diff --git a/.gitignore b/.gitignore
index 999dfe1..297e88b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -17,3 +17,4 @@ e2e/.cleanup-ledger.json
 .content/
 
 coverage/
+.claude/worktrees/
diff --git a/src/layout/PublicShell.test.tsx b/src/layout/PublicShell.test.tsx
index 7f9201c..bce9b3d 100644
--- a/src/layout/PublicShell.test.tsx
+++ b/src/layout/PublicShell.test.tsx
@@ -94,3 +94,18 @@ describe('PublicShell — dark/light theme toggle (B3-P2-4)', () => {
     expect(document.documentElement.hasAttribute('data-theme')).toBe(false)
   })
 })
+
+describe('PublicShell — footer support email consistency (2026-06-11)', () => {
+  it('footer Contact link uses the canonical contact@ address, not hello@', () => {
+    render(<PublicShell><p>hi</p></PublicShell>)
+    const mailtos = Array.from(document.querySelectorAll('a[href^="mailto:"]')).map(
+      (a) => a.getAttribute('href') ?? '',
+    )
+    expect(mailtos.some((h) => h.includes('hello@instanode.dev'))).toBe(false)
+    const contact = Array.from(document.querySelectorAll('a')).find(
+      (a) => (a.textContent ?? '').trim() === 'Contact',
+    ) as HTMLAnchorElement | undefined
+    expect(contact).toBeTruthy()
+    expect(contact!.getAttribute('href')).toContain('mailto:contact@instanode.dev')
+  })
+})
diff --git a/src/layout/PublicShell.tsx b/src/layout/PublicShell.tsx
index 05f32ff..c073e0d 100644
--- a/src/layout/PublicShell.tsx
+++ b/src/layout/PublicShell.tsx
@@ -263,7 +263,10 @@ function PublicFooter() {
                 served as text/markdown — a visitor saw unrendered
                 "## Reporting a vulnerability" source. */}
             <a href="/security">Security</a>
-            <a href="mailto:hello@instanode.dev">Contact</a>
+            {/* 2026-06-11: standardized on contact@ — the canonical support
+                address (FAQ, cancel/downgrade, billing, terms, content repo).
+                sales@ is reserved for Team/Enterprise lead capture. */}
+            <a href="mailto:contact@instanode.dev">Contact</a>
           </div>
         </div>
       </div>
@@ -491,7 +494,9 @@ function PublicShellStyles() {
       .public-footer-h {
         font-family: var(--font-mono);
         font-size: 10.5px;
-        color: var(--text-faint);
+        /* WCAG AA: --text-muted (5.1:1 on --surface) not --text-faint (2.4:1).
+           Footer column headers ("Product", "Legal") are read content. */
+        color: var(--text-muted);
         text-transform: uppercase;
         letter-spacing: 0.06em;
         margin-bottom: 4px;
diff --git a/src/lib/planLimits.test.ts b/src/lib/planLimits.test.ts
new file mode 100644
index 0000000..7df6953
--- /dev/null
+++ b/src/lib/planLimits.test.ts
@@ -0,0 +1,105 @@
+/* planLimits.test.ts — registry-iterating guard (rule 18).
+ *
+ * The Overview "connection limit" and "object storage" tiles bind to these
+ * per-tier caps. Two real production bugs motivated the binding:
+ *   - connection limit read "∞ unlimited" for a Pro user (cap is 20)
+ *   - object-storage denominator read a conflated ~81 GiB sum
+ *
+ * This test pins each tier's numbers to api/plans.yaml AND iterates the whole
+ * `Tier` union so a future tier (or a renamed one) can't silently fall through
+ * to the fallback and ship a tile bound to the wrong number. If plans.yaml
+ * changes a connection or object-storage cap, this test fails until the mirror
+ * is updated (rule 22 — contract change touches all surfaces).
+ */
+
+import { describe, it, expect } from 'vitest'
+import {
+  PLAN_LIMITS,
+  planLimitsFor,
+  connectionLimitFor,
+  objectStorageLimitMBFor,
+  objectStorageLimitGBFor,
+} from './planLimits'
+import type { Tier } from '../api'
+
+// The full Tier union, enumerated so the iteration test below is itself not a
+// single-site hand-typed slice — a new tier added to the union but not here
+// would still be caught by ALL_TIERS coverage below (we assert PLAN_LIMITS has
+// exactly these keys).
+const ALL_TIERS: Tier[] = [
+  'anonymous',
+  'free',
+  'hobby',
+  'hobby_plus',
+  'pro',
+  'growth',
+  'team',
+]
+
+// Expected values mirror api/plans.yaml (origin/master, verified 2026-06-11).
+// connections = postgres_connections (== mongodb_connections == vector_connections).
+// objectStorageMB = storage_storage_mb.
+const EXPECTED: Record<Tier, { connections: number; objectStorageMB: number }> = {
+  anonymous:  { connections: 2,   objectStorageMB: 10 },
+  free:       { connections: 2,   objectStorageMB: 10 },
+  hobby:      { connections: 8,   objectStorageMB: 512 },
+  hobby_plus: { connections: 8,   objectStorageMB: 5120 },
+  pro:        { connections: 20,  objectStorageMB: 51200 },
+  growth:     { connections: 20,  objectStorageMB: 153600 },
+  team:       { connections: 100, objectStorageMB: 307200 },
+}
+
+describe('PLAN_LIMITS — every Tier has a row (rule 18)', () => {
+  it('PLAN_LIMITS has exactly the Tier-union keys (no missing, no extra)', () => {
+    expect(Object.keys(PLAN_LIMITS).sort()).toEqual([...ALL_TIERS].sort())
+  })
+
+  for (const tier of ALL_TIERS) {
+    it(`${tier}: connection + object-storage caps match plans.yaml`, () => {
+      expect(PLAN_LIMITS[tier].connections).toBe(EXPECTED[tier].connections)
+      expect(PLAN_LIMITS[tier].objectStorageMB).toBe(EXPECTED[tier].objectStorageMB)
+    })
+  }
+})
+
+describe('connectionLimitFor', () => {
+  for (const tier of ALL_TIERS) {
+    it(`${tier} → ${EXPECTED[tier].connections}`, () => {
+      expect(connectionLimitFor(tier)).toBe(EXPECTED[tier].connections)
+    })
+  }
+
+  it('Pro is a finite 20, never ∞ — the exact production bug', () => {
+    expect(connectionLimitFor('pro')).toBe(20)
+    expect(connectionLimitFor('pro')).toBeGreaterThan(0)
+  })
+
+  it('falls back to free for an unknown/undefined tier (understate, not overstate)', () => {
+    expect(connectionLimitFor('mystery_tier')).toBe(EXPECTED.free.connections)
+    expect(connectionLimitFor(undefined)).toBe(EXPECTED.free.connections)
+    expect(connectionLimitFor(null)).toBe(EXPECTED.free.connections)
+  })
+})
+
+describe('objectStorageLimit helpers', () => {
+  it('Pro object cap is 50 GB (51200 MB), NOT a conflated multi-service sum', () => {
+    expect(objectStorageLimitMBFor('pro')).toBe(51200)
+    expect(objectStorageLimitGBFor('pro')).toBe(50)
+  })
+
+  for (const tier of ALL_TIERS) {
+    it(`${tier} object-storage GB == MB/1024`, () => {
+      const mb = objectStorageLimitMBFor(tier)
+      expect(objectStorageLimitGBFor(tier)).toBeCloseTo(mb / 1024, 6)
+    })
+  }
+
+  it('free shows its real 10 MB cap, never unlimited (∞)', () => {
+    expect(objectStorageLimitMBFor('free')).toBe(10)
+    expect(objectStorageLimitGBFor('free')).toBeGreaterThan(0)
+  })
+
+  it('planLimitsFor returns the matching row object', () => {
+    expect(planLimitsFor('team')).toEqual(PLAN_LIMITS.team)
+  })
+})
diff --git a/src/lib/planLimits.ts b/src/lib/planLimits.ts
new file mode 100644
index 0000000..071f5f3
--- /dev/null
+++ b/src/lib/planLimits.ts
@@ -0,0 +1,99 @@
+// planLimits — the dashboard's single, registry-shaped mirror of the per-tier
+// numeric caps the Overview tiles bind to.
+//
+// WHY THIS FILE EXISTS (rule 18 — registry-iterating, not hand-typed-at-call-site):
+// Before this, the Overview "connection limit" and "storage" tiles derived
+// their numbers from per-RESOURCE fields (`connections_limit` / `storage_limit_bytes`)
+// summed across the user's live resources. That produced two confirmed bugs on
+// real dashboards:
+//
+//   1. CONNECTION LIMIT showed "∞ unlimited" for a Pro user. The summing logic
+//      flipped the whole tile to ∞ the moment ANY resource carried
+//      connections_limit < 0 — and queue/redis/storage/webhook resources are
+//      legitimately -1 (connection caps don't apply to them). So a Pro user
+//      (real cap: 20 Postgres connections) with a single Redis saw ∞.
+//
+//   2. STORAGE denominator showed a conflated SUM of every per-service cap
+//      (e.g. 50 GB object + 10 GB pg + 5 GB mongo + 10 GB vector + queue …
+//      ≈ 81.3 GiB) presented under one "STORAGE" label. Pro's object-storage
+//      cap is 50 GB; the tile must reflect object storage specifically, not a
+//      sum across unlike services.
+//
+// The honest fix is to bind each tile to the TIER's published cap, not to a
+// derived per-resource sum. The source of truth is api/plans.yaml. The
+// `PLAN_LIMITS` table below mirrors it; the matching test
+// (planLimits.test.ts) iterates EVERY tier in the `Tier` union so a future
+// tier (or a renamed one) can't silently fall through to a wrong number.
+//
+// Connection semantics: only the connection-BEARING services (postgres,
+// mongodb, vector) have a finite per-tier connection cap. redis / queue /
+// storage / webhook do not take SQL-style connections — their per-resource
+// connections_limit is -1 by design and must NOT be read as "the tier is
+// unlimited". The connection tile therefore shows the connection-bearing cap
+// (postgres == mongodb == vector on every tier today) and is only "∞" when
+// that cap is itself -1 in plans.yaml (no tier is, post strict-80% redesign).
+
+import type { Tier } from '../api'
+
+const MB_PER_GB = 1024
+
+export interface PlanLimits {
+  /** Per-connection-bearing-service connection cap (postgres/mongodb/vector).
+   *  -1 means unlimited. plans.yaml: postgres_connections / mongodb_connections /
+   *  vector_connections — equal on every tier today. */
+  connections: number
+  /** Object-storage cap in MB. plans.yaml: storage_storage_mb. -1 = unlimited
+   *  (no tier today). This is the OBJECT-STORE cap only — never a sum across
+   *  postgres / mongodb / vector / queue. */
+  objectStorageMB: number
+}
+
+// PLAN_LIMITS — mirror of api/plans.yaml. Keep in lock-step with that file
+// (rule 22: a tier/limit change touches plans.yaml AND this mirror). Every
+// member of the `Tier` union MUST have a row — planLimits.test.ts fails if one
+// is missing, so a new tier can't ship a tile bound to the fallback.
+//
+// connections column source (plans.yaml, verified 2026-06-11 @ origin/master):
+//   anonymous/free  postgres_connections=2   storage_storage_mb=10
+//   hobby           postgres_connections=8   storage_storage_mb=512
+//   hobby_plus      postgres_connections=8   storage_storage_mb=5120
+//   pro             postgres_connections=20  storage_storage_mb=51200  (50 GB)
+//   growth          postgres_connections=20  storage_storage_mb=153600 (150 GB)
+//   team            postgres_connections=100 storage_storage_mb=307200 (300 GB)
+export const PLAN_LIMITS: Record<Tier, PlanLimits> = {
+  anonymous:  { connections: 2,   objectStorageMB: 10 },
+  free:       { connections: 2,   objectStorageMB: 10 },
+  hobby:      { connections: 8,   objectStorageMB: 512 },
+  hobby_plus: { connections: 8,   objectStorageMB: 5120 },
+  pro:        { connections: 20,  objectStorageMB: 51200 },
+  growth:     { connections: 20,  objectStorageMB: 153600 },
+  team:       { connections: 100, objectStorageMB: 307200 },
+}
+
+// Fallback used only when the live tier string is somehow outside the union
+// (defensive — TS guarantees the union, but the wire could in theory send a
+// future tier the build doesn't know yet). Free is the safest assumption: it
+// understates rather than overstates the user's ceiling.
+const FALLBACK: PlanLimits = PLAN_LIMITS.free
+
+export function planLimitsFor(tier: Tier | string | undefined | null): PlanLimits {
+  if (tier && tier in PLAN_LIMITS) return PLAN_LIMITS[tier as Tier]
+  return FALLBACK
+}
+
+/** The connection-bearing connection cap for a tier. -1 → unlimited. */
+export function connectionLimitFor(tier: Tier | string | undefined | null): number {
+  return planLimitsFor(tier).connections
+}
+
+/** The object-storage cap for a tier, in MB. -1 → unlimited. */
+export function objectStorageLimitMBFor(tier: Tier | string | undefined | null): number {
+  return planLimitsFor(tier).objectStorageMB
+}
+
+/** Object-storage cap as a GB number (decimal-GB to match how plans.yaml /
+ *  the pricing page talk about "50 GB"). -1 stays -1 (unlimited). */
+export function objectStorageLimitGBFor(tier: Tier | string | undefined | null): number {
+  const mb = objectStorageLimitMBFor(tier)
+  return mb < 0 ? -1 : mb / MB_PER_GB
+}
diff --git a/src/pages/MarketingPage.test.tsx b/src/pages/MarketingPage.test.tsx
index 20086fc..e306270 100644
--- a/src/pages/MarketingPage.test.tsx
+++ b/src/pages/MarketingPage.test.tsx
@@ -212,3 +212,72 @@ describe('MarketingPage — claim consistency (T18 P1-4 / P1-6)', () => {
     expect(text).not.toMatch(/medium deployments/i)
   })
 })
+
+// ─── 2026-06-11 a11y + email-standardization fixes ─────────────────────────
+describe('MarketingPage — a11y + support-email consistency', () => {
+  function renderHome() {
+    return render(
+      <MemoryRouter initialEntries={['/']}>
+        <MarketingPage />
+      </MemoryRouter>,
+    )
+  }
+
+  it("brand link aria-label contains the visible text 'instanode.dev' (WCAG 2.5.3 Label in Name)", () => {
+    renderHome()
+    const brand = document.querySelector('a.mkt-brand-link') as HTMLAnchorElement
+    expect(brand).not.toBeNull()
+    const label = brand.getAttribute('aria-label') ?? ''
+    // The brand renders "instanode.dev" — the accessible name must include it.
+    expect(label).toContain('instanode.dev')
+    // The visible text the brand renders, sans markup.
+    expect((brand.textContent ?? '').replace(/\s+/g, '')).toContain('instanode.dev')
+  })
+
+  it('footer column headers are <h3>, not <h4> (no skipped heading level)', () => {
+    renderHome()
+    const footerCols = Array.from(document.querySelectorAll('.mkt-footer-col'))
+    const headers = footerCols.map((c) => c.querySelector('h1,h2,h3,h4,h5,h6'))
+    // Every footer column has a heading and it's an <h3>.
+    expect(headers.length).toBeGreaterThanOrEqual(2)
+    for (const h of headers) {
+      expect(h).not.toBeNull()
+      expect(h!.tagName).toBe('H3')
+    }
+    // And no <h4> anywhere skips the level on the page.
+    expect(document.querySelector('.mkt-footer-col h4')).toBeNull()
+  })
+
+  it('heading levels never skip (no <hN> without an <hN-1> before it)', () => {
+    renderHome()
+    const levels = Array.from(document.querySelectorAll('h1,h2,h3,h4,h5,h6')).map((h) =>
+      Number(h.tagName[1]),
+    )
+    let max = 0
+    for (const lvl of levels) {
+      // A heading may be at most one deeper than the deepest seen so far.
+      expect(lvl).toBeLessThanOrEqual(max + 1)
+      if (lvl > max) max = lvl
+    }
+  })
+
+  it("general-contact CTA uses the canonical contact@ address, not hello@", () => {
+    renderHome()
+    const mailtos = Array.from(document.querySelectorAll('a[href^="mailto:"]')).map(
+      (a) => a.getAttribute('href') ?? '',
+    )
+    // No hello@ anywhere on the homepage.
+    expect(mailtos.some((h) => h.includes('hello@instanode.dev'))).toBe(false)
+    // The "talk to us" CTA points at contact@.
+    const talk = findAnchorByText('talk to us')
+    expect(talk).not.toBeNull()
+    expect(talk!.getAttribute('href')).toContain('mailto:contact@instanode.dev')
+  })
+
+  it('Team CTA still uses sales@ (lead capture is a deliberate split)', () => {
+    renderHome()
+    const teamCta = findAnchorByText('Contact sales →')
+    expect(teamCta).not.toBeNull()
+    expect(teamCta!.getAttribute('href')).toContain('mailto:sales@instanode.dev')
+  })
+})
diff --git a/src/pages/MarketingPage.tsx b/src/pages/MarketingPage.tsx
index faeb81c..605ba7c 100644
--- a/src/pages/MarketingPage.tsx
+++ b/src/pages/MarketingPage.tsx
@@ -249,7 +249,12 @@ export function MarketingPage() {
       {/* ---------- top nav (sticky, glassmorphic) ---------- */}
       <nav className="mkt-nav" aria-label="Primary">
         <div className="mkt-wrap mkt-nav-inner">
-          <a href="/" className="mkt-brand-link" aria-label="instanode home">
+          {/* WCAG 2.5.3 (Label in Name): the accessible name must contain the
+              visible text. The brand renders "instanode.dev", so the
+              aria-label must include "instanode.dev" (was "instanode home",
+              which dropped the visible ".dev" — a label/name mismatch a
+              voice-control user can't target). Matches PublicShell's brand. */}
+          <a href="/" className="mkt-brand-link" aria-label="instanode.dev — home">
             <Brand />
           </a>
           {/* B1-P0-1 (2026-05-20): nav links read from the shared
@@ -612,9 +617,11 @@ export function MarketingPage() {
               product run in production + staging + development. Team is for the company
               that ships every day —{' '}
               {/* BugBash P3-09: the teaser said "talk to us" but had no
-                  contact path. Link to the real address used elsewhere
-                  (PublicShell footer Contact, support FAQ). */}
-              <a href="mailto:hello@instanode.dev">talk to us</a> about your needs.
+                  contact path. 2026-06-11: standardized on contact@ — the
+                  canonical support address used by the FAQ, cancel/downgrade
+                  links, billing, terms, and the content repo. (sales@ stays
+                  for Team/Enterprise lead capture only.) */}
+              <a href="mailto:contact@instanode.dev">talk to us</a> about your needs.
             </p>
           </div>
 
@@ -770,15 +777,21 @@ export function MarketingPage() {
                 <code>npm create</code> to a live URL.
               </p>
             </div>
+            {/* WCAG 1.3.1 / heading-order: these footer column headers were
+                <h4> while the page's deepest preceding heading was <h3> (the
+                how-it-works step cards). An <h4> with no <h3> ancestor in the
+                footer skips a level, breaking the document outline for screen
+                readers. They're <h3> now — the next level below the page's
+                <h2> sections, no skipped level. */}
             <div className="mkt-footer-col">
-              <h4>Product</h4>
+              <h3>Product</h3>
               <a href={ROUTES.pricing}>Pricing</a>
               <a href={ROUTES.forAgents}>For agents</a>
               <a href={ROUTES.docs}>Docs</a>
               <a href={ROUTES.blog}>Blog</a>
             </div>
             <div className="mkt-footer-col">
-              <h4>Legal</h4>
+              <h3>Legal</h3>
               {/* W12 H15: /privacy and /terms are real routes again
                   (stop-gap placeholder pages with a legal@ email).
                   /llms.txt is served from the apex by the prerender
@@ -1746,10 +1759,11 @@ const MKT_CSS = `
   font-size: 12px;
   color: var(--text);
 }
-.mkt-footer-col h4 {
+.mkt-footer-col h3 {
   font-family: var(--font-mono);
   font-size: 11px;
-  color: var(--text-faint);
+  /* WCAG AA: --text-muted (5.1:1) not --text-faint (2.4:1) — read content. */
+  color: var(--text-muted);
   text-transform: uppercase;
   letter-spacing: 0.05em;
   margin: 0 0 16px;
diff --git a/src/pages/OverviewPage.test.tsx b/src/pages/OverviewPage.test.tsx
index 06be54c..5610711 100644
--- a/src/pages/OverviewPage.test.tsx
+++ b/src/pages/OverviewPage.test.tsx
@@ -507,7 +507,10 @@ describe('OverviewPage — Stat sparklines (no fake trend data)', () => {
 // this site, this test fails loudly.
 describe('OverviewPage — W12 XSS hardening (activity feed is plain text)', () => {
   it('renders an activity row with hostile HTML as a text node — no <img> element materialises', async () => {
-    const hostile = '<img src=x onerror=alert(1)>'
+    // Text-bearing hostile input: the leading "deployed " survives the
+    // tag-strip empty-row filter (2026-06-11) so the row still renders, while
+    // the <img> payload must NOT materialise as an element.
+    const hostile = 'deployed <img src=x onerror=alert(1)>'
     ;(api.listResources as any).mockResolvedValueOnce({ ok: true, total: 0, items: [] })
     ;(api.fetchActivity as any).mockResolvedValueOnce({
       ok: true,
diff --git a/src/pages/OverviewPage.tiles.test.tsx b/src/pages/OverviewPage.tiles.test.tsx
new file mode 100644
index 0000000..44695dc
--- /dev/null
+++ b/src/pages/OverviewPage.tiles.test.tsx
@@ -0,0 +1,190 @@
+/* OverviewPage.tiles.test.tsx — 2026-06-11 tile-accuracy fix coverage.
+ *
+ * Two confirmed production bugs on real dashboards:
+ *   1. CONNECTION LIMIT tile read "∞" for a Pro user (cap is 20) because the
+ *      old code summed per-resource connections_limit and any -1 resource
+ *      (redis/queue/storage/webhook are legitimately -1) flipped it to ∞.
+ *   2. OBJECT-STORAGE denominator read a conflated ~81 GiB sum of every
+ *      per-service cap. Pro's object cap is 50 GB.
+ *   3. Recent-activity rendered ~20 blank "—" rows when audit summaries were
+ *      empty.
+ *
+ * These tests render the page with a Pro tier + a Redis resource present (the
+ * exact trigger for bug 1) and assert the honest values.
+ */
+
+import { describe, it, expect, afterEach, vi } from 'vitest'
+import { render, cleanup, screen, waitFor } from '@testing-library/react'
+import { MemoryRouter } from 'react-router-dom'
+import type { Resource, ActivityItem } from '../api'
+
+const listResourcesMock = vi.fn()
+const fetchActivityMock = vi.fn()
+const listDeploymentsMock = vi.fn()
+
+vi.mock('../api', async () => {
+  const actual = await vi.importActual<typeof import('../api')>('../api')
+  return {
+    ...actual,
+    listResources: (...a: unknown[]) => listResourcesMock(...a),
+    fetchActivity: (...a: unknown[]) => fetchActivityMock(...a),
+    listDeployments: (...a: unknown[]) => listDeploymentsMock(...a),
+  }
+})
+
+vi.mock('../hooks/useDashboardCtx', () => ({
+  useDashboardCtx: vi.fn(),
+}))
+
+import { OverviewPage } from './OverviewPage'
+import { useDashboardCtx } from '../hooks/useDashboardCtx'
+
+afterEach(() => {
+  cleanup()
+  vi.clearAllMocks()
+})
+
+function ctxFor(tier: string) {
+  return {
+    me: { user: { id: 'u', email: 'me@test', tier }, team: { id: 't', slug: 's', name: 's', tier } },
+    meErr: null,
+    meLoading: false,
+    env: 'production',
+    envs: ['production'],
+    counts: { resources: 0, deployments: 0, vault: 0, team: 1 },
+    resources: [],
+  }
+}
+
+function makeResource(over: Partial<Resource>): Resource {
+  return {
+    id: over.id ?? 'r1',
+    token: over.token ?? 'tok_abc',
+    resource_type: over.resource_type ?? 'postgres',
+    tier: (over.tier ?? 'pro') as Resource['tier'],
+    status: 'active',
+    name: over.name ?? 'db',
+    env: 'production',
+    storage_bytes: over.storage_bytes ?? 0,
+    storage_limit_bytes: over.storage_limit_bytes ?? 0,
+    storage_exceeded: false,
+    connections_limit: over.connections_limit,
+    created_at: new Date().toISOString(),
+    expires_at: null,
+    ...over,
+  } as Resource
+}
+
+async function renderOverview(tier: string, resources: Resource[], activity: ActivityItem[] = []) {
+  vi.mocked(useDashboardCtx).mockReturnValue(ctxFor(tier) as never)
+  listResourcesMock.mockResolvedValue({ ok: true, items: resources, total: resources.length })
+  fetchActivityMock.mockResolvedValue({ ok: true, items: activity })
+  listDeploymentsMock.mockResolvedValue({ ok: true, items: [], total: 0 })
+  const r = render(
+    <MemoryRouter>
+      <OverviewPage />
+    </MemoryRouter>,
+  )
+  // Wait for the async useEffect to settle (loading cleared).
+  await waitFor(() => expect(listResourcesMock).toHaveBeenCalled())
+  return r
+}
+
+// Helper: find the .stat tile whose .k label contains `label`, return its .v.
+function statValue(container: HTMLElement, label: string): string {
+  const tiles = Array.from(container.querySelectorAll('.stat'))
+  const tile = tiles.find((t) => (t.querySelector('.k')?.textContent ?? '').includes(label))
+  if (!tile) throw new Error(`no stat tile with label containing "${label}"`)
+  return tile.querySelector('.v')?.textContent?.trim() ?? ''
+}
+function statLabel(container: HTMLElement, label: string): string {
+  const tiles = Array.from(container.querySelectorAll('.stat'))
+  const tile = tiles.find((t) => (t.querySelector('.k')?.textContent ?? '').includes(label))
+  if (!tile) throw new Error(`no stat tile with label containing "${label}"`)
+  return tile.querySelector('.k')?.textContent ?? ''
+}
+
+describe('Overview connection-limit tile (bug 1)', () => {
+  it('Pro with a Redis resource present shows 20, NOT ∞', async () => {
+    // The exact production trigger: a -1 (redis) resource alongside finite dbs.
+    const { container } = await renderOverview('pro', [
+      makeResource({ id: 'pg', resource_type: 'postgres', connections_limit: 20 }),
+      makeResource({ id: 'rd', resource_type: 'redis', connections_limit: -1 }),
+    ])
+    await waitFor(() => {
+      expect(statValue(container, 'connection limit')).toBe('20')
+    })
+    expect(statValue(container, 'connection limit')).not.toBe('∞')
+  })
+
+  it('free shows 2 (its real per-db cap)', async () => {
+    const { container } = await renderOverview('free', [])
+    await waitFor(() => expect(statValue(container, 'connection limit')).toBe('2'))
+  })
+
+  it('team shows 100', async () => {
+    const { container } = await renderOverview('team', [])
+    await waitFor(() => expect(statValue(container, 'connection limit')).toBe('100'))
+  })
+})
+
+describe('Overview object-storage tile (bug 2)', () => {
+  it('Pro denominator is the 50 GB object cap, not a conflated sum', async () => {
+    // Resources whose summed storage_limit_bytes would be huge — but only the
+    // object-store cap should drive the denominator.
+    const { container } = await renderOverview('pro', [
+      makeResource({ id: 'pg', resource_type: 'postgres', storage_bytes: 1e9, storage_limit_bytes: 10 * 1024 ** 3 }),
+      makeResource({ id: 'mg', resource_type: 'mongodb', storage_bytes: 5e8, storage_limit_bytes: 5 * 1024 ** 3 }),
+      makeResource({ id: 'st', resource_type: 'storage', storage_bytes: 2e9, storage_limit_bytes: -1 }),
+    ])
+    await waitFor(() => {
+      expect(statLabel(container, 'object storage')).toContain('50 GB')
+    })
+    // numerator = object-store bytes (2e9) in GiB ≈ 1.86, not the pg/mongo sum.
+    // (.v includes the "GiB" unit span — assert the numeric prefix.)
+    expect(statValue(container, 'object storage')).toContain((2e9 / 1024 ** 3).toFixed(2))
+  })
+
+  it('free shows its real 0.0097 GB cap label (not ∞)', async () => {
+    const { container } = await renderOverview('free', [])
+    await waitFor(() => {
+      const label = statLabel(container, 'object storage')
+      expect(label).not.toContain('∞')
+      // free object cap is 10 MB == 10/1024 GB.
+      expect(label).toContain((10 / 1024).toString())
+    })
+  })
+})
+
+describe('Overview recent-activity empty-state (bug 3)', () => {
+  it('renders a single empty-state row, not blank rows, when summaries are empty', async () => {
+    const blank: ActivityItem[] = Array.from({ length: 20 }, (_, i) => ({
+      id: `a${i}`,
+      at: new Date().toISOString(),
+      level: 'info',
+      text: '   ', // whitespace-only / empty summary — the bug input
+    })) as unknown as ActivityItem[]
+    await renderOverview('pro', [makeResource({})], blank)
+    await waitFor(() => {
+      expect(screen.getByTestId('recent-activity-empty')).toBeTruthy()
+    })
+    // No content-ful feed rows survived the filter.
+    const feedRows = document.querySelectorAll('.feed-row')
+    expect(feedRows.length).toBe(1) // only the empty-state row
+  })
+
+  it('renders real rows and drops only the empty ones', async () => {
+    const mixed: ActivityItem[] = [
+      { id: 'a1', at: new Date().toISOString(), level: 'info', text: 'agent provisioned postgres tok_x' },
+      { id: 'a2', at: new Date().toISOString(), level: 'info', text: '' },
+      { id: 'a3', at: new Date().toISOString(), level: 'info', text: 'agent provisioned redis tok_y' },
+    ] as unknown as ActivityItem[]
+    await renderOverview('pro', [makeResource({})], mixed)
+    await waitFor(() => {
+      expect(screen.queryByTestId('recent-activity-empty')).toBeNull()
+    })
+    const feed = document.querySelector('.feed') as HTMLElement
+    const texts = Array.from(feed.querySelectorAll('.feed-row .text')).map((n) => n.textContent)
+    expect(texts).toEqual(['agent provisioned postgres tok_x', 'agent provisioned redis tok_y'])
+  })
+})
diff --git a/src/pages/OverviewPage.tsx b/src/pages/OverviewPage.tsx
index f653d67..aee287a 100644
--- a/src/pages/OverviewPage.tsx
+++ b/src/pages/OverviewPage.tsx
@@ -9,6 +9,7 @@ import { UpgradeButton } from '../components/UpgradeButton'
 import * as api from '../api'
 import type { Resource, ActivityItem, DashboardDeployment } from '../api'
 import { useDashboardCtx } from '../hooks/useDashboardCtx'
+import { connectionLimitFor, objectStorageLimitGBFor } from '../lib/planLimits'
 
 // D6 (2026-05-18): the hardcoded TIER_LIMIT_GB table was dropped. It drifted
 // from api/plans.yaml on every tier change (every paid tier was wrong at one
@@ -144,33 +145,47 @@ export function OverviewPage() {
 
   // computed stats — no /overview endpoint exists, derived client-side.
   //
-  // D6 (2026-05-18): storage now uses server-supplied per-resource limits.
-  // Both the used total and the limit total come from the same byte-count
-  // fields (`storage_bytes` / `storage_limit_bytes`) and are converted with
-  // the same binary base — so the numerator and denominator no longer mix
-  // decimal MB with binary MiB. A resource with `storage_limit_bytes < 0`
-  // is unlimited; if any resource is unlimited the tile drops the % bar.
-  const totalStorageBytes = resources.reduce((s, r) => s + r.storage_bytes, 0)
-  const storageUnlimited = resources.some((r) => (r.storage_limit_bytes ?? 0) < 0)
-  const totalStorageLimitBytes = resources.reduce(
-    (s, r) => s + ((r.storage_limit_bytes ?? 0) > 0 ? r.storage_limit_bytes : 0),
-    0,
-  )
-  const totalStorageGiB = totalStorageBytes / BYTES_PER_GIB
-  const totalStorageLimitGiB = totalStorageLimitBytes / BYTES_PER_GIB
+  // OBJECT-STORAGE TILE (2026-06-11 tile-accuracy fix).
+  //
+  // The tile previously summed `storage_limit_bytes` across EVERY resource for
+  // the denominator. That conflated unlike services — a Pro user's "STORAGE"
+  // denominator read ~81 GiB because it added object storage (50 GB) + pg
+  // (10 GB) + mongo (5 GB) + vector (10 GB) + queue (…) into one number, which
+  // is meaningless as a single "storage" figure. The honest tile reflects the
+  // OBJECT-STORE cap specifically (plans.yaml storage_storage_mb — 50 GB on
+  // Pro), bound from the per-tier registry mirror so a tier change can't drift
+  // it. The numerator is the bytes used by the user's `storage`-type resources
+  // (the object store), not every resource's bytes.
+  const objectStorageBytes = resources
+    .filter((r) => r.resource_type === 'storage')
+    .reduce((s, r) => s + r.storage_bytes, 0)
+  const objectStorageLimitGB = objectStorageLimitGBFor(tier) // -1 → unlimited
+  const storageUnlimited = objectStorageLimitGB < 0
+  // Bytes-vs-decimal-GB note: plans.yaml states the object cap in decimal GB
+  // ("50 GB"). storage_bytes is a raw byte count. We render the used figure in
+  // GiB (binary) for the numerator since that's the on-disk unit, and the cap
+  // in GB (decimal) to match the published tier number — they're labelled
+  // distinctly (used "GiB" vs the cap), and the % bar divides like-for-like by
+  // converting the cap to bytes with the decimal base it was authored in.
+  const objectStorageLimitBytes = storageUnlimited ? -1 : objectStorageLimitGB * 1000 * 1000 * 1000
+  const totalStorageGiB = objectStorageBytes / BYTES_PER_GIB
   const storagePct =
-    !storageUnlimited && totalStorageLimitBytes > 0
-      ? Math.round((totalStorageBytes / totalStorageLimitBytes) * 100)
+    !storageUnlimited && objectStorageLimitBytes > 0
+      ? Math.round((objectStorageBytes / objectStorageLimitBytes) * 100)
       : 0
   // Connections tile: the API never emits `connections_in_use`, so a numerator
   // sourced from it is always 0 — show the per-tier connection ceiling only.
-  // `-1` (team/growth unlimited) is excluded from the sum so it can't corrupt
-  // the denominator; if any resource is unlimited the tile reports ∞.
-  const connUnlimited = resources.some((r) => (r.connections_limit ?? 0) < 0)
-  const connLim = resources.reduce(
-    (s, r) => s + ((r.connections_limit ?? 0) > 0 ? (r.connections_limit as number) : 0),
-    0,
-  )
+  //
+  // 2026-06-11 fix: the ceiling now comes from the per-tier registry
+  // (connectionLimitFor), NOT from summing per-resource `connections_limit`.
+  // The old sum flipped the whole tile to ∞ the instant ANY resource carried
+  // connections_limit < 0 — and redis/queue/storage/webhook are legitimately
+  // -1 (they take no SQL-style connections). So a Pro user (cap 20) with a
+  // single Redis saw "∞ unlimited". The tier's connection-bearing cap
+  // (postgres == mongodb == vector) is the honest number; it's only ∞ when
+  // plans.yaml itself sets that cap to -1 (no tier does today).
+  const connLim = connectionLimitFor(tier)
+  const connUnlimited = connLim < 0
   const recent = [...resources].sort((a, b) => +new Date(b.created_at) - +new Date(a.created_at)).slice(0, 4)
 
   const now = Date.now()
@@ -186,13 +201,13 @@ export function OverviewPage() {
   const deployHealthy = deployments.filter((d) => d.status === 'running').length
   const webhookCount = resources.filter((r) => r.resource_type === 'webhook').length
 
-  const storageSub =
-    resources.length === 0
-      ? tier
-      : storageUnlimited
-        ? `unlimited · ${tier} tier`
-        : `${storagePct}% of ${tier} tier`
-  const connSub = connUnlimited ? 'unlimited' : connLim === 0 ? '' : `${connLim} max`
+  const storageSub = storageUnlimited
+    ? `unlimited · ${tier} tier`
+    : `${storagePct}% of ${tier} object cap`
+  // Connection tile sub-line: name the connection-bearing services so the
+  // number isn't read as "every resource". Postgres/Mongo/Vector share the
+  // same per-tier cap today, so one figure is honest for all three.
+  const connSub = connUnlimited ? 'unlimited' : `${connLim} per db · ${tier} tier`
   const deploySub = deployCount === 0 ? 'none yet' : `${deployHealthy}/${deployCount} healthy`
   const vaultSub = vaultCount === 0 ? '' : `scoped to ${env}`
 
@@ -214,20 +229,23 @@ export function OverviewPage() {
             Wire up real series in a follow-up (W7-G) once /api/v1/
             stats/series is live. */}
         <Stat k="resources" v={loading ? '—' : envScopedCount.toString()} d={newThisWeek === 0 ? '—' : `+${newThisWeek} this week`} series={undefined} />
-        {/* Storage tile — used + limit both in binary GiB from the server's
-            per-resource byte counts. "∞" denominator when any resource is
-            unlimited (team/growth-tier headroom). */}
+        {/* Object-storage tile — used (object-store bytes, binary GiB) over the
+            tier's object-store cap (plans.yaml storage_storage_mb, shown in the
+            published GB). NOT a sum across pg/mongo/vector/queue. "∞" only when
+            the tier's object cap is itself unlimited (no tier today). */}
         <Stat
-          k={`storage / ${storageUnlimited || totalStorageLimitGiB <= 0 ? '∞' : totalStorageLimitGiB.toFixed(1)} GiB`}
+          k={`object storage / ${storageUnlimited ? '∞' : `${objectStorageLimitGB} GB`}`}
           v={loading ? '—' : totalStorageGiB.toFixed(2)}
           unit="GiB"
           d={storageSub}
           dCls="dim"
           series={undefined}
         />
-        {/* Connections tile shows the aggregate per-tier connection ceiling.
-            The API does not emit a live in-use count, so a numerator would
-            always read 0 — show the ceiling honestly instead. */}
+        {/* Connection-limit tile shows the tier's per-database connection
+            ceiling (postgres/mongodb/vector share it). The API emits no live
+            in-use count, so the ceiling is the honest figure. Bound to the
+            per-tier registry, not a per-resource sum (which used to read ∞ the
+            moment a redis/queue resource — legitimately -1 — was present). */}
         <Stat k="connection limit" v={loading ? '—' : connUnlimited ? '∞' : connLim.toString()} d={connSub} dCls="dim" series={undefined} />
         <Stat k="deployments" v={loading ? '—' : deployCount.toString()} d={deploySub} series={undefined} />
         <Stat k="webhooks · 24h" v={loading ? '—' : webhookCount.toString()} d="" series={undefined} />
@@ -365,25 +383,46 @@ export function OverviewPage() {
               and is out of scope for FIX-G. */}
           <Card title="Recent activity" right="last 20 events" className="" style={{ padding: 0 }}>
             <div className="feed">
-              {activity.map((a) => (
-                <div key={a.id} className="feed-row">
-                  <span className={`dot ${a.level}`} />
-                  {/* W12 XSS hardening (2026-05-14): a.text used to be
-                      rendered via dangerouslySetInnerHTML so server-emitted
-                      <strong>/<code> tags would format. The risk: if any
-                      future server path interpolated a user-controlled
-                      resource name into a summary, that name would execute
-                      as HTML. The current /api/v1/audit summaries never
-                      include user-controlled bytes, but the client-side
-                      synth fallback in api/index.ts did. We now render
-                      activity text as plain JSX. Bold formatting goes
-                      away; XSS surface closes. Follow-up: switch the
-                      server to emit structured fields ({event, resource_name})
-                      so the client can format safely with JSX. */}
-                  <span className="text">{stripHtmlTags(a.text)}</span>
-                  <RelTime at={a.at} />
-                </div>
-              ))}
+              {/* 2026-06-11: drop rows whose summary is empty after tag-strip.
+                  A Pro account with real resources was rendering ~20 blank "—"
+                  feed rows: the audit endpoint returned events whose `summary`
+                  was empty/whitespace, and the old map painted one content-less
+                  row each. Rendering blank rows is worse than rendering fewer —
+                  filter to rows with real text, then show a single honest
+                  empty-state if nothing survives (rather than a wall of "—"). */}
+              {(() => {
+                const rows = activity
+                  .map((a) => ({ ...a, body: stripHtmlTags(a.text).trim() }))
+                  .filter((a) => a.body.length > 0)
+                if (rows.length === 0) {
+                  return (
+                    <div
+                      className="feed-row"
+                      data-testid="recent-activity-empty"
+                      style={{ gridTemplateColumns: '1fr', color: 'var(--text-faint)', fontSize: 12.5 }}
+                    >
+                      {loading ? 'loading activity…' : 'no activity yet — your agent’s actions show up here'}
+                    </div>
+                  )
+                }
+                return rows.map((a) => (
+                  <div key={a.id} className="feed-row">
+                    <span className={`dot ${a.level}`} />
+                    {/* W12 XSS hardening (2026-05-14): a.text used to be
+                        rendered via dangerouslySetInnerHTML so server-emitted
+                        <strong>/<code> tags would format. The risk: if any
+                        future server path interpolated a user-controlled
+                        resource name into a summary, that name would execute
+                        as HTML. The current /api/v1/audit summaries never
+                        include user-controlled bytes, but the client-side
+                        synth fallback in api/index.ts did. We now render
+                        activity text as plain JSX. Bold formatting goes
+                        away; XSS surface closes. */}
+                    <span className="text">{a.body}</span>
+                    <RelTime at={a.at} />
+                  </div>
+                ))
+              })()}
             </div>
           </Card>
         </div>
diff --git a/src/pages/OverviewPage.unlimited.test.tsx b/src/pages/OverviewPage.unlimited.test.tsx
new file mode 100644
index 0000000..61e5faa
--- /dev/null
+++ b/src/pages/OverviewPage.unlimited.test.tsx
@@ -0,0 +1,72 @@
+/* OverviewPage.unlimited.test.tsx — exercises the storage-tile unlimited (∞)
+ * branch. No tier in plans.yaml has an unlimited object-storage cap today, so
+ * the only way to reach the `storageUnlimited ? '∞'` path (and cover that line)
+ * is to mock the per-tier limit helper to return -1. This guarantees the tile
+ * renders ∞ honestly if a future tier ever sets storage_storage_mb: -1. */
+
+import { describe, it, expect, afterEach, vi } from 'vitest'
+import { render, cleanup, waitFor } from '@testing-library/react'
+import { MemoryRouter } from 'react-router-dom'
+
+const listResourcesMock = vi.fn().mockResolvedValue({ ok: true, items: [], total: 0 })
+const fetchActivityMock = vi.fn().mockResolvedValue({ ok: true, items: [] })
+const listDeploymentsMock = vi.fn().mockResolvedValue({ ok: true, items: [], total: 0 })
+
+vi.mock('../api', async () => {
+  const actual = await vi.importActual<typeof import('../api')>('../api')
+  return {
+    ...actual,
+    listResources: (...a: unknown[]) => listResourcesMock(...a),
+    fetchActivity: (...a: unknown[]) => fetchActivityMock(...a),
+    listDeployments: (...a: unknown[]) => listDeploymentsMock(...a),
+  }
+})
+
+vi.mock('../hooks/useDashboardCtx', () => ({ useDashboardCtx: vi.fn() }))
+
+// Force the object-storage cap to -1 (unlimited) for this suite only.
+vi.mock('../lib/planLimits', async () => {
+  const actual = await vi.importActual<typeof import('../lib/planLimits')>('../lib/planLimits')
+  return {
+    ...actual,
+    objectStorageLimitGBFor: () => -1,
+  }
+})
+
+import { OverviewPage } from './OverviewPage'
+import { useDashboardCtx } from '../hooks/useDashboardCtx'
+
+afterEach(() => {
+  cleanup()
+  vi.clearAllMocks()
+})
+
+describe('Overview object-storage tile — unlimited (∞) branch', () => {
+  it('renders "∞" in the tile label when the tier object cap is -1', async () => {
+    vi.mocked(useDashboardCtx).mockReturnValue({
+      me: { user: { id: 'u', email: 'e', tier: 'team' }, team: { id: 't', slug: 's', name: 's', tier: 'team' } },
+      meErr: null,
+      meLoading: false,
+      env: 'production',
+      envs: ['production'],
+      counts: { resources: 0, deployments: 0, vault: 0, team: 1 },
+      resources: [],
+    } as never)
+
+    const { container } = render(
+      <MemoryRouter>
+        <OverviewPage />
+      </MemoryRouter>,
+    )
+    await waitFor(() => expect(listResourcesMock).toHaveBeenCalled())
+
+    const tiles = Array.from(container.querySelectorAll('.stat .k'))
+    const objTile = tiles.find((k) => (k.textContent ?? '').includes('object storage'))
+    expect(objTile).toBeTruthy()
+    expect(objTile!.textContent).toContain('∞')
+    // sub-line also reflects unlimited
+    await waitFor(() => {
+      expect(container.textContent).toContain('unlimited · team tier')
+    })
+  })
+})
diff --git a/src/pages/PricingPage.tsx b/src/pages/PricingPage.tsx
index e200ab7..6fbeb49 100644
--- a/src/pages/PricingPage.tsx
+++ b/src/pages/PricingPage.tsx
@@ -808,7 +808,10 @@ function PricingStyles() {
       .pricing-feature-label { font-weight: 500; font-size: 13px; }
       .pricing-feature-sub {
         font-family: var(--font-mono);
-        font-size: 10.5px; color: var(--text-faint);
+        /* WCAG AA: --text-muted (5.1:1 on --surface) not --text-faint (2.4:1).
+           These uppercase sub-labels ("NATS STORAGE", "PGVECTOR", "24h ttl")
+           are real content the user reads. */
+        font-size: 10.5px; color: var(--text-muted);
         text-transform: uppercase; letter-spacing: 0.06em;
       }
 
diff --git a/src/styles/contrast.test.ts b/src/styles/contrast.test.ts
new file mode 100644
index 0000000..be9e364
--- /dev/null
+++ b/src/styles/contrast.test.ts
@@ -0,0 +1,78 @@
+/* contrast.test.ts — WCAG AA guard for the de-emphasized text tokens.
+ *
+ * A live a11y dogfood found the pricing-page sub-labels (.pricing-feature-sub)
+ * and the footer column headers (.public-footer-h / .mkt-footer-col h3) using
+ * --text-faint (#50505a), which clears only ~2.4:1 on the dark surface — well
+ * under WCAG AA's 4.5:1 floor for normal text. The fix routes those READ-content
+ * labels through a new --text-muted token.
+ *
+ * This test reads the actual hex values out of tokens.css (so it can't drift
+ * from the stylesheet) and asserts:
+ *   - --text-muted clears AA (>=4.5:1) on every dark + light surface
+ *   - --text-faint still FAILS AA on the dark surface (documents WHY the
+ *     faint tier must not be used for readable text — if someone "fixes" faint
+ *     to pass, this assertion flags that the two tiers have merged and the
+ *     muted indirection is now redundant)
+ */
+
+import { describe, it, expect } from 'vitest'
+import { readFileSync } from 'node:fs'
+import { fileURLToPath } from 'node:url'
+import { dirname, join } from 'node:path'
+
+const here = dirname(fileURLToPath(import.meta.url))
+const css = readFileSync(join(here, 'tokens.css'), 'utf8')
+
+// Relative luminance + WCAG contrast ratio (WCAG 2.x formula).
+function luminance(hex: string): number {
+  const h = hex.replace('#', '')
+  const [r, g, b] = [0, 2, 4].map((i) => parseInt(h.slice(i, i + 2), 16) / 255)
+  const lin = (c: number) => (c <= 0.03928 ? c / 12.92 : ((c + 0.055) / 1.055) ** 2.4)
+  return 0.2126 * lin(r) + 0.7152 * lin(g) + 0.0722 * lin(b)
+}
+function ratio(a: string, b: string): number {
+  const la = luminance(a)
+  const lb = luminance(b)
+  const [hi, lo] = la > lb ? [la, lb] : [lb, la]
+  return (hi + 0.05) / (lo + 0.05)
+}
+
+// Pull a token value out of the FIRST :root block (dark theme defaults).
+function darkToken(name: string): string {
+  const root = css.slice(css.indexOf(':root'))
+  const m = root.match(new RegExp(`${name}:\\s*(#[0-9a-fA-F]{6})`))
+  if (!m) throw new Error(`dark token ${name} not found`)
+  return m[1]
+}
+// Pull from the explicit light-theme block.
+function lightToken(name: string): string {
+  const block = css.slice(css.indexOf("html[data-theme='light']"))
+  const m = block.match(new RegExp(`${name}:\\s*(#[0-9a-fA-F]{6})`))
+  if (!m) throw new Error(`light token ${name} not found`)
+  return m[1]
+}
+
+const AA = 4.5
+
+describe('--text-muted clears WCAG AA on every surface', () => {
+  it('dark mode: muted vs --surface and --ink both >= 4.5:1', () => {
+    const muted = darkToken('--text-muted')
+    expect(ratio(muted, darkToken('--surface'))).toBeGreaterThanOrEqual(AA)
+    expect(ratio(muted, darkToken('--ink'))).toBeGreaterThanOrEqual(AA)
+  })
+
+  it('light mode: muted vs --surface and --ink both >= 4.5:1', () => {
+    const muted = lightToken('--text-muted')
+    expect(ratio(muted, lightToken('--surface'))).toBeGreaterThanOrEqual(AA)
+    expect(ratio(muted, lightToken('--ink'))).toBeGreaterThanOrEqual(AA)
+  })
+})
+
+describe('--text-faint documents why it cannot back readable labels', () => {
+  it('dark --text-faint still fails AA on --surface (the original bug color)', () => {
+    const faint = darkToken('--text-faint')
+    const r = ratio(faint, darkToken('--surface'))
+    // ~2.4:1 — kept faint on purpose for ghost/decorative use only.
+    expect(r).toBeLessThan(AA)
+  })
+})
diff --git a/src/styles/tokens.css b/src/styles/tokens.css
index 03f262b..c54f93f 100644
--- a/src/styles/tokens.css
+++ b/src/styles/tokens.css
@@ -13,6 +13,14 @@
   --border-hi: #2c2c38;
   --text: #f4f4f6;
   --text-dim: #91919c;
+  /* --text-muted: AA-passing tier for SMALL, de-emphasized labels that must
+     still be readable (pricing feature sub-labels, footer column headers).
+     --text-faint (#50505a) is intentionally a ghost tier and clears only
+     ~2.4:1 on --surface, which fails WCAG AA (≥4.5:1) for the ~10.5px
+     uppercase sub-labels. #82828e clears 5.1:1 on --surface (#0d0d11) and
+     5.3:1 on --ink (#08080a). Use --text-muted, not --text-faint, for any
+     text the user is expected to read. */
+  --text-muted: #82828e;
   --text-faint: #50505a;
   --text-ghost: #2a2a33;
 
@@ -70,6 +78,9 @@ html[data-theme='light'] {
   --border-hi: #c4c6ce;
   --text: #18181c;
   --text-dim: #4d4d57;
+  /* Light-mode --text-muted: #62626c clears 6.0:1 on white / 5.7:1 on --ink
+     (#f7f8fa) — comfortably past AA for the small sub-labels. */
+  --text-muted: #62626c;
   --text-faint: #80808a;
   --text-ghost: #d1d3da;
 
@@ -98,6 +109,9 @@ html[data-theme='light'] {
     --border-hi: #c4c6ce;
     --text: #18181c;
     --text-dim: #4d4d57;
+    /* Light-mode --text-muted (system-preference path) — mirror the explicit
+       data-theme=light value above. */
+    --text-muted: #62626c;
     --text-faint: #80808a;
     --text-ghost: #d1d3da;