diff --git a/.gitignore b/.gitignore
index 9df3a22..9ebd609 100644
--- a/.gitignore
+++ b/.gitignore
@@ -28,4 +28,11 @@ npm-debug.log*
 yarn-debug.log*
 yarn-error.log*
 .pytest_cache/
-__pycache__/
\ No newline at end of file
+__pycache__/
+
+# Secrets
+secrets/
+
+.idea/
+
+k8s/secrets.yaml
\ No newline at end of file
diff --git a/apps/agent-backend/.dockerignore b/apps/agent-backend/.dockerignore
new file mode 100644
index 0000000..cc25703
--- /dev/null
+++ b/apps/agent-backend/.dockerignore
@@ -0,0 +1,17 @@
+__pycache__
+*.py[cod]
+*.egg-info
+.venv
+venv
+.env
+.env.*
+.git
+.gitignore
+.dockerignore
+Dockerfile
+docker-compose.yml
+requirements.txt
+.ruff_cache
+.mypy_cache
+tests
+chroma_db
diff --git a/apps/agent-backend/.env.example b/apps/agent-backend/.env.example
new file mode 100644
index 0000000..a0c63ce
--- /dev/null
+++ b/apps/agent-backend/.env.example
@@ -0,0 +1,21 @@
+# Copy to `.env` and fill in your values:
+
+# Local dev:  poetry run uvicorn server.serve:app --host 0.0.0.0 --port 8002
+# Docker:     docker compose up agent-service
+
+# Required — Groq LLM
+GROQ_API_KEY=gsk_your_groq_key_here
+MODEL_NAME=llama3.1
+LLM_LOCAL=False
+
+# Auth — session cookie validation
+CORE_BACKEND_URL=http://localhost:8000
+
+# Optional — Tavily web search
+TAVILY_API_KEY=
+
+ENVIRONMENT=dev
+PORT=8002
+LOGGING_LEVEL=INFO
+
+ALLOWED_ORIGINS=http://localhost:5173,http://127.0.0.1:5173
diff --git a/apps/agent-backend/Dockerfile b/apps/agent-backend/Dockerfile
new file mode 100644
index 0000000..688a207
--- /dev/null
+++ b/apps/agent-backend/Dockerfile
@@ -0,0 +1,23 @@
+FROM python:3.12-slim
+
+WORKDIR /app
+
+ENV POETRY_VERSION=2.2.1 \
+    POETRY_VIRTUALENVS_CREATE=false \
+    POETRY_NO_INTERACTION=1 \
+    PYTHONDONTWRITEBYTECODE=1 \
+    PYTHONUNBUFFERED=1 \
+    PYTHONPATH=/app
+
+RUN pip install --no-cache-dir poetry==${POETRY_VERSION}
+
+COPY pyproject.toml poetry.lock README.md ./
+RUN poetry install --no-root
+
+COPY galacticview_bot ./galacticview_bot
+COPY server ./server
+RUN poetry install
+
+EXPOSE 8002
+
+CMD ["uvicorn", "server.serve:app", "--host", "0.0.0.0", "--port", "8002", "--proxy-headers", "--forwarded-allow-ips", "*"]
diff --git a/apps/agent-backend/galacticview_bot/nodes/reasoner.py b/apps/agent-backend/galacticview_bot/nodes/reasoner.py
index 9f72ff6..f263fdd 100644
--- a/apps/agent-backend/galacticview_bot/nodes/reasoner.py
+++ b/apps/agent-backend/galacticview_bot/nodes/reasoner.py
@@ -1,4 +1,7 @@
+from groq import BadRequestError
+from langchain_core.messages import BaseMessage
 from loguru import logger
+
 from galacticview_bot.core.state import AgentState
 from galacticview_bot.nodes.model import llm
 from galacticview_bot.tools.search import tavily_search_tool
@@ -6,6 +9,38 @@
 tools = [tool for tool in [tavily_search_tool] if tool is not None]
 llm_with_tools = llm.bind_tools(tools, tool_choice="auto") if tools else llm
 
+MAX_TOOL_RETRIES = 3
+TOOL_TEMPERATURE = 0.3
+
+
+def _is_tool_use_failed(error: BadRequestError) -> bool:
+    body = str(error)
+    return "tool_use_failed" in body
+
+
+def _invoke_with_tool_retry(messages: list[BaseMessage]) -> BaseMessage:
+    """Invoke the tool-enabled LLM, retrying with lower temperature on Groq tool_use_failed."""
+    temperature = TOOL_TEMPERATURE
+
+    for attempt in range(MAX_TOOL_RETRIES):
+        try:
+            bound_llm = llm_with_tools.bind(temperature=temperature)
+            return bound_llm.invoke(messages)
+        except BadRequestError as error:
+            if not _is_tool_use_failed(error) or attempt == MAX_TOOL_RETRIES - 1:
+                raise
+
+            temperature = max(temperature - 0.1, 0.0)
+            logger.warning(
+                "Groq tool call failed (attempt {}/{}), retrying with temperature {}",
+                attempt + 1,
+                MAX_TOOL_RETRIES,
+                temperature,
+            )
+
+    raise RuntimeError("Tool invocation failed after retries")
+
+
 def reasoner(state: AgentState) -> dict:
     """
     The brain. Decides whether to search or answer.
@@ -13,5 +48,19 @@ def reasoner(state: AgentState) -> dict:
     logger.info("Entering Reasoner Node")
     messages = state["messages"]
 
-    response = llm_with_tools.invoke(messages)
+    if tools:
+        try:
+            response = _invoke_with_tool_retry(messages)
+        except BadRequestError as error:
+            if _is_tool_use_failed(error):
+                logger.warning(
+                    "Tool calling failed after retries, answering without search: {}",
+                    error,
+                )
+                response = llm.invoke(messages)
+            else:
+                raise
+    else:
+        response = llm_with_tools.invoke(messages)
+
     return {"messages": [response]}
diff --git a/apps/agent-backend/galacticview_bot/nodes/tool_node.py b/apps/agent-backend/galacticview_bot/nodes/tool_node.py
index 4de7767..32122ec 100644
--- a/apps/agent-backend/galacticview_bot/nodes/tool_node.py
+++ b/apps/agent-backend/galacticview_bot/nodes/tool_node.py
@@ -4,7 +4,7 @@
 from galacticview_bot.core.state import AgentState
 from galacticview_bot.tools.search import tavily_search_tool
 
-tools = [tavily_search_tool]
+tools = [tool for tool in [tavily_search_tool] if tool is not None]
 
 def custom_tool_node(state: AgentState) -> dict:
     """
diff --git a/apps/agent-backend/galacticview_bot/tools/search.py b/apps/agent-backend/galacticview_bot/tools/search.py
index 142ef27..735b50b 100644
--- a/apps/agent-backend/galacticview_bot/tools/search.py
+++ b/apps/agent-backend/galacticview_bot/tools/search.py
@@ -10,6 +10,8 @@
 class TavilyInput(BaseModel):
     query: str = Field(description="The search query to find information on the internet.")
 
+tavily_search_tool = None
+
 if os.getenv("TAVILY_API_KEY"):
     logger.info("TAVILY_API_KEY found. Initializing Tavily search tool.")
     tavily_search_tool = TavilySearch(
diff --git a/apps/agent-backend/poetry.lock b/apps/agent-backend/poetry.lock
index 671fe13..12fab2a 100644
--- a/apps/agent-backend/poetry.lock
+++ b/apps/agent-backend/poetry.lock
@@ -435,6 +435,11 @@ python-versions = ">=3.8"
 groups = ["main"]
 markers = "platform_python_implementation != \"CPython\""
 files = [
+    {file = "brotlicffi-1.2.0.0-cp314-cp314t-macosx_11_0_arm64.whl", hash = "sha256:b13fb476a96f02e477a506423cb5e7bc21e0e3ac4c060c20ba31c44056e38c68"},
+    {file = "brotlicffi-1.2.0.0-cp314-cp314t-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:17db36fb581f7b951635cd6849553a95c6f2f53c1a707817d06eae5aeff5f6af"},
+    {file = "brotlicffi-1.2.0.0-cp314-cp314t-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:40190192790489a7b054312163d0ce82b07d1b6e706251036898ce1684ef12e9"},
+    {file = "brotlicffi-1.2.0.0-cp314-cp314t-win32.whl", hash = "sha256:a8079e8ecc32ecef728036a1d9b7105991ce6a5385cf51ee8c02297c90fb08c2"},
+    {file = "brotlicffi-1.2.0.0-cp314-cp314t-win_amd64.whl", hash = "sha256:ca90c4266704ca0a94de8f101b4ec029624273380574e4cf19301acfa46c61a0"},
     {file = "brotlicffi-1.2.0.0-cp38-abi3-macosx_11_0_arm64.whl", hash = "sha256:9458d08a7ccde8e3c0afedbf2c70a8263227a68dea5ab13590593f4c0a4fd5f4"},
     {file = "brotlicffi-1.2.0.0-cp38-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:84e3d0020cf1bd8b8131f4a07819edee9f283721566fe044a20ec792ca8fd8b7"},
     {file = "brotlicffi-1.2.0.0-cp38-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:33cfb408d0cff64cd50bef268c0fed397c46fbb53944aa37264148614a62e990"},
@@ -6704,4 +6709,4 @@ dev = ["mypy", "pytest", "ruff", "types-requests", "types-urllib3"]
 [metadata]
 lock-version = "2.1"
 python-versions = ">=3.12,<3.14"
-content-hash = "9314843362ffd92157a7a805e90c6969885e6e7a83e1d69d1678f3ea9530e0e0"
+content-hash = "cb2a46322fb42fd1c0d86d28d465601a27ac979f52bd3c957825c8744aed0a64"
diff --git a/apps/agent-backend/pyproject.toml b/apps/agent-backend/pyproject.toml
index cfdd9c9..e99a9e8 100644
--- a/apps/agent-backend/pyproject.toml
+++ b/apps/agent-backend/pyproject.toml
@@ -20,6 +20,7 @@ dependencies = [
     "loguru (>=0.7.3,<0.8.0)",
     "fastapi[standard] (>=0.123.0,<0.124.0)",
     "slowapi (>=0.1.9,<0.2.0)",
+    "httpx (>=0.28.1,<0.29.0)",
     "langchain-community (>=0.4.1,<0.5.0)",
     "langchain-openai (>=1.2.1,<2.0.0)",
 ]
diff --git a/apps/agent-backend/server/cors.py b/apps/agent-backend/server/cors.py
new file mode 100644
index 0000000..149f939
--- /dev/null
+++ b/apps/agent-backend/server/cors.py
@@ -0,0 +1,33 @@
+import os
+
+from fastapi import FastAPI
+from fastapi.middleware.cors import CORSMiddleware
+
+_DEV_ORIGIN_REGEX = r"^https?://(localhost|127\.0\.0\.1)(:\d+)?$"
+_DEFAULT_ORIGINS = "http://localhost:5173,http://127.0.0.1:5173"
+
+
+def add_cors_middleware(app: FastAPI) -> None:
+    """Apply CORS. In dev, allow any localhost port; in prod, use ALLOWED_ORIGINS."""
+    if os.getenv("ENVIRONMENT", "prod") == "dev":
+        app.add_middleware(
+            CORSMiddleware,
+            allow_origin_regex=_DEV_ORIGIN_REGEX,
+            allow_credentials=True,
+            allow_methods=["*"],
+            allow_headers=["*"],
+        )
+        return
+
+    allowed_origins = [
+        origin.strip()
+        for origin in os.getenv("ALLOWED_ORIGINS", _DEFAULT_ORIGINS).split(",")
+        if origin.strip()
+    ]
+    app.add_middleware(
+        CORSMiddleware,
+        allow_origins=allowed_origins,
+        allow_credentials=True,
+        allow_methods=["*"],
+        allow_headers=["*"],
+    )
diff --git a/apps/agent-backend/server/dependencies.py b/apps/agent-backend/server/dependencies.py
new file mode 100644
index 0000000..bed6175
--- /dev/null
+++ b/apps/agent-backend/server/dependencies.py
@@ -0,0 +1,44 @@
+import os
+
+import httpx
+from dotenv import load_dotenv
+from fastapi import HTTPException, Request
+
+load_dotenv()
+
+CORE_BACKEND_URL = os.getenv("CORE_BACKEND_URL", "http://localhost:8000")
+AUTH_REQUEST_TIMEOUT = 5.0
+
+
+async def _verify_session(session_cookie: str) -> dict:
+    """
+    Forwards the session cookie to the core-backend and returns the user dict.
+    Raises HTTPException on any auth failure.
+    """
+    async with httpx.AsyncClient(timeout=AUTH_REQUEST_TIMEOUT) as client:
+        try:
+            response = await client.get(
+                f"{CORE_BACKEND_URL}/auth/me",
+                cookies={"session": session_cookie},
+            )
+        except httpx.RequestError as exc:
+            raise HTTPException(status_code=502, detail="Auth service unavailable") from exc
+
+    if response.status_code == 401:
+        raise HTTPException(status_code=401, detail="Invalid or expired session")
+
+    if response.status_code != 200:
+        raise HTTPException(status_code=502, detail="Auth service returned an error")
+
+    return response.json().get("user", {})
+
+
+async def require_auth(request: Request) -> None:
+    """
+    Lightweight auth guard — verifies the session cookie is present and valid.
+    """
+    session_cookie = request.cookies.get("session")
+    if not session_cookie:
+        raise HTTPException(status_code=401, detail="Not authenticated")
+
+    await _verify_session(session_cookie)
diff --git a/apps/agent-backend/server/dto/chat_type_out.py b/apps/agent-backend/server/dto/chat_type_out.py
index 4adf070..dc535c8 100644
--- a/apps/agent-backend/server/dto/chat_type_out.py
+++ b/apps/agent-backend/server/dto/chat_type_out.py
@@ -1,7 +1,11 @@
-from pydantic import BaseModel
+from pydantic import BaseModel, ConfigDict, Field
+
 
 class ChatTypeOut(BaseModel):
     """Data transfer object for chat type output."""
+
+    model_config = ConfigDict(populate_by_name=True)
+
     title: str
     content: str
-    key_metrics: list[str]
+    key_metrics: list[str] = Field(serialization_alias="keyMetrics")
diff --git a/apps/agent-backend/server/serve.py b/apps/agent-backend/server/serve.py
index 3711508..2d9bdc9 100644
--- a/apps/agent-backend/server/serve.py
+++ b/apps/agent-backend/server/serve.py
@@ -1,16 +1,15 @@
-from fastapi import FastAPI, Request
-from fastapi.middleware.cors import CORSMiddleware
-from slowapi import Limiter, _rate_limit_exceeded_handler
-from slowapi.errors import RateLimitExceeded
-import uvicorn
-
 import os
 
-from .service import chat_ask_question
+import uvicorn
+from fastapi import APIRouter, Depends, FastAPI, Request
+from loguru import logger
+from slowapi import Limiter, _rate_limit_exceeded_handler
+from slowapi.errors import RateLimitExceeded
 
+from .dependencies import require_auth  # loads .env via load_dotenv()
+from .cors import add_cors_middleware
 from .dto import ChatTypeIn, ChatTypeOut
-
-from loguru import logger
+from .service import chat_ask_question
 
 def get_real_ip(request: Request) -> str:
     """
@@ -31,27 +30,31 @@ def get_real_ip(request: Request) -> str:
 app.state.limiter = limiter
 app.add_exception_handler(RateLimitExceeded, _rate_limit_exceeded_handler) # type: ignore
 
-app.add_middleware(
-    CORSMiddleware,
-    allow_origins=["*"],
-    allow_credentials=True,
-    allow_methods=["*"],
-    allow_headers=["*"],
-)
+add_cors_middleware(app)
 
 
-@app.post("/chat")
+agent_router = APIRouter(prefix="/agent", tags=["agent"])
+
+
+@agent_router.post("/chat")
 @limiter.limit("7/minute")
-def chat_endpoint(request: Request, body: ChatTypeIn) -> ChatTypeOut:
+def chat_endpoint(
+    request: Request,
+    body: ChatTypeIn,
+    _: None = Depends(require_auth),
+) -> ChatTypeOut:
     """
     Process chat questions using the agent and return structured responses.
     Rate limited to 7 requests per minute per IP.
     """
-    logger.info("Received request to /chat endpoint")
+    logger.info("Received request to /agent/chat endpoint")
     response_data: ChatTypeOut = chat_ask_question(body)
     logger.info("Sending response back to client")
     return response_data
 
+
+app.include_router(agent_router)
+
 def main() -> None:
     """
     Main function to run the FastAPI app using Uvicorn.
@@ -59,12 +62,11 @@ def main() -> None:
     env = os.getenv("ENVIRONMENT", "prod")
 
     reload = env == "dev"
-    host = "127.0.0.1"
-    if env == "prod":
-        host = "0.0.0.0"
+    host = "0.0.0.0"
 
-    logger.info(f"Starting server on {host}:8000 with reload={reload}")
-    uvicorn.run("server.serve:app", host=host, port=8000, reload=reload)
+    port = int(os.getenv("PORT", "8002"))
+    logger.info(f"Starting agent server on {host}:{port} (reload={reload}, ENVIRONMENT={env})")
+    uvicorn.run("server.serve:app", host=host, port=port, reload=reload)
 
 if __name__ == "__main__":
     main()
\ No newline at end of file
diff --git a/apps/agent-backend/server/service.py b/apps/agent-backend/server/service.py
index 63e170a..918e045 100644
--- a/apps/agent-backend/server/service.py
+++ b/apps/agent-backend/server/service.py
@@ -6,6 +6,8 @@
 from langchain_core.messages import HumanMessage
 
 import json
+import uuid
+
 
 def chat_ask_question(chat_input: ChatTypeIn) -> ChatTypeOut:
     """
@@ -20,8 +22,7 @@ def chat_ask_question(chat_input: ChatTypeIn) -> ChatTypeOut:
     }
 
     try:
-        # Hardcoded to a single thread ID to maintain context across all requests for initial testing.
-        thread_id = "initial-single-context-thread"
+        thread_id = str(uuid.uuid4())
 
         config = {
             "configurable": {"thread_id": thread_id},
diff --git a/apps/blogpost-backend/.dockerignore b/apps/blogpost-backend/.dockerignore
new file mode 100644
index 0000000..37dce10
--- /dev/null
+++ b/apps/blogpost-backend/.dockerignore
@@ -0,0 +1,16 @@
+__pycache__
+*.py[cod]
+*.egg-info
+.venv
+venv
+.env
+.env.*
+.git
+.gitignore
+.dockerignore
+Dockerfile
+docker-compose.yml
+requirements.txt
+.ruff_cache
+.mypy_cache
+tests
diff --git a/apps/blogpost-backend/.env.example b/apps/blogpost-backend/.env.example
new file mode 100644
index 0000000..0005d53
--- /dev/null
+++ b/apps/blogpost-backend/.env.example
@@ -0,0 +1,21 @@
+# Local dev:  poetry run uvicorn app.main:app --host 0.0.0.0 --port 8001
+#             Requires LocalStack on localhost:4566
+# Docker:     docker compose up blog-service
+#             Run once: docker compose exec blog-service python -m app.scripts.init_db
+
+ENVIRONMENT=dev
+PORT=8001
+
+CORE_BACKEND_URL=http://localhost:8000
+
+# LocalStack (local dev — use localhost; Docker overrides S3_ENDPOINT)
+DYNAMODB_ENDPOINT=http://localhost:4566
+S3_ENDPOINT=http://localhost:4566
+S3_PUBLIC_ENDPOINT=http://localhost:4566
+
+AWS_REGION=eu-central-1
+AWS_ACCESS_KEY_ID=test
+AWS_SECRET_ACCESS_KEY=test
+S3_BUCKET_NAME=galactic-blog-images
+
+ALLOWED_ORIGINS=http://localhost:5173,http://127.0.0.1:5173
diff --git a/apps/blogpost-backend/Dockerfile b/apps/blogpost-backend/Dockerfile
new file mode 100644
index 0000000..ffd2958
--- /dev/null
+++ b/apps/blogpost-backend/Dockerfile
@@ -0,0 +1,21 @@
+FROM python:3.12-slim
+
+WORKDIR /app
+
+ENV POETRY_VERSION=2.2.1 \
+    POETRY_VIRTUALENVS_CREATE=false \
+    POETRY_NO_INTERACTION=1 \
+    PYTHONDONTWRITEBYTECODE=1 \
+    PYTHONUNBUFFERED=1
+
+RUN pip install --no-cache-dir poetry==${POETRY_VERSION}
+
+COPY pyproject.toml poetry.lock README.md ./
+RUN poetry install --no-root
+
+COPY app ./app
+RUN poetry install
+
+EXPOSE 8001
+
+CMD ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8001", "--proxy-headers", "--forwarded-allow-ips", "*"]
diff --git a/apps/blogpost-backend/app/api/dependencies.py b/apps/blogpost-backend/app/api/dependencies.py
index eb66c1f..5fcaaac 100644
--- a/apps/blogpost-backend/app/api/dependencies.py
+++ b/apps/blogpost-backend/app/api/dependencies.py
@@ -3,7 +3,7 @@
 import httpx
 from fastapi import Request, HTTPException
 
-CORE_BACKEND_URL = os.getenv("CORE_BACKEND_URL", "http://localhost:8001")
+CORE_BACKEND_URL = os.getenv("CORE_BACKEND_URL", "http://localhost:8000")
 
 
 async def _verify_session(session_cookie: str) -> dict:
diff --git a/apps/blogpost-backend/app/core/aws.py b/apps/blogpost-backend/app/core/aws.py
index 2d3ebbe..01da0e1 100644
--- a/apps/blogpost-backend/app/core/aws.py
+++ b/apps/blogpost-backend/app/core/aws.py
@@ -17,11 +17,9 @@
 dynamodb = boto3.resource('dynamodb', **dynamodb_args)
 
 # Configure the S3 client (for future image uploads)
-s3_args = {
-    "region_name": AWS_REGION,
-    "config": Config(s3={'addressing_style': 'path'}) # Forces LocalStack compatibility
-}
+s3_args: dict[str, object] = {"region_name": AWS_REGION}
 if S3_ENDPOINT:
-    s3_args["endpoint_url"] = S3_ENDPOINT # Route traffic to LocalStack!
+    s3_args["endpoint_url"] = S3_ENDPOINT
+    s3_args["config"] = Config(s3={"addressing_style": "path"})
 
-s3_client = boto3.client('s3', **s3_args)
\ No newline at end of file
+s3_client = boto3.client("s3", **s3_args)
\ No newline at end of file
diff --git a/apps/blogpost-backend/app/main.py b/apps/blogpost-backend/app/main.py
index 3213b1b..22b92c7 100644
--- a/apps/blogpost-backend/app/main.py
+++ b/apps/blogpost-backend/app/main.py
@@ -11,16 +11,30 @@
 
 app = FastAPI(title="GalacticView Blog Content Service")
 
-ALLOWED_ORIGINS = [o.strip() 
-                    for o in os.getenv("ALLOWED_ORIGINS", "http://localhost:3000").split(",") if o.strip()]
-
-app.add_middleware(
-    CORSMiddleware,
-    allow_origins=ALLOWED_ORIGINS, 
-    allow_credentials=True,                  
-    allow_methods=["*"],
-    allow_headers=["*"],
-)
+_DEV_ORIGIN_REGEX = r"^https?://(localhost|127\.0\.0\.1)(:\d+)?$"
+_DEFAULT_ORIGINS = "http://localhost:5173,http://127.0.0.1:5173"
+
+if os.getenv("ENVIRONMENT", "prod") == "dev":
+    app.add_middleware(
+        CORSMiddleware,
+        allow_origin_regex=_DEV_ORIGIN_REGEX,
+        allow_credentials=True,
+        allow_methods=["*"],
+        allow_headers=["*"],
+    )
+else:
+    allowed_origins = [
+        origin.strip()
+        for origin in os.getenv("ALLOWED_ORIGINS", _DEFAULT_ORIGINS).split(",")
+        if origin.strip()
+    ]
+    app.add_middleware(
+        CORSMiddleware,
+        allow_origins=allowed_origins,
+        allow_credentials=True,
+        allow_methods=["*"],
+        allow_headers=["*"],
+    )
 
 @app.get("/health", tags=["System"])
 def health_check() -> dict[str, str]:
diff --git a/apps/blogpost-backend/app/scripts/init_db.py b/apps/blogpost-backend/app/scripts/init_db.py
index e5ddebd..23511ae 100644
--- a/apps/blogpost-backend/app/scripts/init_db.py
+++ b/apps/blogpost-backend/app/scripts/init_db.py
@@ -30,15 +30,14 @@ def setup_s3():
     """
     bucket_name = os.getenv("S3_BUCKET_NAME", "galactic-blog-images")
     region = os.getenv("AWS_REGION", "eu-central-1")
-    
+
     try:
-        # AWS requires a specific LocationConstraint for regions outside us-east-1
         if region == "us-east-1":
             s3_client.create_bucket(Bucket=bucket_name)
         else:
             s3_client.create_bucket(
                 Bucket=bucket_name,
-                CreateBucketConfiguration={'LocationConstraint': region}
+                CreateBucketConfiguration={"LocationConstraint": region},
             )
         print(f"✅ S3 Bucket '{bucket_name}' created successfully!")
     except Exception as e:
diff --git a/apps/blogpost-backend/app/services/blog_service.py b/apps/blogpost-backend/app/services/blog_service.py
index fd6d491..b0d92f8 100644
--- a/apps/blogpost-backend/app/services/blog_service.py
+++ b/apps/blogpost-backend/app/services/blog_service.py
@@ -36,7 +36,13 @@ def fetch_all_blogs(self) -> list:
         """
         Fetches all blog posts from the repository.
         """
-        return self.repo.get_all_posts()
+        posts = self.repo.get_all_posts()
+        for post in posts:
+            post["image_urls"] = [
+                self.storage_service.presign_from_url(url)
+                for url in post.get("image_urls", [])
+            ]
+        return posts
 
     def delete_blog(self, blog_id: str, requesting_author: str) -> dict:
         """
diff --git a/apps/blogpost-backend/app/services/storage_service.py b/apps/blogpost-backend/app/services/storage_service.py
index a9a0d40..6c7e6d9 100644
--- a/apps/blogpost-backend/app/services/storage_service.py
+++ b/apps/blogpost-backend/app/services/storage_service.py
@@ -1,6 +1,7 @@
 import os
 import uuid
 from typing import BinaryIO
+from urllib.parse import urlparse
 
 from botocore.exceptions import ClientError
 
@@ -22,11 +23,12 @@ class StorageService:
     def __init__(self) -> None:
         self.bucket_name = os.getenv("S3_BUCKET_NAME", "galactic-blog-images")
         self.s3_endpoint = os.getenv("S3_ENDPOINT")
+        self.s3_public_endpoint = os.getenv("S3_PUBLIC_ENDPOINT", self.s3_endpoint)
         self.aws_region = os.getenv("AWS_REGION", "eu-central-1")
 
     def _get_base_url(self) -> str:
-        if self.s3_endpoint:
-            return f"{self.s3_endpoint}/{self.bucket_name}"
+        if self.s3_public_endpoint:
+            return f"{self.s3_public_endpoint.rstrip('/')}/{self.bucket_name}"
         return f"https://{self.bucket_name}.s3.{self.aws_region}.amazonaws.com"
 
     def _object_exists(self, key: str) -> bool:
@@ -38,6 +40,53 @@ def _object_exists(self, key: str) -> bool:
                 return False
             raise
 
+    def _upload_extra_args(self, content_type: str) -> dict[str, str]:
+        extra_args: dict[str, str] = {"ContentType": content_type}
+        if self.s3_endpoint:
+            extra_args["ACL"] = "public-read"
+        return extra_args
+
+    def _canonical_url(self, s3_key: str) -> str:
+        return f"{self._get_base_url()}/{s3_key}"
+
+    def _presign_url(self, s3_key: str, expires_in: int = 86400) -> str:
+        if self.s3_endpoint:
+            return self._canonical_url(s3_key)
+        return s3_client.generate_presigned_url(
+            "get_object",
+            Params={"Bucket": self.bucket_name, "Key": s3_key},
+            ExpiresIn=expires_in,
+        )
+
+    def presign_from_url(self, image_url: str, expires_in: int = 86400) -> str:
+        key = self._url_to_key(image_url)
+        return self._presign_url(key, expires_in=expires_in)
+
+    def _url_to_key(self, image_url: str) -> str:
+        url_without_query = image_url.split("?", 1)[0].rstrip("/")
+        parsed = urlparse(url_without_query)
+        host = parsed.netloc
+        path = parsed.path.lstrip("/")
+
+        if host.startswith("s3.") or host == "s3.amazonaws.com":
+            bucket, _, key = path.partition("/")
+            if bucket == self.bucket_name and key:
+                return key
+
+        if host.startswith(f"{self.bucket_name}."):
+            if path:
+                return path
+
+        if self.s3_public_endpoint:
+            localstack_host = urlparse(self.s3_public_endpoint.rstrip("/")).netloc
+            if host == localstack_host and path.startswith(f"{self.bucket_name}/"):
+                return path[len(self.bucket_name) + 1 :]
+
+        raise ImagePromotionError(
+            temp_image_url=image_url,
+            message="Unrecognized image URL — only uploaded images are accepted.",
+        )
+
     def upload_image(self, file_obj: BinaryIO, original_filename: str, content_type: str) -> str:
         """
         Uploads an image to S3 under the "temp/" folder and returns its URL.
@@ -51,7 +100,7 @@ def upload_image(self, file_obj: BinaryIO, original_filename: str, content_type:
             file_obj,
             self.bucket_name,
             s3_key,
-            ExtraArgs={"ContentType": content_type, "ACL": "public-read"}
+            ExtraArgs=self._upload_extra_args(content_type),
         )
 
         if not self._object_exists(s3_key):
@@ -60,24 +109,17 @@ def upload_image(self, file_obj: BinaryIO, original_filename: str, content_type:
                 message="Image upload did not persist in storage. Please try again.",
             )
 
-        return f"{self._get_base_url()}/{s3_key}"
+        return self._presign_url(s3_key)
 
     def promote_image(self, temp_image_url: str) -> str:
         """
         Moves an image from temp/ to published/ and returns the new URL.
         All URLs are guaranteed to come from our own upload endpoint.
         """
-        base = f"{self._get_base_url()}/"
-        if not temp_image_url.startswith(base):
-            raise ImagePromotionError(
-                temp_image_url=temp_image_url,
-                message="Unrecognized image URL — only uploaded images are accepted.",
-            )
-
-        source_key = temp_image_url[len(base):]
+        source_key = self._url_to_key(temp_image_url)
 
         if source_key.startswith("published/"):
-            return temp_image_url
+            return self._canonical_url(source_key)
 
         if not source_key.startswith("temp/"):
             raise ImagePromotionError(
@@ -89,7 +131,7 @@ def promote_image(self, temp_image_url: str) -> str:
         new_key = f"published/{filename}"
 
         if self._object_exists(new_key):
-            return f"{self._get_base_url()}/{new_key}"
+            return self._canonical_url(new_key)
 
         if not self._object_exists(source_key):
             raise ImagePromotionError(
@@ -101,12 +143,14 @@ def promote_image(self, temp_image_url: str) -> str:
             )
 
         copy_source = {"Bucket": self.bucket_name, "Key": source_key}
-        s3_client.copy_object(
-            CopySource=copy_source,
-            Bucket=self.bucket_name,
-            Key=new_key,
-            ACL="public-read",
-        )
+        copy_args: dict[str, object] = {
+            "CopySource": copy_source,
+            "Bucket": self.bucket_name,
+            "Key": new_key,
+        }
+        if self.s3_endpoint:
+            copy_args["ACL"] = "public-read"
+        s3_client.copy_object(**copy_args)
         s3_client.delete_object(Bucket=self.bucket_name, Key=source_key)
 
-        return f"{self._get_base_url()}/{new_key}"
\ No newline at end of file
+        return self._canonical_url(new_key)
diff --git a/apps/blogpost-backend/docker-compose.yml b/apps/blogpost-backend/docker-compose.yml
deleted file mode 100644
index c186c4f..0000000
--- a/apps/blogpost-backend/docker-compose.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-version: "3.8"
-services:
-  dynamodb-local:
-    image: amazon/dynamodb-local:latest
-    command: "-jar DynamoDBLocal.jar -sharedDb -inMemory"
-    ports:
-      - "8000:8000"
-
-  localstack:
-    image: localstack/localstack:3.8.0
-    container_name: galactic-localstack
-    ports:
-      - "4566:4566"
-    environment:
-      - SERVICES=s3
diff --git a/apps/blogpost-backend/poetry.lock b/apps/blogpost-backend/poetry.lock
index cb8af62..0c4f926 100644
--- a/apps/blogpost-backend/poetry.lock
+++ b/apps/blogpost-backend/poetry.lock
@@ -393,10 +393,7 @@ files = [
 librt = {version = ">=0.8.0", markers = "platform_python_implementation != \"PyPy\""}
 mypy_extensions = ">=1.0.0"
 pathspec = ">=1.0.0"
-typing_extensions = [
-    {version = ">=4.6.0", markers = "python_version < \"3.15\""},
-    {version = ">=4.14.0", markers = "python_version >= \"3.15\""},
-]
+typing_extensions = {version = ">=4.6.0", markers = "python_version < \"3.15\""}
 
 [package.extras]
 dmypy = ["psutil (>=4.0)"]
@@ -418,9 +415,6 @@ files = [
     {file = "mypy_boto3_dynamodb-1.43.0.tar.gz", hash = "sha256:f0cea38e058f1d07361ecb55d8f40665d824b42cf4864724c7fccc8bf3946fcd"},
 ]
 
-[package.dependencies]
-typing-extensions = {version = "*", markers = "python_version < \"3.12\""}
-
 [[package]]
 name = "mypy-extensions"
 version = "1.1.0"
@@ -813,5 +807,5 @@ dev = ["mypy", "ruff", "types-requests"]
 
 [metadata]
 lock-version = "2.1"
-python-versions = "^3.11"
-content-hash = "e8453873e3ad39bbab9712463102812a33f0677d791176afab4b519058ac438a"
+python-versions = ">=3.12,<3.14"
+content-hash = "356778f3872764ebc5d9e2f69143c25fe7479be5d072bcc667c469b48fd42d3d"
diff --git a/apps/blogpost-backend/pyproject.toml b/apps/blogpost-backend/pyproject.toml
index 4d4080b..3db429c 100644
--- a/apps/blogpost-backend/pyproject.toml
+++ b/apps/blogpost-backend/pyproject.toml
@@ -6,7 +6,7 @@ authors = [
     {name = "Daroczi Levente",email = "daroczilevente2@gmail.com"}
 ]
 readme = "README.md"
-requires-python = "^3.11"
+requires-python = ">=3.12,<3.14"
 dependencies = [
     "fastapi (>=0.136.1,<0.137.0)",
     "uvicorn (>=0.47.0,<0.48.0)",
diff --git a/apps/core-backend/.dockerignore b/apps/core-backend/.dockerignore
new file mode 100644
index 0000000..37dce10
--- /dev/null
+++ b/apps/core-backend/.dockerignore
@@ -0,0 +1,16 @@
+__pycache__
+*.py[cod]
+*.egg-info
+.venv
+venv
+.env
+.env.*
+.git
+.gitignore
+.dockerignore
+Dockerfile
+docker-compose.yml
+requirements.txt
+.ruff_cache
+.mypy_cache
+tests
diff --git a/apps/core-backend/.env.example b/apps/core-backend/.env.example
new file mode 100644
index 0000000..cf87b85
--- /dev/null
+++ b/apps/core-backend/.env.example
@@ -0,0 +1,16 @@
+# Local dev:  poetry run python -m app.main
+# Docker:     docker compose up auth-service
+#             Mount Firebase credentials at ./secrets/firebase-service-account.json
+
+POSTGRESQL_USER=galactic
+POSTGRESQL_PASSWORD=galactic
+POSTGRESQL_HOST=localhost
+
+ENVIRONMENT=dev
+PORT=8000
+
+# Comma-separated frontend origins
+ALLOWED_ORIGINS=http://localhost:5173,http://127.0.0.1:5173
+
+# Local dev only — Docker Compose sets this via GOOGLE_APPLICATION_CREDENTIALS mount
+# GOOGLE_APPLICATION_CREDENTIALS=./config/firebase-service-account.json
diff --git a/apps/core-backend/Dockerfile b/apps/core-backend/Dockerfile
new file mode 100644
index 0000000..25f39eb
--- /dev/null
+++ b/apps/core-backend/Dockerfile
@@ -0,0 +1,24 @@
+FROM python:3.12-slim
+
+WORKDIR /app
+
+ENV POETRY_VERSION=2.2.1 \
+    POETRY_VIRTUALENVS_CREATE=false \
+    POETRY_NO_INTERACTION=1 \
+    PYTHONDONTWRITEBYTECODE=1 \
+    PYTHONUNBUFFERED=1
+
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends libpq5 \
+    && rm -rf /var/lib/apt/lists/* \
+    && pip install --no-cache-dir poetry==${POETRY_VERSION}
+
+COPY pyproject.toml poetry.lock README.md ./
+RUN poetry install --no-root
+
+COPY app ./app
+RUN poetry install
+
+EXPOSE 8000
+
+CMD ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8000", "--proxy-headers", "--forwarded-allow-ips", "*"]
diff --git a/apps/core-backend/app/api/routes/auth.py b/apps/core-backend/app/api/routes/auth.py
index afe794d..513b2ef 100644
--- a/apps/core-backend/app/api/routes/auth.py
+++ b/apps/core-backend/app/api/routes/auth.py
@@ -42,7 +42,8 @@ async def register(
         max_age=cookie_data["expires"],
         httponly=True,
         samesite="lax",
-        secure=False # True in production
+        secure=False,  # True in production
+        path="/",
     )
     return {"status": "success", "message": "Registered and logged in"}
 
@@ -58,8 +59,13 @@ async def login(
     cookie_data = service.login_user(request.id_token)
     
     response.set_cookie(
-        key="session", value=cookie_data["cookie"], max_age=cookie_data["expires"],
-        httponly=True, samesite="lax", secure=False
+        key="session",
+        value=cookie_data["cookie"],
+        max_age=cookie_data["expires"],
+        httponly=True,
+        samesite="lax",
+        secure=False,
+        path="/",
     )
     return {"status": "success", "message": "Login successful"}
 
@@ -69,7 +75,7 @@ async def logout(response: Response) -> dict[str, str]:
     """
     Clear the session cookie to log the user out.
     """
-    response.delete_cookie(key="session")
+    response.delete_cookie(key="session", path="/")
     return {"status": "success", "message": "Logout successful"}
 
 
diff --git a/apps/core-backend/app/main.py b/apps/core-backend/app/main.py
index df002dc..ca8d8ca 100644
--- a/apps/core-backend/app/main.py
+++ b/apps/core-backend/app/main.py
@@ -48,13 +48,30 @@ async def lifespan(app: FastAPI) -> AsyncGenerator[None, None]:
 app.state.limiter = limiter
 app.add_exception_handler(RateLimitExceeded, _rate_limit_exceeded_handler) # type: ignore
 
-app.add_middleware(
-    CORSMiddleware,
-    allow_origins=["*"],
-    allow_credentials=True,
-    allow_methods=["*"],
-    allow_headers=["*"],
-)
+_DEV_ORIGIN_REGEX = r"^https?://(localhost|127\.0\.0\.1)(:\d+)?$"
+_DEFAULT_ORIGINS = "http://localhost:5173,http://127.0.0.1:5173"
+
+if os.getenv("ENVIRONMENT", "prod") == "dev":
+    app.add_middleware(
+        CORSMiddleware,
+        allow_origin_regex=_DEV_ORIGIN_REGEX,
+        allow_credentials=True,
+        allow_methods=["*"],
+        allow_headers=["*"],
+    )
+else:
+    allowed_origins = [
+        origin.strip()
+        for origin in os.getenv("ALLOWED_ORIGINS", _DEFAULT_ORIGINS).split(",")
+        if origin.strip()
+    ]
+    app.add_middleware(
+        CORSMiddleware,
+        allow_origins=allowed_origins,
+        allow_credentials=True,
+        allow_methods=["*"],
+        allow_headers=["*"],
+    )
 
 app.include_router(auth.router)
 
@@ -76,8 +93,9 @@ def main() -> None:
     if env == "prod":
         host = "0.0.0.0"
 
-    print(f"Starting server on {host}:8001 with reload={reload}")
-    uvicorn.run("app.main:app", host=host, port=8001, reload=reload)
+    port = int(os.getenv("PORT", "8000"))
+    print(f"Starting server on {host}:{port} with reload={reload}")
+    uvicorn.run("app.main:app", host=host, port=port, reload=reload)
 
 if __name__ == "__main__":
     main()
\ No newline at end of file
diff --git a/apps/core-backend/app/services/auth_service.py b/apps/core-backend/app/services/auth_service.py
index 02f0e81..1dfb7fb 100644
--- a/apps/core-backend/app/services/auth_service.py
+++ b/apps/core-backend/app/services/auth_service.py
@@ -43,8 +43,20 @@ def register_user(
 
     def login_user(self, id_token: str) -> dict[str, Any]:
         """
-        Creates cookie on login
+        Verify the Firebase token, ensure the user exists in PostgreSQL, then mint a session cookie.
         """
+        try:
+            decoded_token = auth.verify_id_token(id_token)
+            uid = decoded_token["uid"]
+        except Exception:
+            raise HTTPException(status_code=401, detail="Invalid Firebase Token")
+
+        if not self.user_repo.get_user_by_id(uid):
+            raise HTTPException(
+                status_code=404,
+                detail="User not found. Complete registration to create your profile.",
+            )
+
         return self._create_cookie(id_token)
     
     def get_user_by_id(self, user_id: str) -> User:
diff --git a/apps/core-backend/poetry.lock b/apps/core-backend/poetry.lock
index f256dd5..5c2c9b0 100644
--- a/apps/core-backend/poetry.lock
+++ b/apps/core-backend/poetry.lock
@@ -553,14 +553,8 @@ files = [
 [package.dependencies]
 google-auth = ">=2.14.1,<3.0.0"
 googleapis-common-protos = ">=1.63.2,<2.0.0"
-grpcio = [
-    {version = ">=1.75.1,<2.0.0", optional = true, markers = "python_version >= \"3.14\" and extra == \"grpc\""},
-    {version = ">=1.49.1,<2.0.0", optional = true, markers = "python_version >= \"3.11\" and extra == \"grpc\" and python_version < \"3.14\""},
-]
-grpcio-status = [
-    {version = ">=1.75.1,<2.0.0", optional = true, markers = "python_version >= \"3.14\" and extra == \"grpc\""},
-    {version = ">=1.49.1,<2.0.0", optional = true, markers = "python_version >= \"3.11\" and extra == \"grpc\""},
-]
+grpcio = {version = ">=1.49.1,<2.0.0", optional = true, markers = "python_version >= \"3.11\" and extra == \"grpc\""}
+grpcio-status = {version = ">=1.49.1,<2.0.0", optional = true, markers = "python_version >= \"3.11\" and extra == \"grpc\""}
 proto-plus = [
     {version = ">=1.25.0,<2.0.0", markers = "python_version >= \"3.13\""},
     {version = ">=1.22.3,<2.0.0"},
@@ -636,10 +630,7 @@ files = [
 google-api-core = {version = ">=2.11.0,<3.0.0", extras = ["grpc"]}
 google-auth = ">=2.14.1,<2.24.0 || >2.24.0,<2.25.0 || >2.25.0,<3.0.0"
 google-cloud-core = ">=2.0.0,<3.0.0"
-grpcio = [
-    {version = ">=1.75.1,<2.0.0", markers = "python_version >= \"3.14\""},
-    {version = ">=1.33.2,<2.0.0"},
-]
+grpcio = ">=1.33.2,<2.0.0"
 proto-plus = [
     {version = ">=1.25.0,<2.0.0", markers = "python_version >= \"3.13\""},
     {version = ">=1.22.3,<2.0.0"},
@@ -1297,10 +1288,7 @@ files = [
 librt = {version = ">=0.8.0", markers = "platform_python_implementation != \"PyPy\""}
 mypy_extensions = ">=1.0.0"
 pathspec = ">=1.0.0"
-typing_extensions = [
-    {version = ">=4.6.0", markers = "python_version < \"3.15\""},
-    {version = ">=4.14.0", markers = "python_version >= \"3.15\""},
-]
+typing_extensions = {version = ">=4.6.0", markers = "python_version < \"3.15\""}
 
 [package.extras]
 dmypy = ["psutil (>=4.0)"]
@@ -2075,5 +2063,5 @@ dev = ["mypy", "ruff", "types-requests"]
 
 [metadata]
 lock-version = "2.1"
-python-versions = "^3.11"
-content-hash = "2bf125a3396926ff3fc40a082e0aa1c614aae644c72d03f79e890bf146091212"
+python-versions = ">=3.12,<3.14"
+content-hash = "867ac62a1edbe3b403729d8a5c6b0fbb8838e29f4c6f3302d6518512b8f7033f"
diff --git a/apps/core-backend/pyproject.toml b/apps/core-backend/pyproject.toml
index 2b77160..03f62b9 100644
--- a/apps/core-backend/pyproject.toml
+++ b/apps/core-backend/pyproject.toml
@@ -6,7 +6,7 @@ authors = [
     {name = "Daroczi Levente",email = "daroczilevente2@gmail.com"}
 ]
 readme = "README.md"
-requires-python = "^3.11"
+requires-python = ">=3.12,<3.14"
 dependencies = [
     "fastapi (>=0.136.1,<0.137.0)",
     "sqlalchemy[asyncio] (>=2.0.49,<3.0.0)",
diff --git a/apps/frontend/.dockerignore b/apps/frontend/.dockerignore
index 82119a7..b63e47f 100644
--- a/apps/frontend/.dockerignore
+++ b/apps/frontend/.dockerignore
@@ -2,8 +2,6 @@ node_modules
 dist
 dist-ssr
 *.local
-.env
-.env.*
 .git
 .gitignore
 .dockerignore
diff --git a/apps/frontend/.env.example b/apps/frontend/.env.example
new file mode 100644
index 0000000..6142ca0
--- /dev/null
+++ b/apps/frontend/.env.example
@@ -0,0 +1,18 @@
+# Local Vite dev:  yarn dev  (UI at http://localhost:5173)
+# Docker Compose:  UI at http://localhost:8080
+
+# NASA APOD / image library
+VITE_NASA_API_KEY=your-nasa-api-key
+
+# Backend API base URLs
+VITE_CORE_API_BASE_URL=http://localhost:8000
+VITE_BLOGPOSTS_API_BASE_URL=http://localhost:8001
+VITE_AGENT_API_BASE_URL=http://localhost:8002
+
+# Firebase web app config (Firebase console → Project settings)
+VITE_FIREBASE_API_KEY=your-firebase-api-key
+VITE_FIREBASE_AUTH_DOMAIN=your-project.firebaseapp.com
+VITE_FIREBASE_PROJECT_ID=your-project-id
+VITE_FIREBASE_STORAGE_BUCKET=your-project.firebasestorage.app
+VITE_FIREBASE_MESSAGING_SENDER_ID=123456789012
+VITE_FIREBASE_APP_ID=1:123456789012:web:abcdef0123456789
diff --git a/apps/frontend/.env.production b/apps/frontend/.env.production
new file mode 100644
index 0000000..4f17776
--- /dev/null
+++ b/apps/frontend/.env.production
@@ -0,0 +1,21 @@
+# Production build (yarn build) — loaded ON TOP of .env when Vite is in
+# `production` mode. Keep secrets in .env (gitignored); this file is safe
+# to commit because it only contains routing paths.
+#
+# Relative paths make every API call same-origin via the Traefik Ingress:
+#   browser  → http://<host>/auth/...   → auth-service  (k8s Service)
+#   browser  → http://<host>/blogs/...  → blog-service
+#   browser  → http://<host>/agent/...  → agent-service
+#
+# Same-origin removes CORS entirely and means the same image works behind
+# any DNS name without rebuilding.
+
+# auth.api.ts and blogposts.api.ts already include "/auth/..." and "/blogs/..."
+# in every call, so their base URL must be "/" (NOT "/auth" or "/blogs", which
+# would produce "/auth/auth/register" → 404).
+#
+# agent.api.ts only calls "/chat", so its base needs the "/agent" prefix.
+
+VITE_CORE_API_BASE_URL=/
+VITE_BLOGPOSTS_API_BASE_URL=/
+VITE_AGENT_API_BASE_URL=/agent
diff --git a/apps/frontend/Dockerfile b/apps/frontend/Dockerfile
index 17e0497..c6cf3ae 100644
--- a/apps/frontend/Dockerfile
+++ b/apps/frontend/Dockerfile
@@ -7,17 +7,13 @@ RUN yarn install --frozen-lockfile
 
 COPY . .
 
-ARG VITE_AGENT_API_BASE_URL
-ENV VITE_AGENT_API_BASE_URL=$VITE_AGENT_API_BASE_URL
-
 RUN yarn build
 
-
 FROM nginx:alpine
 
 COPY --from=builder /app/dist /usr/share/nginx/html
 COPY nginx.conf /etc/nginx/conf.d/default.conf
 
-EXPOSE 3000
+EXPOSE 80
 
-CMD ["nginx", "-g", "daemon off;"]
\ No newline at end of file
+CMD ["nginx", "-g", "daemon off;"]
diff --git a/apps/frontend/docker-compose.yml b/apps/frontend/docker-compose.yml
deleted file mode 100644
index 770fbe1..0000000
--- a/apps/frontend/docker-compose.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-version: '3.8'
-
-services:
-  galactic-view:
-    build:
-      context: .
-      dockerfile: Dockerfile
-      args:
-        - VITE_AGENT_API_BASE_URL=https://localhost:8080
-    ports:
-      - "3000:3000"
-    restart: always
\ No newline at end of file
diff --git a/apps/frontend/nginx.conf b/apps/frontend/nginx.conf
index 04b890f..aa75871 100644
--- a/apps/frontend/nginx.conf
+++ b/apps/frontend/nginx.conf
@@ -1,20 +1,17 @@
 server {
-    listen 3000;
+    listen 80;
+    listen [::]:80;
     server_name localhost;
+    root /usr/share/nginx/html;
+    index index.html;
 
     location / {
-        root /usr/share/nginx/html;
-        index index.html index.htm;
-
         try_files $uri $uri/ /index.html;
     }
 
-    location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
-        root /usr/share/nginx/html;
+    location ~* \.(?:ico|css|js|gif|jpe?g|png|svg|woff2?|ttf|eot)$ {
         expires 1y;
         access_log off;
         add_header Cache-Control "public";
     }
-
-
-}
\ No newline at end of file
+}
diff --git a/apps/frontend/package.json b/apps/frontend/package.json
index 304dbd8..64670e1 100644
--- a/apps/frontend/package.json
+++ b/apps/frontend/package.json
@@ -27,8 +27,8 @@
         "react-i18next": "^16.5.0",
         "react-icons": "^5.5.0",
         "react-medium-image-zoom": "^5.4.0",
-        "react-router": "^7.9.5",
-        "react-router-dom": "^7.9.5",
+        "react-router": "^7.15.0",
+        "react-router-dom": "^7.15.0",
         "react-textarea-autosize": "^8.5.9",
         "uuid": "^14.0.0"
     },
@@ -52,5 +52,8 @@
         "typescript": "^5.9.3",
         "typescript-eslint": "^8.46.4",
         "vite": "^7.1.7"
+    },
+    "resolutions": {
+        "esbuild": "^0.28.1"
     }
 }
diff --git a/apps/frontend/public/locales/en/translation.json b/apps/frontend/public/locales/en/translation.json
index 8fc4dad..cf8d7ad 100644
--- a/apps/frontend/public/locales/en/translation.json
+++ b/apps/frontend/public/locales/en/translation.json
@@ -112,7 +112,9 @@
   },
   "agent": {
     "welcome": "\uD83D\uDC4B How can I help you explore the cosmos today?",
-    "placeholder": "Ask me anything about space..."
+    "placeholder": "Ask me anything about space...",
+    "loginRequired": "Please log in to ask the Galactic Agent.",
+    "oneQuestionOnly": "Refresh the page to ask a new question."
   },
   "loading": "Loading..."
 }
\ No newline at end of file
diff --git a/apps/frontend/src/api/auth.api.ts b/apps/frontend/src/api/auth.api.ts
index 4c67bc0..5e278c8 100644
--- a/apps/frontend/src/api/auth.api.ts
+++ b/apps/frontend/src/api/auth.api.ts
@@ -25,14 +25,18 @@ export const coreAPI = axios.create({
     withCredentials: true,
 });
 
+const AUTH_FLOW_ENDPOINTS = new Set(['/auth/login', '/auth/register', '/auth/logout', '/auth/me']);
+
 coreAPI.interceptors.response.use(
     (response) => {
         return response;
     },
     async (error: AxiosError) => {
         const originalRequest = error.config;
+        const requestUrl = originalRequest?.url ?? '';
+        const isAuthFlowRequest = AUTH_FLOW_ENDPOINTS.has(requestUrl);
 
-        if (error.response?.status === 401 && originalRequest?.url !== '/auth/me') {
+        if (error.response?.status === 401 && !isAuthFlowRequest) {
             console.warn('Session expired. Logging out...');
             try {
                 await coreAPI.post('/auth/logout');
diff --git a/apps/frontend/src/api/blogposts.api.ts b/apps/frontend/src/api/blogposts.api.ts
index 4609e70..b70834c 100644
--- a/apps/frontend/src/api/blogposts.api.ts
+++ b/apps/frontend/src/api/blogposts.api.ts
@@ -17,12 +17,12 @@ export const blogPostsApi = axios.create({
 });
 
 export async function getAllBlogPosts(): Promise<BlogPostTypeIn[]> {
-    const res = await blogPostsApi.get<BlogPostTypeIn[]>('/blogs');
+    const res = await blogPostsApi.get<BlogPostTypeIn[]>('/blogs/');
     return res.data;
 }
 
 export async function createBlogPosts(newBlogPost: BlogPostTypeOut): Promise<BlogPostTypeIn> {
-    const res = await blogPostsApi.post<BlogPostTypeIn>('/blogs', newBlogPost);
+    const res = await blogPostsApi.post<BlogPostTypeIn>('/blogs/', newBlogPost);
     return res.data;
 }
 
diff --git a/apps/frontend/src/components/AgentChatWidget.module.css b/apps/frontend/src/components/AgentChatWidget.module.css
index 93d3215..01e095a 100644
--- a/apps/frontend/src/components/AgentChatWidget.module.css
+++ b/apps/frontend/src/components/AgentChatWidget.module.css
@@ -93,6 +93,12 @@
     padding: 0.75rem;
 }
 
+.authHint {
+    font-size: 0.875rem;
+    color: #6c757d;
+    margin-bottom: 0.5rem;
+}
+
 .inputGroup {
     position: relative;
 }
diff --git a/apps/frontend/src/components/AgentChatWidget.tsx b/apps/frontend/src/components/AgentChatWidget.tsx
index f701fdc..4fedb47 100644
--- a/apps/frontend/src/components/AgentChatWidget.tsx
+++ b/apps/frontend/src/components/AgentChatWidget.tsx
@@ -3,8 +3,10 @@ import * as React from 'react';
 import { Button, Card, CloseButton, Form, InputGroup } from 'react-bootstrap';
 import { useTranslation } from 'react-i18next';
 import { IoSend } from 'react-icons/io5';
+import { Link } from 'react-router-dom';
 import TextareaAutosize from 'react-textarea-autosize';
 
+import { useAuth } from '../context/AuthContext.tsx';
 import useAgentChat from '../hooks/useAgentChat.ts';
 import style from './AgentChatWidget.module.css';
 
@@ -12,12 +14,15 @@ const MAX_MESSAGE_LENGTH = 512;
 
 function AgentChatWidget() {
     const { t } = useTranslation();
+    const { isAuthenticated } = useAuth();
 
     const [isOpen, setIsOpen] = useState(false);
     const [inputMessage, setInputMessage] = useState('');
-    const { messages, isLoading, sendMessage } = useAgentChat();
+    const { messages, isLoading, questionSent, sendMessage } = useAgentChat();
     const messagesEndRef = useRef<HTMLDivElement>(null);
 
+    const inputDisabled = !isAuthenticated || questionSent || isLoading;
+
     useEffect(() => {
         if (messagesEndRef.current) {
             messagesEndRef.current.scrollIntoView({ behavior: 'smooth' });
@@ -31,7 +36,7 @@ function AgentChatWidget() {
     const handleSendMessage = async (e: React.FormEvent) => {
         e.preventDefault();
 
-        if (inputMessage.trim() === '' || inputMessage.length > MAX_MESSAGE_LENGTH) return;
+        if (inputDisabled || inputMessage.trim() === '' || inputMessage.length > MAX_MESSAGE_LENGTH) return;
         setInputMessage('');
 
         try {
@@ -42,12 +47,19 @@ function AgentChatWidget() {
     };
 
     const handleKeyDown = (e: React.KeyboardEvent) => {
+        if (inputDisabled) return;
         if (e.key === 'Enter' && !e.shiftKey) {
             e.preventDefault();
             void handleSendMessage(e);
         }
     };
 
+    const placeholder = !isAuthenticated
+        ? t('agent.loginRequired')
+        : questionSent
+          ? t('agent.oneQuestionOnly')
+          : t('agent.placeholder');
+
     return (
         <div className={style.agentContainer}>
             {isOpen ? (
@@ -77,18 +89,25 @@ function AgentChatWidget() {
                         <div ref={messagesEndRef} />
                     </Card.Body>
                     <Card.Footer className={style.cardFooter}>
-                        <Form onSubmit={(e) => void handleSendMessage(e)} onKeyDown={handleKeyDown}>
+                        {!isAuthenticated ? (
+                            <p className={`m-0 text-center ${style.authHint}`}>
+                                {t('agent.loginRequired')} <Link to="/login">{t('navigation.login')}</Link>
+                            </p>
+                        ) : null}
+                        <Form onSubmit={(e) => void handleSendMessage(e)}>
                             <InputGroup className={style.inputGroup}>
                                 <Form.Control
                                     as={TextareaAutosize}
                                     minRows={1}
                                     maxRows={5}
-                                    placeholder={t('agent.placeholder')}
+                                    placeholder={placeholder}
                                     className={style.chatInput}
                                     value={inputMessage}
                                     onChange={(e) => setInputMessage(e.target.value)}
+                                    onKeyDown={handleKeyDown}
+                                    disabled={inputDisabled}
                                 />
-                                <Button type="submit" variant="dark" disabled={isLoading}>
+                                <Button type="submit" variant="dark" disabled={inputDisabled}>
                                     <IoSend size={18} />
                                 </Button>
                             </InputGroup>
diff --git a/apps/frontend/src/context/AuthContext.tsx b/apps/frontend/src/context/AuthContext.tsx
index 91a9e96..50adaff 100644
--- a/apps/frontend/src/context/AuthContext.tsx
+++ b/apps/frontend/src/context/AuthContext.tsx
@@ -53,21 +53,41 @@ export const AuthProvider: React.FC<{ children: React.ReactNode }> = ({ children
     const handleLogin: AuthContextType['login'] = async (email, password) => {
         try {
             const userCredential = await signInWithEmailAndPassword(auth, email, password);
-            await sendLoginRequest(userCredential);
+            const response = await sendLoginRequest(userCredential);
+            if (response.status !== 'success') {
+                throw new Error(response.message || 'Login failed.');
+            }
             await refreshUser();
         } catch (error) {
+            try {
+                await signOut(auth);
+            } catch (signOutError) {
+                console.warn('Failed signing out firebase after login failure:', signOutError);
+            }
             throw new Error(getApiErrorMessage(error, 'Login failed.'));
         }
     };
 
     const handleRegister: AuthContextType['register'] = async (email, password, username, firstName, lastName) => {
+        let createdFirebaseUser = false;
         try {
-            const userCredential = await createUserWithEmailAndPassword(auth, email, password);
+            let userCredential;
+            try {
+                userCredential = await createUserWithEmailAndPassword(auth, email, password);
+                createdFirebaseUser = true;
+            } catch (error) {
+                const code = (error as { code?: string }).code;
+                if (code === 'auth/email-already-in-use') {
+                    userCredential = await signInWithEmailAndPassword(auth, email, password);
+                } else {
+                    throw error;
+                }
+            }
             await sendRegisterRequest(userCredential, username, firstName, lastName);
             await refreshUser();
         } catch (error) {
             console.error('Error during registration:', error);
-            if (auth.currentUser) {
+            if (createdFirebaseUser && auth.currentUser) {
                 try {
                     await auth.currentUser.delete();
                 } catch (e) {
diff --git a/apps/frontend/src/hooks/useAgentChat.ts b/apps/frontend/src/hooks/useAgentChat.ts
index 390988a..2f9f184 100644
--- a/apps/frontend/src/hooks/useAgentChat.ts
+++ b/apps/frontend/src/hooks/useAgentChat.ts
@@ -1,7 +1,8 @@
-import { useEffect, useState } from 'react';
+import { useState } from 'react';
 import { v4 as uuidv4 } from 'uuid';
 
 import { sendPromptToAgent } from '../api/agent.api.ts';
+import { getApiErrorMessage } from '../utils/authUtils';
 
 export interface ChatMessage {
     id: string;
@@ -14,28 +15,10 @@ export interface ChatMessage {
     error?: string;
 }
 
-const SESSION_STORAGE_KEY = 'agent_chat_messages';
-
 const useAgentChat = () => {
-    const [messages, setMessages] = useState<ChatMessage[]>(() => {
-        try {
-            const storedMessages = sessionStorage.getItem(SESSION_STORAGE_KEY);
-            return storedMessages ? (JSON.parse(storedMessages) as ChatMessage[]) : [];
-        } catch (error) {
-            console.error('Failed to parse stored messages:', error);
-            return [];
-        }
-    });
-
-    useEffect(() => {
-        try {
-            sessionStorage.setItem(SESSION_STORAGE_KEY, JSON.stringify(messages));
-        } catch (error) {
-            console.error('Failed to store messages:', error);
-        }
-    }, [messages]);
-
+    const [messages, setMessages] = useState<ChatMessage[]>([]);
     const [isLoading, setIsLoading] = useState<boolean>(false);
+    const [questionSent, setQuestionSent] = useState<boolean>(false);
 
     const sendMessage = async (msg: string) => {
         const userMessage: ChatMessage = {
@@ -44,7 +27,7 @@ const useAgentChat = () => {
             sender: 'user',
         };
 
-        setMessages((prev) => [...prev, userMessage]);
+        setMessages([userMessage]);
         setIsLoading(true);
 
         try {
@@ -60,13 +43,14 @@ const useAgentChat = () => {
             };
 
             setMessages((prev) => [...prev, agentMessage]);
+            setQuestionSent(true);
         } catch (error) {
             const errorMessage: ChatMessage = {
                 id: uuidv4(),
-                message: 'Sorry, there was an error processing your request.',
+                message: getApiErrorMessage(error, 'Sorry, there was an error processing your request.'),
                 sender: 'agent',
                 isError: true,
-                error: (error as Error).message,
+                error: getApiErrorMessage(error, 'Sorry, there was an error processing your request.'),
             };
             setMessages((prev) => [...prev, errorMessage]);
         } finally {
@@ -74,17 +58,11 @@ const useAgentChat = () => {
         }
     };
 
-    const clearChat = () => {
-        setMessages([]);
-        sessionStorage.removeItem(SESSION_STORAGE_KEY);
-        setIsLoading(false);
-    };
-
     return {
         messages,
         isLoading,
+        questionSent,
         sendMessage,
-        clearChat,
     };
 };
 
diff --git a/apps/frontend/src/pages/BlogPostPageCreate.tsx b/apps/frontend/src/pages/BlogPostPageCreate.tsx
index 31ffcba..0220ef2 100644
--- a/apps/frontend/src/pages/BlogPostPageCreate.tsx
+++ b/apps/frontend/src/pages/BlogPostPageCreate.tsx
@@ -169,12 +169,6 @@ function BlogPostPageCreate() {
                                                 className={`d-flex flex-column mb-3 ${style.imageUrlItem}`}
                                             >
                                                 <div className="d-flex align-items-center mb-2">
-                                                    <span
-                                                        className={`me-auto text-truncate ${style.imageUrlText}`}
-                                                        style={{ maxWidth: '80%' }}
-                                                    >
-                                                        {url}
-                                                    </span>
                                                     <Button
                                                         variant="outline-danger"
                                                         size="sm"
diff --git a/apps/frontend/src/pages/LoginPage.tsx b/apps/frontend/src/pages/LoginPage.tsx
index c75c57b..95d64c7 100644
--- a/apps/frontend/src/pages/LoginPage.tsx
+++ b/apps/frontend/src/pages/LoginPage.tsx
@@ -16,6 +16,7 @@ function LoginPage() {
 
     const onSubmitHandler = async (e: React.SubmitEvent<HTMLFormElement>) => {
         e.preventDefault();
+        setError('');
 
         try {
             await login(email, password);
diff --git a/apps/frontend/yarn.lock b/apps/frontend/yarn.lock
index d78586f..3822ced 100644
--- a/apps/frontend/yarn.lock
+++ b/apps/frontend/yarn.lock
@@ -174,135 +174,135 @@
     "@babel/helper-string-parser" "^7.27.1"
     "@babel/helper-validator-identifier" "^7.28.5"
 
-"@esbuild/aix-ppc64@0.27.7":
-  version "0.27.7"
-  resolved "https://registry.yarnpkg.com/@esbuild/aix-ppc64/-/aix-ppc64-0.27.7.tgz#82b74f92aa78d720b714162939fb248c90addf53"
-  integrity sha512-EKX3Qwmhz1eMdEJokhALr0YiD0lhQNwDqkPYyPhiSwKrh7/4KRjQc04sZ8db+5DVVnZ1LmbNDI1uAMPEUBnQPg==
-
-"@esbuild/android-arm64@0.27.7":
-  version "0.27.7"
-  resolved "https://registry.yarnpkg.com/@esbuild/android-arm64/-/android-arm64-0.27.7.tgz#f78cb8a3121fc205a53285adb24972db385d185d"
-  integrity sha512-62dPZHpIXzvChfvfLJow3q5dDtiNMkwiRzPylSCfriLvZeq0a1bWChrGx/BbUbPwOrsWKMn8idSllklzBy+dgQ==
-
-"@esbuild/android-arm@0.27.7":
-  version "0.27.7"
-  resolved "https://registry.yarnpkg.com/@esbuild/android-arm/-/android-arm-0.27.7.tgz#593e10a1450bbfcac6cb321f61f468453bac209d"
-  integrity sha512-jbPXvB4Yj2yBV7HUfE2KHe4GJX51QplCN1pGbYjvsyCZbQmies29EoJbkEc+vYuU5o45AfQn37vZlyXy4YJ8RQ==
-
-"@esbuild/android-x64@0.27.7":
-  version "0.27.7"
-  resolved "https://registry.yarnpkg.com/@esbuild/android-x64/-/android-x64-0.27.7.tgz#453143d073326033d2d22caf9e48de4bae274b07"
-  integrity sha512-x5VpMODneVDb70PYV2VQOmIUUiBtY3D3mPBG8NxVk5CogneYhkR7MmM3yR/uMdITLrC1ml/NV1rj4bMJuy9MCg==
-
-"@esbuild/darwin-arm64@0.27.7":
-  version "0.27.7"
-  resolved "https://registry.yarnpkg.com/@esbuild/darwin-arm64/-/darwin-arm64-0.27.7.tgz#6f23000fb9b40b7e04b7d0606c0693bd0632f322"
-  integrity sha512-5lckdqeuBPlKUwvoCXIgI2D9/ABmPq3Rdp7IfL70393YgaASt7tbju3Ac+ePVi3KDH6N2RqePfHnXkaDtY9fkw==
-
-"@esbuild/darwin-x64@0.27.7":
-  version "0.27.7"
-  resolved "https://registry.yarnpkg.com/@esbuild/darwin-x64/-/darwin-x64-0.27.7.tgz#27393dd18bb1263c663979c5f1576e00c2d024be"
-  integrity sha512-rYnXrKcXuT7Z+WL5K980jVFdvVKhCHhUwid+dDYQpH+qu+TefcomiMAJpIiC2EM3Rjtq0sO3StMV/+3w3MyyqQ==
-
-"@esbuild/freebsd-arm64@0.27.7":
-  version "0.27.7"
-  resolved "https://registry.yarnpkg.com/@esbuild/freebsd-arm64/-/freebsd-arm64-0.27.7.tgz#22e4638fa502d1c0027077324c97640e3adf3a62"
-  integrity sha512-B48PqeCsEgOtzME2GbNM2roU29AMTuOIN91dsMO30t+Ydis3z/3Ngoj5hhnsOSSwNzS+6JppqWsuhTp6E82l2w==
-
-"@esbuild/freebsd-x64@0.27.7":
-  version "0.27.7"
-  resolved "https://registry.yarnpkg.com/@esbuild/freebsd-x64/-/freebsd-x64-0.27.7.tgz#9224b8e4fea924ce2194e3efc3e9aebf822192d6"
-  integrity sha512-jOBDK5XEjA4m5IJK3bpAQF9/Lelu/Z9ZcdhTRLf4cajlB+8VEhFFRjWgfy3M1O4rO2GQ/b2dLwCUGpiF/eATNQ==
-
-"@esbuild/linux-arm64@0.27.7":
-  version "0.27.7"
-  resolved "https://registry.yarnpkg.com/@esbuild/linux-arm64/-/linux-arm64-0.27.7.tgz#4f5d1c27527d817b35684ae21419e57c2bda0966"
-  integrity sha512-RZPHBoxXuNnPQO9rvjh5jdkRmVizktkT7TCDkDmQ0W2SwHInKCAV95GRuvdSvA7w4VMwfCjUiPwDi0ZO6Nfe9A==
-
-"@esbuild/linux-arm@0.27.7":
-  version "0.27.7"
-  resolved "https://registry.yarnpkg.com/@esbuild/linux-arm/-/linux-arm-0.27.7.tgz#b9e9d070c8c1c0449cf12b20eac37d70a4595921"
-  integrity sha512-RkT/YXYBTSULo3+af8Ib0ykH8u2MBh57o7q/DAs3lTJlyVQkgQvlrPTnjIzzRPQyavxtPtfg0EopvDyIt0j1rA==
-
-"@esbuild/linux-ia32@0.27.7":
-  version "0.27.7"
-  resolved "https://registry.yarnpkg.com/@esbuild/linux-ia32/-/linux-ia32-0.27.7.tgz#3f80fb696aa96051a94047f35c85b08b21c36f9e"
-  integrity sha512-GA48aKNkyQDbd3KtkplYWT102C5sn/EZTY4XROkxONgruHPU72l+gW+FfF8tf2cFjeHaRbWpOYa/uRBz/Xq1Pg==
-
-"@esbuild/linux-loong64@0.27.7":
-  version "0.27.7"
-  resolved "https://registry.yarnpkg.com/@esbuild/linux-loong64/-/linux-loong64-0.27.7.tgz#9be1f2c28210b13ebb4156221bba356fe1675205"
-  integrity sha512-a4POruNM2oWsD4WKvBSEKGIiWQF8fZOAsycHOt6JBpZ+JN2n2JH9WAv56SOyu9X5IqAjqSIPTaJkqN8F7XOQ5Q==
-
-"@esbuild/linux-mips64el@0.27.7":
-  version "0.27.7"
-  resolved "https://registry.yarnpkg.com/@esbuild/linux-mips64el/-/linux-mips64el-0.27.7.tgz#4ab5ee67a3dfcbcb5e8fd7883dae6e735b1163b8"
-  integrity sha512-KabT5I6StirGfIz0FMgl1I+R1H73Gp0ofL9A3nG3i/cYFJzKHhouBV5VWK1CSgKvVaG4q1RNpCTR2LuTVB3fIw==
-
-"@esbuild/linux-ppc64@0.27.7":
-  version "0.27.7"
-  resolved "https://registry.yarnpkg.com/@esbuild/linux-ppc64/-/linux-ppc64-0.27.7.tgz#dac78c689f6499459c4321e5c15032c12307e7ea"
-  integrity sha512-gRsL4x6wsGHGRqhtI+ifpN/vpOFTQtnbsupUF5R5YTAg+y/lKelYR1hXbnBdzDjGbMYjVJLJTd2OFmMewAgwlQ==
-
-"@esbuild/linux-riscv64@0.27.7":
-  version "0.27.7"
-  resolved "https://registry.yarnpkg.com/@esbuild/linux-riscv64/-/linux-riscv64-0.27.7.tgz#050f7d3b355c3a98308e935bc4d6325da91b0027"
-  integrity sha512-hL25LbxO1QOngGzu2U5xeXtxXcW+/GvMN3ejANqXkxZ/opySAZMrc+9LY/WyjAan41unrR3YrmtTsUpwT66InQ==
-
-"@esbuild/linux-s390x@0.27.7":
-  version "0.27.7"
-  resolved "https://registry.yarnpkg.com/@esbuild/linux-s390x/-/linux-s390x-0.27.7.tgz#d61f715ce61d43fe5844ad0d8f463f88cbe4fef6"
-  integrity sha512-2k8go8Ycu1Kb46vEelhu1vqEP+UeRVj2zY1pSuPdgvbd5ykAw82Lrro28vXUrRmzEsUV0NzCf54yARIK8r0fdw==
-
-"@esbuild/linux-x64@0.27.7":
-  version "0.27.7"
-  resolved "https://registry.yarnpkg.com/@esbuild/linux-x64/-/linux-x64-0.27.7.tgz#ca8e1aa478fc8209257bf3ac8f79c4dc2982f32a"
-  integrity sha512-hzznmADPt+OmsYzw1EE33ccA+HPdIqiCRq7cQeL1Jlq2gb1+OyWBkMCrYGBJ+sxVzve2ZJEVeePbLM2iEIZSxA==
-
-"@esbuild/netbsd-arm64@0.27.7":
-  version "0.27.7"
-  resolved "https://registry.yarnpkg.com/@esbuild/netbsd-arm64/-/netbsd-arm64-0.27.7.tgz#1650f2c1b948deeb3ef948f2fc30614723c09690"
-  integrity sha512-b6pqtrQdigZBwZxAn1UpazEisvwaIDvdbMbmrly7cDTMFnw/+3lVxxCTGOrkPVnsYIosJJXAsILG9XcQS+Yu6w==
-
-"@esbuild/netbsd-x64@0.27.7":
-  version "0.27.7"
-  resolved "https://registry.yarnpkg.com/@esbuild/netbsd-x64/-/netbsd-x64-0.27.7.tgz#65772ab342c4b3319bf0705a211050aac1b6e320"
-  integrity sha512-OfatkLojr6U+WN5EDYuoQhtM+1xco+/6FSzJJnuWiUw5eVcicbyK3dq5EeV/QHT1uy6GoDhGbFpprUiHUYggrw==
-
-"@esbuild/openbsd-arm64@0.27.7":
-  version "0.27.7"
-  resolved "https://registry.yarnpkg.com/@esbuild/openbsd-arm64/-/openbsd-arm64-0.27.7.tgz#37ed7cfa66549d7955852fce37d0c3de4e715ea1"
-  integrity sha512-AFuojMQTxAz75Fo8idVcqoQWEHIXFRbOc1TrVcFSgCZtQfSdc1RXgB3tjOn/krRHENUB4j00bfGjyl2mJrU37A==
-
-"@esbuild/openbsd-x64@0.27.7":
-  version "0.27.7"
-  resolved "https://registry.yarnpkg.com/@esbuild/openbsd-x64/-/openbsd-x64-0.27.7.tgz#01bf3d385855ef50cb33db7c4b52f957c34cd179"
-  integrity sha512-+A1NJmfM8WNDv5CLVQYJ5PshuRm/4cI6WMZRg1by1GwPIQPCTs1GLEUHwiiQGT5zDdyLiRM/l1G0Pv54gvtKIg==
-
-"@esbuild/openharmony-arm64@0.27.7":
-  version "0.27.7"
-  resolved "https://registry.yarnpkg.com/@esbuild/openharmony-arm64/-/openharmony-arm64-0.27.7.tgz#6c1f94b34086599aabda4eac8f638294b9877410"
-  integrity sha512-+KrvYb/C8zA9CU/g0sR6w2RBw7IGc5J2BPnc3dYc5VJxHCSF1yNMxTV5LQ7GuKteQXZtspjFbiuW5/dOj7H4Yw==
-
-"@esbuild/sunos-x64@0.27.7":
-  version "0.27.7"
-  resolved "https://registry.yarnpkg.com/@esbuild/sunos-x64/-/sunos-x64-0.27.7.tgz#4b0dd17ae0a6941d2d0fd35a906392517071a90d"
-  integrity sha512-ikktIhFBzQNt/QDyOL580ti9+5mL/YZeUPKU2ivGtGjdTYoqz6jObj6nOMfhASpS4GU4Q/Clh1QtxWAvcYKamA==
-
-"@esbuild/win32-arm64@0.27.7":
-  version "0.27.7"
-  resolved "https://registry.yarnpkg.com/@esbuild/win32-arm64/-/win32-arm64-0.27.7.tgz#34193ab5565d6ff68ca928ac04be75102ccb2e77"
-  integrity sha512-7yRhbHvPqSpRUV7Q20VuDwbjW5kIMwTHpptuUzV+AA46kiPze5Z7qgt6CLCK3pWFrHeNfDd1VKgyP4O+ng17CA==
-
-"@esbuild/win32-ia32@0.27.7":
-  version "0.27.7"
-  resolved "https://registry.yarnpkg.com/@esbuild/win32-ia32/-/win32-ia32-0.27.7.tgz#eb67f0e4482515d8c1894ede631c327a4da9fc4d"
-  integrity sha512-SmwKXe6VHIyZYbBLJrhOoCJRB/Z1tckzmgTLfFYOfpMAx63BJEaL9ExI8x7v0oAO3Zh6D/Oi1gVxEYr5oUCFhw==
-
-"@esbuild/win32-x64@0.27.7":
-  version "0.27.7"
-  resolved "https://registry.yarnpkg.com/@esbuild/win32-x64/-/win32-x64-0.27.7.tgz#8fe30b3088b89b4873c3a6cc87597ae3920c0a8b"
-  integrity sha512-56hiAJPhwQ1R4i+21FVF7V8kSD5zZTdHcVuRFMW0hn753vVfQN8xlx4uOPT4xoGH0Z/oVATuR82AiqSTDIpaHg==
+"@esbuild/aix-ppc64@0.28.1":
+  version "0.28.1"
+  resolved "https://registry.yarnpkg.com/@esbuild/aix-ppc64/-/aix-ppc64-0.28.1.tgz#7a01a8d2ec2fbb2dac78adad09b0fa781e4082be"
+  integrity sha512-Svl7tq8k/08+p6CXPpRjQ1fKX+1odH/BQbb48fV6fj3CWHhsoIOoY87w1oHXm0qEpkIK3ZfVgp0hed3XBXzXMQ==
+
+"@esbuild/android-arm64@0.28.1":
+  version "0.28.1"
+  resolved "https://registry.yarnpkg.com/@esbuild/android-arm64/-/android-arm64-0.28.1.tgz#b540a27d14e4afd058496a4dbec4d3f414db110a"
+  integrity sha512-34EGEbCIAgosYz6goLcopX6Mo7NyGv9tfwEM2/7Ce2VcVRk568iSvniGWcUXIy7wEDR1wzolcxcriFVrWYcwBg==
+
+"@esbuild/android-arm@0.28.1":
+  version "0.28.1"
+  resolved "https://registry.yarnpkg.com/@esbuild/android-arm/-/android-arm-0.28.1.tgz#704bd297de6d762de54eabbeafbf55f6756abe2f"
+  integrity sha512-0k2F129Xdio1TdJfzJ8sy1Q47vUD2NnwdhiAf7drUN1EBTfPf4hsFCtmMgu/6m8JSzsBrlmVjudMBQqOfG8usQ==
+
+"@esbuild/android-x64@0.28.1":
+  version "0.28.1"
+  resolved "https://registry.yarnpkg.com/@esbuild/android-x64/-/android-x64-0.28.1.tgz#d1cb166d34b0fbf0fe8ab460a5594f24a378701e"
+  integrity sha512-dbwY7ltSMDWsRatcRpCnES4F+im88OCUgGZjy52shC7GqHRE/cYlxNbB4Z4UpJswpcc4Qxd2oE/ufM0p61IKng==
+
+"@esbuild/darwin-arm64@0.28.1":
+  version "0.28.1"
+  resolved "https://registry.yarnpkg.com/@esbuild/darwin-arm64/-/darwin-arm64-0.28.1.tgz#1034b26457fc886368fe61bbd09f653f6afa8e54"
+  integrity sha512-TZbWkQY7kvTAXbXUT7uVACR5cMHsDiSz9z7ZKAX/RTq/WJEk3QyRr0wZpNhBDX+/0CtdqUIJlOiodQcta6tY3Q==
+
+"@esbuild/darwin-x64@0.28.1":
+  version "0.28.1"
+  resolved "https://registry.yarnpkg.com/@esbuild/darwin-x64/-/darwin-x64-0.28.1.tgz#65556a432a1e4d72032d8218c1932fcca1a49772"
+  integrity sha512-zfdzgK9ACBNZLI/CyHTOx81SyNbM6YXn7rxSgX97VjyiPl9W1i4Ka4fgKECEoFCKGpvBj5qArWIGgQjOwkgskQ==
+
+"@esbuild/freebsd-arm64@0.28.1":
+  version "0.28.1"
+  resolved "https://registry.yarnpkg.com/@esbuild/freebsd-arm64/-/freebsd-arm64-0.28.1.tgz#2e61e0592f9030d7e3dae18ee25ebc535918aef6"
+  integrity sha512-wG2EA8ENdEI0qhkSZMjfqrdY+ziCYCPMmtZjjIwOmXFjmyzEHn+UUxk5of+SYsjtfs3VpnlC7QLzSI5hY/rOAw==
+
+"@esbuild/freebsd-x64@0.28.1":
+  version "0.28.1"
+  resolved "https://registry.yarnpkg.com/@esbuild/freebsd-x64/-/freebsd-x64-0.28.1.tgz#c95ec289959ef8079c4dca817a1e2c4be66b9bd3"
+  integrity sha512-i7dZ9vQgnvSCzi/rYCXNgtF/U+eKZNJBzu3eTQbRgHnM7tNSizLOkRFAl3qzVc/Op/u5YkHHa4pf/3DOYHthLQ==
+
+"@esbuild/linux-arm64@0.28.1":
+  version "0.28.1"
+  resolved "https://registry.yarnpkg.com/@esbuild/linux-arm64/-/linux-arm64-0.28.1.tgz#40b22175dda06182f3ee8141186c5ff304c4a717"
+  integrity sha512-yHs+0uc8+nvEAfAfxrWQKK5peSNzBc4PegcMO0EJ2hT71uA7vB8Ihg2e77R2P7SG5uYjPbHlLLmve4LLLRCf0g==
+
+"@esbuild/linux-arm@0.28.1":
+  version "0.28.1"
+  resolved "https://registry.yarnpkg.com/@esbuild/linux-arm/-/linux-arm-0.28.1.tgz#c09a0f67917592ac0de892a9be4d3814debd2a6c"
+  integrity sha512-qVXBOHQS+d5Y722GwJzJUtOLlX7km3CraOaGormF1pDtPd2C/l1SHRPgjLunLGe51Sh5YYWKMFDyV4SxgMQYTQ==
+
+"@esbuild/linux-ia32@0.28.1":
+  version "0.28.1"
+  resolved "https://registry.yarnpkg.com/@esbuild/linux-ia32/-/linux-ia32-0.28.1.tgz#a580f9c676797833891e519fc7a1337c8afd8db3"
+  integrity sha512-d1z4ZuP0ajrfz/FhGT4vv278rX8KnPPJx8i5+AtK7TYbx9Le9F1hyzurZpkEyjkGa9dUGhQow4C1NmeGvqxN2w==
+
+"@esbuild/linux-loong64@0.28.1":
+  version "0.28.1"
+  resolved "https://registry.yarnpkg.com/@esbuild/linux-loong64/-/linux-loong64-0.28.1.tgz#46452cf321dc7f9e91c2fa780a56bb56e79cd68b"
+  integrity sha512-M5sRjUVZrkm1OAPR3dlOYzNmN+loZKGVi1VUQGrwuqLcbR6qeAz+famMhjASeH3YVKvZz+zT1jlh/keC3Rj/lg==
+
+"@esbuild/linux-mips64el@0.28.1":
+  version "0.28.1"
+  resolved "https://registry.yarnpkg.com/@esbuild/linux-mips64el/-/linux-mips64el-0.28.1.tgz#4211b3184dd6608f53dcb22e39f5d34ee08852c8"
+  integrity sha512-mRObBZeHh2OxcBFPWE/FjylkRgZdYuiTR3vaTozquCGOH14iP9oN4x4Ge81CoIDYQrXmIxpFumJBu5MtZpnQJQ==
+
+"@esbuild/linux-ppc64@0.28.1":
+  version "0.28.1"
+  resolved "https://registry.yarnpkg.com/@esbuild/linux-ppc64/-/linux-ppc64-0.28.1.tgz#697857c2a61cb9b0b6bb6652e40c1dc5e1ca8e5d"
+  integrity sha512-slScBsMAb3GFDcdrCgLwZtPYRoH2H/youv10QiZyRjmsP48fznoveWytSgCI/R0ZcUgpc0ZhIUEx6LHts8yrfQ==
+
+"@esbuild/linux-riscv64@0.28.1":
+  version "0.28.1"
+  resolved "https://registry.yarnpkg.com/@esbuild/linux-riscv64/-/linux-riscv64-0.28.1.tgz#d192943eb146a40ac4c6497d0cf7be35b986bf08"
+  integrity sha512-kw0owk1o0GFETUJyW0jc0G4Yzs0BHZn0JDZ8JRT088vjJYX777BAs1fDGxAC+q831qOs2DTC96mNsG2opdfyyQ==
+
+"@esbuild/linux-s390x@0.28.1":
+  version "0.28.1"
+  resolved "https://registry.yarnpkg.com/@esbuild/linux-s390x/-/linux-s390x-0.28.1.tgz#acea0356da0e0ebc08f97cf7b9c2e401e1e648dc"
+  integrity sha512-/lAIjX8aYFRByhh6L5rYtPEDRqa9de/4V/juOXcta5frjvzXO4/sqEtyytse0g3zZFuWu5cDN0MkLz2qRDD2Ag==
+
+"@esbuild/linux-x64@0.28.1":
+  version "0.28.1"
+  resolved "https://registry.yarnpkg.com/@esbuild/linux-x64/-/linux-x64-0.28.1.tgz#6f0c3ce0cb64c534b70c4c45ecb2c16d34e35dfd"
+  integrity sha512-u/anNYF2mmVOEDwLtnQ1wOr3EZ9sTNGLWrsYGYwHWzGA3Si84IOkHXlbWTD1NB+9/1lcnweYKO54uhxZydNzfA==
+
+"@esbuild/netbsd-arm64@0.28.1":
+  version "0.28.1"
+  resolved "https://registry.yarnpkg.com/@esbuild/netbsd-arm64/-/netbsd-arm64-0.28.1.tgz#8bcd77077a0dce3378b574fedb26d2a253b73d36"
+  integrity sha512-oks0DYbLwWMmaakTsCb+zL4E+aHRVLom9IJZOAthMQEPiQmydXHkziYEsGYRx0uNV/IjEKGAV941JzH02pflqw==
+
+"@esbuild/netbsd-x64@0.28.1":
+  version "0.28.1"
+  resolved "https://registry.yarnpkg.com/@esbuild/netbsd-x64/-/netbsd-x64-0.28.1.tgz#e7fb2a01e99c830c94e6623cd9fefb4c8fb58347"
+  integrity sha512-aeL6lAnN89Hz43Mlh1G8ARasbuoYvSITDEx0tHh5b7jJnHcssqgjy9Yx430GDpmCa6OyrKoS0aNRjKundRizGg==
+
+"@esbuild/openbsd-arm64@0.28.1":
+  version "0.28.1"
+  resolved "https://registry.yarnpkg.com/@esbuild/openbsd-arm64/-/openbsd-arm64-0.28.1.tgz#c52909372db8b86e2c55e05a8940033b5660a3b2"
+  integrity sha512-MEFJe5C3R8pwXdZ5Y21oo6m7ePiS0d9pWucn99O/wvyJZChoIQKrQDxKrGeW8F5+T0okTHesAmDeiHDTIq0V/Q==
+
+"@esbuild/openbsd-x64@0.28.1":
+  version "0.28.1"
+  resolved "https://registry.yarnpkg.com/@esbuild/openbsd-x64/-/openbsd-x64-0.28.1.tgz#c427b9be5a64c262ff9a7eb70b5fbbaadf446c6c"
+  integrity sha512-i/ZLIOafE0Z8cI/XANJAixoJL/uRAoS2xOA3rb0xN+KK0K177cMAsQYkzHtBrtMXAKuAc7HGgcWiZ/sRC1Nxgw==
+
+"@esbuild/openharmony-arm64@0.28.1":
+  version "0.28.1"
+  resolved "https://registry.yarnpkg.com/@esbuild/openharmony-arm64/-/openharmony-arm64-0.28.1.tgz#dc9b147baca2e6c4b3c85571741ef4860a489097"
+  integrity sha512-ge+Z7EXFNt2BO1oAMsVpiQ8EwndV9i1xXerAeTIK7AtPs3bKFXQM7nlRxDSIUIMeueR1CNXxqztLzdNeReKBJg==
+
+"@esbuild/sunos-x64@0.28.1":
+  version "0.28.1"
+  resolved "https://registry.yarnpkg.com/@esbuild/sunos-x64/-/sunos-x64-0.28.1.tgz#ce866d12df13c15e4c99f073a3d466f6e0649b3a"
+  integrity sha512-BEjgtECkL3vY+SaSQ6nzVfiALUeFxpawyp8Jmf5PtYhf1Ug40N1h/hxlhts+f1FvSvarEigdxS3BlSMI2PJLcQ==
+
+"@esbuild/win32-arm64@0.28.1":
+  version "0.28.1"
+  resolved "https://registry.yarnpkg.com/@esbuild/win32-arm64/-/win32-arm64-0.28.1.tgz#7468e3692d01d629d5941e5d83817bb80f9e39b4"
+  integrity sha512-lCv9eK/H6ZJWbE7bh2nw54CZ9M2nupBxJcTsdk/QQnWkdSjKGuxmmH8/GWrlT1eMmZfn4dGcCjRte397WqfQXA==
+
+"@esbuild/win32-ia32@0.28.1":
+  version "0.28.1"
+  resolved "https://registry.yarnpkg.com/@esbuild/win32-ia32/-/win32-ia32-0.28.1.tgz#a5bc0063fb2bcab6d0ed63f2a1537958bc269ec6"
+  integrity sha512-zvb/mB2bSCoJOpoCBgYKKpX6YM6mJBlBUVUtVj41DlZJVEB6/0CKlRYxP5wWl1C1ILiCoAU5wZZ4q1P3qeS6Eg==
+
+"@esbuild/win32-x64@0.28.1":
+  version "0.28.1"
+  resolved "https://registry.yarnpkg.com/@esbuild/win32-x64/-/win32-x64-0.28.1.tgz#10064ee44f4347b90c9a02b446bbf80a91632b12"
+  integrity sha512-bm4Mowrv+GXMlpWX++EcXw/iLyd1o3+bJkC2DkWXYVvgZCqD/bSj9ctZeAMC3cIxgjRVR2Dufaiu4YPxr5gW1A==
 
 "@eslint-community/eslint-utils@^4.8.0", "@eslint-community/eslint-utils@^4.9.1":
   version "4.9.1"
@@ -855,9 +855,9 @@
   integrity sha512-RiB/yIh78pcIxl6lLMG0CgBXAZ2Y0eVHqMPYugu+9U0AeT6YBeiJpf7lbdJNIugFP5SIjwNRgo4DhR1Qxi26Gg==
 
 "@grpc/grpc-js@~1.9.0":
-  version "1.9.15"
-  resolved "https://registry.yarnpkg.com/@grpc/grpc-js/-/grpc-js-1.9.15.tgz#433d7ac19b1754af690ea650ab72190bd700739b"
-  integrity sha512-nqE7Hc0AzI+euzUwDAy0aY5hCp10r734gMGRdU+qOPX0XSceI2ULrcXB5U2xSc5VkWwalCj4M7GzCAygZl2KoQ==
+  version "1.9.16"
+  resolved "https://registry.yarnpkg.com/@grpc/grpc-js/-/grpc-js-1.9.16.tgz#614f85036ac8e3c957374c1bd1ebb05934a79a1c"
+  integrity "sha1-YU+FA2rI48lXN0wb0euwWTSnmhw= sha512-wE4Ut/olIzfKqp631XrG+wbF0v1vWFN4YL9FyXC2LJiG33DsV7PLzURjrCvY/6je2ntdRkeLpPDluzSRGaVltQ=="
   dependencies:
     "@grpc/proto-loader" "^0.7.8"
     "@types/node" ">=12.12.47"
@@ -2002,37 +2002,37 @@ es-to-primitive@^1.3.0:
     is-date-object "^1.0.5"
     is-symbol "^1.0.4"
 
-esbuild@^0.27.0:
-  version "0.27.7"
-  resolved "https://registry.yarnpkg.com/esbuild/-/esbuild-0.27.7.tgz#bcadce22b2f3fd76f257e3a64f83a64986fea11f"
-  integrity sha512-IxpibTjyVnmrIQo5aqNpCgoACA/dTKLTlhMHihVHhdkxKyPO1uBBthumT0rdHmcsk9uMonIWS0m4FljWzILh3w==
+esbuild@^0.27.0, esbuild@^0.28.1:
+  version "0.28.1"
+  resolved "https://registry.yarnpkg.com/esbuild/-/esbuild-0.28.1.tgz#ef45b4634c9c9d97a296aea4114a5f9840f95578"
+  integrity sha512-HrJrvZv5ayxBzPfwphOoNzkzOIIlifzk0KJrGK2c8R4+LKpMtpYLQeUdjnwjWv/LZlkH2laZk+4w78pi99D4Vw==
   optionalDependencies:
-    "@esbuild/aix-ppc64" "0.27.7"
-    "@esbuild/android-arm" "0.27.7"
-    "@esbuild/android-arm64" "0.27.7"
-    "@esbuild/android-x64" "0.27.7"
-    "@esbuild/darwin-arm64" "0.27.7"
-    "@esbuild/darwin-x64" "0.27.7"
-    "@esbuild/freebsd-arm64" "0.27.7"
-    "@esbuild/freebsd-x64" "0.27.7"
-    "@esbuild/linux-arm" "0.27.7"
-    "@esbuild/linux-arm64" "0.27.7"
-    "@esbuild/linux-ia32" "0.27.7"
-    "@esbuild/linux-loong64" "0.27.7"
-    "@esbuild/linux-mips64el" "0.27.7"
-    "@esbuild/linux-ppc64" "0.27.7"
-    "@esbuild/linux-riscv64" "0.27.7"
-    "@esbuild/linux-s390x" "0.27.7"
-    "@esbuild/linux-x64" "0.27.7"
-    "@esbuild/netbsd-arm64" "0.27.7"
-    "@esbuild/netbsd-x64" "0.27.7"
-    "@esbuild/openbsd-arm64" "0.27.7"
-    "@esbuild/openbsd-x64" "0.27.7"
-    "@esbuild/openharmony-arm64" "0.27.7"
-    "@esbuild/sunos-x64" "0.27.7"
-    "@esbuild/win32-arm64" "0.27.7"
-    "@esbuild/win32-ia32" "0.27.7"
-    "@esbuild/win32-x64" "0.27.7"
+    "@esbuild/aix-ppc64" "0.28.1"
+    "@esbuild/android-arm" "0.28.1"
+    "@esbuild/android-arm64" "0.28.1"
+    "@esbuild/android-x64" "0.28.1"
+    "@esbuild/darwin-arm64" "0.28.1"
+    "@esbuild/darwin-x64" "0.28.1"
+    "@esbuild/freebsd-arm64" "0.28.1"
+    "@esbuild/freebsd-x64" "0.28.1"
+    "@esbuild/linux-arm" "0.28.1"
+    "@esbuild/linux-arm64" "0.28.1"
+    "@esbuild/linux-ia32" "0.28.1"
+    "@esbuild/linux-loong64" "0.28.1"
+    "@esbuild/linux-mips64el" "0.28.1"
+    "@esbuild/linux-ppc64" "0.28.1"
+    "@esbuild/linux-riscv64" "0.28.1"
+    "@esbuild/linux-s390x" "0.28.1"
+    "@esbuild/linux-x64" "0.28.1"
+    "@esbuild/netbsd-arm64" "0.28.1"
+    "@esbuild/netbsd-x64" "0.28.1"
+    "@esbuild/openbsd-arm64" "0.28.1"
+    "@esbuild/openbsd-x64" "0.28.1"
+    "@esbuild/openharmony-arm64" "0.28.1"
+    "@esbuild/sunos-x64" "0.28.1"
+    "@esbuild/win32-arm64" "0.28.1"
+    "@esbuild/win32-ia32" "0.28.1"
+    "@esbuild/win32-x64" "0.28.1"
 
 escalade@^3.1.1, escalade@^3.2.0:
   version "3.2.0"
@@ -3267,17 +3267,17 @@ react-refresh@^0.18.0:
   resolved "https://registry.yarnpkg.com/react-refresh/-/react-refresh-0.18.0.tgz#2dce97f4fe932a4d8142fa1630e475c1729c8062"
   integrity sha512-QgT5//D3jfjJb6Gsjxv0Slpj23ip+HtOpnNgnb2S5zU3CB26G/IDPGoy4RJB42wzFE46DRsstbW6tKHoKbhAxw==
 
-react-router-dom@^7.9.5:
-  version "7.14.2"
-  resolved "https://registry.yarnpkg.com/react-router-dom/-/react-router-dom-7.14.2.tgz#0b043c1534fe58596771b82a318a7e4c2e5f1279"
-  integrity sha512-YZcM5ES8jJSM+KrJ9BdvHHqlnGTg5tH3sC5ChFRj4inosKctdyzBDhOyyHdGk597q2OT6NTrCA1OvB/YDwfekQ==
+react-router-dom@^7.15.0:
+  version "7.17.0"
+  resolved "https://registry.yarnpkg.com/react-router-dom/-/react-router-dom-7.17.0.tgz#e77527b4b7862f7b47ff26dd5b9315fb897b82a7"
+  integrity "sha1-53UntLeGL3tH/ybdW5MV+4l7gqc= sha512-fyU2yjGups/hE6Xz0I5ZYbVL8Gx29eCjgpHaRaTaVU+OOAdfRX05KsvyRm0GO8YQwOkhpU3MurW1jyMUJn+zSw=="
   dependencies:
-    react-router "7.14.2"
+    react-router "7.17.0"
 
-react-router@7.14.2, react-router@^7.9.5:
-  version "7.14.2"
-  resolved "https://registry.yarnpkg.com/react-router/-/react-router-7.14.2.tgz#d86e5b01049365b2c982363ebd2baa4928824603"
-  integrity sha512-yCqNne6I8IB6rVCH7XUvlBK7/QKyqypBFGv+8dj4QBFJiiRX+FG7/nkdAvGElyvVZ/HQP5N19wzteuTARXi5Gw==
+react-router@7.17.0, react-router@^7.15.0:
+  version "7.17.0"
+  resolved "https://registry.yarnpkg.com/react-router/-/react-router-7.17.0.tgz#88bbe817c6e37ab36faf140623b5d4678bf81e41"
+  integrity sha512-FDELK7rTMlCHO5+reyXsPlmfr7N1F91lPHsWYfMEGQm/KQ+F4JFM8jGoeQDmDvdTs93Fw9aSilH+uKRb4/jXvQ==
   dependencies:
     cookie "^1.0.1"
     set-cookie-parser "^2.6.0"
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..f9d17d8
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,122 @@
+services:
+  frontend:
+    build:
+      context: ./apps/frontend
+      dockerfile: Dockerfile
+    ports:
+      - "8080:80"
+    networks:
+      - galactic-network
+    depends_on:
+      - auth-service
+      - blog-service
+      - agent-service
+
+  auth-service:
+    build:
+      context: ./apps/core-backend
+      dockerfile: Dockerfile
+    env_file:
+      - ./apps/core-backend/.env
+    ports:
+      - "8000:8000"
+    environment:
+      ENVIRONMENT: prod
+      ALLOWED_ORIGINS: http://localhost:8080,http://127.0.0.1:8080
+      POSTGRESQL_HOST: postgres
+      GOOGLE_APPLICATION_CREDENTIALS: /run/secrets/firebase-service-account.json
+    volumes:
+      - ./secrets/firebase-service-account.json:/run/secrets/firebase-service-account.json:ro
+    networks:
+      - galactic-network
+    depends_on:
+      postgres:
+        condition: service_healthy
+
+  blog-service:
+    build:
+      context: ./apps/blogpost-backend
+      dockerfile: Dockerfile
+    env_file:
+      - ./apps/blogpost-backend/.env
+    ports:
+      - "8001:8001"
+    environment:
+      ENVIRONMENT: prod
+      ALLOWED_ORIGINS: http://localhost:8080,http://127.0.0.1:8080
+      DYNAMODB_ENDPOINT: http://localstack:4566
+      S3_ENDPOINT: http://localstack:4566
+      S3_PUBLIC_ENDPOINT: http://localhost:4566
+      CORE_BACKEND_URL: http://auth-service:8000
+    networks:
+      - galactic-network
+    depends_on:
+      localstack:
+        condition: service_healthy
+      auth-service:
+        condition: service_started
+
+  agent-service:
+    build:
+      context: ./apps/agent-backend
+      dockerfile: Dockerfile
+    env_file:
+      - ./apps/agent-backend/.env
+    ports:
+      - "8002:8002"
+    environment:
+      ENVIRONMENT: prod
+      ALLOWED_ORIGINS: http://localhost:8080,http://127.0.0.1:8080
+      PORT: "8002"
+      CORE_BACKEND_URL: http://auth-service:8000
+    networks:
+      - galactic-network
+    depends_on:
+      auth-service:
+        condition: service_started
+
+  postgres:
+    image: postgres:15-alpine
+    ports:
+      - "5432:5432"
+    environment:
+      POSTGRES_USER: galactic
+      POSTGRES_PASSWORD: galactic
+      POSTGRES_DB: galacticview
+    volumes:
+      - postgres-data:/var/lib/postgresql/data
+    networks:
+      - galactic-network
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U galactic -d galacticview"]
+      interval: 5s
+      timeout: 5s
+      retries: 10
+      start_period: 10s
+
+  localstack:
+    image: localstack/localstack:3.8.0
+    ports:
+      - "4566:4566"
+    environment:
+      SERVICES: s3,dynamodb
+      DEBUG: "0"
+      AWS_DEFAULT_REGION: eu-central-1
+    volumes:
+      - localstack-data:/var/lib/localstack
+    networks:
+      - galactic-network
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:4566/_localstack/health"]
+      interval: 5s
+      timeout: 5s
+      retries: 10
+      start_period: 15s
+
+networks:
+  galactic-network:
+    driver: bridge
+
+volumes:
+  postgres-data:
+  localstack-data:
diff --git a/k8s/.gitignore b/k8s/.gitignore
new file mode 100644
index 0000000..c03ca4c
--- /dev/null
+++ b/k8s/.gitignore
@@ -0,0 +1,2 @@
+doc.md
+secrets.yaml
\ No newline at end of file
diff --git a/k8s/agent-service.yaml b/k8s/agent-service.yaml
new file mode 100644
index 0000000..4a5a12f
--- /dev/null
+++ b/k8s/agent-service.yaml
@@ -0,0 +1,52 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: agent-service
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: agent-service
+  template:
+    metadata:
+      labels:
+        app: agent-service
+    spec:
+      imagePullSecrets:
+        - name: registry-credentials
+      containers:
+        - name: agent-service
+          image: leventedaroczi/galactic-private:agent-latest
+          imagePullPolicy: Always
+          ports:
+            - containerPort: 8002
+          env:
+            - name: ENVIRONMENT
+              value: "prod"
+            - name: LOGGING_LEVEL
+              value: "INFO"
+            - name: CORE_BACKEND_URL
+              value: "http://auth-service"
+            - name: GROQ_API_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: galactic-secrets
+                  key: GROQ_API_KEY
+            - name: TAVILY_API_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: galactic-secrets
+                  key: TAVILY_API_KEY
+                  optional: true
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: agent-service
+spec:
+  selector:
+    app: agent-service
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 8002
diff --git a/k8s/auth-service.yaml b/k8s/auth-service.yaml
new file mode 100644
index 0000000..af98ef0
--- /dev/null
+++ b/k8s/auth-service.yaml
@@ -0,0 +1,61 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: auth-service
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: auth-service
+  template:
+    metadata:
+      labels:
+        app: auth-service
+    spec:
+      imagePullSecrets:
+        - name: registry-credentials
+      containers:
+        - name: auth-service
+          image: leventedaroczi/galactic-private:auth-latest
+          imagePullPolicy: Always
+          ports:
+            - containerPort: 8000
+          env:
+            - name: POSTGRESQL_HOST
+              value: "galactic-prod-postgres.ctu6e660itca.eu-central-1.rds.amazonaws.com"
+            - name: POSTGRESQL_PORT
+              value: "5432"
+            - name: POSTGRESQL_DB
+              value: "galacticview"
+            - name: POSTGRESQL_USER
+              value: "galactic_admin"
+            - name: POSTGRESQL_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: galactic-secrets
+                  key: POSTGRESQL_PASSWORD
+            - name: ENVIRONMENT
+              value: "prod"
+            - name: GOOGLE_APPLICATION_CREDENTIALS
+              value: /run/secrets/firebase/firebase-service-account.json
+          volumeMounts:
+            - name: firebase-credentials
+              mountPath: /run/secrets/firebase
+              readOnly: true
+      volumes:
+        - name: firebase-credentials
+          secret:
+            secretName: firebase-credentials
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: auth-service
+spec:
+  selector:
+    app: auth-service
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 8000
\ No newline at end of file
diff --git a/k8s/blog-service.yaml b/k8s/blog-service.yaml
new file mode 100644
index 0000000..e6c229a
--- /dev/null
+++ b/k8s/blog-service.yaml
@@ -0,0 +1,54 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: blog-service
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: blog-service
+  template:
+    metadata:
+      labels:
+        app: blog-service
+    spec:
+      imagePullSecrets:
+        - name: registry-credentials
+      containers:
+        - name: blog-service
+          image: leventedaroczi/galactic-private:blog-latest
+          imagePullPolicy: Always
+          ports:
+            - containerPort: 8001
+          env:
+            - name: AWS_REGION
+              value: "eu-central-1"
+            - name: S3_BUCKET_NAME
+              value: "galactic-blog-images-a54ebf00"
+            - name: DYNAMODB_TABLE_NAME
+              value: "GalacticBlogPosts"
+            - name: CORE_BACKEND_URL
+              value: "http://auth-service"
+            
+            - name: AWS_ACCESS_KEY_ID
+              valueFrom:
+                secretKeyRef:
+                  name: galactic-secrets
+                  key: AWS_ACCESS_KEY_ID
+            - name: AWS_SECRET_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: galactic-secrets
+                  key: AWS_SECRET_ACCESS_KEY
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: blog-service
+spec:
+  selector:
+    app: blog-service
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 8001
\ No newline at end of file
diff --git a/k8s/frontend.yaml b/k8s/frontend.yaml
new file mode 100644
index 0000000..7496834
--- /dev/null
+++ b/k8s/frontend.yaml
@@ -0,0 +1,34 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: frontend
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: frontend
+  template:
+    metadata:
+      labels:
+        app: frontend
+    spec:
+      imagePullSecrets:
+        - name: registry-credentials
+      containers:
+        - name: frontend
+          image: leventedaroczi/galactic-private:frontend-latest
+          imagePullPolicy: Always
+          ports:
+            - containerPort: 80
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: frontend
+spec:
+  selector:
+    app: frontend
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 80
diff --git a/k8s/ingress.yaml b/k8s/ingress.yaml
new file mode 100644
index 0000000..cfa5449
--- /dev/null
+++ b/k8s/ingress.yaml
@@ -0,0 +1,40 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: galactic-ingress
+spec:
+  ingressClassName: traefik
+  rules:
+    - http:
+        paths:
+          - path: /auth
+            pathType: Prefix
+            backend:
+              service:
+                name: auth-service
+                port:
+                  number: 80
+
+          - path: /blogs
+            pathType: Prefix
+            backend:
+              service:
+                name: blog-service
+                port:
+                  number: 80
+
+          - path: /agent
+            pathType: Prefix
+            backend:
+              service:
+                name: agent-service
+                port:
+                  number: 80
+
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: frontend
+                port:
+                  number: 80
diff --git a/k8s/secrets.example.yaml b/k8s/secrets.example.yaml
new file mode 100644
index 0000000..efe5a58
--- /dev/null
+++ b/k8s/secrets.example.yaml
@@ -0,0 +1,16 @@
+# Create the Firebase Admin secret separately (do NOT commit the JSON file):
+#
+#   kubectl create secret generic firebase-credentials \
+#     --from-file=firebase-service-account.json=./secrets/firebase-service-account.json
+#
+apiVersion: v1
+kind: Secret
+metadata:
+  name: galactic-secrets
+type: Opaque
+stringData:
+  POSTGRESQL_PASSWORD: "<set me>"
+  AWS_ACCESS_KEY_ID: "<set me>"
+  AWS_SECRET_ACCESS_KEY: "<set me>"
+  GROQ_API_KEY: "<set me>"
+  TAVILY_API_KEY: "<optional — leave empty to disable web search>"
diff --git a/terraform/.gitignore b/terraform/.gitignore
new file mode 100644
index 0000000..d9a21d7
--- /dev/null
+++ b/terraform/.gitignore
@@ -0,0 +1,35 @@
+# Local .terraform directories
+**/.terraform/*
+
+# Terraform state files (may contain secrets)
+*.tfstate
+*.tfstate.*
+*.tfstate.backup
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Variable files with real secrets (keep the example file in git)
+*.tfvars
+*.tfvars.json
+!*.tfvars.example
+
+# Override files for local-only changes
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# CLI configuration / plan output
+.terraformrc
+terraform.rc
+tfplan
+*.tfplan
+
+doc.md
+
+
+*.pem
+
+k3s-remote.yaml
\ No newline at end of file
diff --git a/terraform/.terraform.lock.hcl b/terraform/.terraform.lock.hcl
new file mode 100644
index 0000000..d288b11
--- /dev/null
+++ b/terraform/.terraform.lock.hcl
@@ -0,0 +1,86 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/aws" {
+  version     = "5.100.0"
+  constraints = "~> 5.0"
+  hashes = [
+    "h1:Ijt7pOlB7Tr7maGQIqtsLFbl7pSMIj06TVdkoSBcYOw=",
+    "zh:054b8dd49f0549c9a7cc27d159e45327b7b65cf404da5e5a20da154b90b8a644",
+    "zh:0b97bf8d5e03d15d83cc40b0530a1f84b459354939ba6f135a0086c20ebbe6b2",
+    "zh:1589a2266af699cbd5d80737a0fe02e54ec9cf2ca54e7e00ac51c7359056f274",
+    "zh:6330766f1d85f01ae6ea90d1b214b8b74cc8c1badc4696b165b36ddd4cc15f7b",
+    "zh:7c8c2e30d8e55291b86fcb64bdf6c25489d538688545eb48fd74ad622e5d3862",
+    "zh:99b1003bd9bd32ee323544da897148f46a527f622dc3971af63ea3e251596342",
+    "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
+    "zh:9f8b909d3ec50ade83c8062290378b1ec553edef6a447c56dadc01a99f4eaa93",
+    "zh:aaef921ff9aabaf8b1869a86d692ebd24fbd4e12c21205034bb679b9caf883a2",
+    "zh:ac882313207aba00dd5a76dbd572a0ddc818bb9cbf5c9d61b28fe30efaec951e",
+    "zh:bb64e8aff37becab373a1a0cc1080990785304141af42ed6aa3dd4913b000421",
+    "zh:dfe495f6621df5540d9c92ad40b8067376350b005c637ea6efac5dc15028add4",
+    "zh:f0ddf0eaf052766cfe09dea8200a946519f653c384ab4336e2a4a64fdd6310e9",
+    "zh:f1b7e684f4c7ae1eed272b6de7d2049bb87a0275cb04dbb7cda6636f600699c9",
+    "zh:ff461571e3f233699bf690db319dfe46aec75e58726636a0d97dd9ac6e32fb70",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/local" {
+  version = "2.9.0"
+  hashes = [
+    "h1:m24fjcInWvTVZ1XSo2MaNuKPe+X/gfG8SIi09rA7a7M=",
+    "zh:0baa4566cf77f1ff52f4293d1c8536202dd23edc197c3196413a28343c3ac3a0",
+    "zh:16b5559c3c07088ddad11a9bb9e9c0799999363c2958e9a5be2bcbbf2cd9ca64",
+    "zh:197c79015a10d1cce904a8ea722cbc750c42aeae2da53f44a6a0751d9fd1aa90",
+    "zh:29d0b03e5343a80677ebfeb2e2c31cbe4b1f65e736e53417454a4277fec2544c",
+    "zh:4896bfa6cf1d2fd562b47ef2e87f47862ae92a04f8ad5d764380f0c6653473b8",
+    "zh:531f8529cbca49f681883e57761a05a8398afaef6d1ab0d205d26bf12f4428e8",
+    "zh:6aaf5011d83161c86d2bfb80c0923ec934e578288758da2f37acb7aec129004b",
+    "zh:7430275253d3d3c40aa6179e0ec0d63212874dbbc06c5a51b9d07ec590f9756c",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:be17dc611e95e26cdf6cad79dfccf1064f0e32032a2efeb939a9bbe7fb1cbfe9",
+    "zh:f0e3b0aa644202e1d79d2000dca91f6019425da71e9800fa23f27e51c034f195",
+    "zh:f62bae4519e4ead49182ddc8afe8cf61e2a4c3ba3973b0fbba967736a2696aa3",
+    "zh:fcafa360a5b0b96244f26f4e3a6d642b716a376557142c2442ff2fb12d11da18",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/random" {
+  version     = "3.9.0"
+  constraints = "~> 3.5"
+  hashes = [
+    "h1:OO+IuvQJSPmWdN8AyyIEvPJbLvDQpgX/zbktoa9KsJE=",
+    "zh:161ad0bd9a75768c82f53fb6e7172a9d8be2d4889b012645a34795031aaf1bf1",
+    "zh:19dc9a5b17729725ccfc4f45b0500af0ee5bc6b6b160c7adb8f2bf617d2c80ea",
+    "zh:269eda8fe42daa7974d5a34d166c3ba9defe80cde86c01e4dadcfdf2e1f05e5f",
+    "zh:373f7c65566f8f2cc7f45d698654feb9d988996957e1266a69ca00c52d6d16d0",
+    "zh:5599d16804c41c83009ec621b6d6b6f74e102f5827678a4750f8809055546b61",
+    "zh:583be0440469a22bff70dcfa56593b01566860b29607437264adb51060cf46fc",
+    "zh:5f211d8ec3f2e1f414870d9584bfe26e6995560ef81c748f8447a48164767398",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:7b547fd16216761ef86efc3ed516ac5ac0c5c42b7c7eb24a08cef2d93f69ed5e",
+    "zh:7e7c0679daf2a382151d05068c8c3f0dae6b7b7dccf818827b73dd08638df2ef",
+    "zh:8089dec888a8038b9b4fb23b3df7e1057293dbc5b60b42cc47ff690d69d4b61b",
+    "zh:c51f15a031edfd6f23ce8ced3446ca7f8d8d647e2499890d7d5d10d5016d7257",
+    "zh:c94784f005708890dc6895afd53636ec00ec1e430b15d41e5aebfb1d4b39bd04",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/tls" {
+  version = "4.3.0"
+  hashes = [
+    "h1:5bCU/c+2HUh7GhclzNSH6gAuoCS4inW3obEtRAwu6WQ=",
+    "zh:0ab58d6f8991d436c7d2dbd89ed814709b949b07ac5a54ee53b0aec1fa772a8b",
+    "zh:60b347abcb56f45d97c56f14d895069cd15a83993f199777f571b79fea3642ee",
+    "zh:6889be32640349230de3f23856e6f04e0e9ced4a84a27d3f552fa54684448218",
+    "zh:73f8e1ecf7135033165fb14b7e8bf4d656f3ce13065ec35762ea0481975328c7",
+    "zh:94ce25ee253eca0b42cae9c856b36bca8103b6453012d1b279c3623c805f2d42",
+    "zh:96bc6de9fd67bc446fd11257872e1ffb1029a996ed1d65a3f6b43f6d408ad9ab",
+    "zh:97c609a310a51bfd504d704e036d72064a84bf0bdb36cc08cd4cc66098212b41",
+    "zh:a12c16e94533c5bd123f75032576b9dc91dd5d5ccd5f7cf331d0f2e1adc55cf8",
+    "zh:c4f014f876adf7af57188795050bda5b0029d8c7d7773031102b6c36dcf1fc21",
+    "zh:d9b0a21583aaa3df3a95394fb949a3c515ff71c2ff5a1fc4a73d364aa90bfca5",
+    "zh:da510d22f0c6d71ad19a76406f106b782448f512375787ecfabb338ed1e311a7",
+    "zh:f0e9447a9ce3a24cdaa113089e65663c836d8b9bfdb915a1c0284e0112cab5c0",
+    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+  ]
+}
diff --git a/terraform/compute.tf b/terraform/compute.tf
new file mode 100644
index 0000000..b3b0ed3
--- /dev/null
+++ b/terraform/compute.tf
@@ -0,0 +1,94 @@
+resource "tls_private_key" "pk" {
+  algorithm = "RSA"
+  rsa_bits  = 4048
+}
+
+resource "aws_key_pair" "kp" {
+  key_name   = "galactic-prod-key"
+  public_key = tls_private_key.pk.public_key_openssh
+}
+
+
+resource "local_file" "ssh_key" {
+  filename        = "${path.module}/galactic-key.pem"
+  content         = tls_private_key.pk.private_key_pem
+  file_permission = "0400"
+}
+
+data "aws_ami" "ubuntu_22_04" {
+  most_recent = true
+  owners      = ["099720109477"] # Canonical
+
+  filter {
+    name   = "name"
+    values = ["ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*"]
+  }
+
+  filter {
+    name   = "virtualization-type"
+    values = ["hvm"]
+  }
+
+  filter {
+    name   = "root-device-type"
+    values = ["ebs"]
+  }
+
+  filter {
+    name   = "architecture"
+    values = ["x86_64"]
+  }
+}
+
+locals {
+  user_data = <<-EOT
+    #!/bin/bash
+    set -euxo pipefail
+
+    export DEBIAN_FRONTEND=noninteractive
+    apt-get update -y
+    apt-get install -y curl ca-certificates
+
+    curl -sfL https://get.k3s.io | sh -
+
+    mkdir -p /home/ubuntu/.kube
+    cp /etc/rancher/k3s/k3s.yaml /home/ubuntu/.kube/config
+    chown -R ubuntu:ubuntu /home/ubuntu/.kube
+    chmod 600 /home/ubuntu/.kube/config
+  EOT
+}
+
+resource "aws_instance" "web" {
+  ami           = data.aws_ami.ubuntu_22_04.id
+  instance_type = var.ec2_instance_type
+
+  key_name      = aws_key_pair.kp.key_name
+  subnet_id                   = aws_subnet.public[0].id
+  vpc_security_group_ids      = [aws_security_group.web.id]
+  associate_public_ip_address = true
+
+  user_data                   = local.user_data
+  user_data_replace_on_change = false
+
+  root_block_device {
+    volume_size           = 30
+    volume_type           = "gp3"
+    encrypted             = true
+    delete_on_termination = true
+  }
+
+  metadata_options {
+    http_tokens                 = "required"
+    http_endpoint               = "enabled"
+    http_put_response_hop_limit = 2
+  }
+
+  tags = {
+    Name = "${local.name_prefix}-web"
+    Role = "k3s-node"
+  }
+
+  lifecycle {
+    ignore_changes = [ami]
+  }
+}
diff --git a/terraform/database.tf b/terraform/database.tf
new file mode 100644
index 0000000..8843344
--- /dev/null
+++ b/terraform/database.tf
@@ -0,0 +1,104 @@
+resource "aws_db_subnet_group" "main" {
+  name        = "${local.name_prefix}-db-subnet-group"
+  description = "Subnet group spanning two AZs for the ${local.name_prefix} RDS instance."
+  subnet_ids  = aws_subnet.public[*].id
+
+  tags = {
+    Name = "${local.name_prefix}-db-subnet-group"
+  }
+}
+
+resource "aws_db_instance" "postgres" {
+  identifier     = "${local.name_prefix}-postgres"
+  engine         = "postgres"
+  engine_version = var.db_engine_version
+  instance_class = var.db_instance_class
+
+  allocated_storage     = var.db_allocated_storage
+  max_allocated_storage = 100
+  storage_type          = "gp3"
+  storage_encrypted     = true
+
+  db_name  = var.db_name
+  username = var.db_username
+  password = var.db_password
+  port     = 5432
+
+  db_subnet_group_name   = aws_db_subnet_group.main.name
+  vpc_security_group_ids = [aws_security_group.rds.id]
+  publicly_accessible    = false
+  multi_az               = false
+
+  backup_retention_period    = 7
+  auto_minor_version_upgrade = true
+  skip_final_snapshot        = true
+  deletion_protection        = false
+  apply_immediately          = true
+
+  tags = {
+    Name = "${local.name_prefix}-postgres"
+  }
+}
+
+resource "aws_dynamodb_table" "blog_posts" {
+  name         = var.dynamodb_table_name
+  billing_mode = "PAY_PER_REQUEST"
+  hash_key     = "id"
+
+  attribute {
+    name = "id"
+    type = "S"
+  }
+
+  point_in_time_recovery {
+    enabled = true
+  }
+
+  server_side_encryption {
+    enabled = true
+  }
+
+  tags = {
+    Name = var.dynamodb_table_name
+  }
+}
+
+resource "random_id" "bucket_suffix" {
+  byte_length = 4
+}
+
+resource "aws_s3_bucket" "blog_images" {
+  bucket        = "${var.project_prefix}-blog-images-${random_id.bucket_suffix.hex}"
+  force_destroy = true
+
+  tags = {
+    Name = "${var.project_prefix}-blog-images"
+  }
+}
+
+resource "aws_s3_bucket_public_access_block" "blog_images" {
+  bucket = aws_s3_bucket.blog_images.id
+
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
+resource "aws_s3_bucket_versioning" "blog_images" {
+  bucket = aws_s3_bucket.blog_images.id
+
+  versioning_configuration {
+    status = "Enabled"
+  }
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "blog_images" {
+  bucket = aws_s3_bucket.blog_images.id
+
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm = "AES256"
+    }
+  }
+}
diff --git a/terraform/main.tf b/terraform/main.tf
new file mode 100644
index 0000000..fde342c
--- /dev/null
+++ b/terraform/main.tf
@@ -0,0 +1,36 @@
+terraform {
+  required_version = ">= 1.5.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = "~> 3.5"
+    }
+  }
+}
+
+provider "aws" {
+  region = var.aws_region
+
+  default_tags {
+    tags = {
+      Project     = var.project_prefix
+      Environment = var.environment
+      ManagedBy   = "Terraform"
+    }
+  }
+}
+
+locals {
+  name_prefix = "${var.project_prefix}-${var.environment}"
+
+  common_tags = {
+    Project     = var.project_prefix
+    Environment = var.environment
+    ManagedBy   = "Terraform"
+  }
+}
diff --git a/terraform/network.tf b/terraform/network.tf
new file mode 100644
index 0000000..dda7429
--- /dev/null
+++ b/terraform/network.tf
@@ -0,0 +1,131 @@
+data "aws_availability_zones" "available" {
+  state = "available"
+}
+
+resource "aws_vpc" "main" {
+  cidr_block           = var.vpc_cidr
+  enable_dns_support   = true
+  enable_dns_hostnames = true
+
+  tags = {
+    Name = "${local.name_prefix}-vpc"
+  }
+}
+
+resource "aws_internet_gateway" "main" {
+  vpc_id = aws_vpc.main.id
+
+  tags = {
+    Name = "${local.name_prefix}-igw"
+  }
+}
+
+resource "aws_subnet" "public" {
+  count = length(var.public_subnet_cidrs)
+
+  vpc_id                  = aws_vpc.main.id
+  cidr_block              = var.public_subnet_cidrs[count.index]
+  availability_zone       = data.aws_availability_zones.available.names[count.index]
+  map_public_ip_on_launch = true
+
+  tags = {
+    Name = "${local.name_prefix}-public-${count.index + 1}"
+    Tier = "public"
+  }
+}
+
+resource "aws_route_table" "public" {
+  vpc_id = aws_vpc.main.id
+
+  route {
+    cidr_block = "0.0.0.0/0"
+    gateway_id = aws_internet_gateway.main.id
+  }
+
+  tags = {
+    Name = "${local.name_prefix}-public-rt"
+  }
+}
+
+resource "aws_route_table_association" "public" {
+  count = length(aws_subnet.public)
+
+  subnet_id      = aws_subnet.public[count.index].id
+  route_table_id = aws_route_table.public.id
+}
+
+resource "aws_security_group" "web" {
+  name        = "${local.name_prefix}-web-sg"
+  description = "Allow SSH, HTTP and HTTPS inbound traffic to the web/k3s host."
+  vpc_id      = aws_vpc.main.id
+
+  ingress {
+    description      = "Kubernetes API"
+    from_port        = 6443
+    to_port          = 6443
+    protocol         = "tcp"
+    cidr_blocks      = ["0.0.0.0/0"]
+  }
+  
+  ingress {
+    description = "SSH"
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+    cidr_blocks = [var.ssh_allowed_cidr]
+  }
+
+  ingress {
+    description = "HTTP"
+    from_port   = 80
+    to_port     = 80
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  ingress {
+    description = "HTTPS"
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    description = "Allow all outbound traffic"
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name = "${local.name_prefix}-web-sg"
+  }
+}
+
+resource "aws_security_group" "rds" {
+  name        = "${local.name_prefix}-rds-sg"
+  description = "Allow PostgreSQL traffic only from the web security group."
+  vpc_id      = aws_vpc.main.id
+
+  ingress {
+    description     = "PostgreSQL from web SG"
+    from_port       = 5432
+    to_port         = 5432
+    protocol        = "tcp"
+    security_groups = [aws_security_group.web.id]
+  }
+
+  egress {
+    description = "Allow all outbound traffic"
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name = "${local.name_prefix}-rds-sg"
+  }
+}
diff --git a/terraform/outputs.tf b/terraform/outputs.tf
new file mode 100644
index 0000000..fb6c57e
--- /dev/null
+++ b/terraform/outputs.tf
@@ -0,0 +1,39 @@
+output "ec2_public_ip" {
+  description = "Public IP address of the EC2 web/k3s instance."
+  value       = aws_instance.web.public_ip
+}
+
+output "ec2_public_dns" {
+  description = "Public DNS name of the EC2 web/k3s instance."
+  value       = aws_instance.web.public_dns
+}
+
+output "rds_endpoint" {
+  description = "PostgreSQL RDS endpoint URL (host:port)."
+  value       = aws_db_instance.postgres.endpoint
+}
+
+output "rds_address" {
+  description = "PostgreSQL RDS hostname (without port)."
+  value       = aws_db_instance.postgres.address
+}
+
+output "s3_bucket_name" {
+  description = "Name of the S3 bucket created for blog images."
+  value       = aws_s3_bucket.blog_images.bucket
+}
+
+output "dynamodb_table_name" {
+  description = "Name of the DynamoDB table used for blog post metadata."
+  value       = aws_dynamodb_table.blog_posts.name
+}
+
+output "vpc_id" {
+  description = "ID of the created VPC."
+  value       = aws_vpc.main.id
+}
+
+output "public_subnet_ids" {
+  description = "IDs of the two public subnets."
+  value       = aws_subnet.public[*].id
+}
diff --git a/terraform/terraform.tfvars.example b/terraform/terraform.tfvars.example
new file mode 100644
index 0000000..d1e4727
--- /dev/null
+++ b/terraform/terraform.tfvars.example
@@ -0,0 +1,9 @@
+aws_region     = "eu-central-1"
+project_prefix = "galactic"
+environment    = "prod"
+
+db_username = "galactic_admin"
+db_name     = "galacticview"
+db_password = "change-me-to-a-strong-password"
+
+ssh_allowed_cidr = "0.0.0.0/0"
diff --git a/terraform/variables.tf b/terraform/variables.tf
new file mode 100644
index 0000000..b820480
--- /dev/null
+++ b/terraform/variables.tf
@@ -0,0 +1,93 @@
+variable "aws_region" {
+  description = "AWS region where all resources will be deployed."
+  type        = string
+  default     = "eu-central-1"
+}
+
+variable "project_prefix" {
+  description = "Short project name used as a prefix for resource names and tags."
+  type        = string
+  default     = "galactic"
+
+  validation {
+    condition     = can(regex("^[a-z][a-z0-9-]*$", var.project_prefix))
+    error_message = "project_prefix must start with a lowercase letter and contain only lowercase letters, digits, and hyphens."
+  }
+}
+
+variable "environment" {
+  description = "Deployment environment (e.g. dev, staging, prod)."
+  type        = string
+  default     = "prod"
+}
+
+variable "vpc_cidr" {
+  description = "CIDR block for the VPC."
+  type        = string
+  default     = "10.0.0.0/16"
+}
+
+variable "public_subnet_cidrs" {
+  description = "CIDR blocks for the public subnets (one per AZ)."
+  type        = list(string)
+  default     = ["10.0.1.0/24", "10.0.2.0/24"]
+}
+
+variable "ssh_allowed_cidr" {
+  description = "CIDR block allowed to reach the EC2 instance on port 22."
+  type        = string
+  default     = "0.0.0.0/0"
+}
+
+variable "ec2_instance_type" {
+  description = "EC2 instance type for the k3s web node (t3.small recommended for k3s memory)."
+  type        = string
+  default     = "t3.small"
+}
+
+variable "db_engine_version" {
+  description = "PostgreSQL major engine version."
+  type        = string
+  default     = "15"
+}
+
+variable "db_instance_class" {
+  description = "RDS instance class."
+  type        = string
+  default     = "db.t3.micro"
+}
+
+variable "db_allocated_storage" {
+  description = "Allocated storage for the RDS instance, in GB."
+  type        = number
+  default     = 20
+}
+
+variable "db_name" {
+  description = "Initial PostgreSQL database name."
+  type        = string
+  default     = "galacticview"
+}
+
+variable "db_username" {
+  description = "Master username for the PostgreSQL database."
+  type        = string
+  default     = "galactic_admin"
+}
+
+variable "db_password" {
+  description = "Master password for the PostgreSQL database. Provide via TF_VAR_db_password or terraform.tfvars."
+  type        = string
+  sensitive   = true
+
+  validation {
+    condition     = length(var.db_password) >= 8
+    error_message = "db_password must be at least 8 characters long."
+  }
+}
+
+variable "dynamodb_table_name" {
+  description = "Name of the DynamoDB table for blog post metadata."
+  type        = string
+  default     = "GalacticBlogPosts"
+}