diff --git a/.github/workflows/nginx.yml b/.github/workflows/nginx.yml
new file mode 100644
index 00000000..02585466
--- /dev/null
+++ b/.github/workflows/nginx.yml
@@ -0,0 +1,59 @@
+name: Nginx Config
+
+# Validates app/nginx.conf via scripts/validate-nginx.sh (single source of truth,
+# also run locally). `nginx -t` syntax errors block; gixy security findings are
+# advisory (surfaced as a warning), mirroring the Trivy pattern in docker.yml.
+
+on:
+  workflow_dispatch:
+    inputs:
+      reason:
+        description: 'Optional reason for manual run'
+        required: false
+        default: 'manual trigger'
+  push:
+    branches: ["main", "develop", "release/*"]
+    paths:
+      - 'app/nginx.conf'
+      - 'app/Dockerfile'          # script auto-detects the pinned nginx image from here
+      - 'scripts/validate-nginx.sh'
+      - '.github/workflows/nginx.yml'
+  pull_request:
+    branches: ["main", "develop", "release/*"]
+    paths:
+      - 'app/nginx.conf'
+      - 'app/Dockerfile'
+      - 'scripts/validate-nginx.sh'
+      - '.github/workflows/nginx.yml'
+
+permissions: read-all
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          persist-credentials: false
+
+      # validate-nginx.sh exit codes:
+      #   0 ok | 1 syntax fail | 2 missing prereq | 3 gixy findings | 4 gixy could not run
+      # We block on syntax/prereq (1/2) and on gixy failing to run (4 — a scan that
+      # never executed must not pass silently). Only real gixy findings (3) are
+      # downgraded to an advisory warning, mirroring docker.yml's Trivy pattern.
+      - name: Validate nginx config (syntax blocking, gixy advisory)
+        run: |
+          set +e
+          ./scripts/validate-nginx.sh
+          code=$?
+          set -e
+          case "${code}" in
+            0) echo "nginx config valid and clean" ;;
+            3) echo "::warning title=gixy::nginx security findings (advisory) — see log above" ;;
+            4) echo "::error title=gixy::gixy could not run — scan did not execute"; exit 1 ;;
+            *) exit "${code}" ;;
+          esac
diff --git a/.gitignore b/.gitignore
index 846982cd..ef97607e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -11,3 +11,4 @@ blocklists/.env
 libs/vendor
 tests/docker_logs
 .qodo
+.nginx-validate.*
diff --git a/api/api/server.go b/api/api/server.go
index 80190362..92c1a6f4 100644
--- a/api/api/server.go
+++ b/api/api/server.go
@@ -6,6 +6,7 @@ import (
 	"time"
 
 	"github.com/gofiber/fiber/v2"
+	"github.com/gofiber/fiber/v2/middleware/compress"
 	"github.com/gofiber/fiber/v2/middleware/healthcheck"
 	"github.com/gofiber/fiber/v2/middleware/helmet"
 	"github.com/gofiber/fiber/v2/middleware/limiter"
@@ -69,6 +70,7 @@ func NewServer(config *config.Config, service service.Service, db db.Db, cache c
 func (s *APIServer) setupMiddlewares() {
 	s.App.Use(middleware.SentryFiber())
 	s.App.Use(middleware.Recover())
+	s.App.Use(compress.New(compress.Config{Level: compress.LevelBestSpeed}))
 	s.App.Use(requestid.New())
 	s.App.Use(logger.New(logger.Config{
 		Next: func(c *fiber.Ctx) bool {
diff --git a/api/db/mongodb/migrations/018_profiles_account_id_index.down.json b/api/db/mongodb/migrations/018_profiles_account_id_index.down.json
new file mode 100644
index 00000000..656f6d83
--- /dev/null
+++ b/api/db/mongodb/migrations/018_profiles_account_id_index.down.json
@@ -0,0 +1,6 @@
+[
+    {
+      "dropIndexes": "profiles",
+      "index": "account_id"
+    }
+]
diff --git a/api/db/mongodb/migrations/018_profiles_account_id_index.up.json b/api/db/mongodb/migrations/018_profiles_account_id_index.up.json
new file mode 100644
index 00000000..e81da147
--- /dev/null
+++ b/api/db/mongodb/migrations/018_profiles_account_id_index.up.json
@@ -0,0 +1,12 @@
+[{
+  "createIndexes": "profiles",
+  "indexes": [
+    {
+      "key": {
+        "account_id": 1
+      },
+      "name": "account_id",
+      "background": true
+    }
+  ]
+}]
diff --git a/api/docs/docs.go b/api/docs/docs.go
index ba1e148b..b10c8b6d 100644
--- a/api/docs/docs.go
+++ b/api/docs/docs.go
@@ -2553,9 +2553,6 @@ const docTemplate = `{
                     "items": {
                         "type": "string"
                     }
-                },
-                "queries": {
-                    "type": "integer"
                 }
             }
         },
diff --git a/api/docs/swagger.json b/api/docs/swagger.json
index d0a6de98..f89adfe3 100644
--- a/api/docs/swagger.json
+++ b/api/docs/swagger.json
@@ -2545,9 +2545,6 @@
                     "items": {
                         "type": "string"
                     }
-                },
-                "queries": {
-                    "type": "integer"
                 }
             }
         },
diff --git a/api/docs/swagger.yaml b/api/docs/swagger.yaml
index 3150a4de..8649022e 100644
--- a/api/docs/swagger.yaml
+++ b/api/docs/swagger.yaml
@@ -104,8 +104,6 @@ definitions:
         items:
           type: string
         type: array
-      queries:
-        type: integer
     type: object
   model.AccountUpdate:
     properties:
diff --git a/api/mocks/account_servicer.go b/api/mocks/account_servicer.go
index c579aaf2..811bae64 100644
--- a/api/mocks/account_servicer.go
+++ b/api/mocks/account_servicer.go
@@ -314,80 +314,6 @@ func (_c *AccountServicer_GetAccount_Call) RunAndReturn(run func(ctx context.Con
 	return _c
 }
 
-// GetAccountMetrics provides a mock function for the type AccountServicer
-func (_mock *AccountServicer) GetAccountMetrics(ctx context.Context, account *model.Account, timespan string) (*model.StatisticsAggregated, error) {
-	ret := _mock.Called(ctx, account, timespan)
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetAccountMetrics")
-	}
-
-	var r0 *model.StatisticsAggregated
-	var r1 error
-	if returnFunc, ok := ret.Get(0).(func(context.Context, *model.Account, string) (*model.StatisticsAggregated, error)); ok {
-		return returnFunc(ctx, account, timespan)
-	}
-	if returnFunc, ok := ret.Get(0).(func(context.Context, *model.Account, string) *model.StatisticsAggregated); ok {
-		r0 = returnFunc(ctx, account, timespan)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*model.StatisticsAggregated)
-		}
-	}
-	if returnFunc, ok := ret.Get(1).(func(context.Context, *model.Account, string) error); ok {
-		r1 = returnFunc(ctx, account, timespan)
-	} else {
-		r1 = ret.Error(1)
-	}
-	return r0, r1
-}
-
-// AccountServicer_GetAccountMetrics_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetAccountMetrics'
-type AccountServicer_GetAccountMetrics_Call struct {
-	*mock.Call
-}
-
-// GetAccountMetrics is a helper method to define mock.On call
-//   - ctx context.Context
-//   - account *model.Account
-//   - timespan string
-func (_e *AccountServicer_Expecter) GetAccountMetrics(ctx interface{}, account interface{}, timespan interface{}) *AccountServicer_GetAccountMetrics_Call {
-	return &AccountServicer_GetAccountMetrics_Call{Call: _e.mock.On("GetAccountMetrics", ctx, account, timespan)}
-}
-
-func (_c *AccountServicer_GetAccountMetrics_Call) Run(run func(ctx context.Context, account *model.Account, timespan string)) *AccountServicer_GetAccountMetrics_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		var arg0 context.Context
-		if args[0] != nil {
-			arg0 = args[0].(context.Context)
-		}
-		var arg1 *model.Account
-		if args[1] != nil {
-			arg1 = args[1].(*model.Account)
-		}
-		var arg2 string
-		if args[2] != nil {
-			arg2 = args[2].(string)
-		}
-		run(
-			arg0,
-			arg1,
-			arg2,
-		)
-	})
-	return _c
-}
-
-func (_c *AccountServicer_GetAccountMetrics_Call) Return(statisticsAggregated *model.StatisticsAggregated, err error) *AccountServicer_GetAccountMetrics_Call {
-	_c.Call.Return(statisticsAggregated, err)
-	return _c
-}
-
-func (_c *AccountServicer_GetAccountMetrics_Call) RunAndReturn(run func(ctx context.Context, account *model.Account, timespan string) (*model.StatisticsAggregated, error)) *AccountServicer_GetAccountMetrics_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
 // GetUnfinishedSignupOrPostAccount provides a mock function for the type AccountServicer
 func (_mock *AccountServicer) GetUnfinishedSignupOrPostAccount(ctx context.Context, email string, password string, subscriptionID string, sessionID string) (*model.Account, error) {
 	ret := _mock.Called(ctx, email, password, subscriptionID, sessionID)
diff --git a/api/mocks/servicer.go b/api/mocks/servicer.go
index 0045f93b..a7bd35fa 100644
--- a/api/mocks/servicer.go
+++ b/api/mocks/servicer.go
@@ -2218,80 +2218,6 @@ func (_c *Servicer_GetAccount_Call) RunAndReturn(run func(ctx context.Context, a
 	return _c
 }
 
-// GetAccountMetrics provides a mock function for the type Servicer
-func (_mock *Servicer) GetAccountMetrics(ctx context.Context, account *model.Account, timespan string) (*model.StatisticsAggregated, error) {
-	ret := _mock.Called(ctx, account, timespan)
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetAccountMetrics")
-	}
-
-	var r0 *model.StatisticsAggregated
-	var r1 error
-	if returnFunc, ok := ret.Get(0).(func(context.Context, *model.Account, string) (*model.StatisticsAggregated, error)); ok {
-		return returnFunc(ctx, account, timespan)
-	}
-	if returnFunc, ok := ret.Get(0).(func(context.Context, *model.Account, string) *model.StatisticsAggregated); ok {
-		r0 = returnFunc(ctx, account, timespan)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(*model.StatisticsAggregated)
-		}
-	}
-	if returnFunc, ok := ret.Get(1).(func(context.Context, *model.Account, string) error); ok {
-		r1 = returnFunc(ctx, account, timespan)
-	} else {
-		r1 = ret.Error(1)
-	}
-	return r0, r1
-}
-
-// Servicer_GetAccountMetrics_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetAccountMetrics'
-type Servicer_GetAccountMetrics_Call struct {
-	*mock.Call
-}
-
-// GetAccountMetrics is a helper method to define mock.On call
-//   - ctx context.Context
-//   - account *model.Account
-//   - timespan string
-func (_e *Servicer_Expecter) GetAccountMetrics(ctx interface{}, account interface{}, timespan interface{}) *Servicer_GetAccountMetrics_Call {
-	return &Servicer_GetAccountMetrics_Call{Call: _e.mock.On("GetAccountMetrics", ctx, account, timespan)}
-}
-
-func (_c *Servicer_GetAccountMetrics_Call) Run(run func(ctx context.Context, account *model.Account, timespan string)) *Servicer_GetAccountMetrics_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		var arg0 context.Context
-		if args[0] != nil {
-			arg0 = args[0].(context.Context)
-		}
-		var arg1 *model.Account
-		if args[1] != nil {
-			arg1 = args[1].(*model.Account)
-		}
-		var arg2 string
-		if args[2] != nil {
-			arg2 = args[2].(string)
-		}
-		run(
-			arg0,
-			arg1,
-			arg2,
-		)
-	})
-	return _c
-}
-
-func (_c *Servicer_GetAccountMetrics_Call) Return(statisticsAggregated *model.StatisticsAggregated, err error) *Servicer_GetAccountMetrics_Call {
-	_c.Call.Return(statisticsAggregated, err)
-	return _c
-}
-
-func (_c *Servicer_GetAccountMetrics_Call) RunAndReturn(run func(ctx context.Context, account *model.Account, timespan string) (*model.StatisticsAggregated, error)) *Servicer_GetAccountMetrics_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
 // GetBlocklist provides a mock function for the type Servicer
 func (_mock *Servicer) GetBlocklist(ctx context.Context, filter map[string]any, sortBy string) ([]*model.Blocklist, error) {
 	ret := _mock.Called(ctx, filter, sortBy)
diff --git a/api/model/account.go b/api/model/account.go
index 00fcdb9a..073bbe66 100644
--- a/api/model/account.go
+++ b/api/model/account.go
@@ -10,10 +10,6 @@ import (
 	"golang.org/x/crypto/bcrypt"
 )
 
-const (
-	QUERIES_NUMBER_LIMIT = 300000
-)
-
 const (
 	AuthMethodPassword = "password"
 	AuthMethodPasskey  = "passkey"
@@ -29,7 +25,6 @@ type Account struct {
 	Tokens              []Token            `json:"-" bson:"tokens"`
 	Password            *string            `json:"-" bson:"password,omitempty"`
 	Profiles            []string           `json:"profiles" bson:"profiles"`
-	Queries             int                `json:"queries" bson:"-"`
 	ErrorReportsConsent bool               `json:"error_reports_consent" bson:"error_reports_consent"`
 	MFA                 MFASettings        `json:"mfa" bson:"mfa"`
 	AuthMethods         []string           `json:"auth_methods,omitempty" bson:"-"`
@@ -70,10 +65,6 @@ func NewAccount(email, password, accountId, profileId string) (*Account, error)
 	return acc, nil
 }
 
-func (a *Account) IsQueriesNumberExceeded() bool {
-	return a.Queries > QUERIES_NUMBER_LIMIT
-}
-
 // WebAuthnID implements webauthn.User
 func (a *Account) WebAuthnID() []byte {
 	return []byte(a.ID.Hex())
diff --git a/api/service/account/account.go b/api/service/account/account.go
index f7df68d9..c978b613 100644
--- a/api/service/account/account.go
+++ b/api/service/account/account.go
@@ -317,11 +317,6 @@ func (p *AccountService) GetAccount(ctx context.Context, accountId string) (*mod
 		return nil, err
 	}
 
-	stats, err := p.GetAccountMetrics(ctx, account, model.LAST_MONTH)
-	if err != nil {
-		return nil, err
-	}
-	account.Queries = stats.Total
 	if err := p.populateAuthMethods(ctx, account); err != nil {
 		return nil, err
 	}
@@ -348,21 +343,6 @@ func (a *AccountService) populateAuthMethods(ctx context.Context, acc *model.Acc
 	return nil
 }
 
-// GetAccountStatistics returns profile DNS statistics data
-func (a *AccountService) GetAccountMetrics(ctx context.Context, account *model.Account, timespan string) (*model.StatisticsAggregated, error) {
-	accMetricsAggregated := &model.StatisticsAggregated{}
-	for _, profileId := range account.Profiles {
-		profileStats, err := a.ProfileService.GetStatistics(ctx, account.ID.Hex(), profileId, timespan)
-		if err != nil {
-			return nil, err
-		}
-
-		accMetricsAggregated.Total += profileStats[0].Total
-	}
-
-	return accMetricsAggregated, nil
-}
-
 // UpdateAccount updates account data
 func (a *AccountService) UpdateAccount(ctx context.Context, accountId string, updates []model.AccountUpdate, mfa *model.MfaData) error {
 	var profileUpdates []model.AccountUpdate
diff --git a/api/service/account/service_test.go b/api/service/account/service_test.go
index 518e0624..baa7f563 100644
--- a/api/service/account/service_test.go
+++ b/api/service/account/service_test.go
@@ -367,15 +367,6 @@ func (suite *AccountTestSuite) TestGetAccount() {
 				suite.mockAccountRepo.On("GetAccountById", context.Background(), tt.accountID).Return(nil, tt.repoError)
 			} else {
 				suite.mockAccountRepo.On("GetAccountById", context.Background(), tt.accountID).Return(tt.account, nil)
-				// Mock GetAccountMetrics dependencies
-				for _, profileID := range tt.account.Profiles {
-					stats := []model.StatisticsAggregated{
-						{
-							Total: 100,
-						},
-					}
-					suite.mockStatsRepo.On("GetProfileStatistics", context.Background(), profileID, 720).Return(stats, nil)
-				}
 			}
 
 			// Execute the method
@@ -395,94 +386,6 @@ func (suite *AccountTestSuite) TestGetAccount() {
 	}
 }
 
-// TestGetAccountMetrics tests the GetAccountMetrics method
-func (suite *AccountTestSuite) TestGetAccountMetrics() {
-	tests := []struct {
-		name          string
-		account       *model.Account
-		timespan      string
-		statsError    error
-		expectedError string
-		expectSuccess bool
-	}{
-		{
-			name: "Successful metrics retrieval",
-			account: &model.Account{
-				ID:       primitive.NewObjectID(),
-				Email:    "test@example.com",
-				Profiles: []string{"profile1", "profile2"},
-			},
-			timespan:      "LAST_1_DAY",
-			expectSuccess: true,
-		},
-		{
-			name: "Statistics error",
-			account: &model.Account{
-				ID:       primitive.NewObjectID(),
-				Email:    "test@example.com",
-				Profiles: []string{"profile1"},
-			},
-			timespan:      "LAST_1_DAY",
-			statsError:    errors.New("stats error"),
-			expectedError: "stats error",
-		},
-		{
-			name: "No profiles",
-			account: &model.Account{
-				ID:       primitive.NewObjectID(),
-				Email:    "test@example.com",
-				Profiles: []string{},
-			},
-			timespan:      "LAST_1_DAY",
-			expectSuccess: true,
-		},
-	}
-
-	for _, tt := range tests {
-		suite.Run(tt.name, func() {
-			// Reset mock expectations
-			suite.mockStatsRepo.ExpectedCalls = nil
-			suite.mockProfileRepo.ExpectedCalls = nil
-
-			// Mock statistics calls for each profile
-			for _, profileID := range tt.account.Profiles {
-				stats := []model.StatisticsAggregated{
-					{
-						Total: 100,
-					},
-				}
-
-				// Mock profile validation in profile service (always successful)
-				profile := &model.Profile{
-					ProfileId: profileID,
-					AccountId: tt.account.ID.Hex(),
-				}
-				suite.mockProfileRepo.On("GetProfileById", context.Background(), profileID).Return(profile, nil)
-
-				if tt.statsError != nil {
-					suite.mockStatsRepo.On("GetProfileStatistics", context.Background(), profileID, 24).Return(nil, tt.statsError)
-					break // Only need one error to trigger the test condition
-				} else {
-					suite.mockStatsRepo.On("GetProfileStatistics", context.Background(), profileID, 24).Return(stats, nil)
-				}
-			}
-
-			// Execute the method
-			result, err := suite.service.GetAccountMetrics(context.Background(), tt.account, tt.timespan)
-
-			// Verify results
-			if tt.expectedError != "" {
-				suite.Error(err)
-				suite.Contains(err.Error(), tt.expectedError)
-				suite.Nil(result)
-			} else {
-				suite.NoError(err)
-				suite.NotNil(result)
-			}
-		})
-	}
-}
-
 // TestSendResetPasswordEmail tests the SendResetPasswordEmail method
 func (suite *AccountTestSuite) TestSendResetPasswordEmail() {
 	tests := []struct {
diff --git a/api/service/service.go b/api/service/service.go
index 85ae8f63..877026e8 100644
--- a/api/service/service.go
+++ b/api/service/service.go
@@ -106,7 +106,6 @@ type SessionServicer interface {
 
 type AccountServicer interface {
 	GetAccount(ctx context.Context, accountId string) (*model.Account, error)
-	GetAccountMetrics(ctx context.Context, account *model.Account, timespan string) (*model.StatisticsAggregated, error)
 	UpdateAccount(ctx context.Context, accountId string, updates []model.AccountUpdate, mfa *model.MfaData) error
 	DeleteAccount(ctx context.Context, accountId string, req requests.AccountDeletionRequest, mfa *model.MfaData) error
 	GenerateDeletionCode(ctx context.Context, accountId string) (*responses.DeletionCodeResponse, error)
diff --git a/app/nginx.conf b/app/nginx.conf
index f6b8bda9..55410d6c 100644
--- a/app/nginx.conf
+++ b/app/nginx.conf
@@ -5,6 +5,36 @@ events {
 }
 
 http {
+    # Don't advertise the nginx version in the Server header or error pages —
+    # it hands attackers a version to match against known CVEs (gixy: version_disclosure).
+    server_tokens off;
+
+    # Compression — shrinks text assets (JS/CSS/JSON/SVG) 70-90% on the wire.
+    # Already-compressed formats (woff2, png, jpg) are intentionally excluded.
+    gzip on;
+    gzip_comp_level 6;
+    gzip_min_length 1024;
+    gzip_vary on;
+    gzip_proxied any;
+    gzip_types
+    text/plain
+    text/css
+    application/javascript
+    application/json
+    application/manifest+json
+    image/svg+xml
+    application/wasm;
+
+    # Cache-Control by file type, computed once so it can be set with a single
+    # server-level add_header (see below). Content-hashed assets (Vite emits e.g.
+    # index-AbC123.js) are immutable for a year; everything else — notably the
+    # un-hashed index.html entry point — must revalidate so deploys take effect.
+    # $uri is the normalized path (decoded, query string stripped).
+    map $uri $cache_control {
+        default "no-cache";
+        ~*\.(?:js|mjs|css|woff2?|ttf|eot|svg|png|jpe?g|gif|webp|avif|ico|wasm|map)$ "public, max-age=31536000, immutable";
+    }
+
     server {
         listen 80;
         root /usr/share/nginx/html/app;
@@ -19,18 +49,33 @@ http {
         add_header Cross-Origin-Resource-Policy "same-origin";
         add_header Origin-Agent-Cluster "?1";
         add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+
         # CSP: the sha256 hash whitelists the inline theme bootstrap script in index.html.
         # If that script changes, regenerate with:
         # python3 -c "import hashlib,base64,re;h=re.search(r'<script>(.*?)</script>',open('index.html').read(),re.DOTALL).group(1);print(base64.b64encode(hashlib.sha256(h.encode()).digest()).decode())"
         add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'sha256-cdVSBJUTkdt+/1Hv5fQ1ypvOVNP5cRMEKnfA9q6dHo4='; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self' ${VITE_API_URL} https://*.${VITE_DNS_CHECK_DOMAIN} ; frame-ancestors 'none'; base-uri 'self'; form-action 'self'" always;
+
         add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
+        # Per-request Cache-Control (map above). Set here at server level so the
+        # security headers above are NOT reset: nginx's add_header inherits into a
+        # location only if that location declares no add_header of its own
+        # (ngx_http_headers_module). Keeping every add_header at this level avoids
+        # that footgun — the asset location below intentionally adds none.
+        add_header Cache-Control $cache_control always;
 
         # Access Control
         include /etc/nginx/access_rules.conf;
 
+        # Content-hashed static assets get long-lived caching via $cache_control;
+        # this block only enforces that a missing asset 404s instead of falling
+        # through to the SPA's index.html. No add_header here — see note above.
+        location ~* \.(?:js|mjs|css|woff2?|ttf|eot|svg|png|jpe?g|gif|webp|avif|ico|wasm|map)$ {
+            try_files $uri =404;
+        }
+
         location / {
             alias /usr/share/nginx/html/app/;
             try_files $uri $uri/ /index.html;
         }
     }
-}
\ No newline at end of file
+}
diff --git a/app/src/App.tsx b/app/src/App.tsx
index 051de80a..77d89c55 100644
--- a/app/src/App.tsx
+++ b/app/src/App.tsx
@@ -29,6 +29,19 @@ const MobileconfigDownload = lazyWithRetry(() => import('@/pages/mobileconfig/Mo
 const HomeScreen = lazyWithRetry(() => import('./pages/home/HomeScreen'));
 const Landing = lazyWithRetry(() => import('./pages/landing/Landing'));
 
+// Maps a nav route to its lazy chunk's preloader. Nav components call this on
+// hover/focus/touch so the route's JS is warm by the time the user clicks —
+// turning first-visit-per-session tab switches from "download then render" into
+// "render immediately". Keys must stay in sync with NavigationMenu/BottomNav.
+const routePreload: Partial<Record<string, () => void>> = {
+  '/setup': () => { void Setup.preload(); },
+  '/blocklists': () => { void Blocklists.preload(); },
+  '/custom-rules': () => { void CustomRules.preload(); },
+  '/query-logs': () => { void Logs.preload(); },
+  '/settings': () => { void Settings.preload(); },
+  '/account-preferences': () => { void AccountPreferences.preload(); },
+};
+
 import { createBrowserRouter, RouterProvider, Navigate, Outlet, useLoaderData, useLocation, useNavigate, redirect, ScrollRestoration } from 'react-router-dom';
 import { ThemeProvider } from "@/components/theme-provider"
 import api from "@/api/api";
@@ -155,6 +168,44 @@ export const AuthProvider: React.FC<{ children: React.ReactNode }> = ({ children
   );
 };
 
+// Treats 401/404 from an API call as a session-expiry signal.
+function isAuthExpiryError(error: unknown): boolean {
+  const err = error as Record<string, unknown>;
+  const status = (err?.response as Record<string, unknown>)?.status ?? err?.status;
+  return status === 401 || status === 404;
+}
+
+// Background refresh of account+profiles for warm-cache navigations. Updates the
+// Zustand store in place and surfaces session expiry through the same event the
+// blocking loader path uses, so a stale-cache navigation still logs the user out
+// if their session died.
+function revalidateAccountAndProfiles() {
+  void Promise.allSettled([
+    api.Client.accountsApi.apiV1AccountsCurrentGet(),
+    api.Client.profilesApi.apiV1ProfilesGet(),
+  ]).then(([accountResult, profilesResult]) => {
+    const { setAccount, setProfiles, restoreActiveProfile } = useAppStore.getState();
+    if (accountResult.status === 'fulfilled') {
+      setAccount(accountResult.value.data as ModelAccount);
+    }
+    if (profilesResult.status === 'fulfilled') {
+      const profiles = profilesResult.value.data as ModelProfile[];
+      setProfiles(profiles);
+      restoreActiveProfile(profiles);
+    }
+    // A 401/404 from EITHER call means the session died — surface it once so a
+    // warm-cache navigation still logs the user out even if only the profiles
+    // call failed. (A 403 from /profiles in pending_delete state is intentionally
+    // not treated as expiry by isAuthExpiryError, so it won't trip this.)
+    const sessionExpired =
+      (accountResult.status === 'rejected' && isAuthExpiryError(accountResult.reason)) ||
+      (profilesResult.status === 'rejected' && isAuthExpiryError(profilesResult.reason));
+    if (sessionExpired) {
+      dispatch({ type: 'auth/sessionExpired' });
+    }
+  });
+}
+
 // Loader for protected routes that need both account and profiles data
 async function rootLoader() {
   try {
@@ -165,6 +216,19 @@ async function rootLoader() {
       throw redirect("/login");
     }
 
+    // Render-from-cache: on a warm client navigation (store already hydrated by
+    // a prior load), return the cached data synchronously and revalidate in the
+    // background. This removes the blocking account+profiles round-trip from
+    // every tab switch — the fetch below only runs on cold start / hard reload,
+    // where account/profiles are not persisted and the store is empty.
+    if (typeof window !== "undefined") {
+      const cached = useAppStore.getState();
+      if (cached.account && cached.profiles.length > 0) {
+        revalidateAccountAndProfiles();
+        return { account: cached.account, profiles: cached.profiles };
+      }
+    }
+
     // Use allSettled so a partial failure (e.g. /profiles returning 403 in
     // pending_delete subscription state, where /accounts/current is still
     // allowlisted by the server's subscription guard) does not collapse the
@@ -237,6 +301,23 @@ async function profilesOnlyLoader() {
       throw redirect("/login");
     }
 
+    // Render-from-cache: serve the hydrated store synchronously on warm
+    // navigations and revalidate profiles in the background (see rootLoader).
+    if (typeof window !== "undefined") {
+      const cached = useAppStore.getState();
+      if (cached.profiles.length > 0) {
+        void api.Client.profilesApi.apiV1ProfilesGet()
+          .then((res) => {
+            const { setProfiles, restoreActiveProfile } = useAppStore.getState();
+            const fresh = res.data as ModelProfile[];
+            setProfiles(fresh);
+            restoreActiveProfile(fresh);
+          })
+          .catch((e) => { if (isAuthExpiryError(e)) dispatch({ type: 'auth/sessionExpired' }); });
+        return { account: null, profiles: cached.profiles };
+      }
+    }
+
     const profilesRes = await api.Client.profilesApi.apiV1ProfilesGet();
 
     // Save to Zustand store
@@ -671,4 +752,4 @@ function App() {
 
 export default App;
 // eslint-disable-next-line react-refresh/only-export-components
-export { useAuth, AuthContext, RootIndexRedirect };
+export { useAuth, AuthContext, RootIndexRedirect, routePreload };
diff --git a/app/src/__tests__/mocks/apiMocks.ts b/app/src/__tests__/mocks/apiMocks.ts
index aa22c01f..3e8399f3 100644
--- a/app/src/__tests__/mocks/apiMocks.ts
+++ b/app/src/__tests__/mocks/apiMocks.ts
@@ -40,7 +40,6 @@ export function createMockAccount(overrides: Partial<ModelAccount> = {}): ModelA
     error_reports_consent: false,
     mfa: { totp: { enabled: false } },
     profiles: ['p1'],
-    queries: 0,
     ...overrides
   };
   return base;
diff --git a/app/src/api/client/api.ts b/app/src/api/client/api.ts
index a31846ae..830dc763 100644
--- a/app/src/api/client/api.ts
+++ b/app/src/api/client/api.ts
@@ -212,12 +212,6 @@ export interface ModelAccount {
      * @memberof ModelAccount
      */
     'profiles'?: Array<string>;
-    /**
-     * 
-     * @type {number}
-     * @memberof ModelAccount
-     */
-    'queries'?: number;
 }
 /**
  * 
diff --git a/app/src/components/navigation/BottomNav.tsx b/app/src/components/navigation/BottomNav.tsx
index 870f778e..bb6dcfb3 100644
--- a/app/src/components/navigation/BottomNav.tsx
+++ b/app/src/components/navigation/BottomNav.tsx
@@ -1,6 +1,7 @@
 import { useLocation, useNavigate } from "react-router-dom";
 import { GlobeIcon, ShieldIcon, ListIcon, FilterX, Menu } from "lucide-react";
 import { cn } from "@/lib/utils";
+import { routePreload } from "@/App";
 
 interface BottomNavProps {
   onMoreClick: () => void;
@@ -29,6 +30,9 @@ export default function BottomNav({ onMoreClick }: BottomNavProps) {
         <button
           key={path}
           onClick={() => navigate(path)}
+          onMouseEnter={() => routePreload[path]?.()}
+          onFocus={() => routePreload[path]?.()}
+          onTouchStart={() => routePreload[path]?.()}
           className={cn(
             "flex flex-col items-center justify-center flex-1 min-h-[56px] gap-0.5 text-xs transition-colors",
             isActive(path)
diff --git a/app/src/lib/lazyWithRetry.ts b/app/src/lib/lazyWithRetry.ts
index 50e52e4f..aa65d974 100644
--- a/app/src/lib/lazyWithRetry.ts
+++ b/app/src/lib/lazyWithRetry.ts
@@ -1,4 +1,11 @@
-import { lazy, ComponentType } from 'react';
+import { lazy, ComponentType, LazyExoticComponent } from 'react';
+
+/**
+ * A lazy component that can also be preloaded imperatively (e.g. on nav hover)
+ * to warm its chunk before the user clicks.
+ */
+export type PreloadableComponent<T extends ComponentType<unknown>> =
+  LazyExoticComponent<T> & { preload: () => Promise<{ default: T }> };
 
 /**
  * Wrapper around React.lazy that retries failed dynamic imports.
@@ -6,12 +13,16 @@ import { lazy, ComponentType } from 'react';
  * During Vite HMR, dynamic imports can fail when modules are invalidated.
  * This wrapper catches those failures and either retries the import
  * or forces a page reload to get fresh modules.
+ *
+ * The returned component also exposes `preload()`, which kicks off the same
+ * import ahead of render. The import promise is memoized, so preload() on hover
+ * followed by React.lazy resolving on click share a single in-flight request.
  */
 export function lazyWithRetry<T extends ComponentType<unknown>>(
   importFn: () => Promise<{ default: T }>,
   retries = 2
-): React.LazyExoticComponent<T> {
-  return lazy(async () => {
+): PreloadableComponent<T> {
+  const loadWithRetry = async (): Promise<{ default: T }> => {
     let lastError: Error | undefined;
 
     for (let attempt = 0; attempt <= retries; attempt++) {
@@ -61,5 +72,23 @@ export function lazyWithRetry<T extends ComponentType<unknown>>(
 
     // If we can't reload or it didn't help, throw the error
     throw lastError;
-  });
+  };
+
+  // Memoize the in-flight import so hover-preload and lazy-on-click dedupe.
+  // On failure we clear it so a later attempt can retry rather than replaying
+  // the rejected promise.
+  let cached: Promise<{ default: T }> | undefined;
+  const load = (): Promise<{ default: T }> => {
+    if (!cached) {
+      cached = loadWithRetry().catch((error) => {
+        cached = undefined;
+        throw error;
+      });
+    }
+    return cached;
+  };
+
+  const Component = lazy(load) as PreloadableComponent<T>;
+  Component.preload = load;
+  return Component;
 }
diff --git a/app/src/pages/navigation_menu/NavigationMenu.tsx b/app/src/pages/navigation_menu/NavigationMenu.tsx
index 5d4cc003..35affb2c 100644
--- a/app/src/pages/navigation_menu/NavigationMenu.tsx
+++ b/app/src/pages/navigation_menu/NavigationMenu.tsx
@@ -22,7 +22,7 @@ import modDNSLogoCollapsedBlack from '@/assets/logos/o_black_250.png';
 import { type JSX, useContext, useState } from "react";
 import { useLocation, useNavigate } from 'react-router-dom';
 import { useNavigationCollapse } from "@/context/NavigationCollapseContext";
-import { AuthContext } from "@/App";
+import { AuthContext, routePreload } from "@/App";
 import LogoutConfirmDialog from "@/components/dialogs/LogoutConfirmDialog";
 import api from "@/api/api";
 
@@ -181,6 +181,9 @@ export default function NavigationSection({ isMobile = false, onClose, offsetLef
                                 className={`flex ${isMobile ? 'min-h-12' : 'min-h-10'} w-full justify-start gap-2 rounded-md px-2 py-2 transition-colors focus:outline-none focus:ring-0 ${isActive(item.route) ? "bg-[var(--sidebar-accent-bg)] text-[var(--tailwind-colors-rdns-600)]" : "text-[var(--sidebar-foreground)] hover:bg-[var(--sidebar-muted)]"} ${!isMobile && collapsed ? "justify-center px-0" : "px-4"}`}
                                 title={!isMobile && collapsed ? item.label : undefined}
                                 onClick={() => handleNavigation(item.route)}
+                                onMouseEnter={() => routePreload[item.route]?.()}
+                                onFocus={() => routePreload[item.route]?.()}
+                                onTouchStart={() => routePreload[item.route]?.()}
                             >
                                 <span className={`flex items-center ${isActive(item.route) ? "text-[var(--tailwind-colors-rdns-600)]" : "text-[var(--sidebar-foreground)]"}`}>{item.icon}</span>
                                 {showLabels && (
diff --git a/libs/store/migrator/migrator.go b/libs/store/migrator/migrator.go
index 29f6a3f5..881b7455 100644
--- a/libs/store/migrator/migrator.go
+++ b/libs/store/migrator/migrator.go
@@ -1,57 +1,151 @@
 package migrator
 
 import (
+	"context"
+	"errors"
+	"fmt"
+	"time"
+
 	"github.com/golang-migrate/migrate/v4"
 	"github.com/golang-migrate/migrate/v4/database/mongodb"
 	_ "github.com/golang-migrate/migrate/v4/source/file"
 	"github.com/rs/zerolog/log"
+	"go.mongodb.org/mongo-driver/bson"
 	"go.mongodb.org/mongo-driver/mongo"
+	"go.mongodb.org/mongo-driver/mongo/options"
+)
+
+const (
+	// lockCollectionName mirrors mongodb.DefaultLockingCollection. Duplicated
+	// here so we can reach the collection without importing the driver's
+	// private internals.
+	lockCollectionName = "migrate_advisory_lock"
+	// lockTTLSeconds bounds how long a stale lock survives a crashed migration.
+	// Must exceed the Locking.Timeout below (300s) plus the longest realistic
+	// migration runtime so a slow-but-healthy migration is never evicted while
+	// still running.
+	lockTTLSeconds = 600
 )
 
 type DBMigrator struct {
 	migrator *migrate.Migrate
 }
 
+// migrateLogger adapts zerolog into golang-migrate's Logger interface
+// (Printf + Verbose). Without this, the library swallows its own per-step
+// logs ("scheduling", "running", "finished") and we only see what our wrapper
+// chooses to print — which makes "stuck dirty" failures invisible.
+type migrateLogger struct{}
+
+func (migrateLogger) Printf(format string, v ...interface{}) {
+	log.Info().Msgf("migrate: "+format, v...)
+}
+
+func (migrateLogger) Verbose() bool { return true }
+
 func NewMigrator(dbClient *mongo.Client, dbName, migrationsSource string) (*DBMigrator, error) {
 	driverMongo, err := mongodb.WithInstance(dbClient, &mongodb.Config{
 		DatabaseName: dbName,
+		// Advisory locking serializes Migrate() across concurrently-starting
+		// service instances. Without it, two pods can read the same clean
+		// version, both mark dirty, and one observes the other's dirty state
+		// and crashes — leaving the migrations table stuck dirty even though
+		// the underlying operation succeeded. Timeout is generous so a slow
+		// index build on a large collection doesn't starve a peer's startup.
+		Locking: mongodb.Locking{
+			Enabled: true,
+			Timeout: 300,
+		},
 	})
 	if err != nil {
 		return nil, err
 	}
+	// WithInstance has just created the lock collection. Add a TTL on its
+	// created_at field so a stale lock (from a crashed migration) self-cleans
+	// instead of blocking every subsequent deploy. Best-effort: a TTL failure
+	// here would only impair self-healing, not correctness, so it must not
+	// prevent service startup.
+	ensureLockTTL(dbClient, dbName)
+
 	m, err := migrate.NewWithDatabaseInstance(
 		migrationsSource,
 		dbName, driverMongo)
 	if err != nil {
 		return nil, err
 	}
+	m.Log = migrateLogger{}
 	return &DBMigrator{migrator: m}, nil
 }
 
-func (m *DBMigrator) Migrate() error {
-	versionBefore, dirty, err := m.migrator.Version()
+// ensureLockTTL creates a TTL index on migrate_advisory_lock.created_at if
+// one doesn't already exist. createIndex is idempotent for matching specs,
+// so this is safe to call on every startup. Any error is logged and swallowed
+// — the worst-case effect of failure is that stale locks need manual cleanup,
+// which is the pre-patch status quo.
+func ensureLockTTL(dbClient *mongo.Client, dbName string) {
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+
+	coll := dbClient.Database(dbName).Collection(lockCollectionName)
+	ttl := int32(lockTTLSeconds)
+	_, err := coll.Indexes().CreateOne(ctx, mongo.IndexModel{
+		Keys: bson.D{{Key: "created_at", Value: 1}},
+		Options: options.Index().
+			SetName("created_at_ttl").
+			SetExpireAfterSeconds(ttl),
+	})
 	if err != nil {
-		if err != migrate.ErrNilVersion {
-			log.Error().Err(err).Msg("Failed to get DB version before migrations")
-			return err
-		}
+		log.Warn().Err(err).Str("collection", lockCollectionName).Msg("Failed to ensure TTL index on migration lock collection; stale locks may need manual cleanup")
+		return
 	}
-	log.Info().Uint("version", versionBefore).Bool("dirty", dirty).Msgf("DB version before migrations: %v", versionBefore)
-
-	if err := m.migrator.Up(); err != nil {
-		if err == migrate.ErrNoChange {
-			log.Info().Msg("No migrations to apply")
-		} else {
-			log.Error().Err(err).Msg("Failed to apply DB migrations")
-			return err
+	log.Debug().Str("collection", lockCollectionName).Int32("ttl_seconds", ttl).Msg("Ensured TTL index on migration lock collection")
+}
+
+func (m *DBMigrator) Migrate() error {
+	versionBefore, dirtyBefore, err := m.migrator.Version()
+	if err != nil && err != migrate.ErrNilVersion {
+		log.Error().Err(err).Msg("Failed to get DB version before migrations")
+		return err
+	}
+	log.Info().Uint("version", versionBefore).Bool("dirty", dirtyBefore).Msg("DB version before migrations")
+
+	upErr := m.migrator.Up()
+	switch {
+	case upErr == nil:
+		log.Info().Msg("Migrations applied successfully")
+	case errors.Is(upErr, migrate.ErrNoChange):
+		log.Info().Msg("No migrations to apply")
+	default:
+		// Type-discriminate so the operator gets an actionable message
+		// instead of a generic "Failed to apply DB migrations".
+		var dirtyErr migrate.ErrDirty
+		switch {
+		case errors.As(upErr, &dirtyErr):
+			log.Error().
+				Err(upErr).
+				Int("dirty_version", dirtyErr.Version).
+				Msg("Cannot migrate: database is in dirty state. Recover with: db.schema_migrations.updateOne({}, {$set: {dirty: false}})")
+		case errors.Is(upErr, migrate.ErrLocked):
+			log.Error().Err(upErr).Msg("Cannot acquire migration lock (another instance is migrating or stale lock — check migrate_advisory_lock collection)")
+		default:
+			log.Error().Err(upErr).Str("error_type", fmt.Sprintf("%T", upErr)).Msg("Failed to apply DB migrations")
 		}
+		return upErr
 	}
 
-	versionAfter, dirty, err := m.migrator.Version()
-	if err != nil {
-		log.Error().Err(err).Msg("Failed to get DB version after migrations")
-		return err
+	versionAfter, dirtyAfter, verErr := m.migrator.Version()
+	if verErr != nil {
+		log.Error().Err(verErr).Msg("Failed to get DB version after migrations")
+		return verErr
 	}
-	log.Info().Uint("version", versionAfter).Bool("dirty", dirty).Msgf("DB version after migrations: %v", versionAfter)
+	log.Info().Uint("version", versionAfter).Bool("dirty", dirtyAfter).Msg("DB version after migrations")
+
+	// Previously we returned nil even when the post-migration state was dirty,
+	// silently leaving the API running against a half-migrated schema. Surface
+	// it as a hard failure so main.go's log.Panic fires with a clear message.
+	if dirtyAfter {
+		return fmt.Errorf("migration completed but schema_migrations still marked dirty at version %d — manual recovery required", versionAfter)
+	}
+
 	return nil
 }
diff --git a/scripts/validate-nginx.sh b/scripts/validate-nginx.sh
new file mode 100755
index 00000000..fa10f9cd
--- /dev/null
+++ b/scripts/validate-nginx.sh
@@ -0,0 +1,101 @@
+#!/usr/bin/env bash
+# validate-nginx.sh — Validate app/nginx.conf: syntax (`nginx -t`) + security scan (gixy).
+#
+# The config is a deploy-time template, so validation can't run on the raw file:
+#   1. ${VITE_API_URL} / ${VITE_DNS_CHECK_DOMAIN} are substituted by envsubst in
+#      the Dockerfile. nginx parses `$...` as variable references even inside
+#      quoted strings, so the un-rendered template fails with "unknown variable".
+#      We render it with dummy values (we only check structure, not the URLs).
+#   2. `include /etc/nginx/access_rules.conf` is mounted at deploy time. The
+#      nginx -t step stubs it with an empty file; the gixy step uses
+#      --disable-includes so it doesn't try to follow host-only includes.
+#
+# Stage 1 (nginx -t) runs in the SAME nginx image pinned in app/Dockerfile, so the
+# directive set tested matches production exactly.
+# Stage 2 (gixy) uses gixy-ng — the maintained fork — for security findings such as
+# version disclosure, add_header pitfalls, and SSRF/host-header issues.
+#
+# Usage: ./scripts/validate-nginx.sh [path/to/nginx.conf]
+#   Defaults to app/nginx.conf relative to the repo root.
+#   SKIP_GIXY=1 runs syntax only (e.g. offline — gixy pip-installs in a container).
+#
+# Requirements: docker, envsubst (gettext). The gixy stage needs network on first
+# run to pip-install gixy-ng inside the python container.
+#
+# Exit codes:
+#   0 — configuration is valid and clean
+#   1 — nginx -t syntax test failed
+#   2 — missing prerequisite (docker / envsubst / config file)
+#   3 — gixy ran and reported security findings (CI treats as advisory)
+#   4 — gixy could not run (image pull / pip / docker failure; CI must NOT ignore)
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+REPO_ROOT="$(cd "${SCRIPT_DIR}/.." && pwd)"
+
+CONF="${1:-${REPO_ROOT}/app/nginx.conf}"
+DOCKERFILE="${REPO_ROOT}/app/Dockerfile"
+GIXY_IMAGE="${GIXY_IMAGE:-python:3.12-alpine}"
+
+# gixy-ng (getpagespeed fork) bundles performance opinions alongside security
+# checks. Skip the non-security ones so the gate reflects security posture:
+#   try_files_is_evil_too            — perf blog opinion; try_files is the standard
+#                                      SPA routing pattern for this static bundle.
+#   worker_rlimit_nofile_vs_connections — ops/fd tuning, managed at the container
+#                                      runtime level, not a config security issue.
+GIXY_SKIPS="try_files_is_evil_too,worker_rlimit_nofile_vs_connections"
+
+# Dummy values — we only care about structure, not the substituted URLs.
+export VITE_API_URL="${VITE_API_URL:-https://api.example.com}"
+export VITE_DNS_CHECK_DOMAIN="${VITE_DNS_CHECK_DOMAIN:-check.example.com}"
+
+err() { echo "validate-nginx: $*" >&2; }
+
+command -v docker   >/dev/null 2>&1 || { err "docker not found"; exit 2; }
+command -v envsubst >/dev/null 2>&1 || { err "envsubst not found (install gettext)"; exit 2; }
+[ -f "${CONF}" ] || { err "config not found: ${CONF}"; exit 2; }
+
+# Stay in sync with production: use the nginx image pinned in app/Dockerfile.
+NGINX_IMAGE="$(sed -n 's/^FROM \(nginx:[^ ]*\).*/\1/p' "${DOCKERFILE}" 2>/dev/null | head -1)"
+NGINX_IMAGE="${NGINX_IMAGE:-nginx:alpine}"
+
+# Render into a temp dir UNDER the repo. snap-confined docker cannot bind-mount
+# /tmp, and it rejects single-file mounts, so we mount this directory instead.
+WORK="$(mktemp -d "${REPO_ROOT}/.nginx-validate.XXXXXX")"
+trap 'rm -rf "${WORK}"' EXIT
+
+REL="${CONF#"${REPO_ROOT}/"}"
+envsubst '${VITE_API_URL} ${VITE_DNS_CHECK_DOMAIN}' < "${CONF}" > "${WORK}/nginx.conf"
+
+echo "validate-nginx: [1/2] syntax check ${REL} (${NGINX_IMAGE})"
+docker run --rm -v "${WORK}:/work:ro" "${NGINX_IMAGE}" sh -c '
+  cp /work/nginx.conf /etc/nginx/nginx.conf &&
+  : > /etc/nginx/access_rules.conf &&
+  nginx -t
+' || { err "nginx -t failed"; exit 1; }
+
+if [ "${SKIP_GIXY:-0}" = "1" ]; then
+  echo "validate-nginx: [2/2] gixy scan skipped (SKIP_GIXY=1)"
+else
+  echo "validate-nginx: [2/2] security scan (gixy-ng)"
+  # Distinguish "gixy ran and found issues" from "gixy never ran". The inner
+  # script exits 40 if setup (pip) fails; docker itself returns 125-127 if the
+  # image can't be pulled or the container can't start. Everything else non-zero
+  # is gixy's own exit — i.e. real findings. Conflating the two would let a
+  # broken scanner pass silently when CI downgrades findings to a warning.
+  set +e
+  docker run --rm -e GIXY_SKIPS="${GIXY_SKIPS}" -v "${WORK}:/work:ro" "${GIXY_IMAGE}" sh -c '
+    pip install --quiet --disable-pip-version-check --root-user-action=ignore gixy-ng || exit 40
+    gixy --disable-includes --skips="${GIXY_SKIPS}" /work/nginx.conf
+  '
+  rc=$?
+  set -e
+  case "${rc}" in
+    0) ;;
+    40|125|126|127) err "gixy could not run (setup/docker failure, rc=${rc})"; exit 4 ;;
+    *) err "gixy reported security findings (rc=${rc})"; exit 3 ;;
+  esac
+fi
+
+echo "validate-nginx: OK"
diff --git a/tests/moddns_client/moddns/models/model_account.py b/tests/moddns_client/moddns/models/model_account.py
index 09242725..c3ec797e 100644
--- a/tests/moddns_client/moddns/models/model_account.py
+++ b/tests/moddns_client/moddns/models/model_account.py
@@ -17,7 +17,7 @@
 import re  # noqa: F401
 import json
 
-from pydantic import BaseModel, ConfigDict, StrictBool, StrictInt, StrictStr
+from pydantic import BaseModel, ConfigDict, StrictBool, StrictStr
 from typing import Any, ClassVar, Dict, List, Optional
 from moddns.models.model_mfa_settings import ModelMFASettings
 from typing import Optional, Set
@@ -34,8 +34,7 @@ class ModelAccount(BaseModel):
     id: Optional[StrictStr] = None
     mfa: Optional[ModelMFASettings] = None
     profiles: Optional[List[StrictStr]] = None
-    queries: Optional[StrictInt] = None
-    __properties: ClassVar[List[str]] = ["auth_methods", "email", "email_verified", "error_reports_consent", "id", "mfa", "profiles", "queries"]
+    __properties: ClassVar[List[str]] = ["auth_methods", "email", "email_verified", "error_reports_consent", "id", "mfa", "profiles"]
 
     model_config = ConfigDict(
         populate_by_name=True,
@@ -97,8 +96,7 @@ def from_dict(cls, obj: Optional[Dict[str, Any]]) -> Optional[Self]:
             "error_reports_consent": obj.get("error_reports_consent"),
             "id": obj.get("id"),
             "mfa": ModelMFASettings.from_dict(obj["mfa"]) if obj.get("mfa") is not None else None,
-            "profiles": obj.get("profiles"),
-            "queries": obj.get("queries")
+            "profiles": obj.get("profiles")
         })
         return _obj
 
diff --git a/tests/moddns_client/moddns/models/model_subscription.py b/tests/moddns_client/moddns/models/model_subscription.py
index 9d78b245..264f6803 100644
--- a/tests/moddns_client/moddns/models/model_subscription.py
+++ b/tests/moddns_client/moddns/models/model_subscription.py
@@ -31,8 +31,9 @@ class ModelSubscription(BaseModel):
     outage: Optional[StrictBool] = None
     status: Optional[ModelSubscriptionStatus] = Field(default=None, description="Computed fields (not persisted)")
     tier: Optional[StrictStr] = None
+    type: Optional[StrictStr] = Field(default=None, description="Type is a legacy pre-0.1.8 enum (\"Free\"/\"Managed\") retained so old documents surface to clients (the beta-ending banner gates on Type == \"Managed\"). Cleared to \"\" by the resync flow once the user re-syncs with IVPN.")
     updated_at: Optional[StrictStr] = None
-    __properties: ClassVar[List[str]] = ["active_until", "outage", "status", "tier", "updated_at"]
+    __properties: ClassVar[List[str]] = ["active_until", "outage", "status", "tier", "type", "updated_at"]
 
     model_config = ConfigDict(
         populate_by_name=True,
@@ -89,6 +90,7 @@ def from_dict(cls, obj: Optional[Dict[str, Any]]) -> Optional[Self]:
             "outage": obj.get("outage"),
             "status": obj.get("status"),
             "tier": obj.get("tier"),
+            "type": obj.get("type"),
             "updated_at": obj.get("updated_at")
         })
         return _obj