Aureliolo
diff --git a/‎docs/design/brand-and-ux.md‎
Lines changed: 2 additions & 0 deletions b/‎docs/design/brand-and-ux.md‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎docs/design/operations.md‎
Lines changed: 3 additions & 3 deletions b/‎docs/design/operations.md‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎docs/design/page-structure.md‎
Lines changed: 1 addition & 1 deletion b/‎docs/design/page-structure.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/synthorg/api/dto.py‎
Lines changed: 39 additions & 4 deletions b/‎src/synthorg/api/dto.py‎
Lines changed: 39 additions & 4 deletions
diff --git a/‎src/synthorg/config/schema.py‎
Lines changed: 8 additions & 8 deletions b/‎src/synthorg/config/schema.py‎
Lines changed: 8 additions & 8 deletions
diff --git a/‎src/synthorg/providers/drivers/litellm_driver.py‎
Lines changed: 7 additions & 6 deletions b/‎src/synthorg/providers/drivers/litellm_driver.py‎
Lines changed: 7 additions & 6 deletions
diff --git a/‎src/synthorg/providers/management/_helpers.py‎
Lines changed: 25 additions & 17 deletions b/‎src/synthorg/providers/management/_helpers.py‎
Lines changed: 25 additions & 17 deletions
diff --git a/‎src/synthorg/providers/management/service.py‎
Lines changed: 14 additions & 9 deletions b/‎src/synthorg/providers/management/service.py‎
Lines changed: 14 additions & 9 deletions
@@ -240,6 +240,7 @@ The following shared components live in `web/src/components/ui/` and form the bu
 | `getPriorityColor()` | `utils/tasks.ts` | Maps `Priority` to `SemanticColor`. |
 | `getPriorityLabel()` | `utils/tasks.ts` | Maps `Priority` to display label. |
 | `getTaskTypeLabel()` | `utils/tasks.ts` | Maps `TaskType` to display label. |
+| `getProviderHealthColor()` | `utils/providers.ts` | Maps `ProviderHealthStatus` to `SemanticColor`. |
 
 ### Animation Hooks
 
@@ -257,6 +258,7 @@ The following shared components live in `web/src/components/ui/` and form the bu
 | `SemanticColor` | `lib/utils.ts` | `"success"`, `"accent"`, `"warning"`, `"danger"` |
 | `TaskStatus` | `api/types` | `"created"`, `"assigned"`, `"in_progress"`, `"in_review"`, `"completed"`, `"blocked"`, `"failed"`, `"interrupted"`, `"cancelled"` |
 | `Priority` | `api/types` | `"critical"`, `"high"`, `"medium"`, `"low"` |
+| `ProviderHealthStatus` | `api/types` | `"up"`, `"degraded"`, `"down"` |
 
 ### When to Create a New Shared Component
 
 
@@ -117,8 +117,8 @@ Providers can be managed at runtime through the API without restarting:
   - Auto-triggered on preset creation for no-auth providers with empty model lists.
   - SSRF trust is determined by a dynamic `host:port` allowlist (`ProviderDiscoveryPolicy`), seeded from preset `candidate_urls` at startup and auto-updated on provider create/update/delete. Trusted URLs bypass SSRF validation; untrusted URLs go through full private-IP/DNS-rebinding checks. Bypasses are logged at WARNING level (`PROVIDER_DISCOVERY_SSRF_BYPASSED`).
 - **Discovery allowlist**: `GET /api/v1/providers/discovery-policy` (read), `POST /api/v1/providers/discovery-policy/entries` (add entry), `POST /api/v1/providers/discovery-policy/remove-entry` (remove entry) -- manage the dynamic SSRF allowlist of trusted `host:port` pairs for provider discovery. Persisted in the settings system (DB > env > YAML > code).
-- **Presets**: `GET /api/v1/providers/presets` lists built-in cloud and local provider templates (11 presets: Anthropic, OpenAI, Google AI, Mistral, Groq, DeepSeek, Azure OpenAI, Ollama, LM Studio, vLLM, OpenRouter); `POST /api/v1/providers/from-preset` creates from a template
-- **Preset auto-probe**: `POST /api/v1/providers/probe-preset` -- for presets with `candidate_urls` (local providers: Ollama, LM Studio, vLLM), probes each URL in priority order (`host.docker.internal`, Docker bridge IP, `localhost`) with a 5-second timeout. Returns the first reachable URL and discovered model count. Used by the setup wizard to auto-detect local providers running on the host machine. SSRF validation is intentionally skipped because only hardcoded preset URLs are probed, never user input.
+- **Presets**: `GET /api/v1/providers/presets` lists built-in cloud and local provider templates (11 presets: Anthropic, OpenAI, Google AI, Mistral, Groq, DeepSeek, Azure OpenAI, Ollama, LM Studio, vLLM, OpenRouter); `POST /api/v1/providers/from-preset` creates from a template. Each preset declares `supported_auth_types` (e.g. `["api_key"]`, `["none"]`, `["api_key", "subscription"]`) which the UI uses to present the available authentication options during provider creation.
+- **Preset auto-probe**: `POST /api/v1/providers/probe-preset` -- for presets with `candidate_urls` (local providers: Ollama and LM Studio), probes each URL in priority order (`host.docker.internal`, Docker bridge IP, `localhost`) with a 5-second timeout. Returns the first reachable URL and discovered model count. Used by the setup wizard to auto-detect local providers running on the host machine. SSRF validation is intentionally skipped because only hardcoded preset URLs are probed, never user input. Note: vLLM's `candidate_urls` is intentionally empty (users deploy vLLM at arbitrary endpoints), so it cannot be auto-probed and requires manual URL configuration.
 - **Hot-reload**: On mutation, `ProviderManagementService` rebuilds `ProviderRegistry` + `ModelRouter` and atomically swaps them in `AppState` -- no downtime
 - **Auth types**: `api_key` (default), `subscription` (OAuth bearer token for provider subscription plans, requires ToS acceptance), `oauth` (stores credentials, MVP uses pre-fetched token), `custom_header`, `none` (local providers)
 - **Routing key**: Optional `litellm_provider` field decouples the provider display name from LiteLLM routing (e.g. a provider named "my-claude" can route to `anthropic` via `litellm_provider: anthropic`). Falls back to provider name when unset.
@@ -1103,7 +1103,7 @@ future CLI tool are thin clients that call the API -- they contain no business l
 | `/api/v1/approvals` | Pending human approvals queue |
 | `/api/v1/analytics` | `GET /overview` (metrics summary with budget status, 7d spend sparkline, agent counts), `GET /trends?period=7d\|30d\|90d&metric=spend\|tasks_completed\|active_agents\|success_rate` (time-series bucketed metrics; hourly buckets for 7d, daily for 30d/90d; defaults: `period=7d`, `metric=spend`), `GET /forecast?horizon_days=1..90` (budget spend projection with daily projections and exhaustion estimate; default 14; 400 on out-of-range) |
 | `/api/v1/settings` | Runtime-editable configuration (9 namespaces), schema discovery |
-| `GET /api/v1/providers`, `POST /api/v1/providers`, `PUT /api/v1/providers/{name}`, `DELETE /api/v1/providers/{name}`, `POST /api/v1/providers/{name}/test`, `GET /api/v1/providers/presets`, `POST /api/v1/providers/from-preset`, `POST /api/v1/providers/{name}/discover-models`, `POST /api/v1/providers/probe-preset`, `GET /api/v1/providers/discovery-policy`, `POST /api/v1/providers/discovery-policy/entries`, `POST /api/v1/providers/discovery-policy/remove-entry` | Provider CRUD, connection testing, presets, preset auto-probe, model discovery, discovery SSRF allowlist management, 5 auth types (api_key, subscription, oauth, custom_header, none) |
+| `GET /api/v1/providers`, `GET /api/v1/providers/{name}`, `GET /api/v1/providers/{name}/models`, `POST /api/v1/providers`, `PUT /api/v1/providers/{name}`, `DELETE /api/v1/providers/{name}`, `POST /api/v1/providers/{name}/test`, `GET /api/v1/providers/presets`, `POST /api/v1/providers/from-preset`, `POST /api/v1/providers/{name}/discover-models`, `POST /api/v1/providers/probe-preset`, `GET /api/v1/providers/discovery-policy`, `POST /api/v1/providers/discovery-policy/entries`, `POST /api/v1/providers/discovery-policy/remove-entry` | Provider CRUD, single provider detail, model listing, connection testing, presets, preset auto-probe, model discovery, discovery SSRF allowlist management, 5 auth types (api_key, subscription, oauth, custom_header, none) |
 | `GET /api/v1/setup/status`, `GET /api/v1/setup/templates`, `POST /api/v1/setup/company`, `POST /api/v1/setup/agent`, `GET /api/v1/setup/agents`, `PUT /api/v1/setup/agents/{index}/model` (`{index}` = zero-based position in the list returned by `GET /api/v1/setup/agents`; not a stable ID -- re-fetch to resolve; out-of-range returns 404), `GET /api/v1/setup/name-locales/available`, `GET /api/v1/setup/name-locales`, `PUT /api/v1/setup/name-locales`, `POST /api/v1/setup/complete` | First-run setup wizard: status check (public, reports `has_company`/`has_agents`/`has_providers`/`has_name_locales` for step resume), template listing, company creation (auto-creates template agents with model matching), agent listing + model reassignment, manual agent creation (blank path), name locale management (list available Faker locales, get/set selected locales for agent name generation), completion gate (requires company + agents + providers) |
 | `/api/v1/users` | CEO-only user CRUD: create, list, get, update role, delete human user accounts |
 | `/api/v1/admin/backups` | Manual backup, list, detail, delete |
 
@@ -99,7 +99,7 @@ Meeting history list with status/type filters. Click opens meeting detail (`/mee
 
 #### Providers (`/providers`)
 
-LLM provider management. CRUD cards for configured providers. Connection test button. Preset-based creation flow. Model auto-discovery. Provider detail/edit at `/providers/{name}`.
+LLM provider management. CRUD cards for configured providers with health status display (up/degraded/down) and health metrics (average response time, error rate percentage, call count). Connection test button. Preset-based creation flow with subscription auth support requiring ToS acceptance for applicable providers. Model auto-discovery. Provider list supports filtering and sorting by health status, name, and model count. Provider detail/edit at `/providers/{name}`.
 
 No WebSocket subscription -- provider changes are low-frequency admin operations. TanStack Query polling is sufficient.
 
 
@@ -529,7 +529,19 @@ def _validate_provider_name(v: str) -> str:
 
 
 class CreateProviderRequest(BaseModel):
-    """Payload for creating a new provider."""
+    """Payload for creating a new provider.
+
+    Attributes:
+        name: Unique provider name (2-64 chars, lowercase alphanumeric + hyphens).
+        driver: Driver backend name (default ``"litellm"``).
+        litellm_provider: LiteLLM routing identifier override.
+        auth_type: Authentication mechanism for this provider.
+        api_key: API key credential (optional, depends on auth_type).
+        subscription_token: Bearer token for subscription-based auth.
+        tos_accepted: Whether the user accepted the subscription ToS warning.
+        base_url: Provider API base URL.
+        models: Pre-configured model definitions.
+    """
 
     model_config = ConfigDict(frozen=True)
 
@@ -583,8 +595,8 @@ class UpdateProviderRequest(BaseModel):
     models: tuple[ProviderModelConfig, ...] | None = None
 
     @model_validator(mode="after")
-    def _validate_api_key_clear_consistency(self) -> Self:
-        """Reject simultaneous api_key and clear_api_key."""
+    def _validate_credential_clear_consistency(self) -> Self:
+        """Reject simultaneous set and clear for credential fields."""
         if self.api_key is not None and self.clear_api_key:
             msg = "api_key and clear_api_key are mutually exclusive"
             raise ValueError(msg)
@@ -641,6 +653,20 @@ class ProviderResponse(BaseModel):
     """Safe provider config for API responses -- secrets stripped.
 
     Non-secret auth fields are included for frontend edit form UX.
+    Boolean ``has_*`` indicators signal credential presence without
+    exposing values.
+
+    Attributes:
+        driver: Driver backend name.
+        litellm_provider: LiteLLM routing identifier override.
+        auth_type: Authentication mechanism.
+        base_url: Provider API base URL.
+        models: Configured model definitions.
+        has_api_key: Whether an API key is set.
+        has_oauth_credentials: Whether OAuth credentials are configured.
+        has_custom_header: Whether a custom auth header is configured.
+        has_subscription_token: Whether a subscription token is set.
+        tos_accepted_at: ISO timestamp of ToS acceptance (or ``None``).
     """
 
     model_config = ConfigDict(frozen=True)
@@ -662,7 +688,16 @@ class ProviderResponse(BaseModel):
 
 
 class CreateFromPresetRequest(BaseModel):
-    """Payload for creating a provider from a preset."""
+    """Payload for creating a provider from a preset.
+
+    Attributes:
+        preset_name: Name of the preset to create from.
+        name: Unique provider name (2-64 chars, lowercase alphanumeric + hyphens).
+        auth_type: Override the preset's default auth type (optional).
+        subscription_token: Bearer token for subscription-based auth.
+        tos_accepted: Whether the user accepted the subscription ToS warning.
+        base_url: Override the preset's default base URL (optional).
+    """
 
     model_config = ConfigDict(frozen=True)
 
 
@@ -47,8 +47,8 @@ class ProviderModelConfig(BaseModel):
     Attributes:
         id: Model identifier (e.g. ``"example-medium-001"``).
         alias: Short alias for referencing this model in routing rules.
-        cost_per_1k_input: Cost per 1,000 input tokens in USD (base currency).
-        cost_per_1k_output: Cost per 1,000 output tokens in USD (base currency).
+        cost_per_1k_input: Cost per 1,000 input tokens (base currency).
+        cost_per_1k_output: Cost per 1,000 output tokens (base currency).
         max_context: Maximum context window size in tokens.
         estimated_latency_ms: Estimated median latency in milliseconds.
     """
@@ -88,13 +88,13 @@ class ProviderConfig(BaseModel):
 
     Attributes:
         driver: Driver backend name (e.g. ``"litellm"``).
-        litellm_provider: LiteLLM routing identifier (e.g. ``"anthropic"``,
-            ``"openai"``).  When set, the driver uses this instead of the
-            provider name as the model prefix for LiteLLM routing.  Falls
-            back to the provider name when ``None``.
+        litellm_provider: LiteLLM routing identifier (e.g.
+            ``"example-provider"``).  When set, the driver uses this instead
+            of the provider name as the model prefix for LiteLLM routing.
+            Falls back to the provider name when ``None``.
         auth_type: Authentication type for this provider.
         api_key: API key (typically injected by secret management).
-        subscription_token: OAuth bearer token for subscription-based auth
+        subscription_token: Bearer token for subscription-based auth
             (e.g. provider subscription plans).  Encrypted at rest.
         tos_accepted_at: Timestamp when the user accepted the subscription
             Terms of Service warning.  Required when ``auth_type`` is
@@ -124,7 +124,7 @@ class ProviderConfig(BaseModel):
         default=None,
         description=(
             "LiteLLM provider identifier for routing "
-            "(e.g. 'anthropic', 'openai').  Falls back to "
+            "(e.g. 'example-provider').  Falls back to "
             "the provider name when None."
         ),
     )
 
@@ -108,9 +108,10 @@ class LiteLLMDriver(BaseCompletionProvider):
     """Completion driver backed by LiteLLM.
 
     Uses ``litellm.acompletion`` for both streaming and non-streaming
-    calls.  Model identifiers are prefixed with the provider name
-    (e.g. ``example-provider/example-medium-001``) so LiteLLM routes to
-    the correct backend.
+    calls.  Model identifiers are prefixed with the LiteLLM routing key
+    (``litellm_provider`` if set, otherwise the provider name -- e.g.
+    ``example-provider/example-medium-001``) so LiteLLM routes to the
+    correct backend.
 
     Args:
         provider_name: Provider key from config (e.g. ``"example-provider"``).
@@ -351,9 +352,9 @@ def _build_kwargs(  # noqa: C901
                     }
             case AuthType.SUBSCRIPTION:
                 if self._config.subscription_token is not None:
-                    kwargs.setdefault("extra_headers", {})["Authorization"] = (
-                        f"Bearer {self._config.subscription_token}"
-                    )
+                    kwargs["extra_headers"] = {
+                        "Authorization": f"Bearer {self._config.subscription_token}",
+                    }
             case AuthType.NONE:
                 pass
 
 
@@ -25,13 +25,16 @@ def build_provider_config(
     Returns:
         Frozen ProviderConfig.
     """
-    tos_accepted_at = datetime.now(UTC) if request.tos_accepted else None
+    is_subscription = request.auth_type == AuthType.SUBSCRIPTION
+    tos_accepted_at = (
+        datetime.now(UTC) if is_subscription and request.tos_accepted else None
+    )
     return ProviderConfig(
         driver=request.driver,
         litellm_provider=request.litellm_provider,
         auth_type=request.auth_type,
         api_key=request.api_key,
-        subscription_token=request.subscription_token,
+        subscription_token=request.subscription_token if is_subscription else None,
         tos_accepted_at=tos_accepted_at,
         base_url=request.base_url,
         oauth_token_url=request.oauth_token_url,
@@ -58,20 +61,25 @@ def build_provider_config(
 )
 
 
-# Credential fields to clear when switching away from an auth type.
-_AUTH_OWNED_FIELDS: dict[AuthType, tuple[str, ...]] = {
-    AuthType.API_KEY: ("api_key",),
-    AuthType.OAUTH: (
-        "api_key",
-        "oauth_client_secret",
-        "oauth_token_url",
-        "oauth_client_id",
-        "oauth_scope",
-    ),
-    AuthType.CUSTOM_HEADER: ("custom_header_name", "custom_header_value"),
-    AuthType.SUBSCRIPTION: ("subscription_token", "tos_accepted_at"),
-    AuthType.NONE: (),
-}
+# Fields owned by each auth type.  When switching auth types, fields
+# not owned by the new type are cleared.
+_AUTH_OWNED_FIELDS: Final[MappingProxyType[AuthType, tuple[str, ...]]] = (
+    MappingProxyType(
+        {
+            AuthType.API_KEY: ("api_key",),
+            AuthType.OAUTH: (
+                "api_key",
+                "oauth_client_secret",
+                "oauth_token_url",
+                "oauth_client_id",
+                "oauth_scope",
+            ),
+            AuthType.CUSTOM_HEADER: ("custom_header_name", "custom_header_value"),
+            AuthType.SUBSCRIPTION: ("subscription_token", "tos_accepted_at"),
+            AuthType.NONE: (),
+        }
+    )
+)
 
 
 def apply_update(
@@ -118,7 +126,7 @@ def _apply_credential_updates(
     request: UpdateProviderRequest,
     final_auth_type: AuthType,
 ) -> None:
-    """Apply set/clear logic for api_key and subscription_token."""
+    """Apply set/clear logic for api_key, subscription_token, and tos_accepted_at."""
     # api_key: only set/clear when the resulting auth type supports it
     if final_auth_type in (AuthType.API_KEY, AuthType.OAUTH):
         if request.api_key is not None:
 
@@ -362,8 +362,10 @@ async def create_from_preset(
     ) -> ProviderConfig:
         """Create a provider from a preset template.
 
-        When the preset has ``auth_type=none`` and a base URL but no
-        models, attempts auto-discovery before creating the provider.
+        The request's ``auth_type`` overrides the preset default when
+        provided.  When the effective auth type is ``AuthType.NONE``
+        and a base URL is available but no models are given, attempts
+        auto-discovery before creating the provider.
 
         Args:
             request: Preset-based creation request.
@@ -387,13 +389,13 @@ async def create_from_preset(
 
         models = request.models if request.models is not None else preset.default_models
         base_url = request.base_url or preset.default_base_url
+        auth_type = request.auth_type or preset.auth_type
         models = await self._maybe_discover_preset_models(
             preset,
             base_url,
             models,
+            auth_type=auth_type,
         )
-
-        auth_type = request.auth_type or preset.auth_type
         create_request = CreateProviderRequest(
             name=request.name,
             driver=preset.driver,
@@ -412,23 +414,26 @@ async def _maybe_discover_preset_models(
         preset: ProviderPreset,
         base_url: str | None,
         models: tuple[ProviderModelConfig, ...],
+        *,
+        auth_type: AuthType,
     ) -> tuple[ProviderModelConfig, ...]:
         """Auto-discover models for no-auth presets when none are provided.
 
-        Only attempts discovery when the preset uses ``AuthType.NONE``,
-        a base URL is available, and no models were explicitly provided.
-        Trust is determined by the discovery allowlist -- preset default
-        URLs are seeded on first access, so they are automatically trusted.
+        Only attempts discovery when the effective auth type is
+        ``AuthType.NONE``, a base URL is available, and no models were
+        explicitly provided.  The request's ``auth_type`` override is
+        applied before this check.
 
         Args:
             preset: Resolved preset definition.
             base_url: Provider base URL (may be user-overridden).
             models: Explicitly provided models (may be empty).
+            auth_type: Effective auth type (request override or preset default).
 
         Returns:
             Discovered models if any, otherwise the original models.
         """
-        if models or preset.auth_type != AuthType.NONE or not base_url:
+        if models or auth_type != AuthType.NONE or not base_url:
             return models
         if self._is_self_connection(base_url):
             return models