diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000..045bbf4
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,31 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  check:
+    name: Check, Lint & Test
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 18
+          cache: npm
+
+      - run: npm ci
+
+      - name: Type check
+        run: npm run check
+
+      - name: Lint
+        run: npm run lint
+
+      - name: Test
+        run: npm test
diff --git a/README.md b/README.md
index 1652999..16560d8 100644
--- a/README.md
+++ b/README.md
@@ -42,6 +42,7 @@ A real-time social status app where you can share what you're up to with your fr
 ## Overview
 
 Rez lets you:
+
 - Post a short status (up to 42 characters) so friends know what you're up to
 - See your friends' statuses and when they last updated them
 - Send, accept, and reject friend requests by username
@@ -55,12 +56,13 @@ Rez lets you:
 
 | Feature | Details |
 |---|---|
-| Authentication | Email/password with optional email confirmation |
+| Authentication | Email/password with email confirmation, password reset, email change |
 | Status updates | 42-character limit, with quick-status presets |
 | Friend requests | Send by username, accept/reject/cancel |
 | Real-time sync | Supabase Realtime (optional, gracefully degrades) |
 | Friend ordering | Drag-and-drop reorder, persisted in `localStorage` |
 | Themes | 35 built-in DaisyUI themes, cookie-persisted |
+| PWA | Installable on mobile and desktop via web app manifest |
 | Profile | Username (3–20 chars) + optional display name (up to 50 chars) |
 | Data export | Download all your data as JSON |
 | Account deletion | Password-confirmed, cascades all data including auth user |
@@ -80,8 +82,10 @@ Rez lets you:
 | Avatars | `svelte-boring-avatars` (deterministic from user ID) |
 | Theme switching | `theme-change` |
 | Build tool | Vite 7 |
+| Testing | [Vitest](https://vitest.dev/) |
 | Linting | ESLint 9 + `eslint-plugin-svelte` |
 | Formatting | Prettier + `prettier-plugin-svelte` + `prettier-plugin-tailwindcss` |
+| CI | GitHub Actions (check, lint, test) |
 
 ---
 
@@ -131,6 +135,8 @@ npm run check          # Type-check the project
 npm run check:watch    # Type-check in watch mode
 npm run lint           # Check formatting + ESLint
 npm run format         # Auto-format all files
+npm test               # Run Vitest tests
+npm run test:watch     # Run tests in watch mode
 ```
 
 ### Building for Production
@@ -200,7 +206,7 @@ In your Supabase dashboard under **Authentication → URL Configuration**:
 - **Site URL**: your production domain (e.g. `https://yourapp.com`)
 - **Redirect URLs**: add `https://yourapp.com/auth/confirm` (and `http://localhost:5173/auth/confirm` for local dev)
 
-Email confirmation is supported. When a new user signs up, they receive a confirmation email that redirects to `/auth/confirm`, which validates the OTP token and then redirects to `/dashboard`.
+The `/auth/confirm` endpoint handles multiple OTP types: signup confirmation, password recovery, and email change. For password resets, the recovery email links to `/auth/confirm?next=/auth/reset-password`, which verifies the token and redirects to the new-password form.
 
 ---
 
@@ -229,7 +235,7 @@ src/
 │   │       ├── Requests.svelte    # Send/accept/reject/cancel requests
 │   │       └── RequestsSkeleton.svelte
 │   ├── profile/
-│   │   ├── api.ts                 # findUserByUsername, checkUsernameAvailability
+│   │   ├── api.ts                 # checkUsernameAvailability
 │   │   └── validation.ts          # Username/display-name constants, validators, ERROR_MESSAGES
 │   ├── realtime/
 │   │   └── subscriptions.ts       # RealtimeSubscriptionManager class
@@ -247,6 +253,7 @@ src/
 │       ├── DebugPanel.svelte      # Floating debug log panel (dev/iOS/error)
 │       ├── Footer.svelte
 │       ├── Navigation.svelte      # Sticky nav with logout + settings link
+│       ├── RelativeTime.svelte    # Live-ticking relative timestamp component
 │       ├── ThemeSelect.svelte     # Theme picker component
 │       ├── Toast.svelte
 │       └── ToastContainer.svelte
@@ -258,11 +265,14 @@ src/
 │   ├── +page.svelte               # Landing / hero page
 │   ├── auth/
 │   │   ├── +layout.svelte
-│   │   ├── +page.server.ts        # login/signup form actions
-│   │   ├── +page.svelte           # Login/signup tab UI
-│   │   ├── confirm/+server.ts     # Email confirmation OTP handler
+│   │   ├── +page.server.ts        # login/signup/forgotPassword form actions
+│   │   ├── +page.svelte           # Login/signup tab UI with forgot password flow
+│   │   ├── confirm/+server.ts     # Email confirmation OTP handler (signup, recovery, email change)
 │   │   ├── error/+page.svelte     # Auth error page
-│   │   └── logout/+server.ts      # POST endpoint: server-side sign out + cookie clear
+│   │   ├── logout/+server.ts      # POST endpoint: server-side sign out + cookie clear
+│   │   └── reset-password/
+│   │       ├── +page.server.ts    # Load function (session check)
+│   │       └── +page.svelte       # New password form after recovery
 │   └── dashboard/
 │       ├── +layout.server.ts      # Auth guard - redirects unauthenticated users to /
 │       ├── +layout.svelte         # Dashboard layout with Navigation
@@ -270,7 +280,7 @@ src/
 │       ├── +page.svelte           # Main dashboard page
 │       └── settings/
 │           ├── +page.server.ts
-│           └── +page.svelte       # Settings page
+│           └── +page.svelte       # Settings page (profile, security, quick statuses, appearance, data)
 │
 └── sql/
     ├── functions/
@@ -292,7 +302,7 @@ src/
 2. **`+layout.server.ts`** passes `session` and raw cookies to the client.
 3. **`+layout.ts`** creates a Supabase browser client (or server client during SSR) and exposes `supabase`, `session`, and `user` to all child layouts/pages.
 4. **Dashboard page** receives only `session` from the server - all dashboard data (friends, statuses, requests) is loaded client-side via `DashboardDataLoader`. This keeps server load minimal and avoids serializing large data structures through the load chain.
-5. **Real-time** updates are handled by `RealtimeSubscriptionManager`, which subscribes to `friend_requests`, `friends`, and `profiles` table changes. On any relevant event, a debounced refresh (300ms) reloads dashboard data.
+5. **Real-time** updates are handled by `RealtimeSubscriptionManager`, which subscribes to `friend_requests`, `friends`, and `profiles` table changes. Updates are granular: profile/status changes are patched in-place from the realtime payload (zero DB calls), friend request changes trigger a targeted reload of just the request arrays, and friendship changes (rare, structural) trigger a full data reload.
 
 ### Database Schema
 
@@ -323,8 +333,8 @@ Quick statuses and friend order are stored in the browser's `localStorage` rathe
 **Svelte 5 runes throughout**
 All components use Svelte 5's rune-based reactivity (`$state`, `$derived`, `$effect`, `$props`, `$bindable`). This is the modern Svelte 5 API and provides cleaner component logic with explicit reactivity.
 
-**Debounced real-time refresh**
-Rather than updating specific state slices on each Realtime event, the app does a full data reload with a 300ms debounce. This is simpler to reason about and handles batched events correctly, at the cost of slightly more database reads.
+**Granular real-time updates**
+Realtime events are handled with three strategies: profile/status changes are patched in-place directly from the event payload (zero database calls), friend request changes trigger a debounced (300ms) reload of just the request arrays (two small queries), and friendship changes trigger a full reload since they are rare structural events that affect the profiles subscription scope.
 
 **`adapter-auto`**
 Using `@sveltejs/adapter-auto` means the project deploys to any supported platform without configuration changes. Swap in a specific adapter if you need fine-grained control.
@@ -338,7 +348,10 @@ Using `@sveltejs/adapter-auto` means the project deploys to any supported platfo
 - Auth uses Supabase's email/password flow via `@supabase/ssr`.
 - Session validation in `hooks.server.ts` calls both `getSession()` and `getUser()`. The `getUser()` call makes a network request to Supabase to cryptographically verify the JWT - this prevents accepting a locally-forged or replayed token. This pattern follows [Supabase's security recommendations](https://supabase.com/docs/guides/auth/server-side/nextjs#understanding-what-session-means).
 - `safeGetSession()` returns `{ session: null, user: null }` on any validation error rather than propagating the error upward.
-- The auth guard in `hooks.server.ts` redirects unauthenticated users away from `/dashboard/**` and redirects authenticated users away from `/auth`.
+- The auth guard has two layers: `hooks.server.ts` redirects unauthenticated users away from `/dashboard/**` to `/auth`, and `dashboard/+layout.server.ts` provides a secondary guard that redirects to `/`. Authenticated users hitting exactly `/auth` are redirected to `/dashboard` (sub-routes like `/auth/reset-password` are not affected).
+- **Password reset**: Users request a reset link from the login page via `resetPasswordForEmail()`. The email links through `/auth/confirm` (OTP verification) and redirects to `/auth/reset-password` where they set a new password via `updateUser()`. The root layout's `onAuthStateChange` listener also handles the `PASSWORD_RECOVERY` event as a safety redirect.
+- **Password change**: Authenticated users can change their password from Settings. The current password is verified via `signInWithPassword()` re-authentication before calling `updateUser()`.
+- **Email change**: Authenticated users can request an email change from Settings via `updateUser({ email })`. Supabase sends a confirmation link to the new address; the existing `/auth/confirm` handler processes the `email_change` OTP type.
 - Logout hits both the client-side `supabase.auth.signOut()` and a server-side `POST /auth/logout` endpoint that manually clears all Supabase auth cookies.
 
 ### Row Level Security
@@ -350,20 +363,23 @@ All four public tables have RLS enabled. The policies enforce:
 | `users` | All authenticated users can read | - | Own row only | Own row only |
 | `profiles` | All authenticated users can read | Own row only | Own row only | - |
 | `friends` | Only if `user_id` or `friend_id` matches | Only if `user_id` or `friend_id` matches | - | Only if `user_id` or `friend_id` matches |
-| `friend_requests` | Own rows (as requester or target) | Own as requester | Own as target | Own as requester or target |
+| `friend_requests` | Own rows (as requester or target) | Own as requester (rate-limited) | Own as target | Own as requester or target |
 
 The read-all policy on `users` and `profiles` is intentional - users need to search for others by username and view friends' statuses.
 
+**Rate limiting**: A restrictive RLS policy on `friend_requests` limits each user to 20 INSERT operations per hour. This is enforced at the database level via a `RESTRICTIVE` policy that is ANDed with the permissive INSERT policy, backed by a composite index on `(requester_id, created_at)`.
+
 ### Cookie Security
 
 Auth session cookies are set with:
+
 - **`path: '/'`** - applies app-wide
 - **`secure: true`** in production (HTTPS only) - prevents cookie theft over plain HTTP
 - **`sameSite: 'lax'`** - blocks cross-site POST requests from sending the cookie (CSRF mitigation)
 - **`domain`** set to the request hostname in production - prevents session sharing across subdomains
 - Localhost/127.0.0.1: `domain` is omitted to avoid browser quirks
 
-iOS Safari receives `sameSite: 'lax'` (same as all other clients), which avoids the more restrictive `none` behavior that can cause issues with in-app browsers.
+All clients (including iOS Safari) receive `sameSite: 'lax'`, which avoids the more restrictive `none` behavior that can cause issues with in-app browsers.
 
 ### Database Functions
 
@@ -418,10 +434,5 @@ These are purely client-side and device-specific - they are not synced to the da
 ## Potential Improvements
 
 **API**
-- Introduce an API. View only, so people can make their own dashboards (e.g. TRMNL).
-
-**User Experience**
-- No password reset or email change flow is exposed in the UI.
 
-**Code Quality**
-- No automated tests (unit or integration).
+- Introduce an API. View only, so people can make their own dashboards (e.g. TRMNL).
diff --git a/package-lock.json b/package-lock.json
index 0307c6a..3e93c67 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -20,8 +20,6 @@
 				"@sveltejs/adapter-auto": "^7.0.1",
 				"@sveltejs/kit": "^2.53.0",
 				"@sveltejs/vite-plugin-svelte": "^6.2.4",
-				"@tailwindcss/forms": "^0.5.11",
-				"@tailwindcss/typography": "^0.5.19",
 				"@tailwindcss/vite": "^4.2.1",
 				"eslint": "^9.39.3",
 				"eslint-config-prettier": "^10.1.8",
@@ -35,7 +33,19 @@
 				"tailwindcss": "^4.2.1",
 				"typescript": "^5.9.3",
 				"typescript-eslint": "^8.56.1",
-				"vite": "^7.3.1"
+				"vite": "^7.3.1",
+				"vitest": "^4.0.18"
+			}
+		},
+		"node_modules/@emnapi/runtime": {
+			"version": "1.8.1",
+			"resolved": "https://registry.npmjs.org/@emnapi/runtime/-/runtime-1.8.1.tgz",
+			"integrity": "sha512-mehfKSMWjjNol8659Z8KxEMrdSJDDot5SXMq00dM8BN4o+CLNXQ0xH2V7EchNHV4RmbZLmmPdEaXZc5H2FXmDg==",
+			"dev": true,
+			"license": "MIT",
+			"optional": true,
+			"dependencies": {
+				"tslib": "^2.4.0"
 			}
 		},
 		"node_modules/@esbuild/aix-ppc64": {
@@ -1298,19 +1308,6 @@
 				"vite": "^6.3.0 || ^7.0.0"
 			}
 		},
-		"node_modules/@tailwindcss/forms": {
-			"version": "0.5.11",
-			"resolved": "https://registry.npmjs.org/@tailwindcss/forms/-/forms-0.5.11.tgz",
-			"integrity": "sha512-h9wegbZDPurxG22xZSoWtdzc41/OlNEUQERNqI/0fOwa2aVlWGu7C35E/x6LDyD3lgtztFSSjKZyuVM0hxhbgA==",
-			"dev": true,
-			"license": "MIT",
-			"dependencies": {
-				"mini-svg-data-uri": "^1.2.3"
-			},
-			"peerDependencies": {
-				"tailwindcss": ">=3.0.0 || >= 3.0.0-alpha.1 || >= 4.0.0-alpha.20 || >= 4.0.0-beta.1"
-			}
-		},
 		"node_modules/@tailwindcss/node": {
 			"version": "4.2.1",
 			"resolved": "https://registry.npmjs.org/@tailwindcss/node/-/node-4.2.1.tgz",
@@ -1568,19 +1565,6 @@
 				"node": ">= 20"
 			}
 		},
-		"node_modules/@tailwindcss/typography": {
-			"version": "0.5.19",
-			"resolved": "https://registry.npmjs.org/@tailwindcss/typography/-/typography-0.5.19.tgz",
-			"integrity": "sha512-w31dd8HOx3k9vPtcQh5QHP9GwKcgbMp87j58qi6xgiBnFFtKEAgCWnDw4qUT8aHwkCp8bKvb/KGKWWHedP0AAg==",
-			"dev": true,
-			"license": "MIT",
-			"dependencies": {
-				"postcss-selector-parser": "6.0.10"
-			},
-			"peerDependencies": {
-				"tailwindcss": ">=3.0.0 || insiders || >=4.0.0-alpha.20 || >=4.0.0-beta.1"
-			}
-		},
 		"node_modules/@tailwindcss/vite": {
 			"version": "4.2.1",
 			"resolved": "https://registry.npmjs.org/@tailwindcss/vite/-/vite-4.2.1.tgz",
@@ -1596,6 +1580,17 @@
 				"vite": "^5.2.0 || ^6 || ^7"
 			}
 		},
+		"node_modules/@types/chai": {
+			"version": "5.2.3",
+			"resolved": "https://registry.npmjs.org/@types/chai/-/chai-5.2.3.tgz",
+			"integrity": "sha512-Mw558oeA9fFbv65/y4mHtXDs9bPnFMZAL/jxdPFUpOHHIXX91mcgEHbS5Lahr+pwZFR8A7GQleRWeI6cGFC2UA==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"@types/deep-eql": "*",
+				"assertion-error": "^2.0.1"
+			}
+		},
 		"node_modules/@types/cookie": {
 			"version": "0.6.0",
 			"resolved": "https://registry.npmjs.org/@types/cookie/-/cookie-0.6.0.tgz",
@@ -1603,6 +1598,13 @@
 			"dev": true,
 			"license": "MIT"
 		},
+		"node_modules/@types/deep-eql": {
+			"version": "4.0.2",
+			"resolved": "https://registry.npmjs.org/@types/deep-eql/-/deep-eql-4.0.2.tgz",
+			"integrity": "sha512-c9h9dVVMigMPc4bwTvC5dxqtqJZwQPePsWjPlpSOnojbor6pGqdk541lfA7AqFQr5pB1BRdq0juY9db81BwyFw==",
+			"dev": true,
+			"license": "MIT"
+		},
 		"node_modules/@types/estree": {
 			"version": "1.0.8",
 			"resolved": "https://registry.npmjs.org/@types/estree/-/estree-1.0.8.tgz",
@@ -1930,6 +1932,117 @@
 				"url": "https://opencollective.com/eslint"
 			}
 		},
+		"node_modules/@vitest/expect": {
+			"version": "4.0.18",
+			"resolved": "https://registry.npmjs.org/@vitest/expect/-/expect-4.0.18.tgz",
+			"integrity": "sha512-8sCWUyckXXYvx4opfzVY03EOiYVxyNrHS5QxX3DAIi5dpJAAkyJezHCP77VMX4HKA2LDT/Jpfo8i2r5BE3GnQQ==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"@standard-schema/spec": "^1.0.0",
+				"@types/chai": "^5.2.2",
+				"@vitest/spy": "4.0.18",
+				"@vitest/utils": "4.0.18",
+				"chai": "^6.2.1",
+				"tinyrainbow": "^3.0.3"
+			},
+			"funding": {
+				"url": "https://opencollective.com/vitest"
+			}
+		},
+		"node_modules/@vitest/mocker": {
+			"version": "4.0.18",
+			"resolved": "https://registry.npmjs.org/@vitest/mocker/-/mocker-4.0.18.tgz",
+			"integrity": "sha512-HhVd0MDnzzsgevnOWCBj5Otnzobjy5wLBe4EdeeFGv8luMsGcYqDuFRMcttKWZA5vVO8RFjexVovXvAM4JoJDQ==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"@vitest/spy": "4.0.18",
+				"estree-walker": "^3.0.3",
+				"magic-string": "^0.30.21"
+			},
+			"funding": {
+				"url": "https://opencollective.com/vitest"
+			},
+			"peerDependencies": {
+				"msw": "^2.4.9",
+				"vite": "^6.0.0 || ^7.0.0-0"
+			},
+			"peerDependenciesMeta": {
+				"msw": {
+					"optional": true
+				},
+				"vite": {
+					"optional": true
+				}
+			}
+		},
+		"node_modules/@vitest/pretty-format": {
+			"version": "4.0.18",
+			"resolved": "https://registry.npmjs.org/@vitest/pretty-format/-/pretty-format-4.0.18.tgz",
+			"integrity": "sha512-P24GK3GulZWC5tz87ux0m8OADrQIUVDPIjjj65vBXYG17ZeU3qD7r+MNZ1RNv4l8CGU2vtTRqixrOi9fYk/yKw==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"tinyrainbow": "^3.0.3"
+			},
+			"funding": {
+				"url": "https://opencollective.com/vitest"
+			}
+		},
+		"node_modules/@vitest/runner": {
+			"version": "4.0.18",
+			"resolved": "https://registry.npmjs.org/@vitest/runner/-/runner-4.0.18.tgz",
+			"integrity": "sha512-rpk9y12PGa22Jg6g5M3UVVnTS7+zycIGk9ZNGN+m6tZHKQb7jrP7/77WfZy13Y/EUDd52NDsLRQhYKtv7XfPQw==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"@vitest/utils": "4.0.18",
+				"pathe": "^2.0.3"
+			},
+			"funding": {
+				"url": "https://opencollective.com/vitest"
+			}
+		},
+		"node_modules/@vitest/snapshot": {
+			"version": "4.0.18",
+			"resolved": "https://registry.npmjs.org/@vitest/snapshot/-/snapshot-4.0.18.tgz",
+			"integrity": "sha512-PCiV0rcl7jKQjbgYqjtakly6T1uwv/5BQ9SwBLekVg/EaYeQFPiXcgrC2Y7vDMA8dM1SUEAEV82kgSQIlXNMvA==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"@vitest/pretty-format": "4.0.18",
+				"magic-string": "^0.30.21",
+				"pathe": "^2.0.3"
+			},
+			"funding": {
+				"url": "https://opencollective.com/vitest"
+			}
+		},
+		"node_modules/@vitest/spy": {
+			"version": "4.0.18",
+			"resolved": "https://registry.npmjs.org/@vitest/spy/-/spy-4.0.18.tgz",
+			"integrity": "sha512-cbQt3PTSD7P2OARdVW3qWER5EGq7PHlvE+QfzSC0lbwO+xnt7+XH06ZzFjFRgzUX//JmpxrCu92VdwvEPlWSNw==",
+			"dev": true,
+			"license": "MIT",
+			"funding": {
+				"url": "https://opencollective.com/vitest"
+			}
+		},
+		"node_modules/@vitest/utils": {
+			"version": "4.0.18",
+			"resolved": "https://registry.npmjs.org/@vitest/utils/-/utils-4.0.18.tgz",
+			"integrity": "sha512-msMRKLMVLWygpK3u2Hybgi4MNjcYJvwTb0Ru09+fOyCXIgT5raYP041DRRdiJiI3k/2U6SEbAETB3YtBrUkCFA==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"@vitest/pretty-format": "4.0.18",
+				"tinyrainbow": "^3.0.3"
+			},
+			"funding": {
+				"url": "https://opencollective.com/vitest"
+			}
+		},
 		"node_modules/acorn": {
 			"version": "8.15.0",
 			"resolved": "https://registry.npmjs.org/acorn/-/acorn-8.15.0.tgz",
@@ -2003,6 +2116,16 @@
 				"node": ">= 0.4"
 			}
 		},
+		"node_modules/assertion-error": {
+			"version": "2.0.1",
+			"resolved": "https://registry.npmjs.org/assertion-error/-/assertion-error-2.0.1.tgz",
+			"integrity": "sha512-Izi8RQcffqCeNVgFigKli1ssklIbpHnCYc6AknXGYoB6grJqyeby7jv12JUQgmTAnIDnbck1uxksT4dzN3PWBA==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"node": ">=12"
+			}
+		},
 		"node_modules/axobject-query": {
 			"version": "4.1.0",
 			"resolved": "https://registry.npmjs.org/axobject-query/-/axobject-query-4.1.0.tgz",
@@ -2041,6 +2164,16 @@
 				"node": ">=6"
 			}
 		},
+		"node_modules/chai": {
+			"version": "6.2.2",
+			"resolved": "https://registry.npmjs.org/chai/-/chai-6.2.2.tgz",
+			"integrity": "sha512-NUPRluOfOiTKBKvWPtSD4PhFvWCqOi0BGStNWs57X9js7XGTprSmFoz5F0tWhR4WPjNeR9jXqdC7/UpSJTnlRg==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"node": ">=18"
+			}
+		},
 		"node_modules/chalk": {
 			"version": "4.1.2",
 			"resolved": "https://registry.npmjs.org/chalk/-/chalk-4.1.2.tgz",
@@ -2194,9 +2327,9 @@
 			}
 		},
 		"node_modules/detect-libc": {
-			"version": "2.0.4",
-			"resolved": "https://registry.npmjs.org/detect-libc/-/detect-libc-2.0.4.tgz",
-			"integrity": "sha512-3UDv+G9CsCKO1WKMGw9fwq/SWJYbI0c5Y7LU1AXYoDdbhE2AHQ6N6Nb34sG8Fj7T5APy8qXDCKuuIHd1BR0tVA==",
+			"version": "2.1.2",
+			"resolved": "https://registry.npmjs.org/detect-libc/-/detect-libc-2.1.2.tgz",
+			"integrity": "sha512-Btj2BOOO83o3WyH59e8MgXsxEQVcarkUOpEYrubB0urwnN10yQ364rsiByU11nZlqWYZm05i/of7io4mzihBtQ==",
 			"dev": true,
 			"license": "Apache-2.0",
 			"engines": {
@@ -2224,6 +2357,13 @@
 				"node": ">=10.13.0"
 			}
 		},
+		"node_modules/es-module-lexer": {
+			"version": "1.7.0",
+			"resolved": "https://registry.npmjs.org/es-module-lexer/-/es-module-lexer-1.7.0.tgz",
+			"integrity": "sha512-jEQoCwk8hyb2AZziIOLhDqpm5+2ww5uIE6lkO/6jcOCusfk6LhMHpXXfBLXTZ7Ydyt0j4VoUQv6uGNYbdW+kBA==",
+			"dev": true,
+			"license": "MIT"
+		},
 		"node_modules/esbuild": {
 			"version": "0.27.3",
 			"resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.27.3.tgz",
@@ -2503,6 +2643,16 @@
 				"node": ">=4.0"
 			}
 		},
+		"node_modules/estree-walker": {
+			"version": "3.0.3",
+			"resolved": "https://registry.npmjs.org/estree-walker/-/estree-walker-3.0.3.tgz",
+			"integrity": "sha512-7RUKfXgSMMkzt6ZuXmqapOurLGPPfgj6l9uRZ7lRGolvk0y2yocc35LdcxKC5PQZdn2DMqioAQ2NoWcrTKmm6g==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"@types/estree": "^1.0.0"
+			}
+		},
 		"node_modules/esutils": {
 			"version": "2.0.3",
 			"resolved": "https://registry.npmjs.org/esutils/-/esutils-2.0.3.tgz",
@@ -2513,6 +2663,16 @@
 				"node": ">=0.10.0"
 			}
 		},
+		"node_modules/expect-type": {
+			"version": "1.3.0",
+			"resolved": "https://registry.npmjs.org/expect-type/-/expect-type-1.3.0.tgz",
+			"integrity": "sha512-knvyeauYhqjOYvQ66MznSMs83wmHrCycNEN6Ao+2AeYEfxUIkuiVxdEa1qlGEPK+We3n0THiDciYSsCcgW/DoA==",
+			"dev": true,
+			"license": "Apache-2.0",
+			"engines": {
+				"node": ">=12.0.0"
+			}
+		},
 		"node_modules/fast-deep-equal": {
 			"version": "3.1.3",
 			"resolved": "https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz",
@@ -3143,16 +3303,6 @@
 				"@jridgewell/sourcemap-codec": "^1.5.5"
 			}
 		},
-		"node_modules/mini-svg-data-uri": {
-			"version": "1.4.4",
-			"resolved": "https://registry.npmjs.org/mini-svg-data-uri/-/mini-svg-data-uri-1.4.4.tgz",
-			"integrity": "sha512-r9deDe9p5FJUPZAk3A59wGH7Ii9YrjjWw0jmw/liSbHl2CHiyXj6FcDXDu2K3TjVAXqiJdaw3xxwlZZr9E6nHg==",
-			"dev": true,
-			"license": "MIT",
-			"bin": {
-				"mini-svg-data-uri": "cli.js"
-			}
-		},
 		"node_modules/minimatch": {
 			"version": "3.1.2",
 			"resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz",
@@ -3313,6 +3463,13 @@
 				"node": ">=8"
 			}
 		},
+		"node_modules/pathe": {
+			"version": "2.0.3",
+			"resolved": "https://registry.npmjs.org/pathe/-/pathe-2.0.3.tgz",
+			"integrity": "sha512-WUjGcAqP1gQacoQe+OBJsFA7Ld4DyXuUIjZ5cc75cLHvJ7dtNsTugphxIADwspS+AraAUePCKrSVtPLFj/F88w==",
+			"dev": true,
+			"license": "MIT"
+		},
 		"node_modules/picocolors": {
 			"version": "1.1.1",
 			"resolved": "https://registry.npmjs.org/picocolors/-/picocolors-1.1.1.tgz",
@@ -3456,20 +3613,6 @@
 				"postcss": "^8.4.29"
 			}
 		},
-		"node_modules/postcss-selector-parser": {
-			"version": "6.0.10",
-			"resolved": "https://registry.npmjs.org/postcss-selector-parser/-/postcss-selector-parser-6.0.10.tgz",
-			"integrity": "sha512-IQ7TZdoaqbT+LCpShg46jnZVlhWD2w6iQYAcYXfHARZ7X1t/UGhhceQDs5X0cGqKvYlHNOuv7Oa1xmb0oQuA3w==",
-			"dev": true,
-			"license": "MIT",
-			"dependencies": {
-				"cssesc": "^3.0.0",
-				"util-deprecate": "^1.0.2"
-			},
-			"engines": {
-				"node": ">=4"
-			}
-		},
 		"node_modules/prelude-ls": {
 			"version": "1.2.1",
 			"resolved": "https://registry.npmjs.org/prelude-ls/-/prelude-ls-1.2.1.tgz",
@@ -3718,6 +3861,13 @@
 				"node": ">=8"
 			}
 		},
+		"node_modules/siginfo": {
+			"version": "2.0.0",
+			"resolved": "https://registry.npmjs.org/siginfo/-/siginfo-2.0.0.tgz",
+			"integrity": "sha512-ybx0WO1/8bSBLEWXZvEd7gMW3Sn3JFlW3TvX1nREbDLRNQNaeNN8WK0meBwPdAaOI7TtRRRJn/Es1zhrrCHu7g==",
+			"dev": true,
+			"license": "ISC"
+		},
 		"node_modules/sirv": {
 			"version": "3.0.1",
 			"resolved": "https://registry.npmjs.org/sirv/-/sirv-3.0.1.tgz",
@@ -3743,6 +3893,20 @@
 				"node": ">=0.10.0"
 			}
 		},
+		"node_modules/stackback": {
+			"version": "0.0.2",
+			"resolved": "https://registry.npmjs.org/stackback/-/stackback-0.0.2.tgz",
+			"integrity": "sha512-1XMJE5fQo1jGH6Y/7ebnwPOBEkIEnT4QF32d5R1+VXdXveM0IBMJt8zfaxX1P3QhVwrYe+576+jkANtSS2mBbw==",
+			"dev": true,
+			"license": "MIT"
+		},
+		"node_modules/std-env": {
+			"version": "3.10.0",
+			"resolved": "https://registry.npmjs.org/std-env/-/std-env-3.10.0.tgz",
+			"integrity": "sha512-5GS12FdOZNliM5mAOxFRg7Ir0pWz8MdpYm6AY6VPkGpbA7ZzmbzNcBJQ0GPvvyWgcY7QAhCgf9Uy89I03faLkg==",
+			"dev": true,
+			"license": "MIT"
+		},
 		"node_modules/strip-json-comments": {
 			"version": "3.1.1",
 			"resolved": "https://registry.npmjs.org/strip-json-comments/-/strip-json-comments-3.1.1.tgz",
@@ -3899,6 +4063,23 @@
 			"integrity": "sha512-B/UdsgdHAGhSKHTAQnxg/etN0RaMDpehuJmZIjLMDVJ6DGIliRHGD6pODi1CXLQAN9GV0GSyB3G6yCuK05PkPQ==",
 			"license": "MIT"
 		},
+		"node_modules/tinybench": {
+			"version": "2.9.0",
+			"resolved": "https://registry.npmjs.org/tinybench/-/tinybench-2.9.0.tgz",
+			"integrity": "sha512-0+DUvqWMValLmha6lr4kD8iAMK1HzV0/aKnCtWb9v9641TnP/MFb7Pc2bxoxQjTXAErryXVgUOfv2YqNllqGeg==",
+			"dev": true,
+			"license": "MIT"
+		},
+		"node_modules/tinyexec": {
+			"version": "1.0.2",
+			"resolved": "https://registry.npmjs.org/tinyexec/-/tinyexec-1.0.2.tgz",
+			"integrity": "sha512-W/KYk+NFhkmsYpuHq5JykngiOCnxeVL8v8dFnqxSD8qEEdRfXk1SDM6JzNqcERbcGYj9tMrDQBYV9cjgnunFIg==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"node": ">=18"
+			}
+		},
 		"node_modules/tinyglobby": {
 			"version": "0.2.15",
 			"resolved": "https://registry.npmjs.org/tinyglobby/-/tinyglobby-0.2.15.tgz",
@@ -3916,6 +4097,16 @@
 				"url": "https://github.com/sponsors/SuperchupuDev"
 			}
 		},
+		"node_modules/tinyrainbow": {
+			"version": "3.0.3",
+			"resolved": "https://registry.npmjs.org/tinyrainbow/-/tinyrainbow-3.0.3.tgz",
+			"integrity": "sha512-PSkbLUoxOFRzJYjjxHJt9xro7D+iilgMX/C9lawzVuYiIdcihh9DXmVibBe8lmcFrRi/VzlPjBxbN7rH24q8/Q==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"node": ">=14.0.0"
+			}
+		},
 		"node_modules/totalist": {
 			"version": "3.0.1",
 			"resolved": "https://registry.npmjs.org/totalist/-/totalist-3.0.1.tgz",
@@ -4114,6 +4305,84 @@
 				}
 			}
 		},
+		"node_modules/vitest": {
+			"version": "4.0.18",
+			"resolved": "https://registry.npmjs.org/vitest/-/vitest-4.0.18.tgz",
+			"integrity": "sha512-hOQuK7h0FGKgBAas7v0mSAsnvrIgAvWmRFjmzpJ7SwFHH3g1k2u37JtYwOwmEKhK6ZO3v9ggDBBm0La1LCK4uQ==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"@vitest/expect": "4.0.18",
+				"@vitest/mocker": "4.0.18",
+				"@vitest/pretty-format": "4.0.18",
+				"@vitest/runner": "4.0.18",
+				"@vitest/snapshot": "4.0.18",
+				"@vitest/spy": "4.0.18",
+				"@vitest/utils": "4.0.18",
+				"es-module-lexer": "^1.7.0",
+				"expect-type": "^1.2.2",
+				"magic-string": "^0.30.21",
+				"obug": "^2.1.1",
+				"pathe": "^2.0.3",
+				"picomatch": "^4.0.3",
+				"std-env": "^3.10.0",
+				"tinybench": "^2.9.0",
+				"tinyexec": "^1.0.2",
+				"tinyglobby": "^0.2.15",
+				"tinyrainbow": "^3.0.3",
+				"vite": "^6.0.0 || ^7.0.0",
+				"why-is-node-running": "^2.3.0"
+			},
+			"bin": {
+				"vitest": "vitest.mjs"
+			},
+			"engines": {
+				"node": "^20.0.0 || ^22.0.0 || >=24.0.0"
+			},
+			"funding": {
+				"url": "https://opencollective.com/vitest"
+			},
+			"peerDependencies": {
+				"@edge-runtime/vm": "*",
+				"@opentelemetry/api": "^1.9.0",
+				"@types/node": "^20.0.0 || ^22.0.0 || >=24.0.0",
+				"@vitest/browser-playwright": "4.0.18",
+				"@vitest/browser-preview": "4.0.18",
+				"@vitest/browser-webdriverio": "4.0.18",
+				"@vitest/ui": "4.0.18",
+				"happy-dom": "*",
+				"jsdom": "*"
+			},
+			"peerDependenciesMeta": {
+				"@edge-runtime/vm": {
+					"optional": true
+				},
+				"@opentelemetry/api": {
+					"optional": true
+				},
+				"@types/node": {
+					"optional": true
+				},
+				"@vitest/browser-playwright": {
+					"optional": true
+				},
+				"@vitest/browser-preview": {
+					"optional": true
+				},
+				"@vitest/browser-webdriverio": {
+					"optional": true
+				},
+				"@vitest/ui": {
+					"optional": true
+				},
+				"happy-dom": {
+					"optional": true
+				},
+				"jsdom": {
+					"optional": true
+				}
+			}
+		},
 		"node_modules/which": {
 			"version": "2.0.2",
 			"resolved": "https://registry.npmjs.org/which/-/which-2.0.2.tgz",
@@ -4130,6 +4399,23 @@
 				"node": ">= 8"
 			}
 		},
+		"node_modules/why-is-node-running": {
+			"version": "2.3.0",
+			"resolved": "https://registry.npmjs.org/why-is-node-running/-/why-is-node-running-2.3.0.tgz",
+			"integrity": "sha512-hUrmaWBdVDcxvYqnyh09zunKzROWjbZTiNy8dBEjkS7ehEDQibXJ7XvlmtbwuTclUiIyN+CyXQD4Vmko8fNm8w==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"siginfo": "^2.0.0",
+				"stackback": "0.0.2"
+			},
+			"bin": {
+				"why-is-node-running": "cli.js"
+			},
+			"engines": {
+				"node": ">=8"
+			}
+		},
 		"node_modules/word-wrap": {
 			"version": "1.2.5",
 			"resolved": "https://registry.npmjs.org/word-wrap/-/word-wrap-1.2.5.tgz",
diff --git a/package.json b/package.json
index 6e75cc1..d19d1ad 100644
--- a/package.json
+++ b/package.json
@@ -11,7 +11,9 @@
 		"check": "svelte-kit sync && svelte-check --tsconfig ./tsconfig.json",
 		"check:watch": "svelte-kit sync && svelte-check --tsconfig ./tsconfig.json --watch",
 		"format": "prettier --write .",
-		"lint": "prettier --check . && eslint ."
+		"lint": "prettier --check . && eslint .",
+		"test": "vitest run",
+		"test:watch": "vitest"
 	},
 	"devDependencies": {
 		"@eslint/compat": "^1.4.1",
@@ -19,8 +21,6 @@
 		"@sveltejs/adapter-auto": "^7.0.1",
 		"@sveltejs/kit": "^2.53.0",
 		"@sveltejs/vite-plugin-svelte": "^6.2.4",
-		"@tailwindcss/forms": "^0.5.11",
-		"@tailwindcss/typography": "^0.5.19",
 		"@tailwindcss/vite": "^4.2.1",
 		"eslint": "^9.39.3",
 		"eslint-config-prettier": "^10.1.8",
@@ -34,7 +34,8 @@
 		"tailwindcss": "^4.2.1",
 		"typescript": "^5.9.3",
 		"typescript-eslint": "^8.56.1",
-		"vite": "^7.3.1"
+		"vite": "^7.3.1",
+		"vitest": "^4.0.18"
 	},
 	"dependencies": {
 		"@supabase/ssr": "^0.8.0",
diff --git a/src/app.css b/src/app.css
index 5676928..da6e77a 100644
--- a/src/app.css
+++ b/src/app.css
@@ -1,6 +1,4 @@
 @import 'tailwindcss';
-@plugin '@tailwindcss/forms';
-@plugin '@tailwindcss/typography';
 @plugin "daisyui" {
 	themes: all;
 }
diff --git a/src/app.html b/src/app.html
index f2516ae..1093ed8 100644
--- a/src/app.html
+++ b/src/app.html
@@ -2,8 +2,13 @@
 <html lang="en" data-theme="">
 	<head>
 		<meta charset="utf-8" />
-		<link rel="icon" href="%sveltekit.assets%/favicon.png" />
+		<link rel="icon" type="image/svg+xml" href="%sveltekit.assets%/favicon.svg" />
+		<link rel="manifest" href="%sveltekit.assets%/manifest.json" />
+		<link rel="apple-touch-icon" href="%sveltekit.assets%/icon-192.png" />
 		<meta name="viewport" content="width=device-width, initial-scale=1" />
+		<meta name="theme-color" content="#6419e6" />
+		<meta name="apple-mobile-web-app-capable" content="yes" />
+		<meta name="apple-mobile-web-app-status-bar-style" content="black-translucent" />
 		%sveltekit.head%
 	</head>
 	<body data-sveltekit-preload-data="hover">
diff --git a/src/database.types.ts b/src/database.types.ts
index 69b5250..49455d6 100644
--- a/src/database.types.ts
+++ b/src/database.types.ts
@@ -51,31 +51,28 @@ export interface Database {
 				};
 				Relationships: [];
 			};
-			friend_requests: {
-				Row: {
-					id: string;
-					requester_id: string;
-					target_id: string;
-					status: string;
-					created_at: string;
-					updated_at: string;
-				};
-				Insert: {
-					id?: string;
-					requester_id: string;
-					target_id: string;
-					status?: string;
-					created_at?: string;
-					updated_at?: string;
-				};
-				Update: {
-					id?: string;
-					requester_id?: string;
-					target_id?: string;
-					status?: string;
-					created_at?: string;
-					updated_at?: string;
-				};
+		friend_requests: {
+			Row: {
+				id: string;
+				requester_id: string;
+				target_id: string;
+				created_at: string;
+				updated_at: string;
+			};
+			Insert: {
+				id?: string;
+				requester_id: string;
+				target_id: string;
+				created_at?: string;
+				updated_at?: string;
+			};
+			Update: {
+				id?: string;
+				requester_id?: string;
+				target_id?: string;
+				created_at?: string;
+				updated_at?: string;
+			};
 				Relationships: [
 					{
 						foreignKeyName: 'friend_requests_requester_id_fkey';
@@ -130,7 +127,14 @@ export interface Database {
 			[_ in never]: never;
 		};
 		Functions: {
-			[_ in never]: never;
+			get_dashboard_data: {
+				Args: Record<string, never>;
+				Returns: Json;
+			};
+			delete_user_account: {
+				Args: Record<string, never>;
+				Returns: undefined;
+			};
 		};
 		Enums: {
 			[_ in never]: never;
diff --git a/src/hooks.server.ts b/src/hooks.server.ts
index 6b0c0d8..de0b48b 100644
--- a/src/hooks.server.ts
+++ b/src/hooks.server.ts
@@ -1,5 +1,3 @@
-// Set NODE_TLS_REJECT_UNAUTHORIZED=0 only in development mode
-// This allows self-signed certificates to be accepted
 if (process.env.NODE_ENV === 'development') {
 	process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
 	console.log('⚠️\tSSL certificate verification disabled for development');
@@ -12,21 +10,17 @@ import { type Handle, redirect } from '@sveltejs/kit';
 import { sequence } from '@sveltejs/kit/hooks';
 import https from 'node:https';
 
-// Create a custom agent that allows self-signed certificates in development
 const isDev = process.env.NODE_ENV === 'development';
 const httpsAgent = isDev ? new https.Agent({ rejectUnauthorized: false }) : undefined;
 
-// Custom fetch function that uses our HTTPS agent in development
 const customFetch = (input: URL | RequestInfo, init?: RequestInit) => {
 	if (isDev) {
-		// In development, use node-fetch with our custom agent
 		return fetch(input, {
 			...init,
 			// @ts-expect-error - Agent is not in standard RequestInit but works with Node.js fetch
 			agent: httpsAgent
 		});
 	}
-	// In production, use the standard fetch
 	return fetch(input, init);
 };
 
@@ -38,33 +32,13 @@ const supabase: Handle = async ({ event, resolve }) => {
 				cookiesToSet: { name: string; value: string; options?: Record<string, unknown> }[]
 			) => {
 				cookiesToSet.forEach(({ name, value, options }) => {
-					// Get the current host from the request
 					const host = event.url.hostname;
 
-					// Detect iOS Safari user agent for special cookie handling
-					const userAgent = event.request.headers.get('user-agent') || '';
-					const isIOS = /iPad|iPhone|iPod/.test(userAgent);
-					const isSafari = /Safari/.test(userAgent) && !/Chrome|CriOS|FxiOS/.test(userAgent);
-					const isIOSSafari = isIOS && isSafari;
-
-					// SECURITY FIX: Set secure cookie options to prevent session sharing across devices/domains
-					// This addresses the critical vulnerability where users were sharing sessions
-					// iOS Safari compatibility: Use 'none' with secure for cross-site, or 'lax' for same-site
-					// For iOS Safari, we need to be more careful with sameSite settings
 					const secureOptions = {
 						...options,
 						path: '/',
-						// Note: We don't set httpOnly for auth tokens as Supabase needs client-side access
-						// Set secure flag in production (requires HTTPS)
 						secure: event.url.protocol === 'https:',
-						// iOS Safari fix: Use 'lax' for same-site, but ensure secure is set properly
-						// For iOS Safari, 'lax' works better than 'none' for same-site requests
-						sameSite: (isIOSSafari && event.url.protocol === 'https:')
-							? 'lax' as const
-							: 'lax' as const,
-						// Set domain to current host to prevent cross-domain sharing
-						// This ensures sessions are isolated per domain/device
-						// iOS Safari: Don't set domain for localhost, and be careful with subdomains
+						sameSite: 'lax' as const,
 						domain: host.startsWith('localhost') || host.startsWith('127.0.0.1')
 							? undefined
 							: host
@@ -95,7 +69,6 @@ const supabase: Handle = async ({ event, resolve }) => {
 		} = await event.locals.supabase.auth.getUser();
 
 		if (userError) {
-			// JWT validation has failed - following official docs pattern
 			return { session: null, user: null };
 		}
 
@@ -125,9 +98,7 @@ const authGuard: Handle = async ({ event, resolve }) => {
 	return resolve(event);
 };
 
-// Handle Chrome DevTools requests to prevent 404 errors
 const handleDevToolsRequests: Handle = async ({ event, resolve }) => {
-	// Check if the request is for Chrome DevTools specific endpoints
 	if (event.url.pathname.includes('/.well-known/appspecific/com.chrome.devtools')) {
 		return new Response(JSON.stringify({ message: 'Not implemented' }), {
 			status: 200,
diff --git a/src/lib/dashboard/loader.ts b/src/lib/dashboard/loader.ts
index 2113a25..231085b 100644
--- a/src/lib/dashboard/loader.ts
+++ b/src/lib/dashboard/loader.ts
@@ -2,7 +2,6 @@ import type { SupabaseClient } from '@supabase/supabase-js';
 import type { Database } from '../../database.types';
 import { getQuickStatuses, type QuickStatus } from '../status/quick.js';
 
-// Types for the dashboard data
 export interface FriendRequest {
 	id: string;
 	requester_id: string;
@@ -10,7 +9,6 @@ export interface FriendRequest {
 	requester_display_name: string | null;
 }
 
-// Types for joined queries
 interface FriendRequestWithUser {
 	id: string;
 	requester_id: string;
@@ -80,11 +78,9 @@ export interface UserExportData {
 	};
 }
 
-// Utility function to remove duplicates by ID
 const deduplicateById = <T extends { id: string }>(items: T[]): T[] =>
 	items.filter((item, index, self) => index === self.findIndex((other) => other.id === item.id));
 
-// Shape of the JSON object returned by the get_dashboard_data() RPC function.
 interface DashboardRpcResult {
 	username: string;
 	display_name: string | null;
@@ -120,23 +116,6 @@ export class DashboardDataLoader {
 		this.userId = userId;
 	}
 
-	async loadUserProfile(): Promise<{
-		username: string;
-		display_name: string | null;
-		status: string;
-	}> {
-		const [userData, profileData] = await Promise.all([
-			this.supabase.from('users').select('username, display_name').eq('id', this.userId).single(),
-			this.supabase.from('profiles').select('status').eq('id', this.userId).single()
-		]);
-
-		return {
-			username: userData.data?.username || '',
-			display_name: userData.data?.display_name || null,
-			status: profileData.data?.status || ''
-		};
-	}
-
 	async loadFriendRequests(): Promise<FriendRequest[]> {
 		const { data } = await this.supabase
 			.from('friend_requests')
@@ -179,8 +158,6 @@ export class DashboardDataLoader {
 	}
 
 	async loadFriends(): Promise<Friend[]> {
-		// Get all friendships where current user is either user_id or friend_id
-		// Since we now store only one record per friendship, we need to check both columns
 		const { data: friendships } = await this.supabase
 			.from('friends')
 			.select('id, user_id, friend_id')
@@ -190,31 +167,26 @@ export class DashboardDataLoader {
 			return [];
 		}
 
-		// Get friend IDs (the other person in each friendship)
 		const friendIds = friendships.map((friendship) => {
 			return friendship.user_id === this.userId ? friendship.friend_id : friendship.user_id;
 		});
 
-		// Fetch user details for all friends
 		const { data: friendUsers } = await this.supabase
 			.from('users')
 			.select('id, username, display_name')
 			.in('id', friendIds);
 
-		// Get statuses for all friends in parallel
 		const { data: friendStatuses } =
 			friendIds.length > 0
 				? await this.supabase.from('profiles').select('id, status, updated_at').in('id', friendIds)
 				: { data: [] };
 
-		// Create maps for friend data
 		const userMap = new Map(friendUsers?.map((user) => [user.id, user]) || []);
 		const statusMap = new Map(friendStatuses?.map((profile) => [profile.id, profile.status]) || []);
 		const statusUpdatedAtMap = new Map(
 			friendStatuses?.map((profile) => [profile.id, profile.updated_at]) || []
 		);
 
-		// Process and format friends
 		const formattedFriends = friendIds.map((friendId) => {
 			const user = userMap.get(friendId);
 			return {
@@ -230,14 +202,11 @@ export class DashboardDataLoader {
 	}
 
 	async loadQuickStatuses(): Promise<QuickStatus[]> {
-		// Load quick statuses from localStorage instead of database
 		return getQuickStatuses();
 	}
 
 	async loadAllData(): Promise<DashboardData> {
-		const rpcResult = await this.supabase.rpc(
-			'get_dashboard_data' as keyof Database['public']['Functions']
-		);
+		const rpcResult = await this.supabase.rpc('get_dashboard_data');
 
 		if (rpcResult.error) {
 			throw rpcResult.error;
@@ -260,7 +229,6 @@ export class DashboardDataLoader {
 	}
 
 	async exportUserData(): Promise<UserExportData> {
-		// Load all user data including detailed user and profile information
 		const [userData, profileData, friendRequests, sentFriendRequests, friends, quickStatuses] =
 			await Promise.all([
 				this.supabase
@@ -309,12 +277,8 @@ export class DashboardDataLoader {
 	}
 
 	async deleteUserAccount(): Promise<void> {
-		// Use the database function to delete the user account
-		// This function handles all the deletion logic and can delete the auth user
 		try {
-			const { error } = await this.supabase.rpc(
-				'delete_user_account' as keyof Database['public']['Functions']
-			);
+			const { error } = await this.supabase.rpc('delete_user_account');
 
 			if (error) {
 				throw new Error(`Failed to delete account: ${error.message}`);
diff --git a/src/lib/friends/api.ts b/src/lib/friends/api.ts
index fd05bca..4a2f2ff 100644
--- a/src/lib/friends/api.ts
+++ b/src/lib/friends/api.ts
@@ -1,13 +1,11 @@
 import type { SupabaseClient } from '@supabase/supabase-js';
 
-// Friendship verification utility
 export async function verifyFriendshipExists(
 	supabase: SupabaseClient,
 	userId: string,
 	friendId: string
 ): Promise<boolean> {
 	try {
-		// Check for the single friendship record (could be in either direction)
 		const { data: friendship, error } = await supabase
 			.from('friends')
 			.select('id')
@@ -28,7 +26,6 @@ export async function verifyFriendshipExists(
 	}
 }
 
-// Friend request utilities
 export async function checkExistingFriendRequest(
 	supabase: SupabaseClient,
 	requesterId: string,
@@ -73,7 +70,6 @@ export async function checkIncomingFriendRequest(
 			throw error;
 		}
 
-		// If a request exists, it's pending (requests are deleted when accepted/rejected)
 		return {
 			exists: !!incomingRequest,
 			isPending: !!incomingRequest
diff --git a/src/lib/friends/components/DeleteModal.svelte b/src/lib/friends/components/DeleteModal.svelte
index 9985b37..bb0ada0 100644
--- a/src/lib/friends/components/DeleteModal.svelte
+++ b/src/lib/friends/components/DeleteModal.svelte
@@ -11,7 +11,6 @@
 		$props();
 </script>
 
-<!-- Friend Deletion Confirmation Modal -->
 <dialog open={showDeleteModal} class="modal modal-bottom sm:modal-middle">
 	<div class="modal-box">
 		<h3 class="text-lg font-bold">Remove Friend</h3>
diff --git a/src/lib/friends/components/List.svelte b/src/lib/friends/components/List.svelte
index 986d941..40fdca3 100644
--- a/src/lib/friends/components/List.svelte
+++ b/src/lib/friends/components/List.svelte
@@ -1,10 +1,8 @@
 <script lang="ts">
 	import { browser } from '$app/environment';
-	import {
-		formatStatusUpdatedAt,
-		formatStatusUpdatedAtTooltip
-	} from '$lib/status/formatting';
+	import { formatStatusUpdatedAtTooltip } from '$lib/status/formatting';
 	import { getDisplayName } from '$lib/ui/notifications';
+	import RelativeTime from '$lib/ui/RelativeTime.svelte';
 	import Avatar from 'svelte-boring-avatars';
 
 	interface Friend {
@@ -24,7 +22,6 @@
 
 	let { friends, deletingFriends, onDeleteFriend, onReorderFriends }: Props = $props();
 
-	// Modal helpers
 	function openStatusModal(friend: Friend) {
 		const modal = document.getElementById(`status_modal_${friend.id}`) as HTMLDialogElement;
 		modal?.showModal();
@@ -43,20 +40,15 @@
 		if (event.key === 'Enter' || event.key === ' ') event.stopPropagation();
 	}
 
-	// --- Drag and drop state ---
 	let draggedFriend: Friend | null = $state(null);
 	let draggedIndex = $state(-1);
-	// Insertion gap: 0 = before first item, friends.length = after last item
 	let dropGapIndex = $state(-1);
 
-	// Container ref for touch calculations and drag-leave detection
 	let containerRef: HTMLDivElement | null = $state(null);
 
-	// Touch state — plain vars, not reactive (not rendered)
 	let touchStartY = 0;
 	let longPressTimer: ReturnType<typeof setTimeout> | null = null;
 
-	// Cached once — touch support doesn't change mid-session
 	const isTouch = browser && ('ontouchstart' in window || navigator.maxTouchPoints > 0);
 
 	function resetDragState() {
@@ -65,20 +57,18 @@
 		dropGapIndex = -1;
 	}
 
-	// Apply the pending reorder and notify the parent
 	function commitReorder() {
 		if (!draggedFriend || draggedIndex === -1 || dropGapIndex === -1) {
 			resetDragState();
 			return;
 		}
 
-		// Once the dragged item is removed from the array, indices above it shift down by one
-		const insertAt = dropGapIndex > draggedIndex ? dropGapIndex - 1 : dropGapIndex;
+		const adjustedInsertIndex = dropGapIndex > draggedIndex ? dropGapIndex - 1 : dropGapIndex;
 
-		if (insertAt !== draggedIndex) {
+		if (adjustedInsertIndex !== draggedIndex) {
 			const next = [...friends];
 			const [moved] = next.splice(draggedIndex, 1);
-			next.splice(insertAt, 0, moved);
+			next.splice(adjustedInsertIndex, 0, moved);
 			friends = next;
 			onReorderFriends?.(next);
 		}
@@ -86,8 +76,6 @@
 		resetDragState();
 	}
 
-	// --- Mouse drag handlers ---
-
 	function handleDragStart(event: DragEvent, friend: Friend, index: number) {
 		draggedFriend = friend;
 		draggedIndex = index;
@@ -100,16 +88,17 @@
 	function handleDragOver(event: DragEvent, index: number) {
 		event.preventDefault();
 		if (event.dataTransfer) event.dataTransfer.dropEffect = 'move';
-		// Map cursor Y position within the element to an insertion gap
 		const el = event.currentTarget as HTMLElement;
 		const rect = el.getBoundingClientRect();
 		dropGapIndex = event.clientY < rect.top + rect.height / 2 ? index : index + 1;
 	}
 
+	function cursorLeftContainer(event: DragEvent): boolean {
+		return !containerRef?.contains(event.relatedTarget as Node | null);
+	}
+
 	function handleDragLeave(event: DragEvent) {
-		// Only clear the indicator when the cursor truly leaves the list container,
-		// not when crossing between child elements
-		if (!containerRef?.contains(event.relatedTarget as Node | null)) {
+		if (cursorLeftContainer(event)) {
 			dropGapIndex = -1;
 		}
 	}
@@ -123,9 +112,6 @@
 		resetDragState();
 	}
 
-	// --- Touch drag action ---
-	// Long-press (400 ms) initiates drag; moving the finger before 400 ms cancels
-	// the timer so normal scrolling is unaffected.
 	function touchDragAction(
 		element: HTMLElement,
 		params: [Friend, number] | undefined
@@ -141,26 +127,25 @@
 				longPressTimer = null;
 				draggedFriend = currentFriend;
 				draggedIndex = currentIndex;
-				navigator.vibrate?.(40); // haptic feedback if supported
+				navigator.vibrate?.(40);
 			}, 400);
 		}
 
 		function onTouchMove(event: TouchEvent) {
 			const touch = event.touches[0];
-			// Cancel long-press if finger moves significantly before it fires
 			if (longPressTimer && Math.abs(touch.clientY - touchStartY) > 8) {
 				clearTimeout(longPressTimer);
 				longPressTimer = null;
 			}
 
-			if (draggedIndex === -1) return; // long-press hasn't fired yet — allow scroll
-			event.preventDefault(); // block scroll while dragging
+			if (draggedIndex === -1) return;
+			event.preventDefault();
 
 			if (!containerRef) return;
 
 			const currentY = touch.clientY;
 			const els = containerRef.querySelectorAll<HTMLElement>('.draggable-item');
-			let gap = els.length; // default: append to end
+			let gap = els.length;
 
 			for (let i = 0; i < els.length; i++) {
 				const rect = els[i].getBoundingClientRect();
@@ -181,7 +166,7 @@
 				clearTimeout(longPressTimer);
 				longPressTimer = null;
 			}
-			if (draggedIndex === -1) return; // was a tap, not a drag
+			if (draggedIndex === -1) return;
 			event.preventDefault();
 			commitReorder();
 		}
@@ -196,7 +181,6 @@
 
 		function attach() {
 			if (!attached) {
-				// touchstart can be passive — we only call preventDefault in touchmove/end
 				element.addEventListener('touchstart', onTouchStart, { passive: true });
 				element.addEventListener('touchmove', onTouchMove, { passive: false });
 				element.addEventListener('touchend', onTouchEnd, { passive: false });
@@ -235,8 +219,6 @@
 		};
 	}
 
-	// A gap is "neutral" (would not change order) if it sits directly before or
-	// after the item currently being dragged.
 	function isNeutralGap(gap: number, dragged: number) {
 		return gap === dragged || gap === dragged + 1;
 	}
@@ -269,14 +251,11 @@
 						ondragend={handleDragEnd}
 					>
 						<div class="flex w-full items-start gap-3">
-							<!-- Avatar and Delete Button Container -->
 							<div class="flex flex-shrink-0 flex-col items-center gap-2">
-								<!-- Avatar -->
 								<div class="avatar">
 									<Avatar name={friend.id} size={48} variant="beam" />
 								</div>
 
-								<!-- Delete Button - Mobile only -->
 								<button
 									class="btn btn-sm btn-error btn-outline opacity-100 transition-opacity duration-200 sm:hidden"
 									onclick={() => onDeleteFriend(friend.id)}
@@ -303,9 +282,7 @@
 								</button>
 							</div>
 
-							<!-- Friend Info -->
 							<div class="min-w-0 flex-1">
-								<!-- Name and Username -->
 								<div
 									class="mb-2 flex flex-col gap-1 sm:flex-row sm:items-center sm:justify-between"
 								>
@@ -318,7 +295,6 @@
 										{/if}
 									</div>
 
-									<!-- Delete Button - Desktop only -->
 									<button
 										class="btn btn-sm btn-error btn-outline hidden flex-shrink-0 opacity-0 transition-opacity duration-200 sm:flex sm:opacity-100 sm:group-hover:opacity-100"
 										onclick={() => onDeleteFriend(friend.id)}
@@ -345,7 +321,6 @@
 									</button>
 								</div>
 
-								<!-- Status -->
 								<div class="mb-2">
 									{#if friend.status}
 										<div class="flex flex-col gap-2 sm:flex-row sm:items-center">
@@ -353,22 +328,20 @@
 												{friend.status}
 											</p>
 											{#if friend.status_updated_at}
-												<!-- Tooltip for larger screens -->
 												<div
 													class="tooltip tooltip-right md:tooltip-left hidden sm:block"
 													data-tip={formatStatusUpdatedAtTooltip(friend.status_updated_at)}
 												>
 													<span class="text-base-content/50 cursor-help text-xs whitespace-nowrap">
-														{formatStatusUpdatedAt(friend.status_updated_at)}
+														<RelativeTime timestamp={friend.status_updated_at} />
 													</span>
 												</div>
 
-												<!-- Clickable element for smaller screens -->
 												<button
 													class="text-base-content/50 hover:text-base-content/70 cursor-pointer text-left text-xs whitespace-nowrap transition-colors sm:hidden"
 													onclick={() => openStatusModal(friend)}
 												>
-													{formatStatusUpdatedAt(friend.status_updated_at)}
+													<RelativeTime timestamp={friend.status_updated_at} />
 												</button>
 											{/if}
 										</div>
@@ -381,7 +354,6 @@
 					</div>
 				{/each}
 
-				<!-- Gap indicator after the last item -->
 				{#if draggedIndex !== -1 && dropGapIndex === friends.length && !isNeutralGap(dropGapIndex, draggedIndex)}
 					<div class="mx-2 h-0.5 rounded-full bg-primary/70 transition-all duration-100"></div>
 				{/if}
@@ -394,7 +366,6 @@
 	</div>
 </div>
 
-<!-- Status Date Modals for Mobile -->
 {#each friends as friend (friend.id)}
 	{#if friend.status_updated_at}
 		<dialog
diff --git a/src/lib/friends/components/ListSkeleton.svelte b/src/lib/friends/components/ListSkeleton.svelte
index ce41381..84fd080 100644
--- a/src/lib/friends/components/ListSkeleton.svelte
+++ b/src/lib/friends/components/ListSkeleton.svelte
@@ -1,8 +1,6 @@
 <script lang="ts">
-	// Skeleton component for friends list loading state
 </script>
 
-<!-- Friends List Skeleton -->
 <div class="mb-4">
 	<div class="card bg-base-200">
 		<div class="card-body">
@@ -11,10 +9,8 @@
 				{#each Array.from({ length: 3 }, (_, i) => i) as i (i)}
 					<div class="bg-base-300 rounded-box p-4">
 						<div class="flex w-full items-start gap-3">
-							<!-- Avatar skeleton -->
 							<div class="skeleton h-12 w-12 flex-shrink-0 rounded-full"></div>
 
-							<!-- Content skeleton -->
 							<div class="min-w-0 flex-1">
 								<div
 									class="mb-2 flex flex-col gap-1 sm:flex-row sm:items-center sm:justify-between"
diff --git a/src/lib/friends/components/Requests.svelte b/src/lib/friends/components/Requests.svelte
index 16ede34..8b82ff3 100644
--- a/src/lib/friends/components/Requests.svelte
+++ b/src/lib/friends/components/Requests.svelte
@@ -1,454 +1,438 @@
-<script lang="ts">
-	import { checkExistingFriendRequest, checkIncomingFriendRequest } from '$lib/friends/api';
-	import { getDisplayName, handleDatabaseError, NotificationManager } from '$lib/ui/notifications';
-	import type { SupabaseClient, User } from '@supabase/supabase-js';
-	import Avatar from 'svelte-boring-avatars';
-
-	interface FriendRequest {
-		id: string;
-		requester_id: string;
-		requester_display_name: string | null;
-		requester_username: string;
-	}
-
-	interface SentFriendRequest {
-		id: string;
-		target_id: string;
-		target_display_name: string | null;
-		target_username: string;
-	}
-
-	interface Props {
-		friendRequests: FriendRequest[];
-		sentFriendRequests: SentFriendRequest[];
-		supabase: SupabaseClient | null;
-		user: User | null;
-		onDataRefresh: () => Promise<void>;
-	}
-
-	let { friendRequests, sentFriendRequests, supabase, user, onDataRefresh }: Props = $props();
-
-	// Loading states
-	let isSendingFriendRequest = $state(false);
-	let processingRequests = $state(new Set<string>());
-	let cancellingRequests = $state(new Set<string>());
-	// Brief cooldown after each send attempt to prevent accidental rapid-fire submissions.
-	let canSendRequest = $state(true);
-
-	const RATE_LIMIT_PER_HOUR = 20;
-
-	const handleFriendRequest = async (evt: SubmitEvent) => {
-		evt.preventDefault();
-		if (!user || !supabase || !canSendRequest) return;
-
-		const formData = new FormData(evt.target as HTMLFormElement);
-		const username = formData.get('username') as string;
-
-		if (!username) {
-			NotificationManager.showError('Please enter a username');
-			return;
-		}
-
-		isSendingFriendRequest = true;
-		try {
-			// Rate limit pre-check: count requests sent in the last hour.
-			// The server enforces the same limit via a RESTRICTIVE RLS policy, but
-			// checking here first lets us show a helpful message instead of a generic error.
-			const oneHourAgo = new Date(Date.now() - 60 * 60 * 1000).toISOString();
-			const { count, error: countError } = await supabase
-				.from('friend_requests')
-				.select('id', { count: 'exact', head: true })
-				.eq('requester_id', user.id)
-				.gte('created_at', oneHourAgo);
-
-			if (!countError && count !== null && count >= RATE_LIMIT_PER_HOUR) {
-				NotificationManager.showError(
-					`You've sent ${RATE_LIMIT_PER_HOUR} friend requests in the last hour. Please wait before sending more.`
-				);
-				return;
-			}
-
-			// First, find the target user by username
-			const { data: targetUser, error: userError } = await supabase
-				.from('users')
-				.select('id, username')
-				.eq('username', username)
-				.maybeSingle();
-
-			if (userError) {
-				handleDatabaseError(userError, 'find user');
-				return;
-			}
-
-			if (!targetUser) {
-				NotificationManager.showError('User not found');
-				return;
-			}
-
-			if (targetUser.id === user.id) {
-				NotificationManager.showError('You cannot send a friend request to yourself');
-				return;
-			}
-
-			// Check if they're already friends (single record check with OR)
-			const { data: existingFriendship, error: friendshipError } = await supabase
-				.from('friends')
-				.select('id')
-				.or(
-					`and(user_id.eq.${user.id},friend_id.eq.${targetUser.id}),and(user_id.eq.${targetUser.id},friend_id.eq.${user.id})`
-				)
-				.maybeSingle();
-
-			if (friendshipError && friendshipError.code !== 'PGRST116') {
-				handleDatabaseError(friendshipError, 'check friendship');
-				return;
-			}
-
-			if (existingFriendship) {
-				NotificationManager.showError('You are already friends with this user');
-				return;
-			}
-
-			// Check for existing outgoing friend request
-			const existingOutgoing = await checkExistingFriendRequest(supabase, user.id, targetUser.id);
-			if (existingOutgoing.exists) {
-				NotificationManager.showError('You have already sent a friend request to this user');
-				return;
-			}
-
-			// Check for existing incoming friend request
-			const existingIncoming = await checkIncomingFriendRequest(supabase, targetUser.id, user.id);
-			if (existingIncoming.exists && existingIncoming.isPending) {
-				NotificationManager.showError(
-					'This user has already sent you a friend request. Check your pending requests.'
-				);
-				return;
-			}
-
-			// Create the friend request
-			const { error: insertError } = await supabase.from('friend_requests').insert({
-				requester_id: user.id,
-				target_id: targetUser.id
-			});
-
-			if (insertError) {
-				// 42501 = RLS policy violation — the server-side rate limit was hit.
-				if (insertError.code === '42501') {
-					NotificationManager.showError(
-						`You've reached the limit of ${RATE_LIMIT_PER_HOUR} friend requests per hour. Please try again later.`
-					);
-				} else {
-					handleDatabaseError(insertError, 'send friend request');
-				}
-				return;
-			}
-
-			// Clear the form
-			(evt.target as HTMLFormElement).reset();
-
-			await onDataRefresh();
-			NotificationManager.showSuccess(`Friend request sent to ${username}`);
-		} catch (error) {
-			handleDatabaseError(error, 'send friend request');
-		} finally {
-			isSendingFriendRequest = false;
-			// Apply a short cooldown regardless of outcome to prevent rapid-fire clicks.
-			canSendRequest = false;
-			setTimeout(() => {
-				canSendRequest = true;
-			}, 2000);
-		}
-	};
-
-	const handleFriendRequestAction = async (requestId: string, action: 'accept' | 'reject') => {
-		if (!user || !supabase) return;
-
-		// Add to processing set
-		processingRequests = new Set([...processingRequests, requestId]);
-
-		try {
-			// Get the friend request details
-			const { data: friendRequest, error: requestError } = await supabase
-				.from('friend_requests')
-				.select('requester_id, target_id')
-				.eq('id', requestId)
-				.eq('target_id', user.id)
-				.maybeSingle();
-
-			if (requestError) {
-				handleDatabaseError(requestError, 'get friend request');
-				return;
-			}
-
-			if (!friendRequest) {
-				NotificationManager.showError('Friend request not found or already processed');
-				return;
-			}
-
-			if (action === 'accept') {
-
-				// First check if friendship already exists (prevent duplicates)
-				const { data: existingFriendship } = await supabase
-					.from('friends')
-					.select('id')
-					.or(
-						`and(user_id.eq.${user.id},friend_id.eq.${friendRequest.requester_id}),and(user_id.eq.${friendRequest.requester_id},friend_id.eq.${user.id})`
-					)
-					.limit(1);
-
-				if (existingFriendship && existingFriendship.length > 0) {
-					NotificationManager.showError('You are already friends with this user');
-					return;
-				}
-
-				const { error: insertError } = await supabase
-					.from('friends')
-					.insert({ user_id: user.id, friend_id: friendRequest.requester_id });
-
-				if (insertError) {
-					// If it's a duplicate key error, it means the friendship already exists
-					if (insertError.code === '23505') {
-						NotificationManager.showError('You are already friends with this user');
-					} else {
-						handleDatabaseError(insertError, 'create friendship');
-					}
-					return;
-				}
-
-
-				// Delete the friend request since it's been accepted
-				const { error: deleteError } = await supabase
-					.from('friend_requests')
-					.delete()
-					.eq('id', requestId);
-
-				if (deleteError) {
-					handleDatabaseError(deleteError, 'delete friend request');
-					return;
-				}
-
-				NotificationManager.showSuccess('Friend request accepted');
-			} else {
-				// Delete the friend request since it's been rejected
-				const { error: deleteError } = await supabase
-					.from('friend_requests')
-					.delete()
-					.eq('id', requestId);
-
-				if (deleteError) {
-					handleDatabaseError(deleteError, 'delete friend request');
-					return;
-				}
-
-				NotificationManager.showSuccess('Friend request rejected');
-			}
-
-			await onDataRefresh();
-		} catch (error) {
-			handleDatabaseError(error, `${action} friend request`);
-		} finally {
-			processingRequests = new Set([...processingRequests].filter((id) => id !== requestId));
-		}
-	};
-
-	const handleCancelFriendRequest = async (requestId: string) => {
-		if (!user || !supabase) return;
-
-		// Add to cancelling set
-		cancellingRequests = new Set([...cancellingRequests, requestId]);
-
-		try {
-			// Delete the friend request
-			const { error } = await supabase
-				.from('friend_requests')
-				.delete()
-				.eq('id', requestId)
-				.eq('requester_id', user.id);
-
-			if (error) {
-				handleDatabaseError(error, 'cancel friend request');
-				return;
-			}
-
-			await onDataRefresh();
-			NotificationManager.showSuccess('Friend request cancelled');
-		} catch (error) {
-			handleDatabaseError(error, 'cancel friend request');
-		} finally {
-			cancellingRequests = new Set([...cancellingRequests].filter((id) => id !== requestId));
-		}
-	};
-</script>
-
-<div class="card bg-base-200">
-	<div class="card-body">
-		<h2 class="card-title">Friend Requests</h2>
-
-		<form onsubmit={handleFriendRequest} class="mb-4">
-			<div class="join w-full">
-				<div class="w-full">
-					<label class="input validator join-item w-full">
-						<svg class="h-[1em] opacity-50" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24">
-							<g
-								stroke-linejoin="round"
-								stroke-linecap="round"
-								stroke-width="2.5"
-								fill="none"
-								stroke="currentColor"
-							>
-								<path d="M19 21v-2a4 4 0 0 0-4-4H9a4 4 0 0 0-4 4v2"></path>
-								<circle cx="12" cy="7" r="4"></circle>
-							</g>
-						</svg>
-						<input
-							id="friend-username"
-							name="username"
-							type="text"
-							required
-							placeholder="Username"
-							pattern="[A-Za-z][A-Za-z0-9._\-]*"
-							minlength="3"
-							maxlength="20"
-							title="Must start with a letter, then letters, numbers, dots, dashes, or underscores"
-						/>
-					</label>
-				</div>
-				<button class="btn btn-neutral join-item" disabled={isSendingFriendRequest || !canSendRequest}>
-					{#if isSendingFriendRequest}
-						<span class="loading loading-spinner loading-sm"></span>
-					{:else}
-						<svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24"
-							><path
-								fill="currentColor"
-								d="M4.4 19.425q-.5.2-.95-.088T3 18.5V14l8-2l-8-2V5.5q0-.55.45-.837t.95-.088l15.4 6.5q.625.275.625.925t-.625.925z"
-							/></svg
-						>
-					{/if}
-				</button>
-			</div>
-		</form>
-
-		<!-- Pending Friend Requests -->
-		{#if friendRequests && friendRequests.length > 0}
-			<h3 class="mt-4 font-bold">Friend Requests</h3>
-			<ul class="list">
-				{#each friendRequests as request (request.id)}
-					<li class="bg-base-300 rounded-box mb-2 p-2">
-						<div class="flex w-full items-center justify-between gap-3">
-							<div class="flex flex-1 items-center gap-3">
-								<div class="avatar">
-									<Avatar name={request.requester_id} size={40} variant="marble" />
-								</div>
-								<div class="flex flex-col">
-									<span
-										>{getDisplayName(request.requester_display_name, request.requester_username)} wants
-										to be your friend</span
-									>
-									{#if request.requester_display_name}
-										<span class="text-base-content/60 text-xs">@{request.requester_username}</span>
-									{/if}
-								</div>
-							</div>
-							<div class="join">
-								<button
-									class="btn btn-sm btn-success join-item"
-									onclick={() => handleFriendRequestAction(request.id, 'accept')}
-									disabled={processingRequests.has(request.id)}
-								>
-									{#if processingRequests.has(request.id)}
-										<span class="loading loading-spinner loading-xs"></span>
-									{:else}
-										<svg
-											xmlns="http://www.w3.org/2000/svg"
-											class="h-6 w-6 shrink-0 stroke-current"
-											fill="none"
-											viewBox="0 0 24 24"
-										>
-											<path
-												stroke-linecap="round"
-												stroke-linejoin="round"
-												stroke-width="2"
-												d="M9 12l2 2 4-4m6 2a9 9 0 11-18 0 9 9 0 0118 0z"
-											/>
-										</svg>
-									{/if}
-								</button>
-								<button
-									class="btn btn-sm btn-error join-item"
-									onclick={() => handleFriendRequestAction(request.id, 'reject')}
-									disabled={processingRequests.has(request.id)}
-								>
-									{#if processingRequests.has(request.id)}
-										<span class="loading loading-spinner loading-xs"></span>
-									{:else}
-										<svg
-											xmlns="http://www.w3.org/2000/svg"
-											class="h-6 w-6 shrink-0 stroke-current"
-											fill="none"
-											viewBox="0 0 24 24"
-										>
-											<path
-												stroke-linecap="round"
-												stroke-linejoin="round"
-												stroke-width="2"
-												d="M10 14l2-2m0 0l2-2m-2 2l-2-2m2 2l2 2m7-2a9 9 0 11-18 0 9 9 0 0118 0z"
-											/>
-										</svg>
-									{/if}
-								</button>
-							</div>
-						</div>
-					</li>
-				{/each}
-			</ul>
-		{/if}
-
-		<!-- Sent Friend Requests -->
-		{#if sentFriendRequests && sentFriendRequests.length > 0}
-			<h3 class="mt-4 font-bold">Sent Friend Requests</h3>
-			<ul class="list">
-				{#each sentFriendRequests as request (request.id)}
-					<li class="bg-base-300 rounded-box group mb-2 p-2">
-						<div class="flex w-full items-center justify-between gap-3">
-							<div class="flex flex-1 items-center gap-3">
-								<div class="avatar">
-									<Avatar name={request.target_id} size={40} variant="marble" />
-								</div>
-								<div class="flex flex-col">
-									<span>{getDisplayName(request.target_display_name, request.target_username)}</span
-									>
-									{#if request.target_display_name}
-										<span class="text-base-content/60 text-xs">@{request.target_username}</span>
-									{/if}
-								</div>
-							</div>
-							<button
-								class="btn btn-sm btn-error"
-								onclick={() => handleCancelFriendRequest(request.id)}
-								disabled={cancellingRequests.has(request.id)}
-							>
-								{#if cancellingRequests.has(request.id)}
-									<span class="loading loading-spinner loading-xs"></span>
-								{:else}
-									<svg
-										xmlns="http://www.w3.org/2000/svg"
-										class="h-6 w-6 shrink-0 stroke-current"
-										fill="none"
-										viewBox="0 0 24 24"
-									>
-										<path
-											stroke-linecap="round"
-											stroke-linejoin="round"
-											stroke-width="2"
-											d="M10 14l2-2m0 0l2-2m-2 2l-2-2m2 2l2 2m7-2a9 9 0 11-18 0 9 9 0 0118 0z"
-										/>
-									</svg>
-								{/if}
-							</button>
-						</div>
-					</li>
-				{/each}
-			</ul>
-		{/if}
-	</div>
-</div>
+<script lang="ts">
+	import { checkExistingFriendRequest, checkIncomingFriendRequest } from '$lib/friends/api';
+	import { getDisplayName, handleDatabaseError, NotificationManager } from '$lib/ui/notifications';
+	import type { SupabaseClient, User } from '@supabase/supabase-js';
+	import Avatar from 'svelte-boring-avatars';
+
+	interface FriendRequest {
+		id: string;
+		requester_id: string;
+		requester_display_name: string | null;
+		requester_username: string;
+	}
+
+	interface SentFriendRequest {
+		id: string;
+		target_id: string;
+		target_display_name: string | null;
+		target_username: string;
+	}
+
+	interface Props {
+		friendRequests: FriendRequest[];
+		sentFriendRequests: SentFriendRequest[];
+		supabase: SupabaseClient | null;
+		user: User | null;
+		onDataRefresh: () => Promise<void>;
+	}
+
+	let { friendRequests, sentFriendRequests, supabase, user, onDataRefresh }: Props = $props();
+
+	let isSendingFriendRequest = $state(false);
+	let processingRequests = $state(new Set<string>());
+	let cancellingRequests = $state(new Set<string>());
+	let canSendRequest = $state(true);
+
+	const RATE_LIMIT_PER_HOUR = 20;
+	const POSTGRES_RLS_VIOLATION = '42501';
+
+	async function hasExceededHourlyRequestLimit(): Promise<boolean> {
+		if (!user || !supabase) return false;
+
+		const oneHourAgo = new Date(Date.now() - 60 * 60 * 1000).toISOString();
+		const { count, error } = await supabase
+			.from('friend_requests')
+			.select('id', { count: 'exact', head: true })
+			.eq('requester_id', user.id)
+			.gte('created_at', oneHourAgo);
+
+		return !error && count !== null && count >= RATE_LIMIT_PER_HOUR;
+	}
+
+	const handleFriendRequest = async (evt: SubmitEvent) => {
+		evt.preventDefault();
+		if (!user || !supabase || !canSendRequest) return;
+
+		const formData = new FormData(evt.target as HTMLFormElement);
+		const username = formData.get('username') as string;
+
+		if (!username) {
+			NotificationManager.showError('Please enter a username');
+			return;
+		}
+
+		isSendingFriendRequest = true;
+		try {
+			if (await hasExceededHourlyRequestLimit()) {
+				NotificationManager.showError(
+					`You've sent ${RATE_LIMIT_PER_HOUR} friend requests in the last hour. Please wait before sending more.`
+				);
+				return;
+			}
+
+			const { data: targetUser, error: userError } = await supabase
+				.from('users')
+				.select('id, username')
+				.eq('username', username)
+				.maybeSingle();
+
+			if (userError) {
+				handleDatabaseError(userError, 'find user');
+				return;
+			}
+
+			if (!targetUser) {
+				NotificationManager.showError('User not found');
+				return;
+			}
+
+			if (targetUser.id === user.id) {
+				NotificationManager.showError('You cannot send a friend request to yourself');
+				return;
+			}
+
+			const { data: existingFriendship, error: friendshipError } = await supabase
+				.from('friends')
+				.select('id')
+				.or(
+					`and(user_id.eq.${user.id},friend_id.eq.${targetUser.id}),and(user_id.eq.${targetUser.id},friend_id.eq.${user.id})`
+				)
+				.maybeSingle();
+
+			if (friendshipError && friendshipError.code !== 'PGRST116') {
+				handleDatabaseError(friendshipError, 'check friendship');
+				return;
+			}
+
+			if (existingFriendship) {
+				NotificationManager.showError('You are already friends with this user');
+				return;
+			}
+
+			const existingOutgoing = await checkExistingFriendRequest(supabase, user.id, targetUser.id);
+			if (existingOutgoing.exists) {
+				NotificationManager.showError('You have already sent a friend request to this user');
+				return;
+			}
+
+			const existingIncoming = await checkIncomingFriendRequest(supabase, targetUser.id, user.id);
+			if (existingIncoming.exists && existingIncoming.isPending) {
+				NotificationManager.showError(
+					'This user has already sent you a friend request. Check your pending requests.'
+				);
+				return;
+			}
+
+			const { error: insertError } = await supabase.from('friend_requests').insert({
+				requester_id: user.id,
+				target_id: targetUser.id
+			});
+
+			if (insertError) {
+				if (insertError.code === POSTGRES_RLS_VIOLATION) {
+					NotificationManager.showError(
+						`You've reached the limit of ${RATE_LIMIT_PER_HOUR} friend requests per hour. Please try again later.`
+					);
+				} else {
+					handleDatabaseError(insertError, 'send friend request');
+				}
+				return;
+			}
+
+			(evt.target as HTMLFormElement).reset();
+
+			await onDataRefresh();
+			NotificationManager.showSuccess(`Friend request sent to ${username}`);
+		} catch (error) {
+			handleDatabaseError(error, 'send friend request');
+		} finally {
+			isSendingFriendRequest = false;
+			canSendRequest = false;
+			setTimeout(() => {
+				canSendRequest = true;
+			}, 2000);
+		}
+	};
+
+	const handleFriendRequestAction = async (requestId: string, action: 'accept' | 'reject') => {
+		if (!user || !supabase) return;
+
+		processingRequests = new Set([...processingRequests, requestId]);
+
+		try {
+			const { data: friendRequest, error: requestError } = await supabase
+				.from('friend_requests')
+				.select('requester_id, target_id')
+				.eq('id', requestId)
+				.eq('target_id', user.id)
+				.maybeSingle();
+
+			if (requestError) {
+				handleDatabaseError(requestError, 'get friend request');
+				return;
+			}
+
+			if (!friendRequest) {
+				NotificationManager.showError('Friend request not found or already processed');
+				return;
+			}
+
+			if (action === 'accept') {
+
+				const { data: existingFriendship } = await supabase
+					.from('friends')
+					.select('id')
+					.or(
+						`and(user_id.eq.${user.id},friend_id.eq.${friendRequest.requester_id}),and(user_id.eq.${friendRequest.requester_id},friend_id.eq.${user.id})`
+					)
+					.limit(1);
+
+				if (existingFriendship && existingFriendship.length > 0) {
+					NotificationManager.showError('You are already friends with this user');
+					return;
+				}
+
+				const { error: insertError } = await supabase
+					.from('friends')
+					.insert({ user_id: user.id, friend_id: friendRequest.requester_id });
+
+				if (insertError) {
+					if (insertError.code === '23505') {
+						NotificationManager.showError('You are already friends with this user');
+					} else {
+						handleDatabaseError(insertError, 'create friendship');
+					}
+					return;
+				}
+
+
+				const { error: deleteError } = await supabase
+					.from('friend_requests')
+					.delete()
+					.eq('id', requestId);
+
+				if (deleteError) {
+					handleDatabaseError(deleteError, 'delete friend request');
+					return;
+				}
+
+				NotificationManager.showSuccess('Friend request accepted');
+			} else {
+				const { error: deleteError } = await supabase
+					.from('friend_requests')
+					.delete()
+					.eq('id', requestId);
+
+				if (deleteError) {
+					handleDatabaseError(deleteError, 'delete friend request');
+					return;
+				}
+
+				NotificationManager.showSuccess('Friend request rejected');
+			}
+
+			await onDataRefresh();
+		} catch (error) {
+			handleDatabaseError(error, `${action} friend request`);
+		} finally {
+			processingRequests = new Set([...processingRequests].filter((id) => id !== requestId));
+		}
+	};
+
+	const handleCancelFriendRequest = async (requestId: string) => {
+		if (!user || !supabase) return;
+
+		cancellingRequests = new Set([...cancellingRequests, requestId]);
+
+		try {
+			const { error } = await supabase
+				.from('friend_requests')
+				.delete()
+				.eq('id', requestId)
+				.eq('requester_id', user.id);
+
+			if (error) {
+				handleDatabaseError(error, 'cancel friend request');
+				return;
+			}
+
+			await onDataRefresh();
+			NotificationManager.showSuccess('Friend request cancelled');
+		} catch (error) {
+			handleDatabaseError(error, 'cancel friend request');
+		} finally {
+			cancellingRequests = new Set([...cancellingRequests].filter((id) => id !== requestId));
+		}
+	};
+</script>
+
+<div class="card bg-base-200">
+	<div class="card-body">
+		<h2 class="card-title">Friend Requests</h2>
+
+		<form onsubmit={handleFriendRequest} class="mb-4">
+			<div class="join w-full">
+				<div class="w-full">
+					<label class="input validator join-item w-full">
+						<svg class="h-[1em] opacity-50" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24">
+							<g
+								stroke-linejoin="round"
+								stroke-linecap="round"
+								stroke-width="2.5"
+								fill="none"
+								stroke="currentColor"
+							>
+								<path d="M19 21v-2a4 4 0 0 0-4-4H9a4 4 0 0 0-4 4v2"></path>
+								<circle cx="12" cy="7" r="4"></circle>
+							</g>
+						</svg>
+						<input
+							id="friend-username"
+							name="username"
+							type="text"
+							required
+							placeholder="Username"
+							pattern="[A-Za-z][A-Za-z0-9._\-]*"
+							minlength="3"
+							maxlength="20"
+							title="Must start with a letter, then letters, numbers, dots, dashes, or underscores"
+						/>
+					</label>
+				</div>
+				<button class="btn btn-neutral join-item" disabled={isSendingFriendRequest || !canSendRequest}>
+					{#if isSendingFriendRequest}
+						<span class="loading loading-spinner loading-sm"></span>
+					{:else}
+						<svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24"
+							><path
+								fill="currentColor"
+								d="M4.4 19.425q-.5.2-.95-.088T3 18.5V14l8-2l-8-2V5.5q0-.55.45-.837t.95-.088l15.4 6.5q.625.275.625.925t-.625.925z"
+							/></svg
+						>
+					{/if}
+				</button>
+			</div>
+		</form>
+
+		{#if friendRequests && friendRequests.length > 0}
+			<h3 class="mt-4 font-bold">Friend Requests</h3>
+			<ul class="list">
+				{#each friendRequests as request (request.id)}
+					<li class="bg-base-300 rounded-box mb-2 p-2">
+						<div class="flex w-full items-center justify-between gap-3">
+							<div class="flex flex-1 items-center gap-3">
+								<div class="avatar">
+									<Avatar name={request.requester_id} size={40} variant="marble" />
+								</div>
+								<div class="flex flex-col">
+									<span
+										>{getDisplayName(request.requester_display_name, request.requester_username)} wants
+										to be your friend</span
+									>
+									{#if request.requester_display_name}
+										<span class="text-base-content/60 text-xs">@{request.requester_username}</span>
+									{/if}
+								</div>
+							</div>
+							<div class="join">
+								<button
+									class="btn btn-sm btn-success join-item"
+									onclick={() => handleFriendRequestAction(request.id, 'accept')}
+									disabled={processingRequests.has(request.id)}
+								>
+									{#if processingRequests.has(request.id)}
+										<span class="loading loading-spinner loading-xs"></span>
+									{:else}
+										<svg
+											xmlns="http://www.w3.org/2000/svg"
+											class="h-6 w-6 shrink-0 stroke-current"
+											fill="none"
+											viewBox="0 0 24 24"
+										>
+											<path
+												stroke-linecap="round"
+												stroke-linejoin="round"
+												stroke-width="2"
+												d="M9 12l2 2 4-4m6 2a9 9 0 11-18 0 9 9 0 0118 0z"
+											/>
+										</svg>
+									{/if}
+								</button>
+								<button
+									class="btn btn-sm btn-error join-item"
+									onclick={() => handleFriendRequestAction(request.id, 'reject')}
+									disabled={processingRequests.has(request.id)}
+								>
+									{#if processingRequests.has(request.id)}
+										<span class="loading loading-spinner loading-xs"></span>
+									{:else}
+										<svg
+											xmlns="http://www.w3.org/2000/svg"
+											class="h-6 w-6 shrink-0 stroke-current"
+											fill="none"
+											viewBox="0 0 24 24"
+										>
+											<path
+												stroke-linecap="round"
+												stroke-linejoin="round"
+												stroke-width="2"
+												d="M10 14l2-2m0 0l2-2m-2 2l-2-2m2 2l2 2m7-2a9 9 0 11-18 0 9 9 0 0118 0z"
+											/>
+										</svg>
+									{/if}
+								</button>
+							</div>
+						</div>
+					</li>
+				{/each}
+			</ul>
+		{/if}
+
+		{#if sentFriendRequests && sentFriendRequests.length > 0}
+			<h3 class="mt-4 font-bold">Sent Friend Requests</h3>
+			<ul class="list">
+				{#each sentFriendRequests as request (request.id)}
+					<li class="bg-base-300 rounded-box group mb-2 p-2">
+						<div class="flex w-full items-center justify-between gap-3">
+							<div class="flex flex-1 items-center gap-3">
+								<div class="avatar">
+									<Avatar name={request.target_id} size={40} variant="marble" />
+								</div>
+								<div class="flex flex-col">
+									<span>{getDisplayName(request.target_display_name, request.target_username)}</span
+									>
+									{#if request.target_display_name}
+										<span class="text-base-content/60 text-xs">@{request.target_username}</span>
+									{/if}
+								</div>
+							</div>
+							<button
+								class="btn btn-sm btn-error"
+								onclick={() => handleCancelFriendRequest(request.id)}
+								disabled={cancellingRequests.has(request.id)}
+							>
+								{#if cancellingRequests.has(request.id)}
+									<span class="loading loading-spinner loading-xs"></span>
+								{:else}
+									<svg
+										xmlns="http://www.w3.org/2000/svg"
+										class="h-6 w-6 shrink-0 stroke-current"
+										fill="none"
+										viewBox="0 0 24 24"
+									>
+										<path
+											stroke-linecap="round"
+											stroke-linejoin="round"
+											stroke-width="2"
+											d="M10 14l2-2m0 0l2-2m-2 2l-2-2m2 2l2 2m7-2a9 9 0 11-18 0 9 9 0 0118 0z"
+										/>
+									</svg>
+								{/if}
+							</button>
+						</div>
+					</li>
+				{/each}
+			</ul>
+		{/if}
+	</div>
+</div>
diff --git a/src/lib/friends/components/RequestsSkeleton.svelte b/src/lib/friends/components/RequestsSkeleton.svelte
index febb16a..884aa17 100644
--- a/src/lib/friends/components/RequestsSkeleton.svelte
+++ b/src/lib/friends/components/RequestsSkeleton.svelte
@@ -1,12 +1,10 @@
 <script lang="ts">
-	// Skeleton component for friend requests section loading state
 </script>
 
 <div class="card bg-base-200">
 	<div class="card-body">
 		<h2 class="card-title">Friend Requests</h2>
 
-		<!-- Friend request form skeleton -->
 		<div class="join mb-4 w-full">
 			<div class="w-full">
 				<div class="skeleton h-12 w-full"></div>
@@ -14,7 +12,6 @@
 			<div class="skeleton h-12 w-40"></div>
 		</div>
 
-		<!-- Friend requests list skeleton -->
 		<div class="space-y-2">
 			{#each Array.from({ length: 2 }, (_, i) => i) as i (i)}
 				<div class="bg-base-300 rounded-box p-2">
diff --git a/src/lib/friends/order.test.ts b/src/lib/friends/order.test.ts
new file mode 100644
index 0000000..0b9c673
--- /dev/null
+++ b/src/lib/friends/order.test.ts
@@ -0,0 +1,111 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import { FriendOrderStore } from './order';
+
+const localStorageMock = (() => {
+	let store: Record<string, string> = {};
+	return {
+		getItem: vi.fn((key: string) => store[key] ?? null),
+		setItem: vi.fn((key: string, value: string) => {
+			store[key] = value;
+		}),
+		removeItem: vi.fn((key: string) => {
+			delete store[key];
+		}),
+		clear: vi.fn(() => {
+			store = {};
+		}),
+		get length() {
+			return Object.keys(store).length;
+		},
+		key: vi.fn((index: number) => Object.keys(store)[index] ?? null)
+	};
+})();
+
+Object.defineProperty(globalThis, 'window', {
+	value: { localStorage: localStorageMock },
+	writable: true
+});
+Object.defineProperty(globalThis, 'localStorage', {
+	value: localStorageMock,
+	writable: true
+});
+
+vi.mock('$app/environment', () => ({ browser: true }));
+
+function makeFriend(id: string) {
+	return { id, username: id, display_name: null, status: null, status_updated_at: null };
+}
+
+describe('FriendOrderStore', () => {
+	beforeEach(() => {
+		localStorageMock.clear();
+		vi.clearAllMocks();
+	});
+
+	it('returns friends in original order when no order is stored', () => {
+		const store = new FriendOrderStore();
+		const friends = [makeFriend('a'), makeFriend('b'), makeFriend('c')];
+
+		const ordered = store.getOrderedFriends(friends);
+		expect(ordered.map((f) => f.id)).toEqual(['a', 'b', 'c']);
+	});
+
+	it('persists order to localStorage on first call', () => {
+		const store = new FriendOrderStore();
+		const friends = [makeFriend('a'), makeFriend('b')];
+
+		store.getOrderedFriends(friends);
+		expect(localStorageMock.setItem).toHaveBeenCalledWith(
+			'friend-order',
+			JSON.stringify(['a', 'b'])
+		);
+	});
+
+	it('applies stored order', () => {
+		localStorageMock.setItem('friend-order', JSON.stringify(['c', 'a', 'b']));
+		const store = new FriendOrderStore();
+		const friends = [makeFriend('a'), makeFriend('b'), makeFriend('c')];
+
+		const ordered = store.getOrderedFriends(friends);
+		expect(ordered.map((f) => f.id)).toEqual(['c', 'a', 'b']);
+	});
+
+	it('appends new friends to the end', () => {
+		localStorageMock.setItem('friend-order', JSON.stringify(['a', 'b']));
+		const store = new FriendOrderStore();
+		const friends = [makeFriend('a'), makeFriend('b'), makeFriend('c')];
+
+		const ordered = store.getOrderedFriends(friends);
+		expect(ordered.map((f) => f.id)).toEqual(['a', 'b', 'c']);
+	});
+
+	it('skips IDs no longer in the friend list', () => {
+		localStorageMock.setItem('friend-order', JSON.stringify(['a', 'b', 'c']));
+		const store = new FriendOrderStore();
+		const friends = [makeFriend('a'), makeFriend('c')];
+
+		const ordered = store.getOrderedFriends(friends);
+		expect(ordered.map((f) => f.id)).toEqual(['a', 'c']);
+	});
+
+	it('updateOrder persists new order', () => {
+		const store = new FriendOrderStore();
+		const reordered = [makeFriend('c'), makeFriend('a'), makeFriend('b')];
+
+		store.updateOrder(reordered);
+		expect(localStorageMock.setItem).toHaveBeenCalledWith(
+			'friend-order',
+			JSON.stringify(['c', 'a', 'b'])
+		);
+	});
+
+	it('removeFriend removes from stored order', () => {
+		localStorageMock.setItem('friend-order', JSON.stringify(['a', 'b', 'c']));
+		const store = new FriendOrderStore();
+		store.getOrderedFriends([makeFriend('a'), makeFriend('b'), makeFriend('c')]);
+
+		store.removeFriend('b');
+		const stored = JSON.parse(localStorageMock.getItem('friend-order')!);
+		expect(stored).toEqual(['a', 'c']);
+	});
+});
diff --git a/src/lib/friends/order.ts b/src/lib/friends/order.ts
index 2d93713..6b3c413 100644
--- a/src/lib/friends/order.ts
+++ b/src/lib/friends/order.ts
@@ -16,9 +16,6 @@ export class FriendOrderStore {
 		this.loadFromStorage();
 	}
 
-	/**
-	 * Load the friend order from localStorage
-	 */
 	private loadFromStorage(): void {
 		if (!browser) return;
 
@@ -33,9 +30,6 @@ export class FriendOrderStore {
 		}
 	}
 
-	/**
-	 * Save the current order to localStorage
-	 */
 	private saveToStorage(): void {
 		if (!browser) return;
 
@@ -46,12 +40,8 @@ export class FriendOrderStore {
 		}
 	}
 
-	/**
-	 * Get the ordered friends array based on the stored order
-	 */
 	getOrderedFriends(friends: Friend[]): Friend[] {
 		if (this.order.length === 0) {
-			// No stored order — persist the incoming order and return it as-is
 			this.order = friends.map((f) => f.id);
 			this.saveToStorage();
 			return friends;
@@ -60,18 +50,15 @@ export class FriendOrderStore {
 		const storedSet = new Set(this.order);
 		const friendMap = new Map(friends.map((f) => [f.id, f]));
 
-		// Apply stored order, skipping IDs no longer in the friend list
 		const ordered: Friend[] = [];
 		for (const id of this.order) {
 			const f = friendMap.get(id);
 			if (f) ordered.push(f);
 		}
 
-		// Collect friends not yet in the stored order (newly added friends)
 		const newFriends = friends.filter((f) => !storedSet.has(f.id));
 
 		if (newFriends.length > 0) {
-			// Append new friends and persist the updated order
 			const result = [...ordered, ...newFriends];
 			this.order = result.map((f) => f.id);
 			this.saveToStorage();
@@ -81,17 +68,11 @@ export class FriendOrderStore {
 		return ordered;
 	}
 
-	/**
-	 * Update the order when friends are reordered via drag and drop
-	 */
 	updateOrder(newOrder: Friend[]): void {
 		this.order = newOrder.map(friend => friend.id);
 		this.saveToStorage();
 	}
 
-	/**
-	 * Remove a friend from the order when they are deleted
-	 */
 	removeFriend(friendId: string): void {
 		this.order = this.order.filter(id => id !== friendId);
 		this.saveToStorage();
@@ -99,5 +80,4 @@ export class FriendOrderStore {
 
 }
 
-// Export a singleton instance
 export const friendOrderStore = new FriendOrderStore();
diff --git a/src/lib/profile/api.ts b/src/lib/profile/api.ts
index 6aa9240..6999aa7 100644
--- a/src/lib/profile/api.ts
+++ b/src/lib/profile/api.ts
@@ -17,7 +17,7 @@ export async function checkUsernameAvailability(
 			throw error;
 		}
 
-		return !existingUser; // Available if no existing user found
+		return !existingUser;
 	} catch (error) {
 		console.error('Error checking username availability:', error);
 		throw error;
diff --git a/src/lib/profile/validation.test.ts b/src/lib/profile/validation.test.ts
new file mode 100644
index 0000000..acdf531
--- /dev/null
+++ b/src/lib/profile/validation.test.ts
@@ -0,0 +1,112 @@
+import { describe, it, expect } from 'vitest';
+import {
+	validateUsername,
+	validateDisplayName,
+	sanitizeUsername,
+	sanitizeDisplayName,
+	MIN_USERNAME_LENGTH,
+	MAX_USERNAME_LENGTH,
+	MAX_DISPLAY_NAME_LENGTH,
+	ERROR_MESSAGES
+} from './validation';
+
+describe('validateUsername', () => {
+	it('rejects empty username', () => {
+		expect(validateUsername('')).toBe(ERROR_MESSAGES.USERNAME_EMPTY);
+	});
+
+	it('rejects username shorter than minimum', () => {
+		expect(validateUsername('ab')).toBe(ERROR_MESSAGES.USERNAME_TOO_SHORT);
+		expect(validateUsername('a')).toBe(ERROR_MESSAGES.USERNAME_TOO_SHORT);
+	});
+
+	it('accepts username at minimum length', () => {
+		expect(validateUsername('abc')).toBeNull();
+	});
+
+	it('rejects username exceeding max length', () => {
+		const long = 'a'.repeat(MAX_USERNAME_LENGTH + 1);
+		expect(validateUsername(long)).toBe(ERROR_MESSAGES.USERNAME_TOO_LONG);
+	});
+
+	it('accepts username at max length', () => {
+		const exact = 'a'.repeat(MAX_USERNAME_LENGTH);
+		expect(validateUsername(exact)).toBeNull();
+	});
+
+	it('rejects username starting with a number', () => {
+		expect(validateUsername('1user')).toBe(ERROR_MESSAGES.USERNAME_INVALID);
+	});
+
+	it('rejects username starting with a dot', () => {
+		expect(validateUsername('.user')).toBe(ERROR_MESSAGES.USERNAME_INVALID);
+	});
+
+	it('rejects username with spaces', () => {
+		expect(validateUsername('user name')).toBe(ERROR_MESSAGES.USERNAME_INVALID);
+	});
+
+	it('rejects username with special characters', () => {
+		expect(validateUsername('user@name')).toBe(ERROR_MESSAGES.USERNAME_INVALID);
+		expect(validateUsername('user!name')).toBe(ERROR_MESSAGES.USERNAME_INVALID);
+	});
+
+	it('accepts valid usernames', () => {
+		expect(validateUsername('alice')).toBeNull();
+		expect(validateUsername('Bob42')).toBeNull();
+		expect(validateUsername('user.name')).toBeNull();
+		expect(validateUsername('user-name')).toBeNull();
+		expect(validateUsername('user_name')).toBeNull();
+		expect(validateUsername('A.b-c_1')).toBeNull();
+	});
+
+	it('enforces documented length constants', () => {
+		expect(MIN_USERNAME_LENGTH).toBe(3);
+		expect(MAX_USERNAME_LENGTH).toBe(20);
+	});
+});
+
+describe('validateDisplayName', () => {
+	it('rejects empty display name', () => {
+		expect(validateDisplayName('')).toBe(ERROR_MESSAGES.DISPLAY_NAME_EMPTY);
+	});
+
+	it('rejects display name exceeding max length', () => {
+		const long = 'a'.repeat(MAX_DISPLAY_NAME_LENGTH + 1);
+		expect(validateDisplayName(long)).toBe(ERROR_MESSAGES.DISPLAY_NAME_TOO_LONG);
+	});
+
+	it('accepts display name at max length', () => {
+		const exact = 'a'.repeat(MAX_DISPLAY_NAME_LENGTH);
+		expect(validateDisplayName(exact)).toBeNull();
+	});
+
+	it('accepts normal display names', () => {
+		expect(validateDisplayName('Alice Smith')).toBeNull();
+		expect(validateDisplayName('Bob')).toBeNull();
+	});
+
+	it('enforces documented max length constant', () => {
+		expect(MAX_DISPLAY_NAME_LENGTH).toBe(50);
+	});
+});
+
+describe('sanitizeUsername', () => {
+	it('trims whitespace', () => {
+		expect(sanitizeUsername('  alice  ')).toBe('alice');
+	});
+
+	it('returns trimmed value unchanged', () => {
+		expect(sanitizeUsername('bob')).toBe('bob');
+	});
+});
+
+describe('sanitizeDisplayName', () => {
+	it('trims whitespace', () => {
+		expect(sanitizeDisplayName('  Alice  ')).toBe('Alice');
+	});
+
+	it('returns trimmed value unchanged', () => {
+		expect(sanitizeDisplayName('Bob')).toBe('Bob');
+	});
+});
diff --git a/src/lib/profile/validation.ts b/src/lib/profile/validation.ts
index be8d661..eb08fb7 100644
--- a/src/lib/profile/validation.ts
+++ b/src/lib/profile/validation.ts
@@ -1,10 +1,11 @@
+export const MIN_USERNAME_LENGTH = 3;
 export const MAX_USERNAME_LENGTH = 20;
 export const MAX_DISPLAY_NAME_LENGTH = 50;
 export const USERNAME_PATTERN = /^[a-zA-Z][a-zA-Z0-9._-]*$/;
 
-// Error messages
 export const ERROR_MESSAGES = {
 	USERNAME_EMPTY: 'Username cannot be empty',
+	USERNAME_TOO_SHORT: `Username must be at least ${MIN_USERNAME_LENGTH} characters`,
 	USERNAME_TOO_LONG: `Username must be ${MAX_USERNAME_LENGTH} characters or less`,
 	USERNAME_INVALID:
 		'Username must start with a letter and can only contain letters, numbers, dots, dashes, and underscores',
@@ -17,6 +18,9 @@ export function validateUsername(username: string): string | null {
 	if (username.length === 0) {
 		return ERROR_MESSAGES.USERNAME_EMPTY;
 	}
+	if (username.length < MIN_USERNAME_LENGTH) {
+		return ERROR_MESSAGES.USERNAME_TOO_SHORT;
+	}
 	if (username.length > MAX_USERNAME_LENGTH) {
 		return ERROR_MESSAGES.USERNAME_TOO_LONG;
 	}
@@ -37,11 +41,9 @@ export function validateDisplayName(displayName: string): string | null {
 }
 
 export function sanitizeUsername(username: string): string {
-	// Trim whitespace from username
 	return username.trim();
 }
 
 export function sanitizeDisplayName(displayName: string): string {
-	// Trim whitespace from display name
 	return displayName.trim();
 }
diff --git a/src/lib/realtime/subscriptions.ts b/src/lib/realtime/subscriptions.ts
index 0abae38..812d9f9 100644
--- a/src/lib/realtime/subscriptions.ts
+++ b/src/lib/realtime/subscriptions.ts
@@ -1,33 +1,25 @@
-import type { RealtimeChannel, SupabaseClient } from '@supabase/supabase-js';
+import type { RealtimeChannel, RealtimePostgresChangesPayload, SupabaseClient } from '@supabase/supabase-js';
 import type { Database } from '../../database.types';
 
+export interface StatusChangePayload {
+	id: string;
+	status: string | null;
+	updated_at: string;
+}
+
 interface SubscriptionCallbacks {
 	onFriendRequestChange?: () => void;
 	onFriendshipChange?: () => void;
-	onStatusChange?: () => void;
+	onStatusChange?: (payload: StatusChangePayload) => void;
 }
 
-/**
- * Manages real-time Supabase subscriptions for dashboard updates.
- *
- * Uses server-side column filters so only rows relevant to this user are
- * delivered over the wire. The friend_requests and friends tables each
- * require two channels because Realtime only supports a single `eq` filter
- * per channel — one for each column that can reference the current user.
- *
- * The profiles subscription is scoped to the user's friend list via an `in`
- * filter and is (re)created whenever the friend list changes via
- * `updateFriendIds()`. It is not set up until the first call to that method.
- */
+// Realtime only supports a single eq filter per channel, so each table needs two channels.
 export class RealtimeSubscriptionManager {
 	private supabase: SupabaseClient<Database>;
 	private userId: string;
-	/** Channels that live for the whole session (friend_requests + friends). */
 	private channels: RealtimeChannel[] = [];
-	/** The profiles channel — replaced whenever the friend list changes. */
 	private profileChannel: RealtimeChannel | null = null;
 	private callbacks: SubscriptionCallbacks = {};
-	/** Sorted snapshot of the friend IDs the profile channel is scoped to. */
 	private subscribedFriendIds: string[] = [];
 
 	constructor(supabase: SupabaseClient<Database>, userId: string) {
@@ -35,26 +27,15 @@ export class RealtimeSubscriptionManager {
 		this.userId = userId;
 	}
 
-	/**
-	 * Open channels for friend_requests and friends table changes.
-	 * The profiles channel is NOT started here; call `updateFriendIds` once
-	 * dashboard data is available.
-	 */
 	subscribe(callbacks: SubscriptionCallbacks): void {
 		this.callbacks = callbacks;
 		this.subscribeToFriendRequests();
 		this.subscribeToFriends();
 	}
 
-	/**
-	 * (Re)create the profiles subscription scoped to the given friend IDs.
-	 * Safe to call on every data refresh — it is a no-op when the list has
-	 * not changed since the last call.
-	 */
 	updateFriendIds(friendIds: string[]): void {
 		const sorted = [...friendIds].sort();
 
-		// No-op if the friend list is identical to what we already have.
 		const unchanged =
 			sorted.length === this.subscribedFriendIds.length &&
 			sorted.every((id, i) => id === this.subscribedFriendIds[i]);
@@ -72,12 +53,7 @@ export class RealtimeSubscriptionManager {
 		}
 	}
 
-	/**
-	 * Two channels for friend_requests — one per column that can reference
-	 * the current user — so the server delivers only relevant rows.
-	 */
 	private subscribeToFriendRequests(): void {
-		// Requests sent by this user (outgoing).
 		const outgoing = this.supabase
 			.channel(`friend_requests_from_${this.userId}`)
 			.on(
@@ -94,7 +70,6 @@ export class RealtimeSubscriptionManager {
 				if (err) console.error('Realtime: friend_requests (outgoing) error:', err);
 			});
 
-		// Requests sent to this user (incoming).
 		const incoming = this.supabase
 			.channel(`friend_requests_to_${this.userId}`)
 			.on(
@@ -114,13 +89,7 @@ export class RealtimeSubscriptionManager {
 		this.channels.push(outgoing, incoming);
 	}
 
-	/**
-	 * Two channels for friends — one per column that can reference the
-	 * current user (the canonical ordering means user_id < friend_id, so
-	 * the user could appear in either column).
-	 */
 	private subscribeToFriends(): void {
-		// Friendships where this user is stored as user_id.
 		const asUser = this.supabase
 			.channel(`friends_user_${this.userId}`)
 			.on(
@@ -137,7 +106,6 @@ export class RealtimeSubscriptionManager {
 				if (err) console.error('Realtime: friends (as user_id) error:', err);
 			});
 
-		// Friendships where this user is stored as friend_id.
 		const asFriend = this.supabase
 			.channel(`friends_friend_${this.userId}`)
 			.on(
@@ -157,12 +125,6 @@ export class RealtimeSubscriptionManager {
 		this.channels.push(asUser, asFriend);
 	}
 
-	/**
-	 * Open a profiles channel scoped to the supplied friend IDs using an
-	 * `in` filter. Only UPDATE events on those specific rows are delivered,
-	 * eliminating the previous behaviour of receiving every profile change
-	 * from every user in the database.
-	 */
 	private openProfileChannel(friendIds: string[]): RealtimeChannel {
 		return this.supabase
 			.channel(`profiles_friends_${this.userId}`)
@@ -174,14 +136,22 @@ export class RealtimeSubscriptionManager {
 					table: 'profiles',
 					filter: `id=in.(${friendIds.join(',')})`
 				},
-				() => this.callbacks.onStatusChange?.()
+				(payload: RealtimePostgresChangesPayload<{ id: string; status: string | null; updated_at: string }>) => {
+					const row = payload.new as { id: string; status: string | null; updated_at: string } | undefined;
+					if (row?.id) {
+						this.callbacks.onStatusChange?.({
+							id: row.id,
+							status: row.status,
+							updated_at: row.updated_at
+						});
+					}
+				}
 			)
 			.subscribe((_, err) => {
 				if (err) console.error('Realtime: profiles error:', err);
 			});
 	}
 
-	/** Tear down all channels and reset state. */
 	unsubscribe(): void {
 		for (const channel of this.channels) {
 			this.supabase.removeChannel(channel);
diff --git a/src/lib/status/components/Skeleton.svelte b/src/lib/status/components/Skeleton.svelte
index 6d01b57..ab09d7c 100644
--- a/src/lib/status/components/Skeleton.svelte
+++ b/src/lib/status/components/Skeleton.svelte
@@ -1,17 +1,14 @@
 <script lang="ts">
-	// Skeleton component for status section loading state
 </script>
 
 <div class="card bg-base-200">
 	<div class="card-body">
 		<h2 class="card-title">Status</h2>
 
-		<!-- Current status display skeleton -->
 		<div class="bg-base-300 mb-4 rounded-lg p-3">
 			<div class="skeleton h-6 w-48"></div>
 		</div>
 
-		<!-- Status input form skeleton -->
 		<div class="join w-full">
 			<div class="w-full">
 				<div class="skeleton h-12 w-full"></div>
diff --git a/src/lib/status/formatting.test.ts b/src/lib/status/formatting.test.ts
new file mode 100644
index 0000000..9d630d1
--- /dev/null
+++ b/src/lib/status/formatting.test.ts
@@ -0,0 +1,64 @@
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
+import { formatStatusUpdatedAt, formatStatusUpdatedAtTooltip } from './formatting';
+
+describe('formatStatusUpdatedAt', () => {
+	beforeEach(() => {
+		vi.useFakeTimers();
+		vi.setSystemTime(new Date('2026-02-26T12:00:00Z'));
+	});
+
+	afterEach(() => {
+		vi.useRealTimers();
+	});
+
+	it('returns empty string for null', () => {
+		expect(formatStatusUpdatedAt(null)).toBe('');
+	});
+
+	it('returns "just now" for less than a minute ago', () => {
+		const thirtySecondsAgo = new Date('2026-02-26T11:59:35Z').toISOString();
+		expect(formatStatusUpdatedAt(thirtySecondsAgo)).toBe('just now');
+	});
+
+	it('returns minutes ago', () => {
+		const fiveMinAgo = new Date('2026-02-26T11:55:00Z').toISOString();
+		expect(formatStatusUpdatedAt(fiveMinAgo)).toBe('5m ago');
+	});
+
+	it('returns hours ago', () => {
+		const threeHoursAgo = new Date('2026-02-26T09:00:00Z').toISOString();
+		expect(formatStatusUpdatedAt(threeHoursAgo)).toBe('3h ago');
+	});
+
+	it('returns days ago', () => {
+		const twoDaysAgo = new Date('2026-02-24T12:00:00Z').toISOString();
+		expect(formatStatusUpdatedAt(twoDaysAgo)).toBe('2d ago');
+	});
+
+	it('returns formatted date for older than a week', () => {
+		const twoWeeksAgo = new Date('2026-02-10T12:00:00Z').toISOString();
+		const result = formatStatusUpdatedAt(twoWeeksAgo);
+		expect(result).toContain('Feb');
+		expect(result).toContain('10');
+	});
+
+	it('includes year for dates in a different year', () => {
+		const lastYear = new Date('2025-06-15T12:00:00Z').toISOString();
+		const result = formatStatusUpdatedAt(lastYear);
+		expect(result).toContain('2025');
+	});
+});
+
+describe('formatStatusUpdatedAtTooltip', () => {
+	it('returns empty string for null', () => {
+		expect(formatStatusUpdatedAtTooltip(null)).toBe('');
+	});
+
+	it('returns full formatted date string', () => {
+		const date = new Date('2026-02-26T14:30:45Z').toISOString();
+		const result = formatStatusUpdatedAtTooltip(date);
+		expect(result).toContain('2026');
+		expect(result).toContain('February');
+		expect(result).toContain('26');
+	});
+});
diff --git a/src/lib/status/formatting.ts b/src/lib/status/formatting.ts
index 66b3b77..5aecd14 100644
--- a/src/lib/status/formatting.ts
+++ b/src/lib/status/formatting.ts
@@ -1,8 +1,3 @@
-/**
- * Format datetime for display in a user-friendly format
- * @param updatedAt - ISO datetime string or null
- * @returns Formatted string like "2h ago" or "Dec 15"
- */
 export const formatStatusUpdatedAt = (updatedAt: string | null): string => {
 	if (!updatedAt) return '';
 
@@ -19,7 +14,6 @@ export const formatStatusUpdatedAt = (updatedAt: string | null): string => {
 	const diffInDays = Math.floor(diffInHours / 24);
 	if (diffInDays < 7) return `${diffInDays}d ago`;
 
-	// For older dates, show the actual date
 	return date.toLocaleDateString('en-US', {
 		month: 'short',
 		day: 'numeric',
@@ -27,11 +21,6 @@ export const formatStatusUpdatedAt = (updatedAt: string | null): string => {
 	});
 };
 
-/**
- * Format datetime for tooltip display with full date and time
- * @param updatedAt - ISO datetime string or null
- * @returns Formatted string like "Monday, December 15, 2024 at 2:30:45 PM EST"
- */
 export const formatStatusUpdatedAtTooltip = (updatedAt: string | null): string => {
 	if (!updatedAt) return '';
 
diff --git a/src/lib/status/quick.test.ts b/src/lib/status/quick.test.ts
new file mode 100644
index 0000000..179e32c
--- /dev/null
+++ b/src/lib/status/quick.test.ts
@@ -0,0 +1,110 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import { getQuickStatuses, saveQuickStatuses } from './quick';
+
+const localStorageMock = (() => {
+	let store: Record<string, string> = {};
+	return {
+		getItem: vi.fn((key: string) => store[key] ?? null),
+		setItem: vi.fn((key: string, value: string) => {
+			store[key] = value;
+		}),
+		removeItem: vi.fn((key: string) => {
+			delete store[key];
+		}),
+		clear: vi.fn(() => {
+			store = {};
+		}),
+		get length() {
+			return Object.keys(store).length;
+		},
+		key: vi.fn((index: number) => Object.keys(store)[index] ?? null)
+	};
+})();
+
+Object.defineProperty(globalThis, 'window', {
+	value: { localStorage: localStorageMock },
+	writable: true
+});
+Object.defineProperty(globalThis, 'localStorage', {
+	value: localStorageMock,
+	writable: true
+});
+
+describe('getQuickStatuses', () => {
+	beforeEach(() => {
+		localStorageMock.clear();
+		vi.clearAllMocks();
+	});
+
+	it('returns default statuses when nothing is stored', () => {
+		const statuses = getQuickStatuses();
+		expect(statuses).toHaveLength(4);
+		expect(statuses[0].status_text).toBe('Travelling');
+		expect(statuses[1].status_text).toBe('Sleeping');
+		expect(statuses[2].status_text).toBe('Working');
+		expect(statuses[3].status_text).toBe('Lounging');
+	});
+
+	it('returns stored statuses when available', () => {
+		const stored = [
+			{ id: 'a', status_text: 'Coding', display_order: 0 },
+			{ id: 'b', status_text: 'Gaming', display_order: 1 }
+		];
+		localStorageMock.setItem('rez_quick_statuses', JSON.stringify(stored));
+
+		const statuses = getQuickStatuses();
+		expect(statuses).toHaveLength(2);
+		expect(statuses[0].status_text).toBe('Coding');
+		expect(statuses[1].status_text).toBe('Gaming');
+	});
+
+	it('returns defaults for invalid JSON', () => {
+		localStorageMock.setItem('rez_quick_statuses', 'not json');
+		const statuses = getQuickStatuses();
+		expect(statuses).toHaveLength(4);
+	});
+
+	it('filters out malformed entries', () => {
+		const stored = [
+			{ id: 'a', status_text: 'Valid', display_order: 0 },
+			{ id: 123, status_text: 'Bad ID', display_order: 1 },
+			{ status_text: 'No ID', display_order: 2 }
+		];
+		localStorageMock.setItem('rez_quick_statuses', JSON.stringify(stored));
+
+		const statuses = getQuickStatuses();
+		expect(statuses).toHaveLength(1);
+		expect(statuses[0].status_text).toBe('Valid');
+	});
+});
+
+describe('saveQuickStatuses', () => {
+	beforeEach(() => {
+		localStorageMock.clear();
+		vi.clearAllMocks();
+	});
+
+	it('saves non-empty statuses to localStorage', () => {
+		saveQuickStatuses(['Working', 'Gaming', '']);
+
+		const stored = JSON.parse(localStorageMock.getItem('rez_quick_statuses')!);
+		expect(stored).toHaveLength(2);
+		expect(stored[0].status_text).toBe('Working');
+		expect(stored[1].status_text).toBe('Gaming');
+	});
+
+	it('trims whitespace from statuses', () => {
+		saveQuickStatuses(['  Coding  ']);
+
+		const stored = JSON.parse(localStorageMock.getItem('rez_quick_statuses')!);
+		expect(stored[0].status_text).toBe('Coding');
+	});
+
+	it('filters out empty and whitespace-only statuses', () => {
+		saveQuickStatuses(['', '   ', 'Valid']);
+
+		const stored = JSON.parse(localStorageMock.getItem('rez_quick_statuses')!);
+		expect(stored).toHaveLength(1);
+		expect(stored[0].status_text).toBe('Valid');
+	});
+});
diff --git a/src/lib/status/quick.ts b/src/lib/status/quick.ts
index 36f319b..4f8f8b7 100644
--- a/src/lib/status/quick.ts
+++ b/src/lib/status/quick.ts
@@ -1,8 +1,3 @@
-/**
- * Quick Status localStorage management
- * Handles storing and retrieving quick statuses from the browser's localStorage
- */
-
 export interface QuickStatus {
 	id: string;
 	status_text: string;
@@ -11,10 +6,6 @@ export interface QuickStatus {
 
 const QUICK_STATUS_STORAGE_KEY = 'rez_quick_statuses';
 
-/**
- * Get quick statuses from localStorage
- * Returns an empty array if none exist or if localStorage is not available
- */
 export function getQuickStatuses(): QuickStatus[] {
 	if (typeof window === 'undefined' || !window.localStorage) {
 		return [];
@@ -27,7 +18,6 @@ export function getQuickStatuses(): QuickStatus[] {
 		}
 
 		const parsed = JSON.parse(stored);
-		// Validate the structure
 		if (Array.isArray(parsed)) {
 			return parsed.filter(
 				(item) =>
@@ -44,10 +34,6 @@ export function getQuickStatuses(): QuickStatus[] {
 	}
 }
 
-/**
- * Save quick statuses to localStorage
- * Filters out empty statuses and validates the data
- */
 export function saveQuickStatuses(statuses: string[]): void {
 	if (typeof window === 'undefined' || !window.localStorage) {
 		console.warn('localStorage not available');
@@ -55,12 +41,11 @@ export function saveQuickStatuses(statuses: string[]): void {
 	}
 
 	try {
-		// Filter out empty statuses and create QuickStatus objects
 		const validStatuses: QuickStatus[] = statuses
 			.map((text, index) => ({ text: text.trim(), order: index }))
 			.filter((qs) => qs.text.length > 0)
 			.map((qs) => ({
-				id: `local_${qs.order}_${Date.now()}`, // Generate unique ID
+				id: `local_${qs.order}_${Date.now()}`,
 				status_text: qs.text,
 				display_order: qs.order
 			}));
@@ -71,9 +56,6 @@ export function saveQuickStatuses(statuses: string[]): void {
 	}
 }
 
-/**
- * Get default quick statuses for new users
- */
 function getDefaultQuickStatuses(): QuickStatus[] {
 	return [
 		{ id: 'default_0', status_text: 'Travelling', display_order: 0 },
@@ -82,4 +64,3 @@ function getDefaultQuickStatuses(): QuickStatus[] {
 		{ id: 'default_3', status_text: 'Lounging', display_order: 3 }
 	];
 }
-
diff --git a/src/lib/status/validation.test.ts b/src/lib/status/validation.test.ts
new file mode 100644
index 0000000..eb6c9cd
--- /dev/null
+++ b/src/lib/status/validation.test.ts
@@ -0,0 +1,22 @@
+import { describe, it, expect } from 'vitest';
+import { validateStatus, MAX_STATUS_LENGTH } from './validation';
+
+describe('validateStatus', () => {
+	it('accepts empty status', () => {
+		expect(validateStatus('')).toBeNull();
+	});
+
+	it('accepts status within limit', () => {
+		expect(validateStatus('Working')).toBeNull();
+		expect(validateStatus('a'.repeat(MAX_STATUS_LENGTH))).toBeNull();
+	});
+
+	it('rejects status exceeding limit', () => {
+		const long = 'a'.repeat(MAX_STATUS_LENGTH + 1);
+		expect(validateStatus(long)).toBe(`Status must be ${MAX_STATUS_LENGTH} characters or less`);
+	});
+
+	it('enforces documented max length constant', () => {
+		expect(MAX_STATUS_LENGTH).toBe(42);
+	});
+});
diff --git a/src/lib/ui/DebugPanel.svelte b/src/lib/ui/DebugPanel.svelte
index 01a82e0..393370f 100644
--- a/src/lib/ui/DebugPanel.svelte
+++ b/src/lib/ui/DebugPanel.svelte
@@ -8,7 +8,6 @@
 		data?: unknown;
 	}
 
-	// Props: show on errors or always show on iOS
 	let { hasError = $bindable(false), openOnMount = false } = $props();
 
 	let isOpen = $state(false);
@@ -16,7 +15,6 @@
 	let isIOS = $state(false);
 	let showPanel = $state(false);
 
-	// Expose function to open panel from outside
 	function openPanel() {
 		showPanel = true;
 		isOpen = true;
@@ -25,17 +23,13 @@
 	export { openPanel };
 
 	onMount(() => {
-		// Detect iOS
 		isIOS = /iPad|iPhone|iPod/.test(navigator.userAgent);
 
-		// Show debug panel button on iOS, if explicitly enabled, or if there's an error
-		// Check for debug mode in localStorage (only in browser)
 		if (typeof window !== 'undefined' && typeof localStorage !== 'undefined') {
 			const debugMode = localStorage.getItem('debug-mode') === 'true';
 			showPanel = debugMode || isIOS || hasError;
 
 			if (showPanel) {
-				// Initialize with current page info
 				addLog('info', 'Debug panel initialized', {
 					userAgent: navigator.userAgent,
 					isIOS,
@@ -45,19 +39,16 @@
 				});
 			}
 
-			// Auto-open if requested (e.g., from button click)
 			if (openOnMount) {
 				isOpen = true;
 			}
 		} else if (hasError) {
-			// Show panel even if localStorage isn't available, if there's an error
 			showPanel = true;
 			if (openOnMount) {
 				isOpen = true;
 			}
 		}
 
-		// Intercept console methods to capture logs
 		const originalLog = console.log;
 		const originalWarn = console.warn;
 		const originalError = console.error;
@@ -77,7 +68,6 @@
 			addLog('error', args.join(' '), args.length > 1 ? args.slice(1) : undefined);
 		};
 
-		// Capture unhandled errors
 		window.addEventListener('error', (event) => {
 			addLog('error', `Unhandled error: ${event.message}`, {
 				filename: event.filename,
@@ -87,7 +77,6 @@
 			});
 		});
 
-		// Capture unhandled promise rejections
 		window.addEventListener('unhandledrejection', (event) => {
 			addLog('error', `Unhandled promise rejection: ${event.reason}`, {
 				reason: event.reason
@@ -111,7 +100,6 @@
 				data
 			}
 		];
-		// Keep only last 100 logs
 		if (logs.length > 100) {
 			logs = logs.slice(-100);
 		}
@@ -157,18 +145,14 @@
 		return false;
 	}
 
-	// Expose function to add logs from outside
-	// In Svelte 5, we use a method that can be called via component instance
 	function addDebugLog(level: LogEntry['level'], message: string, data?: unknown) {
 		addLog(level, message, data);
 	}
 
-	// Export the method for external access
 	export { addDebugLog };
 </script>
 
 {#if showPanel}
-	<!-- Floating debug button -->
 	<button
 		class="btn btn-circle btn-sm btn-warning fixed right-4 bottom-4 z-50 shadow-lg"
 		onclick={() => (isOpen = !isOpen)}
@@ -191,7 +175,6 @@
 		</svg>
 	</button>
 
-	<!-- Debug panel modal -->
 	{#if isOpen}
 		<div class="bg-opacity-50 fixed inset-0 z-50 flex items-center justify-center bg-black p-4">
 			<div class="card bg-base-100 max-h-[90vh] w-full max-w-2xl shadow-2xl">
@@ -203,7 +186,6 @@
 						</button>
 					</div>
 
-					<!-- Device Info -->
 					<div class="bg-base-200 mb-4 rounded-lg p-3">
 						<h3 class="mb-2 font-semibold">Device Information</h3>
 						<div class="space-y-1 text-sm">
@@ -218,7 +200,6 @@
 						</div>
 					</div>
 
-					<!-- Logs -->
 					<div class="mb-4">
 						<div class="mb-2 flex items-center justify-between">
 							<h3 class="font-semibold">Logs ({logs.length})</h3>
@@ -263,7 +244,6 @@
 						</div>
 					</div>
 
-					<!-- Actions -->
 					<div class="card-actions justify-end">
 						<button class="btn btn-sm btn-ghost" onclick={toggleDebugMode}>
 							{getDebugMode() ? 'Disable' : 'Enable'} Debug Mode
@@ -271,7 +251,6 @@
 						<button class="btn btn-sm btn-primary" onclick={() => (isOpen = false)}>Close</button>
 					</div>
 
-					<!-- Help text for Debug Mode -->
 					<div class="bg-base-200 mt-4 rounded-lg p-3 text-xs">
 						<p class="mb-1 font-semibold">About Debug Mode:</p>
 						<p class="text-base-content/70">
diff --git a/src/lib/ui/DotGridBackground.svelte b/src/lib/ui/DotGridBackground.svelte
new file mode 100644
index 0000000..dcbdf3d
--- /dev/null
+++ b/src/lib/ui/DotGridBackground.svelte
@@ -0,0 +1,79 @@
+<div class="dot-grid-bg">
+	<div class="dot-grid-glow glow-1"></div>
+	<div class="dot-grid-glow glow-2"></div>
+</div>
+
+<style>
+	.dot-grid-bg {
+		position: absolute;
+		inset: 0;
+		overflow: hidden;
+		pointer-events: none;
+		background-image: radial-gradient(
+			circle,
+			color-mix(in oklch, var(--color-base-content) 10%, transparent) 1px,
+			transparent 1px
+		);
+		background-size: 32px 32px;
+	}
+
+	.dot-grid-glow {
+		position: absolute;
+		width: 500px;
+		height: 500px;
+		border-radius: 50%;
+		filter: blur(60px);
+		opacity: 0.2;
+		will-change: transform;
+	}
+
+	.glow-1 {
+		background: var(--color-primary);
+		top: -10%;
+		left: -10%;
+		animation: orbit1 25s ease-in-out infinite;
+	}
+
+	.glow-2 {
+		background: var(--color-secondary);
+		top: 30%;
+		left: 50%;
+		animation: orbit2 35s ease-in-out infinite;
+	}
+
+	@keyframes orbit1 {
+		0% {
+			transform: translate(5vw, 5vh);
+		}
+		25% {
+			transform: translate(45vw, 10vh);
+		}
+		50% {
+			transform: translate(35vw, 50vh);
+		}
+		75% {
+			transform: translate(5vw, 40vh);
+		}
+		100% {
+			transform: translate(5vw, 5vh);
+		}
+	}
+
+	@keyframes orbit2 {
+		0% {
+			transform: translate(0, 0);
+		}
+		25% {
+			transform: translate(-30vw, 20vh);
+		}
+		50% {
+			transform: translate(-10vw, -25vh);
+		}
+		75% {
+			transform: translate(15vw, 15vh);
+		}
+		100% {
+			transform: translate(0, 0);
+		}
+	}
+</style>
diff --git a/src/lib/ui/Navigation.svelte b/src/lib/ui/Navigation.svelte
index 997215e..731006c 100644
--- a/src/lib/ui/Navigation.svelte
+++ b/src/lib/ui/Navigation.svelte
@@ -9,10 +9,8 @@
 		if (!supabase) return;
 
 		try {
-			// First, sign out from Supabase client-side
 			await supabase.auth.signOut();
 
-			// Then call the server-side logout endpoint for thorough cleanup
 			const response = await fetch('/auth/logout', {
 				method: 'POST',
 				headers: {
@@ -21,15 +19,12 @@
 			});
 
 			if (response.ok) {
-				// Server-side logout successful, redirect will be handled by the endpoint
 				window.location.href = '/auth';
 			} else {
-				// Fallback: force redirect even if server-side logout fails
 				window.location.href = '/auth';
 			}
 		} catch (err) {
 			console.error('Logout error:', err);
-			// Even if there's an error, redirect to auth page
 			window.location.href = '/auth';
 		}
 	};
diff --git a/src/lib/ui/RelativeTime.svelte b/src/lib/ui/RelativeTime.svelte
new file mode 100644
index 0000000..c72b992
--- /dev/null
+++ b/src/lib/ui/RelativeTime.svelte
@@ -0,0 +1,24 @@
+<script lang="ts">
+	import { formatStatusUpdatedAt } from '$lib/status/formatting';
+
+	interface Props {
+		timestamp: string | null;
+	}
+
+	let { timestamp }: Props = $props();
+	let now = $state(Date.now());
+
+	$effect(() => {
+		const interval = setInterval(() => {
+			now = Date.now();
+		}, 30_000);
+		return () => clearInterval(interval);
+	});
+
+	let display = $derived.by(() => {
+		void now;
+		return formatStatusUpdatedAt(timestamp);
+	});
+</script>
+
+{display}
diff --git a/src/lib/ui/Toast.svelte b/src/lib/ui/Toast.svelte
index 8b2deff..cba44f0 100644
--- a/src/lib/ui/Toast.svelte
+++ b/src/lib/ui/Toast.svelte
@@ -5,14 +5,12 @@
 
 	let { toast }: { toast: Toast } = $props();
 
-	// Map toast types to DaisyUI alert classes
 	const alertClasses = {
 		success: 'alert-success',
 		error: 'alert-error',
 		info: 'alert-info'
 	};
 
-	// Get the appropriate icon for each type
 	const getIcon = (type: Toast['type']) => {
 		switch (type) {
 			case 'success':
diff --git a/src/lib/ui/ToastContainer.svelte b/src/lib/ui/ToastContainer.svelte
index 1fa99cf..eaf825d 100644
--- a/src/lib/ui/ToastContainer.svelte
+++ b/src/lib/ui/ToastContainer.svelte
@@ -3,7 +3,6 @@
 	import Toast from './Toast.svelte';
 </script>
 
-<!-- Toast container positioned at the top-right corner -->
 <div class="toast toast-end toast-top z-50">
 	{#each $toasts as toast (toast.id)}
 		<Toast {toast} />
diff --git a/src/lib/ui/notifications.ts b/src/lib/ui/notifications.ts
index 674e2fc..7bdb368 100644
--- a/src/lib/ui/notifications.ts
+++ b/src/lib/ui/notifications.ts
@@ -1,12 +1,9 @@
 import { toastStore } from './toast.js';
 
-// Notification system using DaisyUI toast components
 export class NotificationManager {
 	private static show(message: string, type: 'success' | 'error' | 'info' = 'info') {
-		// Use the toast store to display notifications
 		toastStore.add(message, type);
 
-		// Keep console logging for errors for debugging
 		if (type === 'error') {
 			console.error(message);
 		}
@@ -21,14 +18,12 @@ export class NotificationManager {
 	}
 }
 
-// Database error handler
 export function handleDatabaseError(error: unknown, operation: string): boolean {
 	console.error(`Database error during ${operation}:`, error);
 	NotificationManager.showError(`Failed to ${operation}`);
 	return false;
 }
 
-// Display name utility
 export function getDisplayName(displayName: string | null, username: string): string {
 	return displayName || username;
 }
diff --git a/src/lib/ui/toast.ts b/src/lib/ui/toast.ts
index 6ddb004..6943fc5 100644
--- a/src/lib/ui/toast.ts
+++ b/src/lib/ui/toast.ts
@@ -4,23 +4,20 @@ export interface Toast {
 	id: string;
 	message: string;
 	type: 'success' | 'error' | 'info';
-	duration?: number; // milliseconds, undefined means no auto-dismiss
+	duration?: number;
 }
 
-// Store for managing toast notifications
 export const toasts = writable<Toast[]>([]);
 
 let toastIdCounter = 0;
 
 export const toastStore = {
-	// Add a new toast
 	add: (message: string, type: Toast['type'] = 'info', duration = 5000) => {
 		const id = `toast-${++toastIdCounter}`;
 		const toast: Toast = { id, message, type, duration };
 
 		toasts.update((current) => [...current, toast]);
 
-		// Auto-dismiss after duration if specified
 		if (duration > 0) {
 			setTimeout(() => {
 				toastStore.remove(id);
@@ -30,18 +27,15 @@ export const toastStore = {
 		return id;
 	},
 
-	// Remove a specific toast
 	remove: (id: string) => {
 		toasts.update((current) => current.filter((toast) => toast.id !== id));
 	},
 
-	// Clear all toasts
 	clear: () => {
 		toasts.set([]);
 	},
 
-	// Convenience methods
 	success: (message: string, duration = 5000) => toastStore.add(message, 'success', duration),
-	error: (message: string, duration = 8000) => toastStore.add(message, 'error', duration), // Errors stay longer
+	error: (message: string, duration = 8000) => toastStore.add(message, 'error', duration),
 	info: (message: string, duration = 5000) => toastStore.add(message, 'info', duration)
 };
diff --git a/src/routes/+layout.svelte b/src/routes/+layout.svelte
index 548830e..c045b16 100644
--- a/src/routes/+layout.svelte
+++ b/src/routes/+layout.svelte
@@ -10,10 +10,8 @@
 	let { data, children } = $props();
 	let { session, supabase } = $derived(data);
 
-	// Centralized title management based on current route
 	let pageTitle = $state('Rez');
 
-	// Update title based on current route
 	$effect(() => {
 		const pathname = page.url.pathname;
 
@@ -37,21 +35,23 @@
 
 		const { data: authListener } = supabase.auth.onAuthStateChange(
 			(event: AuthChangeEvent, newSession: Session | null) => {
-				// Following official docs pattern with our security enhancements
 				if (newSession?.expires_at !== session?.expires_at) {
 					invalidate('supabase:auth');
 				}
 
-				// Handle sign out - ensure complete cleanup
-				if (event === 'SIGNED_OUT') {
-					// Clear any remaining client-side auth state
-					invalidate('supabase:auth');
-					// If we're not already on the auth page, redirect
-					if (!window.location.pathname.startsWith('/auth')) {
-						window.location.href = '/auth';
-					}
+			if (event === 'PASSWORD_RECOVERY') {
+				if (!window.location.pathname.startsWith('/auth/reset-password')) {
+					window.location.href = '/auth/reset-password';
 				}
 			}
+
+			if (event === 'SIGNED_OUT') {
+				invalidate('supabase:auth');
+				if (!window.location.pathname.startsWith('/auth')) {
+					window.location.href = '/auth';
+				}
+			}
+			}
 		);
 
 		return () => authListener.subscription.unsubscribe();
@@ -63,7 +63,7 @@
 </svelte:head>
 
 <div class="bg-base-100 flex min-h-screen flex-col">
-	<main class="flex-grow">
+	<main class="flex grow flex-col">
 		{@render children()}
 	</main>
 
diff --git a/src/routes/+layout.ts b/src/routes/+layout.ts
index 1d85634..470273d 100644
--- a/src/routes/+layout.ts
+++ b/src/routes/+layout.ts
@@ -3,10 +3,6 @@ import { createBrowserClient, createServerClient, isBrowser } from '@supabase/ss
 import type { LayoutLoad } from './$types';
 
 export const load: LayoutLoad = async ({ data, depends, fetch }) => {
-	/**
-	 * Declare a dependency so the layout can be invalidated, for example, on
-	 * session refresh.
-	 */
 	depends('supabase:auth');
 
 	const supabase = isBrowser()
@@ -22,11 +18,7 @@ export const load: LayoutLoad = async ({ data, depends, fetch }) => {
 				}
 			});
 
-	/**
-	 * It's fine to use `getSession` here, because on the client, `getSession` is
-	 * safe, and on the server, it reads `session` from the `LayoutData`, which
-	 * safely checked the session using `safeGetSession`.
-	 */
+	// getSession is safe here: on the server it reads from LayoutData validated by safeGetSession
 	const {
 		data: { session }
 	} = await supabase.auth.getSession();
diff --git a/src/routes/+page.svelte b/src/routes/+page.svelte
index 3bfd01f..b6f688d 100644
--- a/src/routes/+page.svelte
+++ b/src/routes/+page.svelte
@@ -1,16 +1,17 @@
 <script>
 	import { resolve } from '$app/paths';
+	import DotGridBackground from '$lib/ui/DotGridBackground.svelte';
 </script>
 
-<!-- Hero Section -->
-<div class="hero from-primary to-secondary text-primary-content min-h-screen bg-gradient-to-br">
+<div class="hero from-primary to-secondary text-primary-content relative grow bg-gradient-to-br">
+	<DotGridBackground />
 	<div class="hero-overlay bg-opacity-60"></div>
 	<div class="hero-content text-center">
 		<div class="animate-fade-in-up max-w-md">
 			<h1 class="relative mb-5 text-5xl font-bold md:text-7xl">
 				<div class="grid">
 					<span
-						class="pointer-events-none col-start-1 row-start-1 [transform:translate3d(0,0,0)] bg-[linear-gradient(90deg,var(--color-secondary)_4%,color-mix(in_oklch,var(--color-secondary),var(--color-error))_22%,var(--color-primary)_45%,color-mix(in_oklch,var(--color-primary),var(--color-accent))_67%,var(--color-accent)_100.2%)] bg-clip-text opacity-70 blur-xl [-webkit-text-fill-color:transparent] [:root[dir=rtl]_&]:leading-[1.35]"
+						class="text-primary-content pointer-events-none col-start-1 row-start-1 opacity-50 blur-xl [:root[dir=rtl]_&]:leading-[1.35]"
 						aria-hidden="true">Rezonate</span
 					>
 					<span class="relative z-10 col-start-1 row-start-1">Rezonate</span>
@@ -20,9 +21,13 @@
 			<p class="mb-5 text-xl md:text-2xl">
 				Connect to people. Stay up to date. Always in the know.
 			</p>
-			<div class="flex flex-col gap-4 sm:flex-row sm:justify-center">
-				<a href={resolve('/dashboard')} class="btn btn-accent btn-lg" aria-label="Go to dashboard">
-					<svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24"
+			<div class="flex justify-center">
+				<a
+					href={resolve('/dashboard')}
+					class="hero-cta group relative flex h-16 w-16 items-center justify-center rounded-full border border-white/20 bg-white/10 backdrop-blur-md transition-all duration-300 hover:scale-110 hover:bg-white/20"
+					aria-label="Go to dashboard"
+				>
+					<svg xmlns="http://www.w3.org/2000/svg" width="28" height="28" viewBox="0 0 24 24" class="relative z-10 drop-shadow-md transition-transform duration-300 group-hover:scale-110"
 						><path
 							fill="currentColor"
 							d="M16.434 8.596c1.152 0 2.237.449 3.053 1.264c.815.816 1.266 1.9 1.266 3.056s-.45 2.239-1.268 3.056c-.813.815-1.898 1.266-3.053 1.266s-2.238-.449-3.055-1.266l-1.376-1.32l-1.395 1.338a4.27 4.27 0 0 1-3.036 1.248a4.28 4.28 0 0 1-3.054-1.267c-.815-.813-1.265-1.899-1.265-3.053s.45-2.237 1.267-3.056a4.3 4.3 0 0 1 3.053-1.266c1.154 0 2.239.449 3.055 1.266l1.375 1.32l1.396-1.34a4.28 4.28 0 0 1 3.037-1.246m0-2c-1.679 0-3.25.645-4.433 1.813a6.25 6.25 0 0 0-4.43-1.813a6.27 6.27 0 0 0-4.467 1.853c-1.194 1.192-1.852 2.78-1.852 4.469s.658 3.274 1.852 4.468a6.28 6.28 0 0 0 4.468 1.852a6.25 6.25 0 0 0 4.431-1.814a6.25 6.25 0 0 0 4.431 1.814a6.27 6.27 0 0 0 4.469-1.854a6.26 6.26 0 0 0 1.852-4.467a6.3 6.3 0 0 0-1.852-4.47a6.28 6.28 0 0 0-4.469-1.851m-8.863 5.5c.225 0 .426.088.612.271l.57.548l-.603.579a.8.8 0 0 1-.578.223a.82.82 0 0 1-.58-.223a.8.8 0 0 1-.24-.578c0-.221.084-.422.243-.581a.8.8 0 0 1 .576-.239m0-1c-.486 0-.942.189-1.285.533a1.8 1.8 0 0 0-.535 1.287c0 .484.189.941.533 1.285s.815.516 1.287.516a1.8 1.8 0 0 0 1.285-.516l1.339-1.285l-1.321-1.27a1.82 1.82 0 0 0-1.303-.55m8.863 1.017a.8.8 0 0 1 .576.219c.158.159.242.359.242.582s-.083.422-.243.581a.8.8 0 0 1-.571.228a.86.86 0 0 1-.617-.261l-.571-.548l.603-.578a.8.8 0 0 1 .581-.223m0-1c-.472 0-.943.172-1.287.516l-1.34 1.285l1.322 1.27a1.85 1.85 0 0 0 1.311.539a1.8 1.8 0 0 0 1.813-1.808a1.8 1.8 0 0 0-.532-1.287a1.82 1.82 0 0 0-1.287-.515"
@@ -32,36 +37,9 @@
 			</div>
 		</div>
 	</div>
-
-	<!-- Floating Elements -->
-	<div
-		class="animate-float bg-primary-content/10 absolute top-20 left-10 h-20 w-20 rounded-full"
-	></div>
-	<div
-		class="animate-float bg-primary-content/10 absolute top-40 right-20 h-16 w-16 rounded-full"
-		style="animation-delay: -2s;"
-	></div>
-	<div
-		class="animate-float bg-primary-content/10 absolute bottom-20 left-20 h-12 w-12 rounded-full"
-		style="animation-delay: -4s;"
-	></div>
-	<div
-		class="animate-float bg-primary-content/10 absolute right-10 bottom-40 h-24 w-24 rounded-full"
-		style="animation-delay: -1s;"
-	></div>
 </div>
 
 <style>
-	@keyframes float {
-		0%,
-		100% {
-			transform: translateY(0px);
-		}
-		50% {
-			transform: translateY(-20px);
-		}
-	}
-
 	@keyframes fadeInUp {
 		from {
 			opacity: 0;
@@ -73,33 +51,25 @@
 		}
 	}
 
-	@keyframes fadeIn {
-		from {
-			opacity: 0;
+	@keyframes pulse-glow {
+		0%,
+		100% {
+			box-shadow:
+				0 0 15px 2px rgba(255, 255, 255, 0.15),
+				0 0 40px 8px rgba(255, 255, 255, 0.08);
 		}
-		to {
-			opacity: 1;
+		50% {
+			box-shadow:
+				0 0 20px 6px rgba(255, 255, 255, 0.25),
+				0 0 60px 16px rgba(255, 255, 255, 0.12);
 		}
 	}
 
-	.animate-float {
-		animation: float 6s ease-in-out infinite;
-	}
-
 	.animate-fade-in-up {
 		animation: fadeInUp 0.8s ease-out forwards;
 	}
 
-	.hero::before {
-		content: '';
-		position: absolute;
-		top: 0;
-		left: 0;
-		right: 0;
-		bottom: 0;
-		background: url("data:image/svg+xml,%3Csvg width='60' height='60' viewBox='0 0 60 60' xmlns='http://www.w3.org/2000/svg'%3E%3Cg fill='none' fill-rule='evenodd'%3E%3Cg fill='%23ffffff' fill-opacity='0.1'%3E%3Ccircle cx='30' cy='30' r='2'/%3E%3C/g%3E%3C/g%3E%3C/svg%3E")
-			repeat;
-		animation: float 20s linear infinite;
-		pointer-events: none;
+	.hero-cta {
+		animation: pulse-glow 4s ease-in-out infinite;
 	}
 </style>
diff --git a/src/routes/auth/+layout.svelte b/src/routes/auth/+layout.svelte
index 17d34e7..a73dd26 100644
--- a/src/routes/auth/+layout.svelte
+++ b/src/routes/auth/+layout.svelte
@@ -1,5 +1,10 @@
 <script>
+	import DotGridBackground from '$lib/ui/DotGridBackground.svelte';
+
 	let { children } = $props();
 </script>
 
-{@render children()}
+<div class="bg-base-200 relative flex grow">
+	<DotGridBackground />
+	{@render children()}
+</div>
diff --git a/src/routes/auth/+page.server.ts b/src/routes/auth/+page.server.ts
index a949352..987fd57 100644
--- a/src/routes/auth/+page.server.ts
+++ b/src/routes/auth/+page.server.ts
@@ -24,11 +24,8 @@ export const actions: Actions = {
 			});
 		}
 
-		// Check if email confirmation is required
-		// Supabase may return a user but no session if email confirmation is required
-		if (data.user && !data.session) {
-			// Email confirmation required — return a plain object so result.type === 'success'
-			// Using fail() here would set result.type === 'failure' and break the client handler
+		const emailConfirmationRequired = data.user && !data.session;
+		if (emailConfirmationRequired) {
 			return {
 				requiresConfirmation: true,
 				message: 'Please check your email to confirm your account before signing in.',
@@ -36,16 +33,14 @@ export const actions: Actions = {
 			};
 		}
 
-		// Signup successful with session
 		if (data.session) {
 			redirect(303, '/dashboard');
-		} else {
-			// Edge case: no error but also no session/user
-			return fail(500, {
-				error: 'Signup completed but no session was created. Please try logging in.',
-				email
-			});
 		}
+
+		return fail(500, {
+			error: 'Signup completed but no session was created. Please try logging in.',
+			email
+		});
 	},
 	login: async ({ request, locals: { supabase } }) => {
 		const formData = await request.formData();
@@ -62,5 +57,18 @@ export const actions: Actions = {
 		}
 
 		redirect(303, '/dashboard');
+	},
+	forgotPassword: async ({ request, locals: { supabase }, url }) => {
+		const formData = await request.formData();
+		const email = formData.get('email') as string;
+
+		await supabase.auth.resetPasswordForEmail(email, {
+			redirectTo: `${url.origin}/auth/confirm?next=/auth/reset-password`
+		});
+
+		return {
+			forgotPasswordSuccess: true,
+			message: "If an account exists with that email, you'll receive a password reset link."
+		};
 	}
 };
diff --git a/src/routes/auth/+page.svelte b/src/routes/auth/+page.svelte
index 83fac72..5cc54a2 100644
--- a/src/routes/auth/+page.svelte
+++ b/src/routes/auth/+page.svelte
@@ -1,294 +1,494 @@
-<script lang="ts">
-	import { applyAction, enhance } from '$app/forms';
-	import DebugPanel from '$lib/ui/DebugPanel.svelte';
-
-	let activeTab = $state<'login' | 'signup'>('login');
-	let signupError = $state<string | null>(null);
-	let signupSuccess = $state<string | null>(null);
-	let loginError = $state<string | null>(null);
-	let debugPanel: DebugPanel | null = $state(null);
-	let hasAuthError = $derived(signupError !== null || loginError !== null);
-
-	function handleTabKeydown(e: KeyboardEvent, targetTab: 'login' | 'signup') {
-		if (e.key === 'Enter' || e.key === ' ') {
-			e.preventDefault();
-			activeTab = targetTab;
-		} else if (e.key === 'ArrowLeft' || e.key === 'ArrowRight') {
-			e.preventDefault();
-			activeTab = activeTab === 'login' ? 'signup' : 'login';
-		}
-	}
-
-	function clearErrors() {
-		signupError = null;
-		loginError = null;
-		signupSuccess = null;
-	}
-</script>
-
-<div class="bg-base-200 flex min-h-screen items-center justify-center p-4">
-	<div class="card bg-base-100 w-full max-w-md shadow-xl">
-		<div class="card-body">
-			<h1 class="card-title mb-6 justify-center text-2xl">Welcome!</h1>
-
-			<!-- Tabs for Login/Signup -->
-			<div role="tablist" class="tabs tabs-boxed mb-6" aria-label="Authentication options">
-				<button
-					role="tab"
-					aria-selected={activeTab === 'login'}
-					aria-controls="login-panel"
-					id="login-tab"
-					class="tab flex-1"
-					class:tab-active={activeTab === 'login'}
-					onclick={() => (activeTab = 'login')}
-					onkeydown={(e) => handleTabKeydown(e, 'login')}
-				>
-					Sign In
-				</button>
-				<button
-					role="tab"
-					aria-selected={activeTab === 'signup'}
-					aria-controls="signup-panel"
-					id="signup-tab"
-					class="tab flex-1"
-					class:tab-active={activeTab === 'signup'}
-					onclick={() => (activeTab = 'signup')}
-					onkeydown={(e) => handleTabKeydown(e, 'signup')}
-				>
-					Sign Up
-				</button>
-			</div>
-
-			<!-- Login Form -->
-			<div
-				id="login-panel"
-				role="tabpanel"
-				aria-labelledby="login-tab"
-				class:hidden={activeTab !== 'login'}
-			>
-				{#if loginError}
-					<div class="alert alert-error mb-4" role="alert">
-						<svg
-							xmlns="http://www.w3.org/2000/svg"
-							class="h-6 w-6 shrink-0 stroke-current"
-							fill="none"
-							viewBox="0 0 24 24"
-						>
-							<path
-								stroke-linecap="round"
-								stroke-linejoin="round"
-								stroke-width="2"
-								d="M10 14l2-2m0 0l2-2m-2 2l-2-2m2 2l2 2m7-2a9 9 0 11-18 0 9 9 0 0118 0z"
-							/>
-						</svg>
-						<div class="flex-1">
-							<span>{loginError}</span>
-							<div class="mt-2">
-								<button
-									class="btn btn-sm btn-outline"
-									onclick={() => {
-										if (debugPanel) {
-											debugPanel.openPanel();
-										}
-									}}
-								>
-									View Debug Info
-								</button>
-							</div>
-						</div>
-						<button class="btn btn-sm btn-ghost" onclick={clearErrors}>✕</button>
-					</div>
-				{/if}
-
-				<form
-					method="POST"
-					action="?/login"
-					class="space-y-4"
-					use:enhance={() => {
-						return async ({ result }) => {
-							if (result.type === 'failure' && result.data) {
-								const data = result.data as { error?: string; errorCode?: string };
-								loginError = data.error || 'Login failed. Please try again.';
-								if (debugPanel) {
-									debugPanel.addDebugLog('error', 'Login form error', { errorCode: data.errorCode });
-								}
-							} else {
-								await applyAction(result);
-							}
-						};
-					}}
-				>
-					<div class="form-control">
-						<label class="label" for="login-email">
-							<span class="label-text font-medium">Email address</span>
-						</label>
-						<input
-							id="login-email"
-							name="email"
-							type="email"
-							autocomplete="email"
-							placeholder="your@email.com"
-							required
-							aria-required="true"
-							class="input input-bordered w-full"
-						/>
-					</div>
-
-					<div class="form-control">
-						<label class="label" for="login-password">
-							<span class="label-text font-medium">Password</span>
-						</label>
-						<input
-							id="login-password"
-							name="password"
-							type="password"
-							autocomplete="current-password"
-							placeholder="Enter your password"
-							required
-							aria-required="true"
-							class="input input-bordered w-full"
-						/>
-					</div>
-
-					<div class="form-control mt-6">
-						<button type="submit" class="btn btn-primary w-full"> Sign In </button>
-					</div>
-				</form>
-			</div>
-
-			<!-- Signup Form -->
-			<div
-				id="signup-panel"
-				role="tabpanel"
-				aria-labelledby="signup-tab"
-				class:hidden={activeTab !== 'signup'}
-			>
-				{#if signupError}
-					<div class="alert alert-error mb-4" role="alert">
-						<svg
-							xmlns="http://www.w3.org/2000/svg"
-							class="h-6 w-6 shrink-0 stroke-current"
-							fill="none"
-							viewBox="0 0 24 24"
-						>
-							<path
-								stroke-linecap="round"
-								stroke-linejoin="round"
-								stroke-width="2"
-								d="M10 14l2-2m0 0l2-2m-2 2l-2-2m2 2l2 2m7-2a9 9 0 11-18 0 9 9 0 0118 0z"
-							/>
-						</svg>
-						<div class="flex-1">
-							<span class="font-semibold">Signup Error</span>
-							<p class="text-sm">{signupError}</p>
-							<div class="mt-2">
-								<button
-									class="btn btn-sm btn-outline"
-									onclick={() => {
-										if (debugPanel) {
-											debugPanel.openPanel();
-										}
-									}}
-								>
-									View Debug Info
-								</button>
-							</div>
-						</div>
-						<button class="btn btn-sm btn-ghost" onclick={clearErrors}>✕</button>
-					</div>
-				{/if}
-
-				{#if signupSuccess}
-					<div class="alert alert-success mb-4" role="alert">
-						<svg
-							xmlns="http://www.w3.org/2000/svg"
-							class="h-6 w-6 shrink-0 stroke-current"
-							fill="none"
-							viewBox="0 0 24 24"
-						>
-							<path
-								stroke-linecap="round"
-								stroke-linejoin="round"
-								stroke-width="2"
-								d="M9 12l2 2 4-4m6 2a9 9 0 11-18 0 9 9 0 0118 0z"
-							/>
-						</svg>
-						<span>{signupSuccess}</span>
-						<button class="btn btn-sm btn-ghost" onclick={clearErrors}>✕</button>
-					</div>
-				{/if}
-
-				<form
-					method="POST"
-					action="?/signup"
-					class="space-y-4"
-					use:enhance={() => {
-						return async ({ result }) => {
-							if (result.type === 'failure' && result.data) {
-								const data = result.data as {
-									error?: string;
-									errorCode?: string;
-									errorName?: string;
-									isIOS?: boolean;
-								};
-								signupError = data.error || 'Signup failed. Please try again.';
-								if (debugPanel) {
-									debugPanel.addDebugLog('error', 'Signup form error', data);
-								}
-							} else if (result.type === 'success' && result.data) {
-								const data = result.data as { requiresConfirmation?: boolean; message?: string };
-								if (data.requiresConfirmation) {
-									signupSuccess =
-										data.message || 'Please check your email to confirm your account.';
-									signupError = null;
-								} else {
-									await applyAction(result);
-								}
-							} else {
-								await applyAction(result);
-							}
-						};
-					}}
-				>
-					<div class="form-control">
-						<label class="label" for="signup-email">
-							<span class="label-text font-medium">Email address</span>
-						</label>
-						<input
-							id="signup-email"
-							name="email"
-							type="email"
-							autocomplete="email"
-							placeholder="your@email.com"
-							required
-							aria-required="true"
-							class="input input-bordered w-full"
-						/>
-					</div>
-
-					<div class="form-control">
-						<label class="label" for="signup-password">
-							<span class="label-text font-medium">Password</span>
-						</label>
-						<input
-							id="signup-password"
-							name="password"
-							type="password"
-							autocomplete="new-password"
-							placeholder="Create a password"
-							required
-							aria-required="true"
-							class="input input-bordered w-full"
-						/>
-					</div>
-
-					<div class="form-control mt-6">
-						<button type="submit" class="btn btn-primary w-full"> Create Account </button>
-					</div>
-				</form>
-			</div>
-		</div>
-	</div>
-</div>
-
-<DebugPanel bind:this={debugPanel} hasError={hasAuthError} />
+<script lang="ts">
+	import { applyAction, enhance } from '$app/forms';
+	import DebugPanel from '$lib/ui/DebugPanel.svelte';
+
+	type AuthView = 'login' | 'signup' | 'forgotPassword';
+
+	let view = $state<AuthView>('login');
+	let signupError = $state<string | null>(null);
+	let signupSuccess = $state<string | null>(null);
+	let loginError = $state<string | null>(null);
+	let forgotPasswordSuccess = $state<string | null>(null);
+	let forgotPasswordError = $state<string | null>(null);
+	let debugPanel: DebugPanel | null = $state(null);
+	let hasAuthError = $derived(signupError !== null || loginError !== null);
+
+	let showLoginPassword = $state(false);
+	let showSignupPassword = $state(false);
+
+	let loginEmail = $state('');
+	let loginPassword = $state('');
+	let loginEmailTouched = $state(false);
+	let loginPasswordTouched = $state(false);
+
+	let signupEmail = $state('');
+	let signupPassword = $state('');
+	let signupEmailTouched = $state(false);
+	let signupPasswordTouched = $state(false);
+
+	const MIN_PASSWORD_LENGTH = 6;
+
+	function isValidEmail(email: string): boolean {
+		return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email);
+	}
+
+	let loginEmailError = $derived(
+		loginEmailTouched && loginEmail.length > 0 && !isValidEmail(loginEmail)
+			? 'Please enter a valid email address.'
+			: null
+	);
+	let loginEmailValid = $derived(loginEmailTouched && loginEmail.length > 0 && isValidEmail(loginEmail));
+
+	let loginPasswordError = $derived(
+		loginPasswordTouched && loginPassword.length > 0 && loginPassword.length < MIN_PASSWORD_LENGTH
+			? `Password must be at least ${MIN_PASSWORD_LENGTH} characters.`
+			: null
+	);
+	let loginPasswordValid = $derived(
+		loginPasswordTouched && loginPassword.length >= MIN_PASSWORD_LENGTH
+	);
+
+	let signupEmailError = $derived(
+		signupEmailTouched && signupEmail.length > 0 && !isValidEmail(signupEmail)
+			? 'Please enter a valid email address.'
+			: null
+	);
+	let signupEmailValid = $derived(
+		signupEmailTouched && signupEmail.length > 0 && isValidEmail(signupEmail)
+	);
+
+	let signupPasswordError = $derived(
+		signupPasswordTouched && signupPassword.length > 0 && signupPassword.length < MIN_PASSWORD_LENGTH
+			? `Password must be at least ${MIN_PASSWORD_LENGTH} characters.`
+			: null
+	);
+	let signupPasswordValid = $derived(
+		signupPasswordTouched && signupPassword.length >= MIN_PASSWORD_LENGTH
+	);
+
+	function clearErrors() {
+		signupError = null;
+		loginError = null;
+		signupSuccess = null;
+		forgotPasswordSuccess = null;
+		forgotPasswordError = null;
+	}
+
+	function switchView(target: AuthView) {
+		view = target;
+		clearErrors();
+		loginEmailTouched = false;
+		loginPasswordTouched = false;
+		signupEmailTouched = false;
+		signupPasswordTouched = false;
+		showLoginPassword = false;
+		showSignupPassword = false;
+	}
+</script>
+
+<div class="flex grow items-center justify-center p-4">
+	<div class="card bg-base-100 w-full max-w-md shadow-xl">
+		<div class="card-body gap-6 p-8 sm:p-10">
+
+			{#if view === 'login'}
+				<h1 class="text-base-content text-center text-3xl font-bold tracking-tight">
+					Sign In
+				</h1>
+
+				{#if loginError}
+					<div class="alert alert-error" role="alert">
+						<svg xmlns="http://www.w3.org/2000/svg" class="h-6 w-6 shrink-0 stroke-current" fill="none" viewBox="0 0 24 24">
+							<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M10 14l2-2m0 0l2-2m-2 2l-2-2m2 2l2 2m7-2a9 9 0 11-18 0 9 9 0 0118 0z" />
+						</svg>
+						<div class="flex-1">
+							<span class="text-base font-medium">{loginError}</span>
+							<div class="mt-2">
+								<button
+									class="btn btn-sm btn-outline"
+									onclick={() => { if (debugPanel) debugPanel.openPanel(); }}
+								>
+									View Debug Info
+								</button>
+							</div>
+						</div>
+						<button class="btn btn-sm btn-ghost" onclick={clearErrors} aria-label="Dismiss error">✕</button>
+					</div>
+				{/if}
+
+				<form
+					method="POST"
+					action="?/login"
+					class="space-y-5"
+					use:enhance={() => {
+						return async ({ result }) => {
+							if (result.type === 'failure' && result.data) {
+								const data = result.data as { error?: string; errorCode?: string };
+								loginError = data.error || 'Login failed. Please try again.';
+								if (debugPanel) {
+									debugPanel.addDebugLog('error', 'Login form error', {
+										errorCode: data.errorCode
+									});
+								}
+							} else {
+								await applyAction(result);
+							}
+						};
+					}}
+				>
+					<div class="form-control">
+						<label class="label pb-1.5" for="login-email">
+							<span class="label-text text-base font-semibold text-base-content">Email address</span>
+						</label>
+						<div class="relative">
+							<input
+								id="login-email"
+								name="email"
+								type="email"
+								autocomplete="email"
+								placeholder="you@example.com"
+								required
+								aria-required="true"
+								aria-describedby={loginEmailError ? 'login-email-error' : undefined}
+								aria-invalid={loginEmailError ? 'true' : undefined}
+								bind:value={loginEmail}
+								onblur={() => (loginEmailTouched = true)}
+								class="input input-bordered h-12 w-full px-4 text-base {loginEmailError ? 'input-error' : ''} {loginEmailValid ? 'input-success' : ''}"
+							/>
+							{#if loginEmailValid}
+								<span class="pointer-events-none absolute right-3 top-1/2 -translate-y-1/2 text-success" aria-hidden="true">
+									<svg xmlns="http://www.w3.org/2000/svg" class="h-5 w-5" viewBox="0 0 20 20" fill="currentColor">
+										<path fill-rule="evenodd" d="M16.707 5.293a1 1 0 010 1.414l-8 8a1 1 0 01-1.414 0l-4-4a1 1 0 011.414-1.414L8 12.586l7.293-7.293a1 1 0 011.414 0z" clip-rule="evenodd" />
+									</svg>
+								</span>
+							{/if}
+						</div>
+					<div id="login-email-error" class="mt-1.5 flex items-center gap-1.5 text-error" class:invisible={!loginEmailError} role={loginEmailError ? 'alert' : undefined}>
+						<svg xmlns="http://www.w3.org/2000/svg" class="h-4 w-4 shrink-0" viewBox="0 0 20 20" fill="currentColor">
+							<path fill-rule="evenodd" d="M18 10a8 8 0 11-16 0 8 8 0 0116 0zm-7 4a1 1 0 11-2 0 1 1 0 012 0zm-1-9a1 1 0 00-1 1v4a1 1 0 102 0V6a1 1 0 00-1-1z" clip-rule="evenodd" />
+						</svg>
+						<span class="text-sm font-medium">{loginEmailError ?? '\u00A0'}</span>
+					</div>
+				</div>
+
+				<div class="form-control">
+					<label class="label pb-1.5" for="login-password">
+							<span class="label-text text-base font-semibold text-base-content">Password</span>
+						</label>
+						<div class="relative">
+							<input
+								id="login-password"
+								name="password"
+								type={showLoginPassword ? 'text' : 'password'}
+								autocomplete="current-password"
+								placeholder="Enter your password"
+								required
+								aria-required="true"
+								aria-describedby={loginPasswordError ? 'login-password-error' : undefined}
+								aria-invalid={loginPasswordError ? 'true' : undefined}
+								bind:value={loginPassword}
+								onblur={() => (loginPasswordTouched = true)}
+								class="input input-bordered h-12 w-full px-4 pr-12 text-base {loginPasswordError ? 'input-error' : ''} {loginPasswordValid ? 'input-success' : ''}"
+							/>
+							<button
+								type="button"
+								class="absolute right-3 top-1/2 -translate-y-1/2 p-1 text-base-content/50 transition-colors hover:text-base-content"
+								onclick={() => (showLoginPassword = !showLoginPassword)}
+								aria-label={showLoginPassword ? 'Hide password' : 'Show password'}
+							>
+								{#if showLoginPassword}
+									<svg xmlns="http://www.w3.org/2000/svg" class="h-5 w-5" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+										<path d="M17.94 17.94A10.07 10.07 0 0112 20c-7 0-11-8-11-8a18.45 18.45 0 015.06-5.94M9.9 4.24A9.12 9.12 0 0112 4c7 0 11 8 11 8a18.5 18.5 0 01-2.16 3.19m-6.72-1.07a3 3 0 11-4.24-4.24" />
+										<line x1="1" y1="1" x2="23" y2="23" />
+									</svg>
+								{:else}
+									<svg xmlns="http://www.w3.org/2000/svg" class="h-5 w-5" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+										<path d="M1 12s4-8 11-8 11 8 11 8-4 8-11 8-11-8-11-8z" />
+										<circle cx="12" cy="12" r="3" />
+									</svg>
+								{/if}
+							</button>
+						</div>
+					<div id="login-password-error" class="mt-1.5 flex items-center gap-1.5 text-error" class:invisible={!loginPasswordError} role={loginPasswordError ? 'alert' : undefined}>
+						<svg xmlns="http://www.w3.org/2000/svg" class="h-4 w-4 shrink-0" viewBox="0 0 20 20" fill="currentColor">
+							<path fill-rule="evenodd" d="M18 10a8 8 0 11-16 0 8 8 0 0116 0zm-7 4a1 1 0 11-2 0 1 1 0 012 0zm-1-9a1 1 0 00-1 1v4a1 1 0 102 0V6a1 1 0 00-1-1z" clip-rule="evenodd" />
+						</svg>
+						<span class="text-sm font-medium">{loginPasswordError ?? '\u00A0'}</span>
+					</div>
+				</div>
+
+				<div class="flex justify-end">
+						<button
+							type="button"
+							class="link link-hover text-base-content/70 text-sm font-medium min-h-[44px] flex items-center"
+							onclick={() => switchView('forgotPassword')}
+						>
+							Forgot password?
+						</button>
+					</div>
+
+					<div class="form-control pt-1">
+						<button type="submit" class="btn btn-primary h-12 w-full rounded-lg text-base font-semibold shadow-md">
+							Sign In
+						</button>
+					</div>
+				</form>
+
+				<p class="mt-2 text-center text-base text-base-content/70">
+					New user?
+					<button
+						class="link link-primary font-semibold min-h-[44px] inline-flex items-center"
+						onclick={() => switchView('signup')}
+					>
+						Create an account here
+					</button>
+				</p>
+
+			{:else if view === 'signup'}
+				<h1 class="text-base-content text-center text-3xl font-bold tracking-tight">
+					Create Account
+				</h1>
+
+				{#if signupError}
+					<div class="alert alert-error" role="alert">
+						<svg xmlns="http://www.w3.org/2000/svg" class="h-6 w-6 shrink-0 stroke-current" fill="none" viewBox="0 0 24 24">
+							<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M10 14l2-2m0 0l2-2m-2 2l-2-2m2 2l2 2m7-2a9 9 0 11-18 0 9 9 0 0118 0z" />
+						</svg>
+						<div class="flex-1">
+							<span class="text-base font-medium">{signupError}</span>
+							<div class="mt-2">
+								<button
+									class="btn btn-sm btn-outline"
+									onclick={() => { if (debugPanel) debugPanel.openPanel(); }}
+								>
+									View Debug Info
+								</button>
+							</div>
+						</div>
+						<button class="btn btn-sm btn-ghost" onclick={clearErrors} aria-label="Dismiss error">✕</button>
+					</div>
+				{/if}
+
+				{#if signupSuccess}
+					<div class="alert alert-success" role="alert">
+						<svg xmlns="http://www.w3.org/2000/svg" class="h-6 w-6 shrink-0 stroke-current" fill="none" viewBox="0 0 24 24">
+							<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M9 12l2 2 4-4m6 2a9 9 0 11-18 0 9 9 0 0118 0z" />
+						</svg>
+						<span class="text-base">{signupSuccess}</span>
+						<button class="btn btn-sm btn-ghost" onclick={clearErrors} aria-label="Dismiss message">✕</button>
+					</div>
+				{/if}
+
+				<form
+					method="POST"
+					action="?/signup"
+					class="space-y-5"
+					use:enhance={() => {
+						return async ({ result }) => {
+							if (result.type === 'failure' && result.data) {
+								const data = result.data as {
+									error?: string;
+									errorCode?: string;
+									errorName?: string;
+									isIOS?: boolean;
+								};
+								signupError = data.error || 'Signup failed. Please try again.';
+								if (debugPanel) {
+									debugPanel.addDebugLog('error', 'Signup form error', data);
+								}
+							} else if (result.type === 'success' && result.data) {
+								const data = result.data as { requiresConfirmation?: boolean; message?: string };
+								if (data.requiresConfirmation) {
+									signupSuccess =
+										data.message || 'Please check your email to confirm your account.';
+									signupError = null;
+								} else {
+									await applyAction(result);
+								}
+							} else {
+								await applyAction(result);
+							}
+						};
+					}}
+				>
+					<div class="form-control">
+						<label class="label pb-1.5" for="signup-email">
+							<span class="label-text text-base font-semibold text-base-content">Email address</span>
+						</label>
+						<div class="relative">
+							<input
+								id="signup-email"
+								name="email"
+								type="email"
+								autocomplete="email"
+								placeholder="you@example.com"
+								required
+								aria-required="true"
+								aria-describedby={signupEmailError ? 'signup-email-error' : undefined}
+								aria-invalid={signupEmailError ? 'true' : undefined}
+								bind:value={signupEmail}
+								onblur={() => (signupEmailTouched = true)}
+								class="input input-bordered h-12 w-full px-4 text-base {signupEmailError ? 'input-error' : ''} {signupEmailValid ? 'input-success' : ''}"
+							/>
+							{#if signupEmailValid}
+								<span class="pointer-events-none absolute right-3 top-1/2 -translate-y-1/2 text-success" aria-hidden="true">
+									<svg xmlns="http://www.w3.org/2000/svg" class="h-5 w-5" viewBox="0 0 20 20" fill="currentColor">
+										<path fill-rule="evenodd" d="M16.707 5.293a1 1 0 010 1.414l-8 8a1 1 0 01-1.414 0l-4-4a1 1 0 011.414-1.414L8 12.586l7.293-7.293a1 1 0 011.414 0z" clip-rule="evenodd" />
+									</svg>
+								</span>
+							{/if}
+						</div>
+					<div id="signup-email-error" class="mt-1.5 flex items-center gap-1.5 text-error" class:invisible={!signupEmailError} role={signupEmailError ? 'alert' : undefined}>
+						<svg xmlns="http://www.w3.org/2000/svg" class="h-4 w-4 shrink-0" viewBox="0 0 20 20" fill="currentColor">
+							<path fill-rule="evenodd" d="M18 10a8 8 0 11-16 0 8 8 0 0116 0zm-7 4a1 1 0 11-2 0 1 1 0 012 0zm-1-9a1 1 0 00-1 1v4a1 1 0 102 0V6a1 1 0 00-1-1z" clip-rule="evenodd" />
+						</svg>
+						<span class="text-sm font-medium">{signupEmailError ?? '\u00A0'}</span>
+					</div>
+				</div>
+
+				<div class="form-control">
+					<label class="label pb-1.5" for="signup-password">
+							<span class="label-text text-base font-semibold text-base-content">Password</span>
+						</label>
+						<div class="relative">
+							<input
+								id="signup-password"
+								name="password"
+								type={showSignupPassword ? 'text' : 'password'}
+								autocomplete="new-password"
+								placeholder="Create a password (min. 6 characters)"
+								required
+								aria-required="true"
+								aria-describedby={signupPasswordError ? 'signup-password-error' : undefined}
+								aria-invalid={signupPasswordError ? 'true' : undefined}
+								bind:value={signupPassword}
+								onblur={() => (signupPasswordTouched = true)}
+								class="input input-bordered h-12 w-full px-4 pr-12 text-base {signupPasswordError ? 'input-error' : ''} {signupPasswordValid ? 'input-success' : ''}"
+							/>
+							<button
+								type="button"
+								class="absolute right-3 top-1/2 -translate-y-1/2 p-1 text-base-content/50 transition-colors hover:text-base-content"
+								onclick={() => (showSignupPassword = !showSignupPassword)}
+								aria-label={showSignupPassword ? 'Hide password' : 'Show password'}
+							>
+								{#if showSignupPassword}
+									<svg xmlns="http://www.w3.org/2000/svg" class="h-5 w-5" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+										<path d="M17.94 17.94A10.07 10.07 0 0112 20c-7 0-11-8-11-8a18.45 18.45 0 015.06-5.94M9.9 4.24A9.12 9.12 0 0112 4c7 0 11 8 11 8a18.5 18.5 0 01-2.16 3.19m-6.72-1.07a3 3 0 11-4.24-4.24" />
+										<line x1="1" y1="1" x2="23" y2="23" />
+									</svg>
+								{:else}
+									<svg xmlns="http://www.w3.org/2000/svg" class="h-5 w-5" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+										<path d="M1 12s4-8 11-8 11 8 11 8-4 8-11 8-11-8-11-8z" />
+										<circle cx="12" cy="12" r="3" />
+									</svg>
+								{/if}
+							</button>
+						</div>
+					<div id="signup-password-error" class="mt-1.5 flex items-center gap-1.5 text-error" class:invisible={!signupPasswordError} role={signupPasswordError ? 'alert' : undefined}>
+						<svg xmlns="http://www.w3.org/2000/svg" class="h-4 w-4 shrink-0" viewBox="0 0 20 20" fill="currentColor">
+							<path fill-rule="evenodd" d="M18 10a8 8 0 11-16 0 8 8 0 0116 0zm-7 4a1 1 0 11-2 0 1 1 0 012 0zm-1-9a1 1 0 00-1 1v4a1 1 0 102 0V6a1 1 0 00-1-1z" clip-rule="evenodd" />
+						</svg>
+						<span class="text-sm font-medium">{signupPasswordError ?? '\u00A0'}</span>
+					</div>
+				</div>
+
+				<div class="form-control pt-1">
+					<button type="submit" class="btn btn-primary h-12 w-full rounded-lg text-base font-semibold shadow-md">
+						Create Account
+						</button>
+					</div>
+				</form>
+
+				<p class="mt-2 text-center text-base text-base-content/70">
+					Already have an account?
+					<button
+						class="link link-primary font-semibold min-h-[44px] inline-flex items-center"
+						onclick={() => switchView('login')}
+					>
+						Sign in
+					</button>
+				</p>
+
+			{:else if view === 'forgotPassword'}
+				<h1 class="text-base-content text-center text-3xl font-bold tracking-tight">
+					Reset Password
+				</h1>
+
+				{#if forgotPasswordSuccess}
+					<div class="alert alert-success" role="alert">
+						<svg xmlns="http://www.w3.org/2000/svg" class="h-6 w-6 shrink-0 stroke-current" fill="none" viewBox="0 0 24 24">
+							<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M9 12l2 2 4-4m6 2a9 9 0 11-18 0 9 9 0 0118 0z" />
+						</svg>
+						<span class="text-base">{forgotPasswordSuccess}</span>
+					</div>
+				{/if}
+
+				{#if forgotPasswordError}
+					<div class="alert alert-error" role="alert">
+						<svg xmlns="http://www.w3.org/2000/svg" class="h-6 w-6 shrink-0 stroke-current" fill="none" viewBox="0 0 24 24">
+							<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M10 14l2-2m0 0l2-2m-2 2l-2-2m2 2l2 2m7-2a9 9 0 11-18 0 9 9 0 0118 0z" />
+						</svg>
+						<span class="text-base">{forgotPasswordError}</span>
+					</div>
+				{/if}
+
+				<form
+					method="POST"
+					action="?/forgotPassword"
+					class="space-y-5"
+					use:enhance={() => {
+						return async ({ result }) => {
+							if (result.type === 'failure' && result.data) {
+								const data = result.data as { error?: string };
+								forgotPasswordError =
+									data.error || 'Failed to send reset email. Please try again.';
+							} else if (result.type === 'success' && result.data) {
+								const data = result.data as { message?: string };
+								forgotPasswordSuccess =
+									data.message ||
+									"If an account exists with that email, you'll receive a reset link.";
+								forgotPasswordError = null;
+							}
+						};
+					}}
+				>
+					<p class="text-base-content/70 text-base">
+						Enter your email address and we'll send you a link to reset your password.
+					</p>
+
+					<div class="form-control">
+						<label class="label pb-1.5" for="forgot-email">
+							<span class="label-text text-base font-semibold text-base-content">Email address</span>
+						</label>
+						<input
+							id="forgot-email"
+							name="email"
+							type="email"
+							autocomplete="email"
+							placeholder="you@example.com"
+							required
+							aria-required="true"
+							class="input input-bordered h-12 w-full px-4 text-base"
+						/>
+					</div>
+
+					<div class="form-control pt-1">
+						<button type="submit" class="btn btn-primary h-12 w-full rounded-lg text-base font-semibold shadow-md">
+							Send Reset Link
+						</button>
+					</div>
+				</form>
+
+				<p class="mt-2 text-center text-base text-base-content/70">
+					<button
+						class="link link-primary font-semibold min-h-[44px] inline-flex items-center"
+						onclick={() => switchView('login')}
+					>
+						Back to Sign In
+					</button>
+				</p>
+			{/if}
+		</div>
+	</div>
+</div>
+
+<DebugPanel bind:this={debugPanel} hasError={hasAuthError} />
diff --git a/src/routes/auth/confirm/+server.ts b/src/routes/auth/confirm/+server.ts
index f667cd0..a9b4e44 100644
--- a/src/routes/auth/confirm/+server.ts
+++ b/src/routes/auth/confirm/+server.ts
@@ -6,13 +6,8 @@ import type { RequestHandler } from './$types';
 export const GET: RequestHandler = async ({ url, locals }) => {
 	const token_hash = url.searchParams.get('token_hash');
 	const type = url.searchParams.get('type') as EmailOtpType | null;
-	const next = url.searchParams.get('next') ?? '/dashboard'; // Changed default from '/' to '/dashboard'
+	const next = url.searchParams.get('next') ?? '/dashboard';
 
-	/**
-	 * Clean up the redirect URL by deleting the Auth flow parameters.
-	 *
-	 * `next` is preserved for now, because it's needed in the error case.
-	 */
 	const redirectTo = new URL(url);
 	redirectTo.pathname = next;
 	redirectTo.searchParams.delete('token_hash');
diff --git a/src/routes/auth/error/+page.svelte b/src/routes/auth/error/+page.svelte
index ac18f69..47fecf8 100644
--- a/src/routes/auth/error/+page.svelte
+++ b/src/routes/auth/error/+page.svelte
@@ -9,13 +9,11 @@
 	let hasError = $state(false);
 
 	$effect(() => {
-		// Get error from URL parameters
 		const urlParams = new URLSearchParams($page.url.search);
 		errorMessage = urlParams.get('error') || urlParams.get('message') || null;
 		errorCode = urlParams.get('code') || null;
 		hasError = errorMessage !== null;
 
-		// If we have error details, log them to debug panel
 		if (errorMessage && debugPanel) {
 			debugPanel.addDebugLog('error', 'Authentication error page', {
 				message: errorMessage,
@@ -26,43 +24,31 @@
 	});
 </script>
 
-<div class="bg-base-200 flex min-h-screen items-center justify-center p-4">
+<div class="flex grow items-center justify-center p-4">
 	<div class="card bg-base-100 w-full max-w-md shadow-xl">
-		<div class="card-body">
-			<div class="card-title text-error mb-2 justify-center text-2xl">Authentication Error</div>
+		<div class="card-body gap-6 p-8 sm:p-10">
+			<h1 class="text-error text-center text-3xl font-bold tracking-tight">
+				Authentication Error
+			</h1>
 
-			<div class="alert alert-error mb-4">
-				<svg
-					xmlns="http://www.w3.org/2000/svg"
-					class="h-6 w-6 shrink-0 stroke-current"
-					fill="none"
-					viewBox="0 0 24 24"
-				>
-					<path
-						stroke-linecap="round"
-						stroke-linejoin="round"
-						stroke-width="2"
-						d="M10 14l2-2m0 0l2-2m-2 2l-2-2m2 2l2 2m7-2a9 9 0 11-18 0 9 9 0 0118 0z"
-					/>
+			<div class="alert alert-error" role="alert">
+				<svg xmlns="http://www.w3.org/2000/svg" class="h-6 w-6 shrink-0 stroke-current" fill="none" viewBox="0 0 24 24">
+					<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M10 14l2-2m0 0l2-2m-2 2l-2-2m2 2l2 2m7-2a9 9 0 11-18 0 9 9 0 0118 0z" />
 				</svg>
 				<div class="flex-1">
-					<span class="font-semibold">
+					<span class="text-base font-semibold">
 						{errorMessage ? 'Error Details' : 'We couldn\'t sign you in. Please try again.'}
 					</span>
 					{#if errorMessage}
-						<p class="text-sm mt-1">{errorMessage}</p>
+						<p class="mt-1 text-base">{errorMessage}</p>
 					{/if}
 					{#if errorCode}
-						<p class="text-xs mt-1 opacity-75">Error Code: {errorCode}</p>
+						<p class="mt-1 text-sm opacity-75">Error Code: {errorCode}</p>
 					{/if}
-					<div class="mt-2">
+					<div class="mt-3">
 						<button
 							class="btn btn-sm btn-outline"
-							onclick={() => {
-								if (debugPanel) {
-									debugPanel.openPanel();
-								}
-							}}
+							onclick={() => { if (debugPanel) debugPanel.openPanel(); }}
 						>
 							View Debug Info
 						</button>
@@ -71,11 +57,11 @@
 			</div>
 
 			{#if !errorMessage}
-				<p class="mb-4 text-center">
+				<p class="text-base-content/80 text-center text-base">
 					There was a problem with your sign-in attempt. This could be due to:
 				</p>
 
-				<ul class="mb-6 list-inside list-disc">
+				<ul class="text-base-content/80 list-inside list-disc space-y-1 text-base">
 					<li>Incorrect email or password</li>
 					<li>Your account may not exist</li>
 					<li>A temporary connection issue</li>
@@ -83,13 +69,16 @@
 				</ul>
 			{/if}
 
-			<div class="card-actions justify-center">
-				<a href={resolve('/auth')} class="btn btn-primary">Back to Login</a>
-				<a href={resolve('/')} class="btn btn-ghost">Home</a>
+			<div class="flex flex-col gap-3 sm:flex-row sm:justify-center">
+				<a href={resolve('/auth')} class="btn btn-primary h-12 rounded-lg px-8 text-base font-semibold shadow-md">
+					Back to Sign In
+				</a>
+				<a href={resolve('/')} class="btn btn-ghost h-12 rounded-lg px-8 text-base font-semibold">
+					Home
+				</a>
 			</div>
 		</div>
 	</div>
 </div>
 
-<!-- Debug Panel - shows button on iOS, when errors occur, or when enabled -->
 <DebugPanel bind:this={debugPanel} hasError={hasError} />
diff --git a/src/routes/auth/logout/+server.ts b/src/routes/auth/logout/+server.ts
index bf98afa..13b2e7d 100644
--- a/src/routes/auth/logout/+server.ts
+++ b/src/routes/auth/logout/+server.ts
@@ -2,12 +2,10 @@ import { redirect } from '@sveltejs/kit';
 import type { RequestHandler } from './$types';
 
 export const POST: RequestHandler = async ({ locals, cookies }) => {
-	// Sign out from Supabase
 	if (locals.supabase) {
 		await locals.supabase.auth.signOut();
 	}
 
-	// Clear all auth-related cookies manually as an extra safety measure
 	const authCookieNames = [
 		'sb-access-token',
 		'sb-refresh-token',
@@ -15,21 +13,17 @@ export const POST: RequestHandler = async ({ locals, cookies }) => {
 		'supabase.auth.token'
 	];
 
-	// Get all cookies and clear any that might be auth-related
 	const allCookies = cookies.getAll();
 	allCookies.forEach((cookie) => {
-		// Clear any Supabase auth cookies
 		if (cookie.name.includes('supabase') || cookie.name.includes('sb-')) {
 			cookies.delete(cookie.name, { path: '/' });
 		}
 	});
 
-	// Also clear the known auth cookie names with different path configurations
 	authCookieNames.forEach((name) => {
 		cookies.delete(name, { path: '/' });
 		cookies.delete(name, { path: '/', domain: undefined });
 	});
 
-	// Redirect to auth page
 	throw redirect(303, '/auth');
 };
diff --git a/src/routes/auth/reset-password/+page.server.ts b/src/routes/auth/reset-password/+page.server.ts
new file mode 100644
index 0000000..43d5877
--- /dev/null
+++ b/src/routes/auth/reset-password/+page.server.ts
@@ -0,0 +1,9 @@
+import type { PageServerLoad } from './$types';
+
+export const load: PageServerLoad = async ({ locals: { safeGetSession } }) => {
+	const { session } = await safeGetSession();
+
+	return {
+		session
+	};
+};
diff --git a/src/routes/auth/reset-password/+page.svelte b/src/routes/auth/reset-password/+page.svelte
new file mode 100644
index 0000000..8431b4d
--- /dev/null
+++ b/src/routes/auth/reset-password/+page.svelte
@@ -0,0 +1,212 @@
+<script lang="ts">
+	import { goto } from '$app/navigation';
+	import { resolve } from '$app/paths';
+
+	let { data } = $props();
+	let { supabase, session } = $derived(data);
+
+	let newPassword = $state('');
+	let confirmPassword = $state('');
+	let error = $state<string | null>(null);
+	let isSubmitting = $state(false);
+
+	let showNewPassword = $state(false);
+	let showConfirmPassword = $state(false);
+
+	let newPasswordTouched = $state(false);
+	let confirmPasswordTouched = $state(false);
+
+	const MIN_PASSWORD_LENGTH = 6;
+
+	let newPasswordError = $derived(
+		newPasswordTouched && newPassword.length > 0 && newPassword.length < MIN_PASSWORD_LENGTH
+			? `Password must be at least ${MIN_PASSWORD_LENGTH} characters.`
+			: null
+	);
+	let newPasswordValid = $derived(
+		newPasswordTouched && newPassword.length >= MIN_PASSWORD_LENGTH
+	);
+
+	let confirmPasswordError = $derived(
+		confirmPasswordTouched && confirmPassword.length > 0 && confirmPassword !== newPassword
+			? 'Passwords do not match.'
+			: null
+	);
+	let confirmPasswordValid = $derived(
+		confirmPasswordTouched && confirmPassword.length > 0 && confirmPassword === newPassword && newPassword.length >= MIN_PASSWORD_LENGTH
+	);
+
+	const handleResetPassword = async (evt: Event) => {
+		evt.preventDefault();
+		error = null;
+
+		if (newPassword.length < MIN_PASSWORD_LENGTH) {
+			error = `Password must be at least ${MIN_PASSWORD_LENGTH} characters.`;
+			return;
+		}
+
+		if (newPassword !== confirmPassword) {
+			error = 'Passwords do not match.';
+			return;
+		}
+
+		isSubmitting = true;
+		try {
+			const { error: updateError } = await supabase.auth.updateUser({
+				password: newPassword
+			});
+
+			if (updateError) {
+				error = updateError.message;
+				return;
+			}
+
+			goto(resolve('/dashboard'));
+		} catch {
+			error = 'An unexpected error occurred. Please try again.';
+		} finally {
+			isSubmitting = false;
+		}
+	};
+</script>
+
+<div class="flex grow items-center justify-center p-4">
+	<div class="card bg-base-100 w-full max-w-md shadow-xl">
+		<div class="card-body gap-6 p-8 sm:p-10">
+			{#if !session}
+				<h1 class="text-base-content text-center text-3xl font-bold tracking-tight">
+					Link Expired
+				</h1>
+				<p class="text-base-content/70 text-center text-base">
+					This password reset link has expired or is invalid. Please request a new one.
+				</p>
+				<a href={resolve('/auth')} class="btn btn-primary h-12 w-full rounded-lg text-base font-semibold shadow-md">
+					Back to Sign In
+				</a>
+			{:else}
+				<h1 class="text-base-content text-center text-3xl font-bold tracking-tight">
+					Set New Password
+				</h1>
+				<p class="text-base-content/70 text-center text-base">
+					Enter your new password below.
+				</p>
+
+				{#if error}
+					<div class="alert alert-error" role="alert">
+						<svg xmlns="http://www.w3.org/2000/svg" class="h-6 w-6 shrink-0 stroke-current" fill="none" viewBox="0 0 24 24">
+							<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M10 14l2-2m0 0l2-2m-2 2l-2-2m2 2l2 2m7-2a9 9 0 11-18 0 9 9 0 0118 0z" />
+						</svg>
+						<span class="text-base">{error}</span>
+					</div>
+				{/if}
+
+				<form onsubmit={handleResetPassword} class="space-y-5">
+					<div class="form-control">
+						<label class="label pb-1.5" for="new-password">
+							<span class="label-text text-base font-semibold text-base-content">New password</span>
+						</label>
+						<div class="relative">
+							<input
+								id="new-password"
+								type={showNewPassword ? 'text' : 'password'}
+								autocomplete="new-password"
+								placeholder="Enter new password (min. 6 characters)"
+								bind:value={newPassword}
+								required
+								minlength={MIN_PASSWORD_LENGTH}
+								aria-describedby={newPasswordError ? 'new-password-error' : undefined}
+								aria-invalid={newPasswordError ? 'true' : undefined}
+								onblur={() => (newPasswordTouched = true)}
+								class="input input-bordered h-12 w-full px-4 pr-12 text-base {newPasswordError ? 'input-error' : ''} {newPasswordValid ? 'input-success' : ''}"
+							/>
+							<button
+								type="button"
+								class="absolute right-3 top-1/2 -translate-y-1/2 p-1 text-base-content/50 transition-colors hover:text-base-content"
+								onclick={() => (showNewPassword = !showNewPassword)}
+								aria-label={showNewPassword ? 'Hide password' : 'Show password'}
+							>
+								{#if showNewPassword}
+									<svg xmlns="http://www.w3.org/2000/svg" class="h-5 w-5" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+										<path d="M17.94 17.94A10.07 10.07 0 0112 20c-7 0-11-8-11-8a18.45 18.45 0 015.06-5.94M9.9 4.24A9.12 9.12 0 0112 4c7 0 11 8 11 8a18.5 18.5 0 01-2.16 3.19m-6.72-1.07a3 3 0 11-4.24-4.24" />
+										<line x1="1" y1="1" x2="23" y2="23" />
+									</svg>
+								{:else}
+									<svg xmlns="http://www.w3.org/2000/svg" class="h-5 w-5" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+										<path d="M1 12s4-8 11-8 11 8 11 8-4 8-11 8-11-8-11-8z" />
+										<circle cx="12" cy="12" r="3" />
+									</svg>
+								{/if}
+							</button>
+						</div>
+					<div id="new-password-error" class="mt-1.5 flex items-center gap-1.5 text-error" class:invisible={!newPasswordError} role={newPasswordError ? 'alert' : undefined}>
+						<svg xmlns="http://www.w3.org/2000/svg" class="h-4 w-4 shrink-0" viewBox="0 0 20 20" fill="currentColor">
+							<path fill-rule="evenodd" d="M18 10a8 8 0 11-16 0 8 8 0 0116 0zm-7 4a1 1 0 11-2 0 1 1 0 012 0zm-1-9a1 1 0 00-1 1v4a1 1 0 102 0V6a1 1 0 00-1-1z" clip-rule="evenodd" />
+						</svg>
+						<span class="text-sm font-medium">{newPasswordError ?? '\u00A0'}</span>
+					</div>
+				</div>
+
+				<div class="form-control">
+					<label class="label pb-1.5" for="confirm-password">
+							<span class="label-text text-base font-semibold text-base-content">Confirm new password</span>
+						</label>
+						<div class="relative">
+							<input
+								id="confirm-password"
+								type={showConfirmPassword ? 'text' : 'password'}
+								autocomplete="new-password"
+								placeholder="Re-enter your new password"
+								bind:value={confirmPassword}
+								required
+								minlength={MIN_PASSWORD_LENGTH}
+								aria-describedby={confirmPasswordError ? 'confirm-password-error' : undefined}
+								aria-invalid={confirmPasswordError ? 'true' : undefined}
+								onblur={() => (confirmPasswordTouched = true)}
+								class="input input-bordered h-12 w-full px-4 pr-12 text-base {confirmPasswordError ? 'input-error' : ''} {confirmPasswordValid ? 'input-success' : ''}"
+							/>
+							<button
+								type="button"
+								class="absolute right-3 top-1/2 -translate-y-1/2 p-1 text-base-content/50 transition-colors hover:text-base-content"
+								onclick={() => (showConfirmPassword = !showConfirmPassword)}
+								aria-label={showConfirmPassword ? 'Hide password' : 'Show password'}
+							>
+								{#if showConfirmPassword}
+									<svg xmlns="http://www.w3.org/2000/svg" class="h-5 w-5" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+										<path d="M17.94 17.94A10.07 10.07 0 0112 20c-7 0-11-8-11-8a18.45 18.45 0 015.06-5.94M9.9 4.24A9.12 9.12 0 0112 4c7 0 11 8 11 8a18.5 18.5 0 01-2.16 3.19m-6.72-1.07a3 3 0 11-4.24-4.24" />
+										<line x1="1" y1="1" x2="23" y2="23" />
+									</svg>
+								{:else}
+									<svg xmlns="http://www.w3.org/2000/svg" class="h-5 w-5" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+										<path d="M1 12s4-8 11-8 11 8 11 8-4 8-11 8-11-8-11-8z" />
+										<circle cx="12" cy="12" r="3" />
+									</svg>
+								{/if}
+							</button>
+						</div>
+					<div id="confirm-password-error" class="mt-1.5 flex items-center gap-1.5 text-error" class:invisible={!confirmPasswordError} role={confirmPasswordError ? 'alert' : undefined}>
+						<svg xmlns="http://www.w3.org/2000/svg" class="h-4 w-4 shrink-0" viewBox="0 0 20 20" fill="currentColor">
+							<path fill-rule="evenodd" d="M18 10a8 8 0 11-16 0 8 8 0 0116 0zm-7 4a1 1 0 11-2 0 1 1 0 012 0zm-1-9a1 1 0 00-1 1v4a1 1 0 102 0V6a1 1 0 00-1-1z" clip-rule="evenodd" />
+						</svg>
+						<span class="text-sm font-medium">{confirmPasswordError ?? '\u00A0'}</span>
+					</div>
+				</div>
+
+				<div class="form-control pt-1">
+						<button
+							type="submit"
+							class="btn btn-primary h-12 w-full rounded-lg text-base font-semibold shadow-md"
+							disabled={isSubmitting}
+						>
+							{#if isSubmitting}
+								<span class="loading loading-spinner loading-sm"></span>
+								Updating...
+							{:else}
+								Update Password
+							{/if}
+						</button>
+					</div>
+				</form>
+			{/if}
+		</div>
+	</div>
+</div>
diff --git a/src/routes/dashboard/+layout.server.ts b/src/routes/dashboard/+layout.server.ts
index a3db729..a7fa62f 100644
--- a/src/routes/dashboard/+layout.server.ts
+++ b/src/routes/dashboard/+layout.server.ts
@@ -1,8 +1,4 @@
-/**
- * This file is necessary to ensure protection of all routes in the `private`
- * directory. It makes the routes in this directory _dynamic_ routes, which
- * send a server request, and thus trigger `hooks.server.ts`.
- **/
+// This file makes dashboard routes dynamic, ensuring hooks.server.ts auth guards run on every request.
 
 import { redirect } from '@sveltejs/kit';
 import type { LayoutServerLoad } from './$types';
diff --git a/src/routes/dashboard/+page.server.ts b/src/routes/dashboard/+page.server.ts
index c153d8a..dd7d766 100644
--- a/src/routes/dashboard/+page.server.ts
+++ b/src/routes/dashboard/+page.server.ts
@@ -1,7 +1,6 @@
 import type { PageServerLoad } from './$types';
 
 export const load: PageServerLoad = async ({ depends, locals: { safeGetSession } }) => {
-	// Set up dependencies for client-side data loading
 	depends('supabase:auth');
 
 	const { session } = await safeGetSession();
@@ -10,7 +9,6 @@ export const load: PageServerLoad = async ({ depends, locals: { safeGetSession }
 		throw new Error('User not authenticated');
 	}
 
-	// Only return essential auth data - let client load the rest
 	return {
 		session
 	};
diff --git a/src/routes/dashboard/+page.svelte b/src/routes/dashboard/+page.svelte
index 2f1534d..3fe1d67 100644
--- a/src/routes/dashboard/+page.svelte
+++ b/src/routes/dashboard/+page.svelte
@@ -1,317 +1,321 @@
-<script lang="ts">
-	import DeleteFriendModal from '$lib/friends/components/DeleteModal.svelte';
-	import FriendRequestsSection from '$lib/friends/components/Requests.svelte';
-	import FriendRequestsSectionSkeleton from '$lib/friends/components/RequestsSkeleton.svelte';
-	import FriendsList from '$lib/friends/components/List.svelte';
-	import LoadingSkeletons from '$lib/friends/components/ListSkeleton.svelte';
-	import StatusSection from '$lib/status/components/Section.svelte';
-	import StatusSectionSkeleton from '$lib/status/components/Skeleton.svelte';
-	import { DashboardDataLoader, type DashboardData } from '$lib/dashboard/loader';
-	import { getDisplayName, handleDatabaseError, NotificationManager } from '$lib/ui/notifications';
-	import { validateStatus } from '$lib/status/validation';
-	import { verifyFriendshipExists } from '$lib/friends/api';
-	import { friendOrderStore } from '$lib/friends/order';
-	import { RealtimeSubscriptionManager } from '$lib/realtime/subscriptions';
-
-	let { data } = $props();
-	let { supabase, user } = $derived(data);
-
-	// Client-side loaded data
-	let dashboardData = $state<DashboardData | null>(null);
-	let isLoadingData = $state(true);
-	let isInitialLoad = $state(true);
-	let isReady = $derived(!(isInitialLoad && isLoadingData));
-	let hasLoadedData = false;
-
-	// Derived values from dashboard data
-	let currentStatus = $derived(dashboardData?.currentStatus || '');
-	let friendRequests = $derived(dashboardData?.friendRequests || []);
-	let sentFriendRequests = $derived(dashboardData?.sentFriendRequests || []);
-	let rawFriends = $derived(dashboardData?.friends || []);
-	let friends = $derived(friendOrderStore.getOrderedFriends(rawFriends));
-	let quickStatuses = $derived(dashboardData?.quickStatuses || []);
-
-	// Reactive state
-	let statusInputText = $state('');
-
-	// Loading states
-	let isUpdatingStatus = $state(false);
-	let deletingFriends = $state(new Set<string>());
-
-	// Modal state for friend deletion confirmation
-	let showDeleteModal = $state(false);
-	let friendToDelete = $state<{ id: string; name: string } | null>(null);
-
-	// Real-time subscription manager (non-reactive to avoid effect loops)
-	let subscriptionManager: RealtimeSubscriptionManager | null = null;
-	let refreshTimer: ReturnType<typeof setTimeout> | null = null;
-	// Track the user ID we've subscribed for (non-reactive to avoid effect loops)
-	let subscribedUserId: string | null = null;
-
-	// Load dashboard data on client side - only run once when user/supabase become available
-	$effect(() => {
-		if (user && supabase && !hasLoadedData) {
-			loadDashboardData();
-			hasLoadedData = true;
-		}
-	});
-
-	// Set up real-time subscriptions separately - only when user changes
-	$effect(() => {
-		const userId = user?.id;
-
-		// If user/supabase unavailable, cleanup and exit
-		if (!userId || !supabase) {
-			if (subscribedUserId) {
-				cleanupRealtimeSubscriptions();
-				subscribedUserId = null;
-			}
-			return;
-		}
-
-		// If already subscribed for this user, just ensure cleanup on unmount
-		if (subscribedUserId === userId) {
-			return () => {
-				// Cleanup on unmount
-				if (subscribedUserId === userId) {
-					cleanupRealtimeSubscriptions();
-					subscribedUserId = null;
-				}
-			};
-		}
-
-		// Clean up old subscriptions if user changed
-		if (subscribedUserId && subscribedUserId !== userId) {
-			cleanupRealtimeSubscriptions();
-		}
-
-		// Set up new subscriptions
-		setupRealtimeSubscriptions();
-		subscribedUserId = userId;
-
-		// Cleanup on unmount
-		return () => {
-			cleanupRealtimeSubscriptions();
-			subscribedUserId = null;
-		};
-	});
-
-	const loadDashboardData = async (showSkeletons = true) => {
-		if (!user || !supabase) return;
-
-		// Only show skeletons if this is the initial load or explicitly requested
-		if (showSkeletons) {
-			isLoadingData = true;
-		}
-
-		try {
-			const dataLoader = new DashboardDataLoader(supabase, user.id);
-			dashboardData = await dataLoader.loadAllData();
-			// Keep the profiles subscription scoped to the current friend list.
-			// Safe to call on every refresh — no-op when the list hasn't changed.
-			subscriptionManager?.updateFriendIds(dashboardData.friends.map((f) => f.id));
-		} catch (error) {
-			handleDatabaseError(error, 'load dashboard data');
-		} finally {
-			if (showSkeletons) {
-				isLoadingData = false;
-			}
-			// Mark that initial load is complete
-			isInitialLoad = false;
-		}
-	};
-
-	const refreshData = async () => {
-		await loadDashboardData(false); // Don't show skeletons on refresh
-	};
-
-	// Debounced refresh to avoid too many rapid refreshes from multiple events
-	const debouncedRefresh = () => {
-		if (refreshTimer) {
-			clearTimeout(refreshTimer);
-		}
-		refreshTimer = setTimeout(() => {
-			refreshData();
-		}, 300); // Wait 300ms for additional events to batch
-	};
-
-	// Set up real-time subscriptions
-	const setupRealtimeSubscriptions = () => {
-		if (!user || !supabase || subscriptionManager) return;
-
-		try {
-			const manager = new RealtimeSubscriptionManager(supabase, user.id);
-			manager.subscribe({
-				onFriendRequestChange: debouncedRefresh,
-				onFriendshipChange: debouncedRefresh,
-				onStatusChange: debouncedRefresh
-			});
-			subscriptionManager = manager;
-		} catch (error) {
-			console.error('Failed to set up real-time subscriptions:', error);
-			// Real-time subscriptions are optional - the app will still work without them
-		}
-	};
-
-	// Clean up real-time subscriptions
-	const cleanupRealtimeSubscriptions = () => {
-		if (refreshTimer) {
-			clearTimeout(refreshTimer);
-			refreshTimer = null;
-		}
-		if (subscriptionManager) {
-			subscriptionManager.unsubscribe();
-			subscriptionManager = null;
-		}
-	};
-
-	// Event handlers - defined as functions that can access current state
-	const handleStatusUpdate = async (evt: SubmitEvent) => {
-		evt.preventDefault();
-		if (!user || !supabase) return;
-
-		const validationError = validateStatus(statusInputText);
-		if (validationError) {
-			NotificationManager.showError(validationError);
-			return;
-		}
-
-		isUpdatingStatus = true;
-		try {
-			const { error } = await supabase.from('profiles').upsert(
-				{
-					id: user.id,
-					status: statusInputText
-				},
-				{ onConflict: 'id' }
-			);
-
-			if (error) {
-				handleDatabaseError(error, 'update status');
-				return;
-			}
-
-			await refreshData();
-			statusInputText = '';
-			NotificationManager.showSuccess('Status updated successfully');
-		} catch (error) {
-			handleDatabaseError(error, 'update status');
-		} finally {
-			isUpdatingStatus = false;
-		}
-	};
-
-	const handleDeleteFriend = (friendId: string) => {
-		// Find the friend to get their display name
-		const friend = friends.find((f) => f.id === friendId);
-		if (!friend) return;
-
-		// Set the friend to delete and show modal
-		friendToDelete = {
-			id: friendId,
-			name: getDisplayName(friend.display_name, friend.username)
-		};
-		showDeleteModal = true;
-	};
-
-	const handleReorderFriends = (reorderedFriends: typeof friends) => {
-		// Update the friend order in the store
-		friendOrderStore.updateOrder(reorderedFriends);
-	};
-
-	const confirmDeleteFriend = async () => {
-		if (!friendToDelete || !user || !supabase) return;
-
-		const friendId = friendToDelete.id;
-
-		// Add to deleting set to show loading state
-		deletingFriends = new Set([...deletingFriends, friendId]);
-
-		try {
-			// First, verify the friendship exists before attempting deletion
-			const friendshipExists = await verifyFriendshipExists(supabase, user.id, friendId);
-			if (!friendshipExists) {
-				NotificationManager.showError(
-					'No friendship found to remove. The friendship may have already been removed.'
-				);
-				return;
-			}
-
-			// Delete the single friendship record (works regardless of which direction it's stored)
-			const { error } = await supabase
-				.from('friends')
-				.delete()
-				.or(
-					`and(user_id.eq.${user.id},friend_id.eq.${friendId}),and(user_id.eq.${friendId},friend_id.eq.${user.id})`
-				);
-
-			if (error) {
-				handleDatabaseError(error, 'remove friend');
-				return;
-			}
-
-			// Remove friend from order store
-			friendOrderStore.removeFriend(friendId);
-
-			await refreshData();
-			NotificationManager.showSuccess('Friend removed successfully');
-		} catch (error) {
-			handleDatabaseError(error, 'remove friend');
-		} finally {
-			deletingFriends = new Set([...deletingFriends].filter((id) => id !== friendId));
-			// Close modal
-			showDeleteModal = false;
-			friendToDelete = null;
-		}
-	};
-
-	const cancelDeleteFriend = () => {
-		showDeleteModal = false;
-		friendToDelete = null;
-	};
-</script>
-
-<div class="p-4">
-	{#if !isReady}
-		<LoadingSkeletons />
-		<div class="grid grid-cols-1 gap-4 md:grid-cols-2">
-			<StatusSectionSkeleton />
-			<FriendRequestsSectionSkeleton />
-		</div>
-	{:else}
-		<div class="mb-4">
-			<FriendsList
-				{friends}
-				{deletingFriends}
-				onDeleteFriend={handleDeleteFriend}
-				onReorderFriends={handleReorderFriends}
-			/>
-		</div>
-
-		<div class="grid grid-cols-1 gap-4 md:grid-cols-2">
-			<StatusSection
-				{currentStatus}
-				{isUpdatingStatus}
-				{quickStatuses}
-				onStatusUpdate={handleStatusUpdate}
-				bind:statusInputText
-			/>
-			<FriendRequestsSection
-				{friendRequests}
-				{sentFriendRequests}
-				{supabase}
-				{user}
-				onDataRefresh={refreshData}
-			/>
-		</div>
-	{/if}
-</div>
-
-<!-- Friend Deletion Confirmation Modal -->
-<DeleteFriendModal
-	{showDeleteModal}
-	{friendToDelete}
-	{deletingFriends}
-	onConfirmDelete={confirmDeleteFriend}
-	onCancelDelete={cancelDeleteFriend}
-/>
+<script lang="ts">
+	import DeleteFriendModal from '$lib/friends/components/DeleteModal.svelte';
+	import FriendRequestsSection from '$lib/friends/components/Requests.svelte';
+	import FriendRequestsSectionSkeleton from '$lib/friends/components/RequestsSkeleton.svelte';
+	import FriendsList from '$lib/friends/components/List.svelte';
+	import LoadingSkeletons from '$lib/friends/components/ListSkeleton.svelte';
+	import StatusSection from '$lib/status/components/Section.svelte';
+	import StatusSectionSkeleton from '$lib/status/components/Skeleton.svelte';
+	import { DashboardDataLoader, type DashboardData } from '$lib/dashboard/loader';
+	import { getDisplayName, handleDatabaseError, NotificationManager } from '$lib/ui/notifications';
+	import { validateStatus } from '$lib/status/validation';
+	import { verifyFriendshipExists } from '$lib/friends/api';
+	import { friendOrderStore } from '$lib/friends/order';
+	import { RealtimeSubscriptionManager, type StatusChangePayload } from '$lib/realtime/subscriptions';
+
+	let { data } = $props();
+	let { supabase, user } = $derived(data);
+
+	let dashboardData = $state<DashboardData | null>(null);
+	let isLoadingData = $state(true);
+	let isInitialLoad = $state(true);
+	let isReady = $derived(!(isInitialLoad && isLoadingData));
+	let hasLoadedData = false;
+
+	let currentStatus = $derived(dashboardData?.currentStatus || '');
+	let friendRequests = $derived(dashboardData?.friendRequests || []);
+	let sentFriendRequests = $derived(dashboardData?.sentFriendRequests || []);
+	let rawFriends = $derived(dashboardData?.friends || []);
+	let friends = $derived(friendOrderStore.getOrderedFriends(rawFriends));
+	let quickStatuses = $derived(dashboardData?.quickStatuses || []);
+
+	let statusInputText = $state('');
+	let isUpdatingStatus = $state(false);
+	let deletingFriends = $state(new Set<string>());
+
+	let showDeleteModal = $state(false);
+	let friendToDelete = $state<{ id: string; name: string } | null>(null);
+
+	let subscriptionManager: RealtimeSubscriptionManager | null = null;
+	let requestRefreshTimer: ReturnType<typeof setTimeout> | null = null;
+	let fullRefreshTimer: ReturnType<typeof setTimeout> | null = null;
+	let subscribedUserId: string | null = null;
+
+	$effect(() => {
+		if (user && supabase && !hasLoadedData) {
+			loadDashboardData();
+			hasLoadedData = true;
+		}
+	});
+
+	$effect(() => {
+		const userId = user?.id;
+
+		if (!userId || !supabase) {
+			if (subscribedUserId) {
+				cleanupRealtimeSubscriptions();
+				subscribedUserId = null;
+			}
+			return;
+		}
+
+		if (subscribedUserId === userId) {
+			return () => {
+				if (subscribedUserId === userId) {
+					cleanupRealtimeSubscriptions();
+					subscribedUserId = null;
+				}
+			};
+		}
+
+		if (subscribedUserId && subscribedUserId !== userId) {
+			cleanupRealtimeSubscriptions();
+		}
+
+		setupRealtimeSubscriptions();
+		subscribedUserId = userId;
+
+		return () => {
+			cleanupRealtimeSubscriptions();
+			subscribedUserId = null;
+		};
+	});
+
+	const loadDashboardData = async (showSkeletons = true) => {
+		if (!user || !supabase) return;
+
+		if (showSkeletons) {
+			isLoadingData = true;
+		}
+
+		try {
+			const dataLoader = new DashboardDataLoader(supabase, user.id);
+			dashboardData = await dataLoader.loadAllData();
+			subscriptionManager?.updateFriendIds(dashboardData.friends.map((f) => f.id));
+		} catch (error) {
+			handleDatabaseError(error, 'load dashboard data');
+		} finally {
+			if (showSkeletons) {
+				isLoadingData = false;
+			}
+			isInitialLoad = false;
+		}
+	};
+
+	const refreshData = async () => {
+		await loadDashboardData(false);
+	};
+
+	const handleRealtimeStatusChange = (payload: StatusChangePayload) => {
+		if (!dashboardData) return;
+
+		const idx = dashboardData.friends.findIndex((f) => f.id === payload.id);
+		if (idx === -1) return;
+
+		dashboardData.friends[idx] = {
+			...dashboardData.friends[idx],
+			status: payload.status,
+			status_updated_at: payload.updated_at
+		};
+		dashboardData = { ...dashboardData };
+	};
+
+	const debouncedRequestRefresh = () => {
+		if (requestRefreshTimer) clearTimeout(requestRefreshTimer);
+		requestRefreshTimer = setTimeout(async () => {
+			if (!user || !supabase) return;
+			try {
+				const loader = new DashboardDataLoader(supabase, user.id);
+				const [incoming, sent] = await Promise.all([
+					loader.loadFriendRequests(),
+					loader.loadSentFriendRequests()
+				]);
+				if (dashboardData) {
+					dashboardData = {
+						...dashboardData,
+						friendRequests: incoming,
+						sentFriendRequests: sent
+					};
+				}
+			} catch (error) {
+				handleDatabaseError(error, 'refresh friend requests');
+			}
+		}, 300);
+	};
+
+	const debouncedFullRefresh = () => {
+		if (fullRefreshTimer) clearTimeout(fullRefreshTimer);
+		fullRefreshTimer = setTimeout(() => refreshData(), 300);
+	};
+
+	const setupRealtimeSubscriptions = () => {
+		if (!user || !supabase || subscriptionManager) return;
+
+		try {
+			const manager = new RealtimeSubscriptionManager(supabase, user.id);
+			manager.subscribe({
+				onFriendRequestChange: debouncedRequestRefresh,
+				onFriendshipChange: debouncedFullRefresh,
+				onStatusChange: handleRealtimeStatusChange
+			});
+			subscriptionManager = manager;
+		} catch (error) {
+			console.error('Failed to set up real-time subscriptions:', error);
+		}
+	};
+
+	const cleanupRealtimeSubscriptions = () => {
+		if (requestRefreshTimer) {
+			clearTimeout(requestRefreshTimer);
+			requestRefreshTimer = null;
+		}
+		if (fullRefreshTimer) {
+			clearTimeout(fullRefreshTimer);
+			fullRefreshTimer = null;
+		}
+		if (subscriptionManager) {
+			subscriptionManager.unsubscribe();
+			subscriptionManager = null;
+		}
+	};
+
+	const handleStatusUpdate = async (evt: SubmitEvent) => {
+		evt.preventDefault();
+		if (!user || !supabase) return;
+
+		const validationError = validateStatus(statusInputText);
+		if (validationError) {
+			NotificationManager.showError(validationError);
+			return;
+		}
+
+		isUpdatingStatus = true;
+		try {
+			const { error } = await supabase.from('profiles').upsert(
+				{
+					id: user.id,
+					status: statusInputText
+				},
+				{ onConflict: 'id' }
+			);
+
+			if (error) {
+				handleDatabaseError(error, 'update status');
+				return;
+			}
+
+			await refreshData();
+			statusInputText = '';
+			NotificationManager.showSuccess('Status updated successfully');
+		} catch (error) {
+			handleDatabaseError(error, 'update status');
+		} finally {
+			isUpdatingStatus = false;
+		}
+	};
+
+	const handleDeleteFriend = (friendId: string) => {
+		const friend = friends.find((f) => f.id === friendId);
+		if (!friend) return;
+
+		friendToDelete = {
+			id: friendId,
+			name: getDisplayName(friend.display_name, friend.username)
+		};
+		showDeleteModal = true;
+	};
+
+	const handleReorderFriends = (reorderedFriends: typeof friends) => {
+		friendOrderStore.updateOrder(reorderedFriends);
+	};
+
+	const confirmDeleteFriend = async () => {
+		if (!friendToDelete || !user || !supabase) return;
+
+		const friendId = friendToDelete.id;
+
+		deletingFriends = new Set([...deletingFriends, friendId]);
+
+		try {
+			const friendshipExists = await verifyFriendshipExists(supabase, user.id, friendId);
+			if (!friendshipExists) {
+				NotificationManager.showError(
+					'No friendship found to remove. The friendship may have already been removed.'
+				);
+				return;
+			}
+
+			const { error } = await supabase
+				.from('friends')
+				.delete()
+				.or(
+					`and(user_id.eq.${user.id},friend_id.eq.${friendId}),and(user_id.eq.${friendId},friend_id.eq.${user.id})`
+				);
+
+			if (error) {
+				handleDatabaseError(error, 'remove friend');
+				return;
+			}
+
+			friendOrderStore.removeFriend(friendId);
+
+			await refreshData();
+			NotificationManager.showSuccess('Friend removed successfully');
+		} catch (error) {
+			handleDatabaseError(error, 'remove friend');
+		} finally {
+			deletingFriends = new Set([...deletingFriends].filter((id) => id !== friendId));
+			showDeleteModal = false;
+			friendToDelete = null;
+		}
+	};
+
+	const cancelDeleteFriend = () => {
+		showDeleteModal = false;
+		friendToDelete = null;
+	};
+</script>
+
+<div class="p-4">
+	{#if !isReady}
+		<LoadingSkeletons />
+		<div class="grid grid-cols-1 gap-4 md:grid-cols-2">
+			<StatusSectionSkeleton />
+			<FriendRequestsSectionSkeleton />
+		</div>
+	{:else}
+		<div class="mb-4">
+			<FriendsList
+				{friends}
+				{deletingFriends}
+				onDeleteFriend={handleDeleteFriend}
+				onReorderFriends={handleReorderFriends}
+			/>
+		</div>
+
+		<div class="grid grid-cols-1 gap-4 md:grid-cols-2">
+			<StatusSection
+				{currentStatus}
+				{isUpdatingStatus}
+				{quickStatuses}
+				onStatusUpdate={handleStatusUpdate}
+				bind:statusInputText
+			/>
+			<FriendRequestsSection
+				{friendRequests}
+				{sentFriendRequests}
+				{supabase}
+				{user}
+				onDataRefresh={refreshData}
+			/>
+		</div>
+	{/if}
+</div>
+
+<DeleteFriendModal
+	{showDeleteModal}
+	{friendToDelete}
+	{deletingFriends}
+	onConfirmDelete={confirmDeleteFriend}
+	onCancelDelete={cancelDeleteFriend}
+/>
diff --git a/src/routes/dashboard/settings/+page.svelte b/src/routes/dashboard/settings/+page.svelte
index 726cfe8..0fc1d1a 100644
--- a/src/routes/dashboard/settings/+page.svelte
+++ b/src/routes/dashboard/settings/+page.svelte
@@ -22,7 +22,6 @@
 
 	let isLoading = $state(false);
 
-	// Username functionality
 	let dashboardData = $state<DashboardData | null>(null);
 	let isLoadingData = $state(true);
 	let currentUsername = $derived(dashboardData?.currentUsername || '');
@@ -34,23 +33,28 @@
 	let usernameCharacterCount = $derived(usernameText.length);
 	let displayNameCharacterCount = $derived(displayNameText.length);
 
-	// Delete account modal functionality
+	let currentPassword = $state('');
+	let newPassword = $state('');
+	let confirmNewPassword = $state('');
+	let isChangingPassword = $state(false);
+
+	let newEmail = $state('');
+	let isChangingEmail = $state(false);
+	let emailChangeSuccess = $state<string | null>(null);
+
 	let showDeleteModal = $state(false);
 	let deletePassword = $state('');
 	let isDeletingAccount = $state(false);
 
-	// Quick status management
 	let quickStatusInputs = $state<string[]>([]);
 	let isUpdatingQuickStatuses = $state(false);
 
-	// Load dashboard data on mount
 	onMount(() => {
 		if (session?.user && supabase) {
 			loadDashboardData();
 		}
 	});
 
-	// Load dashboard data
 	const loadDashboardData = async () => {
 		if (!session?.user || !supabase) return;
 
@@ -58,10 +62,8 @@
 		try {
 			const dataLoader = new DashboardDataLoader(supabase, session.user.id);
 			dashboardData = await dataLoader.loadAllData();
-			// Initialize quick status inputs from localStorage
 			const localQuickStatuses = getQuickStatuses();
 			quickStatusInputs = localQuickStatuses.map((qs) => qs.status_text);
-			// Fill empty slots up to 5
 			while (quickStatusInputs.length < 5) {
 				quickStatusInputs.push('');
 			}
@@ -72,6 +74,19 @@
 		}
 	};
 
+	function downloadJsonFile(data: unknown, filename: string) {
+		const jsonString = JSON.stringify(data, null, 2);
+		const blob = new Blob([jsonString], { type: 'application/json' });
+		const url = URL.createObjectURL(blob);
+		const link = document.createElement('a');
+		link.href = url;
+		link.download = filename;
+		document.body.appendChild(link);
+		link.click();
+		document.body.removeChild(link);
+		URL.revokeObjectURL(url);
+	}
+
 	const exportData = async () => {
 		if (!session?.user || !supabase) {
 			toastStore.error('Unable to export data: User not authenticated');
@@ -83,27 +98,9 @@
 			toastStore.info('Preparing your data export...');
 
 			const dataLoader = new DashboardDataLoader(supabase, session.user.id);
-			const exportData = await dataLoader.exportUserData();
-
-			// Create a formatted JSON string
-			const jsonString = JSON.stringify(exportData, null, 2);
-
-			// Create a blob and download it
-			const blob = new Blob([jsonString], { type: 'application/json' });
-			const url = URL.createObjectURL(blob);
+			const exportedData = await dataLoader.exportUserData();
 
-			// Create a temporary download link
-			const link = document.createElement('a');
-			link.href = url;
-			link.download = `rez-data-export-${new Date().toISOString().split('T')[0]}.json`;
-
-			// Trigger the download
-			document.body.appendChild(link);
-			link.click();
-			document.body.removeChild(link);
-
-			// Clean up the URL object
-			URL.revokeObjectURL(url);
+			downloadJsonFile(exportedData, `rez-data-export-${new Date().toISOString().split('T')[0]}.json`);
 
 			toastStore.success('Data exported successfully!');
 		} catch (error) {
@@ -131,7 +128,6 @@
 
 		isDeletingAccount = true;
 		try {
-			// Re-authenticate user with password
 			const { error: authError } = await supabase.auth.signInWithPassword({
 				email: session.user.email!,
 				password: deletePassword
@@ -142,7 +138,6 @@
 				return;
 			}
 
-			// Use the comprehensive delete function from DashboardDataLoader
 			const dataLoader = new DashboardDataLoader(supabase, session.user.id);
 			await dataLoader.deleteUserAccount();
 
@@ -150,7 +145,6 @@
 				'Account and all data deleted successfully. You will be redirected to the login page.'
 			);
 
-			// Sign out and redirect
 			await supabase.auth.signOut();
 			window.location.href = '/auth';
 		} catch (error) {
@@ -174,12 +168,10 @@
 
 		isUpdatingQuickStatuses = true;
 		try {
-			// Filter out empty inputs
 			const validStatuses = quickStatusInputs
 				.map((text, index) => ({ text: text.trim(), order: index }))
 				.filter((qs) => qs.text.length > 0);
 
-			// Validate all statuses
 			for (const qs of validStatuses) {
 				const { validateStatus } = await import('$lib/status/validation');
 				const validationError = validateStatus(qs.text);
@@ -189,7 +181,6 @@
 				}
 			}
 
-			// Save to localStorage instead of database
 			saveQuickStatuses(quickStatusInputs);
 
 			await loadDashboardData();
@@ -201,6 +192,89 @@
 		}
 	};
 
+	const MIN_PASSWORD_LENGTH = 6;
+
+	const handleChangePassword = async (evt: Event) => {
+		evt.preventDefault();
+		if (!session?.user || !supabase) return;
+
+		if (newPassword.length < MIN_PASSWORD_LENGTH) {
+			toastStore.error(`New password must be at least ${MIN_PASSWORD_LENGTH} characters.`);
+			return;
+		}
+
+		if (newPassword !== confirmNewPassword) {
+			toastStore.error('New passwords do not match.');
+			return;
+		}
+
+		isChangingPassword = true;
+		try {
+			const { error: authError } = await supabase.auth.signInWithPassword({
+				email: session.user.email!,
+				password: currentPassword
+			});
+
+			if (authError) {
+				toastStore.error('Current password is incorrect.');
+				return;
+			}
+
+			const { error: updateError } = await supabase.auth.updateUser({
+				password: newPassword
+			});
+
+			if (updateError) {
+				toastStore.error(updateError.message);
+				return;
+			}
+
+			toastStore.success('Password updated successfully.');
+			currentPassword = '';
+			newPassword = '';
+			confirmNewPassword = '';
+		} catch (error) {
+			handleDatabaseError(error, 'change password');
+		} finally {
+			isChangingPassword = false;
+		}
+	};
+
+	const handleChangeEmail = async (evt: Event) => {
+		evt.preventDefault();
+		if (!session?.user || !supabase) return;
+
+		const trimmedEmail = newEmail.trim();
+		if (!trimmedEmail) {
+			toastStore.error('Please enter a new email address.');
+			return;
+		}
+
+		if (trimmedEmail === session.user.email) {
+			toastStore.error('New email is the same as your current email.');
+			return;
+		}
+
+		isChangingEmail = true;
+		emailChangeSuccess = null;
+		try {
+			const { error } = await supabase.auth.updateUser({ email: trimmedEmail });
+
+			if (error) {
+				toastStore.error(error.message);
+				return;
+			}
+
+			emailChangeSuccess =
+				'A confirmation link has been sent to your new email address. Your email will update after you confirm.';
+			newEmail = '';
+		} catch (error) {
+			handleDatabaseError(error, 'change email');
+		} finally {
+			isChangingEmail = false;
+		}
+	};
+
 	const handleUsernameUpdate = async (evt: Event) => {
 		evt.preventDefault();
 		if (!session?.user || !supabase) return;
@@ -214,14 +288,12 @@
 
 		isUpdatingUsername = true;
 		try {
-			// Check if username is available
 			const isAvailable = await checkUsernameAvailability(supabase, sanitizedUsername, session.user.id);
 			if (!isAvailable) {
 				toastStore.error(ERROR_MESSAGES.USERNAME_TAKEN);
 				return;
 			}
 
-			// Update username
 			const { error } = await supabase
 				.from('users')
 				.update({ username: sanitizedUsername })
@@ -254,7 +326,6 @@
 
 		isUpdatingDisplayName = true;
 		try {
-			// Update display name (can be null if empty)
 			const { error } = await supabase
 				.from('users')
 				.update({ display_name: sanitizedDisplayName || null })
@@ -276,7 +347,6 @@
 </script>
 
 <div class="container mx-auto max-w-4xl px-4 py-8 sm:px-6">
-	<!-- Header Section -->
 	<header class="mb-12">
 		<h1 class="text-base-content mb-3 text-4xl font-bold">Settings</h1>
 		<p class="text-base-content/70 text-lg">
@@ -284,9 +354,7 @@
 		</p>
 	</header>
 
-	<!-- Main Settings Container -->
 	<main class="space-y-12">
-		<!-- Profile Section -->
 		<section class="card bg-base-100 shadow-xl" aria-labelledby="profile-heading">
 			<div class="card-body p-6 sm:p-8">
 				<h2 id="profile-heading" class="card-title mb-6 flex items-center gap-3 text-2xl">
@@ -301,26 +369,11 @@
 					Profile Information
 				</h2>
 				<div class="space-y-8">
-					<!-- Account Information Subsection -->
 					<div class="space-y-6">
 						<h3 class="text-base-content/80 border-base-300 border-b pb-2 text-lg font-semibold">
 							Account Information
 						</h3>
 
-						<div class="form-control min-w-0">
-							<label class="label" for="email-input">
-								<span class="label-text font-medium">Email Address</span>
-							</label>
-							<input
-								id="email-input"
-								type="email"
-								value={session?.user?.email || ''}
-								class="input input-bordered w-full"
-								disabled
-								aria-describedby="email-help"
-							/>
-						</div>
-
 						<div class="form-control min-w-0">
 							<label class="label" for="user-id-input">
 								<span class="label-text font-medium">User ID</span>
@@ -336,7 +389,6 @@
 						</div>
 					</div>
 
-					<!-- Username Subsection -->
 					<div class="space-y-6">
 						<h3 class="text-base-content/80 border-base-300 border-b pb-2 text-lg font-semibold">
 							Username
@@ -471,7 +523,6 @@
 						{/if}
 					</div>
 
-					<!-- Display Name Subsection -->
 					<div class="space-y-6">
 						<h3 class="text-base-content/80 border-base-300 border-b pb-2 text-lg font-semibold">
 							Display Name
@@ -606,7 +657,164 @@
 			</div>
 		</section>
 
-		<!-- Quick Status Section -->
+		<section class="card bg-base-100 shadow-xl" aria-labelledby="security-heading">
+			<div class="card-body p-6 sm:p-8">
+				<h2 id="security-heading" class="card-title mb-6 flex items-center gap-3 text-2xl">
+					<svg class="h-6 w-6" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+						<path
+							stroke-linecap="round"
+							stroke-linejoin="round"
+							stroke-width="2"
+							d="M12 15v2m-6 4h12a2 2 0 002-2v-6a2 2 0 00-2-2H6a2 2 0 00-2 2v6a2 2 0 002 2zm10-10V7a4 4 0 00-8 0v4h8z"
+						/>
+					</svg>
+					Security
+				</h2>
+				<div class="space-y-8">
+					<div class="space-y-6">
+						<h3 class="text-base-content/80 border-base-300 border-b pb-2 text-lg font-semibold">
+							Email Address
+						</h3>
+
+						<div class="bg-base-200 border-base-300 rounded-lg border p-4">
+							<p class="text-base-content text-lg font-medium">
+								Current email: <span class="text-primary">{session?.user?.email || ''}</span>
+							</p>
+						</div>
+
+						{#if emailChangeSuccess}
+							<div class="alert alert-success" role="alert">
+								<svg
+									xmlns="http://www.w3.org/2000/svg"
+									class="h-6 w-6 shrink-0 stroke-current"
+									fill="none"
+									viewBox="0 0 24 24"
+								>
+									<path
+										stroke-linecap="round"
+										stroke-linejoin="round"
+										stroke-width="2"
+										d="M9 12l2 2 4-4m6 2a9 9 0 11-18 0 9 9 0 0118 0z"
+									/>
+								</svg>
+								<span>{emailChangeSuccess}</span>
+								<button
+									class="btn btn-sm btn-ghost"
+									onclick={() => (emailChangeSuccess = null)}
+									type="button">✕</button
+								>
+							</div>
+						{/if}
+
+						<form onsubmit={handleChangeEmail} class="space-y-4">
+							<div class="form-control min-w-0">
+								<label class="label" for="new-email-input">
+									<span class="label-text font-medium">New email address</span>
+								</label>
+								<div class="join w-full min-w-0">
+									<input
+										id="new-email-input"
+										type="email"
+										bind:value={newEmail}
+										required
+										placeholder="newemail@example.com"
+										class="input input-bordered join-item w-full"
+										aria-describedby="change-email-help"
+									/>
+									<button
+										class="btn btn-primary join-item"
+										disabled={isChangingEmail}
+										type="submit"
+									>
+										{#if isChangingEmail}
+											<span class="loading loading-spinner loading-xs"></span>
+										{:else}
+											Update
+										{/if}
+									</button>
+								</div>
+								<div class="label w-full max-w-full">
+									<span
+										id="change-email-help"
+										class="label-text-alt text-base-content/60 break-anywhere block w-full max-w-full text-sm leading-relaxed break-words hyphens-auto whitespace-normal sm:text-base"
+									>
+										A confirmation link will be sent to the new address. Your email won't change
+										until you confirm.
+									</span>
+								</div>
+							</div>
+						</form>
+					</div>
+
+					<div class="space-y-6">
+						<h3 class="text-base-content/80 border-base-300 border-b pb-2 text-lg font-semibold">
+							Change Password
+						</h3>
+
+						<form onsubmit={handleChangePassword} class="space-y-4">
+							<div class="form-control min-w-0">
+								<label class="label" for="current-password-input">
+									<span class="label-text font-medium">Current password</span>
+								</label>
+								<input
+									id="current-password-input"
+									type="password"
+									autocomplete="current-password"
+									bind:value={currentPassword}
+									required
+									placeholder="Enter current password"
+									class="input input-bordered w-full"
+								/>
+							</div>
+
+							<div class="form-control min-w-0">
+								<label class="label" for="new-password-input">
+									<span class="label-text font-medium">New password</span>
+								</label>
+								<input
+									id="new-password-input"
+									type="password"
+									autocomplete="new-password"
+									bind:value={newPassword}
+									required
+									minlength={MIN_PASSWORD_LENGTH}
+									placeholder="Enter new password"
+									class="input input-bordered w-full"
+								/>
+							</div>
+
+							<div class="form-control min-w-0">
+								<label class="label" for="confirm-new-password-input">
+									<span class="label-text font-medium">Confirm new password</span>
+								</label>
+								<input
+									id="confirm-new-password-input"
+									type="password"
+									autocomplete="new-password"
+									bind:value={confirmNewPassword}
+									required
+									minlength={MIN_PASSWORD_LENGTH}
+									placeholder="Confirm new password"
+									class="input input-bordered w-full"
+								/>
+							</div>
+
+							<div class="form-control mt-2">
+								<button class="btn btn-primary" disabled={isChangingPassword} type="submit">
+									{#if isChangingPassword}
+										<span class="loading loading-spinner loading-sm"></span>
+										Updating...
+									{:else}
+										Change Password
+									{/if}
+								</button>
+							</div>
+						</form>
+					</div>
+				</div>
+			</div>
+		</section>
+
 		<section class="card bg-base-100 shadow-xl" aria-labelledby="quick-status-heading">
 			<div class="card-body p-6 sm:p-8">
 				<h2 id="quick-status-heading" class="card-title mb-6 flex items-center gap-3 text-2xl">
@@ -736,7 +944,6 @@
 			</div>
 		</section>
 
-		<!-- Appearance Section -->
 		<section class="card bg-base-100 shadow-xl" aria-labelledby="appearance-heading">
 			<div class="card-body p-6 sm:p-8">
 				<h2 id="appearance-heading" class="card-title mb-6 flex items-center gap-3 text-2xl">
@@ -754,7 +961,6 @@
 			</div>
 		</section>
 
-		<!-- Data Management Section -->
 		<section class="card bg-base-100 shadow-xl" aria-labelledby="data-management-heading">
 			<div class="card-body p-6 sm:p-8">
 				<h2 id="data-management-heading" class="card-title mb-6 flex items-center gap-3 text-2xl">
@@ -810,7 +1016,6 @@
 			</div>
 		</section>
 
-		<!-- Danger Zone Section -->
 		<section class="card bg-base-100 border-error shadow-xl" aria-labelledby="danger-zone-heading">
 			<div class="card-body p-6 sm:p-8">
 				<h2
@@ -865,7 +1070,6 @@
 	</main>
 </div>
 
-<!-- Delete Account Confirmation Modal -->
 {#if showDeleteModal}
 	<div
 		class="modal modal-open"
diff --git a/static/favicon.png b/static/favicon.png
deleted file mode 100644
index 4569774..0000000
Binary files a/static/favicon.png and /dev/null differ
diff --git a/static/favicon.svg b/static/favicon.svg
new file mode 100644
index 0000000..523d20b
--- /dev/null
+++ b/static/favicon.svg
@@ -0,0 +1,4 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 32 32">
+  <rect width="32" height="32" rx="8" fill="#6419e6"/>
+  <path d="M11 8h6.5a4.5 4.5 0 0 1 .73 8.94L22 24h-3.2l-3.5-6.5H14V24h-3V8zm3 3v4.5h3.5a2.25 2.25 0 0 0 0-4.5H14z" fill="#fff"/>
+</svg>
diff --git a/static/icon-192.png b/static/icon-192.png
new file mode 100644
index 0000000..3deacc7
Binary files /dev/null and b/static/icon-192.png differ
diff --git a/static/icon-512.png b/static/icon-512.png
new file mode 100644
index 0000000..3e62f09
Binary files /dev/null and b/static/icon-512.png differ
diff --git a/static/manifest.json b/static/manifest.json
new file mode 100644
index 0000000..6bfd9d8
--- /dev/null
+++ b/static/manifest.json
@@ -0,0 +1,26 @@
+{
+	"name": "Rez",
+	"short_name": "Rez",
+	"description": "Share what you're up to with your friends in real time.",
+	"start_url": "/dashboard",
+	"display": "standalone",
+	"background_color": "#1d232a",
+	"theme_color": "#6419e6",
+	"icons": [
+		{
+			"src": "/icon-192.png",
+			"sizes": "192x192",
+			"type": "image/png"
+		},
+		{
+			"src": "/icon-512.png",
+			"sizes": "512x512",
+			"type": "image/png"
+		},
+		{
+			"src": "/favicon.svg",
+			"sizes": "any",
+			"type": "image/svg+xml"
+		}
+	]
+}
diff --git a/vite.config.ts b/vite.config.ts
index 2d35c4f..10bc094 100644
--- a/vite.config.ts
+++ b/vite.config.ts
@@ -1,7 +1,11 @@
+/// <reference types="vitest/config" />
 import tailwindcss from '@tailwindcss/vite';
 import { sveltekit } from '@sveltejs/kit/vite';
 import { defineConfig } from 'vite';
 
 export default defineConfig({
-	plugins: [tailwindcss(), sveltekit()]
+	plugins: [tailwindcss(), sveltekit()],
+	test: {
+		include: ['src/**/*.test.ts']
+	}
 });