command"</span>:<span class="s">"echo"</span>,
-     <span class="s">"protocol"</span>:<span class="s">"stdio"</span>, <span class="s">"enabled"</span>:false}
-  ]
-}
-JSON
-
-<span class="c"># 4. launch in tmux on the isolated port + data dir</span>
-<span class="p">$</span> tmux new-session -d -s spec044 \
-    <span class="s">"./mcpproxy serve -c /tmp/mcpproxy-test-spec044/config.json \
-     -d /tmp/mcpproxy-test-spec044 --log-level=debug"</span>
-
-<span class="c"># 5. exercise CLI + REST + Web UI</span>
-<span class="p">$</span> ./mcpproxy doctor list-codes -o json <span class="p">|</span> jq length
-<span class="p">$</span> ./mcpproxy doctor --server broken-stdio
-<span class="p">$</span> ./mcpproxy doctor fix MCPX_STDIO_SPAWN_ENOENT --server broken-stdio
-<span class="p">$</span> curl -s -H <span class="s">"X-API-Key: ***"</span> \
-    http://127.0.0.1:18080/api/v1/servers/broken-stdio/diagnostics <span class="p">|</span> jq .
-
-<span class="c"># 6. cleanup</span>
-<span class="p">$</span> tmux kill-session -t spec044
-<span class="p">$</span> rm -rf /tmp/mcpproxy-test-spec044
-<span class="p">$</span> diff -q ~/.mcpproxy/mcp_config.json /tmp/mcp_config.json.backup-*</pre>
-    </div>
-  </details>
-
-  <h3>Raw artifacts consulted by this report</h3>
-  <ul class="check-list">
-    <li><code>/Users/user/repos/mcpproxy-go/tmp-agent-report-spec044-verify.md</code> (structured verification report, 9,038 bytes)</li>
-    <li><code>/tmp/spec044-verify-cli.log</code> (CLI command outputs, 10,091 bytes)</li>
-    <li class="x"><code>/tmp/mcpproxy-test-spec044/server.log</code> (server log — <em>not found</em>, test data dir was cleaned up)</li>
-    <li class="x"><code>/tmp/spec044-verify-webui-*.png</code> (Web UI screenshots — <em>not found</em>, captured via claude-in-chrome but not persisted to disk)</li>
-    <li class="x"><code>/tmp/spec044-verify-tray-*.png</code> (tray screenshots — <em>not found</em>, Phase 3 skipped)</li>
-  </ul>
-
-  <!-- FOOTER -->
-  <footer class="footer">
-    Generated 2026-04-24 by spec-044 verification run ·
-    <a href="https://github.com/smart-mcp-proxy/mcpproxy-go/pull/400">PR #400</a> ·
-    <a href="https://github.com/smart-mcp-proxy/mcpproxy-go/commit/911704cc539e8c4965e7c1786cbcf3b0b70e0ae6">911704c</a>
-  </footer>
-
-</div>
-</body>
-</html>
diff --git a/specs/046-local-launcher-for-http-sse/execution_log.md b/specs/046-local-launcher-for-http-sse/execution_log.md
deleted file mode 100644
index a0c21d0f..00000000
--- a/specs/046-local-launcher-for-http-sse/execution_log.md
+++ /dev/null
@@ -1,163 +0,0 @@
-# Execution Log — 046-local-launcher-for-http-sse
-
-State maintained per `CLAUDE.md` autonomous-operation requirement. Each
-session appends a dated entry; do not rewrite history.
-
-## 2026-05-10 — Initial scaffold (Roman + Claude)
-
-**Status**: Phase 0 + Phase 1 code landed in working tree (uncompiled —
-sandbox network blocks `proxy.golang.org`, see end of log). Phase 2 partial.
-
-### Files added
-
-- `internal/upstream/launcher/launcher.go` — `Spec`, `Handle`, `Spawn`. Owns the
-  child's lifecycle (Stop with SIGTERM → grace → SIGKILL fallback, Wait, Done,
-  Pid). Pumps stdout+stderr line-by-line into a caller-supplied `io.Writer`,
-  one Write per line so a zap-bridge sink produces one log entry per line.
-- `internal/upstream/launcher/launcher_unix.go` — Setpgid + signal-the-pgroup
-  for SIGTERM/SIGKILL on Linux/macOS.
-- `internal/upstream/launcher/launcher_windows.go` — best-effort stubs
-  (matches the existing `process_windows.go` TODO; Job Objects are a
-  follow-up).
-- `internal/upstream/launcher/wait.go` — `WaitForURL` does TCP-dial polling
-  rather than HTTP GET (gotcha #2 in plan: SSE endpoints stream forever and
-  break HTTP-GET probes).
-- `internal/upstream/launcher/wait_test.go` — 6 cases (immediately bound,
-  bound late, never bound, ctx-canceled, bad URLs, default-port inference).
-- `internal/upstream/launcher/launcher_test.go` — 7 cases (graceful exit,
-  SIGKILL fallback when SIGTERM is trapped, Done on natural exit, exit-code
-  capture via `*exec.ExitError`, Stop idempotency, log sink capture, nil
-  guards).
-- `internal/upstream/launcher/integration_test.go` — full Spawn + WaitForURL
-  with a python-listener subprocess; skips when python3 is missing or on
-  Windows. (Pure Go testdata helper would be cleaner — TODO.)
-- `internal/upstream/core/connection_launcher.go` — `connectWithLauncher`,
-  `stopLauncher`, `watchLauncher`, `buildLauncherCmd`, `loggerWriter`.
-
-### Files modified
-
-- `internal/config/config.go` — `LauncherWaitTimeout Duration` on
-  `ServerConfig`. Default 30s when zero/unset.
-- `internal/config/merge.go` — `CopyServerConfig` carries the new field.
-- `internal/upstream/core/client.go` — `launcherHandle launcher.Handle` and
-  `launcherCIDFile string` on `Client`; new import.
-- `internal/upstream/core/connection.go` — pre-transport launcher dispatch
-  for `http`/`sse`/`streamable-http` when `Command != ""`. Stops launcher
-  in the connect-failure cleanup path.
-- `internal/upstream/core/connection_lifecycle.go` — `stopLauncher` after
-  the MCP-client close in Disconnect (so the child sees the network
-  transport go away first); also clears `processCmd`.
-- `docs/configuration.md` — new "Locally-launched HTTP / SSE servers"
-  section + back-compat behaviour matrix; `launcher_wait_timeout` row in
-  the Server Fields table.
-- `docs/cli-management-commands.md` — restart-semantics note covering the
-  launcher stop-then-start order.
-
-### Decisions / assumptions
-
-1. **Stdio path untouched.** Plan's Phase 0 contemplated lifting env/Docker
-   plumbing out of `connection_stdio.go` and routing stdio through
-   `launcher.Spawn`. Doing that requires reworking how mcp-go owns the
-   stdio process (mcp-go's `Stdio` transport spawns via a `CommandFunc` it
-   controls — externally-spawned children can't be wired into it without
-   patching the upstream library). To honour the spirit of "Docker-isolation
-   logic must live in one place" without that reshuffling, the new
-   `buildLauncherCmd` reuses the same Client methods (`setupDockerIsolation`,
-   `injectEnvVarsIntoDockerArgs`, `insertCidfileIntoShellDockerCommand`,
-   `wrapWithUserShell`) the stdio path already calls. Single source of
-   truth, but no double-spawn risk.
-
-2. **Launcher-managed children stay invisible to stdio cleanup helpers.**
-   `connectWithLauncher` deliberately does NOT set `c.processCmd` /
-   `c.processGroupID`. The `launcher.Handle` owns lifecycle; setting those
-   would let stdio's `killProcessGroup` race with `Handle.Stop`. This is a
-   minor deviation from the original plan (which suggested wiring the same
-   process-group tracking) — the result is cleaner ownership.
-
-3. **Health check is a TCP dial.** Per the plan's gotcha #2.
-   `addrFromURL` infers default ports for http/https/ws/wss; rejects
-   unknown schemes early so misconfigurations surface fast.
-
-4. **StopGrace default is 5s.** Plan asked for an explicit decision (open
-   question #2). 5s matches `processGracefulTimeout` in
-   `internal/upstream/core/connection.go`. No per-server override yet —
-   `Spec.StopGrace` is plumbed but not exposed in `ServerConfig`. Promote to
-   config if a real-world server needs more.
-
-5. **Crash-while-connected → Disconnect.** `watchLauncher` calls the
-   `Client.Disconnect()` path on unexpected child exit (gotcha #6).
-   Existing reconnect logic in `internal/upstream/managed` then handles
-   the come-back attempt — no separate launcher-internal restart loop
-   (open question #3 settled toward "defer to transport-level reconnect").
-
-6. **Stop ctx on shutdown.** `stopLauncher` currently uses
-   `context.WithTimeout(context.Background(), 10s)` everywhere. Plan
-   open question #4 — accept this default; raise the limit if shutdown
-   really needs to wait for slow Docker stop.
-
-### Verification round 1 (2026-05-11)
-
-After `sbx policy allow network proxy.golang.org,sum.golang.org` was set:
-
-| Command | Result |
-|---|---|
-| `GOTOOLCHAIN=local go vet ./internal/upstream/...` | ✅ clean |
-| `GOTOOLCHAIN=local go test ./internal/upstream/launcher/...` | ✅ 15/15 |
-| `GOTOOLCHAIN=local go test ./internal/upstream/...` | ✅ all packages |
-| `GOTOOLCHAIN=local go test ./internal/config/...` | ✅ |
-| `go test -race` | ⚠️ blocked — cgo (gcc) not installed in sandbox; user can run on host |
-| `go build ./cmd/mcpproxy` | ❌ blocked — needs `storage.googleapis.com` (some Go modules CDN-served from there); user must add `sbx policy allow network storage.googleapis.com` |
-
-### Bugs found + fixed during verification round 1
-
-1. **Deadlock in connect-failure cleanup.** `Connect` holds `c.mu` for its
-   entire duration; my original failure-path call to `c.stopLauncher(...)`
-   re-acquired the same lock → hang. Fixed by inlining the stop sequence
-   in `connection.go`'s cleanup branch (read fields under the held lock,
-   release `c.mu` around `handle.Stop()`, reacquire before return).
-2. **`connectWithLauncher` redundant locking.** Same root cause —
-   `connectWithLauncher` is called from `Connect` which already holds
-   `c.mu`. Removed the inner `c.mu.Lock()/Unlock()` for the launcher
-   field writes; the wait-for-url failure path still releases the lock
-   around the blocking `handle.Stop()` and reacquires before returning.
-3. **`bytes.Buffer` LogSink race.** Test failures from the stdout pump,
-   stderr pump, and the startup-banner write all racing on a single
-   `*bytes.Buffer` in tests. Fixed by wrapping `LogSink` internally with
-   a `serializedWriter` (mutex around `Write`). zap-bridge in production
-   is already thread-safe, so this is a robustness fix for test sinks
-   and any future single-writer adapters.
-4. **SIGKILL-fallback test could detect "ready" in the banner.** The
-   launcher startup banner echoes the script source verbatim, so any
-   marker token literally present in the script also matched in the
-   banner — making the test think the trap was installed before the
-   shell even ran. Fixed by using a shell-substituted marker
-   (`__LNCTICK__:$$`) and a regex detector (`__LNCTICK__:[0-9]+`).
-5. **`bad scheme + explicit port` test case.** Test asserted error on
-   `ftp://example.com:21/foo` but the launcher correctly accepts any
-   scheme when the port is explicit (user took responsibility). Removed
-   that case; replaced with the actually-invalid `ftp://example.com/foo`.
-
-### Outstanding network blocker
-
-```
-sbx policy allow network storage.googleapis.com
-```
-
-Needed for `go build ./cmd/mcpproxy` to fetch Bleve/Roaring/etc. CDN-backed
-modules. Once allowed, the verification commands are:
-
-```
-GOTOOLCHAIN=local go build ./cmd/mcpproxy
-./scripts/test-api-e2e.sh    # optional smoke test
-```
-
-### Outstanding follow-ups (post-PR)
-
-- Replace `integration_test.go`'s python-shellout with a Go test-binary
-  helper invoked via `os.Args` re-entry pattern, so the test runs on any
-  CI that has Go (which is all of them). Plan called for a tiny binary in
-  `internal/upstream/launcher/testdata/`.
-- Extend `scripts/test-api-e2e.sh` with a launcher-flavoured server (plan
-  Phase 2 item).
-- Phase 3 (post-merge): `{port}` templating in `args` / `url`, per-launcher
-  custom health probe, exponential backoff for repeated launcher crashes.
diff --git a/specs/050-global-tools-page/execution_log.md b/specs/050-global-tools-page/execution_log.md
deleted file mode 100644
index 84d512d7..00000000
--- a/specs/050-global-tools-page/execution_log.md
+++ /dev/null
@@ -1,17 +0,0 @@
-# Execution Log — Spec 050 Global Tools Page
-
-State file per CLAUDE.md autonomous-operation constraint. One line per completed step.
-
-- 2026-05-18 brainstormed feature with user; design approved (aggregation endpoint, v1 columns, substring search, replace orphaned Tools.vue).
-- 2026-05-18 speckit.specify → spec.md + checklists/requirements.md committed (3633b6e5). SynapBus SPEC announcement posted (#my-agents-algis, msg 37429).
-- 2026-05-18 CLI gap analysis: `tools list` requires --server, name+desc only; no per-tool enable/disable CLI. Decision: fold CLI parity into spec 050 (same endpoint/feature), not a new spec.
-- 2026-05-18 backend impl (T002-T012): AggregateToolUsage + GET /api/v1/tools + helper refactor; httpapi/storage/runtime/server tests GREEN, lint clean.
-- 2026-05-18 fanned out frontend (Tools.vue rewrite, /tools route, sidebar badge, US1-3) + CLI (US4 global list + enable/disable) subagents; both reported GREEN (frontend build clean, cmd tests pass).
-- 2026-05-18 live curl: found+fixed false partial:true — global handler now uses mgmt-service GetServerTools (like per-server endpoint) so disabled/not-connected servers yield 0 tools, not a 'failed' flag. Re-verified: 13 tools, partial absent, stats consistent. CLI table OK.
-- 2026-05-18 FR-001 note: a disabled server that was NEVER connected has no tools anywhere (index empty, per-server endpoint returns 0). Showing its tools is impossible by any path; this is an inherent limitation, distinct from the 'server errored -> partial' edge case (now correctly separated). Documented as refined assumption.
-- 2026-05-18 API E2E: GET /api/v1/tools PASS. 10 unrelated pre-existing/environmental failures (upstream_servers env/args/headers CRUD hitting example.com, flaky activity/{id}) — none in tools code paths.
-- 2026-05-18 Playwright sweep 5/5 GREEN (loaded table, search, sort, batch-bar+disable, empty state); self-contained report.html + screenshots committed under verification/.
-- 2026-05-18 chrome-ext live check: page matches issue #437 mockup (sidebar Tools badge=13, 4 stat cards, filter bar, dense table). Verified batch-disable works end-to-end (Playwright run disabled all 13; curl confirms disabled:13, frontend cards reflect backend stats — consistent, no bug).
-- 2026-05-18 final: golangci-lint 0 issues, frontend build clean, go tests GREEN. Ready for PR.
-- 2026-05-18 PR #481 opened. First run: check-size red (CLAUDE.md >40k, pre-existing-adjacent — main was 39605, my additions pushed over). Trimmed my own footprint (condensed CLI note + auto agent-context lines) → 39928/40000.
-- 2026-05-18 CI FULLY GREEN: all builds (6 platforms), Unit Tests 9 OS/Go combos, Integration, E2E, OAuth E2E, Cross-Platform Logging, Lint, Verify OpenAPI, Build Frontend, check-size — NO failures (Stress Tests skipped, normal). PR #481 awaiting human review.