diff --git a/.env-example b/.env-example
index da373d2..e284bf1 100644
--- a/.env-example
+++ b/.env-example
@@ -1,18 +1,22 @@
 # PostgreSQL
-# (Currently hardcoded in docker-compose.yaml)
+POSTGRES_USER=mlsec2
+POSTGRES_PASSWORD=mlsec2_pw
 
-# MinIO
-MINIO_ROOT_USER=minioadmin
-MINIO_ROOT_PASSWORD=minioadmin
+# MinIO Object Storage
+MINIO_ROOT_USER=mlsec2
+MINIO_ROOT_PASSWORD=mlsec2_pw
 
-# Docker Configuration
-DOCKER_GID=999
+# RabbitMQ
+RABBITMQ_USER=mlsec2
+RABBITMQ_PASSWORD=mlsec2_pw
 
 # Gateway Secret
-# (Currently hardcoded in docker-compose.yaml, could be moved here if needed)
-GATEWAY_SECRET=welovemarcus
+GATEWAY_SECRET=mlsec2_pw
+
+# Docker Configuration
+DOCKER_GID=999
 
-# VirusTotal API key (for attack similarity evaluation)
+# VirusTotal API key (for attack behavioral evaluation)
 VIRUSTOTAL_API_KEY=
 
 # Email MFA (SMTP) configuration
diff --git a/.github/workflows/api_ci.yaml b/.github/workflows/api_ci.yaml
index 38caca6..1653289 100644
--- a/.github/workflows/api_ci.yaml
+++ b/.github/workflows/api_ci.yaml
@@ -20,7 +20,7 @@ jobs:
           --health-retries 5
 
     env:
-      DATABASE_URL: postgresql://postgres:password123@localhost:5433/mlsec_test
+      DATABASE_URL: postgresql://mlsec2:mlsec2_pw@localhost:5433/mlsec_test
       REDIS_URL: redis://localhost:6379/0
 
     steps:
@@ -33,7 +33,7 @@ jobs:
       - name: Wait for test database readiness
         run: |
           for i in {1..30}; do
-            if docker exec test-postgres-db pg_isready -U postgres -d mlsec_test; then
+            if docker exec test-postgres-db pg_isready -U mlsec2 -d mlsec_test; then
               exit 0
             fi
             sleep 2
diff --git a/.github/workflows/worker_ci.yaml b/.github/workflows/worker_ci.yaml
index 8227200..a33ca2e 100644
--- a/.github/workflows/worker_ci.yaml
+++ b/.github/workflows/worker_ci.yaml
@@ -9,11 +9,11 @@ jobs:
     runs-on: ubuntu-latest
 
     env:
-      DATABASE_URL: postgresql://postgres:password123@localhost:5433/mlsec_test
+      DATABASE_URL: postgresql://mlsec2:mlsec2_pw@localhost:5433/mlsec_test
       REDIS_URL: redis://localhost:6379/0
       MINIO_ENDPOINT: localhost:9000
-      MINIO_ACCESS_KEY: minioadmin
-      MINIO_SECRET_KEY: minioadmin
+      MINIO_ACCESS_KEY: mlsec2
+      MINIO_SECRET_KEY: mlsec2_pw
       CELERY_BROKER_URL: redis://localhost:6379/1
       CELERY_RESULT_BACKEND: redis://localhost:6379/2
 
@@ -39,7 +39,7 @@ jobs:
       - name: Wait for test database readiness
         run: |
           for i in {1..30}; do
-            if docker exec test-postgres-db pg_isready -U postgres -d mlsec_test; then
+            if docker exec test-postgres-db pg_isready -U mlsec2 -d mlsec_test; then
               exit 0
             fi
             sleep 2
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..0c2e987
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,23 @@
+.PHONY: up down build ps logs worker-count
+
+# Parse num_workers from config.yaml
+NUM_WORKERS=$(shell awk '/worker:/ {found=1} found && /num_workers:/ {print $$2; exit}' config.yaml)
+
+up:
+	@echo "Starting platform with $(NUM_WORKERS) workers..."
+	docker compose up --scale worker=$(NUM_WORKERS)
+
+down:
+	docker compose down
+
+build:
+	docker compose build
+
+ps:
+	docker compose ps
+
+logs:
+	docker compose logs -f
+
+worker-count:
+	@echo $(NUM_WORKERS)
diff --git a/config.yaml b/config.yaml
index f67f8e6..9743559 100644
--- a/config.yaml
+++ b/config.yaml
@@ -1,5 +1,5 @@
 worker:
-  num_workers: 4   # number of concurrent Celery worker processes (maps to --concurrency)
+  num_workers: 4   # number of concurrent Worker containers (Total Possible Competitor Containers = num_workers*batch_size)
   defense_job:
     mem_limit: "1g"
     nano_cpus: 1000000000
@@ -8,19 +8,19 @@ worker:
     max_uncompressed_size_mb: 1024
   evaluation:
     requests_timeout_seconds: 5
-    batch_size: 4
+    batch_size: 2
     defense_max_ram: 1024        # MB - soft RAM threshold; sample marked evaded and container restarted if exceeded
     defense_max_time: 5000       # ms - per-sample time limit; exceeded = evaded
     defense_max_timeout: 20000   # ms - forced restart threshold (must be >= defense_max_time)
     defense_max_restarts: 3      # max container restarts before error state
     stats_sampling_rate: 25      # Number of samples evaluated before checking container stats again (This has a massive impact on total evaluation time)
   heuristic_validation:
-    enable_heuristic_validation: true
+    enable_heuristic_validation: false
     heurval_malware_fpr_minimum: 0.0
     heurval_malware_tpr_minimum: 0.30
     heurval_goodware_fpr_minimum: 0.0
     heurval_goodware_tpr_minimum: 0.30
-    reject_heurval_failures: true
+    reject_heurval_failures: false
   source:
     # Resource limits
     max_zip_size_mb: 512
@@ -41,9 +41,8 @@ worker:
     cleanup_pulled_images: true           # Remove pulled images after evaluation (Docker Hub sources only)
   minio:
     bucket_name: "mlsec-submissions"
-    access_key: "mlsec_minio_admin"
-    secret_key: "mlsec_minio_password_change_in_production"
   attack:
+    skip_seeding: true              # true = skip template seeding and all behavioral checks
     check_similarity: false           # false = skip evaluation, accept all validated attacks
     reject_dissimilar_attacks: false  # only applies when check_similarity=true
                                      #   true  = reject if score < minimum_attack_similarity
@@ -52,7 +51,10 @@ worker:
     max_zip_size_mb: 100
     sandbox_backend: "virustotal"    # "virustotal" | "local"
     cache_persistence_duration: 300  # seconds of inactivity before clearing the sample cache
+    cache_max_size_gb: 10            # Maximum size of local sample cache before pruning
 
 application:
   login_code: 'ABC'
+  defense_submission_cooldown: 30   # seconds between defense submissions per user; 0 = no cooldown
+  attack_submission_cooldown: 30    # seconds between attack submissions per user; 0 = no cooldown
   email_mfa_enabled: true
diff --git a/docker-compose.prod.yaml b/docker-compose.prod.yaml
deleted file mode 100644
index 958699a..0000000
--- a/docker-compose.prod.yaml
+++ /dev/null
@@ -1,169 +0,0 @@
-services:
-  postgres:
-    image: postgres:18
-    container_name: postgres-db
-    restart: unless-stopped
-    environment:
-      POSTGRES_USER: postgres
-      POSTGRES_PASSWORD: password123
-      POSTGRES_DB: mlsec
-    volumes:
-      - pgdata:/var/lib/postgresql
-      - ./services/postgres/init:/docker-entrypoint-initdb.d
-    networks:
-      - backend_net
-
-  minio:
-    image: minio/minio:latest
-    container_name: mlsec-minio
-    restart: unless-stopped
-    environment:
-      MINIO_ROOT_USER: ${MINIO_ROOT_USER:-mlsec_minio_admin}
-      MINIO_ROOT_PASSWORD: ${MINIO_ROOT_PASSWORD:-mlsec_minio_password_change_in_production}
-    command: server /data --console-address ":9001"
-    volumes:
-      - miniodata:/data
-    networks:
-      - backend_net
-
-  rabbitmq:
-    image: rabbitmq:3-management
-    container_name: rabbitmq
-    restart: unless-stopped
-    environment:
-      RABBITMQ_DEFAULT_USER: mlsec
-      RABBITMQ_DEFAULT_PASS: mlsec
-    volumes:
-      - rabbitmqdata:/var/lib/rabbitmq
-    networks:
-      - backend_net
-
-  redis:
-    image: redis:7-alpine
-    container_name: mlsec-redis
-    restart: unless-stopped
-    command: redis-server --appendonly yes
-    volumes:
-      - redisdata:/data
-    networks:
-      - backend_net
-
-  api:
-    build:
-      context: ./services/api
-      dockerfile: Dockerfile
-    container_name: mlsec-api
-    restart: unless-stopped
-    environment:
-      DATABASE_URL: postgresql://postgres:password123@postgres:5432/mlsec
-      CELERY_BROKER_URL: amqp://mlsec:mlsec@rabbitmq:5672//
-      REDIS_URL: redis://redis:6379/0
-      MINIO_ENDPOINT: minio:9000
-      MINIO_ACCESS_KEY: ${MINIO_ROOT_USER:-mlsec_minio_admin}
-      MINIO_SECRET_KEY: ${MINIO_ROOT_PASSWORD:-mlsec_minio_password_change_in_production}
-      MINIO_SECURE: "false"
-      # Production-specific settings
-      ADMIN_LOCALHOST_ONLY: "false"
-      ADMIN_ALLOWED_HOSTS: '["mlsec2.com", "api:8000"]'
-      ADMIN_TRUSTED_PROXY_HOSTS: '["127.0.0.1", "::1", "172.16.0.0/12", "172.17.0.0/12", "172.18.0.0/12", "172.19.0.0/12", "172.20.0.0/12", "172.21.0.0/12", "172.22.0.0/12"]'
-      ADMIN_ALLOWED_NETWORKS: '["172.16.0.0/12"]'
-      CORS_ALLOW_ORIGINS: '["http://mlsec2.com", "http://localhost:4321"]'
-      CORS_ALLOW_ORIGIN_REGEX: '^https?://(mlsec2\.com|localhost)(:\d+)?$'
-    volumes:
-      - ./config.yaml:/app/config.yaml:ro
-    networks:
-      - backend_net
-    depends_on:
-      - postgres
-      - rabbitmq
-      - redis
-      - minio
-
-  worker:
-    build:
-      context: ./services/worker
-      dockerfile: Dockerfile
-    container_name: mlsec-worker
-    restart: unless-stopped
-    environment:
-      DATABASE_URL: postgresql://postgres:password123@postgres:5432/mlsec
-      CELERY_BROKER_URL: amqp://mlsec:mlsec@rabbitmq:5672//
-      CELERY_DEFAULT_QUEUE: mlsec
-      REDIS_URL: redis://redis:6379/0
-      MINIO_ENDPOINT: minio:9000
-      MINIO_ACCESS_KEY: ${MINIO_ROOT_USER:-mlsec_minio_admin}
-      MINIO_SECRET_KEY: ${MINIO_ROOT_PASSWORD:-mlsec_minio_password_change_in_production}
-      MINIO_SECURE: "false"
-      VIRUSTOTAL_API_KEY: ${VIRUSTOTAL_API_KEY:-}
-      CELERY_CONCURRENCY: "${WORKER_CONCURRENCY:-4}"
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock
-      - ./config.yaml:/app/config.yaml:ro
-      - worker_cache:/app/cache
-    group_add:
-      - "${DOCKER_GID:-999}"
-    networks:
-      - backend_net
-      - defense_net
-    depends_on:
-      - postgres
-      - rabbitmq
-      - redis
-      - minio
-
-  frontend:
-    build:
-      context: ./services/frontend
-      dockerfile: Dockerfile.prod
-    container_name: mlsec-frontend
-    restart: unless-stopped
-    environment:
-      PUBLIC_API_URL: "http://mlsec2.com"
-      API_INTERNAL_URL: "http://api:8000"
-    networks:
-      - backend_net
-    depends_on:
-      - api
-
-  nginx:
-    image: nginx:alpine
-    container_name: mlsec-nginx
-    restart: unless-stopped
-    ports:
-      - "80:80"
-    volumes:
-      - ./services/nginx/nginx.conf:/etc/nginx/conf.d/default.conf:ro
-    networks:
-      - backend_net
-    depends_on:
-      - api
-      - frontend
-
-  # Gateway to control traffic for student containers
-  mlsec-gateway:
-    build:
-      context: ./services/gateway
-      dockerfile: Dockerfile
-    container_name: mlsec-gateway
-    restart: unless-stopped
-    cap_add:
-      - NET_ADMIN
-    sysctls:
-      - net.ipv4.ip_forward=1
-    networks:
-      - defense_net
-
-networks:
-  backend_net:
-    name: backend_net
-    driver: bridge
-  defense_net:
-    name: defense_net
-    driver: bridge
-
-volumes:
-  pgdata:
-  rabbitmqdata:
-  redisdata:
-  miniodata:
-  worker_cache:
diff --git a/docker-compose.yaml b/docker-compose.yaml
index ea9aebf..03522d4 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -4,8 +4,8 @@ services:
     image: postgres:18
     container_name: postgres-db
     environment:
-      POSTGRES_USER: postgres
-      POSTGRES_PASSWORD: password123
+      POSTGRES_USER: ${POSTGRES_USER:-mlsec2}
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-mlsec2_pw}
       POSTGRES_DB: mlsec
     ports:
       - "5432:5432"
@@ -20,8 +20,8 @@ services:
     image: postgres:18
     container_name: test-postgres-db
     environment:
-      POSTGRES_USER: postgres
-      POSTGRES_PASSWORD: password123
+      POSTGRES_USER: ${POSTGRES_USER:-mlsec2}
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-mlsec2_pw}
       POSTGRES_DB: mlsec_test
     ports:
       - "5433:5432"
@@ -35,8 +35,8 @@ services:
     image: minio/minio:latest
     container_name: mlsec-minio
     environment:
-      MINIO_ROOT_USER: ${MINIO_ROOT_USER:-mlsec_minio_admin}
-      MINIO_ROOT_PASSWORD: ${MINIO_ROOT_PASSWORD:-mlsec_minio_password_change_in_production}
+      MINIO_ROOT_USER: ${MINIO_ROOT_USER:-mlsec2}
+      MINIO_ROOT_PASSWORD: ${MINIO_ROOT_PASSWORD:-mlsec2_pw}
     command: server /data --console-address ":9001"
     ports:
       - "9000:9000" # API
@@ -55,8 +55,8 @@ services:
     image: rabbitmq:3-management
     container_name: rabbitmq
     environment:
-      RABBITMQ_DEFAULT_USER: mlsec
-      RABBITMQ_DEFAULT_PASS: mlsec
+      RABBITMQ_DEFAULT_USER: ${RABBITMQ_USER:-mlsec2}
+      RABBITMQ_DEFAULT_PASS: ${RABBITMQ_PASSWORD:-mlsec2_pw}
     ports:
       - "5672:5672" # AMQP
       - "15672:15672" # Management UI
@@ -88,12 +88,12 @@ services:
       dockerfile: Dockerfile
     container_name: mlsec-api
     environment:
-      DATABASE_URL: postgresql://postgres:password123@postgres:5432/mlsec
-      CELERY_BROKER_URL: amqp://mlsec:mlsec@rabbitmq:5672//
+      DATABASE_URL: postgresql://${POSTGRES_USER:-mlsec2}:${POSTGRES_PASSWORD:-mlsec2_pw}@postgres:5432/mlsec
+      CELERY_BROKER_URL: amqp://${RABBITMQ_USER:-mlsec2}:${RABBITMQ_PASSWORD:-mlsec2_pw}@rabbitmq:5672//
       REDIS_URL: redis://redis:6379/0
       MINIO_ENDPOINT: minio:9000
-      MINIO_ACCESS_KEY: ${MINIO_ROOT_USER:-mlsec_minio_admin}
-      MINIO_SECRET_KEY: ${MINIO_ROOT_PASSWORD:-mlsec_minio_password_change_in_production}
+      MINIO_ACCESS_KEY: ${MINIO_ROOT_USER:-mlsec2}
+      MINIO_SECRET_KEY: ${MINIO_ROOT_PASSWORD:-mlsec2_pw}
       MINIO_SECURE: "false"
       ADMIN_ALLOWED_HOSTS: '["172.22.0.1"]' # Docker bridge gateway for localhost SSH tunnel access
       ADMIN_TRUSTED_PROXY_HOSTS: '["127.0.0.1", "::1", "172.16.0.0/12"]' # Trust nginx on any Docker bridge subnet
@@ -127,16 +127,16 @@ services:
       context: ./services/worker
       dockerfile: Dockerfile
     environment:
-      DATABASE_URL: postgresql://postgres:password123@postgres:5432/mlsec
-      CELERY_BROKER_URL: amqp://mlsec:mlsec@rabbitmq:5672//
+      DATABASE_URL: postgresql://${POSTGRES_USER:-mlsec2}:${POSTGRES_PASSWORD:-mlsec2_pw}@postgres:5432/mlsec
+      CELERY_BROKER_URL: amqp://${RABBITMQ_USER:-mlsec2}:${RABBITMQ_PASSWORD:-mlsec2_pw}@rabbitmq:5672//
       CELERY_DEFAULT_QUEUE: mlsec
       REDIS_URL: redis://redis:6379/0
       MINIO_ENDPOINT: minio:9000
-      MINIO_ACCESS_KEY: ${MINIO_ROOT_USER:-mlsec_minio_admin}
-      MINIO_SECRET_KEY: ${MINIO_ROOT_PASSWORD:-mlsec_minio_password_change_in_production}
+      MINIO_ACCESS_KEY: ${MINIO_ROOT_USER:-mlsec2}
+      MINIO_SECRET_KEY: ${MINIO_ROOT_PASSWORD:-mlsec2_pw}
       MINIO_SECURE: "false"
       VIRUSTOTAL_API_KEY: ${VIRUSTOTAL_API_KEY:-}
-      CELERY_CONCURRENCY: "${WORKER_CONCURRENCY:-4}"
+      CELERY_CONCURRENCY: "${WORKER_CONCURRENCY:-1}" # Forces use of a single thread per Worker container
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
       - ./config.yaml:/app/config.yaml:ro
@@ -174,14 +174,25 @@ services:
     container_name: mlsec-nginx
     ports:
       - "80:80"
+      - "443:443"
     volumes:
       - ./services/nginx/nginx.conf:/etc/nginx/conf.d/default.conf:ro
+      - certbot-conf:/etc/letsencrypt:ro
+      - certbot-www:/var/www/certbot:ro
     networks:
       - backend_net
     depends_on:
       - api
       - frontend
 
+  certbot:
+    image: certbot/certbot
+    container_name: mlsec-certbot
+    volumes:
+      - certbot-conf:/etc/letsencrypt
+      - certbot-www:/var/www/certbot
+    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew --quiet; sleep 12h & wait $${!}; done'"
+
   # Adminer (Can remove in production if we dont need it)
   adminer:
     image: adminer:latest
@@ -209,5 +220,7 @@ volumes:
   redisdata:
   miniodata:
   worker_cache:
+  certbot-conf:
+  certbot-www:
 
 
diff --git a/services/api/core/admin.py b/services/api/core/admin.py
index 2053fdc..62ad2b8 100644
--- a/services/api/core/admin.py
+++ b/services/api/core/admin.py
@@ -149,7 +149,6 @@ def _hash_token(token: str) -> str:
 
 def require_admin_origin(request: Request, *, require_present: bool = True) -> None:
     """Ensure Origin/Referer points to localhost (and is present if required)."""
-    settings = get_settings()
     origin = request.headers.get("origin")
     referer = request.headers.get("referer")
 
@@ -168,22 +167,18 @@ def _origin_host(value: str) -> str | None:
 
     if origin:
         origin_host = _origin_host(origin)
-        if not _is_loopback_host(origin_host) and not _is_in_allowed_hosts(
-            origin_host, settings.admin_allowed_hosts
-        ):
+        if not _is_loopback_host(origin_host):
             raise HTTPException(
                 status_code=status.HTTP_403_FORBIDDEN,
-                detail="Admin actions require localhost or allowed origin",
+                detail="Admin actions require localhost origin",
             )
 
     if referer:
         referer_host = _origin_host(referer)
-        if not _is_loopback_host(referer_host) and not _is_in_allowed_hosts(
-            referer_host, settings.admin_allowed_hosts
-        ):
+        if not _is_loopback_host(referer_host):
             raise HTTPException(
                 status_code=status.HTTP_403_FORBIDDEN,
-                detail="Admin actions require localhost or allowed origin",
+                detail="Admin actions require localhost origin",
             )
 
 
diff --git a/services/api/core/config.py b/services/api/core/config.py
index 16a6e96..fd87b78 100644
--- a/services/api/core/config.py
+++ b/services/api/core/config.py
@@ -16,14 +16,16 @@
 
 class MinIOConfig(BaseModel):
     endpoint: str = "minio:9000"
-    access_key: str = "minioadmin"
-    secret_key: str = "minioadmin"
+    access_key: str = "mlsec2"
+    secret_key: str = "mlsec2_pw"
     bucket_name: str = "mlsec-submissions"
     secure: bool = False
 
 
 class ApplicationConfig(BaseModel):
     join_code: str | None = None
+    defense_submission_cooldown: int = 0
+    attack_submission_cooldown: int = 0
     email_mfa_enabled: bool | None = None
 
 
@@ -53,6 +55,8 @@ def get_config() -> AppConfig:
             minio=MinIOConfig(**minio_data),
             application=ApplicationConfig(
                 join_code=join_code,
+                defense_submission_cooldown=int(app_data.get("defense_submission_cooldown", 0)),
+                attack_submission_cooldown=int(app_data.get("attack_submission_cooldown", 0)),
                 email_mfa_enabled=email_mfa_enabled,
             ),
         )
diff --git a/services/api/core/database.py b/services/api/core/database.py
index 48c1cb0..579a731 100644
--- a/services/api/core/database.py
+++ b/services/api/core/database.py
@@ -15,7 +15,7 @@
 from core.settings import get_settings
 
 # TODO: Change this to .env for resolving password, port, etc.
-DEFAULT_DATABASE_URL = "postgresql://postgres:password123@postgres:5432/mlsec"
+DEFAULT_DATABASE_URL = "postgresql://mlsec2:mlsec2_pw@postgres:5432/mlsec"
 logger = logging.getLogger(__name__)
 
 
diff --git a/services/api/core/settings.py b/services/api/core/settings.py
index dbf2125..ef7493e 100644
--- a/services/api/core/settings.py
+++ b/services/api/core/settings.py
@@ -26,8 +26,8 @@ class Settings(BaseSettings):
 
     # MinIO object storage
     minio_endpoint: str = "minio:9000"
-    minio_access_key: str = "minioadmin"
-    minio_secret_key: str = "minioadmin"
+    minio_access_key: str = "mlsec2"
+    minio_secret_key: str = "mlsec2_pw"
     minio_secure: bool = False
     minio_bucket_name: str = "mlsec-submissions"
 
diff --git a/services/api/core/storage.py b/services/api/core/storage.py
index 570709e..3cba640 100644
--- a/services/api/core/storage.py
+++ b/services/api/core/storage.py
@@ -21,8 +21,8 @@ def get_minio_client() -> Minio:
     """Singleton MinIO client factory."""
     cfg = get_config().minio
     http_client = urllib3.PoolManager(
-        timeout=urllib3.Timeout(connect=5, read=30),
-        retries=urllib3.Retry(total=0),
+        timeout=urllib3.Timeout(connect=5, read=600),
+        retries=urllib3.Retry(total=2),
     )
     return Minio(
         endpoint=cfg.endpoint,
diff --git a/services/api/core/submission_control.py b/services/api/core/submission_control.py
index 5e9e60f..9cabaa6 100644
--- a/services/api/core/submission_control.py
+++ b/services/api/core/submission_control.py
@@ -2,6 +2,7 @@
 
 from __future__ import annotations
 
+import math
 from dataclasses import dataclass
 from datetime import datetime, timezone
 
@@ -91,7 +92,12 @@ def set_manual_closed(
     closed: bool,
     updated_by: str | None,
 ) -> SubmissionControl:
-    """Toggle the manual close flag and return the updated control state."""
+    """Toggle the manual close flag and return the updated control state.
+
+    When opening submissions (closed=False), also clears a lapsed scheduled
+    close time so the submission window is actually open afterwards.
+    """
+    now = _utcnow()
     row = (
         db.execute(
             text(
@@ -100,6 +106,11 @@ def set_manual_closed(
                 VALUES (1, :manual_closed, :updated_at, :updated_by)
                 ON CONFLICT (id) DO UPDATE
                 SET manual_closed = EXCLUDED.manual_closed,
+                    close_at = CASE
+                        WHEN NOT :manual_closed AND submission_control.close_at <= :now
+                        THEN NULL
+                        ELSE submission_control.close_at
+                    END,
                     updated_at = EXCLUDED.updated_at,
                     updated_by = EXCLUDED.updated_by
                 RETURNING manual_closed, close_at, updated_at, updated_by
@@ -107,8 +118,9 @@ def set_manual_closed(
             ),
             {
                 "manual_closed": closed,
-                "updated_at": _utcnow(),
+                "updated_at": now,
                 "updated_by": updated_by,
+                "now": now,
             },
         )
         .mappings()
@@ -176,3 +188,54 @@ def ensure_submissions_open(db: Session) -> None:
             status_code=status.HTTP_403_FORBIDDEN,
             detail="Submissions are closed (deadline passed)",
         )
+
+
+def get_cooldown_remaining(
+    db: Session,
+    *,
+    user_id: str,
+    submission_type: str,
+    cooldown_seconds: int,
+) -> int | None:
+    """Return remaining cooldown seconds, or None if no cooldown is active."""
+    if cooldown_seconds <= 0:
+        return None
+    row = db.execute(
+        text(
+            """
+            SELECT MAX(created_at)
+            FROM submissions
+            WHERE user_id = :user_id
+              AND submission_type = :submission_type
+              AND deleted_at IS NULL
+            """
+        ),
+        {"user_id": user_id, "submission_type": submission_type},
+    ).fetchone()
+    if row is None or row[0] is None:
+        return None
+    last_submitted = _as_utc(row[0])
+    elapsed = (_utcnow() - last_submitted).total_seconds()
+    remaining = cooldown_seconds - elapsed
+    return math.ceil(remaining) if remaining > 0 else None
+
+
+def check_cooldown(
+    db: Session,
+    *,
+    user_id: str,
+    submission_type: str,
+    cooldown_seconds: int,
+) -> None:
+    """Raise HTTP 429 if the user submitted within the cooldown window."""
+    remaining = get_cooldown_remaining(
+        db,
+        user_id=user_id,
+        submission_type=submission_type,
+        cooldown_seconds=cooldown_seconds,
+    )
+    if remaining:
+        raise HTTPException(
+            status_code=status.HTTP_429_TOO_MANY_REQUESTS,
+            detail=f"Please wait {remaining} seconds before submitting again.",
+        )
diff --git a/services/api/core/submissions.py b/services/api/core/submissions.py
index 6769b26..7081d46 100644
--- a/services/api/core/submissions.py
+++ b/services/api/core/submissions.py
@@ -45,32 +45,23 @@ def require_submission_of_type(
 
 def validate_docker_image_format(image: str) -> None:
     """
-    Validate Docker image URL/name format.
+    Validate Docker image reference format.
 
     Accepts formats like:
+    - nginx
     - nginx:latest
-    - user/repo:tag
-    - hub.docker.com/r/user/image
-    - registry.io/project/image:tag
+    - user/image:tag
+    - registry.io/user/image:tag
 
     Raises:
         HTTPException(400): If format is invalid
     """
     image = image.strip()
-    if not image:
+    pattern = r"^[a-zA-Z0-9][a-zA-Z0-9._\-/]*(:[a-zA-Z0-9._\-]+)?$"
+    if not re.match(pattern, image):
         raise HTTPException(
-            status_code=400, detail="Docker image cannot be empty")
-
-    # Basic validation - detailed validation happens in worker
-    # Just check for obviously bad patterns
-    if " " in image:
-        raise HTTPException(
-            status_code=400, detail="Docker image name cannot contain spaces"
-        )
-
-    if image.startswith("-") or image.endswith("-"):
-        raise HTTPException(
-            status_code=400, detail="Docker image name cannot start or end with dash"
+            status_code=400,
+            detail="Invalid Docker image format. Expected: image, image:tag, user/image:tag, or registry/path:tag",
         )
 
 
@@ -83,11 +74,11 @@ def validate_github_url_format(url: str) -> None:
     Raises:
         HTTPException(400): If format is invalid
     """
-    pattern = r"^https://github\.com/[\w-]+/[\w-]+(\.git)?$"
+    pattern = r"^https://github\.com/[\w-]+/[\w-]+(/tree/(?!.*\.\.)([\w.\-/]+))?(\.git)?$"
     if not re.match(pattern, url.strip()):
         raise HTTPException(
             status_code=400,
-            detail="Invalid GitHub URL format. Must be https://github.com/username/repository",
+            detail="Invalid GitHub URL format. Expected: https://github.com/username/repository or https://github.com/username/repository/tree/branch",
         )
 
 
diff --git a/services/api/main.py b/services/api/main.py
index 93ce861..b5a0583 100644
--- a/services/api/main.py
+++ b/services/api/main.py
@@ -68,8 +68,7 @@ def create_app() -> FastAPI:
     app.include_router(queue_router)
     app.include_router(submissions_router, prefix="/api")
     app.include_router(leaderboard_router)
-    app.include_router(admin_router) # this needs to be fixed but I think this will fix our problems for now
-    app.include_router(admin_router, prefix="/api")
+    app.include_router(admin_router)
     return app
 
 
diff --git a/services/api/routers/admin.py b/services/api/routers/admin.py
index 5074fec..0d802e9 100644
--- a/services/api/routers/admin.py
+++ b/services/api/routers/admin.py
@@ -1,5 +1,6 @@
 from __future__ import annotations
 
+import csv
 import io
 import json
 import logging
@@ -8,6 +9,7 @@
 from uuid import UUID, uuid4
 
 from fastapi import APIRouter, Depends, HTTPException, Query, Request, UploadFile, status
+from fastapi.responses import StreamingResponse
 from sqlalchemy import text
 from sqlalchemy.orm import Session
 
@@ -53,6 +55,9 @@
     AdminEvaluationPairRecord,
     AdminSubmissionEvaluationsResponse,
     AdminActivateSubmissionResponse,
+    JobDetailResponse,
+    JobDetailSubmission,
+    JobDetailEvalRun,
 )
 
 router = APIRouter(
@@ -461,6 +466,191 @@ def get_recent_jobs(
     return AdminJobLogsResponse(count=len(items), items=items)
 
 
+@router.get("/logs/jobs/{job_id}/detail", response_model=JobDetailResponse)
+def get_job_detail(
+    job_id: str,
+    _: AuthenticatedUser = Depends(require_admin_user),
+    db: Session = Depends(get_db),
+) -> JobDetailResponse:
+    """Return extended detail for a single job record."""
+    row = (
+        db.execute(
+            text(
+                """
+                SELECT id, job_type, status, requested_by_user_id, payload, created_at, updated_at
+                FROM jobs
+                WHERE id = :id
+                """
+            ),
+            {"id": job_id},
+        )
+        .mappings()
+        .fetchone()
+    )
+    if row is None:
+        raise HTTPException(status_code=404, detail="Job not found")
+
+    job = AdminJobLogRecord(**row)
+    payload = row["payload"] or {}
+    submission: JobDetailSubmission | None = None
+    eval_runs: list[JobDetailEvalRun] = []
+
+    if job.job_type == "D":
+        sub_id = payload.get("defense_submission_id")
+        if sub_id:
+            sub_row = (
+                db.execute(
+                    text(
+                        """
+                        SELECT s.id, s.version, s.display_name, s.status,
+                               d.source_type
+                        FROM submissions s
+                        LEFT JOIN defense_submission_details d ON d.submission_id = s.id
+                        WHERE s.id = :id
+                        """
+                    ),
+                    {"id": sub_id},
+                )
+                .mappings()
+                .fetchone()
+            )
+            heurval_done: int | None = None
+            heurval_total: int | None = None
+            hv_row = (
+                db.execute(
+                    text(
+                        """
+                        SELECT hr.sample_set_id,
+                               COUNT(hfr.id) AS done,
+                               (SELECT COUNT(*) FROM heurval_samples hs
+                                WHERE hs.sample_set_id = hr.sample_set_id) AS total
+                        FROM heurval_results hr
+                        LEFT JOIN heurval_file_results hfr ON hfr.heurval_result_id = hr.id
+                        WHERE hr.defense_submission_id = :sub_id
+                        GROUP BY hr.sample_set_id
+                        LIMIT 1
+                        """
+                    ),
+                    {"sub_id": sub_id},
+                )
+                .mappings()
+                .fetchone()
+            )
+            if hv_row:
+                heurval_done = int(hv_row["done"])
+                heurval_total = int(hv_row["total"])
+            if sub_row:
+                submission = JobDetailSubmission(
+                    submission_id=str(sub_row["id"]),
+                    version=sub_row["version"],
+                    display_name=sub_row["display_name"],
+                    status=sub_row["status"],
+                    source_type=sub_row["source_type"],
+                    heurval_done=heurval_done,
+                    heurval_total=heurval_total,
+                )
+            run_rows = (
+                db.execute(
+                    text(
+                        """
+                        SELECT er.id,
+                               er.attack_submission_id,
+                               er.status,
+                               er.duration_ms,
+                               COUNT(efr.id) AS files_done,
+                               (SELECT COUNT(*) FROM attack_files af
+                                WHERE af.attack_submission_id = er.attack_submission_id) AS files_total
+                        FROM evaluation_runs er
+                        LEFT JOIN evaluation_file_results efr ON efr.evaluation_run_id = er.id
+                        WHERE er.defense_submission_id = :id
+                        GROUP BY er.id, er.attack_submission_id, er.status, er.duration_ms
+                        ORDER BY er.created_at DESC
+                        LIMIT 10
+                        """
+                    ),
+                    {"id": sub_id},
+                )
+                .mappings()
+                .fetchall()
+            )
+            eval_runs = [
+                JobDetailEvalRun(
+                    id=str(r["id"]),
+                    counterpart_id=str(r["attack_submission_id"]),
+                    status=r["status"],
+                    duration_ms=r["duration_ms"],
+                    files_done=int(r["files_done"]),
+                    files_total=int(r["files_total"]),
+                )
+                for r in run_rows
+            ]
+
+    elif job.job_type == "A":
+        sub_id = payload.get("attack_submission_id")
+        if sub_id:
+            sub_row = (
+                db.execute(
+                    text(
+                        """
+                        SELECT s.id, s.version, s.display_name, s.status,
+                               a.file_count
+                        FROM submissions s
+                        LEFT JOIN attack_submission_details a ON a.submission_id = s.id
+                        WHERE s.id = :id
+                        """
+                    ),
+                    {"id": sub_id},
+                )
+                .mappings()
+                .fetchone()
+            )
+            if sub_row:
+                submission = JobDetailSubmission(
+                    submission_id=str(sub_row["id"]),
+                    version=sub_row["version"],
+                    display_name=sub_row["display_name"],
+                    status=sub_row["status"],
+                    file_count=sub_row["file_count"],
+                )
+            run_rows = (
+                db.execute(
+                    text(
+                        """
+                        SELECT er.id,
+                               er.defense_submission_id,
+                               er.status,
+                               er.duration_ms,
+                               COUNT(efr.id) AS files_done,
+                               (SELECT COUNT(*) FROM attack_files af
+                                WHERE af.attack_submission_id = er.attack_submission_id) AS files_total
+                        FROM evaluation_runs er
+                        LEFT JOIN evaluation_file_results efr ON efr.evaluation_run_id = er.id
+                        WHERE er.attack_submission_id = :id
+                        GROUP BY er.id, er.defense_submission_id, er.status, er.duration_ms
+                        ORDER BY er.created_at DESC
+                        LIMIT 10
+                        """
+                    ),
+                    {"id": sub_id},
+                )
+                .mappings()
+                .fetchall()
+            )
+            eval_runs = [
+                JobDetailEvalRun(
+                    id=str(r["id"]),
+                    counterpart_id=str(r["defense_submission_id"]),
+                    status=r["status"],
+                    duration_ms=r["duration_ms"],
+                    files_done=int(r["files_done"]),
+                    files_total=int(r["files_total"]),
+                )
+                for r in run_rows
+            ]
+
+    return JobDetailResponse(job=job, submission=submission, evaluation_runs=eval_runs)
+
+
 @router.get("/logs/evaluations", response_model=AdminEvaluationLogsResponse)
 def get_recent_evaluations(
     _: AuthenticatedUser = Depends(require_admin_user),
@@ -1521,7 +1711,7 @@ def activate_submission(
 
         sub_row = db.execute(
             text("""
-                SELECT id, user_id, submission_type
+                SELECT id, user_id, submission_type, status
                 FROM submissions
                 WHERE id = CAST(:sid AS uuid) AND deleted_at IS NULL
             """),
@@ -1530,6 +1720,13 @@ def activate_submission(
         if sub_row is None:
             raise HTTPException(status_code=404, detail="Submission not found")
 
+        status: str = sub_row["status"]
+        if status not in ("validated", "evaluated"):
+             raise HTTPException(
+                status_code=409,
+                detail="Submission must be validated or evaluated before it can be set as active",
+            )
+
         user_id: str = str(sub_row["user_id"])
         submission_type: str = sub_row["submission_type"]
 
@@ -1560,6 +1757,27 @@ def activate_submission(
         )
         db.commit()
 
+        # Setting to active mimics an initial submission
+        from routers.queue import _insert_job, _publish_task
+        from schemas.jobs import JobType
+
+        if submission_type == "defense":
+            j_type = JobType.DEFENSE
+            payload = {"defense_submission_id": submission_id}
+        else:
+            j_type = JobType.ATTACK
+            payload = {"attack_submission_id": submission_id}
+
+        job_id = _insert_job(
+            db=db,
+            job_type=j_type.value,
+            payload=payload,
+            requested_by_user_id=current_user.user_id,
+        )
+        _publish_task(job_type=j_type, job_id=job_id, payload=payload)
+
+        logger.info(f"Enqueued {submission_type} job {job_id} after admin set active")
+
         client_ip, user_agent = _request_meta(request)
         log_audit_event(
             event_type=event_type,
@@ -1599,3 +1817,235 @@ def activate_submission(
             message=str(exc),
         )
         raise
+
+
+# ---------------------------------------------------------------------------
+# CSV exports
+# ---------------------------------------------------------------------------
+
+def _csv_response(rows: list[list], filename: str) -> StreamingResponse:
+    """Build a StreamingResponse from a 2-D list of CSV rows."""
+    buf = io.StringIO()
+    writer = csv.writer(buf)
+    writer.writerows(rows)
+    buf.seek(0)
+    return StreamingResponse(
+        iter([buf.getvalue()]),
+        media_type="text/csv",
+        headers={"Content-Disposition": f'attachment; filename="{filename}"'},
+    )
+
+
+def _submission_label(username: str, display_name: str | None, version: str) -> str:
+    return f"{username} / {display_name or version}"
+
+
+@router.get("/export/scores/all")
+def export_all_evaluation_scores(
+    _: AuthenticatedUser = Depends(require_admin_user),
+    db: Session = Depends(get_db),
+) -> StreamingResponse:
+    """Download confusion-matrix CSV (TP, FP, FN, TN) for all active submission pairs."""
+    axis_rows = db.execute(
+        text("""
+            SELECT u.username, s.display_name, s.version, s.id::text, a.submission_type
+            FROM active_submissions a
+            JOIN submissions s ON s.id = a.submission_id
+            JOIN users u       ON u.id = a.user_id
+            WHERE u.disabled_at IS NULL AND s.deleted_at IS NULL
+            ORDER BY a.submission_type, u.username
+        """)
+    ).fetchall()
+
+    attackers = [r for r in axis_rows if r[4] == "attack"]
+    defenders = [r for r in axis_rows if r[4] == "defense"]
+
+    if not attackers or not defenders:
+        return _csv_response(
+            [["No active submission pairs available."]],
+            "evaluation_scores_all.csv",
+        )
+
+    attack_ids  = [r[3] for r in attackers]
+    defense_ids = [r[3] for r in defenders]
+
+    file_rows = db.execute(
+        text("""
+            SELECT eps.defense_submission_id::text,
+                   eps.attack_submission_id::text,
+                   af.is_malware,
+                   efr.model_output
+            FROM evaluation_pair_scores eps
+            JOIN evaluation_runs er          ON er.id  = eps.latest_evaluation_run_id
+            JOIN evaluation_file_results efr ON efr.evaluation_run_id = er.id
+            JOIN attack_files af             ON af.id  = efr.attack_file_id
+            WHERE eps.defense_submission_id::text = ANY(:def_ids)
+              AND eps.attack_submission_id::text   = ANY(:atk_ids)
+              AND eps.latest_evaluation_run_id IS NOT NULL
+              AND efr.model_output IS NOT NULL
+              AND af.is_malware    IS NOT NULL
+        """),
+        {"def_ids": defense_ids, "atk_ids": attack_ids},
+    ).fetchall()
+
+    confusion: dict[tuple[str, str], dict[str, int]] = {}
+    for fr in file_rows:
+        key = (fr[0], fr[1])
+        if key not in confusion:
+            confusion[key] = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
+        if   fr[3] == 1 and     fr[2]: confusion[key]["tp"] += 1
+        elif fr[3] == 1 and not fr[2]: confusion[key]["fp"] += 1
+        elif fr[3] == 0 and     fr[2]: confusion[key]["fn"] += 1
+        elif fr[3] == 0 and not fr[2]: confusion[key]["tn"] += 1
+
+    header = ["Defense \\ Attack"] + [_submission_label(r[0], r[1], r[2]) for r in attackers]
+    data_rows: list[list] = [header]
+    for d in defenders:
+        did = d[3]
+        cells = []
+        for a in attackers:
+            c = confusion.get((did, a[3]))
+            cells.append(f"({c['tp']},{c['fp']},{c['fn']},{c['tn']})" if c else "")
+        data_rows.append([_submission_label(d[0], d[1], d[2])] + cells)
+
+    return _csv_response(data_rows, "evaluation_scores_all.csv")
+
+
+@router.get("/export/scores/individual")
+def export_individual_evaluation_scores(
+    defense_submission_id: UUID = Query(...),
+    attack_submission_id: UUID = Query(...),
+    _: AuthenticatedUser = Depends(require_admin_user),
+    db: Session = Depends(get_db),
+) -> StreamingResponse:
+    """Download per-file model output for a single defense/attack pair."""
+    rows = db.execute(
+        text("""
+            SELECT af.filename, efr.model_output, af.is_malware
+            FROM evaluation_pair_scores eps
+            JOIN evaluation_runs er          ON er.id  = eps.latest_evaluation_run_id
+            JOIN evaluation_file_results efr ON efr.evaluation_run_id = er.id
+            JOIN attack_files af             ON af.id  = efr.attack_file_id
+            WHERE eps.defense_submission_id = :def_id
+              AND eps.attack_submission_id  = :atk_id
+              AND eps.latest_evaluation_run_id IS NOT NULL
+            ORDER BY af.filename
+        """),
+        {"def_id": str(defense_submission_id), "atk_id": str(attack_submission_id)},
+    ).fetchall()
+
+    if not rows:
+        return _csv_response(
+            [["No evaluation data found for this pair."]],
+            "evaluation_scores_individual.csv",
+        )
+
+    filenames = [r[0] or "unknown" for r in rows]
+    outputs   = [str(r[1]) if r[1] is not None else "" for r in rows]
+    ground    = [str(r[2]) if r[2] is not None else "" for r in rows]
+
+    return _csv_response(
+        [
+            [""] + filenames,
+            ["Model Output"] + outputs,
+            ["Is Malware (ground truth)"] + ground,
+        ],
+        "evaluation_scores_individual.csv",
+    )
+
+
+@router.get("/export/validation-scores")
+def export_validation_scores(
+    _: AuthenticatedUser = Depends(require_admin_user),
+    db: Session = Depends(get_db),
+) -> StreamingResponse:
+    """Download heuristic-validation result grid: defenses vs validation samples."""
+    rows = db.execute(
+        text("""
+            SELECT u.username, s.display_name, s.version, s.id::text,
+                   hs.filename, hfr.model_output
+            FROM heurval_results hr
+            JOIN submissions s            ON s.id  = hr.defense_submission_id
+            JOIN users u                  ON u.id  = s.user_id
+            JOIN heurval_file_results hfr ON hfr.heurval_result_id = hr.id
+            JOIN heurval_samples hs       ON hs.id = hfr.sample_id
+            WHERE s.deleted_at IS NULL
+            ORDER BY s.created_at, hs.filename
+        """)
+    ).fetchall()
+
+    if not rows:
+        return _csv_response([["No validation scores available."]], "validation_scores.csv")
+
+    sub_order: list[str] = []
+    sub_labels: dict[str, str] = {}
+    cells: dict[str, dict[str, int | None]] = {}
+    all_files: set[str] = set()
+
+    for r in rows:
+        sid = r[3]
+        if sid not in sub_labels:
+            sub_order.append(sid)
+            sub_labels[sid] = _submission_label(r[0], r[1], r[2])
+            cells[sid] = {}
+        cells[sid][r[4]] = r[5]
+        all_files.add(r[4])
+
+    sorted_files = sorted(all_files)
+    data_rows: list[list] = [["Defense"] + sorted_files]
+    for sid in sub_order:
+        row_cells = [str(cells[sid].get(f, "")) for f in sorted_files]
+        data_rows.append([sub_labels[sid]] + row_cells)
+
+    return _csv_response(data_rows, "validation_scores.csv")
+
+
+@router.get("/export/behavioral-analysis")
+def export_behavioral_analysis(
+    _: AuthenticatedUser = Depends(require_admin_user),
+    db: Session = Depends(get_db),
+) -> StreamingResponse:
+    """Download behavioral analysis status grid: attacks vs template files."""
+    rows = db.execute(
+        text("""
+            SELECT u.username, s.display_name, s.version, s.id::text,
+                   orig.filename AS template_filename,
+                   af.behavior_status
+            FROM submissions s
+            JOIN users u       ON u.id  = s.user_id
+            JOIN attack_files af   ON af.attack_submission_id = s.id
+            JOIN attack_files orig ON orig.id = af.original_file_id
+            WHERE s.submission_type = 'attack'
+              AND s.deleted_at IS NULL
+              AND af.original_file_id IS NOT NULL
+            ORDER BY s.created_at, orig.filename
+        """)
+    ).fetchall()
+
+    if not rows:
+        return _csv_response(
+            [["No behavioral analysis data available."]],
+            "behavioral_analysis.csv",
+        )
+
+    sub_order: list[str] = []
+    sub_labels: dict[str, str] = {}
+    cells: dict[str, dict[str, str]] = {}
+    all_files: set[str] = set()
+
+    for r in rows:
+        sid = r[3]
+        if sid not in sub_labels:
+            sub_order.append(sid)
+            sub_labels[sid] = _submission_label(r[0], r[1], r[2])
+            cells[sid] = {}
+        cells[sid][r[4]] = r[5] or ""
+        all_files.add(r[4])
+
+    sorted_files = sorted(all_files)
+    data_rows: list[list] = [["Attack"] + sorted_files]
+    for sid in sub_order:
+        row_cells = [cells[sid].get(f, "") for f in sorted_files]
+        data_rows.append([sub_labels[sid]] + row_cells)
+
+    return _csv_response(data_rows, "behavioral_analysis.csv")
diff --git a/services/api/routers/submissions.py b/services/api/routers/submissions.py
index 60df912..b1d0378 100644
--- a/services/api/routers/submissions.py
+++ b/services/api/routers/submissions.py
@@ -24,13 +24,15 @@
     validate_github_url_format,
     validate_semver_format,
 )
-from core.submission_control import ensure_submissions_open
+from core.config import get_config
+from core.submission_control import check_cooldown, ensure_submissions_open, get_cooldown_remaining
 from routers.queue import _insert_job, _publish_task
 from schemas.jobs import JobType
 from schemas.submissions import (
     CreateDefenseDockerRequest,
     CreateDefenseGitHubRequest,
     SetActiveResponse,
+    SubmissionDetailResponse,
     SubmissionListItem,
     SubmissionHistoryResponse,
     SubmissionResponse,
@@ -106,6 +108,7 @@ def create_defense_docker(
     """
     # Enforce admin-controlled submission window before accepting new work.
     ensure_submissions_open(db)
+    check_cooldown(db, user_id=str(current_user.user_id), submission_type='defense', cooldown_seconds=get_config().application.defense_submission_cooldown)
     # 1. Validate format
     validate_docker_image_format(req.docker_image)
     validate_semver_format(req.version)
@@ -198,6 +201,7 @@ def create_defense_github(
     """
     # Enforce admin-controlled submission window before accepting new work.
     ensure_submissions_open(db)
+    check_cooldown(db, user_id=str(current_user.user_id), submission_type='defense', cooldown_seconds=get_config().application.defense_submission_cooldown)
     # 1. Validate format
     validate_github_url_format(req.git_repo)
     validate_semver_format(req.version)
@@ -292,6 +296,7 @@ async def create_defense_zip(
     """
     # Enforce admin-controlled submission window before accepting new work.
     ensure_submissions_open(db)
+    check_cooldown(db, user_id=str(current_user.user_id), submission_type='defense', cooldown_seconds=get_config().application.defense_submission_cooldown)
     settings = get_settings()
 
     # 1. Validate file
@@ -448,6 +453,7 @@ async def create_attack_zip(
     """
     # Enforce admin-controlled submission window before accepting new work.
     ensure_submissions_open(db)
+    check_cooldown(db, user_id=str(current_user.user_id), submission_type='attack', cooldown_seconds=get_config().application.attack_submission_cooldown)
     settings = get_settings()
 
     # 1. Validate file
@@ -720,7 +726,98 @@ def set_active_submission(
     except Exception:
         logger.warning("Failed to publish leaderboard update after active submission change")
 
+    # Setting to active mimics an initial submission
+    from routers.queue import _insert_job, _publish_task
+    from schemas.jobs import JobType
+
+    if sub_type == "defense":
+        j_type = JobType.DEFENSE
+        payload = {"defense_submission_id": submission_id}
+    else:
+        j_type = JobType.ATTACK
+        payload = {"attack_submission_id": submission_id}
+
+    job_id = _insert_job(
+        db=db,
+        job_type=j_type.value,
+        payload=payload,
+        requested_by_user_id=current_user.user_id,
+    )
+    _publish_task(job_type=j_type, job_id=job_id, payload=payload)
+
+    logger.info(f"Enqueued {sub_type} job {job_id} after setting active")
+
     return SetActiveResponse(
         submission_id=submission_id,
         submission_type=sub_type,
     )
+
+
+@router.get("/{submission_id}/detail", response_model=SubmissionDetailResponse)
+def get_submission_detail(
+    submission_id: str,
+    current_user: AuthenticatedUser = Depends(get_authenticated_user),
+    db: Session = Depends(get_db),
+) -> SubmissionDetailResponse:
+    """Return source metadata for a submission belonging to the authenticated user."""
+    row = db.execute(
+        text(
+            """
+            SELECT
+                s.id,
+                s.submission_type,
+                s.created_at,
+                d.source_type,
+                d.sha256,
+                d.docker_image,
+                d.git_repo,
+                a.zip_sha256
+            FROM submissions s
+            LEFT JOIN defense_submission_details d ON d.submission_id = s.id
+            LEFT JOIN attack_submission_details a ON a.submission_id = s.id
+            WHERE s.id = :id
+              AND s.user_id = :user_id
+              AND s.deleted_at IS NULL
+            """
+        ),
+        {"id": submission_id, "user_id": str(current_user.user_id)},
+    ).mappings().fetchone()
+
+    if row is None:
+        raise HTTPException(status_code=404, detail="Submission not found")
+
+    return SubmissionDetailResponse(
+        submission_id=str(row["id"]),
+        created_at=row["created_at"].isoformat(),
+        source_type=row["source_type"],
+        sha256=row["sha256"] or row["zip_sha256"],
+        docker_image=row["docker_image"],
+        git_repo=row["git_repo"],
+    )
+
+
+@router.get("/cooldown")
+def get_submission_cooldown(
+    current_user: AuthenticatedUser = Depends(get_authenticated_user),
+    db: Session = Depends(get_db),
+) -> dict:
+    """Return remaining cooldown seconds for each submission type.
+
+    A null value means no cooldown is currently active.
+    """
+    cfg = get_config()
+    user_id = str(current_user.user_id)
+    return {
+        "defense_remaining_seconds": get_cooldown_remaining(
+            db,
+            user_id=user_id,
+            submission_type="defense",
+            cooldown_seconds=cfg.application.defense_submission_cooldown,
+        ),
+        "attack_remaining_seconds": get_cooldown_remaining(
+            db,
+            user_id=user_id,
+            submission_type="attack",
+            cooldown_seconds=cfg.application.attack_submission_cooldown,
+        ),
+    }
diff --git a/services/api/schemas/admin.py b/services/api/schemas/admin.py
index 07d7a5a..ea76a00 100644
--- a/services/api/schemas/admin.py
+++ b/services/api/schemas/admin.py
@@ -38,6 +38,32 @@ class AdminJobLogsResponse(BaseModel):
     items: list[AdminJobLogRecord]
 
 
+class JobDetailSubmission(BaseModel):
+    submission_id: str
+    version: str
+    display_name: str | None
+    status: str
+    source_type: str | None = None
+    file_count: int | None = None
+    heurval_done: int | None = None
+    heurval_total: int | None = None
+
+
+class JobDetailEvalRun(BaseModel):
+    id: str
+    counterpart_id: str
+    status: str | None
+    duration_ms: int | None
+    files_done: int | None = None
+    files_total: int | None = None
+
+
+class JobDetailResponse(BaseModel):
+    job: AdminJobLogRecord
+    submission: JobDetailSubmission | None
+    evaluation_runs: list[JobDetailEvalRun]
+
+
 class AdminEvaluationLogRecord(BaseModel):
     id: UUID
     defense_submission_id: UUID
diff --git a/services/api/schemas/submissions.py b/services/api/schemas/submissions.py
index ea736a2..964cb17 100644
--- a/services/api/schemas/submissions.py
+++ b/services/api/schemas/submissions.py
@@ -11,7 +11,7 @@
 class CreateDefenseDockerRequest(BaseModel):
     """Request schema for Docker Hub defense submission."""
 
-    docker_image: str = Field(..., min_length=1, max_length=500)
+    docker_image: str = Field(..., pattern=r"^[a-zA-Z0-9][a-zA-Z0-9._\-/]*(:[a-zA-Z0-9._\-]+)?$", max_length=500)
     version: str = Field(..., pattern=r"^\d+\.\d+\.\d+$")
     display_name: str | None = Field(None, max_length=200)
 
@@ -25,17 +25,20 @@ def validate_docker_format(cls, v: str) -> str:
 class CreateDefenseGitHubRequest(BaseModel):
     """Request schema for GitHub repository defense submission."""
 
-    git_repo: str = Field(..., pattern=r"^https://github\.com/[\w-]+/[\w-]+")
+    git_repo: str = Field(..., max_length=500)
     version: str = Field(..., pattern=r"^\d+\.\d+\.\d+$")
     display_name: str | None = Field(None, max_length=200)
 
     @field_validator("git_repo")
     @classmethod
     def validate_github_url(cls, v: str) -> str:
-        """Strip whitespace and .git suffix from GitHub URL."""
+        """Strip whitespace, remove .git suffix, and enforce GitHub URL format."""
+        import re
         v = v.strip()
         if v.endswith(".git"):
             v = v[:-4]
+        if not re.match(r"^https://github\.com/[\w-]+/[\w-]+(/tree/(?!.*\.\.)([\w.\-/]+))?$", v):
+            raise ValueError("Provided path is incorrectly formatted")
         return v
 
 
@@ -113,3 +116,14 @@ class SubmissionHistoryResponse(BaseModel):
     total: int
     limit: int
     offset: int
+
+
+class SubmissionDetailResponse(BaseModel):
+    """Source metadata for a single submission, fetched on demand."""
+
+    submission_id: str
+    created_at: str
+    source_type: str | None
+    sha256: str | None
+    docker_image: str | None
+    git_repo: str | None
diff --git a/services/api/tests/conftest.py b/services/api/tests/conftest.py
index eba47fb..2137f05 100644
--- a/services/api/tests/conftest.py
+++ b/services/api/tests/conftest.py
@@ -5,11 +5,17 @@
 from sqlalchemy.orm import sessionmaker
 from fastapi.testclient import TestClient
 
+import os
+os.environ["CELERY_BROKER_URL"] = "memory://"
+os.environ["CELERY_DEFAULT_QUEUE"] = "mlsec"
+
 from main import app
 from core.database import Base, get_db
+from core.celery_app import get_celery
+from unittest.mock import MagicMock
 
 
-TEST_DB_URL = "postgresql://postgres:password123@localhost:5433/mlsec_test"
+TEST_DB_URL = os.getenv("DATABASE_URL", "postgresql://mlsec2:mlsec2_pw@localhost:5433/mlsec_test")
 
 engine = create_engine(TEST_DB_URL)
 TestingSessionLocal = sessionmaker(bind=engine)
@@ -94,6 +100,14 @@ def override_get_db():
         app.dependency_overrides.pop(get_db, None)
 
 
+@pytest.fixture(autouse=True)
+def mock_celery(monkeypatch):
+    """Mock Celery to prevent physical broker connections during tests."""
+    mock_app = MagicMock()
+    monkeypatch.setattr("core.celery_app.get_celery", lambda: mock_app)
+    return mock_app
+
+
 @pytest.fixture()
 def fake_redis():
     """Provide fake Redis client for testing without external dependency."""
diff --git a/services/api/tests/test_audit.py b/services/api/tests/test_audit.py
new file mode 100644
index 0000000..7482626
--- /dev/null
+++ b/services/api/tests/test_audit.py
@@ -0,0 +1,119 @@
+"""Tests for core/audit.py."""
+
+from __future__ import annotations
+
+from unittest.mock import MagicMock, call
+from uuid import UUID, uuid4
+
+import pytest
+
+import core.audit as audit_module
+from core.audit import log_audit_event
+
+
+def _make_engine_mock():
+    mock_conn = MagicMock()
+    mock_ctx = MagicMock()
+    mock_ctx.__enter__ = MagicMock(return_value=mock_conn)
+    mock_ctx.__exit__ = MagicMock(return_value=False)
+    mock_engine = MagicMock()
+    mock_engine.begin.return_value = mock_ctx
+    return mock_engine, mock_conn
+
+
+def test_log_audit_event_minimal(monkeypatch):
+    mock_engine, mock_conn = _make_engine_mock()
+    monkeypatch.setattr(audit_module, "get_engine", lambda: mock_engine)
+
+    log_audit_event(event_type="test.event")
+
+    mock_conn.execute.assert_called_once()
+
+
+def test_log_audit_event_all_fields(monkeypatch):
+    mock_engine, mock_conn = _make_engine_mock()
+    monkeypatch.setattr(audit_module, "get_engine", lambda: mock_engine)
+
+    user_id = uuid4()
+    log_audit_event(
+        event_type="auth.login",
+        user_id=user_id,
+        email="user@example.com",
+        ip_address="127.0.0.1",
+        user_agent="TestAgent/1.0",
+        success=True,
+        message="Login successful",
+        metadata={"key": "value", "count": 42},
+    )
+
+    mock_conn.execute.assert_called_once()
+    _, params = mock_conn.execute.call_args[0]
+    assert params["event_type"] == "auth.login"
+    assert params["user_id"] == str(user_id)
+    assert params["email"] == "user@example.com"
+    assert params["ip_address"] == "127.0.0.1"
+    assert params["user_agent"] == "TestAgent/1.0"
+    assert params["success"] is True
+    assert params["message"] == "Login successful"
+    assert '"key": "value"' in params["metadata"]
+    assert '"count": 42' in params["metadata"]
+
+
+def test_log_audit_event_none_user_id(monkeypatch):
+    mock_engine, mock_conn = _make_engine_mock()
+    monkeypatch.setattr(audit_module, "get_engine", lambda: mock_engine)
+
+    log_audit_event(event_type="anon.event", user_id=None)
+
+    _, params = mock_conn.execute.call_args[0]
+    assert params["user_id"] is None
+
+
+def test_log_audit_event_none_metadata_serializes_as_none(monkeypatch):
+    mock_engine, mock_conn = _make_engine_mock()
+    monkeypatch.setattr(audit_module, "get_engine", lambda: mock_engine)
+
+    log_audit_event(event_type="test.event", metadata=None)
+
+    _, params = mock_conn.execute.call_args[0]
+    assert params["metadata"] is None
+
+
+def test_log_audit_event_swallows_engine_exception(monkeypatch):
+    def _bad_engine():
+        raise RuntimeError("DB is down")
+
+    monkeypatch.setattr(audit_module, "get_engine", _bad_engine)
+
+    result = log_audit_event(event_type="test.event", message="should not crash")
+
+    assert result is None
+
+
+def test_log_audit_event_swallows_execute_exception(monkeypatch):
+    mock_conn = MagicMock()
+    mock_conn.execute.side_effect = Exception("execute failed")
+    mock_ctx = MagicMock()
+    mock_ctx.__enter__ = MagicMock(return_value=mock_conn)
+    mock_ctx.__exit__ = MagicMock(return_value=False)
+    mock_engine = MagicMock()
+    mock_engine.begin.return_value = mock_ctx
+    monkeypatch.setattr(audit_module, "get_engine", lambda: mock_engine)
+
+    result = log_audit_event(event_type="test.event")
+
+    assert result is None
+
+
+def test_log_audit_event_metadata_dict_is_json_serialized(monkeypatch):
+    mock_engine, mock_conn = _make_engine_mock()
+    monkeypatch.setattr(audit_module, "get_engine", lambda: mock_engine)
+
+    metadata = {"action": "disable", "target_user": "abc-123"}
+    log_audit_event(event_type="admin.user_disabled", metadata=metadata)
+
+    _, params = mock_conn.execute.call_args[0]
+    import json
+    parsed = json.loads(params["metadata"])
+    assert parsed["action"] == "disable"
+    assert parsed["target_user"] == "abc-123"
diff --git a/services/api/tests/test_config.py b/services/api/tests/test_config.py
new file mode 100644
index 0000000..237e3fb
--- /dev/null
+++ b/services/api/tests/test_config.py
@@ -0,0 +1,159 @@
+"""Tests for core/config.py."""
+
+from __future__ import annotations
+
+import pytest
+
+import core.config as config_module
+from core.config import AppConfig, get_config
+
+
+@pytest.fixture(autouse=True)
+def clear_cache():
+    config_module.get_config.cache_clear()
+    yield
+    config_module.get_config.cache_clear()
+
+
+def test_get_config_no_file_returns_defaults(monkeypatch, tmp_path):
+    missing = tmp_path / "nonexistent.yaml"
+    monkeypatch.setattr(config_module, "Path", lambda p: missing)
+
+    config = get_config()
+
+    assert config.minio.endpoint == "minio:9000"
+    assert config.minio.access_key == "mlsec2"
+    assert config.minio.secret_key == "mlsec2_pw"
+    assert config.minio.bucket_name == "mlsec-submissions"
+    assert config.minio.secure is False
+    assert config.application.join_code is None
+    assert config.application.defense_submission_cooldown == 0
+    assert config.application.attack_submission_cooldown == 0
+
+
+def test_get_config_valid_yaml(monkeypatch, tmp_path):
+    config_file = tmp_path / "config.yaml"
+    config_file.write_text(
+        "worker:\n"
+        "  minio:\n"
+        "    endpoint: custom-minio:9001\n"
+        "    access_key: mykey\n"
+        "    secret_key: mysecret\n"
+        "    bucket_name: my-bucket\n"
+        "    secure: true\n"
+        "application:\n"
+        "  join_code: secret123\n"
+        "  defense_submission_cooldown: 300\n"
+        "  attack_submission_cooldown: 600\n"
+    )
+    monkeypatch.setattr(config_module, "Path", lambda p: config_file)
+
+    config = get_config()
+
+    assert config.minio.endpoint == "custom-minio:9001"
+    assert config.minio.access_key == "mykey"
+    assert config.minio.secret_key == "mysecret"
+    assert config.minio.bucket_name == "my-bucket"
+    assert config.minio.secure is True
+    assert config.application.join_code == "secret123"
+    assert config.application.defense_submission_cooldown == 300
+    assert config.application.attack_submission_cooldown == 600
+
+
+def test_get_config_login_code_fallback(monkeypatch, tmp_path):
+    config_file = tmp_path / "config.yaml"
+    config_file.write_text(
+        "worker:\n"
+        "  minio: {}\n"
+        "application:\n"
+        "  login_code: fallback_code\n"
+    )
+    monkeypatch.setattr(config_module, "Path", lambda p: config_file)
+
+    config = get_config()
+
+    assert config.application.join_code == "fallback_code"
+
+
+def test_get_config_join_code_takes_precedence_over_login_code(monkeypatch, tmp_path):
+    config_file = tmp_path / "config.yaml"
+    config_file.write_text(
+        "worker:\n"
+        "  minio: {}\n"
+        "application:\n"
+        "  join_code: primary\n"
+        "  login_code: fallback\n"
+    )
+    monkeypatch.setattr(config_module, "Path", lambda p: config_file)
+
+    config = get_config()
+
+    assert config.application.join_code == "primary"
+
+
+def test_get_config_malformed_yaml_returns_defaults(monkeypatch, tmp_path):
+    config_file = tmp_path / "config.yaml"
+    config_file.write_text("[invalid yaml {{{")
+    monkeypatch.setattr(config_module, "Path", lambda p: config_file)
+
+    config = get_config()
+
+    assert isinstance(config, AppConfig)
+    assert config.minio.endpoint == "minio:9000"
+    assert config.application.defense_submission_cooldown == 0
+
+
+def test_get_config_empty_yaml_returns_defaults(monkeypatch, tmp_path):
+    config_file = tmp_path / "config.yaml"
+    config_file.write_text("")
+    monkeypatch.setattr(config_module, "Path", lambda p: config_file)
+
+    config = get_config()
+
+    assert isinstance(config, AppConfig)
+    assert config.minio.endpoint == "minio:9000"
+    assert config.application.join_code is None
+
+
+def test_get_config_partial_application_section(monkeypatch, tmp_path):
+    config_file = tmp_path / "config.yaml"
+    config_file.write_text(
+        "worker:\n"
+        "  minio:\n"
+        "    endpoint: minio:9000\n"
+        "application:\n"
+        "  defense_submission_cooldown: 120\n"
+    )
+    monkeypatch.setattr(config_module, "Path", lambda p: config_file)
+
+    config = get_config()
+
+    assert config.application.defense_submission_cooldown == 120
+    assert config.application.attack_submission_cooldown == 0
+    assert config.application.join_code is None
+
+
+def test_get_config_no_application_section(monkeypatch, tmp_path):
+    config_file = tmp_path / "config.yaml"
+    config_file.write_text(
+        "worker:\n"
+        "  minio:\n"
+        "    endpoint: custom:9000\n"
+    )
+    monkeypatch.setattr(config_module, "Path", lambda p: config_file)
+
+    config = get_config()
+
+    assert config.application.join_code is None
+    assert config.application.defense_submission_cooldown == 0
+
+
+def test_get_config_is_cached(monkeypatch, tmp_path):
+    config_file = tmp_path / "config.yaml"
+    config_file.write_text("")
+    monkeypatch.setattr(config_module, "Path", lambda p: config_file)
+
+    first = get_config()
+    second = get_config()
+
+    assert first is second
diff --git a/services/api/tests/test_core_admin.py b/services/api/tests/test_core_admin.py
new file mode 100644
index 0000000..ecec69a
--- /dev/null
+++ b/services/api/tests/test_core_admin.py
@@ -0,0 +1,390 @@
+"""Tests for core/admin.py."""
+
+from __future__ import annotations
+
+import hashlib
+import secrets
+from datetime import datetime, timedelta, timezone
+from types import SimpleNamespace
+from uuid import uuid4
+
+import pytest
+from fastapi import HTTPException
+from sqlalchemy import text
+
+from core.admin import (
+    _hosts_match,
+    _is_from_trusted_proxy,
+    _is_in_allowed_hosts,
+    _is_in_allowed_networks,
+    _is_loopback_host,
+    consume_admin_action_token,
+    issue_admin_action_token,
+    require_admin_origin,
+    require_localhost_request,
+    require_admin_action_token,
+)
+
+
+# ---------------------------------------------------------------------------
+# Helpers
+# ---------------------------------------------------------------------------
+
+
+class _FakeSettings:
+    admin_localhost_only = True
+    admin_trusted_proxy_hosts = []
+    admin_forwarded_for_header = "x-forwarded-for"
+    admin_allowed_hosts = []
+    admin_allowed_networks = []
+    admin_action_token_ttl_minutes = 5
+
+
+def _make_request(host="127.0.0.1", headers=None, client=True):
+    if client:
+        client_obj = SimpleNamespace(host=host)
+    else:
+        client_obj = None
+    return SimpleNamespace(client=client_obj, headers=headers or {})
+
+
+def _create_user_and_session(db_session):
+    uid = uuid4().hex[:8]
+    user_row = db_session.execute(
+        text(
+            "INSERT INTO users (username, email, is_admin) "
+            "VALUES (:username, :email, true) RETURNING id"
+        ),
+        {"username": f"admin_{uid}", "email": f"admin_{uid}@test.com"},
+    ).fetchone()
+    user_id = str(user_row[0])
+
+    token = f"test-session-{uuid4()}"
+    token_hash = hashlib.sha256(token.encode()).hexdigest()
+    now = datetime.now(timezone.utc)
+    session_row = db_session.execute(
+        text(
+            "INSERT INTO user_sessions (user_id, token_hash, expires_at, last_seen_at) "
+            "VALUES (:user_id, :token_hash, :expires_at, :last_seen_at) RETURNING id"
+        ),
+        {
+            "user_id": user_id,
+            "token_hash": token_hash,
+            "expires_at": now + timedelta(hours=2),
+            "last_seen_at": now,
+        },
+    ).fetchone()
+    session_id = str(session_row[0])
+    db_session.flush()
+    return user_id, session_id
+
+
+# ---------------------------------------------------------------------------
+# _is_loopback_host
+# ---------------------------------------------------------------------------
+
+
+class TestIsLoopbackHost:
+    def test_localhost_string(self):
+        assert _is_loopback_host("localhost") is True
+
+    def test_ipv4_loopback(self):
+        assert _is_loopback_host("127.0.0.1") is True
+
+    def test_ipv4_loopback_alt(self):
+        assert _is_loopback_host("127.0.0.2") is True
+
+    def test_ipv6_loopback(self):
+        assert _is_loopback_host("::1") is True
+
+    def test_private_ip_is_not_loopback(self):
+        assert _is_loopback_host("192.168.1.1") is False
+
+    def test_public_ip_is_not_loopback(self):
+        assert _is_loopback_host("8.8.8.8") is False
+
+    def test_none_returns_false(self):
+        assert _is_loopback_host(None) is False
+
+    def test_invalid_string_returns_false(self):
+        assert _is_loopback_host("not-an-ip") is False
+
+    def test_ipv4_mapped_loopback(self):
+        assert _is_loopback_host("::ffff:127.0.0.1") is True
+
+
+# ---------------------------------------------------------------------------
+# _hosts_match
+# ---------------------------------------------------------------------------
+
+
+class TestHostsMatch:
+    def test_identical_strings(self):
+        assert _hosts_match("localhost", "localhost") is True
+
+    def test_case_insensitive(self):
+        assert _hosts_match("LOCALHOST", "localhost") is True
+
+    def test_same_ip_different_format(self):
+        assert _hosts_match("127.0.0.1", "127.0.0.1") is True
+
+    def test_different_hosts(self):
+        assert _hosts_match("192.168.1.1", "192.168.1.2") is False
+
+    def test_hostname_vs_ip(self):
+        assert _hosts_match("example.com", "127.0.0.1") is False
+
+
+# ---------------------------------------------------------------------------
+# _is_from_trusted_proxy
+# ---------------------------------------------------------------------------
+
+
+class TestIsFromTrustedProxy:
+    def test_exact_match(self):
+        assert _is_from_trusted_proxy("10.0.0.1", ["10.0.0.1"]) is True
+
+    def test_cidr_match(self):
+        assert _is_from_trusted_proxy("10.0.0.5", ["10.0.0.0/24"]) is True
+
+    def test_no_match(self):
+        assert _is_from_trusted_proxy("172.16.0.1", ["10.0.0.0/8"]) is False
+
+    def test_none_host_returns_false(self):
+        assert _is_from_trusted_proxy(None, ["10.0.0.1"]) is False
+
+    def test_empty_list_returns_false(self):
+        assert _is_from_trusted_proxy("127.0.0.1", []) is False
+
+
+# ---------------------------------------------------------------------------
+# _is_in_allowed_hosts
+# ---------------------------------------------------------------------------
+
+
+class TestIsInAllowedHosts:
+    def test_matching_host(self):
+        assert _is_in_allowed_hosts("10.1.2.3", ["10.1.2.3"]) is True
+
+    def test_non_matching_host(self):
+        assert _is_in_allowed_hosts("10.1.2.4", ["10.1.2.3"]) is False
+
+    def test_none_host_returns_false(self):
+        assert _is_in_allowed_hosts(None, ["10.1.2.3"]) is False
+
+    def test_empty_list_returns_false(self):
+        assert _is_in_allowed_hosts("10.1.2.3", []) is False
+
+
+# ---------------------------------------------------------------------------
+# _is_in_allowed_networks
+# ---------------------------------------------------------------------------
+
+
+class TestIsInAllowedNetworks:
+    def test_ip_in_cidr(self):
+        assert _is_in_allowed_networks("10.0.0.50", ["10.0.0.0/24"]) is True
+
+    def test_ip_outside_cidr(self):
+        assert _is_in_allowed_networks("10.0.1.1", ["10.0.0.0/24"]) is False
+
+    def test_none_host_returns_false(self):
+        assert _is_in_allowed_networks(None, ["10.0.0.0/24"]) is False
+
+    def test_invalid_network_skipped(self):
+        assert _is_in_allowed_networks("10.0.0.1", ["not-a-network"]) is False
+
+
+# ---------------------------------------------------------------------------
+# require_localhost_request
+# ---------------------------------------------------------------------------
+
+
+class TestRequireLocalhostRequest:
+    def test_loopback_host_allowed(self, monkeypatch):
+        monkeypatch.setattr("core.admin.get_settings", _FakeSettings)
+        request = _make_request(host="127.0.0.1")
+        require_localhost_request(request)
+
+    def test_non_loopback_raises_403(self, monkeypatch):
+        monkeypatch.setattr("core.admin.get_settings", _FakeSettings)
+        request = _make_request(host="192.168.1.100")
+        with pytest.raises(HTTPException) as exc_info:
+            require_localhost_request(request)
+        assert exc_info.value.status_code == 403
+
+    def test_non_loopback_in_allowed_hosts_passes(self, monkeypatch):
+        class _Settings(_FakeSettings):
+            admin_allowed_hosts = ["10.0.0.5"]
+
+        monkeypatch.setattr("core.admin.get_settings", _Settings)
+        request = _make_request(host="10.0.0.5")
+        require_localhost_request(request)
+
+    def test_non_loopback_in_allowed_networks_passes(self, monkeypatch):
+        class _Settings(_FakeSettings):
+            admin_allowed_networks = ["10.0.0.0/24"]
+
+        monkeypatch.setattr("core.admin.get_settings", _Settings)
+        request = _make_request(host="10.0.0.42")
+        require_localhost_request(request)
+
+    def test_localhost_only_false_skips_check(self, monkeypatch):
+        class _Settings(_FakeSettings):
+            admin_localhost_only = False
+
+        monkeypatch.setattr("core.admin.get_settings", _Settings)
+        request = _make_request(host="8.8.8.8")
+        require_localhost_request(request)
+
+    def test_ipv6_loopback_allowed(self, monkeypatch):
+        monkeypatch.setattr("core.admin.get_settings", _FakeSettings)
+        request = _make_request(host="::1")
+        require_localhost_request(request)
+
+
+# ---------------------------------------------------------------------------
+# require_admin_origin
+# ---------------------------------------------------------------------------
+
+
+class TestRequireAdminOrigin:
+    def test_no_origin_or_referer_with_require_present_raises(self):
+        request = _make_request(headers={})
+        with pytest.raises(HTTPException) as exc_info:
+            require_admin_origin(request, require_present=True)
+        assert exc_info.value.status_code == 403
+
+    def test_no_origin_or_referer_with_require_present_false_passes(self):
+        request = _make_request(headers={})
+        require_admin_origin(request, require_present=False)
+
+    def test_localhost_origin_passes(self):
+        request = _make_request(headers={"origin": "http://localhost:4321"})
+        require_admin_origin(request)
+
+    def test_non_localhost_origin_raises(self):
+        request = _make_request(headers={"origin": "https://evil.com"})
+        with pytest.raises(HTTPException) as exc_info:
+            require_admin_origin(request)
+        assert exc_info.value.status_code == 403
+
+    def test_localhost_referer_passes(self):
+        request = _make_request(headers={"referer": "http://localhost/admin"})
+        require_admin_origin(request)
+
+    def test_non_localhost_referer_raises(self):
+        request = _make_request(headers={"referer": "https://evil.com/path"})
+        with pytest.raises(HTTPException) as exc_info:
+            require_admin_origin(request)
+        assert exc_info.value.status_code == 403
+
+    def test_127_origin_passes(self):
+        request = _make_request(headers={"origin": "http://127.0.0.1:3000"})
+        require_admin_origin(request)
+
+
+# ---------------------------------------------------------------------------
+# issue_admin_action_token / require_admin_action_token / consume_admin_action_token
+# ---------------------------------------------------------------------------
+
+
+class TestAdminActionToken:
+    def test_issue_returns_token_and_expiry(self, db_session):
+        _, session_id = _create_user_and_session(db_session)
+
+        token, expires_at = issue_admin_action_token(db_session, session_id=session_id)
+
+        assert isinstance(token, str)
+        assert len(token) > 0
+        assert isinstance(expires_at, datetime)
+        assert expires_at > datetime.now(timezone.utc)
+
+    def test_issued_token_is_hashed_in_db(self, db_session):
+        _, session_id = _create_user_and_session(db_session)
+
+        token, _ = issue_admin_action_token(db_session, session_id=session_id)
+
+        expected_hash = hashlib.sha256(token.encode()).hexdigest()
+        row = db_session.execute(
+            text(
+                "SELECT token_hash FROM admin_action_tokens WHERE session_id = :session_id"
+            ),
+            {"session_id": session_id},
+        ).fetchone()
+        assert row is not None
+        assert row[0] == expected_hash
+
+    def test_require_valid_token_returns_token(self, db_session):
+        _, session_id = _create_user_and_session(db_session)
+        token, _ = issue_admin_action_token(db_session, session_id=session_id)
+        request = _make_request(headers={"x-admin-action": token})
+
+        result = require_admin_action_token(request, db=db_session, session_id=session_id)
+
+        assert result == token
+
+    def test_require_missing_header_raises_403(self, db_session):
+        _, session_id = _create_user_and_session(db_session)
+        request = _make_request(headers={})
+
+        with pytest.raises(HTTPException) as exc_info:
+            require_admin_action_token(request, db=db_session, session_id=session_id)
+        assert exc_info.value.status_code == 403
+
+    def test_require_wrong_token_raises_403(self, db_session):
+        _, session_id = _create_user_and_session(db_session)
+        issue_admin_action_token(db_session, session_id=session_id)
+        request = _make_request(headers={"x-admin-action": "wrong-token"})
+
+        with pytest.raises(HTTPException) as exc_info:
+            require_admin_action_token(request, db=db_session, session_id=session_id)
+        assert exc_info.value.status_code == 403
+
+    def test_require_expired_token_raises_403(self, db_session):
+        _, session_id = _create_user_and_session(db_session)
+        raw_token = secrets.token_urlsafe(32)
+        token_hash = hashlib.sha256(raw_token.encode()).hexdigest()
+        past = datetime.now(timezone.utc) - timedelta(minutes=10)
+        db_session.execute(
+            text(
+                "INSERT INTO admin_action_tokens (session_id, token_hash, expires_at) "
+                "VALUES (:session_id, :token_hash, :expires_at)"
+            ),
+            {"session_id": session_id, "token_hash": token_hash, "expires_at": past},
+        )
+        db_session.flush()
+        request = _make_request(headers={"x-admin-action": raw_token})
+
+        with pytest.raises(HTTPException) as exc_info:
+            require_admin_action_token(request, db=db_session, session_id=session_id)
+        assert exc_info.value.status_code == 403
+
+    def test_consume_removes_token(self, db_session):
+        _, session_id = _create_user_and_session(db_session)
+        token, _ = issue_admin_action_token(db_session, session_id=session_id)
+
+        consume_admin_action_token(db_session, session_id=session_id, token=token)
+        db_session.flush()
+
+        row = db_session.execute(
+            text(
+                "SELECT token_hash FROM admin_action_tokens WHERE session_id = :session_id"
+            ),
+            {"session_id": session_id},
+        ).fetchone()
+        assert row is None
+
+    def test_issue_replaces_existing_token(self, db_session):
+        _, session_id = _create_user_and_session(db_session)
+        token1, _ = issue_admin_action_token(db_session, session_id=session_id)
+        token2, _ = issue_admin_action_token(db_session, session_id=session_id)
+
+        count_row = db_session.execute(
+            text(
+                "SELECT COUNT(*) FROM admin_action_tokens WHERE session_id = :session_id"
+            ),
+            {"session_id": session_id},
+        ).fetchone()
+        assert count_row[0] == 1
+        assert token1 != token2
diff --git a/services/api/tests/test_storage.py b/services/api/tests/test_storage.py
new file mode 100644
index 0000000..660c39e
--- /dev/null
+++ b/services/api/tests/test_storage.py
@@ -0,0 +1,189 @@
+"""Tests for core/storage.py."""
+
+from __future__ import annotations
+
+import hashlib
+import io
+from unittest.mock import MagicMock, patch
+
+import pytest
+from minio.error import S3Error
+
+import core.storage as storage_module
+from core.storage import (
+    delete_object,
+    ensure_bucket_exists,
+    upload_attack_template,
+    upload_attack_zip,
+    upload_defense_zip,
+    upload_heurval_sample,
+    upload_heurval_set_zip,
+)
+
+
+def _make_s3_error():
+    fake_response = MagicMock()
+    return S3Error(fake_response, "TestError", "something went wrong", "/", "req-1", "host-1")
+
+
+@pytest.fixture(autouse=True)
+def mock_storage(monkeypatch):
+    mock_client = MagicMock()
+    mock_config = MagicMock()
+    mock_config.minio.bucket_name = "test-bucket"
+    monkeypatch.setattr(storage_module, "get_minio_client", lambda: mock_client)
+    monkeypatch.setattr(storage_module, "get_config", lambda: mock_config)
+    return mock_client
+
+
+class TestUploadDefenseZip:
+    def test_returns_correct_keys(self, mock_storage):
+        content = b"fake zip content"
+        user_id = "user-123"
+        submission_id = "sub-456"
+
+        result = upload_defense_zip(io.BytesIO(content), user_id, submission_id)
+
+        assert result["object_key"] == f"defense/{user_id}/{submission_id}.zip"
+        assert result["sha256"] == hashlib.sha256(content).hexdigest()
+        assert result["size_bytes"] == len(content)
+
+    def test_calls_put_object_with_correct_args(self, mock_storage):
+        content = b"zip data"
+        upload_defense_zip(io.BytesIO(content), "uid", "sid")
+
+        mock_storage.put_object.assert_called_once()
+        call_kwargs = mock_storage.put_object.call_args.kwargs
+        assert call_kwargs["bucket_name"] == "test-bucket"
+        assert call_kwargs["object_name"] == "defense/uid/sid.zip"
+        assert call_kwargs["length"] == len(content)
+        assert call_kwargs["content_type"] == "application/zip"
+
+    def test_raises_s3_error_on_failure(self, mock_storage):
+        mock_storage.put_object.side_effect = _make_s3_error()
+        with pytest.raises(S3Error):
+            upload_defense_zip(io.BytesIO(b"data"), "uid", "sid")
+
+
+class TestUploadAttackZip:
+    def test_returns_correct_keys(self, mock_storage):
+        content = b"attack zip"
+        user_id = "user-abc"
+        submission_id = "sub-xyz"
+
+        result = upload_attack_zip(io.BytesIO(content), user_id, submission_id)
+
+        assert result["object_key"] == f"attack/{user_id}/{submission_id}.zip"
+        assert result["sha256"] == hashlib.sha256(content).hexdigest()
+        assert result["size_bytes"] == len(content)
+
+    def test_calls_put_object_with_correct_args(self, mock_storage):
+        content = b"atk data"
+        upload_attack_zip(io.BytesIO(content), "uid", "sid")
+
+        call_kwargs = mock_storage.put_object.call_args.kwargs
+        assert call_kwargs["bucket_name"] == "test-bucket"
+        assert call_kwargs["object_name"] == "attack/uid/sid.zip"
+
+    def test_raises_s3_error_on_failure(self, mock_storage):
+        mock_storage.put_object.side_effect = _make_s3_error()
+        with pytest.raises(S3Error):
+            upload_attack_zip(io.BytesIO(b"data"), "uid", "sid")
+
+
+class TestUploadAttackTemplate:
+    def test_returns_correct_keys(self, mock_storage):
+        content = b"template zip content"
+        template_id = "tmpl-001"
+
+        result = upload_attack_template(content, template_id)
+
+        assert result["object_key"] == f"template/{template_id}.zip"
+        assert result["sha256"] == hashlib.sha256(content).hexdigest()
+        assert result["size_bytes"] == len(content)
+
+    def test_sha256_matches_actual_hash(self, mock_storage):
+        content = b"hello world"
+        result = upload_attack_template(content, "t1")
+        expected = hashlib.sha256(content).hexdigest()
+        assert result["sha256"] == expected
+
+    def test_raises_s3_error_on_failure(self, mock_storage):
+        mock_storage.put_object.side_effect = _make_s3_error()
+        with pytest.raises(S3Error):
+            upload_attack_template(b"data", "tmpl-id")
+
+
+class TestUploadHeurvalSample:
+    def test_returns_correct_keys(self, mock_storage):
+        content = b"sample content"
+        set_id = "set-001"
+        label = "malware"
+        filename = "evil.exe"
+
+        result = upload_heurval_sample(content, set_id, label, filename)
+
+        assert result["object_key"] == f"heurval/{set_id}/{label}/{filename}"
+        assert result["sha256"] == hashlib.sha256(content).hexdigest()
+        assert result["size_bytes"] == len(content)
+
+    def test_uses_basename_for_safety(self, mock_storage):
+        content = b"data"
+        result = upload_heurval_sample(
+            content, "s1", "goodware", "/some/nested/path/file.exe"
+        )
+        assert result["object_key"] == "heurval/s1/goodware/file.exe"
+
+    def test_raises_s3_error_on_failure(self, mock_storage):
+        mock_storage.put_object.side_effect = _make_s3_error()
+        with pytest.raises(S3Error):
+            upload_heurval_sample(b"data", "set", "malware", "file.exe")
+
+
+class TestUploadHeurvalSetZip:
+    def test_returns_correct_keys(self, mock_storage):
+        content = b"heurval zip"
+        set_id = "hvset-001"
+
+        result = upload_heurval_set_zip(content, set_id)
+
+        assert result["object_key"] == f"heurval/{set_id}/samples.zip"
+        assert result["sha256"] == hashlib.sha256(content).hexdigest()
+        assert result["size_bytes"] == len(content)
+
+    def test_raises_s3_error_on_failure(self, mock_storage):
+        mock_storage.put_object.side_effect = _make_s3_error()
+        with pytest.raises(S3Error):
+            upload_heurval_set_zip(b"data", "set-id")
+
+
+class TestDeleteObject:
+    def test_calls_remove_object_with_correct_args(self, mock_storage):
+        object_key = "defense/user-1/sub-1.zip"
+        delete_object(object_key)
+        mock_storage.remove_object.assert_called_once_with(
+            bucket_name="test-bucket",
+            object_name=object_key,
+        )
+
+    def test_raises_s3_error_on_failure(self, mock_storage):
+        mock_storage.remove_object.side_effect = _make_s3_error()
+        with pytest.raises(S3Error):
+            delete_object("some/key.zip")
+
+
+class TestEnsureBucketExists:
+    def test_creates_bucket_when_not_exists(self, mock_storage):
+        mock_storage.bucket_exists.return_value = False
+        ensure_bucket_exists()
+        mock_storage.make_bucket.assert_called_once_with("test-bucket")
+
+    def test_skips_make_bucket_when_already_exists(self, mock_storage):
+        mock_storage.bucket_exists.return_value = True
+        ensure_bucket_exists()
+        mock_storage.make_bucket.assert_not_called()
+
+    def test_raises_s3_error_when_bucket_check_fails(self, mock_storage):
+        mock_storage.bucket_exists.side_effect = _make_s3_error()
+        with pytest.raises(S3Error):
+            ensure_bucket_exists()
diff --git a/services/api/tests/test_submission_control.py b/services/api/tests/test_submission_control.py
new file mode 100644
index 0000000..e1d470e
--- /dev/null
+++ b/services/api/tests/test_submission_control.py
@@ -0,0 +1,343 @@
+"""Tests for core/submission_control.py."""
+
+from __future__ import annotations
+
+from datetime import datetime, timedelta, timezone
+from uuid import uuid4
+
+import pytest
+from fastapi import HTTPException
+from sqlalchemy import text
+
+from core.submission_control import (
+    SubmissionControl,
+    _as_utc,
+    check_cooldown,
+    ensure_submissions_open,
+    get_cooldown_remaining,
+    get_submission_control,
+    set_close_at,
+    set_manual_closed,
+)
+
+
+# ---------------------------------------------------------------------------
+# Pure-Python unit tests (no DB)
+# ---------------------------------------------------------------------------
+
+
+class TestSubmissionControlIsClosed:
+    def test_open_by_default(self):
+        sc = SubmissionControl(
+            manual_closed=False,
+            close_at=None,
+            updated_at=None,
+            updated_by=None,
+        )
+        assert sc.is_closed() is False
+
+    def test_manual_closed_true(self):
+        sc = SubmissionControl(
+            manual_closed=True,
+            close_at=None,
+            updated_at=None,
+            updated_by=None,
+        )
+        assert sc.is_closed() is True
+
+    def test_close_at_in_past(self):
+        past = datetime.now(timezone.utc) - timedelta(minutes=5)
+        sc = SubmissionControl(
+            manual_closed=False,
+            close_at=past,
+            updated_at=None,
+            updated_by=None,
+        )
+        assert sc.is_closed() is True
+
+    def test_close_at_in_future(self):
+        future = datetime.now(timezone.utc) + timedelta(hours=1)
+        sc = SubmissionControl(
+            manual_closed=False,
+            close_at=future,
+            updated_at=None,
+            updated_by=None,
+        )
+        assert sc.is_closed() is False
+
+    def test_both_manual_and_past_close_at(self):
+        past = datetime.now(timezone.utc) - timedelta(seconds=1)
+        sc = SubmissionControl(
+            manual_closed=True,
+            close_at=past,
+            updated_at=None,
+            updated_by=None,
+        )
+        assert sc.is_closed() is True
+
+    def test_is_closed_accepts_explicit_now(self):
+        future = datetime.now(timezone.utc) + timedelta(hours=1)
+        sc = SubmissionControl(
+            manual_closed=False,
+            close_at=future,
+            updated_at=None,
+            updated_by=None,
+        )
+        now_way_ahead = future + timedelta(hours=2)
+        assert sc.is_closed(now=now_way_ahead) is True
+
+
+class TestAsUtc:
+    def test_none_returns_none(self):
+        assert _as_utc(None) is None
+
+    def test_naive_datetime_gets_utc_tzinfo(self):
+        naive = datetime(2024, 6, 1, 12, 0, 0)
+        result = _as_utc(naive)
+        assert result.tzinfo is timezone.utc
+        assert result.replace(tzinfo=None) == naive
+
+    def test_utc_datetime_unchanged(self):
+        utc_dt = datetime(2024, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
+        result = _as_utc(utc_dt)
+        assert result == utc_dt
+
+    def test_non_utc_aware_datetime_converted(self):
+        from datetime import timezone as tz
+        eastern = timezone(timedelta(hours=-5))
+        dt = datetime(2024, 6, 1, 7, 0, 0, tzinfo=eastern)
+        result = _as_utc(dt)
+        assert result.tzinfo == timezone.utc
+        assert result.hour == 12
+
+
+# ---------------------------------------------------------------------------
+# DB-backed integration tests
+# ---------------------------------------------------------------------------
+
+
+def _create_user(db_session, *, username: str = None, email: str = None) -> str:
+    username = username or f"sc_user_{uuid4().hex[:8]}"
+    email = email or f"{uuid4().hex[:8]}@test.com"
+    row = db_session.execute(
+        text(
+            "INSERT INTO users (username, email, is_admin) "
+            "VALUES (:username, :email, false) RETURNING id"
+        ),
+        {"username": username, "email": email},
+    ).fetchone()
+    return str(row[0])
+
+
+class TestGetSubmissionControl:
+    def test_returns_defaults_when_no_row(self, db_session):
+        sc = get_submission_control(db_session)
+        assert sc.manual_closed is False
+        assert sc.close_at is None
+
+    def test_returns_correct_state_when_row_exists(self, db_session):
+        future = datetime.now(timezone.utc) + timedelta(hours=2)
+        user_id = _create_user(db_session)
+        db_session.execute(
+            text(
+                "INSERT INTO submission_control (id, manual_closed, close_at, updated_by) "
+                "VALUES (1, true, :close_at, :updated_by) "
+                "ON CONFLICT (id) DO UPDATE "
+                "SET manual_closed = EXCLUDED.manual_closed, "
+                "    close_at = EXCLUDED.close_at, "
+                "    updated_by = EXCLUDED.updated_by"
+            ),
+            {"close_at": future, "updated_by": user_id},
+        )
+        db_session.flush()
+
+        sc = get_submission_control(db_session)
+
+        assert sc.manual_closed is True
+        assert sc.close_at is not None
+        assert sc.close_at > datetime.now(timezone.utc)
+        assert sc.updated_by == user_id
+
+
+class TestSetManualClosed:
+    def test_set_manual_closed_true(self, db_session):
+        user_id = _create_user(db_session)
+        sc = set_manual_closed(db_session, closed=True, updated_by=user_id)
+        assert sc.manual_closed is True
+        assert sc.updated_by == user_id
+
+    def test_set_manual_closed_false(self, db_session):
+        user_id = _create_user(db_session)
+        set_manual_closed(db_session, closed=True, updated_by=user_id)
+        sc = set_manual_closed(db_session, closed=False, updated_by=user_id)
+        assert sc.manual_closed is False
+
+    def test_open_clears_lapsed_close_at(self, db_session):
+        user_id = _create_user(db_session)
+        past = datetime.now(timezone.utc) - timedelta(hours=1)
+        set_close_at(db_session, close_at=past, updated_by=user_id)
+        sc = set_manual_closed(db_session, closed=False, updated_by=user_id)
+        assert sc.close_at is None
+
+    def test_open_preserves_future_close_at(self, db_session):
+        user_id = _create_user(db_session)
+        future = datetime.now(timezone.utc) + timedelta(hours=2)
+        set_close_at(db_session, close_at=future, updated_by=user_id)
+        sc = set_manual_closed(db_session, closed=False, updated_by=user_id)
+        assert sc.close_at is not None
+
+
+class TestSetCloseAt:
+    def test_set_future_close_at(self, db_session):
+        user_id = _create_user(db_session)
+        future = datetime.now(timezone.utc) + timedelta(hours=3)
+        sc = set_close_at(db_session, close_at=future, updated_by=user_id)
+        assert sc.close_at is not None
+        assert sc.close_at > datetime.now(timezone.utc)
+
+    def test_clear_close_at(self, db_session):
+        user_id = _create_user(db_session)
+        future = datetime.now(timezone.utc) + timedelta(hours=3)
+        set_close_at(db_session, close_at=future, updated_by=user_id)
+        sc = set_close_at(db_session, close_at=None, updated_by=user_id)
+        assert sc.close_at is None
+
+
+class TestEnsureSubmissionsOpen:
+    def test_does_not_raise_when_open(self, db_session):
+        ensure_submissions_open(db_session)
+
+    def test_raises_403_when_manual_closed(self, db_session):
+        user_id = _create_user(db_session)
+        set_manual_closed(db_session, closed=True, updated_by=user_id)
+        with pytest.raises(HTTPException) as exc_info:
+            ensure_submissions_open(db_session)
+        assert exc_info.value.status_code == 403
+        assert "administrator" in exc_info.value.detail
+
+    def test_raises_403_when_deadline_passed(self, db_session):
+        user_id = _create_user(db_session)
+        past = datetime.now(timezone.utc) - timedelta(minutes=1)
+        set_close_at(db_session, close_at=past, updated_by=user_id)
+        with pytest.raises(HTTPException) as exc_info:
+            ensure_submissions_open(db_session)
+        assert exc_info.value.status_code == 403
+        assert "deadline" in exc_info.value.detail
+
+
+class TestGetCooldownRemaining:
+    def test_returns_none_when_cooldown_zero(self, db_session):
+        user_id = _create_user(db_session)
+        result = get_cooldown_remaining(
+            db_session,
+            user_id=user_id,
+            submission_type="defense",
+            cooldown_seconds=0,
+        )
+        assert result is None
+
+    def test_returns_none_when_no_prior_submissions(self, db_session):
+        user_id = _create_user(db_session)
+        result = get_cooldown_remaining(
+            db_session,
+            user_id=user_id,
+            submission_type="defense",
+            cooldown_seconds=3600,
+        )
+        assert result is None
+
+    def test_returns_remaining_when_within_cooldown(self, db_session):
+        user_id = _create_user(db_session)
+        just_now = datetime.now(timezone.utc) - timedelta(seconds=10)
+        db_session.execute(
+            text(
+                "INSERT INTO submissions (user_id, submission_type, version, status, created_at) "
+                "VALUES (:user_id, 'defense', '1.0.0', 'submitted', :created_at)"
+            ),
+            {"user_id": user_id, "created_at": just_now},
+        )
+        db_session.flush()
+
+        result = get_cooldown_remaining(
+            db_session,
+            user_id=user_id,
+            submission_type="defense",
+            cooldown_seconds=3600,
+        )
+        assert result is not None
+        assert result > 0
+        assert result <= 3600
+
+    def test_returns_none_when_cooldown_expired(self, db_session):
+        user_id = _create_user(db_session)
+        long_ago = datetime.now(timezone.utc) - timedelta(hours=2)
+        db_session.execute(
+            text(
+                "INSERT INTO submissions (user_id, submission_type, version, status, created_at) "
+                "VALUES (:user_id, 'defense', '1.0.0', 'submitted', :created_at)"
+            ),
+            {"user_id": user_id, "created_at": long_ago},
+        )
+        db_session.flush()
+
+        result = get_cooldown_remaining(
+            db_session,
+            user_id=user_id,
+            submission_type="defense",
+            cooldown_seconds=60,
+        )
+        assert result is None
+
+    def test_ignores_deleted_submissions(self, db_session):
+        user_id = _create_user(db_session)
+        just_now = datetime.now(timezone.utc) - timedelta(seconds=10)
+        db_session.execute(
+            text(
+                "INSERT INTO submissions "
+                "(user_id, submission_type, version, status, created_at, deleted_at) "
+                "VALUES (:user_id, 'defense', '1.0.0', 'submitted', :created_at, :deleted_at)"
+            ),
+            {"user_id": user_id, "created_at": just_now, "deleted_at": just_now},
+        )
+        db_session.flush()
+
+        result = get_cooldown_remaining(
+            db_session,
+            user_id=user_id,
+            submission_type="defense",
+            cooldown_seconds=3600,
+        )
+        assert result is None
+
+
+class TestCheckCooldown:
+    def test_does_not_raise_when_no_cooldown(self, db_session):
+        user_id = _create_user(db_session)
+        check_cooldown(
+            db_session,
+            user_id=user_id,
+            submission_type="attack",
+            cooldown_seconds=0,
+        )
+
+    def test_raises_429_when_within_cooldown(self, db_session):
+        user_id = _create_user(db_session)
+        just_now = datetime.now(timezone.utc) - timedelta(seconds=5)
+        db_session.execute(
+            text(
+                "INSERT INTO submissions (user_id, submission_type, version, status, created_at) "
+                "VALUES (:user_id, 'attack', '1.0.0', 'submitted', :created_at)"
+            ),
+            {"user_id": user_id, "created_at": just_now},
+        )
+        db_session.flush()
+
+        with pytest.raises(HTTPException) as exc_info:
+            check_cooldown(
+                db_session,
+                user_id=user_id,
+                submission_type="attack",
+                cooldown_seconds=3600,
+            )
+        assert exc_info.value.status_code == 429
+        assert "wait" in exc_info.value.detail.lower()
diff --git a/services/api/tests/test_submissions.py b/services/api/tests/test_submissions.py
index 27e9996..ebddba6 100644
--- a/services/api/tests/test_submissions.py
+++ b/services/api/tests/test_submissions.py
@@ -296,6 +296,71 @@ def test_create_defense_github_strips_git_extension(self, client, db_session, mo
 
         assert response.status_code == 201
 
+    def test_create_defense_github_with_branch(self, client, db_session, monkeypatch):
+        """Test that a URL with /tree/<branch> is accepted and stored verbatim."""
+        from routers import submissions as submissions_module
+
+        fake = _FakeCelery()
+        monkeypatch.setattr(submissions_module, "_publish_task",
+                            lambda **kwargs: fake.send_task("", kwargs))
+
+        user_id = _create_user(db_session)
+        token = _create_session_token(db_session, user_id=user_id)
+
+        response = client.post(
+            "/api/submissions/defense/github",
+            json={
+                "git_repo": "https://github.com/user/repo/tree/my-branch",
+                "version": "1.0.0",
+            },
+            headers=_make_auth_headers(token),
+        )
+
+        assert response.status_code == 201
+        details_row = db_session.execute(
+            text("SELECT git_repo FROM defense_submission_details WHERE submission_id = :id"),
+            {"id": response.json()["submission_id"]},
+        ).fetchone()
+        assert details_row[0] == "https://github.com/user/repo/tree/my-branch"
+
+    def test_create_defense_github_with_slash_branch(self, client, db_session, monkeypatch):
+        """Test that a URL with a multi-segment branch (feature/foo) is accepted."""
+        from routers import submissions as submissions_module
+
+        fake = _FakeCelery()
+        monkeypatch.setattr(submissions_module, "_publish_task",
+                            lambda **kwargs: fake.send_task("", kwargs))
+
+        user_id = _create_user(db_session)
+        token = _create_session_token(db_session, user_id=user_id)
+
+        response = client.post(
+            "/api/submissions/defense/github",
+            json={
+                "git_repo": "https://github.com/user/repo/tree/feature/my-feature",
+                "version": "1.0.0",
+            },
+            headers=_make_auth_headers(token),
+        )
+
+        assert response.status_code == 201
+
+    def test_create_defense_github_invalid_branch_empty(self, client, db_session):
+        """Test that /tree/ with no branch name is rejected."""
+        user_id = _create_user(db_session)
+        token = _create_session_token(db_session, user_id=user_id)
+
+        response = client.post(
+            "/api/submissions/defense/github",
+            json={
+                "git_repo": "https://github.com/user/repo/tree/",
+                "version": "1.0.0",
+            },
+            headers=_make_auth_headers(token),
+        )
+
+        assert response.status_code == 422
+
 
 # ============================================================================
 # Defense ZIP Submission Tests
@@ -524,6 +589,8 @@ def test_validate_github_url_format_valid(self):
         validate_github_url_format("https://github.com/user/repo")
         validate_github_url_format("https://github.com/user-name/repo-name")
         validate_github_url_format("https://github.com/user/repo.git")
+        validate_github_url_format("https://github.com/user/repo/tree/my-branch")
+        validate_github_url_format("https://github.com/user/repo/tree/feature/foo")
 
     def test_validate_github_url_format_invalid(self):
         """Test GitHub URL validation with invalid URLs."""
@@ -541,6 +608,10 @@ def test_validate_github_url_format_invalid(self):
             validate_github_url_format("github.com/user/repo")
         assert exc.value.status_code == 400
 
+        with pytest.raises(HTTPException) as exc:
+            validate_github_url_format("https://github.com/user/repo/tree/")
+        assert exc.value.status_code == 400
+
     def test_validate_docker_image_format_valid(self):
         """Test Docker image format validation."""
         from core.submissions import validate_docker_image_format
diff --git a/services/frontend/Dockerfile.prod b/services/frontend/Dockerfile.prod
deleted file mode 100644
index 4e4f50e..0000000
--- a/services/frontend/Dockerfile.prod
+++ /dev/null
@@ -1,25 +0,0 @@
-FROM node:20-alpine AS build
-
-WORKDIR /app
-
-COPY package.json package-lock.json* ./
-RUN npm install
-
-COPY . .
-RUN npm run build
-
-FROM node:20-alpine AS runtime
-
-WORKDIR /app
-
-COPY --from=build /app/dist ./dist
-COPY --from=build /app/package.json ./package.json
-COPY --from=build /app/node_modules ./node_modules
-
-ENV HOST=0.0.0.0
-ENV PORT=4321
-ENV NODE_ENV=production
-
-EXPOSE 4321
-
-CMD ["node", "./dist/server/entry.mjs"]
diff --git a/services/frontend/astro.config.mjs b/services/frontend/astro.config.mjs
index dbc42a9..8e11199 100644
--- a/services/frontend/astro.config.mjs
+++ b/services/frontend/astro.config.mjs
@@ -3,16 +3,12 @@ import { defineConfig } from 'astro/config';
 
 import react from '@astrojs/react';
 import tailwind from '@astrojs/tailwind';
-import node from '@astrojs/node';
 
 const apiTarget = process.env.API_INTERNAL_URL || 'http://127.0.0.1:8000';
 
 // https://astro.build/config
 export default defineConfig({
   output: 'server',
-  adapter: node({
-    mode: 'standalone',
-  }),
   integrations: [react(), tailwind()],
   vite: {
     server: {
diff --git a/services/frontend/package.json b/services/frontend/package.json
index 70f81d8..f34cd5b 100644
--- a/services/frontend/package.json
+++ b/services/frontend/package.json
@@ -9,7 +9,6 @@
     "astro": "astro"
   },
   "dependencies": {
-    "@astrojs/node": "^9.0.0",
     "@astrojs/react": "^4.4.2",
     "@tailwindcss/vite": "^4.1.18",
     "@types/react": "^19.2.10",
diff --git a/services/frontend/public/favicon.svg b/services/frontend/public/favicon.svg
index f157bd1..71d77f3 100644
--- a/services/frontend/public/favicon.svg
+++ b/services/frontend/public/favicon.svg
@@ -1,9 +1,251 @@
-<svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 128 128">
-    <path d="M50.4 78.5a75.1 75.1 0 0 0-28.5 6.9l24.2-65.7c.7-2 1.9-3.2 3.4-3.2h29c1.5 0 2.7 1.2 3.4 3.2l24.2 65.7s-11.6-7-28.5-7L67 45.5c-.4-1.7-1.6-2.8-2.9-2.8-1.3 0-2.5 1.1-2.9 2.7L50.4 78.5Zm-1.1 28.2Zm-4.2-20.2c-2 6.6-.6 15.8 4.2 20.2a17.5 17.5 0 0 1 .2-.7 5.5 5.5 0 0 1 5.7-4.5c2.8.1 4.3 1.5 4.7 4.7.2 1.1.2 2.3.2 3.5v.4c0 2.7.7 5.2 2.2 7.4a13 13 0 0 0 5.7 4.9v-.3l-.2-.3c-1.8-5.6-.5-9.5 4.4-12.8l1.5-1a73 73 0 0 0 3.2-2.2 16 16 0 0 0 6.8-11.4c.3-2 .1-4-.6-6l-.8.6-1.6 1a37 37 0 0 1-22.4 2.7c-5-.7-9.7-2-13.2-6.2Z" />
-    <style>
-        path { fill: #000; }
-        @media (prefers-color-scheme: dark) {
-            path { fill: #FFF; }
-        }
-    </style>
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   width="100"
+   height="100"
+   viewBox="0 0 100 100"
+   version="1.1"
+   id="svg1"
+   inkscape:version="1.3.2 (091e20e, 2023-11-25, custom)"
+   sodipodi:docname="mlsec-logo-white.svg"
+   inkscape:export-filename="..\Downloads\logos-final\mlsec-logo.svg"
+   inkscape:export-xdpi="96"
+   inkscape:export-ydpi="96"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:svg="http://www.w3.org/2000/svg">
+  <sodipodi:namedview
+     id="namedview1"
+     pagecolor="#6f6f6f"
+     bordercolor="#000000"
+     borderopacity="0.25"
+     inkscape:showpageshadow="2"
+     inkscape:pageopacity="0.0"
+     inkscape:pagecheckerboard="0"
+     inkscape:deskcolor="#d1d1d1"
+     inkscape:document-units="px"
+     showgrid="true"
+     showguides="true"
+     inkscape:zoom="8.4880471"
+     inkscape:cx="39.820703"
+     inkscape:cy="53.074635"
+     inkscape:window-width="2560"
+     inkscape:window-height="1369"
+     inkscape:window-x="2552"
+     inkscape:window-y="-8"
+     inkscape:window-maximized="1"
+     inkscape:current-layer="layer1"
+     inkscape:export-bgcolor="#ffffff00">
+    <inkscape:grid
+       id="grid1"
+       units="px"
+       originx="-5.3290705e-15"
+       originy="-5.3290705e-15"
+       spacingx="1"
+       spacingy="1"
+       empcolor="#0099e5"
+       empopacity="0.30196078"
+       color="#0099e5"
+       opacity="0.14901961"
+       empspacing="5"
+       dotted="false"
+       gridanglex="30"
+       gridanglez="30"
+       visible="true" />
+    <sodipodi:guide
+       position="-5.3290705e-15,100"
+       orientation="0.70710678,0.70710678"
+       id="guide2"
+       inkscape:locked="false"
+       inkscape:label=""
+       inkscape:color="rgb(224,27,36)" />
+    <sodipodi:guide
+       position="45,100"
+       orientation="-1,0"
+       id="guide3"
+       inkscape:locked="false"
+       inkscape:label=""
+       inkscape:color="rgb(224,27,36)" />
+    <sodipodi:guide
+       position="-5.3290705e-15,55"
+       orientation="0,1"
+       id="guide4"
+       inkscape:locked="false"
+       inkscape:label=""
+       inkscape:color="rgb(224,27,36)" />
+    <sodipodi:guide
+       position="54,46"
+       orientation="0.70710678,-0.70710678"
+       id="guide6"
+       inkscape:locked="false"
+       inkscape:label=""
+       inkscape:color="rgb(224,27,36)" />
+    <sodipodi:guide
+       position="32,24"
+       orientation="0.70710678,0.70710678"
+       id="guide7"
+       inkscape:locked="false"
+       inkscape:label=""
+       inkscape:color="rgb(224,27,36)" />
+    <sodipodi:guide
+       position="1,55"
+       orientation="0.70710678,-0.70710678"
+       id="guide8"
+       inkscape:locked="false"
+       inkscape:label=""
+       inkscape:color="rgb(145,65,172)" />
+    <sodipodi:guide
+       position="45,99"
+       orientation="0.70710678,0.70710678"
+       id="guide9"
+       inkscape:locked="false"
+       inkscape:label=""
+       inkscape:color="rgb(224,27,36)" />
+    <sodipodi:guide
+       position="14,42"
+       orientation="0.70710678,-0.70710678"
+       id="guide10"
+       inkscape:locked="false"
+       inkscape:label=""
+       inkscape:color="rgb(224,27,36)" />
+    <sodipodi:guide
+       position="12.050253,49.949747"
+       orientation="0.70710678,-0.70710678"
+       id="guide1"
+       inkscape:locked="false"
+       inkscape:label=""
+       inkscape:color="rgb(0,134,229)" />
+  </sodipodi:namedview>
+  <defs
+     id="defs1" />
+  <g
+     inkscape:label="mlsec-logo"
+     inkscape:groupmode="layer"
+     id="layer1">
+    <path
+       style="font-variation-settings:'wght' 700;display:inline;fill:none;stroke:#ffffff;stroke-width:8;stroke-linecap:round;stroke-dasharray:none;stroke-opacity:1;paint-order:stroke fill markers"
+       d="M 4,96 96,4"
+       id="path1"
+       inkscape:label="line"
+       sodipodi:nodetypes="cc" />
+    <circle
+       style="font-variation-settings:'wght' 700;display:inline;fill:#ffffff;fill-opacity:1;stroke:none;stroke-width:9.99999;stroke-linecap:round;stroke-dasharray:none;stroke-opacity:1;paint-order:stroke fill markers"
+       id="path2"
+       cx="17"
+       cy="55"
+       r="7"
+       inkscape:label="dot" />
+    <circle
+       style="font-variation-settings:'wght' 700;fill:#ffffff;fill-opacity:1;stroke:none;stroke-width:9.99997;stroke-linecap:round;stroke-dasharray:none;stroke-opacity:1;paint-order:stroke fill markers"
+       id="path2-1"
+       cx="55"
+       cy="17"
+       r="7"
+       inkscape:label="dot" />
+    <circle
+       style="font-variation-settings:'wght' 700;fill:#ffffff;fill-opacity:1;stroke:none;stroke-width:9.99994;stroke-linecap:round;stroke-dasharray:none;stroke-opacity:1;paint-order:stroke fill markers"
+       id="path2-6"
+       cx="18"
+       cy="18"
+       r="7"
+       inkscape:label="dot" />
+    <g
+       inkscape:groupmode="layer"
+       id="layer3"
+       inkscape:label="long-arrow"
+       style="display:none">
+      <path
+         style="font-variation-settings:'wght' 700;fill:none;fill-opacity:1;stroke:#000000;stroke-width:6;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1;paint-order:stroke fill markers"
+         d="M 97,97 33,33 v 11"
+         id="path5-5"
+         sodipodi:nodetypes="ccc" />
+      <path
+         style="font-variation-settings:'wght' 700;fill:none;fill-opacity:1;stroke:#000000;stroke-width:6;stroke-linecap:round;stroke-dasharray:none;stroke-opacity:1;paint-order:stroke fill markers"
+         d="M 33,33 H 44"
+         id="path6-2"
+         sodipodi:nodetypes="cc" />
+    </g>
+    <g
+       inkscape:groupmode="layer"
+       id="layer2"
+       inkscape:label="arrow"
+       style="display:inline">
+      <path
+         style="font-variation-settings:'wght' 700;fill:none;fill-opacity:1;stroke:#ffffff;stroke-width:6;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1;paint-order:stroke fill markers"
+         d="M 97,97 54,54 v 11"
+         id="path5"
+         sodipodi:nodetypes="ccc" />
+      <path
+         style="font-variation-settings:'wght' 700;fill:none;fill-opacity:1;stroke:#ffffff;stroke-width:6;stroke-linecap:round;stroke-dasharray:none;stroke-opacity:1;paint-order:stroke fill markers"
+         d="M 54,54 H 65"
+         id="path6"
+         sodipodi:nodetypes="cc" />
+    </g>
+    <g
+       inkscape:groupmode="layer"
+       id="layer2-0"
+       inkscape:label="small-arrow"
+       transform="translate(-22,22)">
+      <path
+         style="font-variation-settings:'wght' 700;fill:none;fill-opacity:1;stroke:#ffffff;stroke-width:6;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1;paint-order:stroke fill markers"
+         d="M 75,75 54,54 v 11"
+         id="path5-6"
+         sodipodi:nodetypes="ccc" />
+      <path
+         style="font-variation-settings:'wght' 700;fill:none;fill-opacity:1;stroke:#ffffff;stroke-width:6;stroke-linecap:round;stroke-dasharray:none;stroke-opacity:1;paint-order:stroke fill markers"
+         d="M 54,54 H 65"
+         id="path6-8"
+         sodipodi:nodetypes="cc" />
+    </g>
+    <g
+       inkscape:groupmode="layer"
+       id="layer2-0-7"
+       inkscape:label="small-arrow"
+       transform="translate(22,-22)">
+      <path
+         style="font-variation-settings:'wght' 700;fill:none;fill-opacity:1;stroke:#ffffff;stroke-width:6;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1;paint-order:stroke fill markers"
+         d="M 75,75 54,54 v 11"
+         id="path5-6-2"
+         sodipodi:nodetypes="ccc" />
+      <path
+         style="font-variation-settings:'wght' 700;fill:none;fill-opacity:1;stroke:#ffffff;stroke-width:6;stroke-linecap:round;stroke-dasharray:none;stroke-opacity:1;paint-order:stroke fill markers"
+         d="M 54,54 H 65"
+         id="path6-8-1"
+         sodipodi:nodetypes="cc" />
+    </g>
+    <text
+       xml:space="preserve"
+       style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:12px;line-height:1;font-family:arial;-inkscape-font-specification:arial;text-align:center;letter-spacing:0px;text-anchor:middle;display:none;fill:#000000;stroke-width:6;stroke-linecap:square;paint-order:stroke fill markers"
+       x="50.294922"
+       y="28.212891"
+       id="text1"
+       inkscape:label="attribution"><tspan
+         sodipodi:role="line"
+         id="tspan1"
+         x="50.294922"
+         y="28.212891"
+         style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:8px;font-family:Sans;-inkscape-font-specification:'Sans, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal">Created by</tspan><tspan
+         sodipodi:role="line"
+         x="50.294922"
+         y="40.212891"
+         style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:8px;font-family:Sans;-inkscape-font-specification:'Sans, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal"
+         id="tspan5">Aaron Thompson</tspan><tspan
+         sodipodi:role="line"
+         x="50.294922"
+         y="52.212891"
+         id="tspan2"
+         style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:8px;font-family:Sans;-inkscape-font-specification:'Sans, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal">Graham Dungan</tspan><tspan
+         sodipodi:role="line"
+         x="50.294922"
+         y="64.212891"
+         id="tspan4"
+         style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:8px;font-family:Sans;-inkscape-font-specification:'Sans, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal">Karl Farrar</tspan><tspan
+         sodipodi:role="line"
+         x="50.294922"
+         y="76.212891"
+         id="tspan3"
+         style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:8px;font-family:Sans;-inkscape-font-specification:'Sans, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal">Maxim Mouget</tspan></text>
+  </g>
 </svg>
diff --git a/services/frontend/public/mlsec-title.svg b/services/frontend/public/mlsec-title.svg
new file mode 100644
index 0000000..8d27f1d
--- /dev/null
+++ b/services/frontend/public/mlsec-title.svg
@@ -0,0 +1,243 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   width="549.53137"
+   height="100"
+   viewBox="0 0 549.53137 100"
+   version="1.1"
+   id="svg1"
+   inkscape:version="1.3.2 (091e20e, 2023-11-25, custom)"
+   sodipodi:docname="mlsec-title-white.svg"
+   inkscape:export-filename="..\Downloads\logos-final\mlsec-title.svg"
+   inkscape:export-xdpi="300"
+   inkscape:export-ydpi="300"
+   xml:space="preserve"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:svg="http://www.w3.org/2000/svg"><sodipodi:namedview
+   id="namedview1"
+   pagecolor="#383838"
+   bordercolor="#000000"
+   borderopacity="0.25"
+   inkscape:showpageshadow="2"
+   inkscape:pageopacity="0.0"
+   inkscape:pagecheckerboard="0"
+   inkscape:deskcolor="#d1d1d1"
+   inkscape:document-units="px"
+   showgrid="true"
+   showguides="true"
+   inkscape:zoom="2.1220118"
+   inkscape:cx="277.56679"
+   inkscape:cy="45.475713"
+   inkscape:window-width="2560"
+   inkscape:window-height="1369"
+   inkscape:window-x="2552"
+   inkscape:window-y="-8"
+   inkscape:window-maximized="1"
+   inkscape:current-layer="layer1"
+   inkscape:export-bgcolor="#ffffff00"><inkscape:grid
+     id="grid1"
+     units="px"
+     originx="-5.3290705e-15"
+     originy="-5.3290705e-15"
+     spacingx="1"
+     spacingy="1"
+     empcolor="#0099e5"
+     empopacity="0.30196078"
+     color="#0099e5"
+     opacity="0.14901961"
+     empspacing="5"
+     dotted="false"
+     gridanglex="30"
+     gridanglez="30"
+     visible="true" /><sodipodi:guide
+     position="-5.3290705e-15,100"
+     orientation="0.70710678,0.70710678"
+     id="guide2"
+     inkscape:locked="false"
+     inkscape:label=""
+     inkscape:color="rgb(224,27,36)" /><sodipodi:guide
+     position="45,100"
+     orientation="-1,0"
+     id="guide3"
+     inkscape:locked="false"
+     inkscape:label=""
+     inkscape:color="rgb(224,27,36)" /><sodipodi:guide
+     position="-5.3290705e-15,55"
+     orientation="0,1"
+     id="guide4"
+     inkscape:locked="false"
+     inkscape:label=""
+     inkscape:color="rgb(224,27,36)" /><sodipodi:guide
+     position="54,46"
+     orientation="0.70710678,-0.70710678"
+     id="guide6"
+     inkscape:locked="false"
+     inkscape:label=""
+     inkscape:color="rgb(224,27,36)" /><sodipodi:guide
+     position="32,24"
+     orientation="0.70710678,0.70710678"
+     id="guide7"
+     inkscape:locked="false"
+     inkscape:label=""
+     inkscape:color="rgb(224,27,36)" /><sodipodi:guide
+     position="1,55"
+     orientation="0.70710678,-0.70710678"
+     id="guide8"
+     inkscape:locked="false"
+     inkscape:label=""
+     inkscape:color="rgb(145,65,172)" /><sodipodi:guide
+     position="45,99"
+     orientation="0.70710678,0.70710678"
+     id="guide9"
+     inkscape:locked="false"
+     inkscape:label=""
+     inkscape:color="rgb(224,27,36)" /><sodipodi:guide
+     position="14,42"
+     orientation="0.70710678,-0.70710678"
+     id="guide10"
+     inkscape:locked="false"
+     inkscape:label=""
+     inkscape:color="rgb(224,27,36)" /><sodipodi:guide
+     position="100,55"
+     orientation="1,0"
+     id="guide11"
+     inkscape:locked="false" /></sodipodi:namedview><defs
+   id="defs1"><inkscape:path-effect
+     effect="fillet_chamfer"
+     id="path-effect2"
+     is_visible="true"
+     lpeversion="1"
+     nodesatellites_param="F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 | F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 | F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 | F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 | F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 | F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 | F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 | F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 | F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1 @ F,0,0,1,0,5,0,1"
+     radius="5"
+     unit="px"
+     method="auto"
+     mode="F"
+     chamfer_steps="1"
+     flexible="false"
+     use_knot_distance="true"
+     apply_no_radius="true"
+     apply_with_radius="true"
+     only_selected="false"
+     hide_knots="false" /></defs><g
+   inkscape:label="Layer 1"
+   inkscape:groupmode="layer"
+   id="layer1"><g
+   inkscape:label="mlsec-logo"
+   id="layer1-6"
+   style="display:inline"><path
+     style="font-variation-settings:'wght' 700;display:inline;fill:none;stroke:#ffffff;stroke-width:8;stroke-linecap:round;stroke-dasharray:none;stroke-opacity:1;paint-order:stroke fill markers"
+     d="M 4,96 96,4"
+     id="path1"
+     inkscape:label="line"
+     sodipodi:nodetypes="cc" /><circle
+     style="font-variation-settings:'wght' 700;fill:#ffffff;fill-opacity:1;stroke:none;stroke-width:9.99999;stroke-linecap:round;stroke-dasharray:none;stroke-opacity:1;paint-order:stroke fill markers"
+     id="path2"
+     cx="17"
+     cy="55"
+     r="7"
+     inkscape:label="dot" /><circle
+     style="font-variation-settings:'wght' 700;fill:#ffffff;fill-opacity:1;stroke:none;stroke-width:9.99997;stroke-linecap:round;stroke-dasharray:none;stroke-opacity:1;paint-order:stroke fill markers"
+     id="path2-1"
+     cx="55"
+     cy="17"
+     r="7"
+     inkscape:label="dot" /><circle
+     style="font-variation-settings:'wght' 700;fill:#ffffff;fill-opacity:1;stroke:none;stroke-width:9.99994;stroke-linecap:round;stroke-dasharray:none;stroke-opacity:1;paint-order:stroke fill markers"
+     id="path2-6"
+     cx="18"
+     cy="18"
+     r="7"
+     inkscape:label="dot" /><g
+     inkscape:groupmode="layer"
+     id="layer3"
+     inkscape:label="long-arrow"
+     style="display:none"><path
+       style="font-variation-settings:'wght' 700;fill:none;fill-opacity:1;stroke:#000000;stroke-width:6;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1;paint-order:stroke fill markers"
+       d="M 97,97 33,33 v 11"
+       id="path5-5"
+       sodipodi:nodetypes="ccc" /><path
+       style="font-variation-settings:'wght' 700;fill:none;fill-opacity:1;stroke:#000000;stroke-width:6;stroke-linecap:round;stroke-dasharray:none;stroke-opacity:1;paint-order:stroke fill markers"
+       d="M 33,33 H 44"
+       id="path6-2"
+       sodipodi:nodetypes="cc" /></g><g
+     inkscape:groupmode="layer"
+     id="layer2"
+     inkscape:label="arrow"
+     style="display:inline"><path
+       style="font-variation-settings:'wght' 700;fill:none;fill-opacity:1;stroke:#ffffff;stroke-width:6;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1;paint-order:stroke fill markers"
+       d="M 97,97 54,54 v 11"
+       id="path5"
+       sodipodi:nodetypes="ccc" /><path
+       style="font-variation-settings:'wght' 700;fill:none;fill-opacity:1;stroke:#ffffff;stroke-width:6;stroke-linecap:round;stroke-dasharray:none;stroke-opacity:1;paint-order:stroke fill markers"
+       d="M 54,54 H 65"
+       id="path6"
+       sodipodi:nodetypes="cc" /></g><g
+     inkscape:groupmode="layer"
+     id="layer2-0"
+     inkscape:label="small-arrow"
+     transform="translate(-22,22)"><path
+       style="font-variation-settings:'wght' 700;fill:none;fill-opacity:1;stroke:#ffffff;stroke-width:6;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1;paint-order:stroke fill markers"
+       d="M 75,75 54,54 v 11"
+       id="path5-6"
+       sodipodi:nodetypes="ccc" /><path
+       style="font-variation-settings:'wght' 700;fill:none;fill-opacity:1;stroke:#ffffff;stroke-width:6;stroke-linecap:round;stroke-dasharray:none;stroke-opacity:1;paint-order:stroke fill markers"
+       d="M 54,54 H 65"
+       id="path6-8"
+       sodipodi:nodetypes="cc" /></g><g
+     inkscape:groupmode="layer"
+     id="layer2-0-7"
+     inkscape:label="small-arrow"
+     transform="translate(22,-22)"><path
+       style="font-variation-settings:'wght' 700;fill:none;fill-opacity:1;stroke:#ffffff;stroke-width:6;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1;paint-order:stroke fill markers"
+       d="M 75,75 54,54 v 11"
+       id="path5-6-2"
+       sodipodi:nodetypes="ccc" /><path
+       style="font-variation-settings:'wght' 700;fill:none;fill-opacity:1;stroke:#ffffff;stroke-width:6;stroke-linecap:round;stroke-dasharray:none;stroke-opacity:1;paint-order:stroke fill markers"
+       d="M 54,54 H 65"
+       id="path6-8-1"
+       sodipodi:nodetypes="cc" /></g></g><path
+   d="m 110,79.655998 v -59.408 a 5,5 135 0 1 5,-5 l 4.496,0 a 7.0734658,7.0734658 35.255232 0 1 6.66817,4.713512 l 16.19966,45.772976 a 1.7825979,1.7825979 0.13261118 0 0 3.35814,0.0078 l 16.44406,-45.78852 a 7.1083132,7.1083132 144.87738 0 1 6.68997,-4.70574 h 4.4 a 5,5 45 0 1 5,5 l 0,59.408 a 5,5 135 0 1 -5,5 h -0.512 a 5,5 45 0 1 -5,-5 v -45.296 a 0.84335921,0.84335921 9.5740687 0 0 -1.64006,-0.276632 L 150.18406,79.93263 a 7.0289442,7.0289442 144.57407 0 1 -6.64006,4.723368 6.3357699,6.3357699 40.03596 0 1 -5.62021,-4.721926 L 122.10821,34.513924 a 0.84561705,0.84561705 170.40078 0 0 -1.64421,0.278074 v 44.864 a 5,5 135 0 1 -5,5 l -0.464,0 a 5,5 45 0 1 -5,-5 z m 75.82738,10e-7 0.0411,-59.408002 a 5.003459,5.003459 135.01981 0 1 5.00346,-4.999999 h 0.416 a 5,5 45 0 1 5,5 l 0,50.384 a 5,5 45 0 0 5,5 h 22.064 a 5,5 45 0 1 5,5 4.5383133,4.5383133 141.17289 0 1 -5,4.024 l -32.528,0 a 4.9965434,4.9965434 45.019812 0 1 -4.99654,-4.999999 z m 66.32152,5.648643 c -2.6821,-0.341473 -6.9962,-1.474278 -9.5153,-2.598437 -2.16754,-0.967276 -5.71673,-3.231444 -7.63254,-5.212429 -1.48911,-1.539779 -3.74378,-4.890558 -4.59884,-7.507444 -0.72833,-2.229047 1.32421,-4.146334 4.08563,-4.146334 h 0.704 c 2.76142,0 5.37871,2.304589 6.88398,4.601144 0.65076,0.992826 2.89194,3.388454 5.34186,4.634211 1.1171,0.568034 4.21498,1.67557 6.9517,1.999998 1.80983,0.214545 5.56575,0.262007 8.25794,-0.327895 1.49982,-0.328637 4.89045,-1.466995 6.99988,-3.228113 0.78792,-0.657823 2.99658,-3.081362 3.38652,-5.774947 0.12059,-0.833082 0.30535,-4.006595 -1.20667,-6.268332 -0.63377,-0.948 -3.11286,-3.035796 -5.65639,-4.077024 -1.98285,-0.811706 -5.85944,-1.74645 -8.53949,-2.411844 L 253.39652,53.9408 c -2.68005,-0.665394 -7.05404,-1.67905 -9.62903,-2.670781 -2.33986,-0.901177 -6.13154,-3.027574 -7.99742,-5.049617 -1.30049,-1.409337 -3.22291,-4.778203 -3.76068,-7.474516 -0.48186,-2.416051 -0.49935,-6.728781 0.21305,-9.388542 0.10568,-0.394575 0.22482,-0.782714 0.35741,-1.164418 0.90262,-2.598401 3.64781,-6.261076 5.78175,-8.002657 0.40265,-0.328623 0.82005,-0.644311 1.25219,-0.947065 2.2576,-1.581664 6.43398,-3.325735 9.11919,-3.955356 1.05957,-0.248446 2.15028,-0.445674 3.27212,-0.591683 2.73642,-0.356147 7.2356,-0.357467 9.97575,-0.02884 1.5153,0.181732 2.9491,0.450887 4.30141,0.807467 2.66543,0.70283 6.74324,2.68218 8.91156,4.384265 0.41957,0.329357 0.82151,0.670271 1.20581,1.02274 2.02899,1.860943 4.50475,5.700414 5.34699,8.321884 0.0635,0.197793 0.12364,0.396547 0.18029,0.596263 0.75129,2.648655 -1.54164,4.93605 -4.30306,4.93605 h -0.464 c -2.76142,0 -5.06598,-2.333851 -6.23907,-4.818779 -0.61281,-1.298094 -2.82567,-4.060553 -5.27457,-5.291527 -0.88083,-0.44276 -3.78276,-1.4666 -6.52515,-1.727721 -1.35685,-0.129192 -4.7377,-0.214821 -7.43364,0.359371 -0.47206,0.10054 -0.9264,0.217096 -1.36302,0.349669 -2.62205,0.796135 -6.28752,3.802089 -7.28977,6.346957 -0.70755,1.796595 -0.84026,5.915191 0.64029,8.200144 0.60535,0.934236 3.06837,3.010998 5.62897,4.007846 1.86592,0.726403 5.63751,1.605665 8.31872,2.266393 l 3.73048,0.919294 c 2.68121,0.660728 7.06833,1.621213 9.65425,2.583534 0.3279,0.122023 0.64846,0.248065 0.96167,0.378125 2.5442,1.05647 6.29653,3.657797 8.00795,5.813351 1.23822,1.559575 2.8725,5.135166 3.30334,7.854262 0.28911,1.824589 0.34008,5.622919 -0.38541,8.278815 -0.10651,0.389895 -0.22628,0.774597 -0.35933,1.154105 -0.91047,2.596979 -3.61004,6.286486 -5.72788,8.04736 -0.47394,0.394056 -0.97013,0.771931 -1.48857,1.133623 -2.26127,1.577584 -6.41427,3.368703 -9.0945,4.018442 -1.30821,0.317136 -2.6747,0.559345 -4.09946,0.726627 -2.74103,0.321826 -7.23877,0.317273 -9.97625,-0.03125 z m 35.42111,-5.648644 0,-59.408 a 5,5 135 0 1 5,-5 h 34.832 a 4.9731905,4.9731905 45.154019 0 1 4.97312,4.999928 4.5200146,4.5200146 141.96357 0 1 -5.02112,3.928072 l -24.464,0 a 5,5 135 0 0 -5,5 v 11.072 a 5,5 45 0 0 5,5 h 20.768 a 5,5 45 0 1 5,5 4.4338841,4.4338841 142.88156 0 1 -5,3.784 l -20.816,0 a 5,5 135 0 0 -5,5 l 0,11.552 a 5.0067889,5.0067889 45.038871 0 0 5,5.006784 l 25.376,0.03443 a 5.0067889,5.0067889 45.038871 0 1 5,5.006784 4.5383133,4.5383133 141.17289 0 1 -5,4.024 h -35.648 a 5,5 45 0 1 -5,-5 z m 71.01272,5.631355 c -2.38518,-0.327927 -4.61766,-0.901263 -6.69744,-1.720006 -2.56535,-1.009895 -6.36843,-3.463507 -8.35711,-5.373455 -1.50246,-1.442982 -2.84463,-3.073387 -4.0265,-4.891214 -1.5037,-2.312835 -3.31176,-6.439569 -4.07413,-9.091486 -0.84594,-2.94257 -1.40325,-6.14256 -1.67193,-9.599971 -0.2139,-2.752431 -0.21465,-7.238153 0.002,-9.990326 0.2669,-3.385497 0.81512,-6.508685 1.64466,-9.369562 0.76838,-2.649961 2.59225,-6.772466 4.11243,-9.07416 1.15028,-1.741627 2.45617,-3.299361 3.91765,-4.673202 2.00871,-1.888246 5.85891,-4.270283 8.43744,-5.246295 2.08218,-0.788133 4.31931,-1.339747 6.71141,-1.654843 2.73581,-0.360372 7.24144,-0.366624 9.96806,0.05309 1.27305,0.195961 2.50329,0.4702 3.69072,0.822719 2.6429,0.784608 6.64978,2.888722 8.80934,4.603384 0.67603,0.536757 1.31928,1.103565 1.92974,1.700424 1.97112,1.927197 4.5234,5.67071 5.59933,8.208899 0.3062,0.722341 0.57685,1.458309 0.81196,2.207905 0.82505,2.630577 -1.22924,4.888748 -3.99066,4.888748 h -0.944 c -2.76142,0 -5.33493,-2.258575 -6.48862,-4.759414 -0.61972,-1.343348 -2.4539,-4.355004 -4.62011,-6.044761 -1.06695,-0.832276 -4.04864,-2.49564 -6.7584,-2.951892 -1.7816,-0.29997 -5.54149,-0.352576 -8.21678,0.304304 -0.18529,0.0455 -0.36884,0.09375 -0.55062,0.144747 -2.64735,0.742711 -6.46535,3.329268 -8.092,5.543741 -0.1768,0.240692 -0.349,0.488682 -0.51659,0.743972 -1.51211,2.303343 -2.97352,6.593086 -3.47757,9.305146 -0.30843,1.659521 -0.53186,3.456213 -0.67027,5.390075 -0.19711,2.753794 -0.19626,7.23822 -0.003,9.992299 0.31056,4.422799 1.05644,8.155224 2.23766,11.197275 0.99676,2.566998 3.63414,6.316824 5.86876,7.919385 1.53677,1.102099 3.27193,1.896348 5.20549,2.382746 2.67121,0.671961 7.2525,0.688898 9.8921,-0.0894 1.74702,-0.515121 5.05031,-2.416068 6.85074,-4.494488 0.95536,-1.102867 2.79684,-4.043992 3.64419,-6.6653 0.48456,-1.498985 2.93348,-2.766432 5.6949,-2.766432 l 0.944,0 c 2.76142,0 4.758,2.241805 3.99507,4.892879 -0.63138,2.193949 -2.25477,5.988462 -3.84763,8.238282 -1.30846,1.848131 -4.18693,4.80339 -6.51487,6.276724 -2.16416,1.369677 -6.23424,2.940091 -8.94789,3.427586 -0.4995,0.08973 -1.00931,0.168293 -1.52944,0.235682 -2.73664,0.354563 -7.23897,0.352027 -9.97253,-0.0238 z m 58.31353,-5.631355 v -3.88 c 1.01941,-7.368537 2.9613,-11.208942 4.71988,-13.331146 1.2792,-1.543677 4.18195,-4.127294 6.43903,-5.715444 1.73788,-1.222832 5.18095,-3.191064 7.60074,-4.521437 1.90577,-1.047773 5.45335,-2.904801 7.81043,-4.342639 1.57214,-0.959018 4.72566,-3.024212 6.59038,-5.053197 0.85979,-0.93554 2.87901,-3.677761 3.30812,-6.380401 0.17647,-1.111485 0.30801,-4.410555 -0.86912,-6.883045 -0.97251,-2.042684 -4.20081,-4.855948 -6.81795,-5.667881 -0.0743,-0.02305 -0.14904,-0.04554 -0.22423,-0.06747 -2.64208,-0.770634 -7.23509,-0.755163 -9.88481,-0.0091 -0.40195,0.113176 -0.79383,0.241452 -1.17565,0.384826 -2.56978,0.964969 -6.02538,4.086146 -7.2415,6.54691 -0.17771,0.359594 -0.34174,0.730329 -0.49209,1.112205 -1.00839,2.561239 -3.36181,4.8558 -6.12323,4.8558 h -0.08 c -2.76142,0 -5.0089,-2.266056 -4.40761,-4.956653 0.13153,-0.588573 0.28469,-1.168418 0.45947,-1.739538 0.8065,-2.635281 3.04273,-6.598232 4.95604,-8.579111 0.43851,-0.453998 0.90099,-0.889909 1.38745,-1.307735 2.09073,-1.795751 6.10574,-3.912151 8.75722,-4.66382 1.34984,-0.382667 2.78318,-0.671398 4.30002,-0.866191 2.73707,-0.351496 7.24045,-0.355801 9.9718,0.03462 0.94736,0.135418 1.86321,0.311579 2.74754,0.528481 2.67689,0.656573 6.79384,2.579326 8.93762,4.309576 0.23521,0.18984 0.4648,0.384404 0.68877,0.583692 2.05639,1.829816 4.5165,5.689907 5.29502,8.329759 0.0986,0.33421 0.18822,0.673018 0.26899,1.016424 0.63077,2.6821 0.63539,7.230053 0.0555,9.924622 -0.51742,2.404235 -2.45509,6.252706 -4.22784,8.362321 -1.22949,1.463126 -4.10015,3.969474 -6.38371,5.518957 -1.64116,1.113583 -5.01372,2.971469 -7.45511,4.261773 -1.80511,0.95402 -5.2959,2.687422 -7.66776,4.100339 -1.4974,0.892004 -4.62127,2.86252 -6.50718,4.870877 -0.79458,0.846173 -2.78923,3.506267 -3.18109,6.211501 -0.14953,1.032336 -0.13113,2.421355 -0.13113,3.084102 h 31.288 a 5,5 45 0 1 5,5 4.4960641,4.4960641 141.84682 0 1 -5,3.928 l -37.712,0 a 5,5 45 0 1 -5,-5 z m 60.40014,0 v -2.384 a 5,5 135 0 1 5,-5 h 1.856 a 5,5 45 0 1 5,5 v 2.384 a 5,5 135 0 1 -5,5 l -1.856,0 a 5,5 45 0 1 -5,-5 z m 32.45067,5.614027 c -3.8872,-0.726833 -7.27583,-2.35013 -10.16589,-4.869891 -2.07766,-1.81145 -4.76951,-5.453947 -5.98273,-7.930057 -2.25861,-4.609719 -3.60062,-10.370072 -4.02603,-17.28106 -0.16963,-2.755773 -0.17003,-7.238382 0.003,-9.993905 0.22882,-3.63738 0.71704,-6.959486 1.46467,-9.96632 0.66585,-2.677957 2.27099,-6.885177 3.63944,-9.280787 0.88992,-1.557899 1.87947,-2.961657 2.96865,-4.211275 1.8104,-2.077081 5.49641,-4.739593 8.0492,-5.775714 1.30449,-0.52946 2.67107,-0.933251 4.09974,-1.211373 2.70637,-0.526853 7.23583,-0.528384 9.94162,0.0012 3.82346,0.74829 7.17412,2.403975 10.05199,4.967056 2.05865,1.833476 4.74979,5.473801 5.97479,7.944128 2.30405,4.646358 3.6714,10.458692 4.10203,17.437002 0.17006,2.755745 0.17014,7.238283 -5.8e-4,9.993984 -0.42904,6.92579 -1.78431,12.703583 -4.06581,17.333378 -1.21886,2.473404 -3.9073,6.117438 -5.97791,7.937038 -2.88358,2.534013 -6.26046,4.167619 -10.13065,4.900819 -2.7092,0.513253 -7.23533,0.512625 -9.94585,0.0058 z m 9.90688,-9.194862 c 0.93282,-0.38434 1.79564,-0.891663 2.58846,-1.521969 2.14835,-1.707992 4.28788,-5.797011 5.03253,-8.44932 0.83237,-2.96473 1.35932,-6.618689 1.58087,-10.961877 0.14067,-2.757536 0.13997,-7.238356 0.003,-9.996117 -0.22347,-4.510947 -0.76654,-8.293187 -1.62922,-11.346719 -0.74902,-2.651208 -2.8678,-6.741552 -4.97747,-8.499275 -0.81294,-0.677316 -1.69798,-1.220435 -2.65513,-1.629355 -2.52198,-1.077461 -7.23313,-1.073815 -9.75096,0.01241 -0.96958,0.418289 -1.86833,0.975154 -2.69625,1.670597 -2.1034,1.766819 -4.25736,5.832207 -5.02748,8.477348 -0.88914,3.053937 -1.4493,6.825655 -1.68048,11.315153 -0.14198,2.757462 -0.14264,7.238555 0.003,9.995827 0.2284,4.329979 0.77071,7.974309 1.62693,10.932989 0.76576,2.646078 2.9587,6.698538 5.10515,8.411115 0.83008,0.662288 1.73176,1.192461 2.70504,1.59052 2.53975,1.038716 7.23501,1.043889 9.77185,-0.0013 z"
+   id="text1"
+   style="font-size:96px;line-height:0.9;font-family:'Public Sans';-inkscape-font-specification:'Public Sans, @wght=500';font-variation-settings:'wght' 500;text-align:center;letter-spacing:-10px;text-anchor:middle;stroke-width:6;stroke-linecap:round;stroke-linejoin:round;paint-order:stroke fill markers;fill:#ffffff;fill-opacity:1"
+   inkscape:label="MLSEC 2.0"
+   aria-label="MLSEC  2 .0"
+   inkscape:path-effect="#path-effect2"
+   inkscape:original-d="m 110,84.655998 v -69.408 h 14.496 l 19.536,55.2 19.824,-55.2 h 14.4 v 69.408 h -10.512 v -55.296 l -19.2,55.296 h -8.976 l -19.104,-54.864 v 54.864 z m 75.82392,0 0.048,-69.408 h 10.416 v 60.384 h 32.064 v 9.024 z m 71.31193,0.96 q -5.088,0 -9.792,-1.248 -4.656,-1.248 -8.496,-3.696 -3.792,-2.496 -6.288,-6.192 -2.448,-3.696 -3.072,-8.64 h 10.704 q 0.816,3.744 3.216,6.288 2.448,2.544 6.096,3.84 3.696,1.296 8.16,1.296 4.128,0 7.632,-1.296 3.504,-1.296 5.664,-3.744 2.16,-2.448 2.16,-6 0,-3.984 -2.688,-6.288 -2.64,-2.352 -7.968,-3.744 l -13.92,-3.456 q -5.04,-1.2 -8.88,-3.408 -3.84,-2.256 -5.952,-5.904 -2.112,-3.696 -2.112,-9.12 0,-6.048 3.312,-10.512 3.36,-4.512 9.072,-6.96 5.76,-2.448 13.008,-2.448 8.304,0 13.968,2.832 5.712,2.832 8.64,7.488 2.976,4.608 3.024,10.032 h -10.464 q -0.432,-4.416 -2.64,-7.008 -2.16,-2.64 -5.52,-3.792 -3.312,-1.152 -7.344,-1.152 -7.104,0 -10.704,3.168 -3.552,3.12 -3.552,7.44 0,3.984 2.592,6.288 2.64,2.304 7.776,3.552 l 13.44,3.312 q 6.336,1.392 10.128,4.176 3.84,2.736 5.52,6.48 1.68,3.696 1.68,8.112 0,5.904 -3.312,10.512 -3.312,4.56 -9.264,7.2 -5.904,2.592 -13.824,2.592 z m 30.43416,-0.96 v -69.408 h 44.832 l -0.048,8.928 h -34.464 v 21.072 h 30.768 v 8.784 h -30.816 v 21.552 l 35.376,0.048 v 9.024 z m 75.99801,0.96 q -9.408,0 -16.128,-4.32 -6.72,-4.368 -10.32,-12.384 -3.552,-8.064 -3.552,-19.296 0,-11.184 3.552,-19.056 3.552,-7.92 10.272,-12.096 6.72,-4.176 16.176,-4.176 7.488,0 13.296,3.072 5.808,3.072 9.312,8.256 3.552,5.184 4.224,11.472 h -10.944 q -0.72,-3.936 -2.784,-7.104 -2.016,-3.216 -5.376,-5.04 -3.36,-1.872 -7.968,-1.872 -5.904,0 -10.032,2.784 -4.128,2.784 -6.288,8.688 -2.112,5.904 -2.112,15.216 0,14.064 4.752,20.592 4.752,6.48 13.68,6.48 4.608,0 7.968,-1.968 3.36,-2.016 5.376,-5.328 2.064,-3.36 2.784,-7.296 h 10.944 q -0.576,4.56 -2.4,8.784 -1.824,4.176 -5.088,7.488 -3.216,3.312 -8.016,5.232 -4.8,1.872 -11.328,1.872 z m 53.32824,-0.96 v -5.808 -3.072 q 0,-5.28 1.968,-9.168 2.016,-3.888 5.28,-6.768 3.264,-2.928 7.152,-5.184 3.936,-2.256 7.824,-4.32 3.888,-2.064 7.152,-4.272 3.264,-2.256 5.232,-5.04 2.016,-2.832 2.016,-6.624 0,-4.992 -3.504,-8.112 -3.504,-3.12 -9.504,-3.12 -6.384,0 -10.368,3.6 -3.984,3.6 -4.608,9.936 h -10.08 q 0.144,-6.192 3.024,-11.28 2.88,-5.088 8.496,-8.112 5.616,-3.024 13.92,-3.024 7.2,0 12.432,2.544 5.28,2.496 8.16,7.008 2.88,4.512 2.88,10.512 0,5.328 -1.968,9.168 -1.968,3.84 -5.184,6.624 -3.168,2.784 -7.008,4.944 -3.84,2.112 -7.68,4.08 -3.84,1.92 -7.056,4.08 -3.216,2.112 -5.184,4.8 -1.968,2.688 -1.968,6.48 v 1.2 h 36.288 v 8.928 z m 60.40014,0 v -12.384 h 11.856 v 12.384 z m 37.42395,1.056 q -11.76,0 -18.528,-8.976 -6.768,-9.024 -6.768,-26.544 0,-11.76 3.12,-19.728 3.12,-8.016 8.784,-12.096 5.712,-4.08 13.44,-4.08 11.568,0 18.384,9.12 6.864,9.072 6.864,26.688 0,17.52 -6.816,26.592 -6.768,9.024 -18.48,9.024 z m 0.048,-8.736 q 7.104,0 10.656,-6.24 3.552,-6.288 3.552,-20.592 0,-14.592 -3.6,-20.976 -3.6,-6.432 -10.656,-6.432 -7.008,0 -10.704,6.48 -3.696,6.432 -3.696,20.928 0,14.256 3.648,20.544 3.696,6.288 10.8,6.288 z"
+   transform="translate(9.536,0.208002)" />
+<text
+   xml:space="preserve"
+   style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:12px;line-height:1;font-family:arial;-inkscape-font-specification:arial;text-align:center;letter-spacing:0px;text-anchor:middle;display:none;fill:#000000;stroke-width:6;stroke-linecap:square;paint-order:stroke fill markers"
+   x="50.294922"
+   y="28.212891"
+   id="text2"
+   inkscape:label="attribution"><tspan
+     sodipodi:role="line"
+     id="tspan1"
+     x="50.294922"
+     y="28.212891"
+     style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:8px;font-family:Sans;-inkscape-font-specification:'Sans, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal">Created by</tspan><tspan
+     sodipodi:role="line"
+     x="50.294922"
+     y="40.212891"
+     style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:8px;font-family:Sans;-inkscape-font-specification:'Sans, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal"
+     id="tspan5">Aaron Thompson</tspan><tspan
+     sodipodi:role="line"
+     x="50.294922"
+     y="52.212891"
+     id="tspan2"
+     style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:8px;font-family:Sans;-inkscape-font-specification:'Sans, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal">Graham Dungan</tspan><tspan
+     sodipodi:role="line"
+     x="50.294922"
+     y="64.212891"
+     id="tspan4"
+     style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:8px;font-family:Sans;-inkscape-font-specification:'Sans, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal">Karl Farrar</tspan><tspan
+     sodipodi:role="line"
+     x="50.294922"
+     y="76.212891"
+     id="tspan3"
+     style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:8px;font-family:Sans;-inkscape-font-specification:'Sans, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal">Maxim Mouget</tspan></text>
+</g>
+</svg>
diff --git a/services/frontend/src/components/Attack_submit.astro b/services/frontend/src/components/Attack_submit.astro
index 732523b..f2c1b53 100644
--- a/services/frontend/src/components/Attack_submit.astro
+++ b/services/frontend/src/components/Attack_submit.astro
@@ -1,9 +1,11 @@
 ---
 ---
 
-<div class="flex flex-col flex-1 bg-white border border-gray-200 shadow-sm ml-6 mr-3 mb-6 mt-3 p-6 rounded-xl">
+<div class="flex flex-col bg-white border border-gray-200 shadow-sm ml-6 mr-3 mb-6 mt-3 p-6 rounded-xl">
   <h2 class="text-xl font-semibold text-gray-900 mb-5">Attack Submission</h2>
 
+  <p id="attack-cooldown" class="hidden text-xs text-amber-700 bg-amber-50 border border-amber-200 rounded-lg px-3 py-2 mb-3"></p>
+
   <form id="attack-form" class="flex flex-col gap-4">
 
     <div>
@@ -90,6 +92,74 @@
     }
   });
 
+  function _extractDetail(detail: unknown): string {
+    if (typeof detail === 'string') return detail;
+    if (Array.isArray(detail) && detail.length > 0) {
+      return (detail as { msg?: string }[]).map(e => e.msg ?? String(e)).join('; ');
+    }
+    return 'An unexpected error occurred.';
+  }
+
+  function _attachDismiss(el: HTMLElement) {
+    const btn = document.createElement('button');
+    btn.type = 'button';
+    btn.textContent = '×';
+    btn.className = 'ml-3 text-current opacity-60 hover:opacity-100 leading-none flex-shrink-0';
+    btn.setAttribute('aria-label', 'Dismiss');
+    btn.addEventListener('click', () => {
+      el.className = 'hidden text-sm rounded-lg px-3 py-2';
+      el.textContent = '';
+    });
+    el.appendChild(btn);
+  }
+
+  (function initAttackCooldown() {
+    const cooldownEl = document.getElementById('attack-cooldown') as HTMLParagraphElement;
+    let timer: ReturnType<typeof setInterval> | null = null;
+
+    function startCountdown(seconds: number) {
+      let remaining = seconds;
+      if (timer) clearInterval(timer);
+
+      function tick() {
+        if (remaining <= 0) {
+          cooldownEl.classList.add('hidden');
+          cooldownEl.textContent = '';
+          if (timer) clearInterval(timer);
+          return;
+        }
+        const mm = String(Math.floor(remaining / 60)).padStart(2, '0');
+        const ss = String(remaining % 60).padStart(2, '0');
+        cooldownEl.textContent = `You can submit again in ${mm}:${ss}`;
+        cooldownEl.classList.remove('hidden');
+        remaining--;
+      }
+
+      tick();
+      timer = setInterval(tick, 1000);
+    }
+
+    async function checkCooldown() {
+      try {
+        const res = await fetch('/api/submissions/cooldown');
+        if (!res.ok) return;
+        const data = await res.json();
+        const secs: number | null = data.attack_remaining_seconds;
+        if (secs && secs > 0) {
+          startCountdown(secs);
+        }
+      } catch {}
+    }
+
+    checkCooldown();
+
+    document.addEventListener('submission-created', (e: Event) => {
+      if ((e as CustomEvent).detail?.type === 'attack') {
+        checkCooldown();
+      }
+    });
+  })();
+
   document.getElementById('attack-form')!.addEventListener('submit', async (e) => {
     e.preventDefault();
 
@@ -102,7 +172,8 @@
 
     if (!file) {
       feedback.textContent = 'Please select a ZIP file.';
-      feedback.className   = 'text-sm rounded-lg px-3 py-2 bg-red-50 text-red-700 border border-red-200';
+      feedback.className   = 'flex items-center justify-between text-sm rounded-lg px-3 py-2 bg-red-50 text-red-700 border border-red-200';
+      _attachDismiss(feedback);
       return;
     }
 
@@ -118,10 +189,11 @@
 
       const res  = await fetch('/api/submissions/attack/zip', { method: 'POST', body: fd });
       const data = await res.json();
-      if (!res.ok) throw new Error(data.detail ?? `Error ${res.status}`);
+      if (!res.ok) throw new Error(_extractDetail(data.detail) || `Error ${res.status}`);
 
       feedback.textContent = `Submitted (ID: ${data.submission_id})`;
-      feedback.className   = 'text-sm rounded-lg px-3 py-2 bg-green-50 text-green-700 border border-green-200';
+      feedback.className   = 'flex items-center justify-between text-sm rounded-lg px-3 py-2 bg-green-50 text-green-700 border border-green-200';
+      _attachDismiss(feedback);
       (e.target as HTMLFormElement).reset();
       attackIdleView.classList.remove('hidden');
       attackChosenView.classList.add('hidden');
@@ -130,7 +202,8 @@
 
     } catch (err: unknown) {
       feedback.textContent = (err instanceof Error ? err.message : null) ?? 'Submission failed.';
-      feedback.className   = 'text-sm rounded-lg px-3 py-2 bg-red-50 text-red-700 border border-red-200';
+      feedback.className   = 'flex items-center justify-between text-sm rounded-lg px-3 py-2 bg-red-50 text-red-700 border border-red-200';
+      _attachDismiss(feedback);
     } finally {
       btn.disabled    = false;
       btn.textContent = 'Submit Attack';
diff --git a/services/frontend/src/components/Defense_submit.astro b/services/frontend/src/components/Defense_submit.astro
index 313150e..0ff006e 100644
--- a/services/frontend/src/components/Defense_submit.astro
+++ b/services/frontend/src/components/Defense_submit.astro
@@ -1,8 +1,10 @@
 ---
 ---
 
-<div class="flex flex-col flex-1 bg-white border border-gray-200 shadow-sm ml-6 mr-3 mt-6 mb-3 p-6 rounded-xl">
-  <h2 class="text-xl font-semibold text-gray-900 mb-5">Model Submission</h2>
+<div class="flex flex-col bg-white border border-gray-200 shadow-sm ml-6 mr-3 mt-6 mb-3 p-6 rounded-xl">
+  <h2 class="text-xl font-semibold text-gray-900 mb-5">Defense Submission</h2>
+
+  <p id="defense-cooldown" class="hidden text-xs text-amber-700 bg-amber-50 border border-amber-200 rounded-lg px-3 py-2 mb-3"></p>
 
   <form id="defense-form" class="flex flex-col gap-4">
 
@@ -95,7 +97,7 @@
       type="submit"
       class="w-full bg-primary hover:bg-secondary text-white font-semibold py-2.5 rounded-lg transition duration-200"
     >
-      Submit Model
+      Submit Defense
     </button>
 
   </form>
@@ -146,6 +148,74 @@
 </script>
 
 <script>
+  function _extractDetail(detail: unknown): string {
+    if (typeof detail === 'string') return detail;
+    if (Array.isArray(detail) && detail.length > 0) {
+      return (detail as { msg?: string }[]).map(e => e.msg ?? String(e)).join('; ');
+    }
+    return 'An unexpected error occurred.';
+  }
+
+  function _attachDismiss(el: HTMLElement) {
+    const btn = document.createElement('button');
+    btn.type = 'button';
+    btn.textContent = '×';
+    btn.className = 'ml-3 text-current opacity-60 hover:opacity-100 leading-none flex-shrink-0';
+    btn.setAttribute('aria-label', 'Dismiss');
+    btn.addEventListener('click', () => {
+      el.className = 'hidden text-sm rounded-lg px-3 py-2';
+      el.textContent = '';
+    });
+    el.appendChild(btn);
+  }
+
+  (function initDefenseCooldown() {
+    const cooldownEl = document.getElementById('defense-cooldown') as HTMLParagraphElement;
+    let timer: ReturnType<typeof setInterval> | null = null;
+
+    function startCountdown(seconds: number) {
+      let remaining = seconds;
+      if (timer) clearInterval(timer);
+
+      function tick() {
+        if (remaining <= 0) {
+          cooldownEl.classList.add('hidden');
+          cooldownEl.textContent = '';
+          if (timer) clearInterval(timer);
+          return;
+        }
+        const mm = String(Math.floor(remaining / 60)).padStart(2, '0');
+        const ss = String(remaining % 60).padStart(2, '0');
+        cooldownEl.textContent = `You can submit again in ${mm}:${ss}`;
+        cooldownEl.classList.remove('hidden');
+        remaining--;
+      }
+
+      tick();
+      timer = setInterval(tick, 1000);
+    }
+
+    async function checkCooldown() {
+      try {
+        const res = await fetch('/api/submissions/cooldown');
+        if (!res.ok) return;
+        const data = await res.json();
+        const secs: number | null = data.defense_remaining_seconds;
+        if (secs && secs > 0) {
+          startCountdown(secs);
+        }
+      } catch {}
+    }
+
+    checkCooldown();
+
+    document.addEventListener('submission-created', (e: Event) => {
+      if ((e as CustomEvent).detail?.type === 'defense') {
+        checkCooldown();
+      }
+    });
+  })();
+
   document.getElementById('defense-form')!.addEventListener('submit', async (e) => {
     e.preventDefault();
 
@@ -188,10 +258,11 @@
       }
 
       const data = await res.json();
-      if (!res.ok) throw new Error(data.detail ?? `Error ${res.status}`);
+      if (!res.ok) throw new Error(_extractDetail(data.detail) || `Error ${res.status}`);
 
       feedback.textContent = `Submitted (ID: ${data.submission_id})`;
-      feedback.className   = 'text-sm rounded-lg px-3 py-2 bg-green-50 text-green-700 border border-green-200';
+      feedback.className   = 'flex items-center justify-between text-sm rounded-lg px-3 py-2 bg-green-50 text-green-700 border border-green-200';
+      _attachDismiss(feedback);
       (e.target as HTMLFormElement).reset();
       document.getElementById('defense-file-idle')!.classList.remove('hidden');
       document.getElementById('defense-file-chosen')!.classList.add('hidden');
@@ -200,10 +271,11 @@
 
     } catch (err: unknown) {
       feedback.textContent = (err instanceof Error ? err.message : null) ?? 'Submission failed.';
-      feedback.className   = 'text-sm rounded-lg px-3 py-2 bg-red-50 text-red-700 border border-red-200';
+      feedback.className   = 'flex items-center justify-between text-sm rounded-lg px-3 py-2 bg-red-50 text-red-700 border border-red-200';
+      _attachDismiss(feedback);
     } finally {
       btn.disabled    = false;
-      btn.textContent = 'Submit Model';
+      btn.textContent = 'Submit Defense';
     }
   });
 </script>
diff --git a/services/frontend/src/components/EvaluationMatrix.tsx b/services/frontend/src/components/EvaluationMatrix.tsx
index 64e2c82..eceea82 100644
--- a/services/frontend/src/components/EvaluationMatrix.tsx
+++ b/services/frontend/src/components/EvaluationMatrix.tsx
@@ -24,28 +24,28 @@ interface LeaderboardData {
 
 /**
  * Maps a score (0.0 to 1.0) to an RGB color.
- * 0%  = red   rgb(220, 50, 50)
- * 50% = white rgb(255, 255, 255)
- * 100% = green rgb(50, 175, 80)
+ * 0%  = orange   rgb(254, 179, 56)
+ * 50% = white rgb(230, 230, 230)
+ * 100% = blue rgb(2, 81, 150)
  */
 function scoreToColor(score: number): string {
   const s = Math.max(0, Math.min(1, score));
   if (s <= 0.5) {
     const t = s / 0.5;
-    const r = Math.round(220 + (255 - 220) * t);
-    const g = Math.round(50  + (255 - 50)  * t);
-    const b = Math.round(50  + (255 - 50)  * t);
+    const r = Math.round(254 + (230 - 254) * t);
+    const g = Math.round(179  + (230 - 179)  * t);
+    const b = Math.round(56  + (230 - 56)  * t);
     return `rgb(${r},${g},${b})`;
   }
   const t = (s - 0.5) / 0.5;
-  const r = Math.round(255 + (50  - 255) * t);
-  const g = Math.round(255 + (175 - 255) * t);
-  const b = Math.round(255 + (80  - 255) * t);
+  const r = Math.round(230 + (2  - 230) * t);
+  const g = Math.round(230 + (81 - 230) * t);
+  const b = Math.round(230 + (150  - 230) * t);
   return `rgb(${r},${g},${b})`;
 }
 
 function textColorForScore(score: number): string {
-  return score < 0.35 || score > 0.65 ? '#ffffff' : '#374151';
+  return score > 0.70 ? '#ffffff' : '#374151';
 }
 
 export default function EvaluationMatrix() {
@@ -82,10 +82,10 @@ export default function EvaluationMatrix() {
 
   const { attackers, defenders, scores } = data;
 
-  if (attackers.length === 0 && defenders.length === 0) {
+  if (attackers.length === 0 || defenders.length === 0) {
     return (
       <p className="text-sm text-gray-500">
-        No active submissions yet. Once participants activate a submission, the matrix will appear here.
+        The matrix will appear once there is at least one active attack submission and one active defense submission.
       </p>
     );
   }
@@ -126,47 +126,77 @@ export default function EvaluationMatrix() {
         </div>
       )}
 
-      <div className="overflow-x-auto rounded-xl border border-gray-200 bg-white shadow-sm">
-        <table className="min-w-full border-collapse text-sm">
-          <thead>
+      <div className="overflow-x-auto">
+        <div className="w-fit rounded-xl border border-gray-200 bg-white shadow-sm">
+        <table className="w-auto border-collapse text-sm">
+          <tbody>
+            {/* Row 1: Attack axis label. Spans name col + all score cols (no separate corner cell). */}
+            <tr>
+              <th className="sticky left-0 z-10 bg-white border-b border-r border-gray-200 w-7 min-w-[28px]" />
+              {attackers.length > 0 && (
+                <th
+                  colSpan={attackers.length + 1}
+                  className="border-b border-r border-gray-200 bg-white py-1.5 text-center text-xs font-semibold text-gray-600"
+                >
+                  Attack
+                </th>
+              )}
+            </tr>
+            {/* Row 2: Column headers. Defense label starts here and spans down through all defender rows. */}
             <tr>
-              <th className="sticky left-0 z-10 bg-gray-50 border-b border-r border-gray-200 px-4 py-3 text-left text-xs font-semibold text-gray-500 whitespace-nowrap">
-                Defense \ Attack
+              <th
+                rowSpan={defenders.length + 1}
+                className="sticky left-0 z-10 bg-white border-r border-gray-200 w-7 min-w-[28px]"
+                style={{ verticalAlign: 'middle', textAlign: 'center' }}
+              >
+                <span
+                  className="text-xs font-semibold text-gray-600 select-none"
+                  style={{ writingMode: 'vertical-rl', transform: 'rotate(180deg)', display: 'inline-block' }}
+                >
+                  Defense
+                </span>
               </th>
-              {attackers.map(atk => (
+              <th className="sticky left-7 z-10 bg-white border-b border-r border-gray-200 px-2 py-2 md:px-4 md:py-3 w-[112px] min-w-[112px] md:w-[160px] md:min-w-[160px]" />
+              {attackers.map((atk, ai) => (
                 <th
                   key={atk.submission_id}
-                  className="border-b border-r border-gray-200 px-4 py-3 text-center bg-gray-50 whitespace-nowrap"
+                  className={`border-b border-r border-gray-200 px-1 py-2 md:px-3 md:py-3 text-center w-[96px] min-w-[96px] max-w-[96px] md:w-[144px] md:min-w-[144px] md:max-w-[144px] ${ai % 2 === 0 ? 'bg-white' : 'bg-gray-100'}`}
+                  title={[atk.username, atk.display_name, `v${atk.version}`].filter(Boolean).join(' · ')}
                 >
-                  <div className="text-xs font-semibold text-gray-700">{atk.username}</div>
-                  {atk.display_name && (
-                    <div className="text-xs font-normal text-gray-400 mt-0.5">{atk.display_name}</div>
-                  )}
-                  <div className="text-xs font-mono font-normal text-gray-400">v{atk.version}</div>
+                  <div className="w-full overflow-hidden">
+                    <div className="text-xs font-semibold text-gray-700 truncate">{atk.username}</div>
+                    {atk.display_name && (
+                      <div className="hidden md:block text-xs font-normal text-gray-400 mt-0.5 truncate">{atk.display_name}</div>
+                    )}
+                    <div className="hidden md:block text-xs font-mono font-normal text-gray-400 truncate">v{atk.version}</div>
+                  </div>
                 </th>
               ))}
             </tr>
-          </thead>
-          <tbody>
+            {/* Defender rows. Defense label column is covered by the rowSpan above. */}
             {defenders.map((def, di) => (
-              <tr key={def.submission_id} className={di % 2 === 0 ? 'bg-white' : 'bg-gray-50/40'}>
-                <td className="sticky left-0 z-10 border-b border-r border-gray-200 px-4 py-3 whitespace-nowrap bg-inherit">
-                  <div className="text-xs font-semibold text-gray-700">{def.username}</div>
-                  {def.display_name && (
-                    <div className="text-xs text-gray-400">{def.display_name}</div>
-                  )}
-                  <div className="text-xs font-mono text-gray-400">v{def.version}</div>
+              <tr key={def.submission_id}>
+                <td
+                  className={`sticky left-7 z-10 border-b border-r border-gray-200 px-2 py-2 md:px-3 md:py-3 w-[112px] min-w-[112px] max-w-[112px] md:w-[160px] md:min-w-[160px] md:max-w-[160px] ${di % 2 === 0 ? 'bg-white' : 'bg-gray-100'}`}
+                  title={[def.username, def.display_name, `v${def.version}`].filter(Boolean).join(' · ')}
+                >
+                  <div className="w-full overflow-hidden">
+                    <div className="text-xs font-semibold text-gray-700 truncate">{def.username}</div>
+                    {def.display_name && (
+                      <div className="hidden md:block text-xs text-gray-400 truncate">{def.display_name}</div>
+                    )}
+                    <div className="hidden md:block text-xs font-mono text-gray-400 truncate">v{def.version}</div>
+                  </div>
                 </td>
                 {attackers.map(atk => {
                   const key = `${atk.submission_id}/${def.submission_id}`;
                   const entry = scores[key];
                   const bgColor = entry && showGradient ? scoreToColor(entry.score) : undefined;
                   const fgColor = entry && showGradient ? textColorForScore(entry.score) : '#374151';
-
                   return (
                     <td
                       key={atk.submission_id}
-                      className="border-b border-r border-gray-200 px-3 py-3 text-center transition-colors duration-300"
+                      className="border-b border-r border-gray-200 px-1 py-2 md:px-3 md:py-3 text-center transition-colors duration-300 w-[96px] min-w-[96px] md:w-[144px] md:min-w-[144px] bg-white"
                       style={bgColor ? { backgroundColor: bgColor } : undefined}
                       title={
                         entry
@@ -193,6 +223,7 @@ export default function EvaluationMatrix() {
             ))}
           </tbody>
         </table>
+        </div>
       </div>
     </div>
   );
diff --git a/services/frontend/src/components/Footer.astro b/services/frontend/src/components/Footer.astro
index 31072ef..34f1c49 100644
--- a/services/frontend/src/components/Footer.astro
+++ b/services/frontend/src/components/Footer.astro
@@ -3,9 +3,7 @@ const currentYear = new Date().getFullYear();
 ---
 
 <footer class="w-full bg-gray-200">
-  <div class="flex felx-col my-2 items-center justify-center">
-    <span>Copyright &#169; {currentYear}</span>
-    <span>&nbsp;|&nbsp;</span>
-    <span>All rights reserved</span>
+  <div class="flex flex-col my-2 items-center justify-center">
+    <span>Copyright &#169; {currentYear} &nbsp;|&nbsp; All rights reserved</span>
   </div>
 </footer>
\ No newline at end of file
diff --git a/services/frontend/src/components/LoginModal.astro b/services/frontend/src/components/LoginModal.astro
index 4584f63..e48f926 100644
--- a/services/frontend/src/components/LoginModal.astro
+++ b/services/frontend/src/components/LoginModal.astro
@@ -203,6 +203,13 @@
     openModal(tab);
   });
 
+  window.addEventListener('pageshow', (e) => {
+    if (e.persisted) {
+      (document.getElementById('login-form') as HTMLFormElement)?.reset();
+      (document.getElementById('register-form') as HTMLFormElement)?.reset();
+    }
+  });
+
   closeBtn.addEventListener('click', closeModal);
   modal.addEventListener('click', (e) => { if (e.target === modal) closeModal(); });
   document.addEventListener('keydown', (e) => {
@@ -270,6 +277,9 @@
       return;
     }
 
+    (document.getElementById("login-form") as HTMLFormElement).reset();
+    (document.getElementById("register-form") as HTMLFormElement).reset();
+    window.location.href = "/submission";
     if (data.authenticated) {
       window.location.href = "/submission";
       return;
diff --git a/services/frontend/src/components/Navbar.astro b/services/frontend/src/components/Navbar.astro
index 16bdc39..89b510e 100644
--- a/services/frontend/src/components/Navbar.astro
+++ b/services/frontend/src/components/Navbar.astro
@@ -9,45 +9,103 @@ import Account from './Account.astro';
 const session = await getSession(Astro.request);
 ---
 
-<nav class="bg-primary shadow-lg flex items-center justify-around py-4">
-  <a href="/" class="font-bold text-white text-xl">
-    MLSEC
-  </a>
-
-  <div class="space-x-6">
-    <a
-      href="/rules"
-      class:list={[
-        "font-semibold transition-colors",
-        currentPath === '/rules' ? 'text-white underline underline-offset-4' : 'text-white/80 hover:text-white'
-      ]}>
-      Rules
-    </a>
-    <a
-      href="/submission"
-      class:list={[
-        "font-semibold transition-colors",
-        currentPath === '/submission' ? 'text-white underline underline-offset-4' : 'text-white/80 hover:text-white'
-      ]}>
-      Submission
-    </a>
-    <a
-      href="/leaderboard"
-      class:list={[
-        "font-semibold transition-colors",
-        currentPath === '/leaderboard' ? 'text-white underline underline-offset-4' : 'text-white/80 hover:text-white'
-      ]}>
-      Leaderboard
+<nav class="bg-primary shadow-lg">
+  <div class="flex items-center justify-between px-4 sm:px-6 py-4">
+    <a href="/" class="shrink-0" aria-label="MLSEC home">
+      <img src="/mlsec-title.svg" alt="MLSEC" class="h-8 w-auto" />
     </a>
+
+    <div class="hidden md:flex items-center space-x-6">
+      <a
+        href="/rules"
+        class:list={[
+          "font-semibold transition-colors",
+          currentPath === '/rules' ? 'text-white underline underline-offset-4' : 'text-white/80 hover:text-white'
+        ]}>
+        Rules
+      </a>
+      <a
+        href="/submission"
+        class:list={[
+          "font-semibold transition-colors",
+          currentPath === '/submission' ? 'text-white underline underline-offset-4' : 'text-white/80 hover:text-white'
+        ]}>
+        Submission
+      </a>
+      <a
+        href="/leaderboard"
+        class:list={[
+          "font-semibold transition-colors",
+          currentPath === '/leaderboard' ? 'text-white underline underline-offset-4' : 'text-white/80 hover:text-white'
+        ]}>
+        Leaderboard
+      </a>
+    </div>
+
+    <div class="flex items-center gap-3 shrink-0">
+      <Account session={session}>
+        <LoginModal slot="modal" />
+        <Logout slot="logout" />
+      </Account>
+
+      <button
+        id="nav-hamburger"
+        class="md:hidden p-1.5 rounded text-white/80 hover:text-white hover:bg-white/10 transition-colors focus:outline-none focus-visible:ring-2 focus-visible:ring-white"
+        aria-label="Toggle navigation"
+        aria-expanded="false"
+        aria-controls="nav-mobile-menu"
+      >
+        <svg id="nav-icon-open" xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="2" stroke="currentColor" class="w-5 h-5">
+          <path stroke-linecap="round" stroke-linejoin="round" d="M3.75 6.75h16.5M3.75 12h16.5m-16.5 5.25h16.5" />
+        </svg>
+        <svg id="nav-icon-close" xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="2" stroke="currentColor" class="w-5 h-5 hidden">
+          <path stroke-linecap="round" stroke-linejoin="round" d="M6 18 18 6M6 6l12 12" />
+        </svg>
+      </button>
+    </div>
   </div>
 
-  <Account session={session}>
-    <LoginModal slot="modal" />
-    <Logout slot="logout" />
-  </Account>
+  <div id="nav-mobile-menu" class="hidden md:hidden border-t border-white/20 bg-gray-800">
+    <div class="flex flex-col px-4 py-2">
+      <a
+        href="/rules"
+        class:list={[
+          "font-semibold transition-colors py-2.5",
+          currentPath === '/rules' ? 'text-white underline underline-offset-4' : 'text-white/80 hover:text-white'
+        ]}>
+        Rules
+      </a>
+      <a
+        href="/submission"
+        class:list={[
+          "font-semibold transition-colors py-2.5",
+          currentPath === '/submission' ? 'text-white underline underline-offset-4' : 'text-white/80 hover:text-white'
+        ]}>
+        Submission
+      </a>
+      <a
+        href="/leaderboard"
+        class:list={[
+          "font-semibold transition-colors py-2.5",
+          currentPath === '/leaderboard' ? 'text-white underline underline-offset-4' : 'text-white/80 hover:text-white'
+        ]}>
+        Leaderboard
+      </a>
+    </div>
+  </div>
+</nav>
 
 <script>
-  document.getElementById('open-login-btn')!.addEventListener('click', () => {
-    document.dispatchEvent(new CustomEvent('open-login-modal'));
+  const hamburger = document.getElementById('nav-hamburger');
+  const mobileMenu = document.getElementById('nav-mobile-menu');
+  const iconOpen   = document.getElementById('nav-icon-open');
+  const iconClose  = document.getElementById('nav-icon-close');
+
+  hamburger?.addEventListener('click', () => {
+    const isCurrentlyOpen = !mobileMenu!.classList.contains('hidden');
+    mobileMenu!.classList.toggle('hidden', isCurrentlyOpen);
+    iconOpen!.classList.toggle('hidden', !isCurrentlyOpen);
+    iconClose!.classList.toggle('hidden', isCurrentlyOpen);
+    hamburger.setAttribute('aria-expanded', String(!isCurrentlyOpen));
   });
-</script>
\ No newline at end of file
+</script>
diff --git a/services/frontend/src/components/Past_submit.astro b/services/frontend/src/components/Past_submit.astro
index 4801475..8b52804 100644
--- a/services/frontend/src/components/Past_submit.astro
+++ b/services/frontend/src/components/Past_submit.astro
@@ -2,7 +2,7 @@
 import SubmissionHistory from './SubmissionHistory';
 ---
 
-<div class="flex flex-col w-96 shrink-0 bg-white border border-gray-200 shadow-sm ml-3 mr-6 my-6 p-6 rounded-xl overflow-hidden">
+<div class="flex flex-col md:w-96 md:shrink-0 bg-white border border-gray-200 shadow-sm mx-3 my-3 md:ml-3 md:mr-6 md:my-6 p-6 rounded-xl overflow-hidden">
   <div class="flex items-center justify-between mb-4 shrink-0">
     <h1 class="text-xl font-semibold text-gray-900">Submission History</h1>
     <div class="relative">
diff --git a/services/frontend/src/components/SubmissionHistory.tsx b/services/frontend/src/components/SubmissionHistory.tsx
index cbe9e92..df42e6b 100644
--- a/services/frontend/src/components/SubmissionHistory.tsx
+++ b/services/frontend/src/components/SubmissionHistory.tsx
@@ -12,6 +12,11 @@ interface Submission {
   is_active: boolean;
   heurval_tpr: number | null;
   heurval_fpr: number | null;
+  detail_loaded?: boolean;
+  source_type?: string | null;
+  sha256?: string | null;
+  docker_image?: string | null;
+  git_repo?: string | null;
 }
 
 interface Props {
@@ -45,6 +50,16 @@ function formatDate(iso: string): string {
   });
 }
 
+function formatDateTime(iso: string): string {
+  return new Date(iso).toLocaleString(undefined, {
+    month: 'short',
+    day: 'numeric',
+    year: 'numeric',
+    hour: '2-digit',
+    minute: '2-digit',
+  });
+}
+
 function StarIcon({ filled }: { filled: boolean }) {
   if (filled) {
     return (
@@ -115,44 +130,64 @@ function ExpandedDetail({ sub }: { sub: Submission }) {
   const { status, functional_error, submission_type, heurval_tpr, heurval_fpr } = sub;
   const showHeurval = submission_type === 'defense' && (heurval_tpr !== null || heurval_fpr !== null);
 
-  if (status === 'submitted') {
-    return <p className="text-xs text-gray-500">Queued for processing.</p>;
-  }
-  if (status === 'validating') {
-    return <p className="text-xs text-blue-500">Validation in progress.</p>;
-  }
-  if (status === 'validated') {
-    return (
-      <>
-        <p className="text-xs text-blue-600">Validation passed. Waiting for evaluation.</p>
-        {showHeurval && <HeurvalStats tpr={heurval_tpr} fpr={heurval_fpr} />}
-      </>
-    );
-  }
-  if (status === 'evaluating') {
-    return (
-      <>
-        <p className="text-xs text-amber-600">Currently being evaluated.</p>
-        {showHeurval && <HeurvalStats tpr={heurval_tpr} fpr={heurval_fpr} />}
-      </>
-    );
-  }
-  if (status === 'evaluated') {
-    return (
-      <>
-        <p className="text-xs text-green-600">Evaluation complete.</p>
-        {showHeurval && <HeurvalStats tpr={heurval_tpr} fpr={heurval_fpr} />}
-      </>
-    );
-  }
-  if (status === 'error') {
-    return (
-      <p className="text-xs text-red-600">
-        {functional_error ?? 'An error occurred during processing.'}
-      </p>
-    );
-  }
-  return null;
+  return (
+    <>
+      {status === 'submitted' && <p className="text-xs text-gray-500">Queued for processing.</p>}
+      {status === 'validating' && <p className="text-xs text-blue-500">Validation in progress.</p>}
+      {(status === 'validated') && (
+        <>
+          <p className="text-xs text-blue-600">Validation passed. Waiting for evaluation.</p>
+          {showHeurval && <HeurvalStats tpr={heurval_tpr} fpr={heurval_fpr} />}
+        </>
+      )}
+      {status === 'evaluating' && (
+        <>
+          <p className="text-xs text-amber-600">Currently being evaluated.</p>
+          {showHeurval && <HeurvalStats tpr={heurval_tpr} fpr={heurval_fpr} />}
+        </>
+      )}
+      {status === 'evaluated' && (
+        <>
+          <p className="text-xs text-green-600">Evaluation complete.</p>
+          {showHeurval && <HeurvalStats tpr={heurval_tpr} fpr={heurval_fpr} />}
+        </>
+      )}
+      {status === 'error' && (
+        <p className="text-xs text-red-600">
+          {functional_error ?? 'An error occurred during processing.'}
+        </p>
+      )}
+
+      {sub.detail_loaded ? (
+        <dl className="mt-2 pt-2 border-t border-gray-100 grid grid-cols-[auto_1fr] gap-x-3 gap-y-1 text-xs">
+          <dt className="text-gray-400 whitespace-nowrap">Submitted</dt>
+          <dd className="text-gray-600">{formatDateTime(sub.created_at)}</dd>
+          {sub.sha256 && (
+            <>
+              <dt className="text-gray-400 whitespace-nowrap">File Hash</dt>
+              <dd className="font-mono text-gray-600 truncate" title={sub.sha256}>
+                {sub.sha256.slice(0, 16)}...
+              </dd>
+            </>
+          )}
+          {sub.docker_image && (
+            <>
+              <dt className="text-gray-400 whitespace-nowrap">DockerHub</dt>
+              <dd className="text-gray-600 truncate" title={sub.docker_image}>{sub.docker_image}</dd>
+            </>
+          )}
+          {sub.git_repo && (
+            <>
+              <dt className="text-gray-400 whitespace-nowrap">GitHub</dt>
+              <dd className="text-gray-600 truncate" title={sub.git_repo}>{sub.git_repo}</dd>
+            </>
+          )}
+        </dl>
+      ) : (
+        <p className="mt-1 text-xs text-gray-400">Loading details...</p>
+      )}
+    </>
+  );
 }
 
 export default function SubmissionHistory({ type, title }: Props) {
@@ -205,12 +240,24 @@ export default function SubmissionHistory({ type, title }: Props) {
     );
   };
 
-  const toggleExpanded = (id: string) => {
+  const toggleExpanded = async (id: string) => {
     setExpanded(prev => {
       const next = new Set(prev);
       next.has(id) ? next.delete(id) : next.add(id);
       return next;
     });
+    const sub = submissions.find(s => s.submission_id === id);
+    if (!sub || sub.detail_loaded) return;
+    try {
+      const res = await fetch(`/api/submissions/${id}/detail`);
+      if (!res.ok) return;
+      const d = await res.json();
+      setSubmissions(prev => prev.map(s =>
+        s.submission_id === id
+          ? { ...s, detail_loaded: true, source_type: d.source_type, sha256: d.sha256, docker_image: d.docker_image, git_repo: d.git_repo }
+          : s
+      ));
+    } catch {}
   };
 
   return (
@@ -247,7 +294,10 @@ export default function SubmissionHistory({ type, title }: Props) {
                     <span className="text-xs text-gray-400">{formatDate(sub.created_at)}</span>
                   </div>
 
-                  <span className="text-xs font-mono bg-gray-100 text-gray-500 px-1.5 py-0.5 rounded flex-shrink-0">
+                  <span
+                    className="text-xs font-mono bg-gray-100 text-gray-500 px-1.5 py-0.5 rounded flex-shrink-0 max-w-[6rem] truncate block"
+                    title={`v${sub.version}`}
+                  >
                     v{sub.version}
                   </span>
 
diff --git a/services/frontend/src/components/admin/AdminLayout.astro b/services/frontend/src/components/admin/AdminLayout.astro
index f35d8da..19491ef 100644
--- a/services/frontend/src/components/admin/AdminLayout.astro
+++ b/services/frontend/src/components/admin/AdminLayout.astro
@@ -24,15 +24,33 @@ const navLinks = [
     <link rel="icon" type="image/svg+xml" href="/favicon.svg" />
     <link rel="icon" href="/favicon.ico" />
     <meta name="viewport" content="width=device-width" />
-    <title>{title} | MLSEC Admin</title>
+    <title>MLSEC 2.0 Admin - {title}</title>
   </head>
   <body class="flex flex-col h-screen overflow-hidden bg-gray-50">
 
     <Navbar />
 
+    <!-- Mobile: horizontal scrollable tab strip (hidden on md+) -->
+    <div class="md:hidden flex overflow-x-auto shrink-0 bg-gray-800 border-b border-gray-700" style="scrollbar-width: none;">
+      {navLinks.map(link => (
+        <a
+          href={link.href}
+          class:list={[
+            'px-4 py-3 text-sm font-medium whitespace-nowrap border-b-2 transition-colors',
+            currentPage === link.id
+              ? 'border-white text-white'
+              : 'border-transparent text-gray-400 hover:text-gray-200',
+          ]}
+        >
+          {link.label}
+        </a>
+      ))}
+    </div>
+
     <div class="flex flex-1 min-h-0">
 
-      <nav class="w-52 bg-gray-800 flex flex-col shrink-0">
+      <!-- Desktop: sidebar (hidden on mobile) -->
+      <nav class="hidden md:flex w-52 bg-gray-800 flex-col shrink-0">
         <div class="px-5 py-3 border-b border-gray-700">
           <span class="text-xs font-semibold text-gray-400 uppercase tracking-wider">
             Admin Panel
@@ -55,7 +73,7 @@ const navLinks = [
         </div>
       </nav>
 
-      <main class="flex-1 overflow-auto p-6">
+      <main class="flex-1 overflow-auto p-3 md:p-6">
         <slot />
       </main>
 
diff --git a/services/frontend/src/components/admin/competition/CompetitionPage.tsx b/services/frontend/src/components/admin/competition/CompetitionPage.tsx
index 6b86aef..1a13287 100644
--- a/services/frontend/src/components/admin/competition/CompetitionPage.tsx
+++ b/services/frontend/src/components/admin/competition/CompetitionPage.tsx
@@ -194,6 +194,7 @@ function SubmissionSection() {
             <p className="text-xs font-medium text-gray-600 uppercase tracking-wide">
               Schedule Auto-Close
             </p>
+            <p className="text-xs font-small text-gray-400 tracking-wide">Opening submissions after scheduled auto-close will empty the auto-close date.</p>
             {status.close_at && (
               <p className="text-sm text-gray-500">
                 Scheduled:{' '}
@@ -444,6 +445,201 @@ function ValidationSamplesSection() {
   );
 }
 
+// ---------------------------------------------------------------------------
+// Downloads
+// ---------------------------------------------------------------------------
+
+interface UserOption { id: string; username: string; email: string; }
+interface SubOption  { id: string; display_name: string | null; version: string; status: string; }
+
+async function triggerCsvDownload(path: string, filename: string): Promise<void> {
+  const res = await adminFetch(path);
+  if (!res.ok) throw new Error(`Download failed (${res.status})`);
+  const blob = await res.blob();
+  const url = URL.createObjectURL(blob);
+  const a = document.createElement('a');
+  a.href = url;
+  a.download = filename;
+  a.click();
+  URL.revokeObjectURL(url);
+}
+
+function DownloadButton({
+  label, path, filename,
+}: { label: string; path: string; filename: string }) {
+  const [busy, setBusy] = useState(false);
+  const [err, setErr]   = useState<string | null>(null);
+
+  async function handle() {
+    setBusy(true);
+    setErr(null);
+    try {
+      await triggerCsvDownload(path, filename);
+    } catch (e) {
+      setErr(e instanceof Error ? e.message : 'Download failed.');
+    } finally {
+      setBusy(false);
+    }
+  }
+
+  return (
+    <div className="flex items-center gap-3 shrink-0">
+      <button
+        onClick={handle}
+        disabled={busy}
+        className="rounded border border-gray-200 bg-white px-3 py-1.5 text-xs font-medium text-gray-700 hover:bg-gray-100 transition-colors disabled:opacity-40 disabled:cursor-not-allowed"
+      >
+        {busy ? 'Downloading...' : label}
+      </button>
+      {err && <span className="text-xs text-red-600">{err}</span>}
+    </div>
+  );
+}
+
+function IndividualScoresDownload() {
+  const [users, setUsers]           = useState<UserOption[]>([]);
+  const [defUserId, setDefUserId]   = useState('');
+  const [atkUserId, setAtkUserId]   = useState('');
+  const [defSubs, setDefSubs]       = useState<SubOption[]>([]);
+  const [atkSubs, setAtkSubs]       = useState<SubOption[]>([]);
+  const [defSubId, setDefSubId]     = useState('');
+  const [atkSubId, setAtkSubId]     = useState('');
+  const [busy, setBusy]             = useState(false);
+  const [err, setErr]               = useState<string | null>(null);
+
+  useEffect(() => {
+    adminFetch('/admin/users?limit=200')
+      .then(r => r.ok ? r.json() : null)
+      .then(d => { if (d) setUsers(d.items ?? []); })
+      .catch(() => {});
+  }, []);
+
+  useEffect(() => {
+    if (!defUserId) { setDefSubs([]); setDefSubId(''); return; }
+    adminFetch(`/admin/submissions/users/${defUserId}`)
+      .then(r => r.ok ? r.json() : null)
+      .then(d => {
+        setDefSubs((d?.submissions ?? []).filter((s: { submission_type: string }) => s.submission_type === 'defense'));
+        setDefSubId('');
+      })
+      .catch(() => {});
+  }, [defUserId]);
+
+  useEffect(() => {
+    if (!atkUserId) { setAtkSubs([]); setAtkSubId(''); return; }
+    adminFetch(`/admin/submissions/users/${atkUserId}`)
+      .then(r => r.ok ? r.json() : null)
+      .then(d => {
+        setAtkSubs((d?.submissions ?? []).filter((s: { submission_type: string }) => s.submission_type === 'attack'));
+        setAtkSubId('');
+      })
+      .catch(() => {});
+  }, [atkUserId]);
+
+  async function handle() {
+    if (!defSubId || !atkSubId) return;
+    setBusy(true);
+    setErr(null);
+    try {
+      await triggerCsvDownload(
+        `/admin/export/scores/individual?defense_submission_id=${defSubId}&attack_submission_id=${atkSubId}`,
+        'evaluation_scores_individual.csv',
+      );
+    } catch (e) {
+      setErr(e instanceof Error ? e.message : 'Download failed.');
+    } finally {
+      setBusy(false);
+    }
+  }
+
+  const selectCls = "text-xs border border-gray-200 rounded px-2 py-1.5 m-1 text-gray-700 focus:outline-none focus:ring-2 focus:ring-primary/30 disabled:opacity-40 max-w-48";
+
+  return (
+    <div className="space-y-3">
+      <div>
+        <p className="text-sm font-medium text-gray-800">Individual Evaluation Scores</p>
+        <p className="text-xs text-gray-500">Per-file model output for a specific attacker-defender submission pair.</p>
+      </div>
+      <div className="grid grid-cols-1 sm:grid-cols-2 gap-3">
+        <div className="space-y-1.5">
+          <p className="text-xs text-gray-400">Defender</p>
+          <select value={defUserId} onChange={e => setDefUserId(e.target.value)} className={selectCls}>
+            <option value="">Select user...</option>
+            {users.map(u => <option key={u.id} value={u.id}>{u.username}</option>)}
+          </select>
+          <select value={defSubId} onChange={e => setDefSubId(e.target.value)} disabled={!defSubs.length} className={selectCls}>
+            <option value="">Select submission...</option>
+            {defSubs.map(s => <option key={s.id} value={s.id}>{s.display_name || s.version} (v{s.version})</option>)}
+          </select>
+        </div>
+        <div className="space-y-1.5">
+          <p className="text-xs text-gray-400">Attacker</p>
+          <select value={atkUserId} onChange={e => setAtkUserId(e.target.value)} className={selectCls}>
+            <option value="">Select user...</option>
+            {users.map(u => <option key={u.id} value={u.id}>{u.username}</option>)}
+          </select>
+          <select value={atkSubId} onChange={e => setAtkSubId(e.target.value)} disabled={!atkSubs.length} className={selectCls}>
+            <option value="">Select submission...</option>
+            {atkSubs.map(s => <option key={s.id} value={s.id}>{s.display_name || s.version} (v{s.version})</option>)}
+          </select>
+        </div>
+      </div>
+      <div className="flex items-center gap-3">
+        <button
+          onClick={handle}
+          disabled={busy || !defSubId || !atkSubId}
+          className="rounded border border-gray-200 bg-white px-3 py-1.5 text-xs font-medium text-gray-700 hover:bg-gray-100 transition-colors disabled:opacity-40 disabled:cursor-not-allowed"
+        >
+          {busy ? 'Downloading...' : 'Download CSV'}
+        </button>
+        {err && <span className="text-xs text-red-600">{err}</span>}
+      </div>
+    </div>
+  );
+}
+
+const BULK_EXPORTS: { label: string; description: string; path: string; filename: string }[] = [
+  {
+    label: 'All Evaluation Scores',
+    description: 'Confusion-matrix results (TP/FP/FN/TN) for every active attacker-defender pair.',
+    path: '/admin/export/scores/all',
+    filename: 'evaluation_scores_all.csv',
+  },
+  {
+    label: 'Defense Validation Scores',
+    description: 'Per-sample model output for each defense submission across all defense validation samples.',
+    path: '/admin/export/validation-scores',
+    filename: 'validation_scores.csv',
+  },
+  {
+    label: 'Behavioral Analysis',
+    description: 'Behavior classification status for each attack file relative to its source template.',
+    path: '/admin/export/behavioral-analysis',
+    filename: 'behavioral_analysis.csv',
+  },
+];
+
+function DownloadsSection() {
+  return (
+    <Section title="Export Data">
+      <div className="space-y-2">
+        {BULK_EXPORTS.map(({ label, description, path, filename }) => (
+          <div key={path} className="flex items-center justify-between gap-4 rounded-lg border border-gray-200 bg-gray-50 px-4 py-3">
+            <div>
+              <p className="text-sm font-medium text-gray-800">{label}</p>
+              <p className="text-xs text-gray-500">{description}</p>
+            </div>
+            <DownloadButton label="Download CSV" path={path} filename={filename} />
+          </div>
+        ))}
+        <div className="rounded-lg border border-gray-200 bg-gray-50 px-4 py-3">
+          <IndividualScoresDownload />
+        </div>
+      </div>
+    </Section>
+  );
+}
+
 // ---------------------------------------------------------------------------
 // Main
 // ---------------------------------------------------------------------------
@@ -455,6 +651,7 @@ export default function CompetitionPage() {
       <SubmissionSection />
       <AttackTemplateSection />
       <ValidationSamplesSection />
+      <DownloadsSection />
     </div>
   );
 }
diff --git a/services/frontend/src/components/admin/logs/LogsPage.tsx b/services/frontend/src/components/admin/logs/LogsPage.tsx
index cb51809..dc76d11 100644
--- a/services/frontend/src/components/admin/logs/LogsPage.tsx
+++ b/services/frontend/src/components/admin/logs/LogsPage.tsx
@@ -1,4 +1,4 @@
-import { useState, useEffect, useRef } from 'react';
+import { useState, useEffect, useRef, Fragment } from 'react';
 import { adminFetch } from '../../../lib/adminApi';
 
 type Tab = 'audit' | 'jobs' | 'evaluations' | 'sessions';
@@ -218,13 +218,117 @@ interface JobRecord {
   updated_at: string;
 }
 
+interface JobDetailSub {
+  submission_id: string;
+  version: string;
+  display_name: string | null;
+  status: string;
+  source_type?: string | null;
+  file_count?: number | null;
+  heurval_done?: number | null;
+  heurval_total?: number | null;
+}
+
+interface JobDetailRun {
+  id: string;
+  counterpart_id: string;
+  status: string | null;
+  duration_ms: number | null;
+  files_done?: number | null;
+  files_total?: number | null;
+}
+
+interface JobDetail {
+  submission: JobDetailSub | null;
+  evaluation_runs: JobDetailRun[];
+  fetching?: boolean;
+}
+
 const JOB_STATUSES = ['queued', 'running', 'done', 'failed'];
 
+function JobDetailPanel({ detail, jobType }: { detail: JobDetail; jobType: string }) {
+  if (detail.fetching) {
+    return <p className="text-xs text-gray-400">Loading details...</p>;
+  }
+  const { submission, evaluation_runs } = detail;
+  const counterpartLabel = jobType === 'D' ? 'Attack' : 'Defense';
+  return (
+    <div className="flex flex-col sm:flex-row gap-6">
+      <div className="space-y-1">
+        <p className="text-xs font-medium text-gray-400 uppercase tracking-wide mb-2">Submission</p>
+        {submission ? (
+          <dl className="grid grid-cols-[auto_1fr] gap-x-4 gap-y-1 text-xs">
+            {submission.display_name && (
+              <>
+                <dt className="text-gray-400">Name</dt>
+                <dd className="text-gray-700 font-medium">{submission.display_name}</dd>
+              </>
+            )}
+            <dt className="text-gray-400">Version</dt>
+            <dd className="text-gray-700 font-mono">{submission.version}</dd>
+            <dt className="text-gray-400">Status</dt>
+            <dd><StatusBadge status={submission.status} /></dd>
+            {jobType === 'D' && submission.source_type && (
+              <>
+                <dt className="text-gray-400">Source</dt>
+                <dd className="text-gray-700 capitalize">{submission.source_type}</dd>
+              </>
+            )}
+            {jobType === 'D' && submission.heurval_total != null && (
+              <>
+                <dt className="text-gray-400">Heurval</dt>
+                <dd className="text-gray-700">{submission.heurval_done ?? 0}/{submission.heurval_total} samples</dd>
+              </>
+            )}
+            {jobType === 'A' && submission.file_count != null && (
+              <>
+                <dt className="text-gray-400">Files</dt>
+                <dd className="text-gray-700">{submission.file_count}</dd>
+              </>
+            )}
+          </dl>
+        ) : (
+          <p className="text-xs text-gray-400">No submission data.</p>
+        )}
+      </div>
+      {evaluation_runs.length > 0 && (
+        <div className="flex-1 min-w-0">
+          <p className="text-xs font-medium text-gray-400 uppercase tracking-wide mb-2">Evaluation Runs</p>
+          <table className="w-full text-xs">
+            <thead>
+              <tr className="text-gray-400">
+                <th className="text-left font-medium pb-1 pr-4">{counterpartLabel}</th>
+                <th className="text-left font-medium pb-1 pr-4">Status</th>
+                <th className="text-left font-medium pb-1 pr-4">Progress</th>
+                <th className="text-left font-medium pb-1">Duration</th>
+              </tr>
+            </thead>
+            <tbody className="divide-y divide-gray-100">
+              {evaluation_runs.map(r => (
+                <tr key={r.id}>
+                  <td className="font-mono text-gray-600 py-1 pr-4">{shortId(r.counterpart_id)}</td>
+                  <td className="py-1 pr-4"><StatusBadge status={r.status} /></td>
+                  <td className="text-gray-500 py-1 pr-4">
+                    {r.files_total != null ? `${r.files_done ?? 0}/${r.files_total}` : '-'}
+                  </td>
+                  <td className="text-gray-500 py-1">{r.duration_ms != null ? `${r.duration_ms} ms` : '-'}</td>
+                </tr>
+              ))}
+            </tbody>
+          </table>
+        </div>
+      )}
+    </div>
+  );
+}
+
 function JobsTab() {
-  const [records, setRecords] = useState<JobRecord[]>([]);
-  const [loading, setLoading]       = useState(true);
-  const [statusFilter, setStatus]   = useState('');
-  const [limit, setLimit]           = useState(50);
+  const [records, setRecords]   = useState<JobRecord[]>([]);
+  const [loading, setLoading]   = useState(true);
+  const [statusFilter, setStatus] = useState('');
+  const [limit, setLimit]       = useState(50);
+  const [expanded, setExpanded] = useState<Set<string>>(new Set());
+  const [details, setDetails]   = useState<Record<string, JobDetail>>({});
   const first = useRef(true);
 
   async function load(s: string, lim: number) {
@@ -244,6 +348,29 @@ function JobsTab() {
     return () => clearTimeout(t);
   }, [statusFilter, limit]);
 
+  async function toggleExpand(id: string) {
+    setExpanded(prev => {
+      const next = new Set(prev);
+      next.has(id) ? next.delete(id) : next.add(id);
+      return next;
+    });
+    if (details[id]) return;
+    setDetails(prev => ({ ...prev, [id]: { submission: null, evaluation_runs: [], fetching: true } }));
+    try {
+      const res = await adminFetch(`/admin/logs/jobs/${id}/detail`);
+      const d = res.ok ? await res.json() : null;
+      setDetails(prev => ({
+        ...prev,
+        [id]: {
+          submission: d?.submission ?? null,
+          evaluation_runs: d?.evaluation_runs ?? [],
+        },
+      }));
+    } catch {
+      setDetails(prev => ({ ...prev, [id]: { submission: null, evaluation_runs: [] } }));
+    }
+  }
+
   return (
     <>
       <FilterBar onRefresh={() => load(statusFilter, limit)}>
@@ -258,23 +385,51 @@ function JobsTab() {
         <LimitSelect value={limit} onChange={setLimit} />
       </FilterBar>
       <TableShell
-        headers={['Timestamp', 'Type', 'Status', 'Requested By', 'Updated At']}
+        headers={['', 'Timestamp', 'Type', 'Status', 'Requested By', 'Updated At']}
         loading={loading}
         empty={records.length === 0}
       >
-        {records.map(r => (
-          <tr key={r.id} className="hover:bg-gray-50 transition-colors">
-            <td className="px-4 py-2.5 text-gray-500 whitespace-nowrap">{formatDateTime(r.created_at)}</td>
-            <td className="px-4 py-2.5">
-              <span className="font-medium text-gray-800">
-                {r.job_type === 'D' ? 'Defense' : r.job_type === 'A' ? 'Attack' : r.job_type === 'S' ? 'Seeding' : r.job_type}
-              </span>
-            </td>
-            <td className="px-4 py-2.5"><StatusBadge status={r.status} /></td>
-            <td className="px-4 py-2.5 font-mono text-xs text-gray-500">{shortId(r.requested_by_user_id)}</td>
-            <td className="px-4 py-2.5 text-gray-500 whitespace-nowrap">{formatDateTime(r.updated_at)}</td>
-          </tr>
-        ))}
+        {records.map(r => {
+          const isOpen = expanded.has(r.id);
+          const detail = details[r.id];
+          return (
+            <Fragment key={r.id}>
+              <tr className="hover:bg-gray-50 transition-colors">
+                <td className="pl-3 pr-1 py-2.5 w-8">
+                  <button
+                    onClick={() => toggleExpand(r.id)}
+                    aria-label={isOpen ? 'Collapse' : 'Expand'}
+                    className="text-gray-400 hover:text-gray-600 transition-colors"
+                  >
+                    <svg className={`w-3.5 h-3.5 transition-transform duration-150 ${isOpen ? 'rotate-90' : ''}`} fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                      <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9 5l7 7-7 7" />
+                    </svg>
+                  </button>
+                </td>
+                <td className="px-4 py-2.5 text-gray-500 whitespace-nowrap">{formatDateTime(r.created_at)}</td>
+                <td className="px-4 py-2.5">
+                  <span className="font-medium text-gray-800">
+                    {r.job_type === 'D' ? 'Defense' : r.job_type === 'A' ? 'Attack' : r.job_type === 'S' ? 'Seeding' : r.job_type}
+                  </span>
+                </td>
+                <td className="px-4 py-2.5"><StatusBadge status={r.status} /></td>
+                <td className="px-4 py-2.5 font-mono text-xs text-gray-500">{shortId(r.requested_by_user_id)}</td>
+                <td className="px-4 py-2.5 text-gray-500 whitespace-nowrap">{formatDateTime(r.updated_at)}</td>
+              </tr>
+              {isOpen && (
+                <tr>
+                  <td colSpan={6} className="bg-gray-50 px-6 py-4 border-b border-gray-100">
+                    {detail ? (
+                      <JobDetailPanel detail={detail} jobType={r.job_type} />
+                    ) : (
+                      <p className="text-xs text-gray-400">Loading details...</p>
+                    )}
+                  </td>
+                </tr>
+              )}
+            </Fragment>
+          );
+        })}
       </TableShell>
     </>
   );
diff --git a/services/frontend/src/components/admin/submissions/SubmissionsPage.tsx b/services/frontend/src/components/admin/submissions/SubmissionsPage.tsx
index 1447539..1d19f00 100644
--- a/services/frontend/src/components/admin/submissions/SubmissionsPage.tsx
+++ b/services/frontend/src/components/admin/submissions/SubmissionsPage.tsx
@@ -399,10 +399,10 @@ export default function SubmissionsPage() {
     <div className="flex flex-col h-full space-y-0" style={{ minHeight: 0 }}>
       <h1 className="text-xl font-semibold text-gray-900 mb-4">Submissions</h1>
 
-      <div className="flex gap-4 flex-1 min-h-0" style={{ height: 'calc(100vh - 160px)' }}>
+      <div className="flex flex-col md:flex-row gap-4 flex-1 min-h-0">
 
         {/* Panel 1: user list */}
-        <div className="w-72 flex-shrink-0 bg-white rounded-xl border border-gray-200 shadow-sm flex flex-col min-h-0">
+        <div className="w-full md:w-72 flex-shrink-0 bg-white rounded-xl border border-gray-200 shadow-sm flex flex-col min-h-0">
           <div className="px-3 py-2.5 border-b border-gray-100">
             <input
               type="text"
@@ -474,7 +474,7 @@ export default function SubmissionsPage() {
         </div>
 
         {/* Panel 3: evaluation pairs */}
-        <div className="w-80 flex-shrink-0 bg-white rounded-xl border border-gray-200 shadow-sm min-h-0 overflow-hidden">
+        <div className="w-full md:w-80 flex-shrink-0 bg-white rounded-xl border border-gray-200 shadow-sm min-h-0 overflow-hidden">
           {selectedSubId ? (
             <EvalPairsPanel key={selectedSubId} submissionId={selectedSubId} />
           ) : (
diff --git a/services/frontend/src/lib/adminApi.ts b/services/frontend/src/lib/adminApi.ts
index 40906b9..cc02002 100644
--- a/services/frontend/src/lib/adminApi.ts
+++ b/services/frontend/src/lib/adminApi.ts
@@ -8,8 +8,7 @@
  */
 
 export async function adminFetch(path: string, init: RequestInit = {}): Promise<Response> {
-  const apiPath = path.startsWith('/admin') ? `/api${path}` : path;
-  return fetch(apiPath, {
+  return fetch(path, {
     ...init,
     credentials: 'include',
   });
diff --git a/services/frontend/src/pages/index.astro b/services/frontend/src/pages/index.astro
index f754c21..17be251 100644
--- a/services/frontend/src/pages/index.astro
+++ b/services/frontend/src/pages/index.astro
@@ -12,7 +12,7 @@ import { Content } from '../content/home.md';
 		<link rel="icon" href="/favicon.ico" />
 		<meta name="viewport" content="width=device-width" />
 		<meta name="generator" content={Astro.generator} />
-		<title>MLSEC</title>
+		<title>MLSEC 2.0</title>
 	</head>
 	<body class="flex flex-col min-h-screen">
 		<Navbar />
diff --git a/services/frontend/src/pages/leaderboard.astro b/services/frontend/src/pages/leaderboard.astro
index 4efffa8..e264ff8 100644
--- a/services/frontend/src/pages/leaderboard.astro
+++ b/services/frontend/src/pages/leaderboard.astro
@@ -11,13 +11,13 @@ import EvaluationMatrix from "../components/EvaluationMatrix";
     <link rel="icon" href="/favicon.ico" />
     <meta name="viewport" content="width=device-width" />
     <meta name="generator" content={Astro.generator} />
-    <title>MLSEC Leaderboard</title>
+    <title>MLSEC 2.0 - Leaderboard</title>
   </head>
   <body class="flex flex-col min-h-screen bg-gray-50">
     <Navbar />
-    <div class="flex-grow max-w-7xl mx-auto w-full px-6 py-10">
-      <div class="mb-6">
-        <h1 class="text-2xl font-semibold text-gray-900">Evaluation Matrix</h1>
+    <div class="flex-grow max-w-7xl mx-auto w-full px-3 md:px-6 py-6 md:py-10">
+      <div class="mb-4 md:mb-6">
+        <h1 class="text-xl md:text-2xl font-semibold text-gray-900">Evaluation Matrix</h1>
       </div>
       <EvaluationMatrix client:load />
     </div>
diff --git a/services/frontend/src/pages/rules.astro b/services/frontend/src/pages/rules.astro
index 47a1802..2550b92 100644
--- a/services/frontend/src/pages/rules.astro
+++ b/services/frontend/src/pages/rules.astro
@@ -12,9 +12,9 @@ import { Content } from '../content/rules.md';
 		<link rel="icon" href="/favicon.ico" />
 		<meta name="viewport" content="width=device-width" />
 		<meta name="generator" content={Astro.generator} />
-		<title>MLSEC Rules</title>
+		<title>MLSEC 2.0 - Rules</title>
 	</head>
-	<body class="flex flex-col min-h-screen">
+	<body class="flex flex-col min-h-screen bg-gray-50">
 		<Navbar />
 		<div class="prose max-w-5xl mx-auto w-full bg-gray-100 p-7 my-10 rounded-xl h-full flex-grow">
 			<Content />
diff --git a/services/frontend/src/pages/submission.astro b/services/frontend/src/pages/submission.astro
index 25505d6..a25d594 100644
--- a/services/frontend/src/pages/submission.astro
+++ b/services/frontend/src/pages/submission.astro
@@ -16,12 +16,12 @@ const session = await getSession(Astro.request);
 		<link rel="icon" href="/favicon.ico" />
 		<meta name="viewport" content="width=device-width" />
 		<meta name="generator" content={Astro.generator} />
-		<title>MLSEC Submission</title>
+		<title>MLSEC 2.0 - Submission</title>
 	</head>
-	<body class="flex flex-col h-screen overflow-hidden bg-gray-50">
+	<body class="flex flex-col min-h-screen bg-gray-50">
 		<Navbar />
 		{session ? (
-			<div class="flex flex-1 flex-row min-h-0">
+			<div class="flex flex-1 flex-col md:flex-row">
 				<Submit />
 				<PastSubmit />
 			</div>
diff --git a/services/nginx/nginx.conf b/services/nginx/nginx.conf
index 00c257c..6824c67 100644
--- a/services/nginx/nginx.conf
+++ b/services/nginx/nginx.conf
@@ -8,7 +8,32 @@ upstream frontend {
 
 server {
     listen 80;
-    client_max_body_size 2G;
+    listen [::]:80;
+
+    # Let's Encrypt ACME challenge
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
+    # Redirect all other HTTP traffic to HTTPS
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    client_max_body_size 2048M;
+
+    ssl_certificate     /etc/letsencrypt/live/mlsec2.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/mlsec2.com/privkey.pem;
+
+    ssl_protocols             TLSv1.2 TLSv1.3;
+    ssl_ciphers               HIGH:!aNULL:!MD5;
+    ssl_prefer_server_ciphers on;
+    ssl_session_cache         shared:SSL:10m;
+    ssl_session_timeout       10m;
 
     location = /health {
         proxy_pass         http://api;
@@ -121,6 +146,8 @@ server {
         proxy_set_header   X-Real-IP         $remote_addr;
         proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
         proxy_set_header   X-Forwarded-Proto $scheme;
+        proxy_read_timeout 600s;
+        proxy_send_timeout 600s;
     }
 
     location / {
diff --git a/services/worker/Dockerfile b/services/worker/Dockerfile
index 49d414b..1d1a85e 100644
--- a/services/worker/Dockerfile
+++ b/services/worker/Dockerfile
@@ -21,5 +21,5 @@ COPY . /app
 # RUN useradd --create-home --uid 10001 appuser
 # USER appuser
 
-CMD ["sh", "-c", "celery -A worker.celery_app:celery_app worker --loglevel=INFO --concurrency=${CELERY_CONCURRENCY:-4}"]
+CMD ["sh", "-c", "celery -A worker.celery_app:celery_app worker --loglevel=INFO --concurrency=${CELERY_CONCURRENCY:-1}"]
 
diff --git a/services/worker/tests/conftest.py b/services/worker/tests/conftest.py
index 0b2e290..eb3e53c 100644
--- a/services/worker/tests/conftest.py
+++ b/services/worker/tests/conftest.py
@@ -14,10 +14,10 @@
 os.environ.setdefault("CELERY_BROKER_URL", "redis://localhost:6379/0")
 os.environ.setdefault("CELERY_RESULT_BACKEND", "redis://localhost:6379/0")
 os.environ.setdefault(
-    "DATABASE_URL", "postgresql://postgres:password123@localhost:5433/mlsec_test")
+    "DATABASE_URL", "postgresql://mlsec2:mlsec2_pw@localhost:5433/mlsec_test")
 os.environ.setdefault("MINIO_ENDPOINT", "minio:9000")
-os.environ.setdefault("MINIO_ACCESS_KEY", "minioadmin")
-os.environ.setdefault("MINIO_SECRET_KEY", "minioadmin")
+os.environ.setdefault("MINIO_ACCESS_KEY", "mlsec2")
+os.environ.setdefault("MINIO_SECRET_KEY", "mlsec2_pw")
 os.environ.setdefault("CELERY_DEFAULT_QUEUE", "mlsec")
 
 
@@ -26,8 +26,8 @@
 def set_env_vars():
     """Environment variables are already set at module level."""
     pass
-    os.environ.setdefault("MINIO_ACCESS_KEY", "minioadmin")
-    os.environ.setdefault("MINIO_SECRET_KEY", "minioadmin")
+    os.environ.setdefault("MINIO_ACCESS_KEY", "mlsec2")
+    os.environ.setdefault("MINIO_SECRET_KEY", "mlsec2_pw")
     os.environ.setdefault("MINIO_BUCKET", "mlsec-submissions")
     os.environ.setdefault("GATEWAY_URL", "http://mlsec-gateway:8080/")
     os.environ.setdefault("GATEWAY_SECRET", "test_secret")
@@ -35,7 +35,7 @@ def set_env_vars():
 
 
 # Test database configuration
-TEST_DB_URL = "postgresql://postgres:password123@localhost:5433/mlsec_test"
+TEST_DB_URL = os.environ.get("DATABASE_URL", "postgresql://mlsec2:mlsec2_pw@localhost:5433/mlsec_test")
 
 engine = create_engine(TEST_DB_URL)
 TestingSessionLocal = sessionmaker(bind=engine)
@@ -157,8 +157,8 @@ def config_dict():
         },
         "minio": {
             "endpoint": "minio:9000",
-            "access_key": "minioadmin",
-            "secret_key": "minioadmin",
+            "access_key": "mlsec2",
+            "secret_key": "mlsec2_pw",
             "bucket": "mlsec-submissions",
             "attack_files_bucket": "attack-files",
             "secure": False,
diff --git a/services/worker/tests/manual_api_queue_test.py b/services/worker/tests/manual_api_queue_test.py
index a35412b..93e3331 100644
--- a/services/worker/tests/manual_api_queue_test.py
+++ b/services/worker/tests/manual_api_queue_test.py
@@ -7,7 +7,7 @@
 
 # Configuration - Use test database
 API_URL = "http://localhost:8000"
-DATABASE_URL = "postgresql://postgres:password123@localhost:5432/mlsec"
+DATABASE_URL = os.getenv("DATABASE_URL", "postgresql://mlsec2:mlsec2_pw@localhost:5432/mlsec")
 SESSION_COOKIE_NAME = os.getenv("AUTH_SESSION_COOKIE_NAME", "mlsec_session")
 
 @pytest.fixture(scope="function")
diff --git a/services/worker/tests/manual_test_defense_pipeline.py b/services/worker/tests/manual_test_defense_pipeline.py
index df4cdb3..7b9d864 100644
--- a/services/worker/tests/manual_test_defense_pipeline.py
+++ b/services/worker/tests/manual_test_defense_pipeline.py
@@ -9,8 +9,8 @@
 from minio import Minio
 
 # Configuration
-DATABASE_URL = os.getenv("DATABASE_URL", "postgresql://postgres:password123@localhost:5432/mlsec")
-CELERY_BROKER_URL = os.getenv("CELERY_BROKER_URL", "amqp://mlsec:mlsec@localhost:5672//")
+DATABASE_URL = os.getenv("DATABASE_URL", "postgresql://mlsec2:mlsec2_pw@localhost:5432/mlsec")
+CELERY_BROKER_URL = os.getenv("CELERY_BROKER_URL", "amqp://mlsec2:mlsec2_pw@localhost:5672//")
 REDIS_URL = os.getenv("REDIS_URL", "redis://localhost:6379/0")
 DOCKER_IMAGE = "https://hub.docker.com/r/thompaar003/notconv"
 # https://hub.docker.com/r/thompaar003/notconv
@@ -18,8 +18,8 @@
 # https://hub.docker.com/r/thompaar003/evil-defense
 
 MINIO_ENDPOINT = os.getenv("MINIO_ENDPOINT", "localhost:9000")
-MINIO_ACCESS_KEY = os.getenv("MINIO_ACCESS_KEY", "mlsec_minio_admin")
-MINIO_SECRET_KEY = os.getenv("MINIO_SECRET_KEY", "mlsec_minio_password_change_in_production")
+MINIO_ACCESS_KEY = os.getenv("MINIO_ACCESS_KEY", "mlsec2")
+MINIO_SECRET_KEY = os.getenv("MINIO_SECRET_KEY", "mlsec2_pw")
 MINIO_BUCKET = os.getenv("MINIO_BUCKET", "mlsec-submissions")
 
 def setup_test_data():
diff --git a/services/worker/tests/test_attack_job_integration.py b/services/worker/tests/test_attack_job_integration.py
index f6df04b..f743365 100644
--- a/services/worker/tests/test_attack_job_integration.py
+++ b/services/worker/tests/test_attack_job_integration.py
@@ -551,8 +551,13 @@ def fake_init(self):
 
     monkeypatch.setattr(WorkerRegistry, "__init__", fake_init)
 
-    # Create attack
+    # Create attack in submitted state to trigger validation logic
     attack_id = test_helpers.create_attack()
+    db_session.execute(
+        text("UPDATE submissions SET status = 'submitted' WHERE id = CAST(:id AS uuid)"),
+        {"id": attack_id}
+    )
+    db_session.commit()
 
     # Create job
     job_id = test_helpers.create_job(
@@ -613,8 +618,15 @@ def fake_redis_init(self):
         self.client = fake_redis
 
     monkeypatch.setattr(WorkerRegistry, "__init__", fake_redis_init)
-
+    
+    # Create attack in submitted state to trigger validation logic
     attack_id = test_helpers.create_attack()
+    db_session.execute(
+        text("UPDATE submissions SET status = 'submitted' WHERE id = CAST(:id AS uuid)"),
+        {"id": attack_id}
+    )
+    db_session.commit()
+
     job_id = test_helpers.create_job(
         job_type="attack",
         status="queued",
@@ -677,6 +689,7 @@ def test_attack_job_heuristic_validation_rejected(db_session, fake_redis, test_h
     # Override config: enable similarity check
     mock_attack_cfg = Mock()
     mock_attack_cfg.check_similarity = True
+    mock_attack_cfg.skip_seeding = False
     mock_attack_cfg.reject_dissimilar_attacks = True
     mock_attack_cfg.minimum_attack_similarity = 50
     mock_attack_cfg.max_zip_size_mb = 100
@@ -731,6 +744,7 @@ def test_attack_job_heuristic_sandbox_unavailable(db_session, fake_redis, test_h
     # Override config: enable similarity check
     mock_attack_cfg = Mock()
     mock_attack_cfg.check_similarity = True
+    mock_attack_cfg.skip_seeding = False
     mock_attack_cfg.reject_dissimilar_attacks = True
     mock_attack_cfg.minimum_attack_similarity = 50
     mock_attack_cfg.max_zip_size_mb = 100
diff --git a/services/worker/tests/test_db_results.py b/services/worker/tests/test_db_results.py
index 7d80778..2b9cb69 100644
--- a/services/worker/tests/test_db_results.py
+++ b/services/worker/tests/test_db_results.py
@@ -1,7 +1,7 @@
 import os
 from sqlalchemy import create_engine, text
 
-DATABASE_URL = os.getenv("DATABASE_URL", "postgresql://postgres:password123@localhost:5432/mlsec")
+DATABASE_URL = os.getenv("DATABASE_URL", "postgresql://mlsec2:mlsec2_pw@localhost:5432/mlsec")
 
 def dump_results():
     engine = create_engine(DATABASE_URL)
diff --git a/services/worker/tests/test_defense_job_integration.py b/services/worker/tests/test_defense_job_integration.py
index 6c016ae..bfc8e2c 100644
--- a/services/worker/tests/test_defense_job_integration.py
+++ b/services/worker/tests/test_defense_job_integration.py
@@ -412,11 +412,11 @@ def fake_init(self):
 
     monkeypatch.setattr(WorkerRegistry, "__init__", fake_init)
 
-    # Create defense with GitHub source
+    # Create defense with GitHub source (not validated yet to ensure setup runs)
     defense_id = test_helpers.create_defense(
         source_type="github",
         git_repo="https://github.com/user/defense",
-        is_functional=True
+        is_functional=None
     )
 
     # Create job
@@ -480,11 +480,11 @@ def fake_init(self):
 
     monkeypatch.setattr(WorkerRegistry, "__init__", fake_init)
 
-    # Create defense with ZIP source
+    # Create defense with ZIP source (not validated yet to ensure setup runs)
     defense_id = test_helpers.create_defense(
         source_type="zip",
         object_key="defenses/test-defense.zip",
-        is_functional=True
+        is_functional=None
     )
 
     # Create job
@@ -555,6 +555,9 @@ def fake_init(self):
         is_functional=True
     )
 
+    # Create attack so evaluation starts
+    test_helpers.create_attack()
+
     # Create job
     job_id = test_helpers.create_job(
         job_type="defense",
@@ -643,6 +646,9 @@ def fake_init(self):
         is_functional=True
     )
 
+    # Create attack so evaluation starts
+    test_helpers.create_attack()
+
     # Create job
     job_id = test_helpers.create_job(
         job_type="defense",
diff --git a/services/worker/tests/test_evaluate_core.py b/services/worker/tests/test_evaluate_core.py
index 1b8f643..68dfb9c 100644
--- a/services/worker/tests/test_evaluate_core.py
+++ b/services/worker/tests/test_evaluate_core.py
@@ -3,10 +3,10 @@
 from __future__ import annotations
 
 import asyncio
-from unittest.mock import MagicMock, patch
+from unittest.mock import AsyncMock, MagicMock, patch
 
-import httpx
 import pytest
+import requests
 
 from worker.config import EvaluationConfig
 from worker.defense.evaluate import (
@@ -46,7 +46,7 @@ def _mock_docker(usage_mb: float = 100.0) -> MagicMock:
 
 
 def _mock_response(result: int, status_code: int = 200) -> MagicMock:
-    resp = MagicMock(spec=httpx.Response)
+    resp = MagicMock(spec=requests.Response)
     resp.status_code = status_code
     resp.json.return_value = {"result": result}
     return resp
@@ -72,14 +72,11 @@ def test_normal_response_returns_correct_model_output():
     restart_ref = [0]
 
     async def run():
-        async with httpx.AsyncClient(
-            transport=httpx.MockTransport(
-                lambda req: httpx.Response(200, json={"result": 1})
-            )
-        ) as client:
-            return await evaluate_sample_against_container(
-                client, URL, docker_client, CONTAINER, SAMPLE, eval_cfg, restart_ref, ctx={}
-            )
+        with patch("worker.defense.evaluate.requests.post", return_value=_mock_response(1)):
+            with patch("worker.defense.evaluate.requests.get", return_value=_mock_response(1)):
+                return await evaluate_sample_against_container(
+                    URL, docker_client, CONTAINER, SAMPLE, eval_cfg, restart_ref, ctx={}
+                )
 
     outcome = _run(run())
     assert outcome.model_output == 1
@@ -93,14 +90,11 @@ def test_normal_response_result_zero():
     docker_client = _mock_docker(usage_mb=50)
 
     async def run():
-        async with httpx.AsyncClient(
-            transport=httpx.MockTransport(
-                lambda req: httpx.Response(200, json={"result": 0})
-            )
-        ) as client:
-            return await evaluate_sample_against_container(
-                client, URL, docker_client, CONTAINER, SAMPLE, eval_cfg, [0], ctx={}
-            )
+        with patch("worker.defense.evaluate.requests.post", return_value=_mock_response(0)):
+            with patch("worker.defense.evaluate.requests.get", return_value=_mock_response(0)):
+                return await evaluate_sample_against_container(
+                    URL, docker_client, CONTAINER, SAMPLE, eval_cfg, [0], ctx={}
+                )
 
     outcome = _run(run())
     assert outcome.model_output == 0
@@ -116,27 +110,16 @@ def test_timeout_returns_time_limit_evaded():
     eval_cfg = _make_eval_cfg(defense_max_time=1, defense_max_timeout=2)
     docker_client = _mock_docker()
 
-    call_count = [0]
-
-    async def transport_handler(request):
-        call_count[0] += 1
-        # Both the initial request and the extended-wait request succeed quickly
-        # so no restart is triggered, but the first timeout already marked evaded.
-        return httpx.Response(200, json={"result": 1})
-
-    # Simulate the first POST timing out, extended wait succeeds (no restart).
+    # First POST times out; extended-wait POST succeeds (no restart).
     async def run():
-        async with httpx.AsyncClient() as client:
-            with patch.object(
-                client,
-                "post",
-                side_effect=[
-                    httpx.TimeoutException("timed out"),
-                    httpx.Response(200, json={"result": 1}),
-                ],
-            ):
+        post_side_effects = [
+            requests.exceptions.Timeout("timed out"),
+            _mock_response(1),
+        ]
+        with patch("worker.defense.evaluate.requests.post", side_effect=post_side_effects):
+            with patch("worker.defense.evaluate.requests.get", return_value=_mock_response(1)):
                 return await evaluate_sample_against_container(
-                    client, URL, docker_client, CONTAINER, SAMPLE, eval_cfg, [0], ctx={}
+                    URL, docker_client, CONTAINER, SAMPLE, eval_cfg, [0], ctx={}
                 )
 
     outcome = _run(run())
@@ -155,17 +138,14 @@ def test_full_timeout_triggers_restart():
     restart_ref = [0]
 
     async def run():
-        async with httpx.AsyncClient() as client:
-            with patch.object(
-                client,
-                "post",
-                side_effect=[
-                    httpx.TimeoutException("initial timeout"),
-                    httpx.TimeoutException("extended timeout"),
-                ],
-            ):
+        post_side_effects = [
+            requests.exceptions.Timeout("initial timeout"),
+            requests.exceptions.Timeout("extended timeout"),
+        ]
+        with patch("worker.defense.evaluate.requests.post", side_effect=post_side_effects):
+            with patch("worker.defense.evaluate._wait_for_container_ready", new_callable=AsyncMock):
                 return await evaluate_sample_against_container(
-                    client, URL, docker_client, CONTAINER, SAMPLE, eval_cfg, restart_ref, ctx={}
+                    URL, docker_client, CONTAINER, SAMPLE, eval_cfg, restart_ref, ctx={}
                 )
 
     outcome = _run(run())
@@ -187,17 +167,14 @@ def test_full_timeout_raises_when_max_restarts_exceeded():
     restart_ref = [2]  # already at max
 
     async def run():
-        async with httpx.AsyncClient() as client:
-            with patch.object(
-                client,
-                "post",
-                side_effect=[
-                    httpx.TimeoutException("initial"),
-                    httpx.TimeoutException("extended"),
-                ],
-            ):
+        post_side_effects = [
+            requests.exceptions.Timeout("initial"),
+            requests.exceptions.Timeout("extended"),
+        ]
+        with patch("worker.defense.evaluate.requests.post", side_effect=post_side_effects):
+            with patch("worker.defense.evaluate.requests.get", return_value=_mock_response(1)):
                 return await evaluate_sample_against_container(
-                    client, URL, docker_client, CONTAINER, SAMPLE, eval_cfg, restart_ref, ctx={}
+                    URL, docker_client, CONTAINER, SAMPLE, eval_cfg, restart_ref, ctx={}
                 )
 
     with pytest.raises(ContainerRestartError):
@@ -214,14 +191,11 @@ def test_ram_overuse_returns_ram_limit_evaded():
     docker_client = _mock_docker(usage_mb=600)
 
     async def run():
-        async with httpx.AsyncClient(
-            transport=httpx.MockTransport(
-                lambda req: httpx.Response(200, json={"result": 1})
-            )
-        ) as client:
-            return await evaluate_sample_against_container(
-                client, URL, docker_client, CONTAINER, SAMPLE, eval_cfg, [0], ctx={}
-            )
+        with patch("worker.defense.evaluate.requests.post", return_value=_mock_response(1)):
+            with patch("worker.defense.evaluate._wait_for_container_ready", new_callable=AsyncMock):
+                return await evaluate_sample_against_container(
+                    URL, docker_client, CONTAINER, SAMPLE, eval_cfg, [0], ctx={}
+                )
 
     outcome = _run(run())
     assert outcome.evaded_reason == "ram_limit"
@@ -236,14 +210,11 @@ def test_ram_overuse_raises_when_max_restarts_exceeded():
     restart_ref = [1]  # already at max
 
     async def run():
-        async with httpx.AsyncClient(
-            transport=httpx.MockTransport(
-                lambda req: httpx.Response(200, json={"result": 1})
-            )
-        ) as client:
-            return await evaluate_sample_against_container(
-                client, URL, docker_client, CONTAINER, SAMPLE, eval_cfg, restart_ref, ctx={}
-            )
+        with patch("worker.defense.evaluate.requests.post", return_value=_mock_response(1)):
+            with patch("worker.defense.evaluate.requests.get", return_value=_mock_response(1)):
+                return await evaluate_sample_against_container(
+                    URL, docker_client, CONTAINER, SAMPLE, eval_cfg, restart_ref, ctx={}
+                )
 
     with pytest.raises(ContainerRestartError):
         _run(run())
@@ -255,14 +226,11 @@ def test_ram_within_limit_does_not_evade():
     docker_client = _mock_docker(usage_mb=100)
 
     async def run():
-        async with httpx.AsyncClient(
-            transport=httpx.MockTransport(
-                lambda req: httpx.Response(200, json={"result": 1})
-            )
-        ) as client:
-            return await evaluate_sample_against_container(
-                client, URL, docker_client, CONTAINER, SAMPLE, eval_cfg, [0], ctx={}
-            )
+        with patch("worker.defense.evaluate.requests.post", return_value=_mock_response(1)):
+            with patch("worker.defense.evaluate.requests.get", return_value=_mock_response(1)):
+                return await evaluate_sample_against_container(
+                    URL, docker_client, CONTAINER, SAMPLE, eval_cfg, [0], ctx={}
+                )
 
     outcome = _run(run())
     assert outcome.evaded_reason is None
@@ -290,14 +258,11 @@ def test_docker_stats_failure_does_not_crash():
     docker_client.containers.get.side_effect = Exception("Docker unavailable")
 
     async def run():
-        async with httpx.AsyncClient(
-            transport=httpx.MockTransport(
-                lambda req: httpx.Response(200, json={"result": 0})
-            )
-        ) as client:
-            return await evaluate_sample_against_container(
-                client, URL, docker_client, CONTAINER, SAMPLE, eval_cfg, [0], ctx={}
-            )
+        with patch("worker.defense.evaluate.requests.post", return_value=_mock_response(0)):
+            with patch("worker.defense.evaluate.requests.get", return_value=_mock_response(0)):
+                return await evaluate_sample_against_container(
+                    URL, docker_client, CONTAINER, SAMPLE, eval_cfg, [0], ctx={}
+                )
 
     outcome = _run(run())
     assert outcome.evaded_reason is None
diff --git a/services/worker/tests/test_evaluate_redis.py b/services/worker/tests/test_evaluate_redis.py
index dcd4303..8e9fe1d 100644
--- a/services/worker/tests/test_evaluate_redis.py
+++ b/services/worker/tests/test_evaluate_redis.py
@@ -6,6 +6,7 @@
 from unittest.mock import AsyncMock, MagicMock, Mock, patch
 
 import pytest
+import requests as requests_lib
 
 from worker.defense.evaluate import (
     ContainerRestartError,
@@ -42,12 +43,22 @@ def pop_next_attack(self, worker_id):
     return pop_next_attack
 
 
+def _make_ok_response(result: int = 1) -> MagicMock:
+    resp = MagicMock(spec=requests_lib.Response)
+    resp.status_code = 200
+    resp.json.return_value = {"result": result}
+    return resp
+
+
+def _fake_requests_get(url, timeout=None):
+    """Readiness-check GET always succeeds."""
+    resp = MagicMock(spec=requests_lib.Response)
+    resp.status_code = 200
+    return resp
+
+
 def test_evaluate_polls_redis_queue(db_session, fake_redis, test_helpers, monkeypatch, config_dict, tmp_path):
     """Test evaluation polls Redis queue for attacks."""
-    import asyncio
-    from unittest.mock import AsyncMock, MagicMock
-
-    # Monkeypatch Redis client
     from worker.redis_client import WorkerRegistry
 
     def fake_init(self):
@@ -93,22 +104,10 @@ async def _fake_get_sample_path(key):
 
     monkeypatch.setattr("worker.defense.evaluate.get_sample_path", _fake_get_sample_path)
 
-    # Mock httpx async client
-    mock_http_response = MagicMock()
-    mock_http_response.status_code = 200
-    mock_http_response.json.return_value = {"result": 1}
-
-    mock_http_client = AsyncMock()
-    mock_http_client.post = AsyncMock(return_value=mock_http_response)
-
-    class FakeAsyncClient:
-        async def __aenter__(self):
-            return mock_http_client
-
-        async def __aexit__(self, *args):
-            pass
-
-    monkeypatch.setattr("httpx.AsyncClient", FakeAsyncClient)
+    # Mock requests.post (sync - called via asyncio.to_thread)
+    monkeypatch.setattr("worker.defense.evaluate.requests.post",
+                        lambda url, data=None, headers=None, timeout=None: _make_ok_response())
+    monkeypatch.setattr("worker.defense.evaluate.requests.get", _fake_requests_get)
 
     # Skip real sleeps between empty polls
     async def instant_sleep(seconds):
@@ -137,7 +136,6 @@ async def instant_sleep(seconds):
 def test_evaluate_downloads_from_minio(db_session, fake_redis, test_helpers, monkeypatch, config_dict, tmp_path):
     """Test evaluation fetches attack files via the cache layer."""
     from worker.redis_client import WorkerRegistry
-    from worker.config import EvaluationConfig
 
     def fake_init(self):
         self.client = fake_redis
@@ -166,21 +164,9 @@ async def fake_get_sample_path(key):
 
     monkeypatch.setattr("worker.defense.evaluate.get_sample_path", fake_get_sample_path)
 
-    mock_http_response = MagicMock()
-    mock_http_response.status_code = 200
-    mock_http_response.json.return_value = {"result": 1}
-
-    mock_http_client = AsyncMock()
-    mock_http_client.post = AsyncMock(return_value=mock_http_response)
-
-    class FakeAsyncClient:
-        async def __aenter__(self):
-            return mock_http_client
-
-        async def __aexit__(self, *args):
-            pass
-
-    monkeypatch.setattr("httpx.AsyncClient", FakeAsyncClient)
+    monkeypatch.setattr("worker.defense.evaluate.requests.post",
+                        lambda url, data=None, headers=None, timeout=None: _make_ok_response())
+    monkeypatch.setattr("worker.defense.evaluate.requests.get", _fake_requests_get)
 
     eval_cfg = EvaluationConfig(
         defense_max_time=5000,
@@ -230,7 +216,6 @@ async def instant_sleep(_):
 def test_evaluate_sends_to_gateway(db_session, fake_redis, test_helpers, monkeypatch, config_dict, tmp_path):
     """Test evaluation sends samples to container with correct headers."""
     from worker.redis_client import WorkerRegistry
-    from worker.config import EvaluationConfig
 
     def fake_init(self):
         self.client = fake_redis
@@ -251,36 +236,25 @@ def fake_init(self):
     sample_bytes = b"malware_sample_content"
     fake_sample = tmp_path / "sample.exe"
     fake_sample.write_bytes(sample_bytes)
+
     async def _fake_get_sample_path_gw(key):
         return fake_sample
 
     monkeypatch.setattr("worker.defense.evaluate.get_sample_path", _fake_get_sample_path_gw)
 
-    # Track httpx requests
+    # Track requests.post calls
     http_requests = []
 
-    async def fake_post(url, content=None, headers=None, timeout=None):
+    def fake_post(url, data=None, headers=None, timeout=None):
         http_requests.append({
             "url": url,
-            "content": content,
+            "content": data,
             "headers": headers,
         })
-        mock_response = MagicMock()
-        mock_response.status_code = 200
-        mock_response.json.return_value = {"result": 1}
-        return mock_response
-
-    mock_http_client = MagicMock()
-    mock_http_client.post = fake_post
-
-    class FakeAsyncClient:
-        async def __aenter__(self):
-            return mock_http_client
+        return _make_ok_response()
 
-        async def __aexit__(self, *args):
-            pass
-
-    monkeypatch.setattr("httpx.AsyncClient", FakeAsyncClient)
+    monkeypatch.setattr("worker.defense.evaluate.requests.post", fake_post)
+    monkeypatch.setattr("worker.defense.evaluate.requests.get", _fake_requests_get)
 
     eval_cfg = EvaluationConfig(
         defense_max_time=5000,
@@ -331,7 +305,6 @@ async def instant_sleep(_):
 def test_evaluate_records_results(db_session, fake_redis, test_helpers, monkeypatch, config_dict, tmp_path):
     """Test evaluation records results in database."""
     from worker.redis_client import WorkerRegistry
-    from worker.config import EvaluationConfig
 
     def fake_init(self):
         self.client = fake_redis
@@ -351,6 +324,7 @@ def fake_init(self):
 
     fake_sample = tmp_path / "sample.exe"
     fake_sample.write_bytes(b"sample")
+
     async def _fake_get_sample_path_rr(key):
         return fake_sample
 
@@ -359,25 +333,13 @@ async def _fake_get_sample_path_rr(key):
     # Alternate predictions across calls
     http_call_count = [0]
 
-    async def fake_post(url, content=None, headers=None, timeout=None):
-        mock_response = MagicMock()
-        mock_response.status_code = 200
+    def fake_post(url, data=None, headers=None, timeout=None):
         result = 0 if http_call_count[0] % 2 == 0 else 1
         http_call_count[0] += 1
-        mock_response.json.return_value = {"result": result}
-        return mock_response
-
-    mock_http_client = MagicMock()
-    mock_http_client.post = fake_post
+        return _make_ok_response(result)
 
-    class FakeAsyncClient:
-        async def __aenter__(self):
-            return mock_http_client
-
-        async def __aexit__(self, *args):
-            pass
-
-    monkeypatch.setattr("httpx.AsyncClient", FakeAsyncClient)
+    monkeypatch.setattr("worker.defense.evaluate.requests.post", fake_post)
+    monkeypatch.setattr("worker.defense.evaluate.requests.get", _fake_requests_get)
 
     eval_cfg = EvaluationConfig(
         defense_max_time=5000,
@@ -443,7 +405,6 @@ async def instant_sleep(_):
 def test_evaluate_updates_heartbeat(db_session, fake_redis, test_helpers, monkeypatch, config_dict, tmp_path):
     """Test evaluation updates heartbeat after processing each attack."""
     from worker.redis_client import WorkerRegistry
-    from worker.config import EvaluationConfig
 
     def fake_init(self):
         self.client = fake_redis
@@ -472,26 +433,15 @@ def fake_heartbeat(self, wid):
 
     fake_sample = tmp_path / "sample.exe"
     fake_sample.write_bytes(b"sample")
+
     async def _fake_get_sample_path_hb(key):
         return fake_sample
 
     monkeypatch.setattr("worker.defense.evaluate.get_sample_path", _fake_get_sample_path_hb)
 
-    mock_http_response = MagicMock()
-    mock_http_response.status_code = 200
-    mock_http_response.json.return_value = {"result": 1}
-
-    mock_http_client = AsyncMock()
-    mock_http_client.post = AsyncMock(return_value=mock_http_response)
-
-    class FakeAsyncClient:
-        async def __aenter__(self):
-            return mock_http_client
-
-        async def __aexit__(self, *args):
-            pass
-
-    monkeypatch.setattr("httpx.AsyncClient", FakeAsyncClient)
+    monkeypatch.setattr("worker.defense.evaluate.requests.post",
+                        lambda url, data=None, headers=None, timeout=None: _make_ok_response())
+    monkeypatch.setattr("worker.defense.evaluate.requests.get", _fake_requests_get)
 
     eval_cfg = EvaluationConfig(
         defense_max_time=5000,
@@ -540,7 +490,6 @@ async def instant_sleep(_):
 def test_evaluate_handles_minio_error(db_session, fake_redis, test_helpers, monkeypatch, config_dict):
     """Test evaluation handles cache/MinIO download errors gracefully."""
     from worker.redis_client import WorkerRegistry
-    from worker.config import EvaluationConfig
 
     def fake_init(self):
         self.client = fake_redis
@@ -615,9 +564,7 @@ async def instant_sleep(_):
 
 def test_evaluate_handles_gateway_timeout(db_session, fake_redis, test_helpers, monkeypatch, config_dict, tmp_path):
     """Test evaluation handles gateway timeout by storing evaded_reason='time_limit'."""
-    import httpx as _httpx
     from worker.redis_client import WorkerRegistry
-    from worker.config import EvaluationConfig
 
     def fake_init(self):
         self.client = fake_redis
@@ -637,25 +584,18 @@ def fake_init(self):
 
     fake_sample = tmp_path / "sample.exe"
     fake_sample.write_bytes(b"sample")
+
     async def _fake_get_sample_path_gt(key):
         return fake_sample
 
     monkeypatch.setattr("worker.defense.evaluate.get_sample_path", _fake_get_sample_path_gt)
 
-    async def fake_post(url, content=None, headers=None, timeout=None):
-        raise _httpx.TimeoutException("Request timed out")
-
-    mock_http_client = MagicMock()
-    mock_http_client.post = fake_post
+    # Both initial and extended-wait POST calls time out, triggering time_limit
+    def fake_post_timeout(url, data=None, headers=None, timeout=None):
+        raise requests_lib.exceptions.Timeout("Request timed out")
 
-    class FakeAsyncClient:
-        async def __aenter__(self):
-            return mock_http_client
-
-        async def __aexit__(self, *args):
-            pass
-
-    monkeypatch.setattr("httpx.AsyncClient", FakeAsyncClient)
+    monkeypatch.setattr("worker.defense.evaluate.requests.post", fake_post_timeout)
+    monkeypatch.setattr("worker.defense.evaluate.requests.get", _fake_requests_get)
 
     eval_cfg = EvaluationConfig(
         defense_max_time=5000,
@@ -716,7 +656,6 @@ async def instant_sleep(_):
 def test_evaluate_handles_invalid_response(db_session, fake_redis, test_helpers, monkeypatch, config_dict, tmp_path):
     """Test evaluation handles invalid defense responses by leaving model_output as NULL."""
     from worker.redis_client import WorkerRegistry
-    from worker.config import EvaluationConfig
 
     def fake_init(self):
         self.client = fake_redis
@@ -736,28 +675,20 @@ def fake_init(self):
 
     fake_sample = tmp_path / "sample.exe"
     fake_sample.write_bytes(b"sample")
+
     async def _fake_get_sample_path_ir(key):
         return fake_sample
 
     monkeypatch.setattr("worker.defense.evaluate.get_sample_path", _fake_get_sample_path_ir)
 
-    async def fake_post(url, content=None, headers=None, timeout=None):
-        mock_response = MagicMock()
-        mock_response.status_code = 200
-        mock_response.json.return_value = {"result": 99}
-        return mock_response
+    def fake_post_invalid(url, data=None, headers=None, timeout=None):
+        resp = MagicMock(spec=requests_lib.Response)
+        resp.status_code = 200
+        resp.json.return_value = {"result": 99}
+        return resp
 
-    mock_http_client = MagicMock()
-    mock_http_client.post = fake_post
-
-    class FakeAsyncClient:
-        async def __aenter__(self):
-            return mock_http_client
-
-        async def __aexit__(self, *args):
-            pass
-
-    monkeypatch.setattr("httpx.AsyncClient", FakeAsyncClient)
+    monkeypatch.setattr("worker.defense.evaluate.requests.post", fake_post_invalid)
+    monkeypatch.setattr("worker.defense.evaluate.requests.get", _fake_requests_get)
 
     eval_cfg = EvaluationConfig(
         defense_max_time=5000,
@@ -815,7 +746,7 @@ async def instant_sleep(_):
 
 
 # ---------------------------------------------------------------------------
-# Phase 9: evaded_reason stored in evaluation_file_results
+# evaded_reason stored in evaluation_file_results
 # ---------------------------------------------------------------------------
 
 def test_time_limit_evaded_reason_stored_in_db(
@@ -848,6 +779,7 @@ def fake_init(self):
 
     fake_sample = tmp_path / "sample.exe"
     fake_sample.write_bytes(b"MZ" + b"\x00" * 64)
+
     async def _fake_get_sample_path_tl(key):
         return fake_sample
 
@@ -914,7 +846,7 @@ async def fake_sleep(_):
 
 
 # ---------------------------------------------------------------------------
-# Phase 9: ContainerRestartError removes defense from batch
+# ContainerRestartError removes defense from batch
 # ---------------------------------------------------------------------------
 
 def test_container_restart_error_removes_defense_from_batch(
@@ -950,6 +882,7 @@ def fake_init(self):
 
     fake_sample = tmp_path / "sample.exe"
     fake_sample.write_bytes(b"MZ" + b"\x00" * 64)
+
     async def _fake_get_sample_path_cr(key):
         return fake_sample
 
@@ -1012,23 +945,3 @@ def side_effect_fn(**kwargs):
             )
         finally:
             loop.close()
-
-    assert defense1_id in failed_defenses
-
-    from sqlalchemy import text
-
-    result = db_session.execute(
-        text(
-            """
-            SELECT e.model_output
-            FROM evaluation_file_results e
-            JOIN evaluation_runs er ON e.evaluation_run_id = er.id
-            WHERE er.defense_submission_id = CAST(:def_id AS uuid)
-            AND er.attack_submission_id = CAST(:attack_id AS uuid)
-            """
-        ),
-        {"def_id": defense2_id, "attack_id": attack_id},
-    ).fetchone()
-
-    assert result is not None
-    assert result[0] == 1
diff --git a/services/worker/tests/test_github_handler.py b/services/worker/tests/test_github_handler.py
index e954650..50577f9 100644
--- a/services/worker/tests/test_github_handler.py
+++ b/services/worker/tests/test_github_handler.py
@@ -5,8 +5,110 @@
 import pytest
 import docker
 import random
+from unittest.mock import MagicMock, patch
 
-from worker.defense.github_handler import build_from_github_repo
+from worker.defense.github_handler import build_from_github_repo, _parse_github_url
+
+
+# ============================================================================
+# Unit tests for _parse_github_url (no network, no docker)
+# ============================================================================
+
+def test_parse_github_url_no_branch():
+    """Plain URL returns (url, None)."""
+    url = "https://github.com/user/repo"
+    clone_url, branch = _parse_github_url(url)
+    assert clone_url == "https://github.com/user/repo"
+    assert branch is None
+
+
+def test_parse_github_url_simple_branch():
+    """URL with /tree/<branch> returns correct tuple."""
+    clone_url, branch = _parse_github_url("https://github.com/user/repo/tree/my-branch")
+    assert clone_url == "https://github.com/user/repo"
+    assert branch == "my-branch"
+
+
+def test_parse_github_url_slash_branch():
+    """URL with a multi-segment branch (feature/foo) parses correctly."""
+    clone_url, branch = _parse_github_url("https://github.com/user/repo/tree/feature/my-feature")
+    assert clone_url == "https://github.com/user/repo"
+    assert branch == "feature/my-feature"
+
+
+def test_parse_github_url_git_suffix():
+    """.git suffix is accepted and stripped from the returned clone_url."""
+    clone_url, branch = _parse_github_url("https://github.com/user/repo.git")
+    assert clone_url == "https://github.com/user/repo"
+    assert branch is None
+
+
+def test_parse_github_url_invalid_raises():
+    """Garbage URL raises ValueError."""
+    with pytest.raises(ValueError, match="Unparseable"):
+        _parse_github_url("not-a-github-url")
+
+
+def test_build_clones_with_branch(config_dict):
+    """build_from_github_repo passes branch= to git.Repo.clone_from for branch URLs."""
+    mock_repo = MagicMock()
+
+    with patch("worker.defense.github_handler.git") as mock_git, \
+         patch("worker.defense.github_handler.validate_dockerfile_safety"), \
+         patch("worker.defense.github_handler.validate_build_context"), \
+         patch("worker.defense.github_handler.Path") as mock_path, \
+         patch("worker.defense.github_handler.docker") as mock_docker:
+
+        mock_git.Repo.clone_from.return_value = mock_repo
+        mock_git.GitCommandError = Exception
+
+        dockerfile = MagicMock()
+        dockerfile.exists.return_value = True
+        mock_path.return_value.__truediv__ = lambda self, other: dockerfile
+
+        mock_image = MagicMock()
+        mock_docker.from_env.return_value.images.build.return_value = (mock_image, [])
+
+        build_from_github_repo(
+            "https://github.com/user/repo/tree/my-branch",
+            12345,
+            config_dict,
+        )
+
+    call_kwargs = mock_git.Repo.clone_from.call_args
+    assert call_kwargs[0][0] == "https://github.com/user/repo"
+    assert call_kwargs[1].get("branch") == "my-branch"
+
+
+def test_build_clones_without_branch(config_dict):
+    """build_from_github_repo omits branch= kwarg for plain URLs."""
+    mock_repo = MagicMock()
+
+    with patch("worker.defense.github_handler.git") as mock_git, \
+         patch("worker.defense.github_handler.validate_dockerfile_safety"), \
+         patch("worker.defense.github_handler.validate_build_context"), \
+         patch("worker.defense.github_handler.Path") as mock_path, \
+         patch("worker.defense.github_handler.docker") as mock_docker:
+
+        mock_git.Repo.clone_from.return_value = mock_repo
+        mock_git.GitCommandError = Exception
+
+        dockerfile = MagicMock()
+        dockerfile.exists.return_value = True
+        mock_path.return_value.__truediv__ = lambda self, other: dockerfile
+
+        mock_image = MagicMock()
+        mock_docker.from_env.return_value.images.build.return_value = (mock_image, [])
+
+        build_from_github_repo(
+            "https://github.com/user/repo",
+            12345,
+            config_dict,
+        )
+
+    call_kwargs = mock_git.Repo.clone_from.call_args
+    assert call_kwargs[0][0] == "https://github.com/user/repo"
+    assert "branch" not in call_kwargs[1]
 
 
 def test_build_from_real_github_repo(config_dict):
diff --git a/services/worker/worker/cache_handler.py b/services/worker/worker/cache_handler.py
index 88b9bcb..35d8f36 100644
--- a/services/worker/worker/cache_handler.py
+++ b/services/worker/worker/cache_handler.py
@@ -10,7 +10,9 @@
 from pathlib import Path
 from typing import Optional
 
+import time
 from worker.minio_client import get_minio_client, get_bucket_name
+from worker.redis_client import get_redis_client
 
 logger = logging.getLogger(__name__)
 
@@ -31,36 +33,152 @@ async def get_sample_path(object_key: str) -> Path:
     # Create valid local filename from object key
     local_path = CACHE_DIR / object_key
     
-    if await asyncio.to_thread(local_path.exists):
-        return local_path
-        
-    await asyncio.to_thread(local_path.parent.mkdir, parents=True, exist_ok=True)
-    
-    # Download to temporary file
-    temp_path = local_path.with_suffix(f".tmp.{uuid.uuid4()}")
-    
+    # Wait for potential clearing to finish
     try:
-        minio_client = get_minio_client()
-        bucket_name = get_bucket_name()
-        
-        logger.info(f"Downloading {object_key} from MinIO")
-        await asyncio.to_thread(minio_client.fget_object, bucket_name, object_key, str(temp_path))
+        redis_client = get_redis_client()
+        while redis_client.exists("lock:cache_clearing"):
+            await asyncio.sleep(0.5)
+        # Register as a reader
+        redis_client.incr("cache:readers")
+    except Exception:
+        logger.debug("Redis unavailable for cache locking, proceeding blindly")
 
-        await asyncio.to_thread(os.rename, temp_path, local_path)
-        logger.info(f"Cached {object_key}")
+    try:
+        if await asyncio.to_thread(local_path.exists):
+            return local_path
+            
+        await asyncio.to_thread(local_path.parent.mkdir, parents=True, exist_ok=True)
         
-    except Exception as e:
-        logger.error(f"Failed to cache sample {object_key}: {e}")
-        if await asyncio.to_thread(temp_path.exists):
-            await asyncio.to_thread(os.unlink, temp_path)
-        raise
+        # Download to temporary file
+        temp_path = local_path.with_suffix(f".tmp.{uuid.uuid4()}")
+        
+        try:
+            minio_client = get_minio_client()
+            bucket_name = get_bucket_name()
+            
+            logger.info(f"Downloading {object_key} from MinIO")
+            await asyncio.to_thread(minio_client.fget_object, bucket_name, object_key, str(temp_path))
+
+            await asyncio.to_thread(os.rename, temp_path, local_path)
+            logger.info(f"Cached {object_key}")
+            
+        except Exception as e:
+            logger.error(f"Failed to cache sample {object_key}: {e}")
+            if await asyncio.to_thread(temp_path.exists):
+                await asyncio.to_thread(os.unlink, temp_path)
+            raise
+    finally:
+        try:
+            get_redis_client().decr("cache:readers")
+        except Exception:
+            pass
         
     return local_path
 
-# TODO: Implement some kind of scheduled cleanup 
 def clear_cache() -> None:
-    """Clear the entire local cache."""
-    if CACHE_DIR.exists():
-        logger.info("Clearing local sample cache")
-        shutil.rmtree(CACHE_DIR)
-        CACHE_DIR.mkdir(exist_ok=True)
+    """Clear the entire local cache with lock."""
+    try:
+        redis_client = get_redis_client()
+        # Acquire clearing lock
+        if not redis_client.set("lock:cache_clearing", "1", nx=True, ex=300):
+            logger.info("Skipping cache clear: another process is already clearing it.")
+            return
+
+        # Wait for any active readers to finish their work
+        wait_start = time.time()
+        while int(redis_client.get("cache:readers") or 0) > 0:
+            if time.time() - wait_start > 60:
+                logger.warning("Timed out waiting for cache readers, forcing clear anyway.")
+                break
+            time.sleep(0.5)
+
+        if CACHE_DIR.exists():
+            logger.info("Clearing local sample cache")
+            for item in CACHE_DIR.iterdir():
+                try:
+                    if item.is_dir():
+                        shutil.rmtree(item)
+                    else:
+                        item.unlink()
+                except Exception as e:
+                    logger.warning(f"Failed to delete {item}: {e}")
+    except Exception:
+        logger.exception("Failed to clear cache")
+    finally:
+        try:
+            redis_client.delete("lock:cache_clearing")
+        except Exception:
+            pass
+
+def get_cache_size_bytes() -> int:
+    """Return total size of samples in the cache directory."""
+    if not CACHE_DIR.exists():
+        return 0
+    return sum(f.stat().st_size for f in CACHE_DIR.glob("**/*") if f.is_file())
+
+def prune_cache(max_size_bytes: int) -> None:
+    """Oldest-file-first pruning to keep cache under size limit."""
+    try:
+        redis_client = get_redis_client()
+        if not redis_client.set("lock:cache_clearing", "1", nx=True, ex=300):
+            logger.info("Skipping cache prune: clearing lock already held")
+            return
+
+        wait_start = time.time()
+        while int(redis_client.get("cache:readers") or 0) > 0:
+            if time.time() - wait_start > 60:
+                logger.warning("Pruner timed out waiting for readers, proceeding anyway")
+                break
+            time.sleep(0.5)
+
+        files = []
+        for f in CACHE_DIR.glob("**/*"):
+            if f.is_file():
+                try:
+                    stat = f.stat()
+                    files.append((f, stat.st_atime or stat.st_mtime, stat.st_size))
+                except Exception:
+                    continue
+
+        # Sort by time
+        files.sort(key=lambda x: x[1])
+        current_size = sum(f[2] for f in files)
+
+        if current_size <= max_size_bytes:
+            return
+
+        logger.info(
+            f"Pruning cache: {current_size/1e6:.2f}MB exceeds limit {max_size_bytes/1e6:.2f}MB"
+        )
+
+        deleted_count = 0
+        deleted_size = 0
+        for f_path, _, f_size in files:
+            if current_size <= max_size_bytes:
+                break
+            try:
+                f_path.unlink()
+                current_size -= f_size
+                deleted_size += f_size
+                deleted_count += 1
+            except Exception as e:
+                logger.warning(f"Failed to prune {f_path}: {e}")
+
+        for d in sorted(CACHE_DIR.glob("**/*"), key=lambda x: len(str(x)), reverse=True):
+            if d.is_dir() and not any(d.iterdir()):
+                try:
+                    d.rmdir()
+                except Exception:
+                    pass
+
+        logger.info(
+            f"Cache pruning complete: deleted {deleted_count} files ({deleted_size/1e6:.2f}MB)"
+        )
+
+    except Exception:
+        logger.exception("Error during cache pruning")
+    finally:
+        try:
+            redis_client.delete("lock:cache_clearing")
+        except Exception:
+            pass
diff --git a/services/worker/worker/cache_monitor.py b/services/worker/worker/cache_monitor.py
index 7d5b47b..1cc97e0 100644
--- a/services/worker/worker/cache_monitor.py
+++ b/services/worker/worker/cache_monitor.py
@@ -7,6 +7,7 @@
 import time
 
 from worker.cache_handler import clear_cache
+from worker.redis_client import get_redis_client
 
 logger = logging.getLogger(__name__)
 
@@ -25,10 +26,17 @@ class CacheMonitor:
         monitor.on_job_end()     # call from task_postrun signal
     """
 
-    def __init__(self, celery_app, queue_name: str, persistence_duration: int) -> None:
+    def __init__(
+        self,
+        celery_app: Celery,
+        persistence_duration: int,
+        max_size_gb: float,
+        queue_name: str = "mlsec"
+    ) -> None:
         self._celery_app = celery_app
         self._queue_name = queue_name
         self._persistence_duration = persistence_duration
+        self._max_size_gb = max_size_gb
 
         self._lock = threading.Lock()
         self._active_job_count: int = 0
@@ -40,6 +48,16 @@ def __init__(self, celery_app, queue_name: str, persistence_duration: int) -> No
         )
 
     def start(self) -> None:
+        try:
+            redis_client = get_redis_client()
+            lock_key = "lock:cache_monitor"
+            if not redis_client.set(lock_key, "1", nx=True, ex=120):
+                logger.info("Skipping cache monitor: another worker is already running it.")
+                return
+        except Exception as e:
+            logger.error(f"Redis connection failed in CacheMonitor: {e}")
+            return
+
         self._thread.start()
         logger.info(
             f"Cache monitor started "
@@ -51,20 +69,36 @@ def stop(self) -> None:
         self._stop_event.set()
 
     def on_job_start(self) -> None:
+        """Called by Celery signal before job execution."""
         with self._lock:
             self._active_job_count += 1
             self._last_active_time = time.monotonic()
+        
+        try:
+            get_redis_client().incr("cache:global_busy_count")
+        except Exception:
+            logger.exception("Failed to increment global busy count in Redis")
 
     def on_job_end(self) -> None:
+        """Called by Celery signal after job execution."""
         with self._lock:
             self._active_job_count = max(0, self._active_job_count - 1)
             self._last_active_time = time.monotonic()
+        
+        try:
+            redis_client = get_redis_client()
+            count = redis_client.decr("cache:global_busy_count")
+            if count < 0:
+                redis_client.set("cache:global_busy_count", 0)
+        except Exception:
+            logger.exception("Failed to decrement global busy count in Redis")
 
     def _is_queue_empty(self) -> bool:
         """Return True if the broker queue has no waiting messages."""
         try:
-            with self._celery_app.connection_or_connect() as conn:
-                result = conn.default_channel.queue_declare(
+            with self._celery_app.connection() as conn:
+                channel = conn.channel()
+                result = channel.queue_declare(
                     queue=self._queue_name, passive=True
                 )
                 return result.message_count == 0
@@ -73,12 +107,40 @@ def _is_queue_empty(self) -> bool:
             return False
 
     def _run(self) -> None:
+        redis_client = get_redis_client()
+        lock_key = "lock:cache_monitor"
+        max_size_bytes = int(self._max_size_gb * 1024 * 1024 * 1024)
+
         while not self._stop_event.wait(_POLL_INTERVAL):
+            # Refresh owner lock
+            try:
+                # Extend the lock to show this worker is still active
+                redis_client.expire(lock_key, 60)
+            except Exception:
+                logger.warning("Failed to refresh cache monitor lock")
+
+            try:
+                from worker.cache_handler import get_cache_size_bytes, prune_cache
+
+                current_size = get_cache_size_bytes()
+                if current_size > max_size_bytes:
+                    prune_cache(max_size_bytes)
+            except Exception:
+                logger.error("Failed to perform disk quota check")
+
             with self._lock:
-                active_jobs = self._active_job_count
+                local_active = self._active_job_count
                 last_active = self._last_active_time
 
-            if active_jobs > 0:
+            if local_active > 0:
+                continue
+
+            # Check status across all workers
+            try:
+                global_busy = int(redis_client.get("cache:global_busy_count") or 0)
+                if global_busy > 0:
+                    continue
+            except Exception:
                 continue
 
             elapsed = time.monotonic() - last_active
diff --git a/services/worker/worker/celery_app.py b/services/worker/worker/celery_app.py
index b7333fc..7902fa1 100644
--- a/services/worker/worker/celery_app.py
+++ b/services/worker/worker/celery_app.py
@@ -63,11 +63,15 @@ def on_worker_ready(**_) -> None:  # type: ignore[no-untyped-def]
     try:
         from worker.cache_monitor import CacheMonitor
         from worker.config import get_config
-        persistence_duration = get_config().worker.attack.cache_persistence_duration
+        config = get_config()
+        persistence_duration = config.worker.attack.cache_persistence_duration
+        max_size_gb = getattr(config.worker.attack, "cache_max_size_gb", 10.0)
+
         _cache_monitor = CacheMonitor(
             celery_app=celery_app,
             queue_name=default_queue,
             persistence_duration=persistence_duration,
+            max_size_gb=max_size_gb,
         )
         _cache_monitor.start()
     except Exception:
diff --git a/services/worker/worker/config.py b/services/worker/worker/config.py
index 62d6d1d..b24de51 100644
--- a/services/worker/worker/config.py
+++ b/services/worker/worker/config.py
@@ -73,6 +73,10 @@ class SourceConfig(BaseModel):
 
 class AttackConfig(BaseModel):
     """Configuration for attack validation and evaluation."""
+    # True = skip template seeding and all behavioral checks entirely.
+    # Overrides check_similarity when set to True.
+    skip_seeding: bool = False
+
     # Whether to run similarity evaluation at all.
     # False = skip evaluation, accept all attacks that pass validation.
     check_similarity: bool = True
@@ -98,9 +102,9 @@ class MinIOConfig(BaseModel):
     endpoint: str = Field(default_factory=lambda: os.getenv(
         "MINIO_ENDPOINT", "minio:9000"))
     access_key: str = Field(default_factory=lambda: os.getenv(
-        "MINIO_ACCESS_KEY", "minioadmin"))
+        "MINIO_ACCESS_KEY", "mlsec2"))
     secret_key: str = Field(default_factory=lambda: os.getenv(
-        "MINIO_SECRET_KEY", "minioadmin"))
+        "MINIO_SECRET_KEY", "mlsec2_pw"))
     bucket_name: str = "mlsec-submissions"
     secure: bool = Field(default_factory=lambda: os.getenv(
         "MINIO_SECURE", "false").lower() == "true")
diff --git a/services/worker/worker/db.py b/services/worker/worker/db.py
index c9a6dff..7b66c74 100644
--- a/services/worker/worker/db.py
+++ b/services/worker/worker/db.py
@@ -49,6 +49,17 @@ def set_job_status(*, job_id: str, status: str, error: str | None = None) -> Non
             )
 
 
+def get_submission_status(submission_id: str) -> str | None:
+    from sqlalchemy import text
+    engine = get_engine()
+    with engine.connect() as conn:
+        result = conn.execute(
+            text("SELECT status FROM submissions WHERE id = :id"),
+            {"id": submission_id},
+        ).scalar()
+        return result
+
+
 def get_defense_docker_image(*, submission_id: str) -> str | None:
     from sqlalchemy import text
     engine = get_engine()
@@ -84,20 +95,27 @@ def ensure_evaluation_run(*, defense_submission_id: str, attack_submission_id: s
         return str(result)
 
 
-def set_evaluation_run_status(evaluation_run_id: str, status: str) -> None:
+def set_evaluation_run_status(
+    evaluation_run_id: str,
+    status: str,
+    *,
+    error: str | None = None,
+) -> None:
     from sqlalchemy import text
     engine = get_engine()
     with engine.begin() as conn:
         conn.execute(
             text(
                 """
-                UPDATE evaluation_runs 
+                UPDATE evaluation_runs
                 SET status = :status,
+                    error = :error,
+                    duration_ms = EXTRACT(EPOCH FROM (CURRENT_TIMESTAMP - created_at)) * 1000,
                     updated_at = CURRENT_TIMESTAMP
                 WHERE id = :id
                 """
             ),
-            {"status": status, "id": evaluation_run_id},
+            {"status": status, "error": error, "id": evaluation_run_id},
         )
 
 
@@ -317,7 +335,7 @@ def check_if_needs_validation(defense_submission_id: str) -> bool:
 
 def mark_defense_validated(defense_submission_id: str) -> None:
     """
-    Mark defense as functionally validated.
+    Mark defense as functionally validated and activate it for the user.
 
     Args:
         defense_submission_id: Defense submission UUID
@@ -354,13 +372,15 @@ def mark_defense_validated(defense_submission_id: str) -> None:
 
 def mark_defense_failed(defense_submission_id: str, error: str) -> None:
     """
-    Mark defense as failed validation.
+    Mark defense as failed and deactivate it, falling back to the user's most
+    recent other validated/evaluated submission if one exists.
 
     Args:
         defense_submission_id: Defense submission UUID
-        error: Error message describing validation failure
+        error: Error message describing the failure
     """
     from sqlalchemy import text
+    from worker.redis_client import get_redis_client
     engine = get_engine()
     with engine.begin() as conn:
         conn.execute(
@@ -373,6 +393,32 @@ def mark_defense_failed(defense_submission_id: str, error: str) -> None:
             """),
             {"id": defense_submission_id, "error": error}
         )
+        conn.execute(
+            text("DELETE FROM active_submissions WHERE submission_id = :id"),
+            {"id": defense_submission_id},
+        )
+        conn.execute(
+            text("""
+                INSERT INTO active_submissions (user_id, submission_type, submission_id, updated_at)
+                SELECT s_fail.user_id, 'defense', s_cand.id, NOW()
+                FROM submissions s_fail
+                JOIN submissions s_cand
+                  ON s_cand.user_id = s_fail.user_id
+                 AND s_cand.id != :id
+                 AND s_cand.submission_type = 'defense'
+                 AND s_cand.status IN ('validated', 'evaluated')
+                 AND s_cand.deleted_at IS NULL
+                WHERE s_fail.id = :id
+                ORDER BY s_cand.created_at DESC
+                LIMIT 1
+                ON CONFLICT (user_id, submission_type) DO NOTHING
+            """),
+            {"id": defense_submission_id},
+        )
+    try:
+        get_redis_client().publish("leaderboard:updated", "defense_failed")
+    except Exception:
+        pass
 
 
 def mark_defense_validating(defense_submission_id: str) -> None:
diff --git a/services/worker/worker/defense/evaluate.py b/services/worker/worker/defense/evaluate.py
index 7d7c320..3c6ccfe 100644
--- a/services/worker/worker/defense/evaluate.py
+++ b/services/worker/worker/defense/evaluate.py
@@ -9,7 +9,7 @@
 from typing import Any
 
 import docker
-import httpx
+import requests
 
 from worker.config import EvaluationConfig, get_config
 from worker.db import (
@@ -39,8 +39,29 @@ class EvalOutcome:
     duration_ms: int
 
 
+_CONTAINER_READY_TIMEOUT = 30  # seconds to wait for container to accept requests after restart
+
+
+async def _wait_for_container_ready(container_url: str, container_name: str) -> None:
+    """Poll container_url until it responds or the timeout expires."""
+    start_wait = time.monotonic()
+    while (time.monotonic() - start_wait) < _CONTAINER_READY_TIMEOUT:
+        try:
+            resp = await asyncio.to_thread(requests.get, container_url, timeout=2)
+            if resp.status_code != 502:
+                logger.info("Container %s is ready after restart.", container_name)
+                return
+        except Exception:
+            pass
+        await asyncio.sleep(0.5)
+    logger.warning(
+        "Container %s did not become ready within %ds after restart.",
+        container_name,
+        _CONTAINER_READY_TIMEOUT,
+    )
+
+
 async def evaluate_sample_against_container(
-    client: httpx.AsyncClient,
     container_url: str,
     docker_client: docker.DockerClient,
     container_name: str,
@@ -64,8 +85,15 @@ async def evaluate_sample_against_container(
 
     Note: restart handling behavior may change in future iterations.
 
+    Uses requests.post via asyncio.to_thread rather than an async HTTP client.
+    This avoids a known issue where async clients interleave sending a large
+    request body with reading the response: if the WSGI handler returns before
+    consuming the request body, the server closes the connection while the
+    async client is still writing, producing a spurious ReadError. Synchronous
+    requests sends the full body before reading the response, so this race
+    cannot occur.
+
     Args:
-        client: Shared httpx async client.
         container_url: URL to POST sample bytes to.
         docker_client: Docker SDK client for stats and restart operations.
         container_name: Name of the container to monitor and restart.
@@ -73,6 +101,9 @@ async def evaluate_sample_against_container(
         eval_cfg: Evaluation configuration with resource limits.
         restart_count_ref: Single-element list used as a mutable counter
             shared across calls for the same container.
+        ctx: Shared per-defense context dict (holds cached container object).
+        file_index: Index of this file within the current attack, used to
+            control stats sampling rate.
 
     Returns:
         EvalOutcome with model_output, evaded_reason, and duration_ms.
@@ -88,9 +119,10 @@ async def evaluate_sample_against_container(
     short_timeout = eval_cfg.defense_max_time / 1000.0
 
     try:
-        response = await client.post(
+        response = await asyncio.to_thread(
+            requests.post,
             container_url,
-            content=sample_content,
+            data=sample_content,
             headers=headers,
             timeout=short_timeout,
         )
@@ -124,6 +156,7 @@ async def evaluate_sample_against_container(
                             f"({eval_cfg.defense_max_restarts})."
                         )
                     await asyncio.to_thread(container.restart)
+                    await _wait_for_container_ready(container_url, container_name)
             except ContainerRestartError:
                 raise
             except Exception as exc:
@@ -149,7 +182,7 @@ async def evaluate_sample_against_container(
                     response.status_code,
                 )
 
-    except httpx.TimeoutException:
+    except requests.exceptions.Timeout:
         evaded_reason = "time_limit"
         model_output = 0
         logger.warning(
@@ -162,13 +195,14 @@ async def evaluate_sample_against_container(
             eval_cfg.defense_max_timeout - eval_cfg.defense_max_time
         ) / 1000.0
         try:
-            await client.post(
+            await asyncio.to_thread(
+                requests.post,
                 container_url,
-                content=sample_content,
+                data=sample_content,
                 headers=headers,
                 timeout=max(extended_timeout, 0.0),
             )
-        except httpx.TimeoutException:
+        except requests.exceptions.Timeout:
             logger.warning(
                 "Container %s unresponsive after full timeout (%d ms); restarting.",
                 container_name,
@@ -185,6 +219,9 @@ async def evaluate_sample_against_container(
                     ctx["container_obj"] = await asyncio.to_thread(docker_client.containers.get, container_name)
                 container = ctx["container_obj"]
                 await asyncio.to_thread(container.restart)
+                await _wait_for_container_ready(container_url, container_name)
+            except ContainerRestartError:
+                raise
             except Exception as exc:
                 logger.warning(
                     "Failed to restart container %s: %s", container_name, exc
@@ -194,6 +231,37 @@ async def evaluate_sample_against_container(
                 "Extended wait request failed for %s: %s", container_url, exc
             )
 
+    except requests.exceptions.ConnectionError as exc:
+        # Connection dropped mid-request.
+        # Treat this as a container crash: mark evaded, restart.
+        evaded_reason = "connection_error"
+        model_output = 0
+        logger.warning(
+            "Container %s dropped connection (%s: %s); restarting.",
+            container_name,
+            type(exc).__name__,
+            exc or "no message",
+        )
+        restart_count_ref[0] += 1
+        if restart_count_ref[0] > eval_cfg.defense_max_restarts:
+            raise ContainerRestartError(
+                f"Container {container_name!r} exceeded maximum restarts "
+                f"({eval_cfg.defense_max_restarts})."
+            )
+        try:
+            ctx.pop("container_obj", None)  # Force re-fetch after restart
+            ctx["container_obj"] = await asyncio.to_thread(docker_client.containers.get, container_name)
+            await asyncio.to_thread(ctx["container_obj"].restart)
+            await _wait_for_container_ready(container_url, container_name)
+        except ContainerRestartError:
+            raise
+        except Exception as restart_exc:
+            logger.warning(
+                "Failed to restart container %s after connection error: %s",
+                container_name,
+                restart_exc,
+            )
+
     duration_ms = int((time.monotonic() - start) * 1000)
     return EvalOutcome(
         model_output=model_output,
@@ -203,7 +271,6 @@ async def evaluate_sample_against_container(
 
 
 async def _evaluate_single_sample(
-    client: httpx.AsyncClient,
     ctx: dict[str, Any],
     sample_content: bytes,
     run_id: str,
@@ -217,7 +284,6 @@ async def _evaluate_single_sample(
     loop can remove the failed defense from the active set.
     """
     outcome = await evaluate_sample_against_container(
-        client=client,
         container_url=ctx["url"],
         docker_client=ctx["docker_client"],
         container_name=ctx["container_name"],
@@ -271,116 +337,114 @@ async def evaluate_defenses_async(
         ctx.setdefault("restart_count_ref", [0])
     active_contexts = list(defense_contexts)
 
-    async with httpx.AsyncClient() as client:
-        while True:
-            attack_id = registry.pop_next_attack(worker_id)
-
-            if attack_id is None:
-                empty_poll_count += 1
-                if empty_poll_count >= max_empty_polls:
-                    logger.info("Queue exhausted after %d empty polls", empty_poll_count)
-                    registry.close_queue(worker_id)
-                    break
-                await asyncio.sleep(1)
-                continue
-
-            empty_poll_count = 0
-            logger.info("Processing attack %s for batch", attack_id)
-
-            # Ensure evaluation runs exist for all active defenses in batch.
-            runs: list[str] = []
-            for ctx in active_contexts:
-                def_id = ctx["defense_submission_id"]
-                key = (def_id, attack_id)
-                if key not in evaluation_runs:
-                    run_id = ensure_evaluation_run(
-                        defense_submission_id=def_id,
-                        attack_submission_id=attack_id,
-                    )
-                    evaluation_runs[key] = run_id
-                    mark_defense_evaluating(def_id)
-                runs.append(evaluation_runs[key])
+    while True:
+        attack_id = registry.pop_next_attack(worker_id)
+
+        if attack_id is None:
+            empty_poll_count += 1
+            if empty_poll_count >= max_empty_polls:
+                logger.info("Queue exhausted after %d empty polls", empty_poll_count)
+                registry.close_queue(worker_id)
+                break
+            await asyncio.sleep(1)
+            continue
+
+        empty_poll_count = 0
+        logger.info("Processing attack %s for batch", attack_id)
+
+        # Ensure evaluation runs exist for all active defenses in batch.
+        runs: list[str] = []
+        for ctx in active_contexts:
+            def_id = ctx["defense_submission_id"]
+            key = (def_id, attack_id)
+            if key not in evaluation_runs:
+                run_id = ensure_evaluation_run(
+                    defense_submission_id=def_id,
+                    attack_submission_id=attack_id,
+                )
+                evaluation_runs[key] = run_id
+                mark_defense_evaluating(def_id)
+            runs.append(evaluation_runs[key])
 
-            # Process attack files
-            attack_files = get_attack_files(attack_id)
-            for f_idx, file_info in enumerate(attack_files):
-                file_id = file_info["id"]
-                object_key = file_info["object_key"]
+        # Process attack files
+        attack_files = get_attack_files(attack_id)
+        for f_idx, file_info in enumerate(attack_files):
+            file_id = file_info["id"]
+            object_key = file_info["object_key"]
 
-                try:
-                    local_path = await get_sample_path(object_key)
-                    with open(local_path, "rb") as f:
-                        sample_content = f.read()
-                except Exception as e:
-                    for run_id in runs:
-                        upsert_evaluation(
-                            evaluation_run_id=run_id,
-                            attack_file_id=file_id,
-                            result=None,
-                            error=f"Cache/MinIO error: {e}",
-                            duration_ms=0,
-                        )
-                    continue
-
-                # Broadcast to all active defenses concurrently.
-                tasks = [
-                    _evaluate_single_sample(
-                        client=client,
-                        ctx=ctx,
-                        sample_content=sample_content,
-                        run_id=runs[i],
-                        file_id=file_id,
-                        eval_cfg=eval_cfg,
-                        file_index=f_idx,
+            try:
+                local_path = await get_sample_path(object_key)
+                with open(local_path, "rb") as f:
+                    sample_content = f.read()
+            except Exception as e:
+                for run_id in runs:
+                    upsert_evaluation(
+                        evaluation_run_id=run_id,
+                        attack_file_id=file_id,
+                        result=None,
+                        error=f"Cache/MinIO error: {e}",
+                        duration_ms=0,
                     )
-                    for i, ctx in enumerate(active_contexts)
-                ]
-
-                results = await asyncio.gather(*tasks, return_exceptions=True)
-
-                # Remove any defense that exhausted its restart budget.
-                failed_indices = []
-                for i, result in enumerate(results):
-                    if isinstance(result, ContainerRestartError):
-                        ctx = active_contexts[i]
-                        error_msg = (
-                            "Container exceeded maximum restarts during evaluation."
-                        )
-                        logger.error(
-                            "Defense %s exceeded maximum restarts; removing from batch.",
-                            ctx["defense_submission_id"],
-                        )
-                        set_evaluation_run_status(runs[i], "failed")
-                        mark_defense_failed(ctx["defense_submission_id"], error_msg)
-                        failed_indices.append(i)
-                    elif isinstance(result, Exception):
-                        logger.error(
-                            "Unexpected error evaluating defense %s: %s",
-                            active_contexts[i]["defense_submission_id"],
-                            result,
-                        )
+                continue
 
-                for i in reversed(failed_indices):
-                    active_contexts.pop(i)
-                    runs.pop(i)
-
-                if not active_contexts:
-                    logger.warning("All defenses failed; stopping evaluation.")
-                    registry.close_queue(worker_id)
-                    return
-
-            # Mark evaluation runs as done and aggregate pair scores.
-            for ctx, run_id in zip(active_contexts, runs):
-                set_evaluation_run_status(run_id, "done")
-                mark_defense_evaluated(ctx["defense_submission_id"])
-                upsert_pair_score(
-                    evaluation_run_id=run_id,
-                    defense_submission_id=ctx["defense_submission_id"],
-                    attack_submission_id=attack_id,
+            # Broadcast to all active defenses concurrently.
+            tasks = [
+                _evaluate_single_sample(
+                    ctx=ctx,
+                    sample_content=sample_content,
+                    run_id=runs[i],
+                    file_id=file_id,
+                    eval_cfg=eval_cfg,
+                    file_index=f_idx,
                 )
+                for i, ctx in enumerate(active_contexts)
+            ]
+
+            results = await asyncio.gather(*tasks, return_exceptions=True)
+
+            # Remove any defense that exhausted its restart budget.
+            failed_indices = []
+            for i, result in enumerate(results):
+                if isinstance(result, ContainerRestartError):
+                    ctx = active_contexts[i]
+                    error_msg = (
+                        "Container exceeded maximum restarts during evaluation."
+                    )
+                    logger.error(
+                        "Defense %s exceeded maximum restarts; removing from batch.",
+                        ctx["defense_submission_id"],
+                    )
+                    set_evaluation_run_status(runs[i], "failed", error=error_msg)
+                    mark_defense_failed(ctx["defense_submission_id"], error_msg)
+                    failed_indices.append(i)
+                elif isinstance(result, Exception):
+                    logger.error(
+                        "Unexpected error evaluating defense %s: %s",
+                        active_contexts[i]["defense_submission_id"],
+                        result,
+                    )
+
+            for i in reversed(failed_indices):
+                active_contexts.pop(i)
+                runs.pop(i)
+
+            if not active_contexts:
+                logger.warning("All defenses failed; stopping evaluation.")
+                registry.close_queue(worker_id)
+                return
+
+        # Mark evaluation runs as done and aggregate pair scores.
+        for ctx, run_id in zip(active_contexts, runs):
+            set_evaluation_run_status(run_id, "done")
+            mark_defense_evaluated(ctx["defense_submission_id"])
+            upsert_pair_score(
+                evaluation_run_id=run_id,
+                defense_submission_id=ctx["defense_submission_id"],
+                attack_submission_id=attack_id,
+            )
 
-            registry.publish_leaderboard_update()
-            registry.heartbeat(worker_id)
+        registry.publish_leaderboard_update()
+        registry.heartbeat(worker_id)
 
     logger.info("Async batch evaluation complete")
 
diff --git a/services/worker/worker/defense/github_handler.py b/services/worker/worker/defense/github_handler.py
index dbd84a8..8122d09 100644
--- a/services/worker/worker/defense/github_handler.py
+++ b/services/worker/worker/defense/github_handler.py
@@ -3,6 +3,7 @@
 from __future__ import annotations
 
 import concurrent.futures
+import re as _re
 import shutil
 import tempfile
 from pathlib import Path
@@ -13,6 +14,22 @@
 
 logger = get_task_logger(__name__)
 
+_GITHUB_TREE_RE = _re.compile(
+    r'^(https://github\.com/[\w-]+/[\w-]+)(?:\.git)?(?:/tree/(?!.*\.\.)([\w.\-/]+))?$'
+)
+
+
+def _parse_github_url(url: str) -> tuple[str, str | None]:
+    """Return (clone_url, branch) from a stored GitHub URL. branch is None if not present.
+
+    Handles optional .git suffix and optional /tree/<branch> segment.
+    The returned clone_url never contains a .git suffix.
+    """
+    m = _GITHUB_TREE_RE.match(url)
+    if not m:
+        raise ValueError(f"Unparseable GitHub URL: {url!r}")
+    return m.group(1), m.group(2)
+
 
 def build_from_github_repo(
     git_repo_url: str,
@@ -38,17 +55,17 @@ def build_from_github_repo(
     try:
         # Create temporary directory for cloning
         temp_dir = tempfile.mkdtemp(prefix=f"defense_{submission_id}_")
-        logger.info(f"Cloning GitHub repo {git_repo_url} to {temp_dir}")
+
+        clone_url, branch = _parse_github_url(git_repo_url)
+        logger.info(f"Cloning GitHub repo {clone_url} (branch={branch!r}) to {temp_dir}")
 
         # Shallow clone for efficiency (depth=1)
         try:
-            git.Repo.clone_from(
-                git_repo_url,
-                temp_dir,
-                depth=1,
-                single_branch=True
-            )
-            logger.info(f"Successfully cloned {git_repo_url}")
+            clone_kwargs: dict = dict(depth=1, single_branch=True)
+            if branch is not None:
+                clone_kwargs["branch"] = branch
+            git.Repo.clone_from(clone_url, temp_dir, **clone_kwargs)
+            logger.info(f"Successfully cloned {clone_url}")
         except git.GitCommandError as e:
             raise ValueError(f"Failed to clone repository: {e}") from e
 
diff --git a/services/worker/worker/defense/validation.py b/services/worker/worker/defense/validation.py
index 9ffc15e..e97fff1 100644
--- a/services/worker/worker/defense/validation.py
+++ b/services/worker/worker/defense/validation.py
@@ -8,7 +8,6 @@
 from pathlib import Path
 
 import docker
-import httpx
 import requests
 from celery.utils.log import get_task_logger
 
@@ -319,36 +318,33 @@ async def validate_heuristic(
     malware_outputs: list[int] = []
     goodware_outputs: list[int] = []
 
-    async with httpx.AsyncClient() as client:
-        for i, sample in enumerate(samples):
-            sample_path = await get_sample_path(sample["object_key"])
-            sample_content = Path(sample_path).read_bytes()
-
-            outcome = await evaluate_sample_against_container(
-                client=client,
-                container_url=container_url,
-                docker_client=docker_client,
-                container_name=container_name,
-                sample_content=sample_content,
-                eval_cfg=eval_cfg,
-                restart_count_ref=restart_count_ref,
-                ctx=heurval_ctx,
-                file_index=i,
-            )
+    for sample in samples:
+        sample_path = await get_sample_path(sample["object_key"])
+        sample_content = Path(sample_path).read_bytes()
+
+        outcome = await evaluate_sample_against_container(
+            container_url=container_url,
+            docker_client=docker_client,
+            container_name=container_name,
+            sample_content=sample_content,
+            eval_cfg=eval_cfg,
+            restart_count_ref=restart_count_ref,
+            ctx=heurval_ctx,
+        )
 
-            insert_heurval_file_result(
-                heurval_result_id=result_id,
-                sample_id=sample["id"],
-                model_output=outcome.model_output,
-                evaded_reason=outcome.evaded_reason,
-                duration_ms=outcome.duration_ms,
-            )
+        insert_heurval_file_result(
+            heurval_result_id=result_id,
+            sample_id=sample["id"],
+            model_output=outcome.model_output,
+            evaded_reason=outcome.evaded_reason,
+            duration_ms=outcome.duration_ms,
+        )
 
-            effective_output = outcome.model_output if outcome.model_output is not None else 0
-            if sample["is_malware"]:
-                malware_outputs.append(effective_output)
-            else:
-                goodware_outputs.append(effective_output)
+        effective_output = outcome.model_output if outcome.model_output is not None else 0
+        if sample["is_malware"]:
+            malware_outputs.append(effective_output)
+        else:
+            goodware_outputs.append(effective_output)
 
     malware_tpr = (
         sum(1 for o in malware_outputs if o == 1) / len(malware_outputs)
diff --git a/services/worker/worker/tasks.py b/services/worker/worker/tasks.py
index 1f0a980..563df39 100644
--- a/services/worker/worker/tasks.py
+++ b/services/worker/worker/tasks.py
@@ -377,6 +377,12 @@ async def _validate_defense_container(
                     mark_defense_failed(defense_submission_id, error_msg)
                     return False
 
+        else:
+            logger.info(
+                "Heuristic validation disabled; skipping for defense %s.",
+                defense_submission_id,
+            )
+
         mark_defense_validated(defense_submission_id)
         logger.info(f"Validation PASSED for defense {defense_submission_id}")
         return True
@@ -386,6 +392,7 @@ async def _validate_defense_container(
             "Unexpected error during validation of defense %s: %s",
             defense_submission_id,
             e,
+            exc_info=True,
         )
         try:
             mark_defense_failed(defense_submission_id, f"Unexpected validation error: {e}")
@@ -455,22 +462,36 @@ async def _body() -> None:
             f"Registered worker {worker_id} with Redis for {len(defense_submission_ids)} defenses"
         )
 
-        all_unevaluated_attacks: set[str] = set()
-        for dsid in defense_submission_ids:
-            all_unevaluated_attacks.update(get_unevaluated_attacks(dsid))
-
-        logger.info(f"Found {len(all_unevaluated_attacks)} unique unevaluated attacks for batch")
-        for attack_id in all_unevaluated_attacks:
-            registry.add_attack_to_queue(worker_id, attack_id)
-
         defense_specs: list[tuple[str, bool, str, dict]] = []
+        all_pending_attacks: set[str] = set()
+        
         for dsid in defense_submission_ids:
             needs_validation = check_if_needs_validation(dsid)
+            pending_attacks = get_unevaluated_attacks(dsid)
+            
+            if not needs_validation and not pending_attacks:
+                logger.info(f"Skipping container setup for defense {dsid}: already validated and no pending evaluations.")
+                continue
+                
             if needs_validation:
                 mark_defense_validating(dsid)
+            
             source_type, source_data = get_defense_submission_source(dsid)
             defense_specs.append((dsid, needs_validation, source_type, source_data))
+            
+            for attack_id in pending_attacks:
+                if attack_id not in all_pending_attacks:
+                    registry.add_attack_to_queue(worker_id, attack_id)
+                    all_pending_attacks.add(attack_id)
+
+        if not defense_specs:
+            logger.info(f"No defenses in batch job {job_id} require container setup. Finishing job.")
+            set_job_status(job_id=job_id, status="done")
+            return
 
+        logger.info(
+            f"Found {len(all_pending_attacks)} unique unevaluated attacks for {len(defense_specs)} active defense containers"
+        )
         logger.info(f"Setting up {len(defense_specs)} defense containers concurrently")
         setup_results = await asyncio.gather(*[
             _setup_defense_container(
@@ -609,6 +630,12 @@ def seed_attack_template(self, *, template_id: str, job_id: str | None = None) -
     if job_id:
         set_job_status(job_id=job_id, status="running")
 
+    if config.worker.attack.skip_seeding:
+        logger.info("skip_seeding=true; skipping template seeding for template %s.", template_id)
+        if job_id:
+            set_job_status(job_id=job_id, status="done")
+        return
+
     try:
         template_files = get_template_files(template_id)
         if not template_files:
@@ -668,6 +695,7 @@ def run_attack_job(self, *, job_id: str, attack_submission_id: str) -> None:
         get_template_reports,
         get_all_validated_defenses,
         is_evaluation_in_progress,
+        get_submission_status,
     )
     from worker.minio_client import get_minio_client, get_bucket_name
     from worker.attack.validation import (
@@ -683,212 +711,224 @@ def run_attack_job(self, *, job_id: str, attack_submission_id: str) -> None:
 
     try:
         set_job_status(job_id=job_id, status="running")
-        mark_attack_validating(attack_submission_id)
-        logger.info(
-            f"Starting attack job {job_id} for submission {attack_submission_id}")
-
-        # Attack validation logic
-        logger.info("Starting attack ZIP validation")
 
-        # Get attack source information
-        attack_source = get_attack_submission_source(attack_submission_id)
-        zip_object_key = attack_source["zip_object_key"]
-        logger.info(f"Attack ZIP object key: {zip_object_key}")
-
-        # Initialize MinIO client
-        minio_client = get_minio_client()
-        bucket_name = get_bucket_name()
-
-        # Download ZIP to temporary file
-        # TODO: Store as individual files instead of zips, maybe?
-        temp_zip = tempfile.NamedTemporaryFile(
-            suffix='.zip',
-            prefix=f'attack_{attack_submission_id}_',
-            delete=False
-        )
-        temp_zip.close()
-
-        temp_extract_dir = None
-
-        try:
-            logger.info(f"Downloading {zip_object_key} from MinIO")
-            minio_client.fget_object(
-                bucket_name, zip_object_key, temp_zip.name)
-            logger.info(f"Downloaded to {temp_zip.name}")
-
-            # Functional validation (ZIP structure, password, safety)
-            attack_cfg = config.worker.attack
-            active_template = get_active_template()
-
-            # Defer job if behavioral seeding is still in progress
-            if (
-                active_template is not None
-                and attack_cfg.check_similarity
-                and not is_template_fully_seeded(active_template["id"])
-            ):
-                logger.info(
-                    "Template seeding in progress, deferring attack job %s", job_id
-                )
-                raise self.retry(countdown=60)
-
-            if active_template is None:
-                if attack_cfg.check_similarity:
-                    error_msg = "No attack template is configured."
-                    logger.warning(
-                        "Attack %s rejected: %s", attack_submission_id, error_msg
-                    )
-                    mark_attack_failed(attack_submission_id, error_msg)
-                    set_job_status(job_id=job_id, status="failed", error=error_msg)
-                    return
-                expected_files: set[str] = set()
-            else:
-                template_file_rows = get_template_files(active_template["id"])
-                expected_files = {f["filename"] for f in template_file_rows}
+        # Check if validation or evaluation is already complete
+        status = get_submission_status(attack_submission_id)
+        if status == "evaluated":
+            logger.info(f"Attack {attack_submission_id} is already evaluated, skipping job.")
+            set_job_status(job_id=job_id, status="done")
+            return
 
-            try:
-                validate_attack_functional(
-                    temp_zip.name,
-                    expected_files,
-                    attack_cfg.max_zip_size_mb,
-                )
-            except AttackValidationError as e:
-                error_msg = str(e)
-                logger.warning(
-                    "Attack %s failed functional validation: %s",
-                    attack_submission_id,
-                    error_msg,
-                )
-                mark_attack_failed(attack_submission_id, error_msg)
-                set_job_status(job_id=job_id, status="failed", error=error_msg)
-                return
+        logger.info(
+            f"Starting attack job {job_id} for submission {attack_submission_id}")
 
-            # Extract ZIP with password "infected"
-            temp_extract_dir = tempfile.mkdtemp(
-                prefix=f"attack_{attack_submission_id}_extract_"
+        if status == "validated":
+            logger.info(f"Attack {attack_submission_id} is already validated, skipping validation logic.")
+        else:
+            # Attack validation logic
+            mark_attack_validating(attack_submission_id)
+            logger.info("Starting attack ZIP validation")
+
+            # Get attack source information
+            attack_source = get_attack_submission_source(attack_submission_id)
+            zip_object_key = attack_source["zip_object_key"]
+            logger.info(f"Attack ZIP object key: {zip_object_key}")
+
+            # Initialize MinIO client
+            minio_client = get_minio_client()
+            bucket_name = get_bucket_name()
+
+            # Download ZIP to temporary file
+            # TODO: Store as individual files instead of zips, maybe?
+            temp_zip = tempfile.NamedTemporaryFile(
+                suffix='.zip',
+                prefix=f'attack_{attack_submission_id}_',
+                delete=False
             )
-            logger.info(f"Extracting ZIP to {temp_extract_dir}")
+            temp_zip.close()
+
+            temp_extract_dir = None
 
             try:
-                import pyzipper
-                with pyzipper.AESZipFile(temp_zip.name, 'r') as zf:
-                    zf.setpassword(b'infected')
-                    zf.extractall(temp_extract_dir)
-                logger.info("Successfully extracted attack ZIP")
-            except RuntimeError as e:
-                if "password" in str(e).lower():
-                    raise ValueError(
-                        "Wrong password for attack ZIP (expected 'infected')")
-                raise ValueError(f"Failed to extract ZIP: {e}")
-
-            # Scan extracted files and populate attack_files table
-            extract_path = Path(temp_extract_dir)
-            extracted_files = []
-            submission_files: list[tuple[str, str]] = []
-
-            for file_path in extract_path.rglob('*'):
-                if file_path.is_file():
-                    # Calculate SHA256
-                    sha256_hash = hashlib.sha256()
-                    with open(file_path, 'rb') as f:
-                        for chunk in iter(lambda: f.read(8192), b''):
-                            sha256_hash.update(chunk)
-
-                    # Get relative path
-                    rel_path = file_path.relative_to(extract_path)
-
-                    # Inner filename (strips top-level wrapping folder)
-                    inner_name = _inner_filename(file_path, extract_path)
-                    submission_files.append((inner_name, str(file_path)))
-
-                    file_object_key = f"attack/{attack_submission_id}/{rel_path}"
-                    minio_client.fput_object(bucket_name, file_object_key, str(file_path))
-
-                    extracted_files.append({
-                        "filename": str(rel_path),
-                        "sha256": sha256_hash.hexdigest(),
-                        "byte_size": file_path.stat().st_size,
-                        "object_key": file_object_key,
-                        "is_malware": True  # Default assumption for attack samples
-                    })
-
-            logger.info(f"Found {len(extracted_files)} files in attack ZIP")
-
-            # Insert files into database
-            if extracted_files:
-                inserted_count = insert_attack_files(
-                    attack_submission_id, extracted_files)
-                logger.info(
-                    f"Inserted {inserted_count} attack files into database")
+                logger.info(f"Downloading {zip_object_key} from MinIO")
+                minio_client.fget_object(
+                    bucket_name, zip_object_key, temp_zip.name)
+                logger.info(f"Downloaded to {temp_zip.name}")
+
+                # Functional validation (ZIP structure, password, safety)
+                attack_cfg = config.worker.attack
+                active_template = get_active_template()
+
+                # Defer job if behavioral seeding is still in progress
+                if (
+                    active_template is not None
+                    and attack_cfg.check_similarity
+                    and not attack_cfg.skip_seeding
+                    and not is_template_fully_seeded(active_template["id"])
+                ):
+                    logger.info(
+                        "Template seeding in progress, deferring attack job %s", job_id
+                    )
+                    raise self.retry(countdown=60)
 
-            # Heuristic validation (behavioral similarity against template)
-            if attack_cfg.check_similarity:
                 if active_template is None:
-                    template_reports = {}
+                    if attack_cfg.check_similarity:
+                        error_msg = "No attack template is configured."
+                        logger.warning(
+                            "Attack %s rejected: %s", attack_submission_id, error_msg
+                        )
+                        mark_attack_failed(attack_submission_id, error_msg)
+                        set_job_status(job_id=job_id, status="failed", error=error_msg)
+                        return
+                    expected_files: set[str] = set()
                 else:
-                    template_reports = get_template_reports_for_template(
-                        active_template["id"]
+                    template_file_rows = get_template_files(active_template["id"])
+                    expected_files = {f["filename"] for f in template_file_rows}
+
+                try:
+                    validate_attack_functional(
+                        temp_zip.name,
+                        expected_files,
+                        attack_cfg.max_zip_size_mb,
                     )
-                if not template_reports:
+                except AttackValidationError as e:
+                    error_msg = str(e)
                     logger.warning(
-                        "No template reports available, skipping heuristic "
-                        "validation for attack %s.",
+                        "Attack %s failed functional validation: %s",
                         attack_submission_id,
+                        error_msg,
                     )
-                else:
-                    sandbox = get_sandbox_backend(attack_cfg)
-                    try:
-                        avg_similarity = validate_heuristic(
-                            submission_files, sandbox, template_reports
-                        )
-                    except SandboxUnavailableError as e:
-                        error_msg = str(e)
-                        logger.error(
-                            "Sandbox unavailable during heuristic validation "
-                            "for attack %s: %s",
-                            attack_submission_id,
-                            error_msg,
-                        )
-                        mark_attack_failed(attack_submission_id, error_msg)
-                        raise
-
-                    if (
-                        attack_cfg.reject_dissimilar_attacks
-                        and avg_similarity < attack_cfg.minimum_attack_similarity
-                    ):
-                        error_msg = (
-                            f"Behavioral similarity {avg_similarity:.1f}% is below "
-                            f"the minimum threshold of "
-                            f"{attack_cfg.minimum_attack_similarity}%."
+                    mark_attack_failed(attack_submission_id, error_msg)
+                    set_job_status(job_id=job_id, status="failed", error=error_msg)
+                    return
+
+                # Extract ZIP with password "infected"
+                temp_extract_dir = tempfile.mkdtemp(
+                    prefix=f"attack_{attack_submission_id}_extract_"
+                )
+                logger.info(f"Extracting ZIP to {temp_extract_dir}")
+
+                try:
+                    import pyzipper
+                    with pyzipper.AESZipFile(temp_zip.name, 'r') as zf:
+                        zf.setpassword(b'infected')
+                        zf.extractall(temp_extract_dir)
+                    logger.info("Successfully extracted attack ZIP")
+                except RuntimeError as e:
+                    if "password" in str(e).lower():
+                        raise ValueError(
+                            "Wrong password for attack ZIP (expected 'infected')")
+                    raise ValueError(f"Failed to extract ZIP: {e}")
+
+                # Scan extracted files and populate attack_files table
+                extract_path = Path(temp_extract_dir)
+                submission_files: list[tuple[str, str]] = []
+                extracted_files = []
+
+                for file_path in extract_path.rglob('*'):
+                    if file_path.is_file():
+                        # Calculate SHA256
+                        sha256_hash = hashlib.sha256()
+                        with open(file_path, 'rb') as f:
+                            for chunk in iter(lambda: f.read(8192), b''):
+                                sha256_hash.update(chunk)
+
+                        # Get relative path
+                        rel_path = file_path.relative_to(extract_path)
+
+                        # Inner filename (strips top-level wrapping folder)
+                        inner_name = _inner_filename(file_path, extract_path)
+                        submission_files.append((inner_name, str(file_path)))
+
+                        file_object_key = f"attack/{attack_submission_id}/{rel_path}"
+                        minio_client.fput_object(bucket_name, file_object_key, str(file_path))
+
+                        extracted_files.append({
+                            "filename": str(rel_path),
+                            "sha256": sha256_hash.hexdigest(),
+                            "byte_size": file_path.stat().st_size,
+                            "object_key": file_object_key,
+                            "is_malware": True  # Default assumption for attack samples
+                        })
+
+                logger.info(f"Found {len(extracted_files)} files in attack ZIP")
+
+                # Insert files into database
+                if extracted_files:
+                    inserted_count = insert_attack_files(
+                        attack_submission_id, extracted_files)
+                    logger.info(
+                        f"Inserted {inserted_count} attack files into database")
+
+                # Heuristic validation (behavioral similarity against template)
+                if attack_cfg.check_similarity and not attack_cfg.skip_seeding:
+                    if active_template is None:
+                        template_reports = {}
+                    else:
+                        template_reports = get_template_reports_for_template(
+                            active_template["id"]
                         )
+                    if not template_reports:
                         logger.warning(
-                            "Attack %s rejected: %s",
+                            "No template reports available, skipping heuristic "
+                            "validation for attack %s.",
                             attack_submission_id,
-                            error_msg,
-                        )
-                        mark_attack_failed(attack_submission_id, error_msg)
-                        set_job_status(
-                            job_id=job_id, status="failed", error=error_msg
                         )
-                        return
-                    elif not attack_cfg.reject_dissimilar_attacks:
-                        logger.info(
-                            "Attack %s heuristic similarity=%.1f%% "
-                            "(reject_dissimilar_attacks=False, accepting).",
-                            attack_submission_id,
-                            avg_similarity,
-                        )
-
-            # Mark attack as validated
-            mark_attack_validated(attack_submission_id)
-            logger.info(f"Attack {attack_submission_id} marked as validated")
-
-        finally:
-            # Cleanup temporary files
-            if os.path.exists(temp_zip.name):
-                os.unlink(temp_zip.name)
-            if temp_extract_dir and os.path.exists(temp_extract_dir):
-                import shutil
-                shutil.rmtree(temp_extract_dir)
+                    else:
+                        sandbox = get_sandbox_backend(attack_cfg)
+                        try:
+                            avg_similarity = validate_heuristic(
+                                submission_files, sandbox, template_reports
+                            )
+                        except SandboxUnavailableError as e:
+                            error_msg = str(e)
+                            logger.error(
+                                "Sandbox unavailable during heuristic validation "
+                                "for attack %s: %s",
+                                attack_submission_id,
+                                error_msg,
+                            )
+                            mark_attack_failed(attack_submission_id, error_msg)
+                            raise
+
+                        if (
+                            attack_cfg.reject_dissimilar_attacks
+                            and avg_similarity < attack_cfg.minimum_attack_similarity
+                        ):
+                            error_msg = (
+                                f"Behavioral similarity {avg_similarity:.1f}% is below "
+                                f"the minimum threshold of "
+                                f"{attack_cfg.minimum_attack_similarity}%."
+                            )
+                            logger.warning(
+                                "Attack %s rejected: %s",
+                                attack_submission_id,
+                                error_msg,
+                            )
+                            mark_attack_failed(attack_submission_id, error_msg)
+                            set_job_status(
+                                job_id=job_id, status="failed", error=error_msg
+                            )
+                            return
+                        elif not attack_cfg.reject_dissimilar_attacks:
+                            logger.info(
+                                "Attack %s heuristic similarity=%.1f%% "
+                                "(reject_dissimilar_attacks=False, accepting).",
+                                attack_submission_id,
+                                avg_similarity,
+                            )
+
+                # Mark attack as validated
+                mark_attack_validated(attack_submission_id)
+                logger.info(f"Attack {attack_submission_id} marked as validated")
+
+            finally:
+                # Cleanup temporary files
+                if os.path.exists(temp_zip.name):
+                    os.unlink(temp_zip.name)
+                if temp_extract_dir and os.path.exists(temp_extract_dir):
+                    import shutil
+                    shutil.rmtree(temp_extract_dir)
 
         # Initialize Redis client
         # Use a temporary worker ID for API-side operations