diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b932f8368..3bb315bbf 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -2,8 +2,6 @@ name: ci
 "on":
   push:
   pull_request:
-permissions:
-  contents: read
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/AGENTS.md b/AGENTS.md
index e5f12ccf0..16bb11485 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -58,7 +58,7 @@
     behaviour being corrected both to validate the fix and to guard against
     regression.
   - Passes all relevant unit and behavioural tests according to the guidelines
-    above. See “### Testing”. (Use `make test` to verify).
+    above. (Use `make test` to verify).
   - Passes lint checks. (Use `make lint` to verify).
   - Adheres to formatting standards tested using a formatting validator. (Use
     `make check-fmt` to verify).
@@ -79,7 +79,7 @@
 
 ## Refactoring Heuristics & Workflow
 
-- **Recognizing Refactoring Needs:** Regularly assess the codebase for potential
+- **Recognising Refactoring Needs:** Regularly assess the codebase for potential
   refactoring opportunities. Consider refactoring when you observe:
   - **Long Methods/Functions:** Functions or methods that are excessively long
     or try to do too many things.
@@ -242,9 +242,9 @@ browser‑only runtime.
   - `preview`: `vite preview`
   - `test`: `vitest run --coverage`
   - `audit`: `bun x npm@latest audit`
-  - `audit:snyk`: `bun x snyk test` (requires `snyk` CLI and authentication;
-    run `snyk auth` locally, and set `SNYK_TOKEN` in CI secrets)
-
+  - `audit:snyk`: `bun x snyk test`
+  - Note: `audit` requires a committed `bun.lock`; `audit:snyk` requires
+    installed dependencies—run `bun install` before invoking it.
 ### Compiler Configuration (Make It Sharp)
 
 Use a strict `tsconfig.json` suitable for browser builds:
@@ -330,7 +330,7 @@ Keep docs close to code.
 - **Version policy**: Use caret requirements (`^x.y.z`) for all direct
   dependencies. Avoid `*`, `>=` or tag aliases like `latest`. Use tilde
   (`~x.y.z`) only with a documented justification.
-- **Lockfile**: Commit `bun.lock`. Recreate on major tool upgrades; keep 
+- **Lockfile**: Commit `bun.lock`. Recreate on major tool upgrades; keep
   `bun.lockb` ignored.
 - **Audit**: Run `bun run audit` locally and in automation. Track exceptions
   with explicit expiry dates.
@@ -434,7 +434,7 @@ Keep docs close to code.
 
 ### Quick Checklist (Before Commit)
 
-- `bun run fmt`, `bun run lint`, `bun test` all clean; no Biome warnings;
+ - `bun run fmt`, `bun run lint`, `bun run test` all clean; no Biome warnings;
   no TypeScript errors; coverage thresholds hold.
 - `bun run audit` passes or has justified, time‑boxed exceptions.
 - No `any`, no `@ts-ignore`; use `@ts-expect-error` only with a reason.
diff --git a/frontend-pwa/index.html b/frontend-pwa/index.html
new file mode 100644
index 000000000..e6ef728fd
--- /dev/null
+++ b/frontend-pwa/index.html
@@ -0,0 +1,13 @@
+<!-- @file Root HTML document for Vite entry. -->
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <title>myapp</title>
+  </head>
+  <body>
+    <div id="root"></div>
+    <script type="module" src="/src/main.tsx"></script>
+  </body>
+</html>
diff --git a/frontend-pwa/src/api/client.ts b/frontend-pwa/src/api/client.ts
index 4c496780c..5f44d82a1 100644
--- a/frontend-pwa/src/api/client.ts
+++ b/frontend-pwa/src/api/client.ts
@@ -8,8 +8,8 @@ const userSchema = z.object({
   id: z.string(),
   display_name: z.string(),
 });
+
 export type User = z.infer<typeof userSchema>;
-const usersSchema = z.array(userSchema);
 
-export const listUsers = ({ signal }: { signal?: AbortSignal } = {}) =>
-  customFetchParsed('/api/users', usersSchema, { signal });
+export const listUsers = (signal?: AbortSignal) =>
+  customFetchParsed('/api/users', z.array(userSchema), { signal });
diff --git a/frontend-pwa/src/app/App.tsx b/frontend-pwa/src/app/App.tsx
index 06d71d97e..e5e65ca9e 100644
--- a/frontend-pwa/src/app/App.tsx
+++ b/frontend-pwa/src/app/App.tsx
@@ -7,30 +7,26 @@ import { listUsers } from '../api/client';
 export function App() {
   const { data, isLoading, isError, error } = useQuery({
     queryKey: ['users'],
-    queryFn: listUsers,
+    queryFn: ({ signal }) => listUsers(signal),
     staleTime: 60_000,
   });
 
   if (isLoading) {
     return (
-      <p
-        className="p-6 min-h-screen bg-base-200 text-base-content"
-        role="status"
-        aria-live="polite"
-      >
+      <output className="p-6 min-h-screen bg-base-200 text-base-content">
         Loading users…
-      </p>
+      </output>
     );
   }
 
   if (isError) {
     if (import.meta.env.DEV) {
       // eslint-disable-next-line no-console
-      console.error({ msg: 'Failed to load users', error });
+      console.error(error);
     }
     return (
       <p className="p-6 min-h-screen bg-base-200 text-base-content" role="alert">
-        Failed to load users. Please try again.
+        Failed to load users.
       </p>
     );
   }
diff --git a/frontend-pwa/src/main.tsx b/frontend-pwa/src/main.tsx
index deef95ff7..d77bee0b2 100644
--- a/frontend-pwa/src/main.tsx
+++ b/frontend-pwa/src/main.tsx
@@ -4,7 +4,7 @@
 import React from 'react';
 import { createRoot } from 'react-dom/client';
 import { QueryClient, QueryClientProvider } from '@tanstack/react-query';
-import '@app/tokens/dist/css/variables.css';
+import '@app/tokens/css/variables.css';
 import './index.css';
 import { App } from './app/App';
 
diff --git a/packages/tokens/build/style-dictionary.js b/packages/tokens/build/style-dictionary.js
index 0ecac8d0a..215df4a75 100644
--- a/packages/tokens/build/style-dictionary.js
+++ b/packages/tokens/build/style-dictionary.js
@@ -1,7 +1,7 @@
 import StyleDictionary from 'style-dictionary';
 import fs from 'node:fs';
 
-const sd = StyleDictionary.extend({
+const sd = new StyleDictionary({
   source: ['src/tokens.json', 'src/themes/*.json'],
   platforms: {
     css: {