diff --git a/.env.example b/.env.example
index 181b273..04c769f 100644
--- a/.env.example
+++ b/.env.example
@@ -3,6 +3,3 @@ CLAUDE_BIN=claude
 
 # Backend server port (default: 9998)
 PORT=9998
-
-# Allowed CORS origin for the Vite dev server (dev only; not needed in production)
-FRONTEND_ORIGIN=http://localhost:9999
diff --git a/CLAUDE.md b/CLAUDE.md
index 4993eb0..e4ee894 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -46,7 +46,6 @@ cp .env.example backend/.env
 | `CLAUDE_BIN` | `claude` | Path to the `claude` binary |
 | `PORT` | `9998` | Backend listen port |
 | `HOST` | `0.0.0.0` | Backend listen address |
-| `FRONTEND_ORIGIN` | `http://localhost:9999` | CORS allowed origin (dev only) |
 
 ## Dev ports
 
diff --git a/Makefile b/Makefile
index ee2522d..f09ee18 100644
--- a/Makefile
+++ b/Makefile
@@ -1,16 +1,10 @@
 .PHONY: dev dev-backend dev-frontend build lint test install clean run service-install service-uninstall service-test
 
-# Fedora / RHEL hosts lack the Google Trust Services intermediate CA that
-# Anthropic's API uses.  Set NODE_EXTRA_CA_CERTS only when the bundle exists
-# so the fix is a no-op on macOS, Ubuntu, Alpine, etc.
-CA_BUNDLE := /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
-CA_ENV    := $(if $(wildcard $(CA_BUNDLE)),NODE_EXTRA_CA_CERTS=$(CA_BUNDLE),)
-
 dev:
 	@make -j2 dev-backend dev-frontend
 
 dev-backend:
-	cd backend && $(CA_ENV) npm run dev
+	cd backend && npm run dev
 
 dev-frontend:
 	cd frontend && npm run dev
diff --git a/README.md b/README.md
index 0b067ed..cc8f78a 100644
--- a/README.md
+++ b/README.md
@@ -75,7 +75,6 @@ cp .env.example backend/.env
 | `CLAUDE_BIN` | `claude` | Path to the `claude` binary |
 | `PORT` | `9998` | Backend listen port |
 | `HOST` | `0.0.0.0` | Backend listen address |
-| `FRONTEND_ORIGIN` | `http://localhost:9999` | Allowed CORS origin (dev only) |
 
 ## Development
 
diff --git a/backend/src/routes/account.ts b/backend/src/routes/account.ts
index b23ae4f..079a070 100644
--- a/backend/src/routes/account.ts
+++ b/backend/src/routes/account.ts
@@ -1,9 +1,8 @@
 import type { FastifyInstance } from 'fastify'
-import { getAccountInfo } from '../services/claudeAccount'
+import { getCachedAccount } from '../services/accountCache'
 
 export async function accountRoutes(fastify: FastifyInstance) {
   fastify.get('/api/account', async (_req, reply) => {
-    const info = await getAccountInfo()
-    return reply.send(info)
+    return reply.send(getCachedAccount())
   })
 }
diff --git a/backend/src/routes/sessions.ts b/backend/src/routes/sessions.ts
index b43e57d..bfddf35 100644
--- a/backend/src/routes/sessions.ts
+++ b/backend/src/routes/sessions.ts
@@ -27,6 +27,23 @@ export async function sessionRoutes(fastify: FastifyInstance) {
     }
   })
 
+  fastify.get<{ Params: { id: string } }>('/api/sessions/:id', async (req, reply) => {
+    const { id } = req.params
+    const row = db
+      .prepare(
+        `SELECT s.*,
+          CASE WHEN s.ended_at IS NULL THEN 1 ELSE 0 END as is_active,
+          COUNT(m.id) as message_count
+        FROM sessions s
+        LEFT JOIN messages m ON m.session_id = s.id
+        WHERE s.id = ?
+        GROUP BY s.id`,
+      )
+      .get(id)
+    if (!row) return reply.status(404).send({ error: 'Session not found' })
+    return reply.send(row)
+  })
+
   fastify.get('/api/sessions', async (_req, reply) => {
     const rows = db
       .prepare(
diff --git a/backend/src/routes/settings.test.ts b/backend/src/routes/settings.test.ts
index d52fcdd..310c183 100644
--- a/backend/src/routes/settings.test.ts
+++ b/backend/src/routes/settings.test.ts
@@ -32,7 +32,7 @@ describe('settings routes', () => {
     expect(res.statusCode).toBe(200)
     const body = res.json()
     expect(body).toMatchObject({
-      bypass_permissions: 'true',
+      bypass_permissions: 'false',
       session_mode: 'terminal',
     })
   })
diff --git a/backend/src/routes/settings.ts b/backend/src/routes/settings.ts
index 4beffd3..a183a2f 100644
--- a/backend/src/routes/settings.ts
+++ b/backend/src/routes/settings.ts
@@ -2,7 +2,7 @@ import type { FastifyInstance } from 'fastify'
 import { db } from '../db/schema'
 
 const DEFAULTS: Record<string, string> = {
-  bypass_permissions: 'true',
+  bypass_permissions: 'false',
   session_mode: 'terminal',
 }
 
diff --git a/backend/src/server.ts b/backend/src/server.ts
index 91e68af..734de65 100644
--- a/backend/src/server.ts
+++ b/backend/src/server.ts
@@ -10,6 +10,7 @@ import { sessionRoutes } from './routes/sessions'
 import { sessionWsRoutes } from './ws/session'
 import { terminalWsRoutes } from './ws/terminal'
 import { settingsRoutes } from './routes/settings'
+import { initAccountCache } from './services/accountCache'
 
 // TODO: add bearer token auth — add @fastify/bearer-auth plugin here
 // and set token via DASHBOARD_TOKEN env var
@@ -18,15 +19,16 @@ import { settingsRoutes } from './routes/settings'
 const fastify = Fastify({ logger: true })
 
 async function start() {
-  const devOrigin = process.env.FRONTEND_ORIGIN
+  const PORT = Number(process.env.PORT ?? 9998)
+  const HOST = process.env.HOST ?? '0.0.0.0'
   await fastify.register(cors, {
     methods: ['GET', 'HEAD', 'PUT', 'PATCH', 'POST', 'DELETE'],
     origin: (origin, cb) => {
       if (!origin) return cb(null, true)                       // same-origin / curl / no-CORS
       try {
-        if (new URL(origin).port === '9999') return cb(null, true)
+        const { port } = new URL(origin)
+        if (port === '9999' || port === String(PORT)) return cb(null, true)
       } catch { /* ignore malformed */ }
-      if (devOrigin && origin === devOrigin) return cb(null, true)
       cb(new Error('Not allowed by CORS'), false)
     },
   })
@@ -57,15 +59,14 @@ async function start() {
     })
   }
 
-  const PORT = Number(process.env.PORT ?? 9998)
-  const HOST = process.env.HOST ?? '0.0.0.0'
-
   try {
     await fastify.listen({ port: PORT, host: HOST })
   } catch (err) {
     fastify.log.error(err)
     process.exit(1)
   }
+
+  initAccountCache().catch((err) => fastify.log.error(err))
 }
 
 start()
diff --git a/backend/src/services/accountCache.ts b/backend/src/services/accountCache.ts
new file mode 100644
index 0000000..d394b75
--- /dev/null
+++ b/backend/src/services/accountCache.ts
@@ -0,0 +1,17 @@
+import { getAccountInfo } from './claudeAccount'
+import type { AccountInfo } from './claudeAccount'
+
+const REFRESH_MS = 60_000
+
+let cached: AccountInfo | null = null
+
+export async function initAccountCache(): Promise<void> {
+  cached = await getAccountInfo()
+  setInterval(async () => {
+    cached = await getAccountInfo()
+  }, REFRESH_MS).unref()
+}
+
+export function getCachedAccount(): AccountInfo | null {
+  return cached
+}
diff --git a/backend/src/services/claudeAccount.ts b/backend/src/services/claudeAccount.ts
index 6afbdee..90f9c14 100644
--- a/backend/src/services/claudeAccount.ts
+++ b/backend/src/services/claudeAccount.ts
@@ -27,7 +27,11 @@ export async function getAccountInfo(): Promise<AccountInfo> {
     authStatus: 'unknown',
   }
 
-  const versionResult = await execFileNoThrow(claudeBin(), ['--version'])
+  const [versionResult, authResult] = await Promise.all([
+    execFileNoThrow(claudeBin(), ['--version']),
+    execFileNoThrow(claudeBin(), ['config', 'get', 'oauthToken']),
+  ])
+
   if (versionResult.status !== 0) return base
 
   base.claudeInstalled = true
@@ -42,7 +46,6 @@ export async function getAccountInfo(): Promise<AccountInfo> {
     // settings.json absent or malformed — model stays null
   }
 
-  const authResult = await execFileNoThrow(claudeBin(), ['config', 'get', 'oauthToken'])
   base.authStatus = authResult.status === 0 && authResult.stdout.trim().length > 0
     ? 'authenticated'
     : 'unauthenticated'
diff --git a/backend/src/utils/resolveBin.test.ts b/backend/src/utils/resolveBin.test.ts
new file mode 100644
index 0000000..57bcf05
--- /dev/null
+++ b/backend/src/utils/resolveBin.test.ts
@@ -0,0 +1,70 @@
+import { describe, it, expect, beforeEach, afterEach, vi } from 'vitest'
+
+const existsSyncMock = vi.hoisted(() => vi.fn<(p: string) => boolean>())
+
+vi.mock('fs', async (importOriginal) => {
+  const original = await importOriginal<typeof import('fs')>()
+  return { ...original, existsSync: existsSyncMock, default: { ...original, existsSync: existsSyncMock } }
+})
+
+const { resolveBin } = await import('./resolveBin')
+
+const originalPlatform = process.platform
+const originalPath = process.env.PATH
+const originalPathExt = process.env.PATHEXT
+
+function setPlatform(p: NodeJS.Platform): void {
+  Object.defineProperty(process, 'platform', { value: p, configurable: true })
+}
+
+describe('resolveBin', () => {
+  beforeEach(() => {
+    existsSyncMock.mockReset()
+  })
+
+  afterEach(() => {
+    Object.defineProperty(process, 'platform', { value: originalPlatform, configurable: true })
+    process.env.PATH = originalPath
+    process.env.PATHEXT = originalPathExt
+  })
+
+  it('returns input unchanged on POSIX', () => {
+    setPlatform('linux')
+    expect(resolveBin('claude')).toBe('claude')
+    expect(resolveBin('/usr/local/bin/claude')).toBe('/usr/local/bin/claude')
+    expect(existsSyncMock).not.toHaveBeenCalled()
+  })
+
+  it('on Windows, resolves a bare name to <dir>\\<name>.CMD when only .cmd exists', () => {
+    setPlatform('win32')
+    process.env.PATH = 'C:\\bin;C:\\other'
+    process.env.PATHEXT = '.COM;.EXE;.CMD'
+    existsSyncMock.mockImplementation((p) => p === 'C:\\bin\\claude.CMD')
+
+    expect(resolveBin('claude')).toBe('C:\\bin\\claude.CMD')
+  })
+
+  it('on Windows, falls back to input when nothing matches on PATH', () => {
+    setPlatform('win32')
+    process.env.PATH = 'C:\\bin'
+    process.env.PATHEXT = '.EXE;.CMD'
+    existsSyncMock.mockReturnValue(false)
+
+    expect(resolveBin('claude')).toBe('claude')
+  })
+
+  it('on Windows, an absolute path with an existing extension is returned as-is', () => {
+    setPlatform('win32')
+    existsSyncMock.mockImplementation((p) => p === 'C:\\tools\\claude.cmd')
+
+    expect(resolveBin('C:\\tools\\claude.cmd')).toBe('C:\\tools\\claude.cmd')
+  })
+
+  it('on Windows, an absolute path without extension gets PATHEXT appended', () => {
+    setPlatform('win32')
+    process.env.PATHEXT = '.EXE;.CMD'
+    existsSyncMock.mockImplementation((p) => p === 'C:\\tools\\claude.CMD')
+
+    expect(resolveBin('C:\\tools\\claude')).toBe('C:\\tools\\claude.CMD')
+  })
+})
diff --git a/backend/src/utils/resolveBin.ts b/backend/src/utils/resolveBin.ts
new file mode 100644
index 0000000..c61b6bf
--- /dev/null
+++ b/backend/src/utils/resolveBin.ts
@@ -0,0 +1,39 @@
+import * as fs from 'fs'
+import * as path from 'path'
+
+// node-pty on Windows uses CreateProcessW, which does not honor PATHEXT.
+// Spawning a bare name like "claude" fails with "File not found: claude"
+// even though `claude.cmd` is on PATH. Resolve PATH + PATHEXT explicitly here.
+// On POSIX this is a no-op — node-pty's own PATH search works fine there.
+export function resolveBin(bin: string): string {
+  if (process.platform !== 'win32') return bin
+
+  const exts = (process.env.PATHEXT ?? '.COM;.EXE;.BAT;.CMD')
+    .split(';')
+    .map((e) => e.trim())
+    .filter(Boolean)
+
+  if (path.win32.isAbsolute(bin)) {
+    if (path.win32.extname(bin) && fs.existsSync(bin)) return bin
+    for (const ext of exts) {
+      const candidate = bin + ext
+      if (fs.existsSync(candidate)) return candidate
+    }
+    return bin
+  }
+
+  const dirs = (process.env.PATH ?? '').split(';').filter(Boolean)
+  const hasExt = !!path.win32.extname(bin)
+  for (const dir of dirs) {
+    if (hasExt) {
+      const candidate = path.win32.join(dir, bin)
+      if (fs.existsSync(candidate)) return candidate
+    } else {
+      for (const ext of exts) {
+        const candidate = path.win32.join(dir, bin + ext)
+        if (fs.existsSync(candidate)) return candidate
+      }
+    }
+  }
+  return bin
+}
diff --git a/backend/src/ws/session.ts b/backend/src/ws/session.ts
index 159026c..574e917 100644
--- a/backend/src/ws/session.ts
+++ b/backend/src/ws/session.ts
@@ -4,6 +4,7 @@ import * as path from 'path'
 import type { WebSocket } from 'ws'
 import type { FastifyInstance } from 'fastify'
 import { db } from '../db/schema'
+import { resolveBin } from '../utils/resolveBin'
 
 const IDLE_TIMEOUT_MS = 30 * 60 * 1000
 
@@ -128,7 +129,7 @@ class ActiveSession {
       ).run(this.id, 'user', text, Date.now())
     }
 
-    const claudeBin = process.env.CLAUDE_BIN ?? 'claude'
+    const claudeBin = resolveBin(process.env.CLAUDE_BIN?.trim() || 'claude')
     const bypassPermissions = getBypassPermissions()
 
     // --print + -p: non-interactive print mode with the prompt passed as a CLI
diff --git a/backend/src/ws/terminal.ts b/backend/src/ws/terminal.ts
index d118468..a68139a 100644
--- a/backend/src/ws/terminal.ts
+++ b/backend/src/ws/terminal.ts
@@ -4,6 +4,7 @@ import * as path from 'path'
 import type { WebSocket } from 'ws'
 import type { FastifyInstance } from 'fastify'
 import { db } from '../db/schema'
+import { resolveBin } from '../utils/resolveBin'
 
 const IDLE_TIMEOUT_MS = 30 * 60 * 1000
 
@@ -52,7 +53,7 @@ class ActiveTerminalSession {
   }
 
   private spawnPty(cols: number, rows: number) {
-    const claudeBin = process.env.CLAUDE_BIN ?? 'claude'
+    const claudeBin = resolveBin(process.env.CLAUDE_BIN?.trim() || 'claude')
     const bypassPermissions = getBypassPermissions()
     const args: string[] = []
     if (bypassPermissions) args.push('--dangerously-skip-permissions')
diff --git a/frontend/src/App.tsx b/frontend/src/App.tsx
index 262f6c3..d544e3d 100644
--- a/frontend/src/App.tsx
+++ b/frontend/src/App.tsx
@@ -1,16 +1,19 @@
-import { HashRouter, Routes, Route, Navigate } from 'react-router-dom'
+import { BrowserRouter, Routes, Route, Navigate } from 'react-router-dom'
 import DashboardView from './views/DashboardView'
+import SessionRoute from './views/SessionRoute'
 import SettingsView from './views/SettingsView'
 import { SessionProvider } from './context/SessionContext'
 
 export default function App() {
   return (
-    <HashRouter>
+    <BrowserRouter>
       <SessionProvider>
         <div className="flex h-screen bg-bg-base text-text-primary overflow-hidden font-mono">
           <main className="flex-1 overflow-hidden flex flex-col">
             <Routes>
               <Route path="/" element={<DashboardView />} />
+              <Route path="/session/:sessionId" element={<SessionRoute />} />
+              <Route path="/new" element={<Navigate to="/" state={{ openModal: true }} replace />} />
               <Route path="/settings" element={<SettingsView />} />
               <Route path="/account" element={<Navigate to="/" replace />} />
               <Route path="/usage" element={<Navigate to="/" replace />} />
@@ -19,6 +22,6 @@ export default function App() {
           </main>
         </div>
       </SessionProvider>
-    </HashRouter>
+    </BrowserRouter>
   )
 }
diff --git a/frontend/src/components/SessionHeader.tsx b/frontend/src/components/SessionHeader.tsx
index c03ad1e..6737a1d 100644
--- a/frontend/src/components/SessionHeader.tsx
+++ b/frontend/src/components/SessionHeader.tsx
@@ -1,5 +1,6 @@
 import { useState, useEffect } from 'react'
 import { Plus, List, Square, Pencil } from 'lucide-react'
+import { Link } from 'react-router-dom'
 import { useSession } from '../context/SessionContext'
 import { formatModelName, formatTokens, formatDuration } from '../utils/format'
 
@@ -164,13 +165,14 @@ export default function SessionHeader({
       </div>
 
       <div className="flex items-center gap-2 ml-auto">
-        <button
-          onClick={onNewSession}
+        <Link
+          to="/new"
+          onClick={(e) => { e.preventDefault(); onNewSession() }}
           className="flex items-center gap-1.5 text-text-muted hover:text-accent text-xs bg-bg-elevated border border-border-subtle hover:border-accent px-2 py-1 rounded transition-colors"
         >
           <Plus size={11} />
           New session
-        </button>
+        </Link>
         <button
           onClick={onStopSession}
           className="flex items-center gap-1.5 text-text-muted hover:text-status-red text-xs bg-bg-elevated border border-border-subtle hover:border-status-red px-2 py-1 rounded transition-colors"
diff --git a/frontend/src/components/SessionList.tsx b/frontend/src/components/SessionList.tsx
index 792638a..8f74457 100644
--- a/frontend/src/components/SessionList.tsx
+++ b/frontend/src/components/SessionList.tsx
@@ -1,10 +1,10 @@
 import { Plus, Play, Square, Trash2 } from 'lucide-react'
+import { Link } from 'react-router-dom'
 import type { Session } from '../hooks/useDashboard'
 import { formatRelativeTime, lastSegment } from '../utils/format'
 
 interface SessionListProps {
   sessions: Session[]
-  onResume: (session: Session) => void
   onStop: (sessionId: string) => void
   onDelete: (sessionId: string) => void
   onNewSession: () => void
@@ -17,7 +17,6 @@ async function deleteSession(sessionId: string): Promise<void> {
 
 export default function SessionList({
   sessions,
-  onResume,
   onStop,
   onDelete,
   onNewSession,
@@ -37,13 +36,14 @@ export default function SessionList({
       {/* Header */}
       <div className="px-4 py-2.5 border-b border-border-subtle bg-bg-surface flex items-center justify-between flex-shrink-0">
         <span className="text-text-muted text-xs uppercase tracking-widest">Sessions</span>
-        <button
-          onClick={onNewSession}
+        <Link
+          to="/new"
+          onClick={(e) => { e.preventDefault(); onNewSession() }}
           className="flex items-center gap-1.5 px-3 py-1.5 text-xs bg-accent text-black hover:bg-accent-hover rounded transition-colors"
         >
           <Plus size={11} />
           New Session
-        </button>
+        </Link>
       </div>
 
       {/* Session rows */}
@@ -51,13 +51,14 @@ export default function SessionList({
         {sessions.length === 0 ? (
           <div className="flex flex-col items-center justify-center h-full gap-4 p-6">
             <p className="text-text-muted text-sm">No sessions yet</p>
-            <button
-              onClick={onNewSession}
+            <Link
+              to="/new"
+              onClick={(e) => { e.preventDefault(); onNewSession() }}
               className="flex items-center gap-2 px-4 py-2 text-sm bg-accent text-black hover:bg-accent-hover rounded transition-colors"
             >
               <Plus size={14} />
               Start New Session
-            </button>
+            </Link>
           </div>
         ) : (
           sessions.map((session) => (
@@ -92,13 +93,14 @@ export default function SessionList({
 
               {/* Right: actions */}
               <div className="flex items-center gap-1.5 flex-shrink-0">
-                <button
-                  onClick={() => onResume(session)}
+                <Link
+                  to={`/session/${session.id}`}
+                  state={{ session }}
                   title={session.is_active ? 'Reconnect' : 'Resume'}
                   className="flex items-center justify-center px-2.5 py-1.5 text-xs border border-accent text-accent hover:bg-accent hover:text-black rounded transition-colors"
                 >
                   <Play size={11} />
-                </button>
+                </Link>
                 <button
                   onClick={() => onStop(session.id)}
                   disabled={!session.is_active}
diff --git a/frontend/src/components/TerminalSession.tsx b/frontend/src/components/TerminalSession.tsx
index 1ded0e8..69cb017 100644
--- a/frontend/src/components/TerminalSession.tsx
+++ b/frontend/src/components/TerminalSession.tsx
@@ -12,7 +12,16 @@ export default function TerminalSession() {
   const fitRef = useRef<FitAddon | null>(null)
   const lastSessionIdRef = useRef<string | null>(null)
 
+  // Output arriving while history is being replayed is buffered here and flushed
+  // after the replay write completes, preserving correct ordering.
+  const pendingOutputRef = useRef<string[]>([])
+  const replayingRef = useRef(false)
+
   const onOutput = useCallback((data: string) => {
+    if (replayingRef.current) {
+      pendingOutputRef.current.push(data)
+      return
+    }
     termRef.current?.write(data)
   }, [])
 
@@ -30,12 +39,28 @@ export default function TerminalSession() {
     })
   }, [])
 
-  // Replay scrollback from the backend on reconnect (covers page refresh).
-  // Clears first so history isn't duplicated on top of live content from CSS-toggle sessions.
+  // Replay scrollback from the backend on reconnect.
+  // write() is async (goes through xterm's write queue via setTimeout). reset() is
+  // synchronous — it resets parser state but does NOT flush or clear the pending write
+  // queue. Any onOutput writes already queued would therefore be processed BEFORE the
+  // history write, producing partial/garbled display.
+  // Fix: write('', callback) to drain the queue first, then reset + write history.
+  // Output that arrives from the new connection during this async wait is buffered and
+  // flushed after the history write completes.
   const onHistory = useCallback((data: string) => {
-    if (!termRef.current) return
-    termRef.current.clear()
-    termRef.current.write(data)
+    const term = termRef.current
+    if (!term) return
+    replayingRef.current = true
+    pendingOutputRef.current = []
+    term.write('', () => {
+      term.reset()
+      term.write(data, () => {
+        replayingRef.current = false
+        const pending = pendingOutputRef.current
+        pendingOutputRef.current = []
+        for (const chunk of pending) term.write(chunk)
+      })
+    })
   }, [])
 
   const { send } = useTerminalSession(onOutput, onConnect, onHistory)
@@ -69,12 +94,12 @@ export default function TerminalSession() {
     return () => term.dispose()
   }, []) // eslint-disable-line react-hooks/exhaustive-deps
 
-  // Clear xterm when switching to a different session so stale output isn't shown.
-  // Navigating to the sessions list and back to the SAME session skips the clear.
+  // Reset xterm when switching to a different session so stale VT state isn't carried over.
+  // Navigating to the sessions list and back to the SAME session skips the reset.
   useEffect(() => {
     if (!state.sessionId) return
     if (lastSessionIdRef.current !== null && lastSessionIdRef.current !== state.sessionId) {
-      termRef.current?.clear()
+      termRef.current?.reset()
     }
     lastSessionIdRef.current = state.sessionId
   }, [state.sessionId])
diff --git a/frontend/src/hooks/useDashboard.ts b/frontend/src/hooks/useDashboard.ts
index 0d098a3..6f919f5 100644
--- a/frontend/src/hooks/useDashboard.ts
+++ b/frontend/src/hooks/useDashboard.ts
@@ -38,15 +38,14 @@ export function useDashboard(month?: string): DashboardData & { refresh: () => v
     setLoading(true)
     setError(null)
 
+    // Fast group: account (cached), sessions, settings — unblocks the UI immediately.
     Promise.all([
       fetch('/api/account').then((r) => r.json() as Promise<AccountInfo>),
-      fetch(`/api/usage?month=${target}`).then((r) => r.json() as Promise<UsageData>),
       fetch('/api/sessions').then((r) => r.json() as Promise<Session[]>),
       fetch('/api/settings').then((r) => r.json() as Promise<Record<string, string>>),
     ])
-      .then(([acc, usg, sess, settings]) => {
+      .then(([acc, sess, settings]) => {
         setAccount(acc)
-        setUsage(usg)
         setSessions(Array.isArray(sess) ? sess : [])
         setDefaultSessionMode(settings.session_mode === 'terminal' ? 'terminal' : 'chat')
         setLoading(false)
@@ -55,6 +54,12 @@ export function useDashboard(month?: string): DashboardData & { refresh: () => v
         setError(e.message)
         setLoading(false)
       })
+
+    // Slow group: usage (file I/O + optional network) fills in independently.
+    fetch(`/api/usage?month=${target}`)
+      .then((r) => r.json() as Promise<UsageData>)
+      .then(setUsage)
+      .catch(() => {})
   }, [target])
 
   useEffect(() => {
diff --git a/frontend/src/hooks/useTerminalSession.ts b/frontend/src/hooks/useTerminalSession.ts
index cd674e4..ce445f7 100644
--- a/frontend/src/hooks/useTerminalSession.ts
+++ b/frontend/src/hooks/useTerminalSession.ts
@@ -55,7 +55,7 @@ export function useTerminalSession(onOutput: (data: string) => void, onConnect?:
         if (attemptsRef.current < MAX_RECONNECT_ATTEMPTS) {
           const delay = BASE_DELAY_MS * 2 ** attemptsRef.current
           attemptsRef.current++
-          setTimeout(connect, delay)
+          setTimeout(() => { if (!closed) connect() }, delay)
         } else {
           dispatch({ type: 'WS_STATE', timestamp: Date.now(), state: 'disconnected' })
           setTimeout(() => {
@@ -69,8 +69,14 @@ export function useTerminalSession(onOutput: (data: string) => void, onConnect?:
     return () => {
       closed = true
       attemptsRef.current = 0
-      wsRef.current?.close()
+      const ws = wsRef.current
       wsRef.current = null
+      if (ws) {
+        ws.onmessage = null
+        ws.onerror = null
+        ws.onclose = null
+        ws.close()
+      }
     }
   }, [state.sessionId, state.mode]) // eslint-disable-line react-hooks/exhaustive-deps
 
diff --git a/frontend/src/views/DashboardView.tsx b/frontend/src/views/DashboardView.tsx
index 89939ab..2063564 100644
--- a/frontend/src/views/DashboardView.tsx
+++ b/frontend/src/views/DashboardView.tsx
@@ -1,9 +1,9 @@
 import { useState, useRef, useCallback, useEffect } from 'react'
+import { useLocation, useNavigate } from 'react-router-dom'
 import { ChevronDown, ChevronUp } from 'lucide-react'
 import { useSession } from '../context/SessionContext'
 import { useWebSocket } from '../hooks/useWebSocket'
-import { useDashboard } from '../hooks/useDashboard'
-import type { Session } from '../hooks/useDashboard'
+import { useDashboard, type Session } from '../hooks/useDashboard'
 import StatsStrip from '../components/StatsStrip'
 import SessionList from '../components/SessionList'
 import SessionHeader from '../components/SessionHeader'
@@ -17,8 +17,10 @@ import TerminalSession from '../components/TerminalSession'
 
 export default function DashboardView() {
   const { state, dispatch } = useSession()
+  const location = useLocation()
+  const navigate = useNavigate()
   const terminalRef = useRef<TerminalDrawerHandle>(null)
-  const [showModal, setShowModal] = useState(false)
+  const [showModal, setShowModal] = useState(location.state?.openModal === true)
   const [chartOpen, setChartOpen] = useState(false)
 
   const { account, usage, sessions, activeSessions, defaultSessionMode, loading, refresh } = useDashboard()
@@ -58,6 +60,7 @@ export default function DashboardView() {
     if (account?.model) dispatch({ type: 'MODEL_SET', model: account.model })
     setShowModal(false)
     refresh()
+    navigate(`/session/${sessionId}`)
   }
 
   function handleNewSession() {
@@ -65,12 +68,12 @@ export default function DashboardView() {
       fetch(`/api/sessions/${state.sessionId}/stop`, { method: 'POST' }).catch(() => {})
     }
     dispatch({ type: 'SESSION_CLEARED' })
-    setShowModal(true)
+    navigate('/new')
   }
 
   function handleSessionsList() {
-    // Detach from the session (PTY keeps running on backend; user can reconnect from the list)
     dispatch({ type: 'SESSION_CLEARED' })
+    navigate('/')
   }
 
   function handleStopSession() {
@@ -79,6 +82,7 @@ export default function DashboardView() {
     }
     dispatch({ type: 'SESSION_CLEARED' })
     refresh()
+    navigate('/')
   }
 
   function handleStopListSession(sessionId: string) {
@@ -96,11 +100,6 @@ export default function DashboardView() {
     send({ type: 'chat', data: text + '\n' })
   }
 
-  function handleResume(session: Session) {
-    dispatch({ type: 'RESUME_SESSION', id: session.id, workdir: session.workdir, mode: session.mode, ...(session.name ? { name: session.name } : {}) })
-    if (account?.model) dispatch({ type: 'MODEL_SET', model: account.model })
-  }
-
   async function handleRenameSession(name: string) {
     if (!state.sessionId) return
     const res = await fetch(`/api/sessions/${state.sessionId}`, {
@@ -217,7 +216,6 @@ export default function DashboardView() {
         ) : (
           <SessionList
             sessions={displaySessions}
-            onResume={handleResume}
             onStop={handleStopListSession}
             onDelete={handleDelete}
             onNewSession={() => setShowModal(true)}
diff --git a/frontend/src/views/SessionRoute.tsx b/frontend/src/views/SessionRoute.tsx
new file mode 100644
index 0000000..26502ec
--- /dev/null
+++ b/frontend/src/views/SessionRoute.tsx
@@ -0,0 +1,79 @@
+import { useEffect, useState } from 'react'
+import { useParams, Navigate, useLocation, useNavigate } from 'react-router-dom'
+import { useSession } from '../context/SessionContext'
+import DashboardView from './DashboardView'
+import type { Session } from '../hooks/useDashboard'
+
+export default function SessionRoute() {
+  const { sessionId } = useParams<{ sessionId: string }>()
+  const { state, dispatch } = useSession()
+  const location = useLocation()
+  const navigate = useNavigate()
+  // Skip loading state if the session is already in context (e.g. right after SESSION_CREATED).
+  const [loading, setLoading] = useState(state.sessionId !== sessionId)
+  const [error, setError] = useState(false)
+
+  useEffect(() => {
+    if (!sessionId) return
+
+    // Already in context — nothing to fetch.
+    if (state.sessionId === sessionId) {
+      setLoading(false)
+      return
+    }
+
+    // Fast path: session row passed via Link state (Reconnect button in SessionList).
+    const linked = location.state?.session as Session | undefined
+    if (linked?.id === sessionId) {
+      dispatch({ type: 'RESUME_SESSION', id: linked.id, workdir: linked.workdir, mode: linked.mode, ...(linked.name ? { name: linked.name } : {}) })
+      fetchAndSetModel()
+      setLoading(false)
+      return
+    }
+
+    // Slow path: new tab or direct URL — fetch session + account from API.
+    Promise.all([
+      fetch(`/api/sessions/${sessionId}`).then((r) => (r.ok ? r.json() as Promise<Session> : Promise.reject())),
+      fetch('/api/account').then((r) => (r.ok ? r.json() : null)).catch(() => null),
+    ])
+      .then(([session, account]) => {
+        dispatch({ type: 'RESUME_SESSION', id: session.id, workdir: session.workdir, mode: session.mode, ...(session.name ? { name: session.name } : {}) })
+        if (account?.model) dispatch({ type: 'MODEL_SET', model: account.model })
+        setLoading(false)
+      })
+      .catch(() => setError(true))
+  }, [sessionId]) // eslint-disable-line react-hooks/exhaustive-deps
+
+  // Keep URL and context in sync: clear session state whenever this route unmounts.
+  // This handles browser Back/Forward navigation, which bypasses the explicit navigate()
+  // calls in the session handlers and would otherwise leave a stale sessionId in context,
+  // causing DashboardView at "/" to render the session view instead of the session list.
+  useEffect(() => {
+    return () => { dispatch({ type: 'SESSION_CLEARED' }) }
+  }, [dispatch])
+
+  // Safety net: if session is cleared while mounted (e.g. an explicit navigate call already
+  // fired — this effect just cleans up any edge case where it didn't).
+  useEffect(() => {
+    if (!loading && !state.sessionId) navigate('/', { replace: true })
+  }, [loading, state.sessionId, navigate])
+
+  function fetchAndSetModel() {
+    fetch('/api/account')
+      .then((r) => (r.ok ? r.json() : null))
+      .then((account: { model?: string } | null) => { if (account?.model) dispatch({ type: 'MODEL_SET', model: account.model }) })
+      .catch(() => {})
+  }
+
+  if (error) return <Navigate to="/" replace />
+
+  if (loading) {
+    return (
+      <div className="flex-1 flex items-center justify-center text-text-dim text-sm">
+        Loading session…
+      </div>
+    )
+  }
+
+  return <DashboardView />
+}
diff --git a/run.sh b/run.sh
index 51d4d76..02a392c 100755
--- a/run.sh
+++ b/run.sh
@@ -3,10 +3,6 @@ set -euo pipefail
 
 ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 
-# Fedora / RHEL: include system CA bundle so Anthropic API calls succeed
-CA_BUNDLE="/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
-[[ -f "$CA_BUNDLE" ]] && export NODE_EXTRA_CA_CERTS="$CA_BUNDLE"
-
 # Bootstrap .env on first run
 if [[ ! -f "$ROOT_DIR/backend/.env" ]]; then
   echo "backend/.env not found — copying from .env.example"
diff --git a/scripts/test-service-install.sh b/scripts/test-service-install.sh
index 2915c23..1deacab 100755
--- a/scripts/test-service-install.sh
+++ b/scripts/test-service-install.sh
@@ -58,7 +58,6 @@ cat > "$TMPDIR/.env" <<'DOT_ENV'
 ANTHROPIC_API_KEY=test-key-abc
 CLAUDE_BIN=/home/user/.local/bin/claude
 PORT=8888
-FRONTEND_ORIGIN=http://localhost:9999
 DOT_ENV
 
 read_env_var() {
@@ -82,7 +81,6 @@ ENV=$(cat "$TMPDIR/test.env")
 assert_contains     "ANTHROPIC_API_KEY written"  "ANTHROPIC_API_KEY=test-key-abc"              "$ENV"
 assert_contains     "CLAUDE_BIN written"         "CLAUDE_BIN=/home/user/.local/bin/claude"     "$ENV"
 assert_contains     "PORT written"               "PORT=8888"                                   "$ENV"
-assert_not_contains "FRONTEND_ORIGIN excluded"   "FRONTEND_ORIGIN"                             "$ENV"
 
 echo ""
 echo "=== Env file defaults (no .env) ==="