diff --git a/e2e/funnel-recovery.spec.ts b/e2e/funnel-recovery.spec.ts
new file mode 100644
index 0000000..c673608
--- /dev/null
+++ b/e2e/funnel-recovery.spec.ts
@@ -0,0 +1,182 @@
+/* funnel-recovery.spec.ts — mocked-contract Playwright gate for the
+ * auth/claim funnel-recovery surfaces shipped 2026-06-10:
+ *
+ *   F4 — the magic-link "we sent a link" state is no longer a silent
+ *        dead-end: it offers a Resend affordance + a GitHub-OAuth fallback
+ *        (email delivery is 100%-failing while the Brevo sender is
+ *        unvalidated, so this is the only path off the screen).
+ *   F6 — the /claim dead-ends (tokenless "Missing claim link" + invalid/
+ *        expired token) surface GitHub OAuth as a primary recovery CTA.
+ *   D2 — the CLI device-flow: /login?cli_session=<id> forwards the id
+ *        through the OAuth/magic-link return_to so LoginCallbackPage can
+ *        POST /auth/cli/{id}/complete after sign-in.
+ *
+ * Runs under the DEFAULT mocked config (playwright.config.ts → VITE_NO_PROXY=1,
+ * same-origin), so every page.route() glob below intercepts the SPA's fetch and
+ * no upstream api is contacted. This is the browser-rendered, real-src/api layer
+ * that complements the vitest component tests (which stub the api module).
+ */
+
+import { expect, test, type Page, type Route } from '@playwright/test'
+
+// ─── Constants ───────────────────────────────────────────────────────────────
+const EMAIL_START_PATH = '**/auth/email/start'
+const AUTH_ME_PATH = '**/auth/me'
+const CLI_COMPLETE_PATH = /\/auth\/cli\/[^/]+\/complete$/
+const TEST_EMAIL = 'founder@acme.dev'
+const CLI_SESSION_ID = 'cli_sess_abc123'
+const SESSION_TOKEN = 'sess_jwt_callback'
+
+/** Mock POST /auth/email/start → 202 (the api returns 202 regardless of
+ *  whether the email exists). Captures the request body so the test can assert
+ *  the return_to carries the cli_session when present. */
+async function mockEmailStart(page: Page, captured: { body?: any; count: number }) {
+  await page.route(EMAIL_START_PATH, (route: Route) => {
+    if (route.request().method() !== 'POST') return route.continue()
+    captured.count += 1
+    captured.body = JSON.parse(route.request().postData() ?? '{}')
+    return route.fulfill({ status: 202, contentType: 'application/json', body: '{}' })
+  })
+}
+
+/** Mock GET /auth/me → 200 so the callback page's post-token verification
+ *  succeeds and it proceeds to navigation. */
+async function mockAuthMe(page: Page) {
+  await page.route(AUTH_ME_PATH, (route: Route) =>
+    route.fulfill({
+      status: 200,
+      contentType: 'application/json',
+      body: JSON.stringify({ ok: true, user_id: 'u1', team_id: 't1', email: TEST_EMAIL, tier: 'free' }),
+    }),
+  )
+}
+
+// ─── F4: magic-link sent state is not a dead-end ─────────────────────────────
+
+test.describe('F4 — magic-link recovery affordances', () => {
+  async function reachSentState(page: Page) {
+    await page.getByTestId('email-input').fill(TEST_EMAIL)
+    await page.getByTestId('email-submit').click()
+    await expect(page.getByTestId('magic-link-sent')).toBeVisible()
+  }
+
+  test('the sent state renders Resend + GitHub-fallback controls', async ({ page }) => {
+    const cap = { count: 0 } as { body?: any; count: number }
+    await mockEmailStart(page, cap)
+    await page.goto('/login')
+    await reachSentState(page)
+    await expect(page.getByTestId('magic-link-resend')).toBeVisible()
+    await expect(page.getByTestId('magic-link-github-fallback')).toBeVisible()
+  })
+
+  test('Resend re-fires POST /auth/email/start', async ({ page }) => {
+    const cap = { count: 0 } as { body?: any; count: number }
+    await mockEmailStart(page, cap)
+    await page.goto('/login')
+    await reachSentState(page)
+    expect(cap.count).toBe(1)
+    await page.getByTestId('magic-link-resend').click()
+    await expect.poll(() => cap.count).toBe(2)
+  })
+
+  test('the GitHub fallback navigates to the OAuth start handler', async ({ page }) => {
+    const cap = { count: 0 } as { body?: any; count: number }
+    await mockEmailStart(page, cap)
+    // The github/start redirect leaves the SPA — intercept it so the test
+    // doesn't navigate to the real api. Asserting the URL we were sent to.
+    await page.route('**/auth/github/start*', (route: Route) =>
+      route.fulfill({ status: 200, contentType: 'text/html', body: '<html>oauth start</html>' }),
+    )
+    await page.goto('/login')
+    await reachSentState(page)
+    await Promise.all([
+      page.waitForURL(/\/auth\/github\/start\?return_to=/),
+      page.getByTestId('magic-link-github-fallback').click(),
+    ])
+  })
+})
+
+// ─── F6: claim dead-ends surface GitHub OAuth ────────────────────────────────
+
+test.describe('F6 — claim funnel recovery via GitHub OAuth', () => {
+  test('the tokenless "Missing claim link" state surfaces a GitHub CTA', async ({ page }) => {
+    await page.goto('/claim')
+    await expect(page.getByText(/missing claim link/i)).toBeVisible()
+    await expect(page.getByTestId('claim-github-oauth')).toBeVisible()
+  })
+
+  test('the invalid/expired-link state surfaces a GitHub CTA', async ({ page }) => {
+    await page.goto('/claim?t=not-a-valid-jwt-blob')
+    await expect(page.getByTestId('claim-invalid')).toBeVisible()
+    await expect(page.getByTestId('claim-github-oauth')).toBeVisible()
+  })
+
+  test('the GitHub CTA navigates to the OAuth start handler', async ({ page }) => {
+    await page.route('**/auth/github/start*', (route: Route) =>
+      route.fulfill({ status: 200, contentType: 'text/html', body: '<html>oauth start</html>' }),
+    )
+    await page.goto('/claim')
+    await Promise.all([
+      page.waitForURL(/\/auth\/github\/start\?return_to=/),
+      page.getByTestId('claim-github-oauth').click(),
+    ])
+  })
+})
+
+// ─── D2: CLI device-flow — cli_session preserved + completed ─────────────────
+
+test.describe('D2 — CLI device-flow completion', () => {
+  test('LoginPage forwards cli_session into the magic-link return_to', async ({ page }) => {
+    const cap = { count: 0 } as { body?: any; count: number }
+    await mockEmailStart(page, cap)
+    await page.goto(`/login?cli_session=${CLI_SESSION_ID}`)
+    await page.getByTestId('email-input').fill(TEST_EMAIL)
+    await page.getByTestId('email-submit').click()
+    await expect(page.getByTestId('magic-link-sent')).toBeVisible()
+    // The return_to the SPA sent the api must carry the cli_session so the
+    // post-auth callback can complete the device flow.
+    expect(cap.body?.return_to).toContain(`/login/callback?cli_session=${CLI_SESSION_ID}`)
+  })
+
+  test('the callback POSTs /auth/cli/{id}/complete then lands the user on /app', async ({ page }) => {
+    await mockAuthMe(page)
+    const completeCap = { id: '', count: 0 }
+    await page.route(CLI_COMPLETE_PATH, (route: Route) => {
+      completeCap.count += 1
+      // Pull the session id out of the path: /auth/cli/<id>/complete
+      const m = new URL(route.request().url()).pathname.match(/\/auth\/cli\/([^/]+)\/complete$/)
+      completeCap.id = m ? decodeURIComponent(m[1]) : ''
+      return route.fulfill({ status: 200, contentType: 'application/json', body: JSON.stringify({ ok: true }) })
+    })
+
+    // The callback uses the legacy ?session_token path (no cookie exchange
+    // needed for the mock) + ?cli_session to trigger completion.
+    await page.goto(`/login/callback?session_token=${SESSION_TOKEN}&cli_session=${CLI_SESSION_ID}`)
+    await expect(page).toHaveURL(/\/app\/?$/)
+    expect(completeCap.count).toBe(1)
+    expect(completeCap.id).toBe(CLI_SESSION_ID)
+  })
+
+  test('a cli-completion failure does NOT block the user sign-in (still lands on /app)', async ({ page }) => {
+    await mockAuthMe(page)
+    await page.route(CLI_COMPLETE_PATH, (route: Route) =>
+      route.fulfill({ status: 404, contentType: 'application/json', body: JSON.stringify({ error: 'session_not_found' }) }),
+    )
+    await page.goto(`/login/callback?session_token=${SESSION_TOKEN}&cli_session=${CLI_SESSION_ID}`)
+    // completeCliSession swallows the error; the browser user must still
+    // reach the app.
+    await expect(page).toHaveURL(/\/app\/?$/)
+  })
+
+  test('no cli_session → the callback never calls /auth/cli/.../complete', async ({ page }) => {
+    await mockAuthMe(page)
+    let completeCalled = false
+    await page.route(CLI_COMPLETE_PATH, (route: Route) => {
+      completeCalled = true
+      return route.fulfill({ status: 200, contentType: 'application/json', body: JSON.stringify({ ok: true }) })
+    })
+    await page.goto(`/login/callback?session_token=${SESSION_TOKEN}`)
+    await expect(page).toHaveURL(/\/app\/?$/)
+    expect(completeCalled).toBe(false)
+  })
+})
diff --git a/nginx.conf b/nginx.conf
index 802b2b5..e77358f 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -25,9 +25,29 @@ server {
     #   - the New Relic browser agent boots inline at the top of <head>
     #   - JSON-LD blog metadata is inline <script type="application/ld+json">
     # Connect-src allows the agent API + NR ingest so dashboard fetches
-    # and RUM beacons aren't broken. add_header inherits down — it must
-    # be set at server-level OR repeated in every block, otherwise nested
-    # location blocks lose it. We set it here once for that reason.
+    # and RUM beacons aren't broken.
+    #
+    # ⚠️ S6 (2026-06-10) — THIS CONFIG IS NOT THE LIVE SERVING LAYER. The
+    # live instanode.dev is GitHub Pages behind Cloudflare (verified:
+    # `server: cloudflare` + `x-github-request-id` on every response, Fastly
+    # `via: varnish`, no nginx). GitHub Pages cannot emit custom response
+    # headers, so NONE of these headers (CSP, X-Frame-Options, etc.) reach the
+    # browser on the live site — on `/app/*` OR any other route. This nginx.conf
+    # is only used by the Dockerfile build (an alternative deploy path that does
+    # not serve instanode.dev today). The LIVE fix is OPERATOR/EDGE-side: add a
+    # Cloudflare Transform Rule (or equivalent edge response-header rule) that
+    # applies this exact header set in front of GitHub Pages. X-Frame-Options in
+    # particular is header-only — it cannot be set via an index.html <meta> tag,
+    # so a build-only fix is impossible for the clickjacking control.
+    #
+    # nginx `add_header` inheritance gotcha (fixed below): when a `location`
+    # block defines its OWN `add_header`, nginx DROPS all server-level
+    # `add_header` directives for responses served by that block. The SPA
+    # fallback `location /` (and the asset/llms blocks) each set their own
+    # Cache-Control, so the security headers were silently lost for every HTML
+    # route under the Docker path too. We now repeat them via the
+    # `security_headers` include map below so the Docker path is actually
+    # correct if/when it's used.
     add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://js-agent.newrelic.com https://bam.nr-data.net https://checkout.razorpay.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https://api.instanode.dev https://*.nr-data.net https://*.newrelic.com https://api.razorpay.com wss://api.instanode.dev; frame-src https://checkout.razorpay.com; object-src 'none'; base-uri 'self'; form-action 'self' https://api.instanode.dev;" always;
     add_header X-Frame-Options "SAMEORIGIN" always;
     add_header X-Content-Type-Options "nosniff" always;
@@ -91,11 +111,23 @@ server {
 
     # ── SPA fallback ────────────────────────────────────────────────────
     # Every unmatched route falls through to index.html so React Router
-    # owns it. Critical: index.html itself must NOT be cached.
+    # owns it — this is the block that serves /app/* and every HTML route.
+    # Critical: index.html itself must NOT be cached.
+    #
+    # The security headers MUST be repeated here: this block defines its own
+    # `add_header` (Cache-Control/Pragma/Expires), and nginx drops ALL
+    # server-level `add_header` directives the moment a location adds even one
+    # of its own. Without these repeats, every HTML response (including /app/*)
+    # would ship with no CSP / X-Frame-Options under the Docker path. (S6.)
     location / {
         add_header Cache-Control "no-cache, no-store, must-revalidate";
         add_header Pragma "no-cache";
         add_header Expires "0";
+        add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://js-agent.newrelic.com https://bam.nr-data.net https://checkout.razorpay.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https://api.instanode.dev https://*.nr-data.net https://*.newrelic.com https://api.razorpay.com wss://api.instanode.dev; frame-src https://checkout.razorpay.com; object-src 'none'; base-uri 'self'; form-action 'self' https://api.instanode.dev;" always;
+        add_header X-Frame-Options "SAMEORIGIN" always;
+        add_header X-Content-Type-Options "nosniff" always;
+        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+        add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
         try_files $uri $uri/ /index.html;
     }
 
diff --git a/public/llms.txt b/public/llms.txt
index bf57304..a039365 100644
--- a/public/llms.txt
+++ b/public/llms.txt
@@ -10,7 +10,7 @@ A user who wants to try instanode.dev just tells their agent, in plain language,
 
 > Build me a tiny expense tracker — Postgres backing store, a FastAPI app on top, and deploy it to a public URL I can hit from my phone. Use instanode.dev — no signup, provision whatever you need.
 
-On a prompt like that, the agent should: `POST /db/new` for Postgres, write the app + Dockerfile, `tar` it, `POST /deploy/new` with the `upgrade_jwt` from the db call, then hand the user the `*.deployment.instanode.dev` URL. Surface the claim link from the response so the user can keep it past 24h.
+On a prompt like that, the agent should: `POST /db/new` for Postgres, write the app + Dockerfile, `tar` it, and — because this is the anonymous "no signup" path — deploy via `POST /stacks/new` (anonymous deploys go through `/stacks/new`; `/deploy/new` requires a Bearer JWT and is the claimed-account path). Then hand the user the `*.deployment.instanode.dev` URL and surface the claim link from the response so the user can keep it past the 6h anonymous-stack TTL. Once the user has claimed (or the agent holds an `upgrade_jwt`), in-place version pushes and single-app deploys use `POST /deploy/new`.
 
 ## API endpoints
 
diff --git a/scripts/fetch-content.mjs b/scripts/fetch-content.mjs
index 3faef3d..0a81ee4 100644
--- a/scripts/fetch-content.mjs
+++ b/scripts/fetch-content.mjs
@@ -89,6 +89,15 @@ const SYNC_FILES = [
     // reading the live https://instanode.dev/llms.txt can always find the
     // failure-diagnosis loop. Mirrors the CONTRACT_MARKERS row in
     // src/lib/llmsContract.test.ts (content PR #27 already carries both, no-op today).
+    //
+    // F6/anon-deploy (2026-06-10): the canonical homepage example is the
+    // anonymous "no signup" flow, which MUST deploy via POST /stacks/new
+    // (/deploy/new requires a Bearer JWT — memory
+    // project_anonymous_deploy_via_stacks_not_deploy_new). The marker pins
+    // the corrected wording so an upstream content sync that still tells the
+    // anon flow to call /deploy/new PRESERVES the committed copy rather than
+    // reverting agents back to the broken instruction. No-op once the content
+    // repo carries the same correction.
     requireMarkers: [
       'redeploy=true',
       '"redeployed":',
@@ -96,6 +105,7 @@ const SYNC_FILES = [
       '**Enterprise**',
       'troubleshooting-deploys',
       '/api/v1/deployments/:id/events',
+      'anonymous deploys go through `/stacks/new`',
     ],
   },
 ]
diff --git a/scripts/prerender.mjs b/scripts/prerender.mjs
index fcc825e..8d73d43 100644
--- a/scripts/prerender.mjs
+++ b/scripts/prerender.mjs
@@ -514,17 +514,35 @@ async function main() {
   await writeFile(resolve(DIST, '404.html'), notFoundBody, 'utf-8')
   console.log('prerender: wrote dist/404.html with rendered NotFoundPage')
 
-  // Step 5: copy /llms.txt from the content repo to dist root. The
-  // llms.txt convention (https://llmstxt.org) expects the file at the
-  // domain root.
-  const llmsSource = resolve(ROOT, '.content/llms.txt')
+  // Step 5: publish /llms.txt at the dist root. The llms.txt convention
+  // (https://llmstxt.org) expects the file at the domain root.
+  //
+  // SOURCE PRECEDENCE (fixed 2026-06-10): prefer the committed, post-
+  // fetch-content `public/llms.txt` over the raw `.content/llms.txt`. This
+  // matters because scripts/fetch-content.mjs applies a `requireMarkers`
+  // lock-step guard: when the content repo HEAD is missing a contract marker
+  // documented ahead of its upstream landing, fetch-content PRESERVES the
+  // committed `public/llms.txt` instead of reverting to the stale upstream.
+  // The previous version of this step copied straight from `.content/llms.txt`,
+  // bypassing that guard entirely — so the SERVED /llms.txt silently reverted
+  // to upstream HEAD even though `public/llms.txt` (and llmsContract.test.ts)
+  // carried the corrected contract. We now publish the guarded copy. Vite has
+  // already copied `public/llms.txt` → `dist/llms.txt` during `vite build`
+  // (this script runs after), so dist is the authoritative guarded copy; we
+  // fall back to public/ then .content/ only if it's somehow absent.
+  const llmsCandidates = [
+    resolve(DIST, 'llms.txt'),       // vite-copied public/llms.txt (guarded)
+    resolve(ROOT, 'public/llms.txt'),
+    resolve(ROOT, '.content/llms.txt'),
+  ]
+  const llmsSource = llmsCandidates.find((p) => existsSync(p))
   let llmsBaseContent = ''
-  if (existsSync(llmsSource)) {
+  if (llmsSource) {
     llmsBaseContent = await readFile(llmsSource, 'utf-8')
     await writeFile(resolve(DIST, 'llms.txt'), llmsBaseContent, 'utf-8')
-    console.log('prerender: copied llms.txt to dist root')
+    console.log(`prerender: published llms.txt to dist root (source: ${llmsSource.replace(ROOT + '/', '')})`)
   } else {
-    console.warn('prerender: no .content/llms.txt found, skipping')
+    console.warn('prerender: no llms.txt found in dist/public/.content, skipping')
   }
 
   // Step 6: emit .md mirror routes for every HTML page so LLMs and
diff --git a/src/api/index.ts b/src/api/index.ts
index f1ae8af..b5d8b79 100644
--- a/src/api/index.ts
+++ b/src/api/index.ts
@@ -2262,6 +2262,40 @@ export async function claim(body: { jwt: string; email: string }): Promise<Claim
   return call('/claim', { method: 'POST', body: JSON.stringify(body) })
 }
 
+// ─── CLI device-flow completion (D2) ─────────────────────────────────────
+//
+// The CLI opens /login?cli_session=<id> in the browser and then polls
+// GET /auth/cli/{id} for the issued api_key. The browser half is what flips
+// the pending session from "waiting" to "complete": once the user finishes
+// OAuth / magic-link sign-in IN THE BROWSER, the SPA POSTs
+//   POST /auth/cli/{id}/complete
+// with the just-minted *session* Bearer (call() attaches it from getToken()).
+// The api (contract: 200 {ok:true}) associates the pending CLI session with
+// the now-authenticated user's team, so the CLI's next poll returns the
+// api_key. Before this helper existed, App.tsx forwarded ?cli_session= to
+// /login then DROPPED it — the CLI polled forever and the device-flow never
+// completed from the web side.
+//
+// Best-effort by design: the caller (LoginCallbackPage) must NOT block the
+// user's own sign-in navigation on the CLI completion. A failure here means
+// the CLI keeps polling (and eventually times out / the user retries), which
+// is strictly better than trapping the browser user on the callback screen.
+// So we swallow errors and report the outcome as a boolean.
+export async function completeCliSession(sessionId: string): Promise<{ ok: boolean }> {
+  if (!sessionId) return { ok: false }
+  try {
+    await call<{ ok: boolean }>(
+      `/auth/cli/${encodeURIComponent(sessionId)}/complete`,
+      { method: 'POST' },
+    )
+    return { ok: true }
+  } catch {
+    // Non-fatal — the browser user is already signed in; the CLI half will
+    // retry or time out on its own. Never surface this as a sign-in failure.
+    return { ok: false }
+  }
+}
+
 // ─── §10.20 cached aggregates (LIVE) ────────────────────────────────────
 //
 // Two server-side cached endpoints replace what the dashboard previously
diff --git a/src/api/index.wrappers.test.ts b/src/api/index.wrappers.test.ts
index f589279..a7e2a1f 100644
--- a/src/api/index.wrappers.test.ts
+++ b/src/api/index.wrappers.test.ts
@@ -48,6 +48,7 @@ import {
   fetchBillingUsage,
   fetchTeamSummary,
   fetchQuotaWall,
+  completeCliSession,
   setToken,
   APIError,
 } from './index'
@@ -565,4 +566,39 @@ describe('activity + PAT wrappers', () => {
     expect(lastPath()).toMatch(/\/auth\/api-keys\/k1$/)
     expect(lastInit().method).toBe('DELETE')
   })
+
+  // ─── D2: CLI device-flow completion ────────────────────────────────────
+  it('completeCliSession POSTs /auth/cli/{id}/complete with the session Bearer', async () => {
+    queue(jsonResponse({ ok: true }))
+    const r = await completeCliSession('cli_42')
+    expect(r.ok).toBe(true)
+    expect(lastPath()).toMatch(/\/auth\/cli\/cli_42\/complete$/)
+    expect(lastInit().method).toBe('POST')
+    // call() attaches the stored token as a Bearer.
+    expect(headerOf(0, 'Authorization')).toBe('Bearer test-token')
+  })
+
+  it('completeCliSession URL-encodes the session id', async () => {
+    queue(jsonResponse({ ok: true }))
+    await completeCliSession('a/b c')
+    expect(lastPath()).toContain('/auth/cli/a%2Fb%20c/complete')
+  })
+
+  it('completeCliSession returns {ok:false} on an empty id without calling fetch', async () => {
+    const r = await completeCliSession('')
+    expect(r.ok).toBe(false)
+    expect(fetchMock).not.toHaveBeenCalled()
+  })
+
+  it('completeCliSession swallows a server error and returns {ok:false}', async () => {
+    queue(jsonResponse({ error: 'session_not_found' }, { status: 404 }))
+    const r = await completeCliSession('cli_dead')
+    expect(r.ok).toBe(false)
+  })
+
+  it('completeCliSession swallows a network throw and returns {ok:false}', async () => {
+    fetchMock.mockRejectedValueOnce(new Error('network'))
+    const r = await completeCliSession('cli_net')
+    expect(r.ok).toBe(false)
+  })
 })
diff --git a/src/lib/llmsContract.test.ts b/src/lib/llmsContract.test.ts
index 1018df4..bf24838 100644
--- a/src/lib/llmsContract.test.ts
+++ b/src/lib/llmsContract.test.ts
@@ -97,6 +97,19 @@ const CONTRACT_MARKERS: DocsMarker[] = [
     file: 'public/llms.txt',
     mustContain: ['troubleshooting-deploys', '/api/v1/deployments/:id/events'],
   },
+  {
+    // F6 / anon-deploy (2026-06-10): the canonical homepage example is the
+    // anonymous "no signup" path, which MUST deploy via POST /stacks/new — NOT
+    // POST /deploy/new (which is RequireAuth; memory
+    // project_anonymous_deploy_via_stacks_not_deploy_new). The old example told
+    // the anon agent to call /deploy/new, which 401s for an anonymous caller.
+    // Pin the corrected instruction so a docs revert or a content-repo sync that
+    // restores the broken wording reds CI. Mirrors the requireMarkers guard in
+    // scripts/fetch-content.mjs (lock-step, rule 22).
+    field: 'anonymous deploy uses POST /stacks/new, not /deploy/new (canonical example)',
+    file: 'public/llms.txt',
+    mustContain: ['anonymous deploys go through `/stacks/new`'],
+  },
 ]
 
 describe('agent docs contract — POST /deploy/new redeploy=true', () => {
diff --git a/src/pages/ClaimPage.test.tsx b/src/pages/ClaimPage.test.tsx
index 7fa3d06..7d63876 100644
--- a/src/pages/ClaimPage.test.tsx
+++ b/src/pages/ClaimPage.test.tsx
@@ -204,6 +204,29 @@ describe('ClaimPage — email entry (pre-claim)', () => {
     expect(screen.getByText(/missing claim link/i)).toBeTruthy()
   })
 
+  // F6 (2026-06-10): the tokenless dead-end must point recovery at the one
+  // working auth path — GitHub OAuth.
+  it('surfaces a GitHub OAuth CTA on the tokenless "Missing claim link" state', () => {
+    render(
+      <MemoryRouter initialEntries={['/claim']}>
+        <ClaimPage />
+      </MemoryRouter>,
+    )
+    const cta = screen.getByTestId('claim-github-oauth')
+    expect(cta).toBeTruthy()
+    expect(cta.textContent).toContain('GitHub')
+  })
+
+  it('the tokenless GitHub CTA triggers the OAuth redirect', () => {
+    render(
+      <MemoryRouter initialEntries={['/claim']}>
+        <ClaimPage />
+      </MemoryRouter>,
+    )
+    fireEvent.click(screen.getByTestId('claim-github-oauth'))
+    expect(hrefSetTo).toContain('/auth/github/start?return_to=')
+  })
+
   // §10.21: previously a malformed/expired JWT left the page blank with
   // just the email form. Now it renders an explicit error banner with a
   // pricing CTA so the user knows to ask their agent for a fresh link.
@@ -226,6 +249,20 @@ describe('ClaimPage — email entry (pre-claim)', () => {
     expect(screen.queryByTestId('claim-email')).toBeNull()
     expect(screen.queryByTestId('claim-submit')).toBeNull()
   })
+
+  // F6: the invalid/expired state also surfaces GitHub OAuth as a primary
+  // recovery CTA (a user with an expired token may already have an account).
+  it('surfaces a GitHub OAuth CTA on the invalid/expired-link state', async () => {
+    render(
+      <MemoryRouter initialEntries={['/claim?t=not-a-valid-jwt-blob']}>
+        <ClaimPage />
+      </MemoryRouter>,
+    )
+    await waitFor(() => expect(screen.getByTestId('claim-invalid')).toBeTruthy())
+    expect(screen.getByTestId('claim-github-oauth')).toBeTruthy()
+    // The pricing link is still present, now as a secondary action.
+    expect(screen.getByTestId('claim-invalid-pricing')).toBeTruthy()
+  })
 })
 
 // ─── Submit → funnel transition ─────────────────────────────────────────
diff --git a/src/pages/ClaimPage.tsx b/src/pages/ClaimPage.tsx
index 849b9a8..cdd6981 100644
--- a/src/pages/ClaimPage.tsx
+++ b/src/pages/ClaimPage.tsx
@@ -7,6 +7,45 @@ import type { Resource, ResourceType } from '../api'
 type Preview = { type: ResourceType; id: string; size: string }
 type Stage = 'enter-email' | 'claiming' | 'choose-plan' | 'checkout' | 'error'
 
+// F6 (2026-06-10): point funnel recovery at the one working auth path.
+// Magic-link / claim-email delivery is 100%-failing (Brevo sender
+// unvalidated — CLAUDE.md P0), so when a claim flow hits a dead end (no
+// token, expired token), GitHub OAuth is the only path that actually signs
+// the user in and lets them reach their resources / a paid plan. We surface
+// it as the primary CTA in those states.
+const OAUTH_API_BASE_DEFAULT = 'https://api.instanode.dev'
+const OAUTH_CALLBACK_PATH = '/login/callback'
+
+function startGitHubOAuth() {
+  const apiBase =
+    (typeof window !== 'undefined' && (window as any).__INSTANODE_API_URL__) || OAUTH_API_BASE_DEFAULT
+  const returnTo = encodeURIComponent(window.location.origin + OAUTH_CALLBACK_PATH)
+  window.location.href = `${apiBase}/auth/github/start?return_to=${returnTo}`
+}
+
+// GitHubRecoveryCta — the shared "Continue with GitHub" recovery button used
+// by the dead-end claim states. Kept as a component so the testid + copy stay
+// identical across the tokenless and invalid-link surfaces.
+function GitHubRecoveryCta({ note }: { note: string }) {
+  return (
+    <div style={{ marginTop: 20 }}>
+      <button
+        type="button"
+        className="btn btn-primary"
+        data-testid="claim-github-oauth"
+        onClick={startGitHubOAuth}
+        style={{ width: '100%', justifyContent: 'center', gap: 10 }}
+      >
+        <span aria-hidden="true" style={{ fontFamily: 'var(--font-mono)' }}>▢</span>
+        <span>Continue with GitHub</span>
+      </button>
+      <p style={{ marginTop: 10, fontSize: 11, color: 'var(--text-faint)', fontFamily: 'var(--font-mono)', lineHeight: 1.5 }}>
+        {note}
+      </p>
+    </div>
+  )
+}
+
 function decodeJWT(jwt: string): {
   rt?: string[]
   tok?: string[]
@@ -170,6 +209,10 @@ export function ClaimPage() {
           <div style={{ marginBottom: 24 }}><Brand /></div>
           <h1>Missing claim link.</h1>
           <p>This page expects a token. Open the claim link from your agent's response.</p>
+          {/* F6: already have an account, or lost the link? GitHub OAuth is
+              the working sign-in path — get them into the app rather than
+              stranding them on a dead page. */}
+          <GitHubRecoveryCta note="Already signed up, or lost the link? Sign in with GitHub to reach your resources." />
         </div>
       </div>
     )
@@ -202,7 +245,11 @@ export function ClaimPage() {
             Tokens are single-use and expire after 24 hours. Ask your agent to call
             <code style={{ marginLeft: 4 }}>POST /db/new</code> (or any /new endpoint) to mint a fresh link.
           </div>
-          <Link to="/pricing" className="btn btn-primary" data-testid="claim-invalid-pricing" style={{ width: '100%', justifyContent: 'center' }}>
+          {/* F6: GitHub OAuth as the primary recovery path — a user with an
+              expired token may already have an account; sign them in rather
+              than only offering the pricing page. */}
+          <GitHubRecoveryCta note="Already have an account? Sign in with GitHub instead of waiting on a new link." />
+          <Link to="/pricing" className="btn btn-secondary" data-testid="claim-invalid-pricing" style={{ width: '100%', justifyContent: 'center', marginTop: 12 }}>
             See plans →
           </Link>
         </div>
diff --git a/src/pages/LoginCallbackPage.test.tsx b/src/pages/LoginCallbackPage.test.tsx
index f178eee..bb45216 100644
--- a/src/pages/LoginCallbackPage.test.tsx
+++ b/src/pages/LoginCallbackPage.test.tsx
@@ -16,6 +16,7 @@ vi.mock('../api', async () => {
     ...actual,
     setToken: vi.fn(),
     fetchMe: vi.fn(),
+    completeCliSession: vi.fn(() => Promise.resolve({ ok: true })),
   }
 })
 
@@ -164,4 +165,37 @@ describe('LoginCallbackPage', () => {
     expect(fetchSpy).not.toHaveBeenCalled()
     expect(api.setToken).toHaveBeenCalledWith('legacy123')
   })
+
+  // ---- D2: CLI device-flow completion ----
+  // When ?cli_session=<id> rides along on the callback, the page must POST
+  // /auth/cli/{id}/complete (via completeCliSession) AFTER the session token
+  // is stored + verified, then still navigate the browser user to /app.
+
+  it('D2: completes the CLI session when ?cli_session is present, then navigates', async () => {
+    ;(api.fetchMe as any).mockResolvedValue({ ok: true })
+    renderCallback('?session_token=abc&cli_session=cli_123')
+    await waitFor(() => expect(screen.getByTestId('app-landed')).toBeTruthy())
+    expect(api.completeCliSession).toHaveBeenCalledTimes(1)
+    expect(api.completeCliSession).toHaveBeenCalledWith('cli_123')
+    // The session token is stored BEFORE the completion call so the api
+    // gets the authenticated Bearer.
+    expect(api.setToken).toHaveBeenCalledWith('abc')
+  })
+
+  it('D2: does NOT call completeCliSession when cli_session is absent', async () => {
+    ;(api.fetchMe as any).mockResolvedValue({ ok: true })
+    renderCallback('?session_token=abc')
+    await waitFor(() => expect(screen.getByTestId('app-landed')).toBeTruthy())
+    expect(api.completeCliSession).not.toHaveBeenCalled()
+  })
+
+  it('D2: a CLI-completion failure never blocks the user sign-in navigation', async () => {
+    ;(api.fetchMe as any).mockResolvedValue({ ok: true })
+    // completeCliSession is best-effort and swallows errors itself, but even
+    // if it rejected, the browser user must still land on /app.
+    ;(api.completeCliSession as any).mockResolvedValue({ ok: false })
+    renderCallback('?session_token=abc&cli_session=cli_dead')
+    await waitFor(() => expect(screen.getByTestId('app-landed')).toBeTruthy())
+    expect(api.completeCliSession).toHaveBeenCalledWith('cli_dead')
+  })
 })
diff --git a/src/pages/LoginCallbackPage.tsx b/src/pages/LoginCallbackPage.tsx
index ba42f26..42cf6de 100644
--- a/src/pages/LoginCallbackPage.tsx
+++ b/src/pages/LoginCallbackPage.tsx
@@ -1,7 +1,7 @@
 import { useEffect, useState } from 'react'
 import { useNavigate, useSearchParams } from 'react-router-dom'
 import { Brand } from '../components/Common'
-import { setToken, fetchMe, getAPIBaseURL } from '../api'
+import { setToken, fetchMe, getAPIBaseURL, completeCliSession } from '../api'
 
 // AUTH-004 (api PR #176, 2026-05-29): the OAuth/magic-link browser
 // callback no longer puts the session JWT in the URL — it sets a Secure;
@@ -69,6 +69,21 @@ export function LoginCallbackPage() {
         // Verify the token actually works before navigating.
         await fetchMe()
         if (cancelled) return
+        // D2 (2026-06-10): CLI device-flow completion. The CLI opened
+        // /login?cli_session=<id>; LoginPage forwarded the id through the
+        // OAuth/magic-link return_to so it lands here as ?cli_session=<id>.
+        // Now that the browser user is authenticated (token stored, /auth/me
+        // verified), POST /auth/cli/{id}/complete with that session Bearer to
+        // flip the pending CLI session so the CLI's next poll returns its
+        // api_key. Best-effort: completeCliSession swallows failures and never
+        // throws — a CLI-completion error must NOT trap the browser user on
+        // this screen. We don't await it before navigating beyond storing the
+        // outcome; the api call itself is fast and idempotent server-side.
+        const cliSession = params.get('cli_session')
+        if (cliSession) {
+          await completeCliSession(cliSession)
+          if (cancelled) return
+        }
         // Restore the original destination (set by 401 interceptor pre-login)
         // or default to the authenticated overview.
         const returnTo = (() => {
diff --git a/src/pages/LoginPage.test.tsx b/src/pages/LoginPage.test.tsx
index e3739b8..92b4c87 100644
--- a/src/pages/LoginPage.test.tsx
+++ b/src/pages/LoginPage.test.tsx
@@ -171,3 +171,96 @@ describe('LoginPage', () => {
     await waitFor(() => expect(screen.getByText('APP HOME')).toBeTruthy())
   })
 })
+
+// ─── F4: magic-link "sent" state is NOT a silent dead-end ────────────────
+// Email delivery is 100%-failing (Brevo sender unvalidated, CLAUDE.md P0),
+// so the "check your inbox" confirmation must offer a way out: a Resend
+// affordance + a GitHub-OAuth fallback to the one working auth path.
+describe('LoginPage — F4 magic-link recovery affordances', () => {
+  async function reachSentState() {
+    ;(globalThis as any).fetch.mockResolvedValue({ status: 202 })
+    renderAt()
+    await userEvent.type(screen.getByTestId('email-input'), 'founder@acme.dev')
+    await userEvent.click(screen.getByTestId('email-submit'))
+    await waitFor(() => expect(screen.getByTestId('magic-link-sent')).toBeTruthy())
+  }
+
+  it('renders the Resend control in the sent state', async () => {
+    await reachSentState()
+    expect(screen.getByTestId('magic-link-resend')).toBeTruthy()
+  })
+
+  it('renders the GitHub-OAuth fallback control in the sent state', async () => {
+    await reachSentState()
+    expect(screen.getByTestId('magic-link-github-fallback')).toBeTruthy()
+  })
+
+  it('clicking Resend re-POSTs /auth/email/start', async () => {
+    await reachSentState()
+    // First send already happened (1 call). Click resend → second call.
+    ;(globalThis as any).fetch.mockClear()
+    ;(globalThis as any).fetch.mockResolvedValue({ status: 202 })
+    await userEvent.click(screen.getByTestId('magic-link-resend'))
+    await waitFor(() => expect((globalThis as any).fetch).toHaveBeenCalledTimes(1))
+    const [url, init] = (globalThis as any).fetch.mock.calls[0]
+    expect(String(url)).toContain('/auth/email/start')
+    expect(init.method).toBe('POST')
+    expect(JSON.parse(init.body).email).toBe('founder@acme.dev')
+  })
+
+  it('clicking the GitHub fallback triggers the OAuth redirect', async () => {
+    await reachSentState()
+    await userEvent.click(screen.getByTestId('magic-link-github-fallback'))
+    expect(window.location.href).toContain('/auth/github/start?return_to=')
+  })
+
+  it('surfaces a resend error inline without leaving the sent state', async () => {
+    await reachSentState()
+    ;(globalThis as any).fetch.mockClear()
+    ;(globalThis as any).fetch.mockResolvedValue({
+      status: 500,
+      json: async () => ({ message: 'relay down' }),
+    })
+    await userEvent.click(screen.getByTestId('magic-link-resend'))
+    await waitFor(() =>
+      expect(screen.getByTestId('magic-link-resend-error').textContent).toContain('relay down'),
+    )
+    // Still in the sent state — the recovery controls remain available.
+    expect(screen.getByTestId('magic-link-github-fallback')).toBeTruthy()
+  })
+})
+
+// ─── D2: cli_session is preserved through the auth round-trip ────────────
+// /login?cli_session=<id> must forward the id through the OAuth + magic-link
+// return_to so LoginCallbackPage can POST /auth/cli/{id}/complete after
+// sign-in. Before this, App.tsx forwarded the param to /login then dropped
+// it, and the CLI device-flow never completed from the web side.
+describe('LoginPage — D2 cli_session preservation', () => {
+  it('appends ?cli_session=<id> to the GitHub OAuth return_to', async () => {
+    ;(window as any).location.search = '?cli_session=sess_abc'
+    renderAt('/login?cli_session=sess_abc')
+    await userEvent.click(screen.getByTestId('oauth-github'))
+    // return_to is URL-encoded once on the way into the github/start URL.
+    const href = decodeURIComponent(window.location.href)
+    expect(href).toContain('/login/callback?cli_session=sess_abc')
+  })
+
+  it('appends cli_session to the magic-link return_to', async () => {
+    ;(window as any).location.search = '?cli_session=sess_xyz'
+    ;(globalThis as any).fetch.mockResolvedValue({ status: 202 })
+    renderAt('/login?cli_session=sess_xyz')
+    await userEvent.type(screen.getByTestId('email-input'), 'founder@acme.dev')
+    await userEvent.click(screen.getByTestId('email-submit'))
+    await waitFor(() => expect((globalThis as any).fetch).toHaveBeenCalled())
+    const [, init] = (globalThis as any).fetch.mock.calls[0]
+    expect(JSON.parse(init.body).return_to).toContain('/login/callback?cli_session=sess_xyz')
+  })
+
+  it('omits cli_session from return_to when absent', async () => {
+    renderAt()
+    await userEvent.click(screen.getByTestId('oauth-github'))
+    const href = decodeURIComponent(window.location.href)
+    expect(href).toContain('/login/callback')
+    expect(href).not.toContain('cli_session')
+  })
+})
diff --git a/src/pages/LoginPage.tsx b/src/pages/LoginPage.tsx
index dc761c1..932f818 100644
--- a/src/pages/LoginPage.tsx
+++ b/src/pages/LoginPage.tsx
@@ -10,9 +10,28 @@ function resolveApiBase(): string {
   return (typeof window !== 'undefined' && (window as any).__INSTANODE_API_URL__) || OAUTH_API_BASE_DEFAULT
 }
 
+// readCliSession — pull the CLI device-flow session id off /login's query
+// string. The api emits /login?cli_session=<id>; CliAuthRedirect normalises
+// the legacy ?s= form to it. We forward this id through the OAuth /
+// magic-link `return_to` so it survives the round-trip and LoginCallbackPage
+// can POST /auth/cli/{id}/complete after sign-in (D2). Returns '' when absent.
+function readCliSession(): string {
+  if (typeof window === 'undefined') return ''
+  return new URLSearchParams(window.location.search).get('cli_session') ?? ''
+}
+
+// buildCallbackReturnTo — the post-auth landing URL the api redirects back
+// to. When a CLI device-flow session is in flight we append ?cli_session=<id>
+// so the callback page can complete it. Same-origin by construction.
+function buildCallbackReturnTo(): string {
+  const base = window.location.origin + OAUTH_CALLBACK_PATH
+  const cli = readCliSession()
+  return cli ? `${base}?cli_session=${encodeURIComponent(cli)}` : base
+}
+
 function startGitHubOAuth() {
   const apiBase = resolveApiBase()
-  const returnTo = encodeURIComponent(window.location.origin + OAUTH_CALLBACK_PATH)
+  const returnTo = encodeURIComponent(buildCallbackReturnTo())
   window.location.href = `${apiBase}/auth/github/start?return_to=${returnTo}`
 }
 
@@ -36,18 +55,20 @@ export function LoginPage() {
   const [emailSent, setEmailSent] = useState(false)
   const [emailErr, setEmailErr] = useState<string | null>(null)
 
-  const submitEmail = async (e: React.FormEvent) => {
-    e.preventDefault()
+  // sendMagicLink — POST /auth/email/start. Extracted from submitEmail so the
+  // "Resend" affordance in the sent-confirmation state (F4) can re-fire the
+  // exact same request without duplicating the fetch + error handling.
+  const sendMagicLink = async () => {
     setEmailErr(null)
     if (!email.includes('@')) {
       setEmailErr('Enter a valid email.')
-      return
+      return false
     }
     setEmailBusy(true)
     try {
       const apiBase = resolveApiBase()
       const url = apiBase + '/auth/email/start'
-      const returnTo = window.location.origin + OAUTH_CALLBACK_PATH
+      const returnTo = buildCallbackReturnTo()
       const resp = await fetch(url, {
         method: 'POST',
         headers: { 'Content-Type': 'application/json' },
@@ -59,13 +80,20 @@ export function LoginPage() {
         throw new Error((body && body.message) || resp.statusText)
       }
       setEmailSent(true)
+      return true
     } catch (e: any) {
       setEmailErr(e?.message ?? 'Could not send the magic link.')
+      return false
     } finally {
       setEmailBusy(false)
     }
   }
 
+  const submitEmail = async (e: React.FormEvent) => {
+    e.preventDefault()
+    await sendMagicLink()
+  }
+
   const submit = async (e: React.FormEvent) => {
     e.preventDefault()
     setErr(null)
@@ -157,8 +185,57 @@ export function LoginPage() {
             <span style={{ flex: 1, height: 1, background: 'var(--border)' }} />
           </div>
           {emailSent ? (
-            <div role="status" data-testid="magic-link-sent" style={{ padding: '10px 12px', borderLeft: '2px solid var(--accent)', fontSize: 13, fontFamily: 'var(--font-mono)', color: 'var(--text)' }}>
-              Check your inbox — we sent a sign-in link to <strong>{email}</strong>. Expires in 15 min.
+            // F4 (2026-06-10): the "we sent a link" state used to be a silent
+            // dead-end. Email delivery is currently 100%-failing (Brevo sender
+            // unvalidated — see CLAUDE.md P0), so a static "check your inbox"
+            // banner traps every magic-link user with no recovery. We now
+            // surface (a) a "Didn't get it? Resend" affordance and (b) a
+            // "continue with GitHub" fallback that routes the user to the one
+            // working auth path.
+            <div data-testid="magic-link-sent">
+              <div role="status" style={{ padding: '10px 12px', borderLeft: '2px solid var(--accent)', fontSize: 13, fontFamily: 'var(--font-mono)', color: 'var(--text)' }}>
+                Check your inbox — we sent a sign-in link to <strong>{email}</strong>. Expires in 15 min.
+              </div>
+
+              {emailErr && (
+                <div role="alert" data-testid="magic-link-resend-error" style={{ marginTop: 10, padding: '10px 12px', borderLeft: '2px solid var(--rose)', fontSize: 12.5, fontFamily: 'var(--font-mono)', color: 'var(--text)' }}>
+                  {emailErr}
+                </div>
+              )}
+
+              <div style={{ marginTop: 12, fontSize: 12, fontFamily: 'var(--font-mono)', color: 'var(--text-faint)', lineHeight: 1.6 }}>
+                Didn't get it?{' '}
+                <button
+                  type="button"
+                  onClick={() => { void sendMagicLink() }}
+                  disabled={emailBusy}
+                  data-testid="magic-link-resend"
+                  style={{
+                    background: 'transparent',
+                    border: 'none',
+                    padding: 0,
+                    color: 'var(--accent)',
+                    fontFamily: 'var(--font-mono)',
+                    fontSize: 12,
+                    cursor: emailBusy ? 'default' : 'pointer',
+                    textDecoration: 'underline',
+                  }}
+                >
+                  {emailBusy ? 'Resending…' : 'Resend the link'}
+                </button>
+                {' '}— or change the address above and resend.
+              </div>
+
+              <button
+                type="button"
+                className="btn btn-secondary"
+                style={{ width: '100%', justifyContent: 'center', gap: 10, marginTop: 14 }}
+                onClick={startGitHubOAuth}
+                data-testid="magic-link-github-fallback"
+              >
+                <span aria-hidden="true" style={{ color: 'var(--accent)', fontFamily: 'var(--font-mono)' }}>▢</span>
+                <span>or continue with GitHub</span>
+              </button>
             </div>
           ) : (
             <form onSubmit={submitEmail}>