diff --git a/Cargo.lock b/Cargo.lock
index cc158053..5f97a7c3 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -370,24 +370,12 @@ dependencies = [
  "syn",
 ]
 
-[[package]]
-name = "base16ct"
-version = "0.2.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4c7f02d4ea65f2c1853089ffd8d2787bdbc63de2f0d29dedbcf8ccdfa0ccd4cf"
-
 [[package]]
 name = "base64"
 version = "0.13.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9e1b586273c5702936fe7b7d6896644d8be71e6314cfe09d3167c95f712589e8"
 
-[[package]]
-name = "base64"
-version = "0.21.7"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9d297deb1925b89f2ccc13d7635fa0714f12c87adce1c75356b39ca9b7178567"
-
 [[package]]
 name = "base64"
 version = "0.22.1"
@@ -451,15 +439,6 @@ dependencies = [
  "hybrid-array",
 ]
 
-[[package]]
-name = "bs58"
-version = "0.5.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bf88ba1141d185c399bee5288d850d63b8369520c1eafc32a0430b5b6c287bf4"
-dependencies = [
- "tinyvec",
-]
-
 [[package]]
 name = "built"
 version = "0.8.0"
@@ -793,18 +772,6 @@ version = "0.2.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "460fbee9c2c2f33933d720630a6a0bac33ba7053db5344fac858d4b8952d77d5"
 
-[[package]]
-name = "crypto-bigint"
-version = "0.5.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0dc92fb57ca44df6db8059111ab3af99a63d5d0f8375d9972e319a379c6bab76"
-dependencies = [
- "generic-array",
- "rand_core 0.6.4",
- "subtle",
- "zeroize",
-]
-
 [[package]]
 name = "crypto-common"
 version = "0.1.7"
@@ -876,18 +843,8 @@ version = "0.20.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "fc7f46116c46ff9ab3eb1597a45688b6715c6e628b5c133e288e709a29bcb4ee"
 dependencies = [
- "darling_core 0.20.11",
- "darling_macro 0.20.11",
-]
-
-[[package]]
-name = "darling"
-version = "0.23.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "25ae13da2f202d56bd7f91c25fba009e7717a1e4a1cc98a76d844b65ae912e9d"
-dependencies = [
- "darling_core 0.23.0",
- "darling_macro 0.23.0",
+ "darling_core",
+ "darling_macro",
 ]
 
 [[package]]
@@ -904,37 +861,13 @@ dependencies = [
  "syn",
 ]
 
-[[package]]
-name = "darling_core"
-version = "0.23.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9865a50f7c335f53564bb694ef660825eb8610e0a53d3e11bf1b0d3df31e03b0"
-dependencies = [
- "ident_case",
- "proc-macro2",
- "quote",
- "strsim",
- "syn",
-]
-
 [[package]]
 name = "darling_macro"
 version = "0.20.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "fc34b93ccb385b40dc71c6fceac4b2ad23662c7eeb248cf10d529b7e055b6ead"
 dependencies = [
- "darling_core 0.20.11",
- "quote",
- "syn",
-]
-
-[[package]]
-name = "darling_macro"
-version = "0.23.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ac3984ec7bd6cfa798e62b4a642426a5be0e68f9401cfc2a01e3fa9ea2fcdb8d"
-dependencies = [
- "darling_core 0.23.0",
+ "darling_core",
  "quote",
  "syn",
 ]
@@ -991,16 +924,6 @@ dependencies = [
  "zeroize",
 ]
 
-[[package]]
-name = "deranged"
-version = "0.5.8"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7cd812cc2bc1d69d4764bd80df88b4317eaef9e773c75226407d9bc0876b211c"
-dependencies = [
- "powerfmt",
- "serde_core",
-]
-
 [[package]]
 name = "derive_builder"
 version = "0.20.2"
@@ -1016,7 +939,7 @@ version = "0.20.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2d5bcf7b024d6835cfb3d473887cd966994907effbe9227e8c8219824d06c4e8"
 dependencies = [
- "darling 0.20.11",
+ "darling",
  "proc-macro2",
  "quote",
  "syn",
@@ -1100,26 +1023,6 @@ version = "1.0.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "92773504d58c093f6de2459af4af33faa518c13451eb8f2b5698ed3d36e7c813"
 
-[[package]]
-name = "dyn-clone"
-version = "1.0.20"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d0881ea181b1df73ff77ffaaf9c7544ecc11e82fba9b5f27b262a3c73a332555"
-
-[[package]]
-name = "ecdsa"
-version = "0.16.9"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ee27f32b5c5292967d2d4a9d7f1e0b0aed2c15daded5a60300e4abb9d8020bca"
-dependencies = [
- "der",
- "digest 0.10.7",
- "elliptic-curve",
- "rfc6979",
- "signature",
- "spki",
-]
-
 [[package]]
 name = "ed25519"
 version = "2.2.3"
@@ -1154,27 +1057,6 @@ dependencies = [
  "serde",
 ]
 
-[[package]]
-name = "elliptic-curve"
-version = "0.13.8"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b5e6043086bf7973472e0c7dff2142ea0b680d30e18d9cc40f267efbf222bd47"
-dependencies = [
- "base16ct",
- "crypto-bigint",
- "digest 0.10.7",
- "ff",
- "generic-array",
- "group",
- "hkdf",
- "pem-rfc7468",
- "pkcs8",
- "rand_core 0.6.4",
- "sec1",
- "subtle",
- "zeroize",
-]
-
 [[package]]
 name = "encode_unicode"
 version = "1.0.0"
@@ -1307,16 +1189,6 @@ dependencies = [
  "simd-adler32",
 ]
 
-[[package]]
-name = "ff"
-version = "0.13.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c0b50bfb653653f9ca9095b427bed08ab8d75a137839d9ad64eb11810d5b6393"
-dependencies = [
- "rand_core 0.6.4",
- "subtle",
-]
-
 [[package]]
 name = "fiat-crypto"
 version = "0.2.9"
@@ -1531,7 +1403,6 @@ checksum = "85649ca51fd72272d7821adaf274ad91c288277713d9c18820d8499a7ff69e9a"
 dependencies = [
  "typenum",
  "version_check",
- "zeroize",
 ]
 
 [[package]]
@@ -1638,17 +1509,6 @@ dependencies = [
  "web-time",
 ]
 
-[[package]]
-name = "group"
-version = "0.13.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f0f9ef7462f7c099f518d754361858f86d8a07af53ba9af0fe635bbccb151a63"
-dependencies = [
- "ff",
- "rand_core 0.6.4",
- "subtle",
-]
-
 [[package]]
 name = "h2"
 version = "0.4.14"
@@ -1661,7 +1521,7 @@ dependencies = [
  "futures-core",
  "futures-sink",
  "http",
- "indexmap 2.13.0",
+ "indexmap",
  "slab",
  "tokio",
  "tokio-util",
@@ -1679,12 +1539,6 @@ dependencies = [
  "zerocopy",
 ]
 
-[[package]]
-name = "hashbrown"
-version = "0.12.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8a9ee70c43aaf417c914396645a0fa852624801b24ebb7ae78fe8272889ac888"
-
 [[package]]
 name = "hashbrown"
 version = "0.14.5"
@@ -1888,7 +1742,6 @@ dependencies = [
  "tokio",
  "tokio-rustls",
  "tower-service",
- "webpki-roots 1.0.7",
 ]
 
 [[package]]
@@ -2123,17 +1976,6 @@ version = "1.12.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "40fac9d56ed6437b198fddba683305e8e2d651aa42647f00f5ae542e7f5c94a2"
 
-[[package]]
-name = "indexmap"
-version = "1.9.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bd070e393353796e801d209ad339e89596eb4c8d430d18ede6a1cced8fafbd99"
-dependencies = [
- "autocfg",
- "hashbrown 0.12.3",
- "serde",
-]
-
 [[package]]
 name = "indexmap"
 version = "2.13.0"
@@ -2220,15 +2062,6 @@ version = "1.70.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a6cb138bb79a146c1bd460005623e142ef0181e3d0219cb493e02f7d08a35695"
 
-[[package]]
-name = "itertools"
-version = "0.10.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b0fd2260e829bddf4cb6ea802289de2f86d6a7a690192fbe91b3f46e0f2c8473"
-dependencies = [
- "either",
-]
-
 [[package]]
 name = "itertools"
 version = "0.14.0"
@@ -2714,12 +2547,6 @@ dependencies = [
  "num-traits",
 ]
 
-[[package]]
-name = "num-conv"
-version = "0.2.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "521739c6d2bac4aa25192232afe6841231376b2b26d4d9fae5ecf8ca5772e441"
-
 [[package]]
 name = "num-derive"
 version = "0.4.2"
@@ -2788,26 +2615,6 @@ version = "0.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "830b246a0e5f20af87141b25c173cd1b609bd7779a4617d6ec582abaf90870f3"
 
-[[package]]
-name = "oauth2"
-version = "5.0.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "51e219e79014df21a225b1860a479e2dcd7cbd9130f4defd4bd0e191ea31d67d"
-dependencies = [
- "base64 0.22.1",
- "chrono",
- "getrandom 0.2.17",
- "http",
- "rand 0.8.6",
- "reqwest 0.12.28",
- "serde",
- "serde_json",
- "serde_path_to_error",
- "sha2 0.10.9",
- "thiserror 1.0.69",
- "url",
-]
-
 [[package]]
 name = "once_cell"
 version = "1.21.4"
@@ -2859,37 +2666,6 @@ dependencies = [
  "pathdiff",
 ]
 
-[[package]]
-name = "openidconnect"
-version = "4.0.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0d8c6709ba2ea764bbed26bce1adf3c10517113ddea6f2d4196e4851757ef2b2"
-dependencies = [
- "base64 0.21.7",
- "chrono",
- "dyn-clone",
- "ed25519-dalek",
- "hmac 0.12.1",
- "http",
- "itertools 0.10.5",
- "log",
- "oauth2",
- "p256",
- "p384",
- "rand 0.8.6",
- "rsa",
- "serde",
- "serde-value",
- "serde_json",
- "serde_path_to_error",
- "serde_plain",
- "serde_with",
- "sha2 0.10.9",
- "subtle",
- "thiserror 1.0.69",
- "url",
-]
-
 [[package]]
 name = "openssl"
 version = "0.10.80"
@@ -2945,15 +2721,6 @@ version = "0.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "04744f49eae99ab78e0d5c0b603ab218f515ea8cfe5a456d7629ad883a3b6e7d"
 
-[[package]]
-name = "ordered-float"
-version = "2.10.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "68f19d67e5a2795c94e73e0bb1cc1a7edeb2e28efd39e2e1c9b7a40c1108b11c"
-dependencies = [
- "num-traits",
-]
-
 [[package]]
 name = "ort"
 version = "2.0.0-rc.9"
@@ -2978,30 +2745,6 @@ dependencies = [
  "ureq",
 ]
 
-[[package]]
-name = "p256"
-version = "0.13.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c9863ad85fa8f4460f9c48cb909d38a0d689dba1f6f6988a5e3e0d31071bcd4b"
-dependencies = [
- "ecdsa",
- "elliptic-curve",
- "primeorder",
- "sha2 0.10.9",
-]
-
-[[package]]
-name = "p384"
-version = "0.13.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fe42f1670a52a47d448f14b6a5c61dd78fce51856e68edaa38f7ae3a46b8d6b6"
-dependencies = [
- "ecdsa",
- "elliptic-curve",
- "primeorder",
- "sha2 0.10.9",
-]
-
 [[package]]
 name = "parking"
 version = "2.2.1"
@@ -3192,12 +2935,6 @@ dependencies = [
  "zerovec",
 ]
 
-[[package]]
-name = "powerfmt"
-version = "0.2.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "439ee305def115ba05938db6eb1644ff94165c5ab5e9420d1c1bcedbba909391"
-
 [[package]]
 name = "ppv-lite86"
 version = "0.2.21"
@@ -3217,15 +2954,6 @@ dependencies = [
  "syn",
 ]
 
-[[package]]
-name = "primeorder"
-version = "0.13.6"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "353e1ca18966c16d9deb1c69278edbc5f194139612772bd9537af60ac231e1e6"
-dependencies = [
- "elliptic-curve",
-]
-
 [[package]]
 name = "proc-macro2"
 version = "1.0.106"
@@ -3436,7 +3164,7 @@ dependencies = [
  "built",
  "cfg-if",
  "interpolate_name",
- "itertools 0.14.0",
+ "itertools",
  "libc",
  "libfuzzer-sys",
  "log",
@@ -3502,7 +3230,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2964d0cf57a3e7a06e8183d14a8b527195c706b7983549cd5462d5aa3747438f"
 dependencies = [
  "either",
- "itertools 0.14.0",
+ "itertools",
  "rayon",
 ]
 
@@ -3545,26 +3273,6 @@ dependencies = [
  "thiserror 2.0.18",
 ]
 
-[[package]]
-name = "ref-cast"
-version = "1.0.25"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f354300ae66f76f1c85c5f84693f0ce81d747e2c3f21a45fef496d89c960bf7d"
-dependencies = [
- "ref-cast-impl",
-]
-
-[[package]]
-name = "ref-cast-impl"
-version = "1.0.25"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b7186006dcb21920990093f30e3dea63b7d6e977bf1256be20c3563a5db070da"
-dependencies = [
- "proc-macro2",
- "quote",
- "syn",
-]
-
 [[package]]
 name = "regex"
 version = "1.12.3"
@@ -3619,8 +3327,6 @@ dependencies = [
  "native-tls",
  "percent-encoding",
  "pin-project-lite",
- "quinn",
- "rustls",
  "rustls-pki-types",
  "serde",
  "serde_json",
@@ -3628,7 +3334,6 @@ dependencies = [
  "sync_wrapper",
  "tokio",
  "tokio-native-tls",
- "tokio-rustls",
  "tokio-util",
  "tower",
  "tower-http",
@@ -3638,7 +3343,6 @@ dependencies = [
  "wasm-bindgen-futures",
  "wasm-streams",
  "web-sys",
- "webpki-roots 1.0.7",
 ]
 
 [[package]]
@@ -3681,16 +3385,6 @@ dependencies = [
  "web-sys",
 ]
 
-[[package]]
-name = "rfc6979"
-version = "0.4.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f8dd2a808d456c4a54e300a23e9f5a67e122c3024119acbfd73e3bf664491cb2"
-dependencies = [
- "hmac 0.12.1",
- "subtle",
-]
-
 [[package]]
 name = "rgb"
 version = "0.8.53"
@@ -3866,50 +3560,12 @@ dependencies = [
  "windows-sys 0.61.2",
 ]
 
-[[package]]
-name = "schemars"
-version = "0.9.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4cd191f9397d57d581cddd31014772520aa448f65ef991055d7f61582c65165f"
-dependencies = [
- "dyn-clone",
- "ref-cast",
- "serde",
- "serde_json",
-]
-
-[[package]]
-name = "schemars"
-version = "1.2.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a2b42f36aa1cd011945615b92222f6bf73c599a102a300334cd7f8dbeec726cc"
-dependencies = [
- "dyn-clone",
- "ref-cast",
- "serde",
- "serde_json",
-]
-
 [[package]]
 name = "scopeguard"
 version = "1.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"
 
-[[package]]
-name = "sec1"
-version = "0.7.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d3e97a565f76233a6003f9f5c54be1d9c5bdfa3eccfb189469f11ec4901c47dc"
-dependencies = [
- "base16ct",
- "der",
- "generic-array",
- "pkcs8",
- "subtle",
- "zeroize",
-]
-
 [[package]]
 name = "security-framework"
 version = "3.7.0"
@@ -3949,16 +3605,6 @@ dependencies = [
  "serde_derive",
 ]
 
-[[package]]
-name = "serde-value"
-version = "0.7.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f3a1a3341211875ef120e117ea7fd5228530ae7e7036a779fdc9117be6b3282c"
-dependencies = [
- "ordered-float",
- "serde",
-]
-
 [[package]]
 name = "serde_core"
 version = "1.0.228"
@@ -4003,15 +3649,6 @@ dependencies = [
  "serde_core",
 ]
 
-[[package]]
-name = "serde_plain"
-version = "1.0.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9ce1fc6db65a611022b23a0dec6975d63fb80a302cb3388835ff02c097258d50"
-dependencies = [
- "serde",
-]
-
 [[package]]
 name = "serde_urlencoded"
 version = "0.7.1"
@@ -4024,38 +3661,6 @@ dependencies = [
  "serde",
 ]
 
-[[package]]
-name = "serde_with"
-version = "3.20.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e72c1c2cb7b223fafb600a619537a871c2818583d619401b785e7c0b746ccde2"
-dependencies = [
- "base64 0.22.1",
- "bs58",
- "chrono",
- "hex",
- "indexmap 1.9.3",
- "indexmap 2.13.0",
- "schemars 0.9.0",
- "schemars 1.2.1",
- "serde_core",
- "serde_json",
- "serde_with_macros",
- "time",
-]
-
-[[package]]
-name = "serde_with_macros"
-version = "3.20.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b90c488738ecb4fb0262f41f43bc40efc5868d9fb744319ddf5f5317f417bfac"
-dependencies = [
- "darling 0.23.0",
- "proc-macro2",
- "quote",
- "syn",
-]
-
 [[package]]
 name = "sha1"
 version = "0.10.6"
@@ -4247,7 +3852,7 @@ dependencies = [
  "futures-util",
  "hashbrown 0.15.5",
  "hashlink",
- "indexmap 2.13.0",
+ "indexmap",
  "log",
  "memchr",
  "once_cell",
@@ -4591,37 +4196,6 @@ dependencies = [
  "zune-jpeg",
 ]
 
-[[package]]
-name = "time"
-version = "0.3.47"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "743bd48c283afc0388f9b8827b976905fb217ad9e647fae3a379a9283c4def2c"
-dependencies = [
- "deranged",
- "itoa",
- "num-conv",
- "powerfmt",
- "serde_core",
- "time-core",
- "time-macros",
-]
-
-[[package]]
-name = "time-core"
-version = "0.1.8"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7694e1cfe791f8d31026952abf09c69ca6f6fa4e1a1229e18988f06a04a12dca"
-
-[[package]]
-name = "time-macros"
-version = "0.2.27"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2e70e4c5a0e0a8a4823ad65dfe1a6930e4f4d756dcd9dd7939022b5e8c501215"
-dependencies = [
- "num-conv",
- "time-core",
-]
-
 [[package]]
 name = "tinystr"
 version = "0.8.2"
@@ -4660,7 +4234,7 @@ dependencies = [
  "derive_builder",
  "esaxx-rs",
  "getrandom 0.3.4",
- "itertools 0.14.0",
+ "itertools",
  "log",
  "macro_rules_attribute",
  "monostate",
@@ -4789,7 +4363,7 @@ checksum = "ebe5ef63511595f1344e2d5cfa636d973292adc0eec1f0ad45fae9f0851ab1d4"
 dependencies = [
  "futures-core",
  "futures-util",
- "indexmap 2.13.0",
+ "indexmap",
  "pin-project-lite",
  "slab",
  "sync_wrapper",
@@ -4850,7 +4424,7 @@ dependencies = [
 
 [[package]]
 name = "tracevault-cli"
-version = "0.15.0"
+version = "0.16.0"
 dependencies = [
  "chrono",
  "clap",
@@ -4869,7 +4443,7 @@ dependencies = [
 
 [[package]]
 name = "tracevault-core"
-version = "0.15.0"
+version = "0.16.0"
 dependencies = [
  "async-trait",
  "chrono",
@@ -4895,27 +4469,13 @@ dependencies = [
 name = "tracevault-enterprise"
 version = "0.1.0"
 dependencies = [
- "aes-gcm",
  "async-trait",
- "base64 0.22.1",
- "chrono",
- "ed25519-dalek",
- "glob-match",
- "hex",
- "openidconnect",
- "rand 0.8.6",
- "reqwest 0.13.2",
- "serde",
- "serde_json",
- "sha2 0.11.0",
  "tracevault-core",
- "tracing",
- "uuid",
 ]
 
 [[package]]
 name = "tracevault-server"
-version = "0.15.0"
+version = "0.16.0"
 dependencies = [
  "aes-gcm",
  "argon2",
@@ -5220,7 +4780,6 @@ dependencies = [
  "idna",
  "percent-encoding",
  "serde",
- "serde_derive",
 ]
 
 [[package]]
@@ -5407,7 +4966,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "bb0e353e6a2fbdc176932bbaab493762eb1255a7900fe0fea1a2f96c296cc909"
 dependencies = [
  "anyhow",
- "indexmap 2.13.0",
+ "indexmap",
  "wasm-encoder",
  "wasmparser",
 ]
@@ -5433,7 +4992,7 @@ checksum = "47b807c72e1bac69382b3a6fb3dbe8ea4c0ed87ff5629b8685ae6b9a611028fe"
 dependencies = [
  "bitflags",
  "hashbrown 0.15.5",
- "indexmap 2.13.0",
+ "indexmap",
  "semver",
 ]
 
@@ -5949,7 +5508,7 @@ checksum = "b7c566e0f4b284dd6561c786d9cb0142da491f46a9fbed79ea69cdad5db17f21"
 dependencies = [
  "anyhow",
  "heck",
- "indexmap 2.13.0",
+ "indexmap",
  "prettyplease",
  "syn",
  "wasm-metadata",
@@ -5980,7 +5539,7 @@ checksum = "9d66ea20e9553b30172b5e831994e35fbde2d165325bec84fc43dbf6f4eb9cb2"
 dependencies = [
  "anyhow",
  "bitflags",
- "indexmap 2.13.0",
+ "indexmap",
  "log",
  "serde",
  "serde_derive",
@@ -5999,7 +5558,7 @@ checksum = "ecc8ac4bc1dc3381b7f59c34f00b67e18f910c2c0f50015669dde7def656a736"
 dependencies = [
  "anyhow",
  "id-arena",
- "indexmap 2.13.0",
+ "indexmap",
  "log",
  "semver",
  "serde",
diff --git a/Cargo.toml b/Cargo.toml
index 26cf2b93..a6cedb25 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -3,7 +3,7 @@ members = ["crates/tracevault-core", "crates/tracevault-cli", "crates/tracevault
 resolver = "2"
 
 [workspace.package]
-version = "0.15.0"
+version = "0.16.0"
 edition = "2021"
 license = "Apache-2.0"
 repository = "https://github.com/softwaremill/tracevault"
diff --git a/crates/tracevault-cli/CHANGELOG.md b/crates/tracevault-cli/CHANGELOG.md
index b371a782..a65b788c 100644
--- a/crates/tracevault-cli/CHANGELOG.md
+++ b/crates/tracevault-cli/CHANGELOG.md
@@ -7,6 +7,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.16.0](https://github.com/softwaremill/tracevault/compare/v0.15.0...v0.16.0) - 2026-05-27
+
+### Added
+
+- agent-policies — server-rendered policy instructions for agents
+
 ## [0.15.0](https://github.com/softwaremill/tracevault/compare/v0.14.0...v0.15.0) - 2026-05-22
 
 ### Changed
diff --git a/crates/tracevault-cli/Cargo.toml b/crates/tracevault-cli/Cargo.toml
index efebc803..1c7b5bfc 100644
--- a/crates/tracevault-cli/Cargo.toml
+++ b/crates/tracevault-cli/Cargo.toml
@@ -18,7 +18,7 @@ name = "tracevault"
 path = "src/main.rs"
 
 [dependencies]
-tracevault-core = { path = "../tracevault-core", version = "0.15" }
+tracevault-core = { path = "../tracevault-core", version = "0.16" }
 clap = { version = "4", features = ["derive"] }
 chrono.workspace = true
 tokio.workspace = true
diff --git a/crates/tracevault-core/CHANGELOG.md b/crates/tracevault-core/CHANGELOG.md
index ffd8a74d..ceb94762 100644
--- a/crates/tracevault-core/CHANGELOG.md
+++ b/crates/tracevault-core/CHANGELOG.md
@@ -7,6 +7,18 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.16.0](https://github.com/softwaremill/tracevault/compare/v0.15.0...v0.16.0) - 2026-05-27
+
+### Added
+
+- agent-policies — server-rendered policy instructions for agents
+
+### Changed
+
+- *(core)* rename has_window/window_* to has_validation/validation_*
+- *(core)* drop ActionTag, use PolicyAction directly
+- address review feedback on PR #200
+
 ## [0.15.0](https://github.com/softwaremill/tracevault/compare/v0.14.0...v0.15.0) - 2026-05-22
 
 ### Documentation
diff --git a/crates/tracevault-server/CHANGELOG.md b/crates/tracevault-server/CHANGELOG.md
index 94102f9f..b0444761 100644
--- a/crates/tracevault-server/CHANGELOG.md
+++ b/crates/tracevault-server/CHANGELOG.md
@@ -7,6 +7,230 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.16.0](https://github.com/softwaremill/tracevault/compare/v0.15.0...v0.16.0) - 2026-05-27
+
+### Added
+
+- agent-policies — server-rendered policy instructions for agents
+- *(branches)* add Repo column to branches view
+- *(sessions)* add tool, user, and file changes filters
+- *(ui)* multi-select filters for policy activity table
+- *(mcp)* add TraceVault MCP server and stateless chat/ask endpoint
+- *(ui)* add token and cost breakdown split to author detail stats
+- *(policies)* persist validation_window_gate evaluations to policy_evaluations
+- *(policies)* validation window for scoped policy enforcement
+- *(policies)* add must_succeed flag to tool call policies
+- *(ui)* add server-side pagination to policy evaluations table
+- *(orgs)* allow renaming org slug and match it case-insensitively
+- *(login)* replace org text input with dropdown and SSO-first UX
+- add detailed logging to chat indexing and summarization pipeline
+- auto-reindex sessions when transcript grows beyond indexed chunk count
+- accept mention overrides in chat message endpoint
+- add GET /chat/mentions endpoint for @ autocomplete
+- add chat API endpoints with conversation CRUD and RAG message handler
+- add chat query pipeline with filter extraction, two-stage retrieval, and response generation
+- add chat indexing pipeline with session completion hook and backfill
+- add chat conversations and messages repo layer
+- add session summarization service for RAG indexing
+- add transcript chunking logic with sliding windows for RAG
+- add chat summarization LLM settings endpoints
+- add fastembed wrapper service for local text embedding
+- add chat_search feature flag, ChatUse permission, and pgvector/fastembed deps
+- add migration for chat RAG tables, pgvector, and summarization config
+- enrich stories with session transcripts and clickable references
+- enrich story with session transcripts and clickable references
+- add GET /code/sessions endpoint for function sessions
+- add gather_function_sessions for code sessions endpoint
+- unify transcript display with timestamps across traces and analytics views
+- report attributed_sessions_sealed in CI verification
+- include session seal verification in chain verification
+- background sweep to seal stale sessions after 30min inactivity
+- seal sessions on SessionEnd when signing is enabled
+- seal commits on push when signing is enabled
+- add SealingService with commit and session sealing logic
+- add sealing repo layer for commit and session seals
+- migration for multi-seal sessions and verification counts
+- add sign method to SigningService
+- revamp invite flow UI, add invite acceptance page, improve error handling
+- wire invite routes, remove old invite_member endpoint
+- add invite link handlers (create, list, revoke, details, accept)
+- add generate_invite_token utility
+- add invite_expiry_minutes and cors_origin to AppState
+- add org_invites migration for invite link flow
+- add keyset pagination types and rewrite IN-subqueries
+- add hook adapter architecture with multi-tool detection
+- add SQL indexes, materialized views, and tool field migration
+- add repository layer for analytics, policies, compliance, pricing, code_stories
+- add repository layer for sessions, events, commits
+- add repository layer for users, orgs, repos, api_keys
+- add AppError type with IntoResponse and permission helper
+- add top AI tools section to author detail page and fix DataTable clickability
+- register AI tools analytics routes
+- add AI tools analytics endpoints and software summary
+- add AI tool usage tracking (migration + extraction)
+- add top authors leaderboard to dashboard
+- add author detail endpoint
+- add user_id to AuthorLeaderboard, drop unused fields
+- register software analytics routes
+- add software user detail endpoint
+- add software analytics list endpoint
+- extract software usage from Bash events at ingest
+- add user_software_usage migration
+- add manual pricing sync endpoint and sync status endpoint
+- wire startup + daily background pricing sync
+- add sync_pricing function with diff, update, and recalculation
+- add LiteLLM JSON parsing with model mapping and tests
+- add source field to PricingEntry struct and queries
+- add pricing sync migration (source column + sync log table)
+- *(stream)* extract token usage and costs from transcript chunks in real-time
+- *(api)* add traces UI endpoints (sessions, commits, timeline, attribution, branches) and remove old traces module
+- *(branch-tracking)* track commits reaching branches and tags via webhooks
+- *(attribution)* add line-level attribution engine with confidence scoring
+- *(api)* add streaming event endpoint
+- *(api)* add commit push endpoint with file-level attribution
+- *(schema)* add streaming architecture tables
+- *(pricing)* add pricing CRUD and recalculate API endpoints
+- *(dashboard)* add handler and register GET /dashboard route
+- *(dashboard)* add compliance query
+- *(dashboard)* add KPI aggregation and sparkline queries
+- *(dashboard)* add types, response struct, and period range helper
+- register session detail API route
+- add session detail transcript parser with per-call breakdown
+- add model_pricing table with seed data
+
+### Changed
+
+- extract row mapper helper and copy-label derived
+- address review feedback on PR #200
+- eliminate WHERE clause duplication and fix repo detail commit pagination
+- extract all inline SQL in traces_ui submodules to sql/ files
+- split traces_ui.rs into focused submodules
+- *(server)* extract author detail stats query to sql file
+- *(policies)* replace magic-name check with is_synthetic flag on policy_evaluations
+- *(policies)* extract inline SQL queries to sql/ files
+- *(policies)* address nit comments
+- address review comments
+- *(server)* extract count_evaluations SQL to .sql file
+- *(policy)* honest action set, shared evaluator, exact tool matching, RBAC
+- simplify backfill to rely solely on chunk count comparison
+- extract SessionSearchFilter struct to fix clippy too_many_arguments
+- make resolve_org_llm public for chat module reuse
+- replace regex session linkification with structured Linked Sessions section
+- extract collect_file_commit_shas helper from story context
+- make is_valid_email public for reuse in invite handler
+- migrate all handlers to AppError and repo/service layers
+- strip non-software data from software user detail endpoint
+- slim get_software to org-wide tools only
+- remove git-ai, compute attribution server-side from sessions
+- clean up v2 references in comments, remove dead code and legacy script
+- extract seal fields into commit_seals table in compliance and CI
+- extract seal fields into session_seals in dashboard compliance query
+- rename sessions_v2/commits_v2 in analytics
+- rename sessions_v2/commits_v2 in remaining files
+- rename sessions_v2/commits_v2 in traces_ui
+- rename sessions_v2/commits_v2 in stream and commit_push endpoints
+- consolidate migrations, remove v2 suffixes from schema
+- use real session model names for pricing instead of canonical names
+- extract shared recalculate_sessions_for_pricing function
+- migrate all queries from old sessions table to sessions_v2
+- remove old traces.rs and legacy endpoints entirely
+- pricing module to support DB-backed rates with fallback
+
+### Documentation
+
+- rename product TraceVault → Visdom Trace across all documentation
+
+### Fixed
+
+- update stale comment about 'both' scope after removal
+- *(policies)* remove 'both' scope, rename 'Window' to 'Validation'
+- *(tokens)* store raw input_tokens, compute fresh only for pricing
+- prevent memberless ghost orgs in login dropdown
+- *(sso)* update comments to reflect owner-or-admin access
+- *(sso)* allow admin role to manage SSO configuration
+- *(ui)* add token breakdown to session detail page
+- *(ui)* show actual total tokens + breakdown in sessions views
+- address review agent findings in traces_ui
+- *(pagination)* convert sessions and commits to server-side pagination
+- *(mcp)* address review comments
+- address review comments and failing permission count tests
+- *(permissions)* grant ChatUse permission to owner, admin, developer roles
+- *(tests)* update insert_evaluation calls for Option<Uuid> + is_synthetic params
+- *(tests)* supply required tool field in window stats test sessions
+- *(policies)* include skip in worst-result severity ordering
+- *(policies)* address self-review findings
+- *(policies)* address review comments
+- *(ci)* fix rustfmt indentation in repo_policies_test
+- *(auth)* move device status poll off strict rate limiter and handle 429 in CLI
+- *(tests)* add missing tool_is_error field to InsertToolEvent in server tests
+- *(server)* fix rustfmt indentation in count_evaluations
+- *(security)* autofix Path traversal attack possible
+- *(auth)* disable public registration once first user exists
+- *(server)* remove unused Arc import that breaks enterprise build
+- *(invites)* route existing accounts to login on invite accept
+- *(chat)* dedupe referenced commits across matched sessions
+- resolve clippy warnings in chat_indexing and story
+- *(chat-indexing)* cap embedding batch size to prevent OOM
+- replace nightly floor_char_boundary with stable helper
+- use div_ceil instead of manual reimplementation
+- exclude sessions without transcripts from indexing status and add backfill diagnostics
+- segment large transcripts for summarization and fix byte-boundary panic
+- use floor_char_boundary for string truncation to avoid panics on multi-byte chars
+- index all sessions regardless of status in chat backfill
+- grant admin role to API key auth instead of developer
+- chat UX improvements and bug fixes
+- make pgvector migration conditional for community installs without the extension
+- fallback to file_path query when git SHAs miss DB sessions
+- query sessions by file_path instead of git-walking
+- unify password minimum length to 10 characters
+- force-fetch refspecs and normalize deploy key PEM newline
+- add sealed_at to session hash, fix chain race condition with advisory lock
+- compute avg session duration from timestamps when duration_ms is missing
+- remove needless borrows in encryption tests (clippy)
+- resolve CI failures — add dead_code allows and avoid CodeQL hard-coded password flag
+- use DB pricing rates during ingestion instead of hardcoded fallbacks
+- prevent duplicate token/cost accumulation from overlapping transcript batches
+- apply repo/author filters to AI summary and filter empty sessions
+- apply repo/author filters to software analytics query
+- cast SUM(total_tokens) to BIGINT in software user detail query
+- resolve TypeScript narrowing errors in software pages
+- use git CLI for clone/fetch to support all SSH key formats
+- update migration 008 to use renamed sessions table
+- populate tool frequency data in session analytics
+- compute duration and messages from fallback sources in analytics sessions
+- resolve clippy warning in startup sync
+- auto-sync repos on startup, improve attribution blame and error UX
+- fix attribution confidence scoring and deduplicate file changes
+- *(api)* restore legacy POST /traces endpoint for backward compatibility with old CLI
+- *(api)* add committed_at to GROUP BY for linked commits query
+- *(ui)* fix navigation responsiveness, transcript rendering, file change display, linked commits dedup, and branch tracking from commit-push
+- *(stream)* process piggybacked transcript lines on all event types, not just Transcript
+- *(dashboard)* cast SUM() results to int8 for sqlx type compatibility
+- *(dashboard)* fill sparkline date gaps and parallelize queries
+- never drop transcript records when message field is missing
+- remove audit log from login to avoid nil org_id FK violation
+- fix display github hashes for real commits
+- fix warnings
+- fix cargo clippy
+
+### Security
+
+- implement NIST 800-63B password policy with breached password check
+- add email format validation on registration
+- add per-IP rate limiting on public and auth endpoints
+- add HMAC-SHA256 verification for GitHub webhook signatures
+- require CORS_ORIGIN env var, remove permissive fallback
+- sanitize Sqlx and Git error responses to prevent info leakage
+
+### Test
+
+- add coverage before dep upgrades (rand, reqwest, tower_governor)
+- add integration tests for invite link flow
+- add Tier 2 repo layer integration tests (api_keys, commits, policies, pricing, repos)
+- add API layer unit tests (policies, dashboard, pagination)
+- add server unit tests (auth, encryption, error, permissions, signing, pricing, config, attribution, stream)
+- add repository layer integration tests
+
 ## [0.15.0](https://github.com/softwaremill/tracevault/compare/v0.14.0...v0.15.0) - 2026-05-22
 
 ### Added
diff --git a/crates/tracevault-server/Cargo.toml b/crates/tracevault-server/Cargo.toml
index df1ba558..d2ead617 100644
--- a/crates/tracevault-server/Cargo.toml
+++ b/crates/tracevault-server/Cargo.toml
@@ -10,7 +10,7 @@ keywords = ["tracing", "attribution", "ai", "server"]
 categories = ["web-programming", "development-tools"]
 
 [dependencies]
-tracevault-core = { path = "../tracevault-core", version = "0.15" }
+tracevault-core = { path = "../tracevault-core", version = "0.16" }
 axum = { version = "0.8", features = ["macros"] }
 tokio.workspace = true
 serde.workspace = true