diff --git a/apps/api/package.json b/apps/api/package.json
index 75fead8ab..48a9de0b2 100644
--- a/apps/api/package.json
+++ b/apps/api/package.json
@@ -4,8 +4,6 @@
   "version": "0.0.1",
   "author": "",
   "dependencies": {
-    "@prisma/client": "^6.13.0",
-    "prisma": "^6.13.0",
     "@aws-sdk/client-s3": "^3.859.0",
     "@aws-sdk/s3-request-presigner": "^3.859.0",
     "@nestjs/common": "^11.0.1",
@@ -13,13 +11,16 @@
     "@nestjs/core": "^11.0.1",
     "@nestjs/platform-express": "^11.1.5",
     "@nestjs/swagger": "^11.2.0",
-    "@trycompai/db": "^1.3.7",
+    "@prisma/client": "^6.13.0",
+    "@trycompai/db": "^1.3.17",
     "archiver": "^7.0.1",
     "axios": "^1.12.2",
     "better-auth": "^1.3.27",
     "class-transformer": "^0.5.1",
     "class-validator": "^0.14.2",
+    "dotenv": "^17.2.3",
     "jose": "^6.0.12",
+    "prisma": "^6.13.0",
     "reflect-metadata": "^0.2.2",
     "rxjs": "^7.8.1",
     "swagger-ui-express": "^5.0.1",
diff --git a/apps/api/src/app.module.ts b/apps/api/src/app.module.ts
index 35b97a098..22e1f6794 100644
--- a/apps/api/src/app.module.ts
+++ b/apps/api/src/app.module.ts
@@ -9,6 +9,7 @@ import { PeopleModule } from './people/people.module';
 import { DevicesModule } from './devices/devices.module';
 import { DeviceAgentModule } from './device-agent/device-agent.module';
 import { awsConfig } from './config/aws.config';
+import { betterAuthConfig } from './config/better-auth.config';
 import { HealthModule } from './health/health.module';
 import { OrganizationModule } from './organization/organization.module';
 import { PoliciesModule } from './policies/policies.module';
@@ -23,7 +24,8 @@ import { TaskTemplateModule } from './framework-editor/task-template/task-templa
   imports: [
     ConfigModule.forRoot({
       isGlobal: true,
-      load: [awsConfig],
+      // .env file is loaded manually in main.ts before NestJS starts
+      load: [awsConfig, betterAuthConfig],
       validationOptions: {
         allowUnknown: true,
         abortEarly: true,
diff --git a/apps/api/src/auth/hybrid-auth.guard.ts b/apps/api/src/auth/hybrid-auth.guard.ts
index ea2bde011..0e027e873 100644
--- a/apps/api/src/auth/hybrid-auth.guard.ts
+++ b/apps/api/src/auth/hybrid-auth.guard.ts
@@ -4,14 +4,32 @@ import {
   Injectable,
   UnauthorizedException,
 } from '@nestjs/common';
+import { ConfigService } from '@nestjs/config';
 import { db } from '@trycompai/db';
 import { createRemoteJWKSet, jwtVerify } from 'jose';
 import { ApiKeyService } from './api-key.service';
+import type { BetterAuthConfig } from '../config/better-auth.config';
 import { AuthenticatedRequest } from './types';
 
 @Injectable()
 export class HybridAuthGuard implements CanActivate {
-  constructor(private readonly apiKeyService: ApiKeyService) {}
+  private readonly betterAuthUrl: string;
+
+  constructor(
+    private readonly apiKeyService: ApiKeyService,
+    private readonly configService: ConfigService,
+  ) {
+    const betterAuthConfig =
+      this.configService.get<BetterAuthConfig>('betterAuth');
+    this.betterAuthUrl =
+      betterAuthConfig?.url || process.env.BETTER_AUTH_URL || '';
+
+    if (!this.betterAuthUrl) {
+      console.warn(
+        '[HybridAuthGuard] BETTER_AUTH_URL not configured. JWT authentication will fail.',
+      );
+    }
+  }
 
   async canActivate(context: ExecutionContext): Promise<boolean> {
     const request = context.switchToHttp().getRequest<AuthenticatedRequest>();
@@ -61,20 +79,71 @@ export class HybridAuthGuard implements CanActivate {
     authHeader: string,
   ): Promise<boolean> {
     try {
+      // Validate BETTER_AUTH_URL is configured
+      if (!this.betterAuthUrl) {
+        console.error(
+          '[HybridAuthGuard] BETTER_AUTH_URL environment variable is not set',
+        );
+        throw new UnauthorizedException(
+          'Authentication configuration error: BETTER_AUTH_URL not configured',
+        );
+      }
+
       // Extract token from "Bearer <token>"
       const token = authHeader.substring(7);
 
-      // Create JWKS for token verification using Better Auth endpoint
-      const JWKS = createRemoteJWKSet(
-        new URL(`${process.env.BETTER_AUTH_URL}/api/auth/jwks`),
-      );
+      const jwksUrl = `${this.betterAuthUrl}/api/auth/jwks`;
 
-      // Verify JWT token
-      const { payload } = await jwtVerify(token, JWKS, {
-        issuer: process.env.BETTER_AUTH_URL,
-        audience: process.env.BETTER_AUTH_URL,
+      // Create JWKS for token verification using Better Auth endpoint
+      // Use shorter cache time to handle key rotation better
+      const JWKS = createRemoteJWKSet(new URL(jwksUrl), {
+        cacheMaxAge: 60000, // 1 minute cache (default is 5 minutes)
+        cooldownDuration: 10000, // 10 seconds cooldown before refetching
       });
 
+      // Verify JWT token with automatic retry on key mismatch
+      let payload;
+      try {
+        payload = (
+          await jwtVerify(token, JWKS, {
+            issuer: this.betterAuthUrl,
+            audience: this.betterAuthUrl,
+          })
+        ).payload;
+      } catch (verifyError: any) {
+        // If we get a key mismatch error, retry with a fresh JWKS fetch
+        if (
+          verifyError.code === 'ERR_JWKS_NO_MATCHING_KEY' ||
+          verifyError.message?.includes('no applicable key found') ||
+          verifyError.message?.includes('JWKSNoMatchingKey')
+        ) {
+          console.log(
+            '[HybridAuthGuard] Key mismatch detected, fetching fresh JWKS and retrying...',
+          );
+
+          // Create a fresh JWKS instance with no cache to force immediate fetch
+          const freshJWKS = createRemoteJWKSet(new URL(jwksUrl), {
+            cacheMaxAge: 0, // No cache - force fresh fetch
+            cooldownDuration: 0, // No cooldown - allow immediate retry
+          });
+
+          // Retry verification with fresh keys
+          payload = (
+            await jwtVerify(token, freshJWKS, {
+              issuer: this.betterAuthUrl,
+              audience: this.betterAuthUrl,
+            })
+          ).payload;
+
+          console.log(
+            '[HybridAuthGuard] Successfully verified token with fresh JWKS',
+          );
+        } else {
+          // Re-throw if it's not a key mismatch error
+          throw verifyError;
+        }
+      }
+
       // Extract user information from JWT payload (user data is directly in payload for Better Auth JWT)
       const userId = payload.id as string;
       const userEmail = payload.email as string;
@@ -112,6 +181,41 @@ export class HybridAuthGuard implements CanActivate {
       return true;
     } catch (error) {
       console.error('JWT verification failed:', error);
+
+      // Provide more helpful error messages
+      if (error instanceof Error) {
+        // Connection errors
+        if (
+          error.message.includes('ECONNREFUSED') ||
+          error.message.includes('fetch failed')
+        ) {
+          console.error(
+            `[HybridAuthGuard] Cannot connect to Better Auth JWKS endpoint at ${this.betterAuthUrl}/api/auth/jwks`,
+          );
+          console.error(
+            '[HybridAuthGuard] Make sure BETTER_AUTH_URL is set correctly and the Better Auth server is running',
+          );
+          throw new UnauthorizedException(
+            `Cannot connect to authentication service. Please check BETTER_AUTH_URL configuration.`,
+          );
+        }
+
+        // Key mismatch errors should have been handled by retry logic above
+        // If we still get one here, it means the retry also failed (token truly invalid)
+        if (
+          (error as any).code === 'ERR_JWKS_NO_MATCHING_KEY' ||
+          error.message.includes('no applicable key found') ||
+          error.message.includes('JWKSNoMatchingKey')
+        ) {
+          console.error(
+            '[HybridAuthGuard] Token key not found even after fetching fresh JWKS. Token may be from a different environment or truly invalid.',
+          );
+          throw new UnauthorizedException(
+            'Authentication token is invalid. Please log out and log back in to refresh your session.',
+          );
+        }
+      }
+
       throw new UnauthorizedException('Invalid or expired JWT token');
     }
   }
diff --git a/apps/api/src/config/better-auth.config.ts b/apps/api/src/config/better-auth.config.ts
new file mode 100644
index 000000000..1df4de48a
--- /dev/null
+++ b/apps/api/src/config/better-auth.config.ts
@@ -0,0 +1,34 @@
+import { registerAs } from '@nestjs/config';
+import { z } from 'zod';
+
+const betterAuthConfigSchema = z.object({
+  url: z.string().url('BETTER_AUTH_URL must be a valid URL'),
+});
+
+export type BetterAuthConfig = z.infer<typeof betterAuthConfigSchema>;
+
+export const betterAuthConfig = registerAs(
+  'betterAuth',
+  (): BetterAuthConfig => {
+    const url = process.env.BETTER_AUTH_URL;
+
+    if (!url) {
+      throw new Error('BETTER_AUTH_URL environment variable is required');
+    }
+
+    const config = { url };
+
+    // Validate configuration at startup
+    const result = betterAuthConfigSchema.safeParse(config);
+
+    if (!result.success) {
+      throw new Error(
+        `Better Auth configuration validation failed: ${result.error.issues
+          .map((e) => `${e.path.join('.')}: ${e.message}`)
+          .join(', ')}`,
+      );
+    }
+
+    return result.data;
+  },
+);
diff --git a/apps/api/src/main.ts b/apps/api/src/main.ts
index 06001fcde..44e218727 100644
--- a/apps/api/src/main.ts
+++ b/apps/api/src/main.ts
@@ -4,9 +4,24 @@ import { NestFactory } from '@nestjs/core';
 import type { OpenAPIObject } from '@nestjs/swagger';
 import { DocumentBuilder, SwaggerModule } from '@nestjs/swagger';
 import * as express from 'express';
+import { config } from 'dotenv';
+import path from 'path';
 import { AppModule } from './app.module';
 import { existsSync, mkdirSync, writeFileSync } from 'fs';
-import path from 'path';
+
+// Load .env file from apps/api directory before anything else
+// This ensures .env values override any shell environment variables
+// __dirname in compiled code is dist/src, so go up two levels to apps/api
+const envPath = path.join(__dirname, '..', '..', '.env');
+if (existsSync(envPath)) {
+  config({ path: envPath, override: true });
+} else {
+  // Fallback: try current working directory (when run from apps/api)
+  const cwdEnvPath = path.join(process.cwd(), '.env');
+  if (existsSync(cwdEnvPath)) {
+    config({ path: cwdEnvPath, override: true });
+  }
+}
 
 async function bootstrap(): Promise<void> {
   const app: INestApplication = await NestFactory.create(AppModule);
diff --git a/apps/app/package.json b/apps/app/package.json
index 63a720e59..4fa4694a8 100644
--- a/apps/app/package.json
+++ b/apps/app/package.json
@@ -4,7 +4,7 @@
   "dependencies": {
     "@ai-sdk/anthropic": "^2.0.0",
     "@ai-sdk/groq": "^2.0.0",
-    "@ai-sdk/openai": "^2.0.0",
+    "@ai-sdk/openai": "^2.0.65",
     "@ai-sdk/provider": "^2.0.0",
     "@ai-sdk/react": "^2.0.60",
     "@ai-sdk/rsc": "^1.0.0",
@@ -51,7 +51,7 @@
     "@tiptap/extension-table-row": "^3.4.4",
     "@trigger.dev/react-hooks": "4.0.6",
     "@trigger.dev/sdk": "4.0.6",
-    "@trycompai/db": "^1.3.7",
+    "@trycompai/db": "^1.3.17",
     "@trycompai/email": "workspace:*",
     "@types/canvas-confetti": "^1.9.0",
     "@types/react-syntax-highlighter": "^15.5.13",
diff --git a/apps/app/src/actions/organization/invite-member.ts b/apps/app/src/actions/organization/invite-member.ts
index 6ffe84644..ea826671d 100644
--- a/apps/app/src/actions/organization/invite-member.ts
+++ b/apps/app/src/actions/organization/invite-member.ts
@@ -8,7 +8,7 @@ import type { ActionResponse } from '../types';
 
 const inviteMemberSchema = z.object({
   email: z.string().email(),
-  role: z.enum(['owner', 'admin', 'auditor', 'employee']),
+  role: z.enum(['owner', 'admin', 'auditor', 'employee', 'contractor']),
 });
 
 export const inviteMember = authActionClient
diff --git a/apps/app/src/actions/policies/publish-all.ts b/apps/app/src/actions/policies/publish-all.ts
index 4aa24a9e5..8ce0cdf79 100644
--- a/apps/app/src/actions/policies/publish-all.ts
+++ b/apps/app/src/actions/policies/publish-all.ts
@@ -104,9 +104,10 @@ export const publishAllPoliciesAction = authActionClient
         where: {
           organizationId: parsedInput.organizationId,
           isActive: true,
-          role: {
-            contains: Role.employee,
-          },
+          OR: [
+            { role: { contains: Role.employee } },
+            { role: { contains: Role.contractor } },
+          ],
         },
         include: {
           user: {
diff --git a/apps/app/src/app/(app)/[orgId]/people/all/components/MemberRow.tsx b/apps/app/src/app/(app)/[orgId]/people/all/components/MemberRow.tsx
index 62882a69b..cfc421958 100644
--- a/apps/app/src/app/(app)/[orgId]/people/all/components/MemberRow.tsx
+++ b/apps/app/src/app/(app)/[orgId]/people/all/components/MemberRow.tsx
@@ -93,6 +93,7 @@ export function MemberRow({ member, onRemove, onUpdateRole, canEdit }: MemberRow
   const canRemove = !isOwner;
 
   const isEmployee = currentRoles.includes('employee');
+  const isContractor = currentRoles.includes('contractor');
 
   const handleDialogItemSelect = () => {
     focusRef.current = dropdownTriggerRef.current;
@@ -142,7 +143,7 @@ export function MemberRow({ member, onRemove, onUpdateRole, canEdit }: MemberRow
           <div className="min-w-0 flex-1 gap-2">
             <div className="flex items-center flex-wrap gap-1.5">
               <span className="truncate text-sm font-medium">{memberName}</span>
-              {isEmployee && (
+              {(isEmployee || isContractor) && (
                 <Link
                   href={`/${orgId}/people/${memberId}`}
                   className="text-xs text-blue-600 hover:underline flex-shrink-0"
diff --git a/apps/app/src/app/(app)/[orgId]/people/all/components/MultiRoleCombobox.tsx b/apps/app/src/app/(app)/[orgId]/people/all/components/MultiRoleCombobox.tsx
index 40ef17b4e..694bfef7f 100644
--- a/apps/app/src/app/(app)/[orgId]/people/all/components/MultiRoleCombobox.tsx
+++ b/apps/app/src/app/(app)/[orgId]/people/all/components/MultiRoleCombobox.tsx
@@ -111,22 +111,7 @@ export function MultiRoleCombobox({
     selectedRoles.length > 0 ? `${selectedRoles.length} selected` : placeholder || 'Select role(s)';
 
   const filteredRoles = availableRoles.filter((role) => {
-    const label = (() => {
-      switch (role.value) {
-        case 'admin':
-          return 'Admin';
-        case 'auditor':
-          return 'Auditor';
-        case 'employee':
-          return 'Employee';
-        case 'contractor':
-          return 'Contractor';
-        case 'owner':
-          return 'Owner';
-        default:
-          return role.value;
-      }
-    })();
+    const label = getRoleLabel(role.value);
     return label.toLowerCase().includes(searchTerm.toLowerCase());
   });
 
diff --git a/apps/app/src/app/(app)/[orgId]/people/devices/components/HostDetails.tsx b/apps/app/src/app/(app)/[orgId]/people/devices/components/HostDetails.tsx
index d5fcfca59..d1786cbdf 100644
--- a/apps/app/src/app/(app)/[orgId]/people/devices/components/HostDetails.tsx
+++ b/apps/app/src/app/(app)/[orgId]/people/devices/components/HostDetails.tsx
@@ -2,9 +2,22 @@ import { Button } from '@comp/ui/button';
 import { Card, CardContent, CardHeader, CardTitle } from '@comp/ui/card';
 import { cn } from '@comp/ui/cn';
 import { ArrowLeft, CheckCircle2, XCircle } from 'lucide-react';
+import { useMemo } from 'react';
 import type { Host } from '../types';
 
 export const HostDetails = ({ host, onClose }: { host: Host; onClose: () => void }) => {
+  const isMacOS = useMemo(() => {
+    return host.cpu_type && (host.cpu_type.includes('arm64') || host.cpu_type.includes('intel'));
+  }, [host]);
+
+  const mdmEnabledStatus = useMemo(() => {
+    return {
+      id: 'mdm',
+      response: host?.mdm.connected_to_fleet ? 'pass' : 'fail',
+      name: 'MDM Enabled',
+    };
+  }, [host]);
+
   return (
     <div className="space-y-4">
       <Button variant="outline" className="w-min" onClick={onClose}>
@@ -17,28 +30,52 @@ export const HostDetails = ({ host, onClose }: { host: Host; onClose: () => void
         </CardHeader>
         <CardContent className="space-y-3">
           {host.policies.length > 0 ? (
-            host.policies.map((policy) => (
-              <div
-                key={policy.id}
-                className={cn(
-                  'hover:bg-muted/50 flex items-center justify-between rounded-md border border-l-4 p-3 shadow-sm transition-colors',
-                  policy.response === 'pass' ? 'border-l-primary' : 'border-l-red-500',
-                )}
-              >
-                <p className="font-medium">{policy.name}</p>
-                {policy.response === 'pass' ? (
-                  <div className="flex items-center gap-1 text-primary">
-                    <CheckCircle2 size={16} />
-                    <span>Pass</span>
-                  </div>
-                ) : (
-                  <div className="flex items-center gap-1 text-red-600">
-                    <XCircle size={16} />
-                    <span>Fail</span>
-                  </div>
-                )}
-              </div>
-            ))
+            <>
+              {host.policies.map((policy) => (
+                <div
+                  key={policy.id}
+                  className={cn(
+                    'hover:bg-muted/50 flex items-center justify-between rounded-md border border-l-4 p-3 shadow-sm transition-colors',
+                    policy.response === 'pass' ? 'border-l-primary' : 'border-l-red-500',
+                  )}
+                >
+                  <p className="font-medium">{policy.name}</p>
+                  {policy.response === 'pass' ? (
+                    <div className="flex items-center gap-1 text-primary">
+                      <CheckCircle2 size={16} />
+                      <span>Pass</span>
+                    </div>
+                  ) : (
+                    <div className="flex items-center gap-1 text-red-600">
+                      <XCircle size={16} />
+                      <span>Fail</span>
+                    </div>
+                  )}
+                </div>
+              ))}
+              {isMacOS && (
+                <div
+                  key={mdmEnabledStatus.id}
+                  className={cn(
+                    'hover:bg-muted/50 flex items-center justify-between rounded-md border border-l-4 p-3 shadow-sm transition-colors',
+                    mdmEnabledStatus.response === 'pass' ? 'border-l-primary' : 'border-l-red-500',
+                  )}
+                >
+                  <p className="font-medium">{mdmEnabledStatus.name}</p>
+                  {mdmEnabledStatus.response === 'pass' ? (
+                    <div className="flex items-center gap-1 text-primary">
+                      <CheckCircle2 size={16} />
+                      <span>Pass</span>
+                    </div>
+                  ) : (
+                    <div className="flex items-center gap-1 text-red-600">
+                      <XCircle size={16} />
+                      <span>Fail</span>
+                    </div>
+                  )}
+                </div>
+              )}
+            </>
           ) : (
             <p className="text-muted-foreground">No policies found for this device.</p>
           )}
diff --git a/apps/app/src/app/(app)/[orgId]/people/devices/types/index.ts b/apps/app/src/app/(app)/[orgId]/people/devices/types/index.ts
index 4a8541205..8c8f8f3a3 100644
--- a/apps/app/src/app/(app)/[orgId]/people/devices/types/index.ts
+++ b/apps/app/src/app/(app)/[orgId]/people/devices/types/index.ts
@@ -66,7 +66,7 @@ export interface Host {
   gigs_total_disk_space: number;
   disk_encryption_enabled: boolean;
   issues: object;
-  mdm: object;
+  mdm: MDM;
   refetch_critical_queries_until: string | null;
   last_restarted_at: string;
   policies: FleetPolicy[];
@@ -80,3 +80,12 @@ export interface Host {
   display_text: string;
   display_name: string;
 }
+
+export type MDM = {
+  connected_to_fleet: boolean;
+  dep_profile_error: boolean;
+  encryption_key_available: boolean;
+  enrollment_status: string;
+  name?: string;
+  server_url?: string;
+};
diff --git a/apps/app/src/app/(app)/[orgId]/policies/[policyId]/data/index.ts b/apps/app/src/app/(app)/[orgId]/policies/[policyId]/data/index.ts
index ebbf58b83..314c0cb43 100644
--- a/apps/app/src/app/(app)/[orgId]/policies/[policyId]/data/index.ts
+++ b/apps/app/src/app/(app)/[orgId]/policies/[policyId]/data/index.ts
@@ -135,7 +135,7 @@ export const getAssignees = async () => {
     where: {
       organizationId,
       role: {
-        notIn: ['employee'],
+        notIn: ['employee', 'contractor'],
       },
     },
     include: {
diff --git a/apps/app/src/app/(app)/[orgId]/risk/(overview)/page.tsx b/apps/app/src/app/(app)/[orgId]/risk/(overview)/page.tsx
index 87115bbce..fd0f15dec 100644
--- a/apps/app/src/app/(app)/[orgId]/risk/(overview)/page.tsx
+++ b/apps/app/src/app/(app)/[orgId]/risk/(overview)/page.tsx
@@ -108,7 +108,7 @@ const getAssignees = cache(async () => {
       organizationId: session.session.activeOrganizationId,
       isActive: true,
       role: {
-        notIn: ['employee'],
+        notIn: ['employee', 'contractor'],
       },
     },
     include: {
diff --git a/apps/app/src/app/(app)/[orgId]/risk/[riskId]/page.tsx b/apps/app/src/app/(app)/[orgId]/risk/[riskId]/page.tsx
index 1c860f8a0..7ad8e795e 100644
--- a/apps/app/src/app/(app)/[orgId]/risk/[riskId]/page.tsx
+++ b/apps/app/src/app/(app)/[orgId]/risk/[riskId]/page.tsx
@@ -89,7 +89,7 @@ const getAssignees = cache(async () => {
     where: {
       organizationId: session.session.activeOrganizationId,
       role: {
-        notIn: ['employee'],
+        notIn: ['employee', 'contractor'],
       },
     },
     include: {
diff --git a/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/automation/[automationId]/actions/generate-suggestions.ts b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/automation/[automationId]/actions/generate-suggestions.ts
new file mode 100644
index 000000000..69d14425a
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/automation/[automationId]/actions/generate-suggestions.ts
@@ -0,0 +1,100 @@
+'use server';
+
+import { openai } from '@ai-sdk/openai';
+import { db } from '@db';
+import { generateObject } from 'ai';
+import { performance } from 'perf_hooks';
+import { z } from 'zod';
+import {
+  AUTOMATION_SUGGESTIONS_SYSTEM_PROMPT,
+  getAutomationSuggestionsPrompt,
+} from './prompts/automation-suggestions';
+
+const SuggestionsSchema = z.object({
+  suggestions: z.array(
+    z.object({
+      title: z.string(),
+      prompt: z.string(),
+      vendorName: z.string().optional(),
+      vendorWebsite: z.string().optional(),
+    }),
+  ),
+});
+
+export async function generateAutomationSuggestions(
+  taskDescription: string,
+  organizationId: string,
+): Promise<{ title: string; prompt: string; vendorName?: string; vendorWebsite?: string }[]> {
+  const startTime = performance.now();
+  console.log('[generateAutomationSuggestions] Starting suggestion generation...');
+
+  // Get vendors from the Vendor table
+  const vendorsStartTime = performance.now();
+  const vendors = await db.vendor.findMany({
+    where: {
+      organizationId,
+    },
+    select: {
+      name: true,
+      website: true,
+      description: true,
+    },
+  });
+  const vendorsTime = performance.now() - vendorsStartTime;
+  console.log(
+    `[generateAutomationSuggestions] Fetched ${vendors.length} vendors in ${vendorsTime.toFixed(2)}ms`,
+  );
+
+  // Get vendors from context table as well
+  const contextStartTime = performance.now();
+  const contextEntries = await db.context.findMany({
+    where: {
+      organizationId,
+    },
+    select: {
+      question: true,
+      answer: true,
+    },
+  });
+  const contextTime = performance.now() - contextStartTime;
+  console.log(
+    `[generateAutomationSuggestions] Fetched ${contextEntries.length} context entries in ${contextTime.toFixed(2)}ms`,
+  );
+
+  const vendorList =
+    vendors.length > 0
+      ? vendors.map((v) => `${v.name}${v.website ? ` (${v.website})` : ''}`).join(', ')
+      : 'No vendors configured yet';
+
+  const contextInfo =
+    contextEntries.length > 0
+      ? contextEntries.map((c) => `Q: ${c.question}\nA: ${c.answer}`).join('\n\n')
+      : 'No additional context available';
+
+  const promptLength = getAutomationSuggestionsPrompt(
+    taskDescription,
+    vendorList,
+    contextInfo,
+  ).length;
+  console.log(`[generateAutomationSuggestions] Prompt length: ${promptLength} characters`);
+
+  // Generate AI suggestions
+  const aiStartTime = performance.now();
+  const { object, usage } = await generateObject({
+    model: openai('gpt-4.1-mini'), // Testing gpt-5-nano for suggestions
+    schema: SuggestionsSchema,
+    system: AUTOMATION_SUGGESTIONS_SYSTEM_PROMPT,
+    prompt: getAutomationSuggestionsPrompt(taskDescription, vendorList, contextInfo),
+  });
+  const aiTime = performance.now() - aiStartTime;
+  console.log(
+    `[generateAutomationSuggestions] AI generation completed in ${aiTime.toFixed(2)}ms (total tokens: ${usage?.totalTokens || 'unknown'})`,
+  );
+
+  const totalTime = performance.now() - startTime;
+  console.log(
+    `[generateAutomationSuggestions] Total time: ${totalTime.toFixed(2)}ms (vendors: ${vendorsTime.toFixed(2)}ms, context: ${contextTime.toFixed(2)}ms, AI: ${aiTime.toFixed(2)}ms)`,
+  );
+
+  return object.suggestions;
+}
diff --git a/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/automation/[automationId]/actions/prompts/automation-suggestions.ts b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/automation/[automationId]/actions/prompts/automation-suggestions.ts
new file mode 100644
index 000000000..f49dd1ce0
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/automation/[automationId]/actions/prompts/automation-suggestions.ts
@@ -0,0 +1,98 @@
+export function getAutomationSuggestionsPrompt(
+  taskDescription: string,
+  vendorList: string,
+  contextInfo: string,
+): string {
+  return `TASK DESCRIPTION (THIS IS THE PRIMARY FOCUS):
+${taskDescription}
+
+Configured Vendors: ${vendorList}
+
+Organization Context:
+${contextInfo}
+
+CRITICAL REQUIREMENTS:
+1. **ANALYZE THE TASK TOPIC FIRST**: Before generating suggestions, identify the SPECIFIC topic/domain the task is about (e.g., TLS/HTTPS, secure code, data encryption at rest, access controls, etc.)
+2. Generate 5-6 automation suggestions that are DIRECTLY relevant to the EXACT topic mentioned in the task description
+3. Every suggestion MUST match the specific topic - do NOT suggest related but different concepts
+   - Example: If task is about TLS/HTTPS (encryption in transit), do NOT suggest disk encryption (encryption at rest)
+   - Example: If task is about secure code practices, do NOT suggest network security configurations
+4. Do NOT generate generic suggestions - they must relate to the SPECIFIC topic in the task description
+5. Only suggest automations for vendors in the "Configured Vendors" list above
+6. **VENDOR DIVERSITY**: Avoid suggesting multiple examples from the same vendor. Only include multiple suggestions from the same vendor if there are very few vendors available (3 or fewer). Otherwise, prioritize diversity across different vendors.
+7. Use plain, simple English and keep prompts short and conversational
+8. **NEVER suggest screenshots or manual evidence collection** - all suggestions must be API integrations that programmatically pull data
+9. All suggestions must involve connecting to a vendor's API/integration to fetch data automatically
+
+The suggestions should help collect evidence that directly relates to verifying compliance with the SPECIFIC topic and requirements mentioned in the task description. Each suggestion must be an API integration that pulls data programmatically and must match the exact topic domain.`;
+}
+
+export const AUTOMATION_SUGGESTIONS_SYSTEM_PROMPT = `You are an expert at creating automation suggestions for compliance evidence collection.
+
+IMPORTANT CONTEXT:
+- The automation agent can ONLY read and fetch data from APIs (no write/modify operations)
+- The agent will write an integration with any API to pull necessary evidence to verify compliance
+- These are read-only evidence collection automations that check compliance status
+- Automations connect to vendor APIs/integrations to programmatically fetch data - NO screenshots or manual collection
+
+CRITICAL RULES - READ CAREFULLY:
+1. **IDENTIFY THE EXACT TOPIC FIRST**: Before generating any suggestions, analyze the task description to identify the SPECIFIC topic/domain it's about (e.g., TLS/HTTPS, secure code practices, disk encryption, access controls, etc.). Do NOT conflate related but different concepts.
+2. **TOPIC-SPECIFIC RELEVANCE**: Every suggestion MUST match the EXACT topic mentioned in the task. Do NOT suggest concepts that are related but different:
+   - If task is about TLS/HTTPS (encryption in transit) → suggest HTTPS/TLS configurations, NOT disk encryption (encryption at rest)
+   - If task is about secure code → suggest code security tools, NOT network security
+   - If task is about disk encryption → suggest storage encryption, NOT TLS/HTTPS
+3. **PRIMARY FOCUS**: Every suggestion MUST be directly tailored to the specific task description provided. Do NOT generate generic suggestions that could apply to any task.
+4. Analyze the task description carefully and generate suggestions that help verify compliance with the SPECIFIC topic and requirements mentioned in that task.
+5. ONLY suggest automations for vendors that are in the "Configured Vendors" list provided
+6. Do NOT suggest generic vendors or vendors not in the list
+7. **VENDOR DIVERSITY**: Avoid suggesting multiple examples from the same vendor. Only include multiple suggestions from the same vendor if there are very few vendors available (3 or fewer). Otherwise, prioritize diversity across different vendors to give users a variety of options.
+8. **NEVER suggest screenshots, manual evidence collection, or UI-based checks** - all suggestions must be API integrations that programmatically pull data
+9. All suggestions must involve connecting to a vendor's API/integration to fetch data automatically
+10. Use plain, simple English - avoid technical jargon or overwhelming details
+11. Keep prompts short and conversational
+
+Examples showing topic-specific relevance: 
+- Task: "Ensure secure code practices are followed"
+  - ✅ Good: "Check if Dependabot is enabled in my GitHub repository" (directly relates to secure code)
+  - ❌ Bad: "Check AWS load balancers use HTTPS" (network security, not secure code)
+  - ❌ Bad: "Check if disk encryption is enabled" (encryption at rest, not secure code)
+
+- Task: "TLS/HTTPS compliance"
+  - ✅ Good: "Check HTTPS on all AWS load balancers" (directly relates to TLS/HTTPS)
+  - ✅ Good: "Verify CloudFront requires HTTPS and TLS ≥1.2" (directly relates to TLS/HTTPS)
+  - ✅ Good: "Verify Gmail enforces TLS for company mail" (directly relates to TLS/HTTPS)
+  - ❌ Bad: "Check if disk encryption is enabled" (encryption at rest, NOT TLS/HTTPS)
+  - ❌ Bad: "Report disk encryption status of company laptops" (encryption at rest, NOT TLS/HTTPS)
+  - ❌ Bad: "Check RDS storage encryption" (encryption at rest, NOT TLS/HTTPS)
+
+- Task: "Data encryption at rest"
+  - ✅ Good: "Check if RDS databases are encrypted at rest" (directly relates to encryption at rest)
+  - ✅ Good: "Verify EBS volumes are encrypted" (directly relates to encryption at rest)
+  - ❌ Bad: "Check if load balancers use HTTPS" (TLS/HTTPS, NOT encryption at rest)
+
+Generate 5-6 automation suggestions that:
+1. **Match the EXACT topic** identified in the task description (do NOT suggest related but different concepts)
+2. Are DIRECTLY relevant to the specific task description (not generic)
+3. Help collect evidence that verifies compliance with the task's specific topic and requirements
+4. ONLY use vendors from the configured vendors list
+5. **Prioritize vendor diversity** - avoid multiple suggestions from the same vendor unless there are very few vendors (3 or fewer)
+6. Are tailored to what the task is actually asking about (the specific topic domain)
+7. **Involve API integrations that programmatically pull data** (NO screenshots, NO manual checks)
+
+Each suggestion should:
+- **Match the EXACT topic domain** mentioned in the task (e.g., if task is TLS/HTTPS, only suggest TLS/HTTPS-related checks)
+- Be specifically related to the task description (not generic)
+- **Involve connecting to a vendor API/integration to fetch data programmatically**
+- **NEVER involve screenshots, manual checks, or UI-based evidence collection**
+- Use plain, simple English that anyone can understand
+- Be short and conversational (avoid long technical descriptions)
+- Focus on READ-ONLY API operations that check compliance status
+- ONLY reference vendors from the configured vendors list
+- Be formatted as a clear, simple prompt (e.g., "Check if Dependabot is enabled in my GitHub repository")
+- Focus on evidence collection via API calls (checking settings, configurations, status, etc. through API endpoints)
+
+Return suggestions in a format that includes:
+- title: A short, plain English title (max 60 characters, simple language) that relates to the task
+- prompt: The full prompt text in plain English (e.g., "Check if Dependabot is enabled in my GitHub repository")
+- vendorName: The vendor name from the configured vendors list (required if suggestion is vendor-specific)
+- vendorWebsite: The vendor website/domain from the configured vendors list (optional, e.g., "github.com", "vercel.com")`;
diff --git a/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/automation/[automationId]/chat.tsx b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/automation/[automationId]/chat.tsx
index 5c9070988..060830ffd 100644
--- a/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/automation/[automationId]/chat.tsx
+++ b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/automation/[automationId]/chat.tsx
@@ -27,9 +27,19 @@ interface Props {
   taskId: string;
   taskName?: string;
   automationId: string;
+  suggestions?: { title: string; prompt: string; vendorName?: string; vendorWebsite?: string }[];
+  isLoadingSuggestions?: boolean;
 }
 
-export function Chat({ className, orgId, taskId, taskName, automationId }: Props) {
+export function Chat({
+  className,
+  orgId,
+  taskId,
+  taskName,
+  automationId,
+  suggestions,
+  isLoadingSuggestions = false,
+}: Props) {
   const [input, setInput] = useState('');
   const { chat, updateAutomationId, automationIdRef } = useSharedChatContext();
   const { messages, sendMessage, status } = useChat<ChatUIMessage>({
@@ -126,6 +136,8 @@ export function Chat({ className, orgId, taskId, taskName, automationId }: Props
             status={status}
             inputRef={inputRef}
             onSubmit={() => validateAndSubmitMessage(input)}
+            suggestions={suggestions}
+            isLoadingSuggestions={isLoadingSuggestions}
           />
         </form>
       ) : (
diff --git a/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/automation/[automationId]/components/AutomationPageClient.tsx b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/automation/[automationId]/components/AutomationPageClient.tsx
index 645c1647e..e29f9425e 100644
--- a/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/automation/[automationId]/components/AutomationPageClient.tsx
+++ b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/automation/[automationId]/components/AutomationPageClient.tsx
@@ -1,6 +1,9 @@
 'use client';
 
 import { useChat } from '@ai-sdk/react';
+import { useEffect, useState } from 'react';
+import { flushSync } from 'react-dom';
+import { generateAutomationSuggestions } from '../actions/generate-suggestions';
 import { Chat } from '../chat';
 import { useSharedChatContext } from '../lib';
 import { useTaskAutomationStore } from '../lib/task-automation-store';
@@ -13,12 +16,63 @@ interface Props {
   taskId: string;
   automationId: string;
   taskName: string;
+  taskDescription?: string;
 }
 
-export function AutomationPageClient({ orgId, taskId, automationId, taskName }: Props) {
+export function AutomationPageClient({
+  orgId,
+  taskId,
+  automationId,
+  taskName,
+  taskDescription,
+}: Props) {
   const { scriptUrl } = useTaskAutomationStore();
   const { chat } = useSharedChatContext();
   const { messages } = useChat<ChatUIMessage>({ chat });
+  const [suggestions, setSuggestions] = useState<
+    {
+      title: string;
+      prompt: string;
+      vendorName?: string;
+      vendorWebsite?: string;
+    }[]
+  >([]);
+  // Initialize loading state to true for new automations to show skeletons immediately
+  const [isLoadingSuggestions, setIsLoadingSuggestions] = useState(
+    automationId === 'new' && !!taskDescription,
+  );
+
+  // Load suggestions asynchronously (non-blocking - page renders immediately)
+  useEffect(() => {
+    if (automationId === 'new' && taskDescription) {
+      setIsLoadingSuggestions(true);
+      const clientStartTime = performance.now();
+      generateAutomationSuggestions(taskDescription, orgId)
+        .then((result) => {
+          const clientReceiveTime = performance.now();
+          console.log(
+            `[AutomationPageClient] Received suggestions in ${(clientReceiveTime - clientStartTime).toFixed(2)}ms`,
+          );
+          // Use flushSync to force immediate re-render
+          flushSync(() => {
+            setSuggestions(result);
+            setIsLoadingSuggestions(false);
+          });
+          const clientUpdateTime = performance.now();
+          console.log(
+            `[AutomationPageClient] State updated and flushed in ${(clientUpdateTime - clientReceiveTime).toFixed(2)}ms`,
+          );
+        })
+        .catch((error) => {
+          console.error('Failed to generate suggestions:', error);
+          setIsLoadingSuggestions(false);
+          // Keep empty array, will use static suggestions
+        });
+    } else {
+      // Not a new automation, no need to load suggestions
+      setIsLoadingSuggestions(false);
+    }
+  }, [automationId, taskDescription, orgId]);
 
   const hasMessages = messages.length > 0;
 
@@ -38,6 +92,8 @@ export function AutomationPageClient({ orgId, taskId, automationId, taskName }:
             taskId={taskId}
             automationId={automationId}
             taskName={taskName}
+            suggestions={suggestions}
+            isLoadingSuggestions={isLoadingSuggestions}
           />
         </TabContent>
         <TabContent tabId="workflow" className="flex-1">
@@ -58,6 +114,8 @@ export function AutomationPageClient({ orgId, taskId, automationId, taskName }:
             taskId={taskId}
             automationId={automationId}
             taskName={taskName}
+            suggestions={suggestions}
+            isLoadingSuggestions={isLoadingSuggestions}
           />
         </div>
 
diff --git a/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/automation/[automationId]/components/chat/EmptyState.tsx b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/automation/[automationId]/components/chat/EmptyState.tsx
index db61533ef..dffc6e446 100644
--- a/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/automation/[automationId]/components/chat/EmptyState.tsx
+++ b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/automation/[automationId]/components/chat/EmptyState.tsx
@@ -1,5 +1,6 @@
 import { Card, CardDescription, CardHeader } from '@comp/ui/card';
-import Image from 'next/image';
+import { Skeleton } from '@comp/ui/skeleton';
+import { useState } from 'react';
 import { Textarea } from '../../components/ui/textarea';
 import { AUTOMATION_EXAMPLES, AutomationExample } from '../../constants/automation-examples';
 
@@ -10,6 +11,107 @@ interface EmptyStateProps {
   status: string;
   inputRef: React.RefObject<HTMLTextAreaElement | null>;
   onSubmit: () => void;
+  suggestions?: { title: string; prompt: string; vendorName?: string; vendorWebsite?: string }[];
+  isLoadingSuggestions?: boolean;
+}
+
+function getVendorLogoUrl(vendorName?: string, vendorWebsite?: string): string {
+  // Prefer vendorWebsite if provided
+  if (vendorWebsite) {
+    // Clean up the website - remove protocol, www, and paths
+    const cleanDomain = vendorWebsite
+      .replace(/^https?:\/\//i, '')
+      .replace(/^www\./i, '')
+      .split('/')[0]
+      .split('?')[0];
+    return `https://img.logo.dev/${cleanDomain}?token=pk_AZatYxV5QDSfWpRDaBxzRQ`;
+  }
+
+  if (!vendorName) {
+    return 'https://img.logo.dev/trycomp.ai?token=pk_AZatYxV5QDSfWpRDaBxzRQ';
+  }
+
+  // Try to extract domain from vendor name or use a default
+  // Common vendor mappings
+  const vendorDomainMap: Record<string, string> = {
+    github: 'github.com',
+    vercel: 'vercel.com',
+    cloudflare: 'cloudflare.com',
+    aws: 'aws.amazon.com',
+    gcp: 'cloud.google.com',
+    azure: 'azure.microsoft.com',
+  };
+
+  const lowerName = vendorName.toLowerCase();
+  for (const [key, domain] of Object.entries(vendorDomainMap)) {
+    if (lowerName.includes(key)) {
+      return `https://img.logo.dev/${domain}?token=pk_AZatYxV5QDSfWpRDaBxzRQ`;
+    }
+  }
+
+  // Try to extract domain from vendor name if it looks like a URL
+  const urlMatch = vendorName.match(/(?:https?:\/\/)?(?:www\.)?([^\/\s]+)/i);
+  if (urlMatch) {
+    return `https://img.logo.dev/${urlMatch[1]}?token=pk_AZatYxV5QDSfWpRDaBxzRQ`;
+  }
+
+  return 'https://img.logo.dev/trycomp.ai?token=pk_AZatYxV5QDSfWpRDaBxzRQ';
+}
+
+function VendorCard({
+  example,
+  onExampleClick,
+}: {
+  example: AutomationExample;
+  onExampleClick: (prompt: string) => void;
+}) {
+  const [imageError, setImageError] = useState(false);
+  const fallbackUrl = 'https://img.logo.dev/trycomp.ai?token=pk_AZatYxV5QDSfWpRDaBxzRQ';
+  const imageUrl = imageError ? fallbackUrl : example.url;
+
+  return (
+    <Card
+      className="cursor-pointer transition-all duration-200 hover:scale-[1.02] hover:shadow-xl"
+      onClick={() => onExampleClick(example.prompt)}
+    >
+      <CardHeader className="p-4">
+        <div className="flex items-start gap-3">
+          <div className="relative flex-shrink-0">
+            <img
+              src={imageUrl}
+              alt={example.title}
+              width={24}
+              height={24}
+              className="rounded-sm"
+              onError={() => {
+                if (!imageError) {
+                  setImageError(true);
+                }
+              }}
+            />
+          </div>
+          <CardDescription className="flex-1">
+            <p className="text-sm font-normal text-foreground leading-relaxed">{example.title}</p>
+          </CardDescription>
+        </div>
+      </CardHeader>
+    </Card>
+  );
+}
+
+function SuggestionCardSkeleton() {
+  return (
+    <Card className="transition-all duration-200">
+      <CardHeader className="p-4">
+        <div className="flex items-start gap-3">
+          <Skeleton className="h-6 w-6 rounded-sm flex-shrink-0" />
+          <div className="flex-1">
+            <Skeleton className="h-4 w-full" />
+          </div>
+        </div>
+      </CardHeader>
+    </Card>
+  );
 }
 
 export function EmptyState({
@@ -19,7 +121,21 @@ export function EmptyState({
   status,
   inputRef,
   onSubmit,
+  suggestions,
+  isLoadingSuggestions = false,
 }: EmptyStateProps) {
+  // Use dynamic suggestions if provided, otherwise fall back to static examples
+  const examplesToShow: AutomationExample[] = suggestions
+    ? suggestions.map((s) => ({
+        title: s.title,
+        prompt: s.prompt,
+        url: getVendorLogoUrl(s.vendorName, s.vendorWebsite),
+      }))
+    : AUTOMATION_EXAMPLES;
+
+  // Show skeleton loaders when loading suggestions for new automations
+  const showSkeletons = isLoadingSuggestions && suggestions?.length === 0;
+
   return (
     <div className="flex-1 min-h-0 overflow-y-auto h-full z-20">
       <div className="w-full h-full flex flex-col items-center py-48 px-4">
@@ -29,7 +145,7 @@ export function EmptyState({
           </p>
           <Textarea
             ref={inputRef}
-            placeholder="Check if GitHub dependabot is enabled and tell me the result"
+            placeholder="Describe what evidence you want to collect..."
             className="w-full max-w-3xl transition-all duration-200 hover:shadow-md hover:shadow-primary/5 focus:shadow-lg focus:shadow-primary/10 focus:ring-2 focus:ring-primary/30 min-h-[44px] max-h-[200px] resize-none overflow-y-auto"
             value={input}
             onChange={(e) => {
@@ -58,30 +174,19 @@ export function EmptyState({
           <h3 className="text-lg font-normal text-center">Get started with examples</h3>
 
           <div className="grid grid-cols-2 md:grid-cols-3 gap-3 max-w-3xl mx-auto">
-            {AUTOMATION_EXAMPLES.map((example: AutomationExample) => (
-              <Card
-                key={example.title}
-                className="cursor-pointer transition-all duration-200 hover:scale-[1.02] hover:shadow-xl"
-                onClick={() => onExampleClick(example.prompt)}
-              >
-                <CardHeader className="p-4">
-                  <div className="flex items-start gap-3">
-                    <Image
-                      src={example.url}
-                      alt={example.title}
-                      width={24}
-                      height={24}
-                      className="rounded-sm"
-                    />
-                    <CardDescription className="flex-1">
-                      <p className="text-sm font-normal text-foreground leading-relaxed">
-                        {example.title}
-                      </p>
-                    </CardDescription>
-                  </div>
-                </CardHeader>
-              </Card>
-            ))}
+            {showSkeletons
+              ? // Show 6 skeleton cards while loading
+                Array.from({ length: 6 }).map((_, index) => (
+                  <SuggestionCardSkeleton key={`skeleton-${index}`} />
+                ))
+              : // Show actual suggestion cards
+                examplesToShow.map((example: AutomationExample, index: number) => (
+                  <VendorCard
+                    key={`${example.title}-${index}`}
+                    example={example}
+                    onExampleClick={onExampleClick}
+                  />
+                ))}
           </div>
         </div>
       </div>
diff --git a/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/automation/[automationId]/components/chat/message-part/prompt-secret.tsx b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/automation/[automationId]/components/chat/message-part/prompt-secret.tsx
index 76f7c38b4..d379c650e 100644
--- a/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/automation/[automationId]/components/chat/message-part/prompt-secret.tsx
+++ b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/automation/[automationId]/components/chat/message-part/prompt-secret.tsx
@@ -187,7 +187,7 @@ export const PromptSecret = memo(function PromptSecret({
         {secretData?.description && (
           <div className="grid gap-2">
             <Label className="text-sm">Description</Label>
-            <div className="text-sm text-muted-foreground bg-muted/50 rounded-md p-3">
+            <div className="text-sm text-muted-foreground bg-muted/50 rounded-md p-3 break-words whitespace-pre-wrap max-h-48 overflow-y-auto">
               {secretData.description}
             </div>
           </div>
diff --git a/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/automation/[automationId]/components/evaluation/EvaluationCriteriaCard.tsx b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/automation/[automationId]/components/evaluation/EvaluationCriteriaCard.tsx
index ab14e15c3..aa52ba278 100644
--- a/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/automation/[automationId]/components/evaluation/EvaluationCriteriaCard.tsx
+++ b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/automation/[automationId]/components/evaluation/EvaluationCriteriaCard.tsx
@@ -30,7 +30,9 @@ export function EvaluationCriteriaCard({
     }
   }, [automation?.evaluationCriteria]);
 
-  const handleSave = async () => {
+  const handleSave = async (e?: React.MouseEvent) => {
+    e?.preventDefault();
+    e?.stopPropagation();
     setIsSaving(true);
     try {
       const result = await updateEvaluationCriteria(automationId, criteria);
@@ -49,7 +51,9 @@ export function EvaluationCriteriaCard({
     }
   };
 
-  const handleCancel = () => {
+  const handleCancel = (e?: React.MouseEvent) => {
+    e?.preventDefault();
+    e?.stopPropagation();
     setCriteria(initialCriteria || '');
     setIsEditing(false);
   };
@@ -121,6 +125,7 @@ export function EvaluationCriteriaCard({
             />
             <div className="flex items-center justify-end gap-2">
               <Button
+                type="button"
                 size="sm"
                 variant="ghost"
                 onClick={handleCancel}
@@ -129,7 +134,13 @@ export function EvaluationCriteriaCard({
               >
                 Cancel
               </Button>
-              <Button size="sm" onClick={handleSave} disabled={isSaving} className="h-8">
+              <Button
+                type="button"
+                size="sm"
+                onClick={handleSave}
+                disabled={isSaving}
+                className="h-8"
+              >
                 <Save className="w-3.5 h-3.5 mr-1.5" />
                 Save
               </Button>
diff --git a/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/automation/[automationId]/loading.tsx b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/automation/[automationId]/loading.tsx
new file mode 100644
index 000000000..6edc8b644
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/automation/[automationId]/loading.tsx
@@ -0,0 +1,10 @@
+import Loader from '@/components/ui/loader';
+
+export default function Loading() {
+  return (
+    <div className="h-screen overflow-hidden">
+      <Loader />
+    </div>
+  );
+}
+
diff --git a/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/automation/[automationId]/page.tsx b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/automation/[automationId]/page.tsx
index 29b582d24..03b122f87 100644
--- a/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/automation/[automationId]/page.tsx
+++ b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/automation/[automationId]/page.tsx
@@ -42,6 +42,9 @@ export default async function Page({
     }
   }
 
+  // Pass task info for client-side suggestion loading (non-blocking)
+  const taskDescription = task.description || task.title;
+
   return (
     <ChatProvider initialMessages={initialMessages}>
       <AutomationLayoutWrapper>
@@ -51,6 +54,7 @@ export default async function Page({
             taskId={taskId}
             automationId={automationId}
             taskName={taskName}
+            taskDescription={automationId === 'new' ? taskDescription : undefined}
           />
         </div>
       </AutomationLayoutWrapper>
diff --git a/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/hooks/use-task.ts b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/hooks/use-task.ts
index c8db40aef..dd0310c58 100644
--- a/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/hooks/use-task.ts
+++ b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/hooks/use-task.ts
@@ -27,8 +27,14 @@ export function useTask({ initialData }: UseTaskOptions = {}): UseTaskReturn {
   }>();
 
   const { data, error, isLoading, mutate } = useSWR(
-    [`task-${taskId}`, orgId, taskId],
+    // Only fetch if both orgId and taskId are available
+    orgId && taskId ? [`task-${taskId}`, orgId, taskId] : null,
     async () => {
+      // Guard clause - should not happen due to key check, but extra safety
+      if (!orgId || !taskId) {
+        throw new Error('Organization ID and Task ID are required');
+      }
+
       const response = await api.get<TaskData>(`/v1/tasks/${taskId}`, orgId);
 
       if (response.error) {
diff --git a/apps/app/src/app/(app)/[orgId]/tasks/page.tsx b/apps/app/src/app/(app)/[orgId]/tasks/page.tsx
index cfb7cb04b..f84318fa6 100644
--- a/apps/app/src/app/(app)/[orgId]/tasks/page.tsx
+++ b/apps/app/src/app/(app)/[orgId]/tasks/page.tsx
@@ -83,7 +83,7 @@ const getMembersWithMetadata = async () => {
     where: {
       organizationId: orgId,
       role: {
-        notIn: [Role.employee, Role.auditor],
+        notIn: [Role.employee, Role.auditor, Role.contractor],
       },
     },
     include: {
diff --git a/apps/app/src/app/(app)/[orgId]/vendors/(overview)/data/queries.ts b/apps/app/src/app/(app)/[orgId]/vendors/(overview)/data/queries.ts
index 1579a8172..a50090586 100644
--- a/apps/app/src/app/(app)/[orgId]/vendors/(overview)/data/queries.ts
+++ b/apps/app/src/app/(app)/[orgId]/vendors/(overview)/data/queries.ts
@@ -57,7 +57,7 @@ export const getAssignees = cache(async (orgId: string): Promise<GetAssigneesRes
     where: {
       organizationId: orgId,
       role: {
-        notIn: ['employee'],
+        notIn: ['employee', 'contractor'],
       },
     },
     include: {
diff --git a/apps/app/src/app/(app)/[orgId]/vendors/[vendorId]/page.tsx b/apps/app/src/app/(app)/[orgId]/vendors/[vendorId]/page.tsx
index d1fd53ab9..1d03a7c75 100644
--- a/apps/app/src/app/(app)/[orgId]/vendors/[vendorId]/page.tsx
+++ b/apps/app/src/app/(app)/[orgId]/vendors/[vendorId]/page.tsx
@@ -105,7 +105,7 @@ const getAssignees = cache(async () => {
     where: {
       organizationId: session.session.activeOrganizationId,
       role: {
-        notIn: ['employee'],
+        notIn: ['employee', 'contractor'],
       },
     },
     include: {
diff --git a/apps/app/src/app/(app)/[orgId]/vendors/[vendorId]/tasks/[taskId]/page.tsx b/apps/app/src/app/(app)/[orgId]/vendors/[vendorId]/tasks/[taskId]/page.tsx
index 2276efa3a..8d4239106 100644
--- a/apps/app/src/app/(app)/[orgId]/vendors/[vendorId]/tasks/[taskId]/page.tsx
+++ b/apps/app/src/app/(app)/[orgId]/vendors/[vendorId]/tasks/[taskId]/page.tsx
@@ -48,7 +48,7 @@ export default async function TaskPage({ params }: PageProps) {
       where: {
         organizationId: orgId,
         role: {
-          notIn: ['employee'],
+          notIn: ['employee', 'contractor'],
         },
       },
       include: {
diff --git a/apps/app/src/app/(app)/[orgId]/vendors/backup-overview/layout.tsx b/apps/app/src/app/(app)/[orgId]/vendors/backup-overview/layout.tsx
index 056f41476..e7317863d 100644
--- a/apps/app/src/app/(app)/[orgId]/vendors/backup-overview/layout.tsx
+++ b/apps/app/src/app/(app)/[orgId]/vendors/backup-overview/layout.tsx
@@ -94,7 +94,7 @@ const getAssignees = cache(async () => {
     where: {
       organizationId: activeOrganizationId,
       role: {
-        notIn: ['employee'],
+        notIn: ['employee', 'contractor'],
       },
     },
     include: {
diff --git a/apps/app/src/app/(app)/no-access/page.tsx b/apps/app/src/app/(app)/no-access/page.tsx
index 1369d4706..376a971c9 100644
--- a/apps/app/src/app/(app)/no-access/page.tsx
+++ b/apps/app/src/app/(app)/no-access/page.tsx
@@ -38,7 +38,7 @@ export default async function NoAccess() {
         <h1 className="text-2xl font-bold">Access Denied</h1>
         <div className="flex flex-col text-center">
           <p>
-            <b>Employees</b> don&apos;t have access to app.trycomp.ai, did you mean to go to{' '}
+            <b>Employees</b> and <b>Contractors</b> don&apos;t have access to app.trycomp.ai, did you mean to go to{' '}
             <Link href="https://portal.trycomp.ai" className="text-primary underline">
               portal.trycomp.ai
             </Link>
diff --git a/apps/app/src/hooks/use-organization-members.ts b/apps/app/src/hooks/use-organization-members.ts
index d79b17a2d..d233d4be7 100644
--- a/apps/app/src/hooks/use-organization-members.ts
+++ b/apps/app/src/hooks/use-organization-members.ts
@@ -27,8 +27,12 @@ export function useOrganizationMembers({
   }>();
 
   const { data, error, isLoading, mutate } = useSWR(
-    [`organization-members-${orgId}`, orgId],
+    orgId ? [`organization-members-${orgId}`, orgId] : null,
     async () => {
+      if (!orgId) {
+        throw new Error('Organization ID is required');
+      }
+
       const { data } = await api.get<{
         data: MemberData[];
         error: string;
@@ -37,7 +41,7 @@ export function useOrganizationMembers({
 
       if (!data?.data) {
         console.error('[useOrganizationMembers] Failed to fetch organization members', data?.error);
-        throw new Error(data?.error);
+        throw new Error(data?.error || 'Failed to fetch organization members');
       }
 
       return data?.data || [];
diff --git a/apps/app/src/lib/api-client.ts b/apps/app/src/lib/api-client.ts
index bdc693a98..b9367f56f 100644
--- a/apps/app/src/lib/api-client.ts
+++ b/apps/app/src/lib/api-client.ts
@@ -28,8 +28,13 @@ export class ApiClient {
   /**
    * Make an authenticated API call
    * Uses Bearer token authentication + explicit org context
+   * Automatically handles token refresh on 401 errors
    */
-  async call<T = unknown>(endpoint: string, options: ApiCallOptions = {}): Promise<ApiResponse<T>> {
+  async call<T = unknown>(
+    endpoint: string,
+    options: ApiCallOptions = {},
+    retryOnAuthError = true,
+  ): Promise<ApiResponse<T>> {
     const { organizationId, headers: customHeaders, ...fetchOptions } = options;
 
     // Build headers
@@ -64,6 +69,69 @@ export class ApiClient {
         headers,
       });
 
+      // Handle 401 Unauthorized - token might be invalid, try refreshing
+      if (response.status === 401 && retryOnAuthError && typeof window !== 'undefined') {
+        console.log('🔄 Received 401, refreshing token and retrying request...');
+
+        // Force refresh token (clear cache and get fresh one)
+        const newToken = await jwtManager.forceRefresh();
+
+        if (newToken) {
+          // Retry the request with the new token (only once)
+          const retryHeaders = {
+            ...headers,
+            Authorization: `Bearer ${newToken}`,
+          };
+
+          const retryResponse = await fetch(`${this.baseUrl}${endpoint}`, {
+            credentials: 'include',
+            ...fetchOptions,
+            headers: retryHeaders,
+          });
+
+          let retryData = null;
+
+          // Handle different response types based on status and content
+          if (retryResponse.status === 204) {
+            retryData = null;
+          } else {
+            const text = await retryResponse.text();
+            if (text) {
+              try {
+                retryData = JSON.parse(text);
+              } catch (parseError) {
+                retryData = { message: text };
+              }
+            }
+          }
+
+          return {
+            data: retryResponse.ok ? retryData : undefined,
+            error: !retryResponse.ok
+              ? retryData?.message || `HTTP ${retryResponse.status}: ${retryResponse.statusText}`
+              : undefined,
+            status: retryResponse.status,
+          };
+        } else {
+          // Failed to refresh token, read original response and return error
+          console.error('❌ Failed to refresh token after 401 error');
+          const text = await response.text();
+          let errorData = null;
+          if (text) {
+            try {
+              errorData = JSON.parse(text);
+            } catch {
+              errorData = { message: text };
+            }
+          }
+          return {
+            data: undefined,
+            error: errorData?.message || `HTTP ${response.status}: ${response.statusText}`,
+            status: response.status,
+          };
+        }
+      }
+
       let data = null;
 
       // Handle different response types based on status and content
diff --git a/apps/app/src/test-utils/mocks/auth.ts b/apps/app/src/test-utils/mocks/auth.ts
index 3c8bc37b0..c54e5512e 100644
--- a/apps/app/src/test-utils/mocks/auth.ts
+++ b/apps/app/src/test-utils/mocks/auth.ts
@@ -62,6 +62,7 @@ export const createMockMember = (overrides?: Partial<Member>): Member => ({
   department: Departments.none,
   isActive: true,
   fleetDmLabelId: null,
+  deactivated: false,
   ...overrides,
 });
 
diff --git a/apps/app/src/utils/jwt-manager.ts b/apps/app/src/utils/jwt-manager.ts
index 9599947e7..45bd7a303 100644
--- a/apps/app/src/utils/jwt-manager.ts
+++ b/apps/app/src/utils/jwt-manager.ts
@@ -9,7 +9,10 @@ interface TokenInfo {
 
 class JWTManager {
   private refreshTimer: NodeJS.Timeout | null = null;
+  private refreshPromise: Promise<string | null> | null = null; // Prevent concurrent refreshes
+  private lastRefreshAttempt: number = 0; // Track last refresh attempt time
   private readonly REFRESH_THRESHOLD = 5 * 60 * 1000; // Refresh 5 minutes before expiry
+  private readonly REFRESH_COOLDOWN = 2000; // 2 seconds cooldown between refresh attempts
   private readonly STORAGE_KEY = 'bearer_token';
   private readonly EXPIRY_KEY = 'bearer_token_expiry';
 
@@ -36,8 +39,50 @@ class JWTManager {
 
   /**
    * Get a fresh JWT token from Better Auth
+   * Prevents concurrent refresh attempts and enforces cooldown period
    */
   async refreshToken(): Promise<string | null> {
+    // If a refresh is already in progress, wait for it instead of starting a new one
+    if (this.refreshPromise) {
+      console.log('🔄 Token refresh already in progress, waiting...');
+      return await this.refreshPromise;
+    }
+
+    // Enforce cooldown period to prevent rapid refresh attempts
+    const now = Date.now();
+    const timeSinceLastAttempt = now - this.lastRefreshAttempt;
+    if (timeSinceLastAttempt < this.REFRESH_COOLDOWN) {
+      console.log(
+        `⏳ Refresh cooldown active, waiting ${Math.ceil((this.REFRESH_COOLDOWN - timeSinceLastAttempt) / 1000)}s...`,
+      );
+      // Return existing token if available, otherwise wait for cooldown
+      const stored = this.getStoredToken();
+      if (stored && !this.isTokenExpiringSoon(stored.expiresAt)) {
+        return stored.token;
+      }
+      // Wait for cooldown
+      await new Promise((resolve) =>
+        setTimeout(resolve, this.REFRESH_COOLDOWN - timeSinceLastAttempt),
+      );
+    }
+
+    // Start refresh and store promise to prevent concurrent attempts
+    this.lastRefreshAttempt = Date.now();
+    this.refreshPromise = this._doRefreshToken();
+
+    try {
+      const result = await this.refreshPromise;
+      return result;
+    } finally {
+      // Clear promise after refresh completes (success or failure)
+      this.refreshPromise = null;
+    }
+  }
+
+  /**
+   * Internal method to actually perform the token refresh
+   */
+  private async _doRefreshToken(): Promise<string | null> {
     try {
       console.log('🔄 Refreshing JWT token...');
 
@@ -202,9 +247,16 @@ class JWTManager {
 
   /**
    * Force refresh token (useful for testing or manual refresh)
+   * Clears stored token first to ensure a fresh fetch
+   * Respects cooldown and concurrent refresh protection
    */
   async forceRefresh(): Promise<string | null> {
     console.log('🔄 Force refreshing JWT token...');
+    // Clear stored token to force a fresh fetch
+    localStorage.removeItem(this.STORAGE_KEY);
+    localStorage.removeItem(this.EXPIRY_KEY);
+    // Reset last refresh attempt to allow immediate refresh (but still respect concurrent protection)
+    this.lastRefreshAttempt = 0;
     return await this.refreshToken();
   }
 }
diff --git a/apps/portal/package.json b/apps/portal/package.json
index b14d95424..ad6d53685 100644
--- a/apps/portal/package.json
+++ b/apps/portal/package.json
@@ -9,7 +9,7 @@
     "@react-email/render": "^1.1.2",
     "@t3-oss/env-nextjs": "^0.13.8",
     "@trycompai/analytics": "workspace:*",
-    "@trycompai/db": "^1.3.7",
+    "@trycompai/db": "^1.3.17",
     "@trycompai/email": "workspace:*",
     "@trycompai/kv": "workspace:*",
     "@trycompai/ui": "workspace:*",
diff --git a/apps/portal/src/app/(app)/(home)/[orgId]/components/tasks/DeviceAgentAccordionItem.tsx b/apps/portal/src/app/(app)/(home)/[orgId]/components/tasks/DeviceAgentAccordionItem.tsx
index d3f4a5006..b5d80258e 100644
--- a/apps/portal/src/app/(app)/(home)/[orgId]/components/tasks/DeviceAgentAccordionItem.tsx
+++ b/apps/portal/src/app/(app)/(home)/[orgId]/components/tasks/DeviceAgentAccordionItem.tsx
@@ -36,7 +36,7 @@ export function DeviceAgentAccordionItem({
   const mdmEnabledStatus = useMemo(() => {
     return {
       id: 'mdm',
-      response: host?.mdm.enrollment_status === 'On' ? 'pass' : 'fail',
+      response: host?.mdm.connected_to_fleet ? 'pass' : 'fail',
       name: 'MDM Enabled',
     };
   }, [host]);
diff --git a/apps/portal/src/app/(app)/(home)/[orgId]/types/index.ts b/apps/portal/src/app/(app)/(home)/[orgId]/types/index.ts
index ea337dc9b..c132d164f 100644
--- a/apps/portal/src/app/(app)/(home)/[orgId]/types/index.ts
+++ b/apps/portal/src/app/(app)/(home)/[orgId]/types/index.ts
@@ -85,7 +85,7 @@ export type MDM = {
   connected_to_fleet: boolean;
   dep_profile_error: boolean;
   encryption_key_available: boolean;
-  enrollment_status: "Off" | "On";
+  enrollment_status: string;
   name?: string;
   server_url?: string;
 };
\ No newline at end of file
diff --git a/bun.lock b/bun.lock
index 185c04e5d..12bc0ef88 100644
--- a/bun.lock
+++ b/bun.lock
@@ -72,12 +72,13 @@
         "@nestjs/platform-express": "^11.1.5",
         "@nestjs/swagger": "^11.2.0",
         "@prisma/client": "^6.13.0",
-        "@trycompai/db": "^1.3.7",
+        "@trycompai/db": "^1.3.17",
         "archiver": "^7.0.1",
         "axios": "^1.12.2",
         "better-auth": "^1.3.27",
         "class-transformer": "^0.5.1",
         "class-validator": "^0.14.2",
+        "dotenv": "^17.2.3",
         "jose": "^6.0.12",
         "prisma": "^6.13.0",
         "reflect-metadata": "^0.2.2",
@@ -119,7 +120,7 @@
       "dependencies": {
         "@ai-sdk/anthropic": "^2.0.0",
         "@ai-sdk/groq": "^2.0.0",
-        "@ai-sdk/openai": "^2.0.0",
+        "@ai-sdk/openai": "^2.0.65",
         "@ai-sdk/provider": "^2.0.0",
         "@ai-sdk/react": "^2.0.60",
         "@ai-sdk/rsc": "^1.0.0",
@@ -166,7 +167,7 @@
         "@tiptap/extension-table-row": "^3.4.4",
         "@trigger.dev/react-hooks": "4.0.6",
         "@trigger.dev/sdk": "4.0.6",
-        "@trycompai/db": "^1.3.7",
+        "@trycompai/db": "^1.3.17",
         "@trycompai/email": "workspace:*",
         "@types/canvas-confetti": "^1.9.0",
         "@types/react-syntax-highlighter": "^15.5.13",
@@ -267,7 +268,7 @@
         "@react-email/render": "^1.1.2",
         "@t3-oss/env-nextjs": "^0.13.8",
         "@trycompai/analytics": "workspace:*",
-        "@trycompai/db": "^1.3.7",
+        "@trycompai/db": "^1.3.17",
         "@trycompai/email": "workspace:*",
         "@trycompai/kv": "workspace:*",
         "@trycompai/ui": "workspace:*",
@@ -492,7 +493,7 @@
 
     "@ai-sdk/groq": ["@ai-sdk/groq@2.0.24", "", { "dependencies": { "@ai-sdk/provider": "2.0.0", "@ai-sdk/provider-utils": "3.0.12" }, "peerDependencies": { "zod": "^3.25.76 || ^4.1.8" } }, "sha512-PCtNwFsakxR6B/o+l3gtxlPIwN8lawK3vvOjRdC759Y8WtNxCv5RUs0JsxIKyAZxO+RBEy0AoL8xTQUy8fn3gw=="],
 
-    "@ai-sdk/openai": ["@ai-sdk/openai@2.0.52", "", { "dependencies": { "@ai-sdk/provider": "2.0.0", "@ai-sdk/provider-utils": "3.0.12" }, "peerDependencies": { "zod": "^3.25.76 || ^4.1.8" } }, "sha512-n1arAo4+63e6/FFE6z/1ZsZbiOl4cfsoZ3F4i2X7LPIEea786Y2yd7Qdr7AdB4HTLVo3OSb1PHVIcQmvYIhmEA=="],
+    "@ai-sdk/openai": ["@ai-sdk/openai@2.0.65", "", { "dependencies": { "@ai-sdk/provider": "2.0.0", "@ai-sdk/provider-utils": "3.0.17" }, "peerDependencies": { "zod": "^3.25.76 || ^4.1.8" } }, "sha512-Wqo4iNCsxUYJFmEAzAHO0XDnnS76rqvPRX2AUhEAOX3cgL9UEfouFmiNQS2jM9AZhMdWj5GIG41hgr4YOr20tA=="],
 
     "@ai-sdk/provider": ["@ai-sdk/provider@2.0.0", "", { "dependencies": { "json-schema": "^0.4.0" } }, "sha512-6o7Y2SeO9vFKB8lArHXehNuusnpddKPk7xqL7T2/b+OvXMRIXUO1rR4wcv1hAFUAT9avGZshty3Wlua/XA7TvA=="],
 
@@ -1902,7 +1903,7 @@
 
     "@trycompai/analytics": ["@trycompai/analytics@workspace:packages/analytics"],
 
-    "@trycompai/db": ["@trycompai/db@1.3.13", "", { "dependencies": { "@prisma/client": "^6.13.0", "dotenv": "^16.4.5" } }, "sha512-+olTmT0/zb+6M2UDU1/lefBb7ZX8BRtMV6VULq0ScgHZEXfhP4IM9Aj19z28piRW7k5no63ZxfCkbZ/grXm3uQ=="],
+    "@trycompai/db": ["@trycompai/db@1.3.17", "", { "dependencies": { "@prisma/client": "^6.13.0", "dotenv": "^16.4.5" } }, "sha512-vrKf+/YGdQhpP470xWhysL3RDL8v16pS90AafF718YcRI6mI/XUqlirNMS43+XtOksrc5CHITyBLLOd848bFDA=="],
 
     "@trycompai/email": ["@trycompai/email@workspace:packages/email"],
 
@@ -2912,7 +2913,7 @@
 
     "dot-prop": ["dot-prop@5.3.0", "", { "dependencies": { "is-obj": "^2.0.0" } }, "sha512-QM8q3zDe58hqUqjraQOmzZ1LIH9SWQJTlEKCH4kJ2oQvLZk7RbQXvtDM2XEq3fwkV9CCvvH4LA0AV+ogFsBM2Q=="],
 
-    "dotenv": ["dotenv@16.4.7", "", {}, "sha512-47qPchRCykZC03FhkYAhrvwU4xDBFIj1QPqaarj6mdM/hgUzfPHcpkHJOn3mJAufFeeAxAzeGsr5X0M4k6fLZQ=="],
+    "dotenv": ["dotenv@17.2.3", "", {}, "sha512-JVUnt+DUIzu87TABbhPmNfVdBDt18BLOWjMUFJMSi/Qqg7NTYtabbvSNJGOJ7afbRuv9D/lngizHtP7QyLQ+9w=="],
 
     "dotenv-expand": ["dotenv-expand@12.0.1", "", { "dependencies": { "dotenv": "^16.4.5" } }, "sha512-LaKRbou8gt0RNID/9RoI+J2rvXsBRPMV7p+ElHlPhcSARbCPDYcYG2s1TIzAfWv4YSgyY5taidWzzs31lNV3yQ=="],
 
@@ -5206,6 +5207,8 @@
 
     "@ai-sdk/gateway/@vercel/oidc": ["@vercel/oidc@3.0.2", "", {}, "sha512-JekxQ0RApo4gS4un/iMGsIL1/k4KUBe3HmnGcDvzHuFBdQdudEJgTqcsJC7y6Ul4Yw5CeykgvQbX2XeEJd0+DA=="],
 
+    "@ai-sdk/openai/@ai-sdk/provider-utils": ["@ai-sdk/provider-utils@3.0.17", "", { "dependencies": { "@ai-sdk/provider": "2.0.0", "@standard-schema/spec": "^1.0.0", "eventsource-parser": "^3.0.6" }, "peerDependencies": { "zod": "^3.25.76 || ^4.1.8" } }, "sha512-TR3Gs4I3Tym4Ll+EPdzRdvo/rc8Js6c4nVhFLuvGLX/Y4V9ZcQMa/HTiYsHEgmYrf1zVi6Q145UEZUfleOwOjw=="],
+
     "@angular-devkit/core/ajv": ["ajv@8.17.1", "", { "dependencies": { "fast-deep-equal": "^3.1.3", "fast-uri": "^3.0.1", "json-schema-traverse": "^1.0.0", "require-from-string": "^2.0.2" } }, "sha512-B/gBuNg5SiMTrPkC+A2+cW0RszwxYmn6VYxB/inlBStS5nx6xHIt/ehKRhIMhqusl7a8LjQoZnjCs5vhwxOQ1g=="],
 
     "@angular-devkit/core/rxjs": ["rxjs@7.8.1", "", { "dependencies": { "tslib": "^2.1.0" } }, "sha512-AA3TVj+0A2iuIoQkWEK/tqFjBq2j+6PO6Y0zJcvzLAFhEFIO3HL0vls9hWLncZbAAbK0mar7oZ4V079I/qPMxg=="],
@@ -5408,6 +5411,8 @@
 
     "@nestjs/cli/typescript": ["typescript@5.8.3", "", { "bin": { "tsc": "bin/tsc", "tsserver": "bin/tsserver" } }, "sha512-p1diW6TqL9L07nNxvRMM7hMMw4c5XOo/1ibL4aAIGmSAt9slTE1Xgw5KWuof2uTOvCg9BY7ZRi+GaF+7sfgPeQ=="],
 
+    "@nestjs/config/dotenv": ["dotenv@16.4.7", "", {}, "sha512-47qPchRCykZC03FhkYAhrvwU4xDBFIj1QPqaarj6mdM/hgUzfPHcpkHJOn3mJAufFeeAxAzeGsr5X0M4k6fLZQ=="],
+
     "@nestjs/schematics/@angular-devkit/core": ["@angular-devkit/core@19.2.17", "", { "dependencies": { "ajv": "8.17.1", "ajv-formats": "3.0.1", "jsonc-parser": "3.3.1", "picomatch": "4.0.2", "rxjs": "7.8.1", "source-map": "0.7.4" }, "peerDependencies": { "chokidar": "^4.0.0" }, "optionalPeers": ["chokidar"] }, "sha512-Ah008x2RJkd0F+NLKqIpA34/vUGwjlprRCkvddjDopAWRzYn6xCkz1Tqwuhn0nR1Dy47wTLKYD999TYl5ONOAQ=="],
 
     "@nestjs/schematics/@angular-devkit/schematics": ["@angular-devkit/schematics@19.2.17", "", { "dependencies": { "@angular-devkit/core": "19.2.17", "jsonc-parser": "3.3.1", "magic-string": "0.30.17", "ora": "5.4.1", "rxjs": "7.8.1" } }, "sha512-ADfbaBsrG8mBF6Mfs+crKA/2ykB8AJI50Cv9tKmZfwcUcyAdmTr+vVvhsBCfvUAEokigSsgqgpYxfkJVxhJYeg=="],
@@ -5576,6 +5581,8 @@
 
     "@trycompai/db/dotenv": ["dotenv@16.6.1", "", {}, "sha512-uBq4egWHTcTt33a72vpSG0z3HnPuIl6NqYcTrKEg2azoEyl2hpW0zqlxysq2pK9HlDIHyHyakeYaYnSAwd8bow=="],
 
+    "@trycompai/integrations/@ai-sdk/openai": ["@ai-sdk/openai@2.0.52", "", { "dependencies": { "@ai-sdk/provider": "2.0.0", "@ai-sdk/provider-utils": "3.0.12" }, "peerDependencies": { "zod": "^3.25.76 || ^4.1.8" } }, "sha512-n1arAo4+63e6/FFE6z/1ZsZbiOl4cfsoZ3F4i2X7LPIEea786Y2yd7Qdr7AdB4HTLVo3OSb1PHVIcQmvYIhmEA=="],
+
     "@trycompai/integrations/zod": ["zod@4.1.12", "", {}, "sha512-JInaHOamG8pt5+Ey8kGmdcAcg3OL9reK8ltczgHTAwNhMys/6ThXHityHxVV2p3fkw/c+MAvBHFVYHFZDmjMCQ=="],
 
     "@typescript-eslint/eslint-plugin/ignore": ["ignore@7.0.5", "", {}, "sha512-Hs59xBNfUIunMFgWAbGX5cq6893IbWg4KnrjbYwX3tx0ztorVgTDA6B2sxf8ejHJ4wz8BqGUMYlnzNBer5NvGg=="],
@@ -5646,6 +5653,8 @@
 
     "discord.js/undici": ["undici@6.21.3", "", {}, "sha512-gBLkYIlEnSp8pFbT64yFgGE6UIB9tAkhukC23PmMDCe5Nd+cRqKxSjw5y54MK2AZMgZfJWMaNE4nYUHgi1XEOw=="],
 
+    "dotenv-expand/dotenv": ["dotenv@16.4.7", "", {}, "sha512-47qPchRCykZC03FhkYAhrvwU4xDBFIj1QPqaarj6mdM/hgUzfPHcpkHJOn3mJAufFeeAxAzeGsr5X0M4k6fLZQ=="],
+
     "duplexer2/readable-stream": ["readable-stream@2.3.8", "", { "dependencies": { "core-util-is": "~1.0.0", "inherits": "~2.0.3", "isarray": "~1.0.0", "process-nextick-args": "~2.0.0", "safe-buffer": "~5.1.1", "string_decoder": "~1.1.1", "util-deprecate": "~1.0.1" } }, "sha512-8p0AUk4XODgIewSi0l8Epjs+EVnWiK7NoDIEGU0HhE7+ZyY8D1IMY7odu5lRrFXGg71L15KG8QrPmum45RTtdA=="],
 
     "ecdsa-sig-formatter/safe-buffer": ["safe-buffer@5.2.1", "", {}, "sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ=="],
diff --git a/packages/db/package.json b/packages/db/package.json
index 0c4fb1b5f..0f7f8a793 100644
--- a/packages/db/package.json
+++ b/packages/db/package.json
@@ -1,7 +1,7 @@
 {
   "name": "@trycompai/db",
   "description": "Database package with Prisma client and schema for Comp AI",
-  "version": "1.3.15",
+  "version": "1.3.17",
   "dependencies": {
     "@prisma/client": "^6.13.0",
     "dotenv": "^16.4.5"
diff --git a/packages/db/prisma/migrations/20251112145246_add_deactivated_to_member/migration.sql b/packages/db/prisma/migrations/20251112145246_add_deactivated_to_member/migration.sql
new file mode 100644
index 000000000..7ff63c6e6
--- /dev/null
+++ b/packages/db/prisma/migrations/20251112145246_add_deactivated_to_member/migration.sql
@@ -0,0 +1,2 @@
+-- AlterTable
+ALTER TABLE "Member" ADD COLUMN     "deactivated" BOOLEAN NOT NULL DEFAULT false;
diff --git a/packages/db/prisma/schema/auth.prisma b/packages/db/prisma/schema/auth.prisma
index 30f37b9f0..db60eae95 100644
--- a/packages/db/prisma/schema/auth.prisma
+++ b/packages/db/prisma/schema/auth.prisma
@@ -93,6 +93,7 @@ model Member {
 
     department                      Departments                       @default(none)
     isActive                        Boolean                           @default(true)
+    deactivated                     Boolean                           @default(false)
     employeeTrainingVideoCompletion EmployeeTrainingVideoCompletion[]
     fleetDmLabelId                  Int?