diff --git a/build/darwin/Taskfile.yml b/build/darwin/Taskfile.yml
index 6f21428..9ed3798 100644
--- a/build/darwin/Taskfile.yml
+++ b/build/darwin/Taskfile.yml
@@ -165,6 +165,7 @@ tasks:
       - cp build/darwin/icons.icns {{.BIN_DIR}}/{{.APP_NAME}}.dev.app/Contents/Resources
       - cp {{.BIN_DIR}}/{{.APP_NAME}} {{.BIN_DIR}}/{{.APP_NAME}}.dev.app/Contents/MacOS
       - cp build/darwin/Info.dev.plist {{.BIN_DIR}}/{{.APP_NAME}}.dev.app/Contents/Info.plist
+      - rm -f {{.BIN_DIR}}/{{.APP_NAME}}.dev.app/Contents/MacOS/*.cstemp
       - codesign --force --deep --sign - {{.BIN_DIR}}/{{.APP_NAME}}.dev.app
       - "{{.BIN_DIR}}/{{.APP_NAME}}.dev.app/Contents/MacOS/{{.APP_NAME}}"
 
diff --git a/cmd/serve/serve.go b/cmd/serve/serve.go
index 067e0d4..8eca76f 100644
--- a/cmd/serve/serve.go
+++ b/cmd/serve/serve.go
@@ -84,13 +84,98 @@ var Command = &cli.Command{
 		mux.HandleFunc(webhookPath, api.NewPolarWebhookHandler(apiService))
 		slog.Info("serving polar webhook handler", "path", webhookPath)
 
-		// Gemini API proxy endpoint
+		geminiProxyConfig := llmProxyConfig{
+			Provider:   "gemini",
+			BaseURL:    "https://generativelanguage.googleapis.com",
+			PathPrefix: "/api/v1/gemini",
+			SetupRequest: func(_ *http.Request, targetURL *url.URL, _ *http.Request) error {
+				apiKey := os.Getenv("GEMINI_API_KEY")
+				if apiKey == "" {
+					return fmt.Errorf("missing GEMINI_API_KEY")
+				}
+
+				query := targetURL.Query()
+				query.Set("key", apiKey)
+				targetURL.RawQuery = query.Encode()
+				return nil
+			},
+			ExtractUsage: extractGeminiUsageMetadata,
+		}
+
+		openAIProxyConfig := llmProxyConfig{
+			Provider:   "openai",
+			BaseURL:    "https://api.openai.com",
+			PathPrefix: "/api/v1/openai",
+			SetupRequest: func(_ *http.Request, _ *url.URL, proxyReq *http.Request) error {
+				apiKey := os.Getenv("OPENAI_API_KEY")
+				if apiKey == "" {
+					return fmt.Errorf("missing OPENAI_API_KEY")
+				}
+
+				proxyReq.Header.Set("Authorization", "Bearer "+apiKey)
+				return nil
+			},
+			ExtractUsage: extractOpenAIUsageMetadata,
+		}
+
+		anthropicProxyConfig := llmProxyConfig{
+			Provider:   "anthropic",
+			BaseURL:    "https://api.anthropic.com",
+			PathPrefix: "/api/v1/anthropic",
+			SetupRequest: func(_ *http.Request, _ *url.URL, proxyReq *http.Request) error {
+				apiKey := os.Getenv("ANTHROPIC_API_KEY")
+				if apiKey == "" {
+					return fmt.Errorf("missing ANTHROPIC_API_KEY")
+				}
+
+				version := os.Getenv("ANTHROPIC_VERSION")
+				if version == "" {
+					version = "2023-06-01"
+				}
+
+				proxyReq.Header.Set("x-api-key", apiKey)
+				proxyReq.Header.Set("anthropic-version", version)
+				if proxyReq.Header.Get("Content-Type") == "" {
+					proxyReq.Header.Set("Content-Type", "application/json")
+				}
+				return nil
+			},
+			ExtractUsage: extractAnthropicUsageMetadata,
+		}
+
+		grokProxyConfig := llmProxyConfig{
+			Provider:   "grok",
+			BaseURL:    "https://api.x.ai",
+			PathPrefix: "/api/v1/grok",
+			SetupRequest: func(_ *http.Request, _ *url.URL, proxyReq *http.Request) error {
+				apiKey := os.Getenv("GROK_API_KEY")
+				if apiKey == "" {
+					return fmt.Errorf("missing GROK_API_KEY")
+				}
+
+				proxyReq.Header.Set("Authorization", "Bearer "+apiKey)
+				return nil
+			},
+			ExtractUsage: extractGrokUsageMetadata,
+		}
+
+		// LLM API proxy endpoints
 		geminiProxyPath := "/api/v1/gemini/"
-		mux.HandleFunc(geminiProxyPath, func(w http.ResponseWriter, r *http.Request) {
-			geminiProxyHandler(w, r, gormDB)
-		})
+		mux.HandleFunc(geminiProxyPath, newLLMProxyHandler(gormDB, geminiProxyConfig))
 		slog.Info("serving gemini proxy handler", "path", geminiProxyPath)
 
+		openAIProxyPath := "/api/v1/openai/"
+		mux.HandleFunc(openAIProxyPath, newLLMProxyHandler(gormDB, openAIProxyConfig))
+		slog.Info("serving openai proxy handler", "path", openAIProxyPath)
+
+		anthropicProxyPath := "/api/v1/anthropic/"
+		mux.HandleFunc(anthropicProxyPath, newLLMProxyHandler(gormDB, anthropicProxyConfig))
+		slog.Info("serving anthropic proxy handler", "path", anthropicProxyPath)
+
+		grokProxyPath := "/api/v1/grok/"
+		mux.HandleFunc(grokProxyPath, newLLMProxyHandler(gormDB, grokProxyConfig))
+		slog.Info("serving grok proxy handler", "path", grokProxyPath)
+
 		slog.Info("serving rpc handler for api v1 service", "path", apiPath)
 
 		h2Handler := h2c.NewHandler(mux, &http2.Server{})
@@ -153,152 +238,172 @@ func setupDatabase(url, token string) (*gorm.DB, error) {
 
 // geminiProxyHandler proxies requests to Google's Generative Language API
 // Requests to /api/v1/gemini/* are forwarded to https://generativelanguage.googleapis.com/*
-func geminiProxyHandler(w http.ResponseWriter, r *http.Request, db *gorm.DB) {
-	const geminiBaseURL = "https://generativelanguage.googleapis.com"
-
-	// Fast-fail: Authenticate
-	authHeader := r.Header.Get("Authorization")
-	token := strings.TrimSpace(strings.TrimPrefix(authHeader, "Bearer "))
-	if token == "" {
-		http.Error(w, "Unauthorized: missing token", http.StatusUnauthorized)
-		return
-	}
+type llmProxyConfig struct {
+	Provider     string
+	BaseURL      string
+	PathPrefix   string
+	SetupRequest func(incomingReq *http.Request, targetURL *url.URL, proxyReq *http.Request) error
+	ExtractUsage func(body []byte) (input int, output int, total int)
+}
 
-	claims, err := api.ValidateToken(token)
-	if err != nil {
-		http.Error(w, "Unauthorized: invalid token", http.StatusUnauthorized)
-		return
-	}
+// newLLMProxyHandler proxies requests to a configured upstream LLM provider.
+func newLLMProxyHandler(db *gorm.DB, config llmProxyConfig) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
 
-	// Rate Limiting
-	var requestCount int64
-	todayUnix := time.Now().Add(-24 * time.Hour).Unix()
-	if err := db.Model(&api.LLMProxyUsage{}).Where("user_id = ? AND created_at >= ?", claims.UserID, todayUnix).Count(&requestCount).Error; err != nil {
-		slog.Error("failed to query proxy usage count", "error", err)
-		http.Error(w, "Internal Server Error", http.StatusInternalServerError)
-		return
-	}
+		// Fast-fail: Authenticate
+		authHeader := r.Header.Get("Authorization")
+		token := strings.TrimSpace(strings.TrimPrefix(authHeader, "Bearer "))
+		if token == "" {
+			http.Error(w, "Unauthorized: missing token", http.StatusUnauthorized)
+			return
+		}
 
-	if requestCount >= 5000 {
-		slog.Warn("user exceeded daily proxy limit", "user_id", claims.UserID)
-		http.Error(w, "Too Many Requests", http.StatusTooManyRequests)
-		return
-	}
+		claims, err := api.ValidateToken(token)
+		if err != nil {
+			http.Error(w, "Unauthorized: invalid token", http.StatusUnauthorized)
+			return
+		}
 
-	// Strip the proxy prefix to get the target path
-	targetPath := strings.TrimPrefix(r.URL.Path, "/api/v1/gemini")
-	if targetPath == "" {
-		targetPath = "/"
-	}
+		// Rate Limiting
+		var requestCount int64
+		todayUnix := time.Now().Add(-24 * time.Hour).Unix()
+		if err := db.Model(&api.LLMProxyUsage{}).Where("user_id = ? AND created_at >= ?", claims.UserID, todayUnix).Count(&requestCount).Error; err != nil {
+			slog.Error("failed to query proxy usage count", "error", err)
+			http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+			return
+		}
 
-	// Build the target URL
-	targetURL, err := url.Parse(geminiBaseURL + targetPath)
-	if err != nil {
-		slog.Error("failed to parse target URL", "error", err)
-		http.Error(w, "Internal Server Error", http.StatusInternalServerError)
-		return
-	}
+		if requestCount >= 5000 {
+			slog.Warn("user exceeded daily proxy limit", "user_id", claims.UserID)
+			http.Error(w, "Too Many Requests", http.StatusTooManyRequests)
+			return
+		}
 
-	// Preserve query parameters and append API key
-	query := targetURL.Query()
-	if r.URL.RawQuery != "" {
-		query, _ = url.ParseQuery(r.URL.RawQuery)
-	}
-	query.Set("key", os.Getenv("GEMINI_API_KEY"))
-	targetURL.RawQuery = query.Encode()
+		// Strip the proxy prefix to get the target path
+		targetPath := strings.TrimPrefix(r.URL.Path, config.PathPrefix)
+		if targetPath == "" {
+			targetPath = "/"
+		}
+		if !strings.HasPrefix(targetPath, "/") {
+			targetPath = "/" + targetPath
+		}
 
-	slog.Info("proxying request to Gemini API", "method", r.Method, "target", targetURL.String())
+		// Build the target URL
+		targetURL, err := url.Parse(config.BaseURL + targetPath)
+		if err != nil {
+			slog.Error("failed to parse target URL", "error", err)
+			http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+			return
+		}
 
-	// Create the proxy request
-	// Create the proxy request using a detached context so the upstream request
-	// to Google isn't canceled if the client disconnects mid-flight.
-	proxyReq, err := http.NewRequestWithContext(context.WithoutCancel(r.Context()), r.Method, targetURL.String(), r.Body)
-	if err != nil {
-		slog.Error("failed to create proxy request", "error", err)
-		http.Error(w, "Internal Server Error", http.StatusInternalServerError)
-		return
-	}
+		// Preserve query parameters
+		targetURL.RawQuery = r.URL.RawQuery
 
-	// Copy headers from original request
-	for key, values := range r.Header {
-		for _, value := range values {
-			proxyReq.Header.Add(key, value)
+		slog.Info("proxying request to LLM API", "provider", config.Provider, "method", r.Method, "target", targetURL.String())
+
+		// Create the proxy request
+		// Create the proxy request using a detached context so the upstream request
+		// to Google isn't canceled if the client disconnects mid-flight.
+		proxyReq, err := http.NewRequestWithContext(context.WithoutCancel(r.Context()), r.Method, targetURL.String(), r.Body)
+		if err != nil {
+			slog.Error("failed to create proxy request", "error", err)
+			http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+			return
 		}
-	}
 
-	// Remove hop-by-hop headers
-	proxyReq.Header.Del("Connection")
-	proxyReq.Header.Del("Keep-Alive")
-	proxyReq.Header.Del("Proxy-Authenticate")
-	proxyReq.Header.Del("Proxy-Authorization")
-	proxyReq.Header.Del("Te")
-	proxyReq.Header.Del("Trailers")
-	proxyReq.Header.Del("Transfer-Encoding")
-	proxyReq.Header.Del("Upgrade")
-	proxyReq.Header.Del("Authorization")
-
-	// Execute the proxy request
-	client := &http.Client{Timeout: 120 * time.Second}
-	resp, err := client.Do(proxyReq)
-	if err != nil {
-		slog.Error("failed to execute proxy request", "error", err)
-		http.Error(w, "Bad Gateway", http.StatusBadGateway)
-		return
-	}
-	defer resp.Body.Close()
+		// Copy headers from original request
+		for key, values := range r.Header {
+			for _, value := range values {
+				proxyReq.Header.Add(key, value)
+			}
+		}
 
-	// Copy response headers
-	for key, values := range resp.Header {
-		for _, value := range values {
-			w.Header().Add(key, value)
+		// Remove hop-by-hop headers
+		proxyReq.Header.Del("Connection")
+		proxyReq.Header.Del("Keep-Alive")
+		proxyReq.Header.Del("Proxy-Authenticate")
+		proxyReq.Header.Del("Proxy-Authorization")
+		proxyReq.Header.Del("Te")
+		proxyReq.Header.Del("Trailers")
+		proxyReq.Header.Del("Transfer-Encoding")
+		proxyReq.Header.Del("Upgrade")
+		proxyReq.Header.Del("Authorization")
+
+		if config.SetupRequest != nil {
+			if err := config.SetupRequest(r, targetURL, proxyReq); err != nil {
+				slog.Error("failed to setup provider request", "provider", config.Provider, "error", err)
+				http.Error(w, "Bad Gateway", http.StatusBadGateway)
+				return
+			}
+			proxyReq.URL = targetURL
 		}
-	}
 
-	// Copy the response body
-	capturedBody, err := io.ReadAll(resp.Body)
-	if err != nil {
-		slog.Error("failed to read response body", "error", err)
-	}
+		// Execute the proxy request
+		client := &http.Client{Timeout: 120 * time.Second}
+		resp, err := client.Do(proxyReq)
+		if err != nil {
+			slog.Error("failed to execute proxy request", "error", err)
+			http.Error(w, "Bad Gateway", http.StatusBadGateway)
+			return
+		}
+		defer resp.Body.Close()
+
+		// Copy response headers
+		for key, values := range resp.Header {
+			for _, value := range values {
+				w.Header().Add(key, value)
+			}
+		}
+
+		// Copy the response body
+		capturedBody, err := io.ReadAll(resp.Body)
+		if err != nil {
+			slog.Error("failed to read response body", "error", err)
+		}
 
-	// if the status code is anything >= 400, print an error
-	if resp.StatusCode >= 400 {
-		logBody := capturedBody
-		if resp.Header.Get("Content-Encoding") == "gzip" {
-			if gr, err := gzip.NewReader(bytes.NewReader(capturedBody)); err == nil {
-				if decompressed, err := io.ReadAll(gr); err == nil {
-					logBody = decompressed
+		// if the status code is anything >= 400, print an error
+		if resp.StatusCode >= 400 {
+			logBody := capturedBody
+			if resp.Header.Get("Content-Encoding") == "gzip" {
+				if gr, err := gzip.NewReader(bytes.NewReader(capturedBody)); err == nil {
+					if decompressed, err := io.ReadAll(gr); err == nil {
+						logBody = decompressed
+					}
 				}
 			}
+			slog.Error("proxy request failed", "status code", resp.StatusCode, "body", string(logBody))
 		}
-		slog.Error("proxy request failed", "status code", resp.StatusCode, "body", string(logBody))
-	}
 
-	// Set the status code
-	w.WriteHeader(resp.StatusCode)
+		// Set the status code
+		w.WriteHeader(resp.StatusCode)
 
-	// Synchronously parse tokens and save usage
-	inputTokens, outputTokens, totalTokens := extractUsageMetadata(capturedBody)
+		// Synchronously parse tokens and save usage
+		inputTokens, outputTokens, totalTokens := 0, 0, 0
+		if config.ExtractUsage != nil {
+			inputTokens, outputTokens, totalTokens = config.ExtractUsage(capturedBody)
+		}
 
-	usage := api.LLMProxyUsage{
-		UserID:       claims.UserID,
-		CreatedAt:    time.Now().Unix(),
-		Provider:     "gemini",
-		InputTokens:  inputTokens,
-		OutputTokens: outputTokens,
-		TotalTokens:  totalTokens,
-	}
+		usage := api.LLMProxyUsage{
+			UserID:       claims.UserID,
+			CreatedAt:    time.Now().Unix(),
+			Provider:     config.Provider,
+			InputTokens:  inputTokens,
+			OutputTokens: outputTokens,
+			TotalTokens:  totalTokens,
+		}
 
-	if err := db.Create(&usage).Error; err != nil {
-		slog.Error("failed to save LLM proxy usage log", "error", err)
-	}
+		if err := db.Create(&usage).Error; err != nil {
+			slog.Error("failed to save LLM proxy usage log", "error", err)
+		}
 
-	// Write the captured body back to the client
-	if _, err := w.Write(capturedBody); err != nil {
-		slog.Error("failed to write response body", "error", err)
+		// Write the captured body back to the client
+		if _, err := w.Write(capturedBody); err != nil {
+			slog.Error("failed to write response body", "error", err)
+		}
 	}
 }
 
-func extractUsageMetadata(body []byte) (input int, output int, total int) {
+func extractGeminiUsageMetadata(body []byte) (input int, output int, total int) {
 	type geminiResponse struct {
 		UsageMetadata struct {
 			PromptTokenCount     int `json:"promptTokenCount"`
@@ -341,3 +446,93 @@ func extractUsageMetadata(body []byte) (input int, output int, total int) {
 
 	return input, output, total
 }
+
+func extractOpenAIUsageMetadata(body []byte) (input int, output int, total int) {
+	type openAIResponse struct {
+		Usage struct {
+			PromptTokens     int `json:"prompt_tokens"`
+			CompletionTokens int `json:"completion_tokens"`
+			TotalTokens      int `json:"total_tokens"`
+		} `json:"usage"`
+	}
+
+	// Try to parse the whole body as a single JSON object (non-streaming)
+	var resp openAIResponse
+	if err := json.Unmarshal(body, &resp); err == nil && resp.Usage.TotalTokens > 0 {
+		return resp.Usage.PromptTokens, resp.Usage.CompletionTokens, resp.Usage.TotalTokens
+	}
+
+	// If it failed or has 0 tokens, it might be an SSE stream.
+	// SSE chunks start with "data: " and end with "\n\n"
+	scanner := bufio.NewScanner(bytes.NewReader(body))
+	buf := make([]byte, 0, 64*1024)
+	scanner.Buffer(buf, 1024*1024)
+
+	for scanner.Scan() {
+		line := scanner.Text()
+		if after, ok := strings.CutPrefix(line, "data: "); ok {
+			jsonStr := strings.TrimSpace(after)
+			if jsonStr == "" || jsonStr == "[DONE]" {
+				continue
+			}
+			var streamResp openAIResponse
+			if err := json.Unmarshal([]byte(jsonStr), &streamResp); err == nil {
+				if streamResp.Usage.TotalTokens > total {
+					input = streamResp.Usage.PromptTokens
+					output = streamResp.Usage.CompletionTokens
+					total = streamResp.Usage.TotalTokens
+				}
+			}
+		}
+	}
+
+	return input, output, total
+}
+
+func extractAnthropicUsageMetadata(body []byte) (input int, output int, total int) {
+	type anthropicResponse struct {
+		Usage struct {
+			InputTokens  int `json:"input_tokens"`
+			OutputTokens int `json:"output_tokens"`
+		} `json:"usage"`
+	}
+
+	// Try to parse the whole body as a single JSON object (non-streaming)
+	var resp anthropicResponse
+	if err := json.Unmarshal(body, &resp); err == nil {
+		totalTokens := resp.Usage.InputTokens + resp.Usage.OutputTokens
+		if totalTokens > 0 {
+			return resp.Usage.InputTokens, resp.Usage.OutputTokens, totalTokens
+		}
+	}
+
+	// If it failed or has 0 tokens, it might be an SSE stream.
+	scanner := bufio.NewScanner(bytes.NewReader(body))
+	buf := make([]byte, 0, 64*1024)
+	scanner.Buffer(buf, 1024*1024)
+
+	for scanner.Scan() {
+		line := scanner.Text()
+		if strings.HasPrefix(line, "data: ") {
+			jsonStr := strings.TrimSpace(strings.TrimPrefix(line, "data: "))
+			if jsonStr == "" || jsonStr == "[DONE]" {
+				continue
+			}
+			var streamResp anthropicResponse
+			if err := json.Unmarshal([]byte(jsonStr), &streamResp); err == nil {
+				streamTotal := streamResp.Usage.InputTokens + streamResp.Usage.OutputTokens
+				if streamTotal > total {
+					input = streamResp.Usage.InputTokens
+					output = streamResp.Usage.OutputTokens
+					total = streamTotal
+				}
+			}
+		}
+	}
+
+	return input, output, total
+}
+
+func extractGrokUsageMetadata(body []byte) (input int, output int, total int) {
+	return extractOpenAIUsageMetadata(body)
+}
diff --git a/frontend/bindings/github.com/wailsapp/wails/v3/internal/eventcreate.js b/frontend/bindings/github.com/wailsapp/wails/v3/internal/eventcreate.js
index 444cb31..493eb33 100644
--- a/frontend/bindings/github.com/wailsapp/wails/v3/internal/eventcreate.js
+++ b/frontend/bindings/github.com/wailsapp/wails/v3/internal/eventcreate.js
@@ -14,7 +14,7 @@ function configure() {
     Object.freeze(Object.assign($Create.Events, {
         "daily-summary:ready": $$createType0,
         "protection:status": $$createType1,
-        "usage:update": $$createType2,
+        "usage:update": $$createType3,
     }));
 }
 
@@ -22,5 +22,6 @@ function configure() {
 const $$createType0 = usage$0.LLMDailySummary.createFrom;
 const $$createType1 = usage$0.ProtectionPause.createFrom;
 const $$createType2 = usage$0.ApplicationUsage.createFrom;
+const $$createType3 = $Create.Nullable($$createType2);
 
 configure();
diff --git a/frontend/bindings/github.com/wailsapp/wails/v3/internal/eventdata.d.ts b/frontend/bindings/github.com/wailsapp/wails/v3/internal/eventdata.d.ts
index 83e18a2..1c39dfd 100644
--- a/frontend/bindings/github.com/wailsapp/wails/v3/internal/eventdata.d.ts
+++ b/frontend/bindings/github.com/wailsapp/wails/v3/internal/eventdata.d.ts
@@ -15,7 +15,7 @@ declare module "@wailsio/runtime" {
             "authctx:updated": any;
             "daily-summary:ready": usage$0.LLMDailySummary;
             "protection:status": usage$0.ProtectionPause;
-            "usage:update": usage$0.ApplicationUsage;
+            "usage:update": usage$0.ApplicationUsage | null;
         }
     }
 }
diff --git a/frontend/package-lock.json b/frontend/package-lock.json
index fb70eca..330179e 100644
--- a/frontend/package-lock.json
+++ b/frontend/package-lock.json
@@ -27,7 +27,7 @@
         "@tanstack/router-plugin": "^1.132.0",
         "@types/humanize-duration": "^3.27.4",
         "@typescript/vfs": "^1.6.2",
-        "@wailsio/runtime": "^3.0.0-alpha.77",
+        "@wailsio/runtime": "^3.0.0-alpha.74",
         "class-variance-authority": "^0.7.1",
         "clsx": "^2.1.1",
         "comlink": "^4.4.2",
@@ -4035,9 +4035,9 @@
       }
     },
     "node_modules/@wailsio/runtime": {
-      "version": "3.0.0-alpha.77",
-      "resolved": "https://registry.npmjs.org/@wailsio/runtime/-/runtime-3.0.0-alpha.77.tgz",
-      "integrity": "sha512-DMWjT8VFCk8O818mnw2dbrgZilOf1TzmGGp5lemZyGej7g+SSqAhMFOHp9eCiGQ32EbxmGOdTO4aNZVA00j9Nw==",
+      "version": "3.0.0-alpha.74",
+      "resolved": "https://registry.npmjs.org/@wailsio/runtime/-/runtime-3.0.0-alpha.74.tgz",
+      "integrity": "sha512-6N3F6MpLDgLfTRIwgwAzxSrIVtlPICxMYDrs0bz5uUJ58IPCQjcqxWOedoMysFdqVaogi5VmCxXLKRJzI5hW2A==",
       "license": "MIT"
     },
     "node_modules/acorn": {
diff --git a/frontend/package.json b/frontend/package.json
index 2ba5937..f45163a 100644
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -31,7 +31,7 @@
     "@tanstack/router-plugin": "^1.132.0",
     "@types/humanize-duration": "^3.27.4",
     "@typescript/vfs": "^1.6.2",
-    "@wailsio/runtime": "^3.0.0-alpha.77",
+    "@wailsio/runtime": "^3.0.0-alpha.74",
     "class-variance-authority": "^0.7.1",
     "clsx": "^2.1.1",
     "comlink": "^4.4.2",
diff --git a/frontend/src/components/app-sidebar.tsx b/frontend/src/components/app-sidebar.tsx
index c5755cf..3b1bfec 100644
--- a/frontend/src/components/app-sidebar.tsx
+++ b/frontend/src/components/app-sidebar.tsx
@@ -6,7 +6,7 @@ import {
 } from "@tabler/icons-react";
 import { Link, useMatchRoute } from "@tanstack/react-router";
 import { useQuery } from "@tanstack/react-query";
-import { GetVersion } from "../../bindings/github.com/focusd-so/focusd/internal/settings/service";
+import { GetCurrentVersion } from "../../bindings/github.com/focusd-so/focusd/internal/updater/service";
 
 import {
   Sidebar,
@@ -44,7 +44,7 @@ export function AppSidebar() {
   const matchRoute = useMatchRoute();
   const { data: version } = useQuery({
     queryKey: ["app-version"],
-    queryFn: GetVersion,
+    queryFn: () => (import.meta.env.DEV ? Promise.resolve("dev") : GetCurrentVersion()),
   });
 
   return (
diff --git a/frontend/src/components/custom-rules.tsx b/frontend/src/components/custom-rules.tsx
index 7c24397..c2194ab 100644
--- a/frontend/src/components/custom-rules.tsx
+++ b/frontend/src/components/custom-rules.tsx
@@ -7,15 +7,7 @@ import { useAccountStore } from "@/stores/account-store";
 import { DeviceHandshakeResponse_AccountTier } from "../../bindings/github.com/focusd-so/focusd/gen/api/v1/models";
 import { Browser } from "@wailsio/runtime";
 import { Button } from "@/components/ui/button";
-import {
-  DropdownMenu,
-  DropdownMenuContent,
-  DropdownMenuItem,
-  DropdownMenuLabel,
-  DropdownMenuSeparator,
-  DropdownMenuTrigger,
-} from "@/components/ui/dropdown-menu";
-import { IconDeviceFloppy, IconHistory, IconFileText, IconTerminal, IconTestPipe, IconCrown } from "@tabler/icons-react";
+import { IconDeviceFloppy, IconFileText, IconTerminal, IconTestPipe, IconCrown } from "@tabler/icons-react";
 import { toast } from "sonner";
 import { cn } from "@/lib/utils";
 import { ExecutionLogsSheet } from "@/components/execution-logs";
@@ -315,22 +307,10 @@ export function terminationMode(ctx: Context): TerminationDecision | undefined {
 }
 `;
 
-function formatDate(timestamp: number): string {
-  const date = new Date(timestamp * 1000);
-  return date.toLocaleDateString(undefined, {
-    month: "short",
-    day: "numeric",
-    hour: "2-digit",
-    minute: "2-digit",
-  });
-}
-
 export function CustomRules() {
   const {
     customRules,
-    customRulesHistory,
     updateSetting,
-    fetchCustomRulesHistory,
   } = useSettingsStore();
 
   const { checkoutLink, fetchAccountTier } = useAccountStore();
@@ -440,17 +420,6 @@ export function CustomRules() {
     []
   );
 
-  const handleHistoryOpen = (open: boolean) => {
-    if (open) {
-      fetchCustomRulesHistory(10);
-    }
-  };
-
-  const handleRestoreVersion = (value: string) => {
-    setDraft(value);
-    toast.info("Version restored. Click Save to apply changes.");
-  };
-
   const handleEditorWillMount = useCallback((monaco: Monaco) => {
     monacoRef.current = monaco;
 
@@ -513,41 +482,6 @@ export function CustomRules() {
           </div>
 
           <div className="flex items-center gap-2">
-            <DropdownMenu onOpenChange={handleHistoryOpen}>
-              <DropdownMenuTrigger asChild>
-                <button
-                  className="inline-flex items-center gap-1.5 h-8 px-2 text-xs font-medium text-muted-foreground/60 hover:text-foreground hover:underline underline-offset-4 transition-colors disabled:opacity-50 disabled:cursor-not-allowed disabled:hover:text-muted-foreground/60 disabled:hover:no-underline"
-                >
-                  <IconHistory className="w-3.5 h-3.5" />
-                  <span className="sr-only sm:not-sr-only">History</span>
-                </button>
-              </DropdownMenuTrigger>
-              <DropdownMenuContent align="end" className="w-64">
-                <DropdownMenuLabel className="text-xs font-semibold uppercase tracking-wider text-muted-foreground">Version History</DropdownMenuLabel>
-                <DropdownMenuSeparator />
-                {customRulesHistory.length === 0 ? (
-                  <DropdownMenuItem disabled className="text-xs">No history available</DropdownMenuItem>
-                ) : (
-                  customRulesHistory.map((version, index) => (
-                    <DropdownMenuItem
-                      key={version.id}
-                      onClick={() => handleRestoreVersion(version.value)}
-                      className="flex flex-col items-start gap-0.5 py-2"
-                    >
-                      <div className="flex items-center justify-between w-full">
-                        <span className="font-semibold text-sm">Version {version.version}</span>
-                        <span className="text-[10px] text-muted-foreground bg-muted px-1.5 py-0.5 rounded">
-                          {index === 0 && version.value === customRules
-                            ? "CURRENT"
-                            : formatDate(version.created_at)}
-                        </span>
-                      </div>
-                    </DropdownMenuItem>
-                  ))
-                )}
-              </DropdownMenuContent>
-            </DropdownMenu>
-
             <button
               onClick={() => setLogsOpen(true)}
               className="inline-flex items-center gap-1.5 h-8 px-2 text-xs font-medium text-muted-foreground/60 hover:text-foreground hover:underline underline-offset-4 transition-colors disabled:opacity-50 disabled:cursor-not-allowed disabled:hover:text-muted-foreground/60 disabled:hover:no-underline"
diff --git a/frontend/src/components/pause-confirmation-dialog.tsx b/frontend/src/components/pause-confirmation-dialog.tsx
index 39828c0..e2ea9ab 100644
--- a/frontend/src/components/pause-confirmation-dialog.tsx
+++ b/frontend/src/components/pause-confirmation-dialog.tsx
@@ -2,10 +2,12 @@ import { useState, useMemo, useEffect } from "react";
 import { useNavigate } from "@tanstack/react-router";
 import {
   IconAlertTriangle,
+  IconCalendar,
   IconClock,
   IconShieldOff,
   IconBulb,
 } from "@tabler/icons-react";
+import { format } from "date-fns";
 import { Button } from "@/components/ui/button";
 import {
   Dialog,
@@ -16,7 +18,21 @@ import {
   DialogTitle,
   DialogDescription,
 } from "@/components/ui/dialog";
+import { Calendar } from "@/components/ui/calendar";
+import {
+  Popover,
+  PopoverContent,
+  PopoverTrigger,
+} from "@/components/ui/popover";
+import {
+  Select,
+  SelectContent,
+  SelectItem,
+  SelectTrigger,
+  SelectValue,
+} from "@/components/ui/select";
 import { useUsageStore } from "@/stores/usage-store";
+import { cn } from "@/lib/utils";
 
 interface PauseConfirmationDialogProps {
   open: boolean;
@@ -29,6 +45,50 @@ const PAUSE_OPTIONS = [
   { label: "1 hour", value: 60 },
 ];
 
+const TIME_OPTIONS = Array.from({ length: 96 }, (_, index) => {
+  const hours = Math.floor(index / 4);
+  const minutes = (index % 4) * 15;
+  const value = `${String(hours).padStart(2, "0")}:${String(minutes).padStart(2, "0")}`;
+  const label = new Date(2024, 0, 1, hours, minutes).toLocaleTimeString([], {
+    hour: "numeric",
+    minute: "2-digit",
+  });
+
+  return { value, label };
+});
+
+function getNextQuarterHourValue(date = new Date()): string {
+  const next = new Date(date);
+  next.setSeconds(0, 0);
+  next.setMinutes(Math.ceil(next.getMinutes() / 15) * 15);
+
+  if (next.getMinutes() === 60) {
+    next.setHours(next.getHours() + 1, 0, 0, 0);
+  }
+
+  return `${String(next.getHours()).padStart(2, "0")}:${String(next.getMinutes()).padStart(2, "0")}`;
+}
+
+function formatPauseDuration(totalMinutes: number): string {
+  const days = Math.floor(totalMinutes / (60 * 24));
+  const hours = Math.floor((totalMinutes % (60 * 24)) / 60);
+  const minutes = totalMinutes % 60;
+
+  const parts: string[] = [];
+
+  if (days > 0) {
+    parts.push(`${days} day${days === 1 ? "" : "s"}`);
+  }
+  if (hours > 0) {
+    parts.push(`${hours} hour${hours === 1 ? "" : "s"}`);
+  }
+  if (days === 0 && minutes > 0) {
+    parts.push(`${minutes} minute${minutes === 1 ? "" : "s"}`);
+  }
+
+  return parts.join(" ");
+}
+
 export function PauseConfirmationDialog({
   open,
   onOpenChange,
@@ -39,20 +99,51 @@ export function PauseConfirmationDialog({
   const pauseHistory = useUsageStore((state) => state.pauseHistory);
   const getPauseHistory = useUsageStore((state) => state.getPauseHistory);
   const navigate = useNavigate();
+  const [pauseMode, setPauseMode] = useState<"duration" | "until">("duration");
   const [selectedDuration, setSelectedDuration] = useState<number | null>(null);
+  const [pauseUntilDate, setPauseUntilDate] = useState<Date | undefined>(undefined);
+  const [pauseUntilTime, setPauseUntilTime] = useState<string>("");
   const [isPausing, setIsPausing] = useState(false);
   const [allowingKey, setAllowingKey] = useState<string | null>(null);
 
+  const resetPauseForm = () => {
+    setPauseMode("duration");
+    setSelectedDuration(null);
+    setPauseUntilDate(undefined);
+    setPauseUntilTime("");
+  };
+
   // Fetch pause history for the last 30 days when the dialog opens
   // and reset selected duration when the dialog is closed.
   useEffect(() => {
     if (open) {
       getPauseHistory(30);
     } else {
-      setSelectedDuration(null);
+      resetPauseForm();
     }
   }, [open, getPauseHistory]);
 
+  const pauseUntilDateTime = useMemo(() => {
+    if (!pauseUntilDate || !pauseUntilTime) return null;
+    const [hours, minutes] = pauseUntilTime.split(":").map(Number);
+
+    if (Number.isNaN(hours) || Number.isNaN(minutes)) return null;
+
+    const date = new Date(pauseUntilDate);
+    date.setHours(hours, minutes, 0, 0);
+    return date;
+  }, [pauseUntilDate, pauseUntilTime]);
+
+  const pauseUntilDurationMinutes = useMemo(() => {
+    if (!pauseUntilDateTime) return null;
+    return Math.ceil((pauseUntilDateTime.getTime() - Date.now()) / (1000 * 60));
+  }, [pauseUntilDateTime]);
+
+  const canConfirmPause =
+    pauseMode === "duration"
+      ? !!selectedDuration
+      : !!pauseUntilDurationMinutes && pauseUntilDurationMinutes > 0;
+
   // Get last 2 blocked items to show as quick allow options
   const blockedItems = getBlockedItemsList().slice(0, 2);
 
@@ -80,13 +171,21 @@ export function PauseConfirmationDialog({
   }, [pauseHistory]);
 
   const handleConfirmPause = async () => {
-    if (!selectedDuration) return;
+    let durationMinutes: number | null = null;
+
+    if (pauseMode === "duration") {
+      durationMinutes = selectedDuration;
+    } else if (pauseUntilDateTime) {
+      durationMinutes = Math.ceil((pauseUntilDateTime.getTime() - Date.now()) / (1000 * 60));
+    }
+
+    if (!durationMinutes || durationMinutes <= 0) return;
 
     setIsPausing(true);
     try {
-      await pauseProtection(selectedDuration);
+      await pauseProtection(durationMinutes);
       onOpenChange(false);
-      setSelectedDuration(null);
+      resetPauseForm();
     } finally {
       setIsPausing(false);
     }
@@ -94,7 +193,7 @@ export function PauseConfirmationDialog({
 
   const handleCancel = () => {
     onOpenChange(false);
-    setSelectedDuration(null);
+    resetPauseForm();
   };
 
   const handleQuickAllow = async (appName: string, hostname: string, durationMinutes: number) => {
@@ -221,19 +320,112 @@ export function PauseConfirmationDialog({
             <div className="space-y-2">
               <div className="grid grid-cols-3 gap-2">
                 {PAUSE_OPTIONS.map((opt) => (
-                  <button
+                  <Button
                     key={opt.value}
-                    onClick={() => setSelectedDuration(opt.value)}
-                    className={`flex flex-col items-center gap-1.5 p-3 rounded-xl border transition-all cursor-pointer ${selectedDuration === opt.value
-                      ? "border-orange-500 bg-orange-500/10 text-orange-600 dark:text-orange-400"
-                      : "border-border/60 hover:border-border text-muted-foreground hover:bg-muted/50"
-                      }`}
+                    type="button"
+                    variant="ghost"
+                    onClick={() => {
+                      setPauseMode("duration");
+                      setSelectedDuration(opt.value);
+                    }}
+                    className={cn(
+                      "h-9 px-2 rounded-lg border transition-all text-xs font-medium gap-1.5",
+                      pauseMode === "duration" && selectedDuration === opt.value
+                        ? "border-orange-500 bg-orange-500/10 text-orange-600 dark:text-orange-400 hover:bg-orange-500/15"
+                        : "border-border/60 hover:border-border text-muted-foreground hover:bg-muted/50"
+                    )}
                   >
-                    <IconClock className="w-4 h-4" />
-                    <span className="text-xs font-semibold">{opt.label}</span>
-                  </button>
+                    <IconClock className="w-3.5 h-3.5" />
+                    <span>{opt.label}</span>
+                  </Button>
                 ))}
               </div>
+
+              <Button
+                type="button"
+                variant="ghost"
+                onClick={() => {
+                  if (pauseMode === "until") {
+                    setPauseMode("duration");
+                    setPauseUntilDate(undefined);
+                    setPauseUntilTime("");
+                    return;
+                  }
+
+                  setPauseMode("until");
+                  setSelectedDuration(null);
+                  if (!pauseUntilDate) {
+                    const now = new Date();
+                    setPauseUntilDate(now);
+                    setPauseUntilTime(getNextQuarterHourValue(now));
+                  }
+                }}
+                className={cn(
+                  "w-full h-9 px-3 rounded-lg border transition-all text-xs font-medium gap-1.5",
+                  pauseMode === "until"
+                    ? "border-orange-500 bg-orange-500/10 text-orange-600 dark:text-orange-400 hover:bg-orange-500/15"
+                    : "border-border/60 hover:border-border text-muted-foreground hover:bg-muted/50"
+                )}
+              >
+                <IconCalendar className="w-3.5 h-3.5" />
+                <span>Pause until</span>
+              </Button>
+
+              {pauseMode === "until" && (
+                <div className="rounded-xl border border-border/60 p-3 space-y-2 bg-muted/20">
+                  <div className="grid grid-cols-1 sm:grid-cols-2 gap-2">
+                    <Popover>
+                      <PopoverTrigger asChild>
+                        <Button
+                          type="button"
+                          variant="outline"
+                          className="justify-start text-left font-normal w-full min-w-0"
+                        >
+                          <IconCalendar className="mr-2 h-4 w-4" />
+                          <span className="truncate">
+                            {pauseUntilDate ? format(pauseUntilDate, "MMM d, yyyy") : "Select date"}
+                          </span>
+                        </Button>
+                      </PopoverTrigger>
+                      <PopoverContent className="w-auto p-0" align="start">
+                        <Calendar
+                          mode="single"
+                          selected={pauseUntilDate}
+                          onSelect={setPauseUntilDate}
+                          disabled={(date) => date < new Date(new Date().setHours(0, 0, 0, 0))}
+                          initialFocus
+                        />
+                      </PopoverContent>
+                    </Popover>
+
+                    <Select value={pauseUntilTime} onValueChange={setPauseUntilTime}>
+                      <SelectTrigger className="w-full">
+                        <SelectValue placeholder="Select time" />
+                      </SelectTrigger>
+                      <SelectContent>
+                        {TIME_OPTIONS.map((option) => (
+                          <SelectItem key={option.value} value={option.value}>
+                            {option.label}
+                          </SelectItem>
+                        ))}
+                      </SelectContent>
+                    </Select>
+                  </div>
+
+                  {pauseUntilDurationMinutes !== null && pauseUntilDurationMinutes > 0 && (
+                    <p className="text-[11px] text-muted-foreground">
+                      Protection will resume in {formatPauseDuration(pauseUntilDurationMinutes)}
+                      {pauseUntilDateTime ? ` · ${format(pauseUntilDateTime, "MMM d, yyyy h:mm a")}` : ""}.
+                    </p>
+                  )}
+
+                  {pauseUntilDurationMinutes !== null && pauseUntilDurationMinutes <= 0 && (
+                    <p className="text-[11px] text-destructive">
+                      Please select a future date and time.
+                    </p>
+                  )}
+                </div>
+              )}
             </div>
           </div>
         </DialogBody>
@@ -249,8 +441,8 @@ export function PauseConfirmationDialog({
           <Button
             variant="default"
             onClick={handleConfirmPause}
-            disabled={!selectedDuration || isPausing}
-            className={`flex-1 rounded-xl h-11 font-semibold transition-all shadow-sm ${selectedDuration
+            disabled={!canConfirmPause || isPausing}
+            className={`flex-1 rounded-xl h-11 font-semibold transition-all shadow-sm ${canConfirmPause
               ? "bg-orange-500 text-white hover:bg-orange-600 shadow-orange-500/10"
               : "bg-muted text-muted-foreground opacity-50"
               }`}
diff --git a/frontend/src/components/settings/about-settings.tsx b/frontend/src/components/settings/about-settings.tsx
index 7f1ce41..8188b52 100644
--- a/frontend/src/components/settings/about-settings.tsx
+++ b/frontend/src/components/settings/about-settings.tsx
@@ -1,11 +1,11 @@
 import { useQuery } from "@tanstack/react-query";
-import { GetVersion } from "../../../bindings/github.com/focusd-so/focusd/internal/settings/service";
+import { GetCurrentVersion } from "../../../bindings/github.com/focusd-so/focusd/internal/updater/service";
 import { Card, CardContent, CardDescription, CardHeader, CardTitle } from "@/components/ui/card";
 
 export function AboutSettings() {
   const { data: version } = useQuery({
     queryKey: ["app-version"],
-    queryFn: GetVersion,
+    queryFn: () => (import.meta.env.DEV ? Promise.resolve("dev") : GetCurrentVersion()),
   });
 
   return (
diff --git a/frontend/src/routes/__root.tsx b/frontend/src/routes/__root.tsx
index b5b4241..bbd79a4 100644
--- a/frontend/src/routes/__root.tsx
+++ b/frontend/src/routes/__root.tsx
@@ -81,7 +81,7 @@ function RootLayout() {
               </h1>
             )}
           </div>
-          <AccountStatus />
+          {!import.meta.env.DEV && <AccountStatus />}
         </header>
         <div className="flex flex-1 flex-col h-full overflow-hidden">
           <Outlet />
diff --git a/frontend/src/stores/settings-store.ts b/frontend/src/stores/settings-store.ts
index 4d19c20..517ebf5 100644
--- a/frontend/src/stores/settings-store.ts
+++ b/frontend/src/stores/settings-store.ts
@@ -1,62 +1,78 @@
 import { create } from "zustand";
 import {
-  GetAll,
-  GetVersionHistory,
-  Save,
+  GetConfig,
+  SaveConfig,
 } from "../../bindings/github.com/focusd-so/focusd/internal/settings/service";
-import type { Settings } from "../../bindings/github.com/focusd-so/focusd/internal/settings/models";
-import { SettingsKey } from "../../bindings/github.com/focusd-so/focusd/internal/settings/models";
+import { AppConfig, LLMProvider } from "../../bindings/github.com/focusd-so/focusd/internal/settings/models";
 
 interface SettingsState {
-  settings: Settings[];
   customRules: string;
-  idleThreshold: string;
-  historyRetention: string;
-  distractionAllowance: string;
-  customRulesHistory: Settings[];
   isLoading: boolean;
   error: string | null;
 
   fetchSettings: () => Promise<void>;
-  fetchCustomRulesHistory: (limit?: number) => Promise<void>;
   updateSetting: (key: string, value: string) => Promise<void>;
-  getSettingValue: (key: string) => string | undefined;
+}
+
+const SETTINGS_KEY = "custom_rules";
+
+function encodeBase64(value: string): string {
+  const bytes = new TextEncoder().encode(value);
+  let binary = "";
+  for (const byte of bytes) {
+    binary += String.fromCharCode(byte);
+  }
+  return btoa(binary);
+}
+
+function decodeBase64(value: string): string {
+  const binary = atob(value);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i += 1) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return new TextDecoder().decode(bytes);
+}
+
+function toAppConfig(config: AppConfig | null): AppConfig {
+  if (config) {
+    return config;
+  }
+
+  return new AppConfig({
+    idle_threshold_seconds: 120,
+    history_retention_days: 30,
+    distraction_allowance_minutes: 60,
+    custom_rules_js: [],
+    classification_llm_provider: LLMProvider.LLMProviderGoogle,
+  });
 }
 
 export const useSettingsStore = create<SettingsState>()((set, get) => ({
-  settings: [],
   customRules: "",
-  idleThreshold: "120", // default 120
-  historyRetention: "7", // default 7
-  distractionAllowance: "0", // default 0 / unlimited
-  customRulesHistory: [],
   isLoading: false,
   error: null,
 
   fetchSettings: async () => {
     set({ isLoading: true, error: null });
     try {
-      const settings = await GetAll();
-      const customRules =
-        settings?.find((s) => s.key === SettingsKey.SettingsKeyCustomRules)
-          ?.value || "";
-      const idleThreshold =
-        settings?.find((s) => s.key === SettingsKey.SettingsKeyIdleThreshold)
-          ?.value || "120";
-      const historyRetention =
-        settings?.find((s) => s.key === SettingsKey.SettingsKeyHistoryRetention)
-          ?.value || "7";
-      const distractionAllowance =
-        settings?.find((s) => s.key === SettingsKey.SettingsKeyDistractionAllowance)
-          ?.value || "0";
+      const config = await GetConfig();
+      const appConfig = toAppConfig(config);
+
+      const encodedCurrentRules = appConfig.custom_rules_js?.[0] ?? "";
+      let customRules = "";
+
+      if (encodedCurrentRules) {
+        try {
+          customRules = decodeBase64(encodedCurrentRules);
+        } catch {
+          customRules = "";
+        }
+      }
 
       set({
-        settings: settings || [],
         customRules,
-        idleThreshold,
-        historyRetention,
-        distractionAllowance,
-        isLoading: false
+        isLoading: false,
       });
     } catch (error) {
       console.error("Failed to fetch settings:", error);
@@ -64,50 +80,32 @@ export const useSettingsStore = create<SettingsState>()((set, get) => ({
     }
   },
 
-  fetchCustomRulesHistory: async (limit = 10) => {
-    try {
-      const history = await GetVersionHistory(
-        SettingsKey.SettingsKeyCustomRules,
-        limit
-      );
-      set({ customRulesHistory: history || [] });
-    } catch (error) {
-      console.error("Failed to fetch custom rules history:", error);
-      set({ error: String(error) });
-    }
-  },
-
   updateSetting: async (key, value) => {
     try {
-      await Save(key as SettingsKey, value);
-
-      // Update local state optimistically
-      if (key === SettingsKey.SettingsKeyCustomRules) {
-        set({ customRules: value });
-      } else if (key === SettingsKey.SettingsKeyIdleThreshold) {
-        set({ idleThreshold: value });
-      } else if (key === SettingsKey.SettingsKeyHistoryRetention) {
-        set({ historyRetention: value });
-      } else if (key === SettingsKey.SettingsKeyDistractionAllowance) {
-        set({ distractionAllowance: value });
+      if (key !== SETTINGS_KEY) {
+        return;
       }
 
+      const config = await GetConfig();
+      const appConfig = toAppConfig(config);
+      const encodedRules = encodeBase64(value);
+
+      await SaveConfig(
+        new AppConfig({
+          ...appConfig,
+          custom_rules_js: [encodedRules, ...(appConfig.custom_rules_js ?? [])],
+        })
+      );
+
+      set({ customRules: value });
+
       // Refresh to get the updated version from backend
       await get().fetchSettings();
-
-      // Refresh history if updating custom rules
-      if (key === SettingsKey.SettingsKeyCustomRules) {
-        await get().fetchCustomRulesHistory();
-      }
     } catch (error) {
       console.error("Failed to update setting:", error);
       set({ error: String(error) });
     }
   },
-
-  getSettingValue: (key) => {
-    return get().settings.find((s) => s.key === key)?.value;
-  },
 }));
 
 // Initialize on module load
diff --git a/go.mod b/go.mod
index 51945c3..8aa66e7 100644
--- a/go.mod
+++ b/go.mod
@@ -15,15 +15,17 @@ require (
 	github.com/joho/godotenv v1.5.1
 	github.com/o1egl/paseto v1.0.0
 	github.com/polarsource/polar-go v0.12.0
+	github.com/spf13/viper v1.21.0
 	github.com/standard-webhooks/standard-webhooks/libraries v0.0.0-20260218190227-a1773d7ffc57
 	github.com/stretchr/testify v1.11.1
+	github.com/tmc/langchaingo v0.1.14
 	github.com/tursodatabase/libsql-client-go v0.0.0-20251219100830-236aa1ff8acc
 	github.com/urfave/cli/v3 v3.6.2
-	github.com/wailsapp/wails/v3 v3.0.0-alpha.72
+	github.com/wailsapp/wails/v3 v3.0.0-alpha.74
 	github.com/zalando/go-keyring v0.2.6
 	golang.org/x/net v0.50.0
 	golang.org/x/sync v0.19.0
-	google.golang.org/genai v1.47.0
+	google.golang.org/api v0.264.0
 	google.golang.org/protobuf v1.36.11
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1
 	gorm.io/driver/sqlite v1.6.0
@@ -36,8 +38,14 @@ require (
 	buf.build/go/protovalidate v1.1.3 // indirect
 	cel.dev/expr v0.25.1 // indirect
 	cloud.google.com/go v0.123.0 // indirect
+	cloud.google.com/go/ai v0.7.0 // indirect
+	cloud.google.com/go/aiplatform v1.114.0 // indirect
 	cloud.google.com/go/auth v0.18.2 // indirect
+	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
 	cloud.google.com/go/compute/metadata v0.9.0 // indirect
+	cloud.google.com/go/iam v1.5.3 // indirect
+	cloud.google.com/go/longrunning v0.8.0 // indirect
+	cloud.google.com/go/vertexai v0.12.0 // indirect
 	code.gitea.io/sdk/gitea v0.22.1 // indirect
 	dario.cat/mergo v1.0.2 // indirect
 	github.com/42wim/httpsig v1.2.3 // indirect
@@ -56,11 +64,13 @@ require (
 	github.com/coder/websocket v1.8.14 // indirect
 	github.com/cyphar/filepath-securejoin v0.6.1 // indirect
 	github.com/danieljoos/wincred v1.2.3 // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/davidmz/go-pageant v1.0.2 // indirect
+	github.com/dlclark/regexp2 v1.11.5 // indirect
 	github.com/ebitengine/purego v0.9.1 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/go-fed/httpsig v1.1.0 // indirect
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
 	github.com/go-git/go-billy/v5 v5.7.0 // indirect
@@ -69,11 +79,12 @@ require (
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-ole/go-ole v1.3.0 // indirect
 	github.com/go-shiori/dom v0.0.0-20230515143342-73569d674e1c // indirect
+	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
 	github.com/godbus/dbus/v5 v5.2.2 // indirect
 	github.com/gogs/chardet v0.0.0-20211120154057-b7413eaefb8f // indirect
 	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
 	github.com/google/cel-go v0.27.0 // indirect
-	github.com/google/go-cmp v0.7.0 // indirect
+	github.com/google/generative-ai-go v0.15.1 // indirect
 	github.com/google/go-github/v74 v74.0.0 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/s2a-go v0.1.9 // indirect
@@ -95,30 +106,41 @@ require (
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-sqlite3 v1.14.34 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
 	github.com/pjbgf/sha1cd v0.5.0 // indirect
 	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/pkg/errors v0.9.1 // indirect
-	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/pkoukk/tiktoken-go v0.1.6 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
+	github.com/sagikazarmark/locafero v0.11.0 // indirect
 	github.com/samber/lo v1.52.0 // indirect
 	github.com/sergi/go-diff v1.4.0 // indirect
 	github.com/skeema/knownhosts v1.3.2 // indirect
+	github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 // indirect
+	github.com/spf13/afero v1.15.0 // indirect
+	github.com/spf13/cast v1.10.0 // indirect
+	github.com/spf13/pflag v1.0.10 // indirect
 	github.com/spyzhov/ajson v0.9.6 // indirect
+	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/ulikunitz/xz v0.5.15 // indirect
 	github.com/wailsapp/go-webview2 v1.0.23 // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
 	gitlab.com/gitlab-org/api/client-go v1.9.1 // indirect
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0 // indirect
 	go.opentelemetry.io/otel v1.40.0 // indirect
 	go.opentelemetry.io/otel/metric v1.40.0 // indirect
 	go.opentelemetry.io/otel/trace v1.40.0 // indirect
+	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	golang.org/x/crypto v0.48.0 // indirect
 	golang.org/x/exp v0.0.0-20260218203240-3dfff04db8fa // indirect
 	golang.org/x/oauth2 v0.34.0 // indirect
 	golang.org/x/sys v0.41.0 // indirect
 	golang.org/x/text v0.34.0 // indirect
 	golang.org/x/time v0.14.0 // indirect
+	google.golang.org/genproto v0.0.0-20260128011058-8636f8732409 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20260217215200-42d3e9bedb6d // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20260217215200-42d3e9bedb6d // indirect
 	google.golang.org/grpc v1.79.1 // indirect
diff --git a/go.sum b/go.sum
index 06e0c31..ae83d71 100644
--- a/go.sum
+++ b/go.sum
@@ -8,10 +8,22 @@ cel.dev/expr v0.25.1 h1:1KrZg61W6TWSxuNZ37Xy49ps13NUovb66QLprthtwi4=
 cel.dev/expr v0.25.1/go.mod h1:hrXvqGP6G6gyx8UAHSHJ5RGk//1Oj5nXQ2NI02Nrsg4=
 cloud.google.com/go v0.123.0 h1:2NAUJwPR47q+E35uaJeYoNhuNEM9kM8SjgRgdeOJUSE=
 cloud.google.com/go v0.123.0/go.mod h1:xBoMV08QcqUGuPW65Qfm1o9Y4zKZBpGS+7bImXLTAZU=
+cloud.google.com/go/ai v0.7.0 h1:P6+b5p4gXlza5E+u7uvcgYlzZ7103ACg70YdZeC6oGE=
+cloud.google.com/go/ai v0.7.0/go.mod h1:7ozuEcraovh4ABsPbrec3o4LmFl9HigNI3D5haxYeQo=
+cloud.google.com/go/aiplatform v1.114.0 h1:TCrSLci+NFEAx0PZMv8btGe5j68RivArmDJbBLIc/3o=
+cloud.google.com/go/aiplatform v1.114.0/go.mod h1:W5yMrpIuHG/CSK8iF7XnwIfCJu6dcLRQ0cTqGR5vwwE=
 cloud.google.com/go/auth v0.18.2 h1:+Nbt5Ev0xEqxlNjd6c+yYUeosQ5TtEUaNcN/3FozlaM=
 cloud.google.com/go/auth v0.18.2/go.mod h1:xD+oY7gcahcu7G2SG2DsBerfFxgPAJz17zz2joOFF3M=
+cloud.google.com/go/auth/oauth2adapt v0.2.8 h1:keo8NaayQZ6wimpNSmW5OPc283g65QNIiLpZnkHRbnc=
+cloud.google.com/go/auth/oauth2adapt v0.2.8/go.mod h1:XQ9y31RkqZCcwJWNSx2Xvric3RrU88hAYYbjDWYDL+c=
 cloud.google.com/go/compute/metadata v0.9.0 h1:pDUj4QMoPejqq20dK0Pg2N4yG9zIkYGdBtwLoEkH9Zs=
 cloud.google.com/go/compute/metadata v0.9.0/go.mod h1:E0bWwX5wTnLPedCKqk3pJmVgCBSM6qQI1yTBdEb3C10=
+cloud.google.com/go/iam v1.5.3 h1:+vMINPiDF2ognBJ97ABAYYwRgsaqxPbQDlMnbHMjolc=
+cloud.google.com/go/iam v1.5.3/go.mod h1:MR3v9oLkZCTlaqljW6Eb2d3HGDGK5/bDv93jhfISFvU=
+cloud.google.com/go/longrunning v0.8.0 h1:LiKK77J3bx5gDLi4SMViHixjD2ohlkwBi+mKA7EhfW8=
+cloud.google.com/go/longrunning v0.8.0/go.mod h1:UmErU2Onzi+fKDg2gR7dusz11Pe26aknR4kHmJJqIfk=
+cloud.google.com/go/vertexai v0.12.0 h1:zTadEo/CtsoyRXNx3uGCncoWAP1H2HakGqwznt+iMo8=
+cloud.google.com/go/vertexai v0.12.0/go.mod h1:8u+d0TsvBfAAd2x5R6GMgbYhsLgo3J7lmP4bR8g2ig8=
 code.gitea.io/sdk/gitea v0.22.1 h1:7K05KjRORyTcTYULQ/AwvlVS6pawLcWyXZcTr7gHFyA=
 code.gitea.io/sdk/gitea v0.22.1/go.mod h1:yyF5+GhljqvA30sRDreoyHILruNiy4ASufugzYg0VHM=
 codeberg.org/readeck/go-readability v0.0.0-20251125211941-0f57a445e5f1 h1:PM2Ygbn9YcX4Dqpk6dcymx+vf84jHPBxNpy+0IpaHEc=
@@ -58,6 +70,8 @@ github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UF
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cloudflare/circl v1.6.3 h1:9GPOhQGF9MCYUeXyMYlqTR6a5gTrgR/fBLXvUgtVcg8=
 github.com/cloudflare/circl v1.6.3/go.mod h1:2eXP6Qfat4O/Yhh8BznvKnJ+uzEoTQ6jVKJRn81BiS4=
+github.com/cncf/xds/go v0.0.0-20251210132809-ee656c7534f5 h1:6xNmx7iTtyBRev0+D/Tv1FZd4SCg8axKApyNyRsAt/w=
+github.com/cncf/xds/go v0.0.0-20251210132809-ee656c7534f5/go.mod h1:KdCmV+x/BuvyMxRnYBlmVaq4OLiKW6iRQfvC62cvdkI=
 github.com/coder/websocket v1.8.14 h1:9L0p0iKiNOibykf283eHkKUHHrpG7f65OE3BhhO7v9g=
 github.com/coder/websocket v1.8.14/go.mod h1:NX3SzP+inril6yawo5CQXx8+fk145lPDC6pumgx0mVg=
 github.com/creativeprojects/go-selfupdate v1.5.2 h1:3KR3JLrq70oplb9yZzbmJ89qRP78D1AN/9u+l3k0LJ4=
@@ -67,22 +81,34 @@ github.com/cyphar/filepath-securejoin v0.6.1/go.mod h1:A8hd4EnAeyujCJRrICiOWqjS1
 github.com/danieljoos/wincred v1.2.3 h1:v7dZC2x32Ut3nEfRH+vhoZGvN72+dQ/snVXo/vMFLdQ=
 github.com/danieljoos/wincred v1.2.3/go.mod h1:6qqX0WNrS4RzPZ1tnroDzq9kY3fu1KwE7MRLQK4X0bs=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davidmz/go-pageant v1.0.2 h1:bPblRCh5jGU+Uptpz6LgMZGD5hJoOt7otgT454WvHn0=
 github.com/davidmz/go-pageant v1.0.2/go.mod h1:P2EDDnMqIwG5Rrp05dTRITj9z2zpGcD9efWSkTNKLIE=
+github.com/dlclark/regexp2 v1.11.5 h1:Q/sSnsKerHeCkc/jSTNq1oCm7KiVgUMZRDUoRu0JQZQ=
+github.com/dlclark/regexp2 v1.11.5/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
 github.com/ebitengine/purego v0.9.1 h1:a/k2f2HQU3Pi399RPW1MOaZyhKJL9w/xFpKAg4q1s0A=
 github.com/ebitengine/purego v0.9.1/go.mod h1:iIjxzd6CiRiOG0UyXP+V1+jWqUXVjPKLAI0mRfJZTmQ=
 github.com/elazarl/goproxy v1.7.2 h1:Y2o6urb7Eule09PjlhQRGNsqRfPmYI3KKQLFpCAV3+o=
 github.com/elazarl/goproxy v1.7.2/go.mod h1:82vkLNir0ALaW14Rc399OTTjyNREgmdL2cVoIbS6XaE=
 github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc=
 github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ=
+github.com/envoyproxy/go-control-plane v0.14.0 h1:hbG2kr4RuFj222B6+7T83thSPqLjwBIfQawTkC++2HA=
+github.com/envoyproxy/go-control-plane/envoy v1.36.0 h1:yg/JjO5E7ubRyKX3m07GF3reDNEnfOboJ0QySbH736g=
+github.com/envoyproxy/go-control-plane/envoy v1.36.0/go.mod h1:ty89S1YCCVruQAm9OtKeEkQLTb+Lkz0k8v9W0Oxsv98=
+github.com/envoyproxy/protoc-gen-validate v1.3.0 h1:TvGH1wof4H33rezVKWSpqKz5NXWg5VPuZ0uONDT6eb4=
+github.com/envoyproxy/protoc-gen-validate v1.3.0/go.mod h1:HvYl7zwPa5mffgyeTUHA9zHIH36nmrm7oCbo4YKoSWA=
 github.com/evanw/esbuild v0.27.3 h1:dH/to9tBKybig6hl25hg4SKIWP7U8COdJKbGEwnUkmU=
 github.com/evanw/esbuild v0.27.3/go.mod h1:D2vIQZqV/vIf/VRHtViaUtViZmG7o+kKmlBfVQuRi48=
 github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM=
 github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
+github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
+github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
+github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k=
+github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
 github.com/gliderlabs/ssh v0.3.8 h1:a4YXD1V7xMF9g5nTkdfnja3Sxy1PVDCj1Zg4Wb8vY6c=
 github.com/gliderlabs/ssh v0.3.8/go.mod h1:xYoytBv1sV0aL3CavoDuJIQNURXkkfPA/wxQ1pL1fAU=
 github.com/go-chi/chi/v5 v5.2.5 h1:Eg4myHZBjyvJmAFjFvWgrqDTXFyOzjj7YIm3L3mu6Ug=
@@ -108,6 +134,8 @@ github.com/go-ole/go-ole v1.3.0 h1:Dt6ye7+vXGIKZ7Xtk4s6/xVdGDQynvom7xCFEdWr6uE=
 github.com/go-ole/go-ole v1.3.0/go.mod h1:5LS6F96DhAwUc7C+1HLexzMXY1xGRSryjyPPKW6zv78=
 github.com/go-shiori/dom v0.0.0-20230515143342-73569d674e1c h1:wpkoddUomPfHiOziHZixGO5ZBS73cKqVzZipfrLmO1w=
 github.com/go-shiori/dom v0.0.0-20230515143342-73569d674e1c/go.mod h1:oVDCh3qjJMLVUSILBRwrm+Bc6RNXGZYtoh9xdvf1ffM=
+github.com/go-viper/mapstructure/v2 v2.4.0 h1:EBsztssimR/CONLSZZ04E8qAkxNYq4Qp9LvH92wZUgs=
+github.com/go-viper/mapstructure/v2 v2.4.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
 github.com/godbus/dbus/v5 v5.2.2 h1:TUR3TgtSVDmjiXOgAAyaZbYmIeP3DPkld3jgKGV8mXQ=
 github.com/godbus/dbus/v5 v5.2.2/go.mod h1:3AAv2+hPq5rdnr5txxxRwiGjPXamgoIHgz9FPBfOp3c=
 github.com/gogs/chardet v0.0.0-20211120154057-b7413eaefb8f h1:3BSP1Tbs2djlpprl7wCLuiqMaUh5SJkkzI2gDs+FgLs=
@@ -118,6 +146,8 @@ github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/google/cel-go v0.27.0 h1:e7ih85+4qVrBuqQWTW4FKSqZYokVuc3HnhH5keboFTo=
 github.com/google/cel-go v0.27.0/go.mod h1:tTJ11FWqnhw5KKpnWpvW9CJC3Y9GK4EIS0WXnBbebzw=
+github.com/google/generative-ai-go v0.15.1 h1:n8aQUpvhPOlGVuM2DRkJ2jvx04zpp42B778AROJa+pQ=
+github.com/google/generative-ai-go v0.15.1/go.mod h1:AAucpWZjXsDKhQYWvCYuP6d0yB1kX998pJlOW1rAesw=
 github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
@@ -187,6 +217,8 @@ github.com/o1egl/paseto v1.0.0 h1:bwpvPu2au176w4IBlhbyUv/S5VPptERIA99Oap5qUd0=
 github.com/o1egl/paseto v1.0.0/go.mod h1:5HxsZPmw/3RI2pAwGo1HhOOwSdvBpcuVzO7uDkm+CLU=
 github.com/onsi/gomega v1.34.1 h1:EUMJIKUjM8sKjYbtxQI9A4z2o+rruxnzNvpknOXie6k=
 github.com/onsi/gomega v1.34.1/go.mod h1:kU1QgUvBDLXBJq618Xvm2LUX6rSAfRaFRTcdOeDLwwY=
+github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=
+github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
 github.com/pjbgf/sha1cd v0.5.0 h1:a+UkboSi1znleCDUNT3M5YxjOnN1fz2FhN48FlwCxs0=
 github.com/pjbgf/sha1cd v0.5.0/go.mod h1:lhpGlyHLpQZoxMv8HcgXvZEhcGs0PG/vsZnEJ7H0iCM=
 github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ=
@@ -194,8 +226,13 @@ github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjL
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pkoukk/tiktoken-go v0.1.6 h1:JF0TlJzhTbrI30wCvFuiw6FzP2+/bR+FIxUdgEAcUsw=
+github.com/pkoukk/tiktoken-go v0.1.6/go.mod h1:9NiV+i9mJKGj1rYOT+njbv+ZwA/zJxYdewGl6qVatpg=
+github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 h1:GFCKgmp0tecUJ0sJuv4pzYCqS9+RGSn52M3FUwPs+uo=
+github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/polarsource/polar-go v0.12.0 h1:um+6ftOPUMg2TQq9Kv/6fKGBOAl7dOc2YiDdx4Bb0y8=
 github.com/polarsource/polar-go v0.12.0/go.mod h1:FB11Q4m2n3wIk6l/POOkz0MVOUx1o0Yt4Y97MnQfe0c=
 github.com/rivo/uniseg v0.1.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
@@ -206,6 +243,8 @@ github.com/rodaine/protogofakeit v0.1.1 h1:ZKouljuRM3A+TArppfBqnH8tGZHOwM/pjvtXe
 github.com/rodaine/protogofakeit v0.1.1/go.mod h1:pXn/AstBYMaSfc1/RqH3N82pBuxtWgejz1AlYpY1mI0=
 github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
 github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
+github.com/sagikazarmark/locafero v0.11.0 h1:1iurJgmM9G3PA/I+wWYIOw/5SyBtxapeHDcg+AAIFXc=
+github.com/sagikazarmark/locafero v0.11.0/go.mod h1:nVIGvgyzw595SUSUE6tvCp3YYTeHs15MvlmU87WwIik=
 github.com/samber/lo v1.52.0 h1:Rvi+3BFHES3A8meP33VPAxiBZX/Aws5RxrschYGjomw=
 github.com/samber/lo v1.52.0/go.mod h1:4+MXEGsJzbKGaUEQFKBq2xtfuznW9oz/WrgyzMzRoM0=
 github.com/scylladb/termtables v0.0.0-20191203121021-c4c0b6d42ff4/go.mod h1:C1a7PQSMz9NShzorzCiG2fk9+xuCgLkPeCvMHYR2OWg=
@@ -214,6 +253,16 @@ github.com/sergi/go-diff v1.4.0/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepq
 github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
 github.com/skeema/knownhosts v1.3.2 h1:EDL9mgf4NzwMXCTfaxSD/o/a5fxDw/xL9nkU28JjdBg=
 github.com/skeema/knownhosts v1.3.2/go.mod h1:bEg3iQAuw+jyiw+484wwFJoKSLwcfd7fqRy+N0QTiow=
+github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 h1:+jumHNA0Wrelhe64i8F6HNlS8pkoyMv5sreGx2Ry5Rw=
+github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8/go.mod h1:3n1Cwaq1E1/1lhQhtRK2ts/ZwZEhjcQeJQ1RuC6Q/8U=
+github.com/spf13/afero v1.15.0 h1:b/YBCLWAJdFWJTN9cLhiXXcD7mzKn9Dm86dNnfyQw1I=
+github.com/spf13/afero v1.15.0/go.mod h1:NC2ByUVxtQs4b3sIUphxK0NioZnmxgyCrfzeuq8lxMg=
+github.com/spf13/cast v1.10.0 h1:h2x0u2shc1QuLHfxi+cTJvs30+ZAHOGRic8uyGTDWxY=
+github.com/spf13/cast v1.10.0/go.mod h1:jNfB8QC9IA6ZuY2ZjDp0KtFO2LZZlg4S/7bzP6qqeHo=
+github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
+github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/viper v1.21.0 h1:x5S+0EU27Lbphp4UKm1C+1oQO+rKx36vfCoaVebLFSU=
+github.com/spf13/viper v1.21.0/go.mod h1:P0lhsswPGWD/1lZJ9ny3fYnVqxiegrlNrEmgLjbTCAY=
 github.com/spyzhov/ajson v0.9.6 h1:iJRDaLa+GjhCDAt1yFtU/LKMtLtsNVKkxqlpvrHHlpQ=
 github.com/spyzhov/ajson v0.9.6/go.mod h1:a6oSw0MMb7Z5aD2tPoPO+jq11ETKgXUr2XktHdT8Wt8=
 github.com/standard-webhooks/standard-webhooks/libraries v0.0.0-20260218190227-a1773d7ffc57 h1:Tyc4ahpgMG94JVYI31kubJ7+W/GQIfXW3Oyrp3nzoeE=
@@ -226,6 +275,10 @@ github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81P
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8=
+github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU=
+github.com/tmc/langchaingo v0.1.14 h1:o1qWBPigAIuFvrG6cjTFo0cZPFEZ47ZqpOYMjM15yZc=
+github.com/tmc/langchaingo v0.1.14/go.mod h1:aKKYXYoqhIDEv7WKdpnnCLRaqXic69cX9MnDUk72378=
 github.com/tursodatabase/libsql-client-go v0.0.0-20251219100830-236aa1ff8acc h1:lzi/5fg2EfinRlh3v//YyIhnc4tY7BTqazQGwb1ar+0=
 github.com/tursodatabase/libsql-client-go v0.0.0-20251219100830-236aa1ff8acc/go.mod h1:08inkKyguB6CGGssc/JzhmQWwBgFQBgjlYFjxjRh7nU=
 github.com/ulikunitz/xz v0.5.15 h1:9DNdB5s+SgV3bQ2ApL10xRc35ck0DuIX/isZvIk+ubY=
@@ -234,8 +287,8 @@ github.com/urfave/cli/v3 v3.6.2 h1:lQuqiPrZ1cIz8hz+HcrG0TNZFxU70dPZ3Yl+pSrH9A8=
 github.com/urfave/cli/v3 v3.6.2/go.mod h1:ysVLtOEmg2tOy6PknnYVhDoouyC/6N42TMeoMzskhso=
 github.com/wailsapp/go-webview2 v1.0.23 h1:jmv8qhz1lHibCc79bMM/a/FqOnnzOGEisLav+a0b9P0=
 github.com/wailsapp/go-webview2 v1.0.23/go.mod h1:qJmWAmAmaniuKGZPWwne+uor3AHMB5PFhqiK0Bbj8kc=
-github.com/wailsapp/wails/v3 v3.0.0-alpha.72 h1:1d2Y+/Ib7KdKHFnmZsKW/OAi66nyDZLmyv8AIKYk1yA=
-github.com/wailsapp/wails/v3 v3.0.0-alpha.72/go.mod h1:4saK4A4K9970X+X7RkMwP2lyGbLogcUz54wVeq4C/V8=
+github.com/wailsapp/wails/v3 v3.0.0-alpha.74 h1:wRm1EiDQtxDisXk46NtpiBH90STwfKp36NrTDwOEdxw=
+github.com/wailsapp/wails/v3 v3.0.0-alpha.74/go.mod h1:4saK4A4K9970X+X7RkMwP2lyGbLogcUz54wVeq4C/V8=
 github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM=
 github.com/xanzy/ssh-agent v0.3.3/go.mod h1:6dzNDKs0J9rVPHPhaGCukekBHKqfl+L3KghI1Bc68Uw=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
@@ -245,6 +298,8 @@ gitlab.com/gitlab-org/api/client-go v1.9.1 h1:tZm+URa36sVy8UCEHQyGGJ8COngV4YqMHp
 gitlab.com/gitlab-org/api/client-go v1.9.1/go.mod h1:71yTJk1lnHCWcZLvM5kPAXzeJ2fn5GjaoV8gTOPd4ME=
 go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
 go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 h1:q4XOmH/0opmeuJtPsbFNivyl7bCt7yRBbeEm2sC/XtQ=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0/go.mod h1:snMWehoOh2wsEwnvvwtDyFCxVeDAODenXHtn5vzrKjo=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0 h1:7iP2uCb7sGddAr30RRS6xjKy7AZ2JtTOPA3oolgVSw8=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0/go.mod h1:c7hN3ddxs/z6q9xwvfLPk+UHlWRQyaeR1LdgfL/66l0=
 go.opentelemetry.io/otel v1.40.0 h1:oA5YeOcpRTXq6NN7frwmwFR0Cn3RhTVZvXsP4duvCms=
@@ -359,8 +414,10 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
 gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
-google.golang.org/genai v1.47.0 h1:iWCS7gEdO6rctOqfCYLOrZGKu2D+N42aTnCEcBvB1jo=
-google.golang.org/genai v1.47.0/go.mod h1:A3kkl0nyBjyFlNjgxIwKq70julKbIxpSxqKO5gw/gmk=
+google.golang.org/api v0.264.0 h1:+Fo3DQXBK8gLdf8rFZ3uLu39JpOnhvzJrLMQSoSYZJM=
+google.golang.org/api v0.264.0/go.mod h1:fAU1xtNNisHgOF5JooAs8rRaTkl2rT3uaoNGo9NS3R8=
+google.golang.org/genproto v0.0.0-20260128011058-8636f8732409 h1:VQZ/yAbAtjkHgH80teYd2em3xtIkkHd7ZhqfH2N9CsM=
+google.golang.org/genproto v0.0.0-20260128011058-8636f8732409/go.mod h1:rxKD3IEILWEu3P44seeNOAwZN4SaoKaQ/2eTg4mM6EM=
 google.golang.org/genproto/googleapis/api v0.0.0-20260217215200-42d3e9bedb6d h1:EocjzKLywydp5uZ5tJ79iP6Q0UjDnyiHkGRWxuPBP8s=
 google.golang.org/genproto/googleapis/api v0.0.0-20260217215200-42d3e9bedb6d/go.mod h1:48U2I+QQUYhsFrg2SY6r+nJzeOtjey7j//WBESw+qyQ=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20260217215200-42d3e9bedb6d h1:t/LOSXPJ9R0B6fnZNyALBRfZBH0Uy0gT+uR+SJ6syqQ=
@@ -378,6 +435,7 @@ gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYs
 gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME=
 gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
@@ -388,3 +446,5 @@ gorm.io/gorm v1.31.1 h1:7CA8FTFz/gRfgqgpeKIBcervUn3xSyPUmr6B2WXJ7kg=
 gorm.io/gorm v1.31.1/go.mod h1:XyQVbO2k6YkOis7C2437jSit3SsDK72s7n7rsSHd+Gs=
 rogchap.com/v8go v0.9.0 h1:wYbUCO4h6fjTamziHrzyrPnpFNuzPpjZY+nfmZjNaew=
 rogchap.com/v8go v0.9.0/go.mod h1:MxgP3pL2MW4dpme/72QRs8sgNMmM0pRc8DPhcuLWPAs=
+sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo=
+sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8=
diff --git a/internal/native/darwin.go b/internal/native/darwin.go
index 659ec99..ee914c0 100644
--- a/internal/native/darwin.go
+++ b/internal/native/darwin.go
@@ -418,7 +418,7 @@ func getPlatformSerial() (string, error) {
 	return strings.TrimSpace(string(serialOut)), nil
 }
 
-func BlockURL(targetURL, title, reason string, tags []string, appName string) error {
+func BlockURL(targetURL, title string, reason string, tags []string, appName string) error {
 
 	data := struct {
 		URL        string `json:"url"`
diff --git a/internal/native/types.go b/internal/native/types.go
index 547f93a..a6121bf 100644
--- a/internal/native/types.go
+++ b/internal/native/types.go
@@ -44,8 +44,7 @@ func (e *NativeEvent) BrowserHostname() string {
 		return ""
 	}
 
-	// this is very annoying
-	hostname := strings.TrimPrefix(u.Host, "www.")
+	hostname := strings.TrimPrefix(strings.ToLower(u.Hostname()), "www.")
 
 	return hostname
 }
diff --git a/build_dev.go b/internal/settings/build_dev.go
similarity index 77%
rename from build_dev.go
rename to internal/settings/build_dev.go
index 6d9b1e0..5275fe8 100644
--- a/build_dev.go
+++ b/internal/settings/build_dev.go
@@ -1,5 +1,5 @@
 //go:build !production
 
-package main
+package settings
 
 const isProductionBuild = false
diff --git a/build_prod.go b/internal/settings/build_prod.go
similarity index 76%
rename from build_prod.go
rename to internal/settings/build_prod.go
index 85e1575..5c232e4 100644
--- a/build_prod.go
+++ b/internal/settings/build_prod.go
@@ -1,5 +1,5 @@
 //go:build production
 
-package main
+package settings
 
 const isProductionBuild = true
diff --git a/internal/settings/config.go b/internal/settings/config.go
new file mode 100644
index 0000000..e8ad28b
--- /dev/null
+++ b/internal/settings/config.go
@@ -0,0 +1,42 @@
+package settings
+
+type LLMProvider string
+
+const (
+	LLMProviderGoogle    LLMProvider = "google"
+	LLMProviderOpenAI    LLMProvider = "openai"
+	LLMProviderGroq      LLMProvider = "groq"
+	LLMProviderAnthropic LLMProvider = "anthropic"
+	LLMProviderDummy     LLMProvider = "dummy"
+)
+
+// AppConfig represents all configurable options for the application
+type AppConfig struct {
+	IdleThresholdSeconds        int         `json:"idle_threshold_seconds" mapstructure:"idle_threshold_seconds"`
+	HistoryRetentionDays        int         `json:"history_retention_days" mapstructure:"history_retention_days"`
+	DistractionAllowanceMinutes int         `json:"distraction_allowance_minutes" mapstructure:"distraction_allowance_minutes"`
+	CustomRulesJS               []string    `json:"custom_rules_js" mapstructure:"custom_rules_js"`
+	ClassificationLLMProvider   LLMProvider `json:"classification_llm_provider" mapstructure:"classification_llm_provider"`
+}
+
+// DefaultConfig returns the default application configuration
+func DefaultConfig() AppConfig {
+	return AppConfig{
+		IdleThresholdSeconds:        120, // 2 minutes
+		HistoryRetentionDays:        30,  // 30 days
+		DistractionAllowanceMinutes: 60,  // 1 hour
+		CustomRulesJS:               []string{},
+		ClassificationLLMProvider:   LLMProviderGoogle,
+	}
+}
+
+func IsProductionBuild() bool {
+	return isProductionBuild
+}
+
+func APIBaseURL() string {
+	if IsProductionBuild() {
+		return "https://api.focusd.so"
+	}
+	return "http://localhost:8089"
+}
diff --git a/internal/settings/service.go b/internal/settings/service.go
index 946afeb..c7d4795 100644
--- a/internal/settings/service.go
+++ b/internal/settings/service.go
@@ -1,129 +1,81 @@
 package settings
 
 import (
+	"encoding/base64"
 	"fmt"
-	"time"
+	"log/slog"
+	"path/filepath"
 
-	"gorm.io/gorm"
+	"github.com/spf13/viper"
 )
 
-type SettingsKey string
-
-const (
-	SettingsKeyCustomRules          SettingsKey = "custom_rules"
-	SettingsKeyIdleThreshold        SettingsKey = "idle_threshold"
-	SettingsKeyHistoryRetention     SettingsKey = "history_retention"
-	SettingsKeyDistractionAllowance SettingsKey = "distraction_allowance"
-)
-
-type Settings struct {
-	ID        int64       `gorm:"primaryKey;autoIncrement" json:"id"`
-	Key       SettingsKey `json:"key"`
-	Value     string      `json:"value"`
-	Version   int         `json:"version"`
-	CreatedAt int64       `json:"created_at"`
-}
-
-type Service struct {
-	db      *gorm.DB
-	version string
-}
-
-func NewService(db *gorm.DB, version string) (*Service, error) {
-	if err := db.Migrator().AutoMigrate(&Settings{}); err != nil {
-		return nil, fmt.Errorf("failed to migrate settings table: %w", err)
+// This service exposes interface for the frontend to interact with
+// viper to read/write settings through wails3 bindings mechanism
+type Service struct{}
+
+func NewService(configDir string) (*Service, error) {
+	// Set defaults
+	viper.SetDefault("idle_threshold_seconds", 120)
+	viper.SetDefault("history_retention_days", 30)
+	viper.SetDefault("distraction_allowance_minutes", 60)
+	viper.SetDefault("custom_rules_js", []string{})
+
+	// Config file settings
+	viper.SetConfigName("config")
+	viper.SetConfigType("yaml")
+	viper.AddConfigPath(configDir)
+
+	if err := viper.ReadInConfig(); err != nil {
+		if _, ok := err.(viper.ConfigFileNotFoundError); ok {
+			if err := viper.SafeWriteConfigAs(filepath.Join(configDir, "config.yaml")); err != nil {
+				return nil, fmt.Errorf("failed to create default config file: %w", err)
+			}
+		} else {
+			return nil, fmt.Errorf("failed to read config file: %w", err)
+		}
 	}
 
-	return &Service{db: db, version: version}, nil
+	return &Service{}, nil
 }
 
-func (s *Service) GetVersion() string {
-	return s.version
+func (s *Service) GetConfig() *AppConfig {
+	return GetConfig()
 }
 
-func (s *Service) Save(key SettingsKey, value string) error {
-	setting := Settings{Key: key, Value: value}
-
-	// get existing setting last version
-	var existing Settings
-	if err := s.db.Where("key = ?", key).Order("version DESC").First(&existing).Error; err != nil {
-		if err != gorm.ErrRecordNotFound {
-			return fmt.Errorf("failed to get existing setting: %w", err)
-		}
-	}
-
-	setting.Version = existing.Version + 1
-	setting.CreatedAt = time.Now().Unix()
-	setting.Value = value
-
-	if err := s.db.Create(&setting).Error; err != nil {
-		return err
-	}
+func (s *Service) SaveConfig(config AppConfig) error {
+	viper.Set("idle_threshold_seconds", config.IdleThresholdSeconds)
+	viper.Set("history_retention_days", config.HistoryRetentionDays)
+	viper.Set("distraction_allowance_minutes", config.DistractionAllowanceMinutes)
+	viper.Set("custom_rules_js", config.CustomRulesJS)
 
-	// Keep only the 10 most recent versions, delete older ones
-	const maxVersionsToKeep = 10
-	if setting.Version > maxVersionsToKeep {
-		if err := s.db.Where("key = ? AND version <= ?", key, setting.Version-maxVersionsToKeep).
-			Delete(&Settings{}).Error; err != nil {
-			return fmt.Errorf("failed to cleanup old versions: %w", err)
-		}
+	if err := viper.WriteConfig(); err != nil {
+		return fmt.Errorf("failed to write config to disk: %w", err)
 	}
 
 	return nil
 }
 
-func (s *Service) GetLatest(key SettingsKey) (*Settings, error) {
-	var setting Settings
-
-	if err := s.db.Where("key = ?", key).Order("version DESC").First(&setting).Error; err != nil {
-		if err != gorm.ErrRecordNotFound {
-			return nil, fmt.Errorf("failed to get setting: %w", err)
-		}
-
-		return nil, nil
+func GetConfig() *AppConfig {
+	config := DefaultConfig()
+	if err := viper.Unmarshal(&config); err != nil {
+		slog.Warn("failed to unmarshal config", "error", err)
 	}
 
-	return &setting, nil
+	return &config
 }
 
-// GetAll returns the latest version of each setting key.
-//
-// Returns:
-//   - []Settings: A slice of settings with the latest version for each key
-//   - error: Database error if the query fails
-func (s *Service) GetAll() ([]Settings, error) {
-	var settings []Settings
-
-	// Get distinct keys and their latest versions using a subquery
-	subQuery := s.db.Model(&Settings{}).
-		Select("key, MAX(version) as max_version").
-		Group("key")
-
-	if err := s.db.Model(&Settings{}).
-		Joins("JOIN (?) AS latest ON settings.key = latest.key AND settings.version = latest.max_version", subQuery).
-		Find(&settings).Error; err != nil {
-		return nil, fmt.Errorf("failed to get all settings: %w", err)
-	}
+func GetCustomRulesJS() string {
+	config := GetConfig()
 
-	return settings, nil
-}
+	if len(config.CustomRulesJS) == 0 {
+		return ""
+	}
 
-// GetVersionHistory returns the last N versions of a setting key, ordered by version descending.
-//
-// Parameters:
-//   - key: The settings key to get history for
-//   - limit: Maximum number of versions to return
-//
-// Returns:
-//   - []Settings: A slice of settings versions, newest first
-//   - error: Database error if the query fails
-func (s *Service) GetVersionHistory(key SettingsKey, limit int) ([]Settings, error) {
-	var settings []Settings
-	if err := s.db.Where("key = ?", key).
-		Order("version DESC").
-		Limit(limit).
-		Find(&settings).Error; err != nil {
-		return nil, fmt.Errorf("failed to get version history: %w", err)
+	decoded, err := base64.StdEncoding.DecodeString(config.CustomRulesJS[0])
+	if err != nil {
+		slog.Warn("failed to decode custom rules", "error", err)
+		return ""
 	}
-	return settings, nil
+
+	return string(decoded)
 }
diff --git a/internal/updater/updater.go b/internal/updater/updater.go
index 772ccac..5bb368e 100644
--- a/internal/updater/updater.go
+++ b/internal/updater/updater.go
@@ -27,8 +27,8 @@ const (
 )
 
 var allowedDownloadHosts = map[string]bool{
-	"github.com":                       true,
-	"objects.githubusercontent.com":    true,
+	"github.com":                            true,
+	"objects.githubusercontent.com":         true,
 	"github-releases.githubusercontent.com": true,
 }
 
diff --git a/internal/usage/assets/prompts/app_generic.txt b/internal/usage/assets/prompts/app_generic.txt
new file mode 100644
index 0000000..526ac88
--- /dev/null
+++ b/internal/usage/assets/prompts/app_generic.txt
@@ -0,0 +1,49 @@
+You are a Software Engineering Application Intent Classifier. Your job is to determine if the user is actively doing work related to their software engineering job or seeking entertainment/distraction.
+
+# Classification Logic
+
+## **productive**
+**Criteria:** Applications that directly support software engineering tasks: coding, debugging, learning, researching, planning, or deploying.
+**Signals to detect:**
+- **Editors/IDEs:** VS Code, Xcode, IntelliJ, PyCharm, GoLand, etc.
+- **Terminals/CLIs:** Terminal, iTerm, shells, build tools, git clients.
+- **Developer Tools:** API clients, DB clients, profilers, debuggers.
+- **Documentation/Research apps:** PDF readers for technical docs, reference tools.
+- **Project Management:** Jira, Linear, Trello, Notion when used for work.
+
+## **distracting**
+**Criteria:** Apps primarily for entertainment or non-work consumption.
+**Includes:**
+- Social media, chat apps used socially (Discord, WhatsApp, Facebook Messenger).
+- Streaming video/music (YouTube Music, Spotify, Netflix).
+- Games, gaming platforms.
+- Shopping, news, celebrity gossip.
+
+## **neutral**
+**Criteria:** Ambiguous utilities or general organizational tools.
+**Includes:**
+- Email, Calendar, Notes, general file managers.
+- General communication apps without context (Slack, Teams).
+- System settings or OS utilities.
+
+# Metadata Signals
+
+**Bundle ID** (when provided) is a precise, machine-readable identifier for the app (e.g. "com.apple.dt.Xcode", "com.spotify.client"). Use it as a strong classification signal.
+
+**App Store Category** (when provided) is Apple's own pre-assigned category for the app. Treat it as the strongest available signal:
+- "public.app-category.developer-tools" -> productive
+- "public.app-category.games" -> distracting
+- "public.app-category.entertainment" -> distracting
+- "public.app-category.social-networking" -> distracting
+- "public.app-category.music" -> distracting (unless context suggests otherwise)
+- "public.app-category.productivity" / "public.app-category.business" -> likely productive or neutral
+- "public.app-category.utilities" -> neutral
+
+Return a JSON object with the following keys:
+1. "classification": "productive", "neutral", or "distracting".
+2. "reasoning": Brief explanation.
+3. "tags": Array of strings from ONLY these options: ["coding", "docs", "debug", "communication", "terminal", "planning", "learning", "entertainment", "news", "social", "shopping", "terminal", "other"].
+   - IMPORTANT: Be extremely conservative with the "communication" tag. Only use it when there is actual messaging, emailing, or chatting happening. Do NOT use it for reading code reviews, terminal multiplexers, or project management.
+4. "confidence_score": Float (0.0 - 1.0)
+5. "detected_project": If the window title clearly implies a project name. Return null if no project can be reliably inferred.
+6. "detected_communication_channel": If the window title clearly implies a communication channel and the app has communication tag in the tags array, extract just the channel name (e.g. "engineering", "random"). Return null if no channel can be reliably inferred.
diff --git a/internal/usage/assets/prompts/app_slack.txt b/internal/usage/assets/prompts/app_slack.txt
new file mode 100644
index 0000000..bd36a5f
--- /dev/null
+++ b/internal/usage/assets/prompts/app_slack.txt
@@ -0,0 +1,36 @@
+You are a Slack Software Engineer Intent Classifier. Your job is to determine if the user is engaged in productive work communication, general organizational activity, or distracted by non-essential chatter. You will receive the desktop window title -- this is your main signal.
+
+# Classification Logic
+
+## **productive**
+**Criteria:** Direct work communication, project discussions, incident response, technical collaboration, or focused async work.
+**Indicators:**
+- Work-related channels: #engineering, #product, #design, #support, #incidents, #deploys, #standup, #sprint-*, #dev-*, #backend, #frontend, #infra, #security, #ops, #platform, #release-*, #bug-*, #feature-*, #project-*, #review-*, #ci-*, #monitoring, #alerts, #on-call
+- DMs discussing work tasks (inferred from title context)
+- Threads with technical discussions
+- Huddles or calls (likely meetings)
+- Canvas or document collaboration
+- Any channel name that clearly relates to a specific project, team function, or work task
+
+## **neutral**
+**Criteria:** General organizational communication that is neither clearly productive nor distracting. Company-wide or team-wide channels used for announcements and coordination.
+**Indicators:**
+- General channels: #general, #announcements, #company, #all-hands, #team-*, #org-*, #office-*, #hr, #it-support, #helpdesk, #onboarding, #welcome
+- Channels that serve organizational purposes without being directly about project work
+- Workspace home page or search without specific channel context
+- Browsing channel list without engaging (title contains "Browse channels" or similar)
+
+## **distracting**
+**Criteria:** Social channels, watercooler chat, entertainment, or passive browsing without clear work purpose.
+**Indicators:**
+- Social/fun channels: #random, #watercooler, #pets, #food, #memes, #off-topic, #fun-*, #chat-*, #social-*, #music, #gaming, #sports, #books, #movies, #travel, #fitness, #jokes, #dogs, #cats, #photos
+- Content consumption channels: #links, #articles, #videos, #interesting-*, #cool-*
+- Any channel name that suggests entertainment, socializing, or non-work activity
+
+# Output Format
+
+Return a JSON object with the following keys:
+1. "classification": "productive" (work communication), "neutral" (general org channels), or "distracting" (social/entertainment).
+2. "reasoning": Brief explanation.
+3. "tags": Array of strings from ONLY these options: ["communication", "entertainment", "time-sink", "content-consumption"].
+4. "confidence_score": Float (0.0 - 1.0)
diff --git a/internal/usage/assets/prompts/website_generic.txt b/internal/usage/assets/prompts/website_generic.txt
new file mode 100644
index 0000000..7ec4049
--- /dev/null
+++ b/internal/usage/assets/prompts/website_generic.txt
@@ -0,0 +1,40 @@
+You are a General Software Engineer Intent Classifier. Your job is to determine if the user is actively doing work related to their software engineering job or seeking entertainment/distraction.
+
+# Classification Logic
+
+## **productive**
+**Criteria:** Content that directly supports software engineering tasks: coding, debugging, learning, researching, planning, or deploying.
+**Signals to detect:**
+- **Documentation:** Official docs for languages, frameworks, libraries, APIs, clouds (AWS, GCP, Azure).
+- **Repositories:** GitHub, GitLab, Bitbucket (code viewing, PRs, issues).
+- **Q&A/Forums:** Stack Overflow, GitHub Discussions, technical forums.
+- **Tools:** Issue trackers (Jira, Linear), design tools (Figma), cloud consoles, CI/CD dashboards, localhost servers.
+- **Learning:** Technical tutorials, courses, engineering blogs, research papers.
+
+## **distracting**
+**Criteria:** Content irrelevant to work or primarily for entertainment/consumption.
+**Includes:**
+- Social media (Facebook, Instagram, TikTok, generic Twitter/X usage).
+- News, politics, sports, celebrity gossip.
+- Video streaming (Netflix, Hulu, HBO) and gaming.
+- Shopping (Amazon, eBay) unless clearly for work equipment.
+- General interest browsing not related to tech.
+
+## **neutral**
+**Criteria:** Ambiguous utilities or general organizational tools.
+**Includes:**
+- Email, Calendar (unless clearly personal).
+- General search (Google home page).
+- Banking, personal admin (borderline, but often necessary during work day).
+
+## Safety Override (Mandatory)
+- If the page appears related to payment, checkout, billing, invoice, booking, reservation, or confirmation flows,
+  classify as "neutral".
+- Never classify such pages as "distracting" because interruptions can break critical transactions.
+
+Return a JSON object with the following keys:
+1. "classification": "productive", "neutral", or "distracting".
+2. "reasoning": Brief explanation.
+3. "tags": Array of strings from ONLY these options: ["coding", "docs", "debug", "communication", "terminal", "planning", "learning", "entertainment", "news", "social", "shopping", "other"].
+   - IMPORTANT: Be extremely conservative with the "communication" tag. Only use it when there is actual messaging, emailing, or chatting happening. Do NOT use it for reading code reviews, terminal multiplexers, or project management.
+4. "confidence_score": Float (0.0 - 1.0)
diff --git a/internal/usage/assets/prompts/website_hackernews.txt b/internal/usage/assets/prompts/website_hackernews.txt
new file mode 100644
index 0000000..5c60922
--- /dev/null
+++ b/internal/usage/assets/prompts/website_hackernews.txt
@@ -0,0 +1,36 @@
+You are a Hacker News Software Engineer Intent Classifier. Your job is to determine if the user is actively doing work related to their software engineering job or seeking entertainment/distraction. Be RESTRICTIVE: only clearly work-related technical content is productive.
+
+# Classification Logic
+
+## **productive**
+**Criteria:** ONLY content that directly helps with software engineering work. Must be clearly technical and actionable.
+**Signals to detect:**
+- Technical articles about programming languages, frameworks, tools, or infrastructure
+- "Show HN" posts with genuine technical depth: new libraries, tools, architectures, or engineering solutions
+- "Ask HN" posts asking about specific technical problems: debugging, architecture decisions, tool selection, performance
+- Engineering blog posts: postmortems, system design, scaling, security, monitoring, deployment
+- Deep-dives into algorithms, data structures, distributed systems, databases, networking
+- Open source project announcements with technical substance
+- Language/framework release notes and migration guides
+- Security advisories, CVE discussions, vulnerability analysis
+- DevOps, SRE, and infrastructure discussions with technical depth
+
+## **distracting**
+**Criteria:** EVERYTHING ELSE. When in doubt, classify as distracting.
+**Includes:**
+- Political threads, policy discussions, regulation debates
+- Career advice, salary discussions, "Who is hiring?" threads, interview experiences
+- "Ask HN: What's your favorite X?" or opinion polls without technical depth
+- Lifestyle content, productivity tips, work-life balance discussions
+- Startup drama, company news without technical relevance, funding announcements
+- Non-technical "Show HN" (e.g. games, art projects, lifestyle apps without technical depth)
+- Meta-HN discussions about moderation, community, or voting
+- Science or academic content not directly related to software engineering
+- General interest articles (history, philosophy, economics) even if intellectually stimulating
+- Comment threads that have devolved into off-topic debate
+
+Return a JSON object with the following keys:
+1. "classification": "productive" (only clearly work-related technical content) or "distracting" (everything else).
+2. "reasoning": Brief explanation.
+3. "tags": Array of strings from ONLY these options: ["music", "ambient", "entertainment", "news", "edu", "learning", "content-consumption", "time-sink"].
+4. "confidence_score": Float (0.0 - 1.0)
diff --git a/internal/usage/assets/prompts/website_linkedin.txt b/internal/usage/assets/prompts/website_linkedin.txt
new file mode 100644
index 0000000..7b4a166
--- /dev/null
+++ b/internal/usage/assets/prompts/website_linkedin.txt
@@ -0,0 +1,90 @@
+You are a STRICT LinkedIn Software Engineering Intent Classifier.
+
+Your job is NOT to detect whether a post is about tech.
+Your job is to determine whether the user is actively doing work or learning job-relevant software engineering skills.
+
+You must be extremely conservative.
+
+If there is ANY ambiguity, classify as "distracting".
+
+# Classification Logic
+
+## CORE PRINCIPLE
+
+Tech topic != Productive.
+
+A video is "productive" ONLY if it clearly contains:
+- Step-by-step instruction
+- Hands-on coding
+- Technical walkthrough
+- Debugging session
+- Deep system design explanation
+- Practical implementation details
+
+If the video is:
+- Opinion-based
+- News-style
+- Reaction-style
+- Influencer commentary
+- Product hype
+- Drama framing
+- Industry gossip
+- "X just killed Y"
+- "This changes everything"
+- "You won't believe..."
+- Tool announcement coverage
+- AI model launch discussion without hands-on demo
+
+-> It is "distracting".
+
+## HARD RULES
+
+1. Reviews, comparisons, or "vs" videos are ONLY productive if:
+   - They include real code examples, benchmarks, architecture diagrams, or implementation walkthroughs.
+   - Otherwise they are distracting.
+
+2. Any video framed around:
+   - hype
+   - shock value
+   - "killer"
+   - "destroyed"
+   - "insane"
+   - "crazy"
+   - "just dropped"
+   - "game changer"
+   - "you need to see this"
+   is automatically classified as "distracting".
+
+3. Influencer-style commentary, even about technical tools, is "distracting".
+
+4. AI news coverage is "distracting" unless it teaches how to implement or use the tool with code.
+
+5. Productive requires clear evidence of active skill development.
+
+# Classification Logic
+
+## **productive**
+**Criteria:** ONLY content that directly helps with software engineering work. Must be clearly technical and actionable.
+**Signals to detect:**
+- Technical how-to guides, tutorials, or walkthroughs (coding, architecture, DevOps, tooling)
+- Technology or framework comparisons (e.g. "X vs Y", "Choosing between...")
+- System design, architecture, or engineering blog posts with technical depth
+- Code-related discussions, debugging, performance, security, or infrastructure
+- LinkedIn Learning or similar courses on relevant tech (when identifiable from title/description)
+- Research or deep-dives on languages, frameworks, APIs, or platforms
+
+## **distracting**
+**Criteria:** EVERYTHING ELSE. When in doubt, classify as distracting.
+**Includes:**
+- Career advice, salary discussions, interview stories, job-search content
+- Motivational or hustle-culture posts, influencer content, engagement bait
+- Networking, recruiter messages, profile browsing, company PR or news
+- Personal stories, "hot takes", memes, rants about managers or workplace culture
+- Generic business or leadership content without technical depth
+- Any content that is not clearly and specifically about doing technical work
+
+Return a JSON object with the following keys:
+1. "classification": "productive" (only clearly work-related technical content) or "distracting" (everything else).
+2. "reasoning": Brief explanation.
+3. "tags": Array of strings from ONLY these options: ["music", "ambient", "entertainment", "news", "edu", "learning", "content-consumption", "time-sink"].
+4. "confidence_score": Float (0.0 - 1.0)
diff --git a/internal/usage/assets/prompts/website_medium.txt b/internal/usage/assets/prompts/website_medium.txt
new file mode 100644
index 0000000..ec000c9
--- /dev/null
+++ b/internal/usage/assets/prompts/website_medium.txt
@@ -0,0 +1,31 @@
+You are a Medium Software Engineer Intent Classifier. Your job is to determine if the user is actively doing work related to their software engineering job or seeking entertainment/distraction. Be RESTRICTIVE: only clearly work-related technical content is productive.
+
+NOTE: You will only receive the URL and the browser tab title. Medium articles encode meaningful keywords in their URL slugs (e.g. "golang-web-frameworks-top-picks-for-modern-development"). Use both the URL slug and the title to infer the article's topic.
+
+# Classification Logic
+
+## **productive**
+**Criteria:** ONLY content that directly helps with software engineering work. Must be clearly technical and actionable.
+**Signals to detect:**
+- URL slugs or titles containing technical terms: programming languages (golang, rust, python, javascript, typescript, etc.), frameworks (react, django, gin, fiber, etc.), tools (docker, kubernetes, terraform, etc.)
+- Technical blog posts, engineering deep-dives, tutorials, how-to guides
+- System design, architecture, or engineering articles with technical depth
+- DevOps write-ups, postmortems, infrastructure, deployment, monitoring
+- Code snippets, debugging, performance, security, APIs, databases
+- Author paths or slugs suggesting technical publications: better-programming, level-up-coding, towards-data-science, aws-in-plain-english, etc.
+
+## **distracting**
+**Criteria:** EVERYTHING ELSE. When in doubt, classify as distracting.
+**Includes:**
+- Self-help, productivity porn, hustle culture, life advice, motivational content
+- Opinion pieces, listicles without technical depth, "top 10" non-technical lists
+- Personal stories, career advice, interview stories, salary discussions
+- Politics, lifestyle content, relationship or wellness advice
+- Publications that often host non-technical content: The Startup, Personal Growth, etc.
+- Any content that is not clearly and specifically about doing technical work
+
+Return a JSON object with the following keys:
+1. "classification": "productive" (only clearly work-related technical content) or "distracting" (everything else).
+2. "reasoning": Brief explanation.
+3. "tags": Array of strings from ONLY these options: ["music", "ambient", "entertainment", "news", "edu", "learning", "content-consumption", "time-sink"].
+4. "confidence_score": Float (0.0 - 1.0)
diff --git a/internal/usage/assets/prompts/website_reddit.txt b/internal/usage/assets/prompts/website_reddit.txt
new file mode 100644
index 0000000..dff9dd9
--- /dev/null
+++ b/internal/usage/assets/prompts/website_reddit.txt
@@ -0,0 +1,28 @@
+You are a Reddit Software Engineer Intent Classifier. Your job is to determine if the user is actively doing work related to their software engineering job or seeking entertainment/distraction.
+
+# Classification Logic
+
+## **productive**
+**Criteria:** Content that directly helps the user with software engineering work: solving technical problems, learning job-relevant skills, system design, architecture, DevOps, debugging, code reviews, or technical leadership.
+**Signals to detect:**
+- **Subreddits:** "programming", "webdev", "golang", "rust", "python", "javascript", "typescript", "devops", "docker", "kubernetes", "linux", "vim", "neovim", "aws", "azure", "gcp", "database", "sql", "react", "svelte", "vue", "node", "backend", "frontend", "softwareengineering", "experienceddevs", "sre", "netsec", "security", "terraform", "ansible", "graphql", "grpc", "microservices", "systemdesign"
+- **Title patterns:** "How to", "Help with", "Debug", "Error", "Fix", "Solved", "Issue with", "Problem:", "[Question]", "Why does", "Best practice", "Architecture", "Design review", "Code review", "Production issue", "Outage", "Incident"
+- **Content signals:** Stack traces, code snippets, error messages, technical discussions, architecture diagrams, system design questions, API discussions, infrastructure problems, deployment issues, monitoring/observability, security vulnerabilities, performance optimization
+
+## **distracting**
+**Criteria:** **EVERYTHING ELSE.** If the content is for entertainment, general browsing, memes, news, politics, gaming, or passive consumption, it is distracting.
+**Includes:**
+- Meme subreddits (even tech memes like "ProgrammerHumor" - entertainment, not work)
+- News, politics, world events
+- Gaming, hobbies, lifestyle content
+- General discussion threads without a specific technical problem
+- Career rants, salary discussions, workplace drama, interview stories
+- "What's your favorite X" or opinion polls
+- Showcase posts without technical depth
+- Venting about managers, coworkers, or company culture
+
+Return a JSON object with the following keys:
+1. "classification": "productive" (actively doing work) or "distracting" (everything else).
+2. "reasoning": Brief explanation.
+3. "tags": Array of strings from ONLY these options: ["music", "ambient", "entertainment", "news", "edu", "learning", "content-consumption", "time-sink"].
+4. "confidence_score": Float (0.0 - 1.0)
diff --git a/internal/usage/assets/prompts/website_substack.txt b/internal/usage/assets/prompts/website_substack.txt
new file mode 100644
index 0000000..ea407c2
--- /dev/null
+++ b/internal/usage/assets/prompts/website_substack.txt
@@ -0,0 +1,35 @@
+You are a Substack Software Engineer Intent Classifier. Your job is to determine if the user is actively doing work related to their software engineering job or seeking entertainment/distraction. Be RESTRICTIVE: only clearly work-related technical content is productive.
+
+# Classification Logic
+
+## **productive**
+**Criteria:** ONLY content that directly helps with software engineering work. Must be clearly technical and actionable.
+**Signals to detect:**
+- Technical newsletters about programming, system design, architecture, DevOps, security
+- Engineering deep-dives: database internals, distributed systems, networking, performance
+- Language or framework tutorials, guides, and best practices
+- Security advisories, vulnerability analysis, threat modeling
+- Infrastructure and cloud engineering content
+- Open source project updates with technical substance
+- Technical book reviews or paper summaries relevant to software engineering
+- Newsletter authors known for technical content (e.g. engineering-focused Substacks)
+- URL subdomains or slugs containing technical terms: programming languages, frameworks, tools
+
+## **distracting**
+**Criteria:** EVERYTHING ELSE. When in doubt, classify as distracting.
+**Includes:**
+- Self-help, productivity advice, hustle culture, motivational content
+- Career advice, job market analysis, salary discussions, interview tips
+- Opinion pieces, hot takes, and thought leadership without technical depth
+- Political commentary, news analysis, cultural criticism
+- Lifestyle content, wellness, personal finance, relationship advice
+- General interest newsletters (history, philosophy, economics)
+- Tech industry gossip, company drama, funding news without technical relevance
+- "State of the industry" pieces that are opinion-heavy and light on technical content
+- Any content that is not clearly and specifically about doing technical work
+
+Return a JSON object with the following keys:
+1. "classification": "productive" (only clearly work-related technical content) or "distracting" (everything else).
+2. "reasoning": Brief explanation.
+3. "tags": Array of strings from ONLY these options: ["music", "ambient", "entertainment", "news", "edu", "learning", "content-consumption", "time-sink"].
+4. "confidence_score": Float (0.0 - 1.0)
diff --git a/internal/usage/assets/prompts/website_twitter.txt b/internal/usage/assets/prompts/website_twitter.txt
new file mode 100644
index 0000000..9a5472c
--- /dev/null
+++ b/internal/usage/assets/prompts/website_twitter.txt
@@ -0,0 +1,37 @@
+You are an X/Twitter Software Engineer Intent Classifier. Your job is to determine if the user is actively doing work related to their software engineering job or seeking entertainment/distraction. Be RESTRICTIVE: only clearly work-related technical content is productive.
+
+NOTE: You will only receive the URL and the browser tab title. For individual tweets, the browser tab title contains the tweet text. Use both the URL structure and the title to infer the content's purpose.
+
+# Classification Logic
+
+## **productive**
+**Criteria:** ONLY content that directly helps with software engineering work. Must be clearly technical and actionable.
+**Signals to detect:**
+- Technical threads about programming, engineering, architecture, DevOps, security, or infrastructure
+- Library, framework, or language release announcements and changelogs (e.g. "Go 1.23 released", "React 19 is out")
+- Incident postmortems and production war stories with technical lessons
+- Links to or discussions of engineering blog posts, technical papers, or documentation
+- Open source project announcements with technical depth
+- Code snippets, debugging discussions, performance analysis, security advisories
+- Profiles of well-known technical authors when viewing their technical content
+- Technical conference announcements, talk summaries, or slide decks
+
+## **distracting**
+**Criteria:** EVERYTHING ELSE. When in doubt, classify as distracting.
+**Includes:**
+- Hot takes, opinions, and engagement bait (even about tech topics like "X is dead", "Y is overrated")
+- Tech memes, jokes, and humorous content
+- Career advice, salary discussions, job search content, interview stories
+- Political content, news, world events
+- Personal stories, life updates, motivational content
+- Recruiter outreach, hiring announcements, company PR
+- Celebrity or influencer content
+- Rants about managers, workplace culture, or industry drama
+- "Unpopular opinion" or "hot take" threads
+- Any content that is not clearly and specifically about doing technical work
+
+Return a JSON object with the following keys:
+1. "classification": "productive" (only clearly work-related technical content) or "distracting" (everything else).
+2. "reasoning": Brief explanation.
+3. "tags": Array of strings from ONLY these options: ["music", "ambient", "entertainment", "news", "edu", "learning", "content-consumption", "time-sink"].
+4. "confidence_score": Float (0.0 - 1.0)
diff --git a/internal/usage/assets/prompts/website_youtube.txt b/internal/usage/assets/prompts/website_youtube.txt
new file mode 100644
index 0000000..0e49a7e
--- /dev/null
+++ b/internal/usage/assets/prompts/website_youtube.txt
@@ -0,0 +1,28 @@
+You are a YouTube activity classifier for software engineers.
+Classify into: "productive", "neutral", or "distracting".
+
+Apply rules in this exact order:
+
+1) MUSIC/AMBIENT OVERRIDE -> "neutral"
+If content is primarily music, ambient audio, white noise, nature/rain sounds, lo-fi, instrumental, DJ mix, radio stream, soundtrack, focus audio, or playlist, classify as "neutral" (even if visuals exist).
+
+2) WORK-RELATED EDUCATIONAL -> "productive"
+Classify as "productive" only when content clearly teaches software-engineering skills relevant to work (coding tutorials, debugging walkthroughs, architecture/system design, practical implementation).
+
+3) DISTRACTING-BY-DEFAULT SIGNALS -> "distracting"
+Opinion/commentary, news-style, reaction content, influencer takes, product hype, drama framing, industry gossip, sensational titles ("X killed Y", "this changes everything", "you won't believe"), tool announcement coverage, and AI model launch discussion without hands-on implementation are "distracting".
+
+4) EVERYTHING ELSE -> "distracting"
+Any non-work educational content or general consumption is "distracting".
+
+Tie-breakers:
+- If unsure between productive and distracting, choose "distracting".
+- If unsure whether content is primarily music/ambient, choose "neutral".
+
+Use URL, title, description, and tags as evidence.
+
+Return ONLY valid JSON:
+1. "classification": "productive", "neutral", or "distracting".
+2. "reasoning": Brief evidence-based explanation.
+3. "tags": Array of strings from ONLY these options (choose as many as applicable): ["music", "ambient", "politics", "entertainment", "news", "edu", "learning", "content-consumption", "time-sink"].
+4. "confidence_score": Float (0.0 - 1.0)
diff --git a/internal/usage/classifier_critical_pages.go b/internal/usage/classifier_critical_pages.go
new file mode 100644
index 0000000..6c73b0b
--- /dev/null
+++ b/internal/usage/classifier_critical_pages.go
@@ -0,0 +1,222 @@
+// Critical no-block safeguards for transaction-like pages.
+//
+// Why this exists:
+// Blocking the wrong page can break real-world user actions with consequences, such as
+// failed payments, lost checkout sessions, duplicate charges, expired 3DS challenges,
+// or interrupted booking/reservation confirmations. Those are high-cost interruptions,
+// so we bias toward safety and avoid classifying such flows as distracting.
+//
+// How it works:
+//  1. Deterministic URL/provider signals catch high-confidence payment and booking flows
+//     (e.g. known gateway hosts and checkout/billing/confirmation paths) and force neutral.
+//  2. Suspicious context detection marks ambiguous cases so callers can apply a fail-safe
+//     neutral outcome when LLM classification is uncertain (error/low confidence).
+//
+// This keeps strict protection where it matters while reducing false positives from weak
+// keyword-only title/content matches.
+package usage
+
+import (
+	"net/url"
+	"strings"
+)
+
+var deterministicCriticalHosts = []string{
+	"checkout.stripe.com",
+	"billing.stripe.com",
+	"checkout.paypal.com",
+	"checkout.adyen.com",
+	"secure.adyen.com",
+	"pay.braintreegateway.com",
+	"secure.authorize.net",
+	"accept.authorize.net",
+	"checkout.klarna.com",
+	"pay.klarna.com",
+	"checkout.affirm.com",
+	"pay.affirm.com",
+	"checkout.afterpay.com",
+	"pay.afterpay.com",
+	"cash.app",
+	"square.link",
+	"pay.shopify.com",
+	"checkout.shopify.com",
+}
+
+var deterministicCriticalPathTokens = []string{
+	"checkout",
+	"checkoutnow",
+	"payment",
+	"payments",
+	"pay",
+	"paynow",
+	"billing",
+	"invoice",
+	"invoices",
+	"transaction",
+	"3dsecure",
+	"3ds",
+	"book",
+	"booking",
+	"bookings",
+	"reservation",
+	"reservations",
+	"confirm",
+	"confirmation",
+}
+
+var suspiciousCriticalTokens = []string{
+	"checkout",
+	"payment",
+	"payments",
+	"pay",
+	"billing",
+	"invoice",
+	"invoices",
+	"transaction",
+	"3ds",
+	"reservation",
+	"reservations",
+	"booking",
+	"bookings",
+	"confirmation",
+}
+
+var suspiciousCriticalPhrases = []string{
+	"complete payment",
+	"secure checkout",
+	"confirm payment",
+	"confirm your booking",
+	"complete your booking",
+	"3d secure",
+	"reservation confirmation",
+	"booking confirmation",
+	"pay now",
+}
+
+var pathBasedProviderSignals = map[string][]string{
+	"paypal.com":   {"checkout", "checkoutnow", "webscr", "billing", "invoice", "pay", "subscription"},
+	"stripe.com":   {"checkout", "billing", "payment", "invoice", "portal", "pay"},
+	"adyen.com":    {"checkout", "payment", "pay"},
+	"braintree":    {"checkout", "payment", "pay"},
+	"klarna.com":   {"checkout", "payment", "pay"},
+	"affirm.com":   {"checkout", "payment", "pay"},
+	"afterpay.com": {"checkout", "payment", "pay"},
+	"squareup.com": {"checkout", "payment", "pay", "invoice"},
+	"shopify.com":  {"checkout", "payment", "billing"},
+}
+
+func isDeterministicCriticalNoBlockURL(rawURL string) bool {
+	u, err := url.Parse(rawURL)
+	if err != nil {
+		return false
+	}
+
+	host := strings.ToLower(strings.TrimPrefix(u.Hostname(), "www."))
+	if host == "" {
+		return false
+	}
+
+	if hostMatchesAny(host, deterministicCriticalHosts) {
+		return true
+	}
+
+	pathSignals := normalizeForMatch(strings.Join([]string{u.Path, u.RawQuery, u.Fragment}, " "))
+	for providerSignal, tokens := range pathBasedProviderSignals {
+		if strings.Contains(host, providerSignal) && hasAnyToken(pathSignals, tokens) {
+			return true
+		}
+	}
+
+	if hasAtLeastNTokens(pathSignals, []string{"checkout", "payment", "billing", "invoice", "3ds", "reservation", "booking", "confirm", "confirmation"}, 2) {
+		return true
+	}
+
+	if hasAnyToken(pathSignals, deterministicCriticalPathTokens) {
+		if hostMatchesAny(host, []string{"paypal.com", "stripe.com", "adyen.com", "braintreegateway.com", "klarna.com", "affirm.com", "afterpay.com", "squareup.com", "shopify.com"}) {
+			return true
+		}
+
+		for _, indicator := range []string{"pay", "checkout", "billing", "booking", "reservation", "invoice"} {
+			if strings.Contains(host, indicator) {
+				return true
+			}
+		}
+	}
+
+	return false
+}
+
+func isSuspiciousCriticalContext(rawURL, title, mainContent string) bool {
+	if rawURL == "" && title == "" && mainContent == "" {
+		return false
+	}
+
+	var urlSignals string
+	if u, err := url.Parse(rawURL); err == nil {
+		urlSignals = strings.Join([]string{u.Path, u.RawQuery, u.Fragment}, " ")
+	}
+
+	normalized := normalizeForMatch(strings.Join([]string{urlSignals, title, mainContent}, " "))
+	if hasAnyPhrase(normalized, suspiciousCriticalPhrases) {
+		return true
+	}
+
+	return hasAtLeastNTokens(normalized, suspiciousCriticalTokens, 2)
+}
+
+func hostMatchesAny(host string, candidates []string) bool {
+	for _, candidate := range candidates {
+		if host == candidate || strings.HasSuffix(host, "."+candidate) {
+			return true
+		}
+	}
+
+	return false
+}
+
+func normalizeForMatch(input string) string {
+	input = strings.ToLower(input)
+
+	return strings.Join(strings.FieldsFunc(input, func(r rune) bool {
+		return (r < 'a' || r > 'z') && (r < '0' || r > '9')
+	}), " ")
+}
+
+func hasAnyToken(normalized string, tokens []string) bool {
+	for _, token := range tokens {
+		if strings.Contains(" "+normalized+" ", " "+token+" ") {
+			return true
+		}
+	}
+
+	return false
+}
+
+func hasAtLeastNTokens(normalized string, tokens []string, required int) bool {
+	count := 0
+	for _, token := range tokens {
+		if strings.Contains(" "+normalized+" ", " "+token+" ") {
+			count++
+			if count >= required {
+				return true
+			}
+		}
+	}
+
+	return false
+}
+
+func hasAnyPhrase(normalized string, phrases []string) bool {
+	for _, phrase := range phrases {
+		normalizedPhrase := normalizeForMatch(phrase)
+		if normalizedPhrase == "" {
+			continue
+		}
+
+		if strings.Contains(" "+normalized+" ", " "+normalizedPhrase+" ") {
+			return true
+		}
+	}
+
+	return false
+}
diff --git a/internal/usage/classifier_critical_pages_test.go b/internal/usage/classifier_critical_pages_test.go
new file mode 100644
index 0000000..82b556f
--- /dev/null
+++ b/internal/usage/classifier_critical_pages_test.go
@@ -0,0 +1,121 @@
+package usage
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestIsDeterministicCriticalNoBlockURL(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name     string
+		rawURL   string
+		expected bool
+	}{
+		{
+			name:     "detects stripe checkout host",
+			rawURL:   "https://checkout.stripe.com/c/pay/cs_test_123",
+			expected: true,
+		},
+		{
+			name:     "detects paypal checkout host",
+			rawURL:   "https://checkout.paypal.com/checkoutnow?token=123",
+			expected: true,
+		},
+		{
+			name:     "detects provider path flow",
+			rawURL:   "https://www.paypal.com/checkoutnow?token=abc",
+			expected: true,
+		},
+		{
+			name:     "does not match hostname only",
+			rawURL:   "https://paypal.com/",
+			expected: false,
+		},
+		{
+			name:     "non critical page",
+			rawURL:   "https://example.com/news",
+			expected: false,
+		},
+	}
+
+	for _, tt := range tests {
+		tc := tt
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			actual := isDeterministicCriticalNoBlockURL(tc.rawURL)
+			require.Equal(t, tc.expected, actual)
+		})
+	}
+}
+
+func TestIsSuspiciousCriticalContext(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name        string
+		rawURL      string
+		title       string
+		mainContent string
+		expected    bool
+	}{
+		{
+			name:        "detects strong phrase from content",
+			rawURL:      "https://example.com/flow",
+			mainContent: "Please complete payment to confirm your booking",
+			expected:    true,
+		},
+		{
+			name:     "detects multi token from title",
+			rawURL:   "https://example.com/flow",
+			title:    "Reservation payment confirmation",
+			expected: true,
+		},
+		{
+			name:     "does not trigger for weak single mention",
+			rawURL:   "https://example.com/blog/payment-systems",
+			title:    "How payment systems work",
+			expected: false,
+		},
+		{
+			name:     "non critical page",
+			rawURL:   "https://example.com/news",
+			title:    "Top engineering trends",
+			expected: false,
+		},
+	}
+
+	for _, tt := range tests {
+		tc := tt
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			actual := isSuspiciousCriticalContext(tc.rawURL, tc.title, tc.mainContent)
+			require.Equal(t, tc.expected, actual)
+		})
+	}
+}
+
+func TestClassifyObviouslyWebsite_CriticalNoBlockOverride(t *testing.T) {
+	t.Parallel()
+
+	svc := &Service{}
+	resp, err := svc.classifyObviouslyWebsite(context.Background(), "https://amazon.com/checkout?payment=true")
+	require.NoError(t, err)
+	require.NotNil(t, resp)
+	require.Equal(t, ClassificationNeutral, resp.Classification)
+	require.Equal(t, ClassificationSourceObviously, resp.ClassificationSource)
+}
+
+func TestClassifyObviouslyWebsite_StillBlocksNonCriticalShoppingPages(t *testing.T) {
+	t.Parallel()
+
+	svc := &Service{}
+	resp, err := svc.classifyObviouslyWebsite(context.Background(), "https://amazon.com/deals")
+	require.NoError(t, err)
+	require.NotNil(t, resp)
+	require.Equal(t, ClassificationDistracting, resp.Classification)
+	require.Equal(t, ClassificationSourceObviously, resp.ClassificationSource)
+}
diff --git a/internal/usage/classifier_custom_rules.go b/internal/usage/classifier_custom_rules.go
index 2bd7610..f589410 100644
--- a/internal/usage/classifier_custom_rules.go
+++ b/internal/usage/classifier_custom_rules.go
@@ -11,28 +11,13 @@ import (
 	"github.com/focusd-so/focusd/internal/settings"
 )
 
-func (s *Service) ClassifyCustomRules(ctx context.Context, appName string, url *string, nowTime *time.Time) (*ClassificationResponse, error) {
-	if s.settingsService == nil {
-		slog.Warn("settings service is nil, skipping custom rules classification")
-
-		return nil, nil
-	}
-
+func (s *Service) ClassifyCustomRules(ctx context.Context, opts ...sandboxContextOption) (*ClassificationResponse, error) {
 	slog.Info("classifying application usage with custom rules")
 
-	sandboxCtx := createSandboxContext(appName, url)
-
-	if nowTime != nil {
-		t := *nowTime
-		sandboxCtx.Now = func(loc *time.Location) time.Time {
-			return t.In(loc)
-		}
-	}
-
-	return s.ClassifyCustomRulesWithSandbox(ctx, sandboxCtx)
+	return s.classifyCustomRulesWithSandbox(ctx, NewSandboxContext(opts...))
 }
 
-func (s *Service) ClassifyCustomRulesWithSandbox(ctx context.Context, sandboxCtx sandboxContext) (*ClassificationResponse, error) {
+func (s *Service) classifyCustomRulesWithSandbox(ctx context.Context, sandboxCtx sandboxContext) (*ClassificationResponse, error) {
 	// Serialize the context to JSON
 	contextJSON, err := json.Marshal(sandboxCtx)
 	if err != nil {
@@ -115,17 +100,13 @@ func (s *Service) ClassifyCustomRulesWithSandbox(ctx context.Context, sandboxCtx
 
 func (s *Service) classifySandbox(ctx context.Context, sandboxCtx sandboxContext) (desicion *classificationDecision, logs []string, err error) {
 	// Get the latest custom rules code
-	customRules, err := s.settingsService.GetLatest(settings.SettingsKeyCustomRules)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	if customRules == nil || customRules.Value == "" {
+	customRules := settings.GetCustomRulesJS()
+	if customRules == "" {
 		return nil, nil, nil
 	}
 
 	// Create a new sandbox with the custom rules code
-	sb, err := newSandbox(customRules.Value)
+	sb, err := newSandbox(customRules)
 	if err != nil {
 		return nil, nil, err
 	}
diff --git a/internal/usage/classifier_custom_rules_test.go b/internal/usage/classifier_custom_rules_test.go
index 5af3e76..1403541 100644
--- a/internal/usage/classifier_custom_rules_test.go
+++ b/internal/usage/classifier_custom_rules_test.go
@@ -1,36 +1,17 @@
-package usage
+package usage_test
 
 import (
 	"context"
+	"encoding/base64"
 	"strings"
 	"testing"
 	"time"
 
+	"github.com/focusd-so/focusd/internal/usage"
+	"github.com/spf13/viper"
 	"github.com/stretchr/testify/require"
-	"gorm.io/driver/sqlite"
-	"gorm.io/gorm"
-
-	"github.com/focusd-so/focusd/internal/settings"
 )
 
-func setupSettingsService(t *testing.T) *settings.Service {
-	db, _ := gorm.Open(sqlite.Open(":memory:"), &gorm.Config{})
-
-	service, err := settings.NewService(db, "test")
-	require.NoError(t, err, "failed to create settings service")
-
-	return service
-}
-
-func setUpService(t *testing.T, options ...Option) (*Service, *gorm.DB) {
-	db, _ := gorm.Open(sqlite.Open(":memory:"), &gorm.Config{})
-
-	service, err := NewService(context.Background(), db, options...)
-	require.NoError(t, err, "failed to create service")
-
-	return service, db
-}
-
 var customRulesApps = `
 /**
 * Custom classification logic.
@@ -42,7 +23,7 @@ export function classify(ctx: Context): ClassificationDecision | undefined {
 	if (now().getHours() == 10 && now().getMinutes() > 0 && now().getMinutes() < 30) {
 		return {
 			classification: Classification.Productive,
-			reasoning: "Work-related activity",
+			classificationReasoning: "Work-related activity",
 			tags: ["work", "productivity"],
 		}
 	}
@@ -52,7 +33,7 @@ export function classify(ctx: Context): ClassificationDecision | undefined {
 	if (ctx.appName == "Slack") {
 		return {
 			classification: Classification.Neutral,
-			reasoning: "Slack is a neutral app",
+			classificationReasoning: "Slack is a neutral app",
 			tags: ["communication", "work"],
 		}
 	}
@@ -62,7 +43,7 @@ export function classify(ctx: Context): ClassificationDecision | undefined {
 	if (ctx.minutesSinceLastBlock >= 20 && ctx.minutesUsedSinceLastBlock < 5 && ctx.appName == "Discord") {
 		return {
 			classification: Classification.Neutral,
-			reasoning: "Allow using 5 mins every 20 mins",
+			classificationReasoning: "Allow using 5 mins every 20 mins",
 			tags: ["resting", "relaxing"],
 		}
 	}
@@ -86,14 +67,14 @@ export function classify(ctx: Context): ClassificationDecision | undefined {
 	if (minutesUsed > 30) {
 		return {
 			classification: Classification.Distracting,
-			reasoning: "Too much time spent: " + minutesUsed + " minutes",
+			classificationReasoning: "Too much time spent: " + minutesUsed + " minutes",
 			tags: ["limit-exceeded"],
 		}
 	}
 	
 	return {
 		classification: Classification.Neutral,
-		reasoning: "Under limit: " + minutesUsed + " minutes",
+		classificationReasoning: "Under limit: " + minutesUsed + " minutes",
 		tags: ["within-limit"],
 	}
 }
@@ -105,7 +86,7 @@ export function classify(ctx: Context): ClassificationDecision | undefined {
 	if (ctx.domain === "youtube.com") {
 		return {
 			classification: Classification.Distracting,
-			reasoning: "YouTube is distracting",
+			classificationReasoning: "YouTube is distracting",
 			tags: ["video", "entertainment"],
 		}
 	}
@@ -114,7 +95,7 @@ export function classify(ctx: Context): ClassificationDecision | undefined {
 	if (ctx.hostname === "docs.google.com") {
 		return {
 			classification: Classification.Productive,
-			reasoning: "Google Docs is productive",
+			classificationReasoning: "Google Docs is productive",
 			tags: ["docs", "work"],
 		}
 	}
@@ -123,7 +104,7 @@ export function classify(ctx: Context): ClassificationDecision | undefined {
 	if (ctx.hostname === "github.com" && ctx.path.startsWith("/pulls")) {
 		return {
 			classification: Classification.Productive,
-			reasoning: "Reviewing pull requests",
+			classificationReasoning: "Reviewing pull requests",
 			tags: ["code-review", "work"],
 		}
 	}
@@ -132,7 +113,7 @@ export function classify(ctx: Context): ClassificationDecision | undefined {
 	if (ctx.url === "https://twitter.com/home") {
 		return {
 			classification: Classification.Distracting,
-			reasoning: "Twitter home feed",
+			classificationReasoning: "Twitter home feed",
 			tags: ["social-media"],
 		}
 	}
@@ -142,101 +123,88 @@ export function classify(ctx: Context): ClassificationDecision | undefined {
 `
 
 func TestClassifyCustomRules_Application(t *testing.T) {
-	settingsService := setupSettingsService(t)
-	require.NoError(t, settingsService.Save(settings.SettingsKeyCustomRules, customRulesApps))
+	encoded := base64.StdEncoding.EncodeToString([]byte(customRulesApps))
+	viper.SetDefault("custom_rules_js", []string{encoded})
 
-	service, _ := setUpService(t, WithSettingsService(settingsService))
+	service, _ := setUpService(t)
 
 	// match Slack app
-	response, err := service.ClassifyCustomRules(context.Background(), "Slack", nil, nil)
+	response, err := service.ClassifyCustomRules(context.Background(), usage.WithAppNameContext("Slack"))
 	require.NoError(t, err)
 	require.NotNil(t, response)
-	require.Equal(t, ClassificationNeutral, response.Classification)
+	require.Equal(t, usage.ClassificationNeutral, response.Classification)
 	require.Equal(t, "Slack is a neutral app", response.Reasoning)
 	require.Equal(t, []string{"communication", "work"}, response.Tags)
 
 	// no match Steam app
-	response, err = service.ClassifyCustomRules(context.Background(), "Steam", nil, nil)
+	response, err = service.ClassifyCustomRules(context.Background(), usage.WithAppNameContext("Steam"))
 	require.NoError(t, err)
 	require.Nil(t, response)
 }
 
 func TestClassifyCustomRules_Application_Time(t *testing.T) {
-	settingsService := setupSettingsService(t)
-	require.NoError(t, settingsService.Save(settings.SettingsKeyCustomRules, customRulesApps))
+	encoded := base64.StdEncoding.EncodeToString([]byte(customRulesApps))
+	viper.SetDefault("custom_rules_js", []string{encoded})
 
-	service, _ := setUpService(t, WithSettingsService(settingsService))
+	service, _ := setUpService(t)
 
-	sandboxCtx := sandboxContext{
-		AppName: "Discord",
-		Now: func(loc *time.Location) time.Time {
-			return time.Date(2026, 1, 1, 10, 15, 0, 0, time.Local)
-		},
-	}
+	now := time.Date(2026, 1, 1, 10, 15, 0, 0, time.Local)
+
+	response, err := service.ClassifyCustomRules(context.Background(), usage.WithAppNameContext("Discord"), usage.WithNowContext(now))
 
-	// match Productive time
-	response, err := service.ClassifyCustomRulesWithSandbox(context.Background(), sandboxCtx)
 	require.NoError(t, err)
-	require.Equal(t, ClassificationProductive, response.Classification)
+	require.Equal(t, usage.ClassificationProductive, response.Classification)
 	require.Equal(t, "Work-related activity", response.Reasoning)
 	require.Equal(t, []string{"work", "productivity"}, response.Tags)
 
 	// no match Productive time
-	sandboxCtx.Now = func(loc *time.Location) time.Time {
-		return time.Date(2026, 1, 1, 10, 45, 0, 0, time.Local)
-	}
-	response, err = service.ClassifyCustomRulesWithSandbox(context.Background(), sandboxCtx)
+
+	now = time.Date(2026, 1, 1, 10, 45, 0, 0, time.Local)
+
+	response, err = service.ClassifyCustomRules(context.Background(), usage.WithAppNameContext("Discord"), usage.WithNowContext(now))
 	require.NoError(t, err)
 	require.Nil(t, response)
 
 	// no match Productive hour
-	sandboxCtx.Now = func(loc *time.Location) time.Time {
-		return time.Date(2026, 1, 1, 11, 0, 0, 0, time.Local)
-	}
-	response, err = service.ClassifyCustomRulesWithSandbox(context.Background(), sandboxCtx)
+
+	now = time.Date(2026, 1, 1, 11, 0, 0, 0, time.Local)
+	response, err = service.ClassifyCustomRules(context.Background(), usage.WithAppNameContext("Discord"), usage.WithNowContext(now))
 	require.NoError(t, err)
 	require.Nil(t, response)
 }
 
 func TestClassifyCustomRules_Application_MinutesSinceLastBlock(t *testing.T) {
-	settingsService := setupSettingsService(t)
-	require.NoError(t, settingsService.Save(settings.SettingsKeyCustomRules, customRulesApps))
+	encoded := base64.StdEncoding.EncodeToString([]byte(customRulesApps))
+	viper.SetDefault("custom_rules_js", []string{encoded})
 
-	service, _ := setUpService(t, WithSettingsService(settingsService))
+	service, _ := setUpService(t)
 
 	minutesSinceLastBlock := 21
 	minutesUsedSinceLastBlock := 3
 
-	sandboxCtx := sandboxContext{
-		AppName:                   "Discord",
-		MinutesSinceLastBlock:     &minutesSinceLastBlock,
-		MinutesUsedSinceLastBlock: &minutesUsedSinceLastBlock,
-	}
-
 	// match MinutesSinceLastBlock rule
-	response, err := service.ClassifyCustomRulesWithSandbox(context.Background(), sandboxCtx)
+	response, err := service.ClassifyCustomRules(context.Background(),
+		usage.WithAppNameContext("Discord"),
+		usage.WithMinutesSinceLastBlockContext(minutesSinceLastBlock),
+		usage.WithMinutesUsedSinceLastBlockContext(minutesUsedSinceLastBlock),
+	)
 	require.NotNil(t, response)
 	require.NoError(t, err)
-	require.Equal(t, ClassificationNeutral, response.Classification)
+	require.Equal(t, usage.ClassificationNeutral, response.Classification)
 	require.Equal(t, "Allow using 5 mins every 20 mins", response.Reasoning)
 	require.Equal(t, []string{"resting", "relaxing"}, response.Tags)
 }
 
 func TestClassifyCustomRules_ExecutionLogs(t *testing.T) {
-	settingsService := setupSettingsService(t)
-	require.NoError(t, settingsService.Save(settings.SettingsKeyCustomRules, customRulesApps))
+	encoded := base64.StdEncoding.EncodeToString([]byte(customRulesApps))
+	viper.SetDefault("custom_rules_js", []string{encoded})
 
-	service, db := setUpService(t, WithSettingsService(settingsService))
+	service, db := setUpService(t)
 
-	// match Productive time
-	sandboxCtx := sandboxContext{
-		AppName: "Discord",
-	}
-
-	service.ClassifyCustomRulesWithSandbox(context.Background(), sandboxCtx)
+	service.ClassifyCustomRules(context.Background(), usage.WithAppNameContext("Discord"))
 
 	// read execution logs
-	var log SandboxExecutionLog
+	var log usage.SandboxExecutionLog
 	if err := db.Order("id DESC").Limit(1).First(&log).Error; err != nil {
 		t.Fatalf("failed to find execution log: %v", err)
 	}
@@ -245,187 +213,104 @@ func TestClassifyCustomRules_ExecutionLogs(t *testing.T) {
 }
 
 func TestClassifyCustomRules_MinutesUsedInPeriod(t *testing.T) {
-	settingsService := setupSettingsService(t)
-	require.NoError(t, settingsService.Save(settings.SettingsKeyCustomRules, customRulesWithMinutesUsedInPeriod))
+	encoded := base64.StdEncoding.EncodeToString([]byte(customRulesWithMinutesUsedInPeriod))
+	viper.SetDefault("custom_rules_js", []string{encoded})
 
-	service, _ := setUpService(t, WithSettingsService(settingsService))
+	service, _ := setUpService(t)
 
 	var calledWithMinutes int64
 
-	// Test case 1: Minutes used exceeds limit (> 30)
-	sandboxCtx := sandboxContext{
-		AppName:  "YouTube",
-		Hostname: "youtube.com",
-		MinutesUsedInPeriod: func(_, _ string, durationMinutes int64) (int64, error) {
-			calledWithMinutes = durationMinutes
-			return 45, nil // Return 45 minutes (exceeds 30 limit)
-		},
-	}
-
-	response, err := service.ClassifyCustomRulesWithSandbox(context.Background(), sandboxCtx)
+	response, err := service.ClassifyCustomRules(context.Background(), usage.WithAppNameContext("YouTube"), usage.WithMinutesUsedInPeriodContext(func(_, _ string, durationMinutes int64) (int64, error) {
+		calledWithMinutes = durationMinutes
+		return 45, nil // Return 45 minutes (exceeds 30 limit)
+	}))
 	require.NoError(t, err)
 	require.NotNil(t, response)
-	require.Equal(t, ClassificationDistracting, response.Classification)
+	require.Equal(t, usage.ClassificationDistracting, response.Classification)
 	require.Equal(t, "Too much time spent: 45 minutes", response.Reasoning)
 	require.Equal(t, []string{"limit-exceeded"}, response.Tags)
 
 	// Verify callback was called with correct duration parameter
 	require.Equal(t, int64(60), calledWithMinutes)
 
-	// Test case 2: Minutes used under limit (<= 30)
-	sandboxCtx.MinutesUsedInPeriod = func(bundleID, hostname string, durationMinutes int64) (int64, error) {
+	response, err = service.ClassifyCustomRules(context.Background(), usage.WithAppNameContext("YouTube"), usage.WithMinutesUsedInPeriodContext(func(_, _ string, durationMinutes int64) (int64, error) {
 		return 15, nil // Return 15 minutes (under 30 limit)
-	}
-
-	response, err = service.ClassifyCustomRulesWithSandbox(context.Background(), sandboxCtx)
+	}))
 	require.NoError(t, err)
 	require.NotNil(t, response)
-	require.Equal(t, ClassificationNeutral, response.Classification)
+	require.Equal(t, usage.ClassificationNeutral, response.Classification)
 	require.Equal(t, "Under limit: 15 minutes", response.Reasoning)
 	require.Equal(t, []string{"within-limit"}, response.Tags)
 
-	// Test case 3: Minutes used exactly at limit (30)
-	sandboxCtx.MinutesUsedInPeriod = func(bundleID, hostname string, durationMinutes int64) (int64, error) {
+	response, err = service.ClassifyCustomRules(context.Background(), usage.WithAppNameContext("YouTube"), usage.WithMinutesUsedInPeriodContext(func(_, _ string, durationMinutes int64) (int64, error) {
 		return 30, nil // Return exactly 30 minutes (at limit, should be Neutral)
-	}
-
-	response, err = service.ClassifyCustomRulesWithSandbox(context.Background(), sandboxCtx)
+	}))
 	require.NoError(t, err)
 	require.NotNil(t, response)
-	require.Equal(t, ClassificationNeutral, response.Classification)
+	require.Equal(t, usage.ClassificationNeutral, response.Classification)
 	require.Equal(t, "Under limit: 30 minutes", response.Reasoning)
 }
 
 func TestClassifyCustomRules_MinutesUsedInPeriod_NilFunction(t *testing.T) {
-	settingsService := setupSettingsService(t)
-	require.NoError(t, settingsService.Save(settings.SettingsKeyCustomRules, customRulesWithMinutesUsedInPeriod))
+	encoded := base64.StdEncoding.EncodeToString([]byte(customRulesWithMinutesUsedInPeriod))
+	viper.SetDefault("custom_rules_js", []string{encoded})
 
-	service, _ := setUpService(t, WithSettingsService(settingsService))
+	service, _ := setUpService(t)
 
-	// Test with nil MinutesUsedInPeriod - should default to 0 and classify as Neutral
-	sandboxCtx := sandboxContext{
-		AppName:             "YouTube",
-		Hostname:            "youtube.com",
-		MinutesUsedInPeriod: nil, // Explicitly nil
-	}
-
-	response, err := service.ClassifyCustomRulesWithSandbox(context.Background(), sandboxCtx)
+	response, err := service.ClassifyCustomRules(context.Background(), usage.WithAppNameContext("YouTube"), usage.WithMinutesUsedInPeriodContext(nil))
 	require.NoError(t, err)
 	require.NotNil(t, response)
 	// When MinutesUsedInPeriod is nil, the JS fallback returns 0, so it should be under limit
-	require.Equal(t, ClassificationNeutral, response.Classification)
+	require.Equal(t, usage.ClassificationNeutral, response.Classification)
 	require.Equal(t, "Under limit: 0 minutes", response.Reasoning)
 	require.Equal(t, []string{"within-limit"}, response.Tags)
 }
 
 func TestClassifyCustomRules_Website(t *testing.T) {
-	settingsService := setupSettingsService(t)
-	require.NoError(t, settingsService.Save(settings.SettingsKeyCustomRules, customRulesWebsite))
-
-	service, _ := setUpService(t, WithSettingsService(settingsService))
-
-	// Test case 1: Domain matching - youtube.com from www.youtube.com
-	sandboxCtx := sandboxContext{
-		AppName:  "Chrome",
-		Hostname: "www.youtube.com",
-		Domain:   "youtube.com",
-		Path:     "/watch",
-		URL:      "https://www.youtube.com/watch?v=abc123",
-	}
+	encoded := base64.StdEncoding.EncodeToString([]byte(customRulesWebsite))
+	viper.SetDefault("custom_rules_js", []string{encoded})
+
+	service, _ := setUpService(t)
 
-	response, err := service.ClassifyCustomRulesWithSandbox(context.Background(), sandboxCtx)
+	response, err := service.ClassifyCustomRules(context.Background(), usage.WithAppNameContext("Chrome"), usage.WithBrowserURLContext("https://www.youtube.com/watch?v=abc123"))
 	require.NoError(t, err)
 	require.NotNil(t, response)
-	require.Equal(t, ClassificationDistracting, response.Classification)
+	require.Equal(t, usage.ClassificationDistracting, response.Classification)
 	require.Equal(t, "YouTube is distracting", response.Reasoning)
 	require.Equal(t, []string{"video", "entertainment"}, response.Tags)
 
-	// Test case 2: Hostname matching - docs.google.com (subdomain)
-	sandboxCtx = sandboxContext{
-		AppName:  "Chrome",
-		Hostname: "docs.google.com",
-		Domain:   "google.com",
-		Path:     "/document/d/123",
-		URL:      "https://docs.google.com/document/d/123",
-	}
-
-	response, err = service.ClassifyCustomRulesWithSandbox(context.Background(), sandboxCtx)
+	response, err = service.ClassifyCustomRules(context.Background(), usage.WithAppNameContext("Chrome"), usage.WithBrowserURLContext("https://docs.google.com/document/d/123"))
 	require.NoError(t, err)
 	require.NotNil(t, response)
-	require.Equal(t, ClassificationProductive, response.Classification)
+	require.Equal(t, usage.ClassificationProductive, response.Classification)
 	require.Equal(t, "Google Docs is productive", response.Reasoning)
 	require.Equal(t, []string{"docs", "work"}, response.Tags)
 
-	// Test case 3: Path matching - github.com/pulls
-	sandboxCtx = sandboxContext{
-		AppName:  "Chrome",
-		Hostname: "github.com",
-		Domain:   "github.com",
-		Path:     "/pulls",
-		URL:      "https://github.com/pulls",
-	}
-
-	response, err = service.ClassifyCustomRulesWithSandbox(context.Background(), sandboxCtx)
+	response, err = service.ClassifyCustomRules(context.Background(), usage.WithAppNameContext("Chrome"), usage.WithBrowserURLContext("https://github.com/pulls"))
 	require.NoError(t, err)
 	require.NotNil(t, response)
-	require.Equal(t, ClassificationProductive, response.Classification)
+	require.Equal(t, usage.ClassificationProductive, response.Classification)
 	require.Equal(t, "Reviewing pull requests", response.Reasoning)
 	require.Equal(t, []string{"code-review", "work"}, response.Tags)
 
-	// Test case 4: Path matching with deeper path - github.com/pulls/assigned
-	sandboxCtx = sandboxContext{
-		AppName:  "Chrome",
-		Hostname: "github.com",
-		Domain:   "github.com",
-		Path:     "/pulls/assigned",
-		URL:      "https://github.com/pulls/assigned",
-	}
-
-	response, err = service.ClassifyCustomRulesWithSandbox(context.Background(), sandboxCtx)
+	response, err = service.ClassifyCustomRules(context.Background(), usage.WithAppNameContext("Chrome"), usage.WithBrowserURLContext("https://github.com/pulls/assigned"))
 	require.NoError(t, err)
 	require.NotNil(t, response)
-	require.Equal(t, ClassificationProductive, response.Classification)
+	require.Equal(t, usage.ClassificationProductive, response.Classification)
 	require.Equal(t, "Reviewing pull requests", response.Reasoning)
 
-	// Test case 5: Full URL matching - twitter.com/home
-	sandboxCtx = sandboxContext{
-		AppName:  "Chrome",
-		Hostname: "twitter.com",
-		Domain:   "twitter.com",
-		Path:     "/home",
-		URL:      "https://twitter.com/home",
-	}
-
-	response, err = service.ClassifyCustomRulesWithSandbox(context.Background(), sandboxCtx)
+	response, err = service.ClassifyCustomRules(context.Background(), usage.WithAppNameContext("Chrome"), usage.WithBrowserURLContext("https://twitter.com/home"))
 	require.NoError(t, err)
 	require.NotNil(t, response)
-	require.Equal(t, ClassificationDistracting, response.Classification)
+	require.Equal(t, usage.ClassificationDistracting, response.Classification)
 	require.Equal(t, "Twitter home feed", response.Reasoning)
 	require.Equal(t, []string{"social-media"}, response.Tags)
 
-	// Test case 6: No match - random website
-	sandboxCtx = sandboxContext{
-		AppName:  "Chrome",
-		Hostname: "example.com",
-		Domain:   "example.com",
-		Path:     "/",
-		URL:      "https://example.com/",
-	}
-
-	response, err = service.ClassifyCustomRulesWithSandbox(context.Background(), sandboxCtx)
+	response, err = service.ClassifyCustomRules(context.Background(), usage.WithAppNameContext("Chrome"), usage.WithBrowserURLContext("https://example.com/"))
 	require.NoError(t, err)
 	require.Nil(t, response)
 
-	// Test case 7: github.com but NOT /pulls path - should not match
-	sandboxCtx = sandboxContext{
-		AppName:  "Chrome",
-		Hostname: "github.com",
-		Domain:   "github.com",
-		Path:     "/user/repo",
-		URL:      "https://github.com/user/repo",
-	}
-
-	response, err = service.ClassifyCustomRulesWithSandbox(context.Background(), sandboxCtx)
+	response, err = service.ClassifyCustomRules(context.Background(), usage.WithAppNameContext("Chrome"), usage.WithBrowserURLContext("https://github.com/user/repo"))
 	require.NoError(t, err)
 	require.Nil(t, response)
 }
diff --git a/internal/usage/classifier_llm.go b/internal/usage/classifier_llm.go
index e433854..809fc63 100644
--- a/internal/usage/classifier_llm.go
+++ b/internal/usage/classifier_llm.go
@@ -1,6 +1,25 @@
 package usage
 
-import "context"
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"log/slog"
+	"net/http"
+	"slices"
+	"strings"
+
+	apiv1 "github.com/focusd-so/focusd/gen/api/v1"
+	"github.com/focusd-so/focusd/internal/api"
+	"github.com/focusd-so/focusd/internal/identity"
+	"github.com/focusd-so/focusd/internal/settings"
+	"github.com/spf13/viper"
+	"github.com/tmc/langchaingo/llms"
+	"github.com/tmc/langchaingo/llms/anthropic"
+	"github.com/tmc/langchaingo/llms/googleai"
+	"github.com/tmc/langchaingo/llms/openai"
+	"google.golang.org/api/option"
+)
 
 func (s *Service) ClassifyWithLLM(ctx context.Context, appName, title string, url, bundleID, appCategory *string) (*ClassificationResponse, error) {
 	if url != nil {
@@ -9,3 +28,183 @@ func (s *Service) ClassifyWithLLM(ctx context.Context, appName, title string, ur
 
 	return s.classifyApplication(ctx, appName, title, bundleID, appCategory)
 }
+
+func classify(ctx context.Context, instructions, input string) (*ClassificationResponse, error) {
+	switch settings.GetConfig().ClassificationLLMProvider {
+	case settings.LLMProviderGoogle:
+		return classifyWithGemini(ctx, instructions, input)
+	case settings.LLMProviderOpenAI:
+		return classifyWithOpenAI(ctx, instructions, input)
+	case settings.LLMProviderAnthropic:
+		return classifyWithAnthropic(ctx, instructions, input)
+	case settings.LLMProviderGroq:
+		return classifyWithGrok(ctx, instructions, input)
+	case settings.LLMProviderDummy:
+		resp := viper.GetString("dummy_classification_response")
+		if resp == "" {
+			return nil, errors.New("dummy_classification_response is not set")
+		}
+		var classification ClassificationResponse
+		if err := json.Unmarshal([]byte(resp), &classification); err != nil {
+			return nil, err
+		}
+		return &classification, nil
+	}
+
+	return nil, errors.New("unsupported LLM provider")
+}
+
+func selectClassificationModel(models map[apiv1.DeviceHandshakeResponse_AccountTier]string) string {
+	tier := identity.GetAccountTier()
+	if !slices.Contains([]apiv1.DeviceHandshakeResponse_AccountTier{apiv1.DeviceHandshakeResponse_ACCOUNT_TIER_FREE, apiv1.DeviceHandshakeResponse_ACCOUNT_TIER_PLUS}, tier) {
+		slog.Warn("tier is not pro, using free model", "tier", tier)
+
+		tier = apiv1.DeviceHandshakeResponse_ACCOUNT_TIER_FREE
+	}
+
+	return models[tier]
+}
+
+func newSignedLLMHTTPClient() *http.Client {
+	return &http.Client{
+		Transport: api.NewSigningRoundTripper(nil),
+	}
+}
+
+func classifyWithGemini(ctx context.Context, instructions, input string) (*ClassificationResponse, error) {
+	// Use the strongest current non-reasoning Gemini model.
+	models := map[apiv1.DeviceHandshakeResponse_AccountTier]string{
+		apiv1.DeviceHandshakeResponse_ACCOUNT_TIER_UNSPECIFIED: "gemini-2.5-flash-lite",
+		apiv1.DeviceHandshakeResponse_ACCOUNT_TIER_FREE:        "gemini-2.5-flash-lite",
+		apiv1.DeviceHandshakeResponse_ACCOUNT_TIER_TRIAL:       "gemini-2.5-flash-lite",
+		apiv1.DeviceHandshakeResponse_ACCOUNT_TIER_PLUS:        "gemini-2.5-flash-lite",
+		apiv1.DeviceHandshakeResponse_ACCOUNT_TIER_PRO:         "gemini-2.5-flash-lite",
+	}
+
+	withGoogleAIEndpoint := func(endpoint string) googleai.Option {
+		return func(opts *googleai.Options) {
+			opts.ClientOptions = append(opts.ClientOptions, option.WithEndpoint(endpoint))
+		}
+	}
+
+	selectedModel := selectClassificationModel(models)
+	model, err := googleai.New(ctx,
+		googleai.WithDefaultModel(selectedModel),
+		googleai.WithHTTPClient(newSignedLLMHTTPClient()),
+		withGoogleAIEndpoint(settings.APIBaseURL()+"/api/v1/gemini"),
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	return classifyWithLLM(ctx, model, instructions, input)
+}
+
+func classifyWithOpenAI(ctx context.Context, instructions, input string) (*ClassificationResponse, error) {
+	// Use the strongest current non-reasoning OpenAI model.
+	models := map[apiv1.DeviceHandshakeResponse_AccountTier]string{
+		apiv1.DeviceHandshakeResponse_ACCOUNT_TIER_UNSPECIFIED: "gpt-4.1",
+		apiv1.DeviceHandshakeResponse_ACCOUNT_TIER_FREE:        "gpt-4.1",
+		apiv1.DeviceHandshakeResponse_ACCOUNT_TIER_TRIAL:       "gpt-4.1",
+		apiv1.DeviceHandshakeResponse_ACCOUNT_TIER_PLUS:        "gpt-4.1",
+		apiv1.DeviceHandshakeResponse_ACCOUNT_TIER_PRO:         "gpt-4.1",
+	}
+
+	model, err := openai.New(
+		openai.WithModel(selectClassificationModel(models)),
+		openai.WithToken("stubbed"),
+		openai.WithHTTPClient(newSignedLLMHTTPClient()),
+		openai.WithBaseURL(settings.APIBaseURL()+"/api/v1/openai/v1"),
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	return classifyWithLLM(ctx, model, instructions, input)
+}
+
+func classifyWithAnthropic(ctx context.Context, instructions, input string) (*ClassificationResponse, error) {
+	// Use the strongest current non-reasoning Claude model.
+	models := map[apiv1.DeviceHandshakeResponse_AccountTier]string{
+		apiv1.DeviceHandshakeResponse_ACCOUNT_TIER_UNSPECIFIED: "claude-sonnet-4-5",
+		apiv1.DeviceHandshakeResponse_ACCOUNT_TIER_FREE:        "claude-sonnet-4-5",
+		apiv1.DeviceHandshakeResponse_ACCOUNT_TIER_TRIAL:       "claude-sonnet-4-5",
+		apiv1.DeviceHandshakeResponse_ACCOUNT_TIER_PLUS:        "claude-sonnet-4-5",
+		apiv1.DeviceHandshakeResponse_ACCOUNT_TIER_PRO:         "claude-sonnet-4-5",
+	}
+
+	model, err := anthropic.New(
+		anthropic.WithModel(selectClassificationModel(models)),
+		anthropic.WithToken("stubbed"),
+		anthropic.WithHTTPClient(newSignedLLMHTTPClient()),
+		anthropic.WithBaseURL(settings.APIBaseURL()+"/api/v1/anthropic/v1"),
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	return classifyWithLLM(ctx, model, instructions, input)
+}
+
+func classifyWithGrok(ctx context.Context, instructions, input string) (*ClassificationResponse, error) {
+	// Use the strongest current non-reasoning Grok model.
+	models := map[apiv1.DeviceHandshakeResponse_AccountTier]string{
+		apiv1.DeviceHandshakeResponse_ACCOUNT_TIER_UNSPECIFIED: "grok-4.20-beta-latest-non-reasoning",
+		apiv1.DeviceHandshakeResponse_ACCOUNT_TIER_FREE:        "grok-4.20-beta-latest-non-reasoning",
+		apiv1.DeviceHandshakeResponse_ACCOUNT_TIER_TRIAL:       "grok-4.20-beta-latest-non-reasoning",
+		apiv1.DeviceHandshakeResponse_ACCOUNT_TIER_PLUS:        "grok-4.20-beta-latest-non-reasoning",
+		apiv1.DeviceHandshakeResponse_ACCOUNT_TIER_PRO:         "grok-4.20-beta-latest-non-reasoning",
+	}
+
+	model, err := openai.New(
+		openai.WithModel(selectClassificationModel(models)),
+		openai.WithToken("stubbed"),
+		openai.WithHTTPClient(newSignedLLMHTTPClient()),
+		openai.WithBaseURL(settings.APIBaseURL()+"/api/v1/grok/v1"),
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	return classifyWithLLM(ctx, model, instructions, input)
+}
+
+func classifyWithLLM(ctx context.Context, model llms.Model, instructions, input string) (*ClassificationResponse, error) {
+	resp, err := model.GenerateContent(ctx, []llms.MessageContent{
+		llms.TextParts(llms.ChatMessageTypeSystem, instructions),
+		llms.TextParts(llms.ChatMessageTypeHuman, input),
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	if len(resp.Choices) == 0 {
+		return nil, errors.New("empty response from LLM")
+	}
+
+	text := resp.Choices[0].Content
+
+	replacer := strings.NewReplacer("```json", "", "```", "", "`", "")
+	text = replacer.Replace(text)
+
+	slog.Info("LLM classification response", "resp", text)
+
+	var response ClassificationResponse
+
+	if err := json.Unmarshal([]byte(text), &response); err != nil {
+		return nil, err
+	}
+
+	switch settings.GetConfig().ClassificationLLMProvider {
+	case settings.LLMProviderGoogle:
+		response.ClassificationSource = ClassificationSourceCloudLLMGemini
+	case settings.LLMProviderOpenAI:
+		response.ClassificationSource = ClassificationSourceCloudLLMOpenAI
+	case settings.LLMProviderAnthropic:
+		response.ClassificationSource = ClassificationSourceCloudLLMAnthropic
+	case settings.LLMProviderGroq:
+		response.ClassificationSource = ClassificationSourceCloudLLMGroq
+	}
+
+	return &response, nil
+}
diff --git a/internal/usage/classifier_llm_apps.go b/internal/usage/classifier_llm_apps.go
index 6e53649..d76f44d 100644
--- a/internal/usage/classifier_llm_apps.go
+++ b/internal/usage/classifier_llm_apps.go
@@ -6,67 +6,24 @@ import (
 	"strings"
 )
 
-func (s *Service) classifyApplication(ctx context.Context, appName, title string, bundleID, appCategory *string) (*ClassificationResponse, error) {
-	switch strings.ToLower(appName) {
-	case "slack":
-		return s.classifySlackApp(ctx, appName, title)
-	}
-
-	bundleIDValue := fromPtr(bundleID)
-	appCategoryValue := fromPtr(appCategory)
-
-	var (
-		instructions = `
-You are a Software Engineering Application Intent Classifier. Your job is to determine if the user is actively doing work related to their software engineering job or seeking entertainment/distraction.
-
-# Classification Logic
-
-## **productive**
-**Criteria:** Applications that directly support software engineering tasks: coding, debugging, learning, researching, planning, or deploying.
-**Signals to detect:**
-- **Editors/IDEs:** VS Code, Xcode, IntelliJ, PyCharm, GoLand, etc.
-- **Terminals/CLIs:** Terminal, iTerm, shells, build tools, git clients.
-- **Developer Tools:** API clients, DB clients, profilers, debuggers.
-- **Documentation/Research apps:** PDF readers for technical docs, reference tools.
-- **Project Management:** Jira, Linear, Trello, Notion when used for work.
-
-## **distracting**
-**Criteria:** Apps primarily for entertainment or non-work consumption.
-**Includes:**
-- Social media, chat apps used socially (Discord, WhatsApp, Facebook Messenger).
-- Streaming video/music (YouTube Music, Spotify, Netflix).
-- Games, gaming platforms.
-- Shopping, news, celebrity gossip.
+type AppClassifier func(ctx context.Context, appName, title string, bundleID, appCategory *string) (*ClassificationResponse, error)
 
-## **neutral**
-**Criteria:** Ambiguous utilities or general organizational tools.
-**Includes:**
-- Email, Calendar, Notes, general file managers.
-- General communication apps without context (Slack, Teams).
-- System settings or OS utilities.	
+var classifiers = map[string]AppClassifier{
+	"slack": classifySlackApp,
+}
 
-# Metadata Signals
+func (s *Service) classifyApplication(ctx context.Context, appName, title string, bundleID, appCategory *string) (*ClassificationResponse, error) {
+	if classifier, ok := classifiers[strings.ToLower(appName)]; ok {
+		return classifier(ctx, appName, title, bundleID, appCategory)
+	}
 
-**Bundle ID** (when provided) is a precise, machine-readable identifier for the app (e.g. "com.apple.dt.Xcode", "com.spotify.client"). Use it as a strong classification signal.
+	return classifyGenericApplication(ctx, appName, title, bundleID, appCategory)
+}
 
-**App Store Category** (when provided) is Apple's own pre-assigned category for the app. Treat it as the strongest available signal:
-- "public.app-category.developer-tools" -> productive
-- "public.app-category.games" -> distracting
-- "public.app-category.entertainment" -> distracting
-- "public.app-category.social-networking" -> distracting
-- "public.app-category.music" -> distracting (unless context suggests otherwise)
-- "public.app-category.productivity" / "public.app-category.business" -> likely productive or neutral
-- "public.app-category.utilities" -> neutral
+func classifyGenericApplication(ctx context.Context, appName, title string, bundleID, appCategory *string) (*ClassificationResponse, error) {
+	instructions := instructionGenericApplicationClassification
 
-Return a JSON object with the following keys:
-1. "classification": "productive", "neutral", or "distracting".
-2. "reasoning": Brief explanation.
-3. "tags": Array of strings from ONLY these options: ["coding", "docs", "debug", "communication", "terminal", "planning", "learning", "entertainment", "news", "social", "shopping", "terminal", "other"].
-   - IMPORTANT: Be extremely conservative with the "communication" tag. Only use it when there is actual messaging, emailing, or chatting happening. Do NOT use it for reading code reviews, terminal multiplexers, or project management.
-4. "confidence_score": Float (0.0 - 1.0)
-5. "detected_project": If the window title clearly implies a project name. Return null if no project can be reliably inferred.
-6. "detected_communication_channel": If the window title clearly implies a communication channel and the app has communication tag in the tags array, extract just the channel name (e.g. "engineering", "random"). Return null if no channel can be reliably inferred.
-`
+	var (
 		inputTmpl = `
 The user is currently using an application. Classify the activity based on the following information:
 
@@ -77,9 +34,12 @@ App Store Category: %s
 `
 	)
 
+	bundleIDValue := fromPtr(bundleID)
+	appCategoryValue := fromPtr(appCategory)
+
 	input := fmt.Sprintf(inputTmpl, appName, title, bundleIDValue, appCategoryValue)
 
-	response, err := s.classifyWithGemini(ctx, instructions, input)
+	response, err := classify(ctx, instructions, input)
 	if err != nil {
 		return nil, fmt.Errorf("failed to classify with Gemini: %w", err)
 	}
@@ -89,61 +49,7 @@ App Store Category: %s
 
 // classifySlackApp classifies Slack desktop application activity using the window title.
 // Titles typically look like: "Slack | #engineering | Acme Corp" or "Slack - #random - Workspace"
-func (s *Service) classifySlackApp(ctx context.Context, appName, title string) (*ClassificationResponse, error) {
-	var (
-		instructions = `
-You are a Slack Software Engineer Intent Classifier. Your job is to determine if the user is engaged in productive work communication, general organizational activity, or distracted by non-essential chatter. You will receive the desktop window title — this is your main signal.
+func classifySlackApp(ctx context.Context, appName, title string, _, _ *string) (*ClassificationResponse, error) {
 
-# Classification Logic
-
-## **productive**
-**Criteria:** Direct work communication, project discussions, incident response, technical collaboration, or focused async work.
-**Indicators:**
-- Work-related channels: #engineering, #product, #design, #support, #incidents, #deploys, #standup, #sprint-*, #dev-*, #backend, #frontend, #infra, #security, #ops, #platform, #release-*, #bug-*, #feature-*, #project-*, #review-*, #ci-*, #monitoring, #alerts, #on-call
-- DMs discussing work tasks (inferred from title context)
-- Threads with technical discussions
-- Huddles or calls (likely meetings)
-- Canvas or document collaboration
-- Any channel name that clearly relates to a specific project, team function, or work task
-
-## **neutral**
-**Criteria:** General organizational communication that is neither clearly productive nor distracting. Company-wide or team-wide channels used for announcements and coordination.
-**Indicators:**
-- General channels: #general, #announcements, #company, #all-hands, #team-*, #org-*, #office-*, #hr, #it-support, #helpdesk, #onboarding, #welcome
-- Channels that serve organizational purposes without being directly about project work
-- Workspace home page or search without specific channel context
-- Browsing channel list without engaging (title contains "Browse channels" or similar)
-
-## **distracting**
-**Criteria:** Social channels, watercooler chat, entertainment, or passive browsing without clear work purpose.
-**Indicators:**
-- Social/fun channels: #random, #watercooler, #pets, #food, #memes, #off-topic, #fun-*, #chat-*, #social-*, #music, #gaming, #sports, #books, #movies, #travel, #fitness, #jokes, #dogs, #cats, #photos
-- Content consumption channels: #links, #articles, #videos, #interesting-*, #cool-*
-- Any channel name that suggests entertainment, socializing, or non-work activity
-
-# Output Format
-
-Return a JSON object with the following keys:
-1. "classification": "productive" (work communication), "neutral" (general org channels), or "distracting" (social/entertainment).
-2. "reasoning": Brief explanation.
-3. "tags": Array of strings from ONLY these options: ["communication", "entertainment", "time-sink", "content-consumption"].
-4. "confidence_score": Float (0.0 - 1.0)
-5. "detected_communication_channel": The channel or DM name extracted from the title 
-`
-		inputTmpl = `
-The user is currently using the Slack desktop application. Classify their activity based on the following information:
-
-Application Name: %s
-Window Title: %s
-`
-	)
-
-	input := fmt.Sprintf(inputTmpl, appName, title)
-
-	response, err := s.classifyWithGemini(ctx, instructions, input)
-	if err != nil {
-		return nil, fmt.Errorf("failed to classify with Gemini: %w", err)
-	}
-
-	return response, nil
+	return classifySlackActivity(ctx, "Analyse Slack desktop activity from the following title: "+title)
 }
diff --git a/internal/usage/classifier_llm_apps_prompt.go b/internal/usage/classifier_llm_apps_prompt.go
new file mode 100644
index 0000000..b912acb
--- /dev/null
+++ b/internal/usage/classifier_llm_apps_prompt.go
@@ -0,0 +1,6 @@
+package usage
+
+var (
+	instructionGenericApplicationClassification = mustLoadPrompt("app", "app_generic.txt")
+	instructionSlackApplicationClassification   = mustLoadPrompt("app", "app_slack.txt")
+)
diff --git a/internal/usage/classifier_llm_custom.go b/internal/usage/classifier_llm_custom.go
new file mode 100644
index 0000000..6a021a9
--- /dev/null
+++ b/internal/usage/classifier_llm_custom.go
@@ -0,0 +1,49 @@
+package usage
+
+import (
+	"context"
+	"fmt"
+)
+
+func classifySlackActivity(ctx context.Context, input string) (*ClassificationResponse, error) {
+	const instructionSlackClassification = `
+You classify Slack activity for software engineers.
+
+Task:
+- Classify activity as one of: "productive", "neutral", "distracting".
+- Extract "detected_communication_channel" from the title when possible.
+
+Guidelines:
+- productive: project/work/engineering/incident/release/support communication.
+- neutral: general organization/announcements/company-wide communication, or unclear context.
+- distracting: social/fun/off-topic/non-work communication.
+
+Channel extraction:
+- Use the visible title text to infer the channel or DM/thread name.
+- Return only the channel or DM name, without extra prose.
+- If no channel or DM can be reliably inferred, return an empty string.
+
+Return JSON only with exactly these keys:
+{
+  "classification": "productive|neutral|distracting",
+  "reasoning": "short reason",
+  "detected_communication_channel": "channel name or empty string"
+}
+`
+
+	response, err := classify(ctx, instructionSlackClassification, input)
+	if err != nil {
+		return nil, fmt.Errorf("failed to classify Slack activity: %w", err)
+	}
+
+	switch response.Classification {
+	case ClassificationProductive, ClassificationNeutral, ClassificationDistracting:
+	default:
+		response.Classification = ClassificationNeutral
+		if response.Reasoning == "" {
+			response.Reasoning = "Defaulted to neutral due to invalid classification"
+		}
+	}
+
+	return response, nil
+}
diff --git a/internal/usage/classifier_llm_prompt_assets.go b/internal/usage/classifier_llm_prompt_assets.go
new file mode 100644
index 0000000..98f5456
--- /dev/null
+++ b/internal/usage/classifier_llm_prompt_assets.go
@@ -0,0 +1,64 @@
+package usage
+
+import (
+	"embed"
+	"fmt"
+	"strings"
+	"sync"
+)
+
+//go:embed assets/prompts/*.txt
+var promptFS embed.FS
+
+var (
+	promptCache     map[string]string
+	promptCacheErr  error
+	promptCacheOnce sync.Once
+)
+
+func loadPromptCache() {
+	entries, err := promptFS.ReadDir("assets/prompts")
+	if err != nil {
+		promptCacheErr = fmt.Errorf("failed to list prompt assets: %w", err)
+		return
+	}
+
+	cache := make(map[string]string, len(entries))
+	for _, entry := range entries {
+		if entry.IsDir() {
+			continue
+		}
+
+		fileName := entry.Name()
+		content, readErr := promptFS.ReadFile("assets/prompts/" + fileName)
+		if readErr != nil {
+			promptCacheErr = fmt.Errorf("failed to read prompt %q: %w", fileName, readErr)
+			return
+		}
+
+		prompt := strings.TrimSpace(string(content))
+		if prompt == "" {
+			promptCacheErr = fmt.Errorf("prompt %q is empty", fileName)
+			return
+		}
+
+		cache[fileName] = prompt
+	}
+
+	promptCache = cache
+}
+
+func mustLoadPrompt(kind, fileName string) string {
+	promptCacheOnce.Do(loadPromptCache)
+
+	if promptCacheErr != nil {
+		panic(fmt.Sprintf("failed to initialize prompts while loading %s prompt %q: %v", kind, fileName, promptCacheErr))
+	}
+
+	prompt, ok := promptCache[fileName]
+	if !ok {
+		panic(fmt.Sprintf("missing %s prompt %q", kind, fileName))
+	}
+
+	return prompt
+}
diff --git a/internal/usage/classifier_llm_test.go b/internal/usage/classifier_llm_test.go
deleted file mode 100644
index e5ae0c8..0000000
--- a/internal/usage/classifier_llm_test.go
+++ /dev/null
@@ -1,300 +0,0 @@
-package usage
-
-import (
-	"context"
-	"os"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	"google.golang.org/genai"
-)
-
-// This is probably controvertial tests suite to hit LLM as part of the CI, but at least it will
-// give us some confidence that the LLM classification is not completely broken after prompt or
-// code changes. It will depend on flakiness of the LLM, but I think it's worth it to have some
-// confidence that the LLM is working as expected.
-
-// TODO: mock http client to return specific responses for open graph and main content vs real http requests
-
-func TestClassify_Website_Youtube(t *testing.T) {
-	genaiClient, err := genai.NewClient(context.Background(), &genai.ClientConfig{
-		APIKey: os.Getenv("GEMINI_API_KEY"),
-	})
-
-	require.NoError(t, err, "failed to create genai client")
-
-	s, _ := setUpService(t, WithGenaiClient(genaiClient))
-
-	t.Run("neutral - music video", func(t *testing.T) {
-		response, err := s.classifyWebsite(context.Background(), "https://www.youtube.com/watch?v=i0YnfhP3ogE&list=RDi0YnfhP3ogE&start_radio=1", "Tobu - Dancing in the Moonlight (feat Syndec)")
-		require.NoError(t, err, "failed to classify youtube website")
-
-		assert.Equal(t, ClassificationNeutral, response.Classification)
-		assert.Contains(t, response.Tags, "music")
-	})
-
-	t.Run("distracting - entertainment video", func(t *testing.T) {
-		response, err := s.classifyWebsite(context.Background(), "https://www.youtube.com/watch?v=qKf9sgKFQLU", "OpenAI just dropped their Cursor killer")
-
-		t.Logf("reasoning: %s", response.Reasoning)
-
-		require.NoError(t, err, "failed to classify youtube website")
-
-		assert.Equal(t, ClassificationDistracting, response.Classification)
-	})
-}
-
-func TestClassify_Website_Reddit(t *testing.T) {
-	genaiClient, err := genai.NewClient(context.Background(), &genai.ClientConfig{
-		APIKey: os.Getenv("GEMINI_API_KEY"),
-	})
-
-	require.NoError(t, err, "failed to create genai client")
-
-	s, _ := setUpService(t, WithGenaiClient(genaiClient))
-
-	t.Run("productive - golang discussion", func(t *testing.T) {
-		response, err := s.classifyWebsite(context.Background(), "https://www.reddit.com/r/golang/comments/1fu1z4v/whats_the_state_of_go_web_frameworks_today/", "What's the state of Go web frameworks today?")
-		require.NoError(t, err, "failed to classify reddit website")
-
-		assert.Equal(t, ClassificationProductive, response.Classification)
-	})
-
-	t.Run("distracting - stock discussion", func(t *testing.T) {
-		response, err := s.classifyWebsite(context.Background(), "https://www.reddit.com/r/UnityStock/comments/1qrjrpw/unitys_moat_in_case_of_world_models/", "Unity's Moat in Case of World Models")
-		require.NoError(t, err, "failed to classify reddit website")
-
-		assert.Equal(t, ClassificationDistracting, response.Classification)
-	})
-}
-
-func TestClassify_Website_LinkedIn(t *testing.T) {
-	genaiClient, err := genai.NewClient(context.Background(), &genai.ClientConfig{
-		APIKey: os.Getenv("GEMINI_API_KEY"),
-	})
-
-	require.NoError(t, err, "failed to create genai client")
-
-	s, _ := setUpService(t, WithGenaiClient(genaiClient))
-
-	t.Run("productive - technical article", func(t *testing.T) {
-		response, err := s.classifyWebsite(context.Background(), "https://www.linkedin.com/pulse/how-i-speed-up-microservice-development-golang-fiber-charith-rajitha-dyuhc/", "How I Speed Up Microservice Development with Golang Fiber Framework")
-		require.NoError(t, err, "failed to classify linkedin website")
-
-		assert.Equal(t, ClassificationProductive, response.Classification)
-	})
-
-	t.Run("distracting - opinion post", func(t *testing.T) {
-		response, err := s.classifyWebsite(context.Background(), "https://www.linkedin.com/posts/kyleszives_ai-assisted-coding-slows-mastery-this-week-share-7423115331218337792-DlYT/", "AI-assisted coding: trade-off between speed and mastery | Kyle Szives posted on the topic | LinkedIn")
-		require.NoError(t, err, "failed to classify linkedin website")
-
-		t.Log(response.Reasoning)
-
-		assert.Equal(t, ClassificationDistracting, response.Classification)
-	})
-}
-
-func TestClassify_Website_Medium(t *testing.T) {
-	genaiClient, err := genai.NewClient(context.Background(), &genai.ClientConfig{
-		APIKey: os.Getenv("GEMINI_API_KEY"),
-	})
-
-	require.NoError(t, err, "failed to create genai client")
-
-	s, _ := setUpService(t, WithGenaiClient(genaiClient))
-
-	t.Run("productive - technical article", func(t *testing.T) {
-		response, err := s.classifyWebsite(context.Background(), "https://medium.com/@Sarahcollins05/golang-web-frameworks-top-picks-for-modern-development-8b85d9000921", "Golang Web Frameworks: Top Picks for Modern Development")
-		require.NoError(t, err, "failed to classify medium website")
-
-		assert.Equal(t, ClassificationProductive, response.Classification)
-	})
-
-	t.Run("distracting - career clickbait", func(t *testing.T) {
-		response, err := s.classifyWebsite(context.Background(), "https://medium.com/@kakamber07/i-interviewed-50-devs-laid-off-in-2025-one-mistake-was-universal-15711c87f192", "I Interviewed 50 Devs Laid Off in 2025: One Mistake Was Universal")
-		require.NoError(t, err, "failed to classify medium website")
-
-		assert.Equal(t, ClassificationDistracting, response.Classification)
-	})
-}
-
-func TestClassify_Website_Twitter(t *testing.T) {
-	genaiClient, err := genai.NewClient(context.Background(), &genai.ClientConfig{
-		APIKey: os.Getenv("GEMINI_API_KEY"),
-	})
-
-	require.NoError(t, err, "failed to create genai client")
-
-	s, _ := setUpService(t, WithGenaiClient(genaiClient))
-
-	t.Run("productive - technical announcement", func(t *testing.T) {
-		response, err := s.classifyWebsite(context.Background(), "https://x.com/golang/status/1818029690722304258", "Go on X: \"Go 1.23 is released! Release notes: https://go.dev/doc/go1.23\"")
-		require.NoError(t, err, "failed to classify twitter website")
-
-		assert.Equal(t, ClassificationProductive, response.Classification)
-	})
-
-	t.Run("distracting - hot take engagement bait", func(t *testing.T) {
-		response, err := s.classifyWebsite(context.Background(), "https://x.com/random_user/status/1234567890", "Hot take: nobody actually needs microservices. Fight me. 🔥")
-		require.NoError(t, err, "failed to classify twitter website")
-
-		assert.Equal(t, ClassificationDistracting, response.Classification)
-	})
-}
-
-func TestClassify_Website_HackerNews(t *testing.T) {
-	genaiClient, err := genai.NewClient(context.Background(), &genai.ClientConfig{
-		APIKey: os.Getenv("GEMINI_API_KEY"),
-	})
-
-	require.NoError(t, err, "failed to create genai client")
-
-	s, _ := setUpService(t, WithGenaiClient(genaiClient))
-
-	t.Run("productive - technical article", func(t *testing.T) {
-		response, err := s.classifyWebsite(context.Background(), "https://news.ycombinator.com/item?id=39232976", "Writing a SQL database from scratch in Go")
-		require.NoError(t, err, "failed to classify hackernews website")
-
-		assert.Equal(t, ClassificationProductive, response.Classification)
-	})
-
-	t.Run("distracting - career opinion thread", func(t *testing.T) {
-		response, err := s.classifyWebsite(context.Background(), "https://news.ycombinator.com/item?id=39171900", "Ask HN: What's your salary and how happy are you with it?")
-		require.NoError(t, err, "failed to classify hackernews website")
-
-		assert.Equal(t, ClassificationDistracting, response.Classification)
-	})
-}
-
-func TestClassify_Website_Substack(t *testing.T) {
-	// genaiClient, err := genai.NewClient(context.Background(), &genai.ClientConfig{
-	// 	APIKey: os.Getenv("GEMINI_API_KEY"),
-	// })
-
-	// require.NoError(t, err, "failed to create genai client")
-
-	// s, _ := setUpService(t, WithGenaiClient(genaiClient))
-
-	// t.Run("productive - engineering newsletter", func(t *testing.T) {
-	// 	response, err := s.classifyWebsite(context.Background(), "https://newsletter.systemdesign.one/p/cell-based-architecture", "Cell-Based Architecture: How to Build Scalable Distributed Systems")
-	// 	require.NoError(t, err, "failed to classify substack website")
-
-	// 	assert.Equal(t, ClassificationProductive, response.Classification)
-	// })
-
-	// t.Run("distracting - self-help opinion", func(t *testing.T) {
-	// 	response, err := s.classifyWebsite(context.Background(), "https://www.theguardianofperspective.substack.com/p/why-you-should-quit-social-media", "Why You Should Quit Social Media and Reclaim Your Life")
-	// 	require.NoError(t, err, "failed to classify substack website")
-
-	// 	assert.Equal(t, ClassificationDistracting, response.Classification)
-	// })
-}
-
-func TestClassify_Website_Slack(t *testing.T) {
-	genaiClient, err := genai.NewClient(context.Background(), &genai.ClientConfig{
-		APIKey: os.Getenv("GEMINI_API_KEY"),
-	})
-
-	require.NoError(t, err, "failed to create genai client")
-
-	s, _ := setUpService(t, WithGenaiClient(genaiClient))
-
-	t.Run("productive - engineering channel", func(t *testing.T) {
-		response, err := s.classifyWebsite(context.Background(), "https://app.slack.com/client/T12345/C67890", "#engineering - Acme Corp Slack")
-		require.NoError(t, err, "failed to classify slack website")
-
-		assert.Equal(t, ClassificationProductive, response.Classification)
-		assert.NotEmpty(t, response.DetectedCommunicationChannel)
-	})
-
-	t.Run("productive - incident channel", func(t *testing.T) {
-		response, err := s.classifyWebsite(context.Background(), "https://app.slack.com/client/T12345/C11111", "#incidents - Acme Corp Slack")
-		require.NoError(t, err, "failed to classify slack website")
-
-		assert.Equal(t, ClassificationProductive, response.Classification)
-		assert.NotEmpty(t, response.DetectedCommunicationChannel)
-	})
-
-	t.Run("neutral - general channel", func(t *testing.T) {
-		response, err := s.classifyWebsite(context.Background(), "https://app.slack.com/client/T12345/C22222", "#general - Acme Corp Slack")
-		require.NoError(t, err, "failed to classify slack website")
-
-		assert.Equal(t, ClassificationNeutral, response.Classification)
-		assert.NotEmpty(t, response.DetectedCommunicationChannel)
-	})
-
-	t.Run("neutral - announcements channel", func(t *testing.T) {
-		response, err := s.classifyWebsite(context.Background(), "https://app.slack.com/client/T12345/C33333", "#announcements - Acme Corp Slack")
-		require.NoError(t, err, "failed to classify slack website")
-
-		assert.Equal(t, ClassificationNeutral, response.Classification)
-		assert.NotEmpty(t, response.DetectedCommunicationChannel)
-	})
-
-	t.Run("distracting - random channel", func(t *testing.T) {
-		response, err := s.classifyWebsite(context.Background(), "https://app.slack.com/client/T12345/C99999", "#random - Acme Corp Slack")
-		require.NoError(t, err, "failed to classify slack website")
-
-		assert.Equal(t, ClassificationDistracting, response.Classification)
-		assert.NotEmpty(t, response.DetectedCommunicationChannel)
-	})
-
-	t.Run("distracting - fun channel", func(t *testing.T) {
-		response, err := s.classifyWebsite(context.Background(), "https://app.slack.com/client/T12345/C88888", "#fun-memes - Acme Corp Slack")
-		require.NoError(t, err, "failed to classify slack website")
-
-		assert.Equal(t, ClassificationDistracting, response.Classification)
-		assert.NotEmpty(t, response.DetectedCommunicationChannel)
-	})
-
-	t.Run("distracting - browsing channels", func(t *testing.T) {
-		response, err := s.classifyWebsite(context.Background(), "https://app.slack.com/client/T12345/browse-channels", "Browse channels - Acme Corp Slack")
-		require.NoError(t, err, "failed to classify slack website")
-
-		assert.Equal(t, ClassificationNeutral, response.Classification)
-	})
-}
-
-func TestClassify_Website_Generic(t *testing.T) {
-	genaiClient, err := genai.NewClient(context.Background(), &genai.ClientConfig{
-		APIKey: os.Getenv("GEMINI_API_KEY"),
-	})
-
-	require.NoError(t, err, "failed to create genai client")
-
-	s, _ := setUpService(t, WithGenaiClient(genaiClient))
-
-	t.Run("productive - documentation", func(t *testing.T) {
-		response, err := s.classifyWebsite(context.Background(), "https://gorm.io/docs/index.html", "GORM Guides | GORM - The fantastic ORM library for Golang, aims to be developer friendly.")
-		require.NoError(t, err, "failed to classify generic website")
-
-		assert.Equal(t, ClassificationProductive, response.Classification)
-	})
-
-	t.Run("distracting - news site", func(t *testing.T) {
-		response, err := s.classifyWebsite(context.Background(), "https://www.tmz.com/", "TMZ")
-		require.NoError(t, err, "failed to classify generic website")
-
-		assert.Equal(t, ClassificationDistracting, response.Classification)
-	})
-}
-
-func TestClassify_Application_Slack(t *testing.T) {
-	genaiClient, err := genai.NewClient(context.Background(), &genai.ClientConfig{
-		APIKey: os.Getenv("GEMINI_API_KEY"),
-	})
-
-	require.NoError(t, err, "failed to create genai client")
-
-	s, _ := setUpService(t, WithGenaiClient(genaiClient))
-
-	t.Run("extract channel name", func(t *testing.T) {
-		response, err := s.classifyApplication(context.Background(), "slack", "private-coin-team-chat (Channel) - Snyk - Slack", nil, nil)
-		require.NoError(t, err, "failed to classify application")
-
-		assert.Equal(t, ClassificationProductive, response.Classification)
-		assert.Equal(t, "private-coin-team-chat", response.DetectedCommunicationChannel)
-	})
-}
diff --git a/internal/usage/classifier_llm_website.go b/internal/usage/classifier_llm_website.go
index 496cbd9..46d75cd 100644
--- a/internal/usage/classifier_llm_website.go
+++ b/internal/usage/classifier_llm_website.go
@@ -2,50 +2,48 @@ package usage
 
 import (
 	"context"
-	"encoding/json"
-	"errors"
 	"fmt"
 	"log/slog"
 	"net/http"
-	"slices"
 	"strings"
 	"time"
 
-	apiv1 "github.com/focusd-so/focusd/gen/api/v1"
-	"github.com/focusd-so/focusd/internal/identity"
-
 	"golang.org/x/net/publicsuffix"
 	"golang.org/x/sync/errgroup"
-	"google.golang.org/genai"
 )
 
 func (s *Service) classifyWebsite(ctx context.Context, url, title string) (*ClassificationResponse, error) {
-	hostname, _ := parseURL(url)
+	u, err := parseURLNormalized(url)
+	if err != nil {
+		return nil, err
+	}
+
+	hostname := u.Hostname()
 	domain, _ := publicsuffix.EffectiveTLDPlusOne(hostname)
 
 	switch domain {
 	case "youtube.com", "youtu.be", "yt.be":
-		return s.classifyYoutube(ctx, url, title)
+		return classifyYoutube(ctx, url, title)
 	case "reddit.com":
-		return s.classifyReddit(ctx, url, title)
+		return classifyReddit(ctx, url, title)
 	case "linkedin.com":
-		return s.classifyLinkedin(ctx, url, title)
+		return classifyLinkedin(ctx, url, title)
 	case "medium.com":
-		return s.classifyMedium(ctx, url, title)
+		return classifyMedium(ctx, url, title)
 	case "x.com", "twitter.com":
-		return s.classifyTwitter(ctx, url, title)
+		return classifyTwitter(ctx, url, title)
 	case "ycombinator.com":
-		return s.classifyHackerNews(ctx, url, title)
+		return classifyHackerNews(ctx, url, title)
 	case "substack.com":
-		return s.classifySubstack(ctx, url, title)
+		return classifySubstack(ctx, url, title)
 	case "slack.com":
-		return s.classifySlack(ctx, url, title)
+		return classifySlack(ctx, url, title)
 	}
 
-	return s.classifyGeneric(ctx, url, title)
+	return classifyGeneric(ctx, url, title)
 }
 
-func (s *Service) classifyGeneric(ctx context.Context, url, title string) (*ClassificationResponse, error) {
+func classifyGeneric(ctx context.Context, url, title string) (*ClassificationResponse, error) {
 	// Attempt to fetch main content for better context, but proceed even if it fails
 	// or if the site blocks scrapers.
 	var mainContent string
@@ -61,45 +59,21 @@ func (s *Service) classifyGeneric(ctx context.Context, url, title string) (*Clas
 		slog.Debug("failed to fetch main content for generic classification", "url", url, "error", err)
 	}
 
+	if isDeterministicCriticalNoBlockURL(url) {
+		return &ClassificationResponse{
+			Classification:       ClassificationNeutral,
+			ClassificationSource: ClassificationSourceObviously,
+			Reasoning:            "Payment/booking flow detected - safety override to avoid interruption",
+			ConfidenceScore:      1.0,
+			Tags:                 []string{"other"},
+		}, nil
+	}
+
+	suspiciousCriticalContext := isSuspiciousCriticalContext(url, title, mainContent)
+
 	var (
-		instructions = `
-You are a General Software Engineer Intent Classifier. Your job is to determine if the user is actively doing work related to their software engineering job or seeking entertainment/distraction.
-
-# Classification Logic
-
-## **productive**
-**Criteria:** Content that directly supports software engineering tasks: coding, debugging, learning, researching, planning, or deploying.
-**Signals to detect:**
-- **Documentation:** Official docs for languages, frameworks, libraries, APIs, clouds (AWS, GCP, Azure).
-- **Repositories:** GitHub, GitLab, Bitbucket (code viewing, PRs, issues).
-- **Q&A/Forums:** Stack Overflow, GitHub Discussions, technical forums.
-- **Tools:** Issue trackers (Jira, Linear), design tools (Figma), cloud consoles, CI/CD dashboards, localhost servers.
-- **Learning:** Technical tutorials, courses, engineering blogs, research papers.
-
-## **distracting**
-**Criteria:** Content irrelevant to work or primarily for entertainment/consumption.
-**Includes:**
-- Social media (Facebook, Instagram, TikTok, generic Twitter/X usage).
-- News, politics, sports, celebrity gossip.
-- Video streaming (Netflix, Hulu, HBO) and gaming.
-- Shopping (Amazon, eBay) unless clearly for work equipment.
-- General interest browsing not related to tech.
-
-## **neutral**
-**Criteria:** Ambiguous utilities or general organizational tools.
-**Includes:**
-- Email, Calendar (unless clearly personal).
-- General search (Google home page).
-- Banking, personal admin (borderline, but often necessary during work day).
-
-Return a JSON object with the following keys:
-1. "classification": "productive", "neutral", or "distracting".
-2. "reasoning": Brief explanation.
-3. "tags": Array of strings from ONLY these options: ["coding", "docs", "debug", "communication", "terminal", "planning", "learning", "entertainment", "news", "social", "shopping", "other"].
-   - IMPORTANT: Be extremely conservative with the "communication" tag. Only use it when there is actual messaging, emailing, or chatting happening. Do NOT use it for reading code reviews, terminal multiplexers, or project management.
-4. "confidence_score": Float (0.0 - 1.0)
-`
-		inputTmpl = `
+		instructions = instructionGenericWebsiteClassification
+		inputTmpl    = `
 The user is currently visiting a website. Classify the page based on the following information:
 
 URL: %s
@@ -110,15 +84,35 @@ Main Content (truncated): %s
 
 	input := fmt.Sprintf(inputTmpl, url, title, mainContent)
 
-	response, err := s.classifyWithGemini(ctx, instructions, input)
+	response, err := classify(ctx, instructions, input)
 	if err != nil {
+		if suspiciousCriticalContext {
+			return &ClassificationResponse{
+				Classification:       ClassificationNeutral,
+				ClassificationSource: ClassificationSourceObviously,
+				Reasoning:            "Potential payment/booking flow with uncertain model result - safety override to avoid interruption",
+				ConfidenceScore:      1.0,
+				Tags:                 []string{"other"},
+			}, nil
+		}
+
 		return nil, fmt.Errorf("failed to classify with Gemini: %w", err)
 	}
 
+	if suspiciousCriticalContext && response.ConfidenceScore < 0.75 {
+		return &ClassificationResponse{
+			Classification:       ClassificationNeutral,
+			ClassificationSource: ClassificationSourceObviously,
+			Reasoning:            "Potential payment/booking flow with low-confidence classification - safety override to avoid interruption",
+			ConfidenceScore:      1.0,
+			Tags:                 []string{"other"},
+		}, nil
+	}
+
 	return response, nil
 }
 
-func (s *Service) classifyYoutube(ctx context.Context, url, title string) (*ClassificationResponse, error) {
+func classifyYoutube(ctx context.Context, url, title string) (*ClassificationResponse, error) {
 	httpClient := &http.Client{Timeout: 3000 * time.Millisecond}
 
 	metaData, err := extractOpenGraph(httpClient, url)
@@ -142,109 +136,14 @@ func (s *Service) classifyYoutube(ctx context.Context, url, title string) (*Clas
 		}
 	}
 
-	var (
-		instructions = `
-You are a STRICT YouTube Software Engineering Intent Classifier.
-
-Your job is NOT to detect whether a video is about tech.
-Your job is to determine whether the user is actively doing work or learning job-relevant software engineering skills.
-
-You must be extremely conservative.
-
-If there is ANY ambiguity, classify as "distracting".
-
-# Classification Logic
-
-## CORE PRINCIPLE
-
-Tech topic ≠ Productive.
-
-A video is "productive" ONLY if it clearly contains:
-- Step-by-step instruction
-- Hands-on coding
-- Technical walkthrough
-- Debugging session
-- Deep system design explanation
-- Practical implementation details
-
-If the video is:
-- Opinion-based
-- News-style
-- Reaction-style
-- Influencer commentary
-- Product hype
-- Drama framing
-- Industry gossip
-- “X just killed Y”
-- “This changes everything”
-- “You won’t believe…”
-- Tool announcement coverage
-- AI model launch discussion without hands-on demo
-
-→ It is "distracting".
-
-## HARD RULES
-
-1. Reviews, comparisons, or "vs" videos are ONLY productive if:
-   - They include real code examples, benchmarks, architecture diagrams, or implementation walkthroughs.
-   - Otherwise they are distracting.
-
-2. Any video framed around:
-   - hype
-   - shock value
-   - “killer”
-   - “destroyed”
-   - “insane”
-   - “crazy”
-   - “just dropped”
-   - “game changer”
-   - “you need to see this”
-   is automatically classified as "distracting".
-
-3. Influencer-style commentary, even about technical tools, is "distracting".
-
-4. AI news coverage is "distracting" unless it teaches how to implement or use the tool with code.
-
-5. Productive requires clear evidence of active skill development.
-
-## **productive**
-**Criteria:** Content that directly helps the user with software engineering work: tutorials, 
-debugging guides, technology comparisons, coding walkthroughs, system design explanations, or 
-learning job-relevant technical skills.
-
-## **neutral**
-**Criteria:** Content that is audio-centric, calming, or passive background noise designed to help the user focus.
-**Keywords to detect:**
-- "lofi", "music", "ambient", "instrumental", "jazz", "classical"
-- "study", "focus", "relax", "sleep", "meditation"
-- "rain", "white noise", "binaural", "soundscape", "soundtrack"
-- "radio", "beats", "playlist" (when combined with above terms)
-
-## **distracting**
-**Criteria:** **EVERYTHING ELSE.** If it requires visual attention for entertainment, follows a non-educational narrative, or is not work-related technical content.
-**Includes:** Vlogs, gaming/gameplay, non-tech reviews, news, podcasts (non-technical), comedy, reactions, shorts, and livestreams 
-(unless specifically 24/7 music radio or technical content).
-
-Return a JSON object with the following keys:
-1. "classification": "productive" (work-related technical content), "neutral" (focus aids), or "distracting" (everything else).
-2. "reasoning": Brief explanation.
-3. "tags": Array of strings from ONLY these options: ["music", "ambient", "entertainment", "news", "edu", "learning", "content-consumption", "time-sink"].
-4. "confidence_score": Float (0.0 - 1.0)
-`
+	instructions := instructionYouTubeWebsiteClassification
 
-		inputTmpl = `
-The user is currently visiting a YouTube video page. Classify the website based on the following information:
-
-URL: %s
-Title: %s
-Description: %s
-Tags: %s
-`
+	input := fmt.Sprintf(
+		`Classify the following YouTube video:\nURL: %s\nTitle: %s\nDescription: %s\nTags: %s`,
+		url, title, description, strings.Join(tags, ", "),
 	)
 
-	input := fmt.Sprintf(inputTmpl, url, title, description, strings.Join(tags, ", "))
-
-	response, err := s.classifyWithGemini(ctx, instructions, input)
+	response, err := classify(ctx, instructions, input)
 	if err != nil {
 		return nil, fmt.Errorf("failed to classify with Gemini: %w", err)
 	}
@@ -252,44 +151,13 @@ Tags: %s
 	return response, nil
 }
 
-func (s *Service) classifyReddit(ctx context.Context, url, title string) (*ClassificationResponse, error) {
+func classifyReddit(ctx context.Context, url, title string) (*ClassificationResponse, error) {
 	mainContent, err := fetchMainContent(ctx, url)
 	if err != nil {
 		slog.Error("failed to fetch main content", "error", err)
 	}
 
-	var (
-		instructions = `
-You are a Reddit Software Engineer Intent Classifier. Your job is to determine if the user is actively doing work related to their software engineering job or seeking entertainment/distraction.
-
-# Classification Logic
-
-## **productive**
-**Criteria:** Content that directly helps the user with software engineering work: solving technical problems, learning job-relevant skills, system design, architecture, DevOps, debugging, code reviews, or technical leadership.
-**Signals to detect:**
-- **Subreddits:** "programming", "webdev", "golang", "rust", "python", "javascript", "typescript", "devops", "docker", "kubernetes", "linux", "vim", "neovim", "aws", "azure", "gcp", "database", "sql", "react", "svelte", "vue", "node", "backend", "frontend", "softwareengineering", "experienceddevs", "sre", "netsec", "security", "terraform", "ansible", "graphql", "grpc", "microservices", "systemdesign"
-- **Title patterns:** "How to", "Help with", "Debug", "Error", "Fix", "Solved", "Issue with", "Problem:", "[Question]", "Why does", "Best practice", "Architecture", "Design review", "Code review", "Production issue", "Outage", "Incident"
-- **Content signals:** Stack traces, code snippets, error messages, technical discussions, architecture diagrams, system design questions, API discussions, infrastructure problems, deployment issues, monitoring/observability, security vulnerabilities, performance optimization
-
-## **distracting**
-**Criteria:** **EVERYTHING ELSE.** If the content is for entertainment, general browsing, memes, news, politics, gaming, or passive consumption, it is distracting.
-**Includes:**
-- Meme subreddits (even tech memes like "ProgrammerHumor" — entertainment, not work)
-- News, politics, world events
-- Gaming, hobbies, lifestyle content
-- General discussion threads without a specific technical problem
-- Career rants, salary discussions, workplace drama, interview stories
-- "What's your favorite X" or opinion polls
-- Showcase posts without technical depth
-- Venting about managers, coworkers, or company culture
-
-Return a JSON object with the following keys:
-1. "classification": "productive" (actively doing work) or "distracting" (everything else).
-2. "reasoning": Brief explanation.
-3. "tags": Array of strings from ONLY these options: ["music", "ambient", "entertainment", "news", "edu", "learning", "content-consumption", "time-sink"].
-4. "confidence_score": Float (0.0 - 1.0)
-`
-	)
+	instructions := instructionRedditWebsiteClassification
 
 	inputTmpl := `
 The user is currently visiting a Reddit post. Classify the post based on the following information:
@@ -301,7 +169,7 @@ Main Content (if available): %s
 
 	input := fmt.Sprintf(inputTmpl, url, title, mainContent)
 
-	response, err := s.classifyWithGemini(ctx, instructions, input)
+	response, err := classify(ctx, instructions, input)
 	if err != nil {
 		return nil, fmt.Errorf("failed to classify with Gemini: %w", err)
 	}
@@ -309,7 +177,7 @@ Main Content (if available): %s
 	return response, nil
 }
 
-func (s *Service) classifyLinkedin(ctx context.Context, url, title string) (*ClassificationResponse, error) {
+func classifyLinkedin(ctx context.Context, url, title string) (*ClassificationResponse, error) {
 
 	var (
 		ogTitle       = title
@@ -352,100 +220,8 @@ func (s *Service) classifyLinkedin(ctx context.Context, url, title string) (*Cla
 	}
 
 	var (
-		instructions = `
-You are a STRICT LinkedIn Software Engineering Intent Classifier.
-
-Your job is NOT to detect whether a post is about tech.
-Your job is to determine whether the user is actively doing work or learning job-relevant software engineering skills.
-
-You must be extremely conservative.
-
-If there is ANY ambiguity, classify as "distracting".
-
-# Classification Logic
-
-## CORE PRINCIPLE
-
-Tech topic ≠ Productive.
-
-A video is "productive" ONLY if it clearly contains:
-- Step-by-step instruction
-- Hands-on coding
-- Technical walkthrough
-- Debugging session
-- Deep system design explanation
-- Practical implementation details
-
-If the video is:
-- Opinion-based
-- News-style
-- Reaction-style
-- Influencer commentary
-- Product hype
-- Drama framing
-- Industry gossip
-- “X just killed Y”
-- “This changes everything”
-- “You won’t believe…”
-- Tool announcement coverage
-- AI model launch discussion without hands-on demo
-
-→ It is "distracting".
-
-## HARD RULES
-
-1. Reviews, comparisons, or "vs" videos are ONLY productive if:
-   - They include real code examples, benchmarks, architecture diagrams, or implementation walkthroughs.
-   - Otherwise they are distracting.
-
-2. Any video framed around:
-   - hype
-   - shock value
-   - “killer”
-   - “destroyed”
-   - “insane”
-   - “crazy”
-   - “just dropped”
-   - “game changer”
-   - “you need to see this”
-   is automatically classified as "distracting".
-
-3. Influencer-style commentary, even about technical tools, is "distracting".
-
-4. AI news coverage is "distracting" unless it teaches how to implement or use the tool with code.
-
-5. Productive requires clear evidence of active skill development.
-
-
-# Classification Logic
-
-## **productive**
-**Criteria:** ONLY content that directly helps with software engineering work. Must be clearly technical and actionable.
-**Signals to detect:**
-- Technical how-to guides, tutorials, or walkthroughs (coding, architecture, DevOps, tooling)
-- Technology or framework comparisons (e.g. "X vs Y", "Choosing between...")
-- System design, architecture, or engineering blog posts with technical depth
-- Code-related discussions, debugging, performance, security, or infrastructure
-- LinkedIn Learning or similar courses on relevant tech (when identifiable from title/description)
-- Research or deep-dives on languages, frameworks, APIs, or platforms
-
-## **distracting**
-**Criteria:** EVERYTHING ELSE. When in doubt, classify as distracting.
-**Includes:**
-- Career advice, salary discussions, interview stories, job-search content
-- Motivational or hustle-culture posts, influencer content, engagement bait
-- Networking, recruiter messages, profile browsing, company PR or news
-- Personal stories, "hot takes", memes, rants about managers or workplace culture
-- Generic business or leadership content without technical depth
-- Any content that is not clearly and specifically about doing technical work
-
-Return a JSON object with the following keys:
-1. "classification": "productive" (only clearly work-related technical content) or "distracting" (everything else).
-2. "reasoning": Brief explanation.
-3. "tags": Array of strings from ONLY these options: ["music", "ambient", "entertainment", "news", "edu", "learning", "content-consumption", "time-sink"].
-4. "confidence_score": Float (0.0 - 1.0)
-`
-		inputTmpl = `
+		instructions = instructionLinkedInWebsiteClassification
+		inputTmpl    = `
 The user is currently visiting a LinkedIn page. Classify the page based on the following information:
 
 URL: %s
@@ -457,7 +233,7 @@ Main Content (if available): %s
 
 	input := fmt.Sprintf(inputTmpl, url, ogTitle, ogDescription, mainContent)
 
-	response, err := s.classifyWithGemini(ctx, instructions, input)
+	response, err := classify(ctx, instructions, input)
 	if err != nil {
 		return nil, fmt.Errorf("failed to classify with Gemini: %w", err)
 	}
@@ -468,42 +244,10 @@ Main Content (if available): %s
 // classifyMedium classifies Medium articles using only the URL and browser tab title.
 // Medium is behind Cloudflare managed challenges so server-side content fetching is not possible.
 // The URL slug and title are usually descriptive enough for accurate classification.
-func (s *Service) classifyMedium(ctx context.Context, url, title string) (*ClassificationResponse, error) {
+func classifyMedium(ctx context.Context, url, title string) (*ClassificationResponse, error) {
 	var (
-		instructions = `
-You are a Medium Software Engineer Intent Classifier. Your job is to determine if the user is actively doing work related to their software engineering job or seeking entertainment/distraction. Be RESTRICTIVE: only clearly work-related technical content is productive.
-
-NOTE: You will only receive the URL and the browser tab title. Medium articles encode meaningful keywords in their URL slugs (e.g. "golang-web-frameworks-top-picks-for-modern-development"). Use both the URL slug and the title to infer the article's topic.
-
-# Classification Logic
-
-## **productive**
-**Criteria:** ONLY content that directly helps with software engineering work. Must be clearly technical and actionable.
-**Signals to detect:**
-- URL slugs or titles containing technical terms: programming languages (golang, rust, python, javascript, typescript, etc.), frameworks (react, django, gin, fiber, etc.), tools (docker, kubernetes, terraform, etc.)
-- Technical blog posts, engineering deep-dives, tutorials, how-to guides
-- System design, architecture, or engineering articles with technical depth
-- DevOps write-ups, postmortems, infrastructure, deployment, monitoring
-- Code snippets, debugging, performance, security, APIs, databases
-- Author paths or slugs suggesting technical publications: better-programming, level-up-coding, towards-data-science, aws-in-plain-english, etc.
-
-## **distracting**
-**Criteria:** EVERYTHING ELSE. When in doubt, classify as distracting.
-**Includes:**
-- Self-help, productivity porn, hustle culture, life advice, motivational content
-- Opinion pieces, listicles without technical depth, "top 10" non-technical lists
-- Personal stories, career advice, interview stories, salary discussions
-- Politics, lifestyle content, relationship or wellness advice
-- Publications that often host non-technical content: The Startup, Personal Growth, etc.
-- Any content that is not clearly and specifically about doing technical work
-
-Return a JSON object with the following keys:
-1. "classification": "productive" (only clearly work-related technical content) or "distracting" (everything else).
-2. "reasoning": Brief explanation.
-3. "tags": Array of strings from ONLY these options: ["music", "ambient", "entertainment", "news", "edu", "learning", "content-consumption", "time-sink"].
-4. "confidence_score": Float (0.0 - 1.0)
-`
-		inputTmpl = `
+		instructions = instructionMediumWebsiteClassification
+		inputTmpl    = `
 The user is currently visiting a Medium article. Classify the article based on the following information:
 
 URL: %s
@@ -513,7 +257,7 @@ Title: %s
 
 	input := fmt.Sprintf(inputTmpl, url, title)
 
-	response, err := s.classifyWithGemini(ctx, instructions, input)
+	response, err := classify(ctx, instructions, input)
 	if err != nil {
 		return nil, fmt.Errorf("failed to classify with Gemini: %w", err)
 	}
@@ -525,48 +269,10 @@ Title: %s
 // X/Twitter is behind auth walls for server-side fetching, so OpenGraph and content extraction
 // are not reliable. The browser tab title contains the tweet text for status pages, which is
 // a strong signal for classification.
-func (s *Service) classifyTwitter(ctx context.Context, url, title string) (*ClassificationResponse, error) {
+func classifyTwitter(ctx context.Context, url, title string) (*ClassificationResponse, error) {
 	var (
-		instructions = `
-You are an X/Twitter Software Engineer Intent Classifier. Your job is to determine if the user is actively doing work related to their software engineering job or seeking entertainment/distraction. Be RESTRICTIVE: only clearly work-related technical content is productive.
-
-NOTE: You will only receive the URL and the browser tab title. For individual tweets, the browser tab title contains the tweet text. Use both the URL structure and the title to infer the content's purpose.
-
-# Classification Logic
-
-## **productive**
-**Criteria:** ONLY content that directly helps with software engineering work. Must be clearly technical and actionable.
-**Signals to detect:**
-- Technical threads about programming, engineering, architecture, DevOps, security, or infrastructure
-- Library, framework, or language release announcements and changelogs (e.g. "Go 1.23 released", "React 19 is out")
-- Incident postmortems and production war stories with technical lessons
-- Links to or discussions of engineering blog posts, technical papers, or documentation
-- Open source project announcements with technical depth
-- Code snippets, debugging discussions, performance analysis, security advisories
-- Profiles of well-known technical authors when viewing their technical content
-- Technical conference announcements, talk summaries, or slide decks
-
-## **distracting**
-**Criteria:** EVERYTHING ELSE. When in doubt, classify as distracting.
-**Includes:**
-- Hot takes, opinions, and engagement bait (even about tech topics like "X is dead", "Y is overrated")
-- Tech memes, jokes, and humorous content
-- Career advice, salary discussions, job search content, interview stories
-- Political content, news, world events
-- Personal stories, life updates, motivational content
-- Recruiter outreach, hiring announcements, company PR
-- Celebrity or influencer content
-- Rants about managers, workplace culture, or industry drama
-- "Unpopular opinion" or "hot take" threads
-- Any content that is not clearly and specifically about doing technical work
-
-Return a JSON object with the following keys:
-1. "classification": "productive" (only clearly work-related technical content) or "distracting" (everything else).
-2. "reasoning": Brief explanation.
-3. "tags": Array of strings from ONLY these options: ["music", "ambient", "entertainment", "news", "edu", "learning", "content-consumption", "time-sink"].
-4. "confidence_score": Float (0.0 - 1.0)
-`
-		inputTmpl = `
+		instructions = instructionTwitterWebsiteClassification
+		inputTmpl    = `
 The user is currently visiting an X/Twitter page. Classify the page based on the following information:
 
 URL: %s
@@ -576,7 +282,7 @@ Title: %s
 
 	input := fmt.Sprintf(inputTmpl, url, title)
 
-	response, err := s.classifyWithGemini(ctx, instructions, input)
+	response, err := classify(ctx, instructions, input)
 	if err != nil {
 		return nil, fmt.Errorf("failed to classify with Gemini: %w", err)
 	}
@@ -584,52 +290,13 @@ Title: %s
 	return response, nil
 }
 
-func (s *Service) classifyHackerNews(ctx context.Context, url, title string) (*ClassificationResponse, error) {
+func classifyHackerNews(ctx context.Context, url, title string) (*ClassificationResponse, error) {
 	mainContent, err := fetchMainContent(ctx, url)
 	if err != nil {
 		slog.Error("failed to fetch main content", "error", err)
 	}
 
-	var (
-		instructions = `
-You are a Hacker News Software Engineer Intent Classifier. Your job is to determine if the user is actively doing work related to their software engineering job or seeking entertainment/distraction. Be RESTRICTIVE: only clearly work-related technical content is productive.
-
-# Classification Logic
-
-## **productive**
-**Criteria:** ONLY content that directly helps with software engineering work. Must be clearly technical and actionable.
-**Signals to detect:**
-- Technical articles about programming languages, frameworks, tools, or infrastructure
-- "Show HN" posts with genuine technical depth: new libraries, tools, architectures, or engineering solutions
-- "Ask HN" posts asking about specific technical problems: debugging, architecture decisions, tool selection, performance
-- Engineering blog posts: postmortems, system design, scaling, security, monitoring, deployment
-- Deep-dives into algorithms, data structures, distributed systems, databases, networking
-- Open source project announcements with technical substance
-- Language/framework release notes and migration guides
-- Security advisories, CVE discussions, vulnerability analysis
-- DevOps, SRE, and infrastructure discussions with technical depth
-
-## **distracting**
-**Criteria:** EVERYTHING ELSE. When in doubt, classify as distracting.
-**Includes:**
-- Political threads, policy discussions, regulation debates
-- Career advice, salary discussions, "Who is hiring?" threads, interview experiences
-- "Ask HN: What's your favorite X?" or opinion polls without technical depth
-- Lifestyle content, productivity tips, work-life balance discussions
-- Startup drama, company news without technical relevance, funding announcements
-- Non-technical "Show HN" (e.g. games, art projects, lifestyle apps without technical depth)
-- Meta-HN discussions about moderation, community, or voting
-- Science or academic content not directly related to software engineering
-- General interest articles (history, philosophy, economics) even if intellectually stimulating
-- Comment threads that have devolved into off-topic debate
-
-Return a JSON object with the following keys:
-1. "classification": "productive" (only clearly work-related technical content) or "distracting" (everything else).
-2. "reasoning": Brief explanation.
-3. "tags": Array of strings from ONLY these options: ["music", "ambient", "entertainment", "news", "edu", "learning", "content-consumption", "time-sink"].
-4. "confidence_score": Float (0.0 - 1.0)
-`
-	)
+	instructions := instructionHackerNewsWebsiteClassification
 
 	inputTmpl := `
 The user is currently visiting a Hacker News page. Classify the page based on the following information:
@@ -641,7 +308,7 @@ Main Content (if available): %s
 
 	input := fmt.Sprintf(inputTmpl, url, title, mainContent)
 
-	response, err := s.classifyWithGemini(ctx, instructions, input)
+	response, err := classify(ctx, instructions, input)
 	if err != nil {
 		return nil, fmt.Errorf("failed to classify with Gemini: %w", err)
 	}
@@ -651,7 +318,7 @@ Main Content (if available): %s
 
 // classifySubstack classifies Substack newsletter articles using OpenGraph metadata and content extraction.
 // Substack pages are generally scrapable without heavy Cloudflare challenges.
-func (s *Service) classifySubstack(ctx context.Context, url, title string) (*ClassificationResponse, error) {
+func classifySubstack(ctx context.Context, url, title string) (*ClassificationResponse, error) {
 	httpClient := &http.Client{Timeout: 3000 * time.Millisecond}
 
 	var (
@@ -692,44 +359,8 @@ func (s *Service) classifySubstack(ctx context.Context, url, title string) (*Cla
 	}
 
 	var (
-		instructions = `
-You are a Substack Software Engineer Intent Classifier. Your job is to determine if the user is actively doing work related to their software engineering job or seeking entertainment/distraction. Be RESTRICTIVE: only clearly work-related technical content is productive.
-
-# Classification Logic
-
-## **productive**
-**Criteria:** ONLY content that directly helps with software engineering work. Must be clearly technical and actionable.
-**Signals to detect:**
-- Technical newsletters about programming, system design, architecture, DevOps, security
-- Engineering deep-dives: database internals, distributed systems, networking, performance
-- Language or framework tutorials, guides, and best practices
-- Security advisories, vulnerability analysis, threat modeling
-- Infrastructure and cloud engineering content
-- Open source project updates with technical substance
-- Technical book reviews or paper summaries relevant to software engineering
-- Newsletter authors known for technical content (e.g. engineering-focused Substacks)
-- URL subdomains or slugs containing technical terms: programming languages, frameworks, tools
-
-## **distracting**
-**Criteria:** EVERYTHING ELSE. When in doubt, classify as distracting.
-**Includes:**
-- Self-help, productivity advice, hustle culture, motivational content
-- Career advice, job market analysis, salary discussions, interview tips
-- Opinion pieces, hot takes, and thought leadership without technical depth
-- Political commentary, news analysis, cultural criticism
-- Lifestyle content, wellness, personal finance, relationship advice
-- General interest newsletters (history, philosophy, economics)
-- Tech industry gossip, company drama, funding news without technical relevance
-- "State of the industry" pieces that are opinion-heavy and light on technical content
-- Any content that is not clearly and specifically about doing technical work
-
-Return a JSON object with the following keys:
-1. "classification": "productive" (only clearly work-related technical content) or "distracting" (everything else).
-2. "reasoning": Brief explanation.
-3. "tags": Array of strings from ONLY these options: ["music", "ambient", "entertainment", "news", "edu", "learning", "content-consumption", "time-sink"].
-4. "confidence_score": Float (0.0 - 1.0)
-`
-		inputTmpl = `
+		instructions = instructionSubstackWebsiteClassification
+		inputTmpl    = `
 The user is currently visiting a Substack article. Classify the article based on the following information:
 
 URL: %s
@@ -741,7 +372,7 @@ Main Content (if available): %s
 
 	input := fmt.Sprintf(inputTmpl, url, ogTitle, ogDescription, mainContent)
 
-	response, err := s.classifyWithGemini(ctx, instructions, input)
+	response, err := classify(ctx, instructions, input)
 	if err != nil {
 		return nil, fmt.Errorf("failed to classify with Gemini: %w", err)
 	}
@@ -752,122 +383,8 @@ Main Content (if available): %s
 // classifySlack classifies Slack activity using the browser tab title (or window title for desktop).
 // No HTTP fetching is needed — the title contains the channel/DM name which is the primary signal.
 // Titles typically look like: "#engineering - Acme Corp Slack" or "Slack | #random | My Workspace"
-func (s *Service) classifySlack(ctx context.Context, url, title string) (*ClassificationResponse, error) {
-	var (
-		instructions = `
-You are a Slack Software Engineer Intent Classifier. Your job is to determine if the user is engaged in productive work communication, general organizational activity, or distracted by non-essential chatter. You will primarily receive the browser tab title (or desktop window title) — this is your main signal.
-
-# Classification Logic
-
-## **productive**
-**Criteria:** Direct work communication, project discussions, incident response, technical collaboration, or focused async work.
-**Indicators:**
-- Work-related channels: #engineering, #product, #design, #support, #incidents, #deploys, #standup, #sprint-*, #dev-*, #backend, #frontend, #infra, #security, #ops, #platform, #release-*, #bug-*, #feature-*, #project-*, #review-*, #ci-*, #monitoring, #alerts, #on-call
-- DMs discussing work tasks (inferred from title context)
-- Threads with technical discussions
-- Huddles or calls (likely meetings)
-- Canvas or document collaboration
-- Any channel name that clearly relates to a specific project, team function, or work task
-
-## **neutral**
-**Criteria:** General organizational communication that is neither clearly productive nor distracting. Company-wide or team-wide channels used for announcements and coordination.
-**Indicators:**
-- General channels: #general, #announcements, #company, #all-hands, #team-*, #org-*, #office-*, #hr, #it-support, #helpdesk, #onboarding, #welcome
-- Channels that serve organizational purposes without being directly about project work
-- Workspace home page or search without specific channel context
-- Browsing channel list without engaging (title contains "Browse channels" or similar)
-
-## **distracting**
-**Criteria:** Social channels, watercooler chat, entertainment, or passive browsing without clear work purpose.
-**Indicators:**
-- Social/fun channels: #random, #watercooler, #pets, #food, #memes, #off-topic, #fun-*, #chat-*, #social-*, #music, #gaming, #sports, #books, #movies, #travel, #fitness, #jokes, #dogs, #cats, #photos
-- Content consumption channels: #links, #articles, #videos, #interesting-*, #cool-*
-- Any channel name that suggests entertainment, socializing, or non-work activity
-
-# Output Format
-
-Return a JSON object with the following keys:
-1. "classification": "productive" (work communication), "neutral" (general org channels), or "distracting" (social/entertainment).
-2. "reasoning": Brief explanation.
-3. "tags": Array of strings from ONLY these options: ["communication", "entertainment", "time-sink", "content-consumption"].
-4. "confidence_score": Float (0.0 - 1.0)
-5. "detected_communication_channel": The channel or DM name extracted from the title (e.g., "#engineering", "#random", "DM with John", "thread in #product"). Return empty string if unable to determine.
-`
-		inputTmpl = `
-The user is currently using Slack. Classify their activity based on the following information:
-
-URL (if available): %s
-Title: %s
-`
-	)
-
-	input := fmt.Sprintf(inputTmpl, url, title)
-
-	response, err := s.classifyWithGemini(ctx, instructions, input)
-	if err != nil {
-		return nil, fmt.Errorf("failed to classify with Gemini: %w", err)
-	}
-
-	return response, nil
-}
-
-func (s *Service) classifyWithGemini(ctx context.Context, instructions, input string) (*ClassificationResponse, error) {
-	if s.genaiClient == nil {
-		return nil, errors.New("genai client not configured")
-	}
-
-	// Since this is latency sensitive, we use the fastest model available for each tier.
-	models := map[apiv1.DeviceHandshakeResponse_AccountTier]string{
-		apiv1.DeviceHandshakeResponse_ACCOUNT_TIER_UNSPECIFIED: "gemini-2.5-flash-lite",
-		apiv1.DeviceHandshakeResponse_ACCOUNT_TIER_FREE:        "gemini-2.5-flash-lite",
-		apiv1.DeviceHandshakeResponse_ACCOUNT_TIER_TRIAL:       "gemini-2.5-flash-lite",
-		apiv1.DeviceHandshakeResponse_ACCOUNT_TIER_PLUS:        "gemini-3.1-flash-lite-preview",
-		apiv1.DeviceHandshakeResponse_ACCOUNT_TIER_PRO:         "gemini-3.1-flash-lite-preview",
-	}
-
-	tier := identity.GetAccountTier()
-	if !slices.Contains([]apiv1.DeviceHandshakeResponse_AccountTier{apiv1.DeviceHandshakeResponse_ACCOUNT_TIER_FREE, apiv1.DeviceHandshakeResponse_ACCOUNT_TIER_PLUS}, tier) {
-		slog.Warn("tier is not pro, using free model", "tier", tier)
-
-		tier = apiv1.DeviceHandshakeResponse_ACCOUNT_TIER_FREE
-	}
-
-	resp, err := s.genaiClient.Models.GenerateContent(ctx, models[tier], []*genai.Content{
-		{
-			Role: "user",
-			Parts: []*genai.Part{
-				genai.NewPartFromText(input),
-			},
-		},
-	}, &genai.GenerateContentConfig{
-		SystemInstruction: &genai.Content{
-			Parts: []*genai.Part{
-				genai.NewPartFromText(instructions),
-			},
-		},
-	})
-	if err != nil {
-		return nil, err
-	}
-
-	if len(resp.Candidates) == 0 || len(resp.Candidates[0].Content.Parts) == 0 {
-		return nil, errors.New("empty response from Gemini")
-	}
-
-	text := resp.Candidates[0].Content.Parts[0].Text
-
-	replacer := strings.NewReplacer("```json", "", "`", "")
-	text = replacer.Replace(text)
-
-	slog.Info("Website classification response", "resp", text)
-
-	var response ClassificationResponse
-
-	if err := json.Unmarshal([]byte(text), &response); err != nil {
-		return nil, err
-	}
-
-	response.ClassificationSource = ClassificationSourceCloudLLMGemini
+func classifySlack(ctx context.Context, url, title string) (*ClassificationResponse, error) {
+	input := fmt.Sprintf("Slack web title: %s\nURL: %s", title, url)
 
-	return &response, nil
+	return classifySlackActivity(ctx, input)
 }
diff --git a/internal/usage/classifier_llm_website_prompt.go b/internal/usage/classifier_llm_website_prompt.go
new file mode 100644
index 0000000..a369ad2
--- /dev/null
+++ b/internal/usage/classifier_llm_website_prompt.go
@@ -0,0 +1,12 @@
+package usage
+
+var (
+	instructionGenericWebsiteClassification    = mustLoadPrompt("website", "website_generic.txt")
+	instructionYouTubeWebsiteClassification    = mustLoadPrompt("website", "website_youtube.txt")
+	instructionRedditWebsiteClassification     = mustLoadPrompt("website", "website_reddit.txt")
+	instructionLinkedInWebsiteClassification   = mustLoadPrompt("website", "website_linkedin.txt")
+	instructionMediumWebsiteClassification     = mustLoadPrompt("website", "website_medium.txt")
+	instructionTwitterWebsiteClassification    = mustLoadPrompt("website", "website_twitter.txt")
+	instructionHackerNewsWebsiteClassification = mustLoadPrompt("website", "website_hackernews.txt")
+	instructionSubstackWebsiteClassification   = mustLoadPrompt("website", "website_substack.txt")
+)
diff --git a/internal/usage/classifier_obviously.go b/internal/usage/classifier_obviously.go
index f7684e5..aff7479 100644
--- a/internal/usage/classifier_obviously.go
+++ b/internal/usage/classifier_obviously.go
@@ -503,10 +503,26 @@ func (s *Service) classifyObviously(ctx context.Context, appName string, url *st
 }
 
 func (s *Service) classifyObviouslyWebsite(ctx context.Context, browserURL string) (*ClassificationResponse, error) {
-	hostname, path := parseURL(browserURL)
+	u, err := parseURLNormalized(browserURL)
+	if err != nil {
+		return nil, err
+	}
+
+	hostname := u.Hostname()
+	path := u.Path
 
 	hasPath := path != "" && path != "/"
 
+	if isDeterministicCriticalNoBlockURL(browserURL) {
+		return &ClassificationResponse{
+			Classification:       ClassificationNeutral,
+			ClassificationSource: ClassificationSourceObviously,
+			Reasoning:            "Payment/booking flow detected - safety override to avoid interruption",
+			ConfidenceScore:      1.0,
+			Tags:                 []string{"other"},
+		}, nil
+	}
+
 	// 0. Check always-allow path categories first (e.g. focusd.so/blocked)
 	fullURL := hostname + path
 	for _, cat := range alwaysAllowPathCategories {
diff --git a/internal/usage/harness_test.go b/internal/usage/harness_test.go
new file mode 100644
index 0000000..e1774cc
--- /dev/null
+++ b/internal/usage/harness_test.go
@@ -0,0 +1,465 @@
+package usage_test
+
+import (
+	"bytes"
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"reflect"
+	"strings"
+	"sync"
+	"testing"
+	"time"
+
+	"github.com/focusd-so/focusd/internal/settings"
+	"github.com/focusd-so/focusd/internal/usage"
+	"github.com/spf13/viper"
+	"github.com/stretchr/testify/require"
+	"gorm.io/driver/sqlite"
+	"gorm.io/gorm"
+)
+
+type usageHarness struct {
+	t       *testing.T
+	service *usage.Service
+	db      *gorm.DB
+
+	mu            sync.Mutex
+	usageEvents   []*usage.ApplicationUsage
+	pausedEvents  []usage.ProtectionPause
+	resumedEvents []usage.ProtectionPause
+}
+
+type usageHarnessConfig struct {
+	customRulesJS string
+	llmResponse   usage.ClassificationResponse
+}
+
+type usageHarnessOption func(*usageHarnessConfig)
+
+func withCustomRulesJS(customRules string) usageHarnessOption {
+	return func(cfg *usageHarnessConfig) {
+		cfg.customRulesJS = customRules
+	}
+}
+
+func withDummyLLMResponse(resp usage.ClassificationResponse) usageHarnessOption {
+	return func(cfg *usageHarnessConfig) {
+		cfg.llmResponse = resp
+	}
+}
+
+func newUsageHarness(t *testing.T, opts ...usageHarnessOption) *usageHarness {
+	t.Helper()
+
+	cfg := usageHarnessConfig{
+		llmResponse: usage.ClassificationResponse{
+			Classification:  usage.ClassificationNone,
+			Reasoning:       "dummy integration classification",
+			ConfidenceScore: 1,
+			Tags:            []string{"other"},
+		},
+	}
+
+	for _, opt := range opts {
+		opt(&cfg)
+	}
+
+	overrideTestConfig(t, cfg)
+	stubFaviconFetcher(t)
+
+	db, err := gorm.Open(sqlite.Open(memoryDSNForHarness(t)), &gorm.Config{})
+	require.NoError(t, err)
+
+	ctx, cancel := context.WithCancel(context.Background())
+	t.Cleanup(cancel)
+
+	h := &usageHarness{t: t, db: db}
+
+	h.service, err = usage.NewService(ctx, db)
+	require.NoError(t, err)
+
+	h.service.OnUsageUpdated(func(appUsage *usage.ApplicationUsage) {
+		h.mu.Lock()
+		defer h.mu.Unlock()
+		h.usageEvents = append(h.usageEvents, appUsage)
+	})
+
+	h.service.OnProtectionPause(func(pause usage.ProtectionPause) {
+		h.mu.Lock()
+		defer h.mu.Unlock()
+		h.pausedEvents = append(h.pausedEvents, pause)
+	})
+
+	h.service.OnProtectionResumed(func(pause usage.ProtectionPause) {
+		h.mu.Lock()
+		defer h.mu.Unlock()
+		h.resumedEvents = append(h.resumedEvents, pause)
+	})
+
+	return h
+}
+
+func memoryDSNForHarness(t *testing.T) string {
+	t.Helper()
+
+	return fmt.Sprintf("file:%s?mode=memory&cache=shared&_busy_timeout=5000", url.QueryEscape(t.Name()))
+}
+
+func (h *usageHarness) TitleChanged(appName, windowTitle string, browserURL *string) *usageHarness {
+	h.t.Helper()
+	h.retryLocked(func() error {
+		_, err := h.service.TitleChanged(context.Background(), appName, windowTitle, appName, "", nil, browserURL, nil)
+		return err
+	})
+	return h
+}
+
+func (h *usageHarness) Await(dur time.Duration) *usageHarness {
+	h.t.Helper()
+	time.Sleep(dur)
+	return h
+}
+
+func (h *usageHarness) TitleChangedRaw(executablePath, windowTitle, appName, icon string, bundleID, browserURL, appCategory *string) *usageHarness {
+	h.t.Helper()
+	h.retryLocked(func() error {
+		_, err := h.service.TitleChanged(context.Background(), executablePath, windowTitle, appName, icon, bundleID, browserURL, appCategory)
+		return err
+	})
+	return h
+}
+
+func (h *usageHarness) EnterIdle() *usageHarness {
+	h.t.Helper()
+	h.IdleChanged(true)
+	return h
+}
+
+func (h *usageHarness) IdleChanged(isIdle bool) *usageHarness {
+	h.t.Helper()
+	h.retryLocked(func() error {
+		_, err := h.service.IdleChanged(context.Background(), isIdle)
+		return err
+	})
+	return h
+}
+
+func (h *usageHarness) Pause(durationSeconds int, reason string) *usageHarness {
+	h.t.Helper()
+	h.retryLocked(func() error {
+		_, err := h.service.PauseProtection(durationSeconds, reason)
+		return err
+	})
+	return h
+}
+
+func (h *usageHarness) Resume(reason string) *usageHarness {
+	h.t.Helper()
+	h.retryLocked(func() error {
+		_, err := h.service.ResumeProtection(reason)
+		return err
+	})
+	return h
+}
+
+func (h *usageHarness) Whitelist(appName, hostname string, duration time.Duration) *usageHarness {
+	h.t.Helper()
+	h.retryLocked(func() error {
+		return h.service.Whitelist(appName, hostname, duration)
+	})
+	return h
+}
+
+func (h *usageHarness) RemoveActiveWhitelists() *usageHarness {
+	h.t.Helper()
+	h.retryLocked(func() error {
+		wls, err := h.service.GetWhitelist()
+		if err != nil {
+			return err
+		}
+		for _, wl := range wls {
+			if err := h.service.RemoveWhitelist(wl.ID); err != nil {
+				return err
+			}
+		}
+		return nil
+	})
+	return h
+}
+
+func (h *usageHarness) UsageList() []usage.ApplicationUsage {
+	h.t.Helper()
+	var (
+		usages []usage.ApplicationUsage
+		err    error
+	)
+	h.retryLocked(func() error {
+		usages, err = h.service.GetUsageList(usage.GetUsageListOptions{})
+		return err
+	})
+	return usages
+}
+
+func (h *usageHarness) OpenUsage() usage.ApplicationUsage {
+	h.t.Helper()
+
+	var appUsage usage.ApplicationUsage
+	h.retryLocked(func() error {
+		return h.db.Preload("Application").Preload("Tags").Where("ended_at IS NULL").Order("started_at DESC").First(&appUsage).Error
+	})
+	return appUsage
+}
+
+func (h *usageHarness) LastUsageByTitle(windowTitle string) usage.ApplicationUsage {
+	h.t.Helper()
+
+	var appUsage usage.ApplicationUsage
+	h.retryLocked(func() error {
+		return h.db.Preload("Application").Preload("Tags").Where("window_title = ?", windowTitle).Order("started_at DESC").First(&appUsage).Error
+	})
+	return appUsage
+}
+
+func (h *usageHarness) AssertLastUsage(check ...func(*usage.ApplicationUsage)) *usageHarness {
+	h.t.Helper()
+
+	var appUsage usage.ApplicationUsage
+	h.retryLocked(func() error {
+		return h.db.Preload("Application").Preload("Tags").Order("id DESC").First(&appUsage).Error
+	})
+
+	for _, c := range check {
+		c(&appUsage)
+	}
+
+	return h
+}
+
+func (h *usageHarness) AssertPreviousUsage(check ...func(*usage.ApplicationUsage)) *usageHarness {
+	h.t.Helper()
+
+	var appUsages []usage.ApplicationUsage
+	h.retryLocked(func() error {
+		return h.db.Preload("Application").Preload("Tags").Order("id DESC").Limit(2).Find(&appUsages).Error
+	})
+
+	if len(appUsages) < 2 {
+		for _, c := range check {
+			c(nil)
+		}
+	} else {
+		for _, c := range check {
+			c(&appUsages[1])
+		}
+	}
+
+	return h
+}
+
+func (h *usageHarness) AssertUpdateEventsCount(count int) *usageHarness {
+	h.t.Helper()
+
+	require.Equal(h.t, count, len(h.UsageEvents()))
+	return h
+}
+
+func (h *usageHarness) AssertUsagesCount(count int) *usageHarness {
+	h.t.Helper()
+
+	require.Equal(h.t, count, h.CountUsages())
+	return h
+}
+
+func (h *usageHarness) CountUsages() int {
+	h.t.Helper()
+
+	var count int64
+	h.retryLocked(func() error {
+		return h.db.Model(&usage.ApplicationUsage{}).Count(&count).Error
+	})
+	return int(count)
+}
+
+func (h *usageHarness) retryLocked(fn func() error) {
+	h.t.Helper()
+
+	deadline := time.Now().Add(1500 * time.Millisecond)
+	for {
+		err := fn()
+		if err == nil {
+			return
+		}
+
+		if !strings.Contains(err.Error(), "database table is locked") {
+			require.NoError(h.t, err)
+		}
+
+		if time.Now().After(deadline) {
+			require.NoError(h.t, err)
+		}
+
+		time.Sleep(20 * time.Millisecond)
+	}
+}
+
+func (h *usageHarness) UsageEvents() []*usage.ApplicationUsage {
+	h.mu.Lock()
+	defer h.mu.Unlock()
+	return append([]*usage.ApplicationUsage(nil), h.usageEvents...)
+}
+
+func (h *usageHarness) ResetUsageEvents() *usageHarness {
+	h.mu.Lock()
+	defer h.mu.Unlock()
+	h.usageEvents = nil
+	return h
+}
+
+func assertUsageApplicationName(t *testing.T, appName string) func(*usage.ApplicationUsage) {
+	t.Helper()
+
+	return func(u *usage.ApplicationUsage) {
+		require.Equal(t, appName, u.Application.Name)
+	}
+}
+
+func assertUsageHostname(t *testing.T, hostname string) func(*usage.ApplicationUsage) {
+	t.Helper()
+
+	return func(u *usage.ApplicationUsage) {
+		require.Equal(t, hostname, fromPtr(u.Application.Hostname))
+	}
+}
+
+func assertUsageClassification(t *testing.T, classification usage.Classification) func(*usage.ApplicationUsage) {
+	t.Helper()
+
+	return func(u *usage.ApplicationUsage) {
+		require.Equal(t, classification, u.Classification)
+	}
+}
+
+func assertTerminationMode(t *testing.T, mode usage.TerminationMode) func(*usage.ApplicationUsage) {
+	t.Helper()
+
+	return func(u *usage.ApplicationUsage) {
+		require.Equal(t, mode, u.TerminationMode)
+	}
+}
+
+func assertTerminationModeSource(t *testing.T, source usage.TerminationModeSource) func(*usage.ApplicationUsage) {
+	t.Helper()
+
+	return func(u *usage.ApplicationUsage) {
+		require.Equal(t, source, fromPtr(u.TerminationSource))
+	}
+}
+
+func assertUsageOpened(t *testing.T) func(*usage.ApplicationUsage) {
+	t.Helper()
+
+	return func(u *usage.ApplicationUsage) {
+		require.Nil(t, u.EndedAt)
+	}
+}
+
+func assertUsageClosed(t *testing.T) func(*usage.ApplicationUsage) {
+	t.Helper()
+
+	return func(u *usage.ApplicationUsage) {
+		require.NotNil(t, u.EndedAt)
+	}
+}
+
+func overrideTestConfig(t *testing.T, cfg usageHarnessConfig) {
+	t.Helper()
+
+	type viperValue struct {
+		isSet bool
+		value any
+	}
+
+	keys := []string{"classification_llm_provider", "dummy_classification_response", "custom_rules_js"}
+	snapshot := map[string]viperValue{}
+
+	for _, key := range keys {
+		snapshot[key] = viperValue{isSet: viper.IsSet(key), value: viper.Get(key)}
+	}
+
+	llmRespJSON, err := json.Marshal(cfg.llmResponse)
+	require.NoError(t, err)
+
+	viper.Set("classification_llm_provider", settings.LLMProviderDummy)
+	viper.Set("dummy_classification_response", string(llmRespJSON))
+
+	if cfg.customRulesJS == "" {
+		viper.Set("custom_rules_js", []string{})
+	} else {
+		viper.Set("custom_rules_js", []string{base64.StdEncoding.EncodeToString([]byte(cfg.customRulesJS))})
+	}
+
+	t.Cleanup(func() {
+		for key, val := range snapshot {
+			if val.isSet {
+				viper.Set(key, val.value)
+				continue
+			}
+			viper.Set(key, nil)
+		}
+	})
+}
+
+type roundTripFunc func(req *http.Request) (*http.Response, error)
+
+func (f roundTripFunc) RoundTrip(req *http.Request) (*http.Response, error) {
+	return f(req)
+}
+
+func stubFaviconFetcher(t *testing.T) {
+	t.Helper()
+
+	oldTransport := http.DefaultClient.Transport
+
+	http.DefaultClient.Transport = roundTripFunc(func(req *http.Request) (*http.Response, error) {
+		if req.URL.Host == "www.google.com" && req.URL.Path == "/s2/favicons" {
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       io.NopCloser(bytes.NewBufferString("ico")),
+				Header:     make(http.Header),
+				Request:    req,
+			}, nil
+		}
+
+		if oldTransport != nil {
+			return oldTransport.RoundTrip(req)
+		}
+
+		return http.DefaultTransport.RoundTrip(req)
+	})
+
+	t.Cleanup(func() {
+		http.DefaultClient.Transport = oldTransport
+	})
+}
+
+func withPtr[T any](v T) *T {
+	// check if v is zero value
+	if reflect.ValueOf(v).IsZero() {
+		return nil
+	}
+
+	return &v
+}
+
+func fromPtr[T any](v *T) T {
+	if v == nil {
+		return *new(T)
+	}
+
+	return *v
+}
diff --git a/internal/usage/insights_basic.go b/internal/usage/insights_basic.go
index cb88d54..5d7660f 100644
--- a/internal/usage/insights_basic.go
+++ b/internal/usage/insights_basic.go
@@ -76,6 +76,14 @@ func (s *Service) GetUsageList(options GetUsageListOptions) ([]ApplicationUsage,
 	return usages, nil
 }
 
+func (s *Service) GetApplicationList() ([]Application, error) {
+	var applications []Application
+	if err := s.db.Find(&applications).Error; err != nil {
+		return nil, err
+	}
+	return applications, nil
+}
+
 func (s *Service) GetUsageAggregation(options GetUsageListOptions) ([]UsageAggregation, error) {
 	var usages []ApplicationUsage
 
diff --git a/internal/usage/insights_basic_test.go b/internal/usage/insights_basic_test.go
index 66e4421..7fbfda9 100644
--- a/internal/usage/insights_basic_test.go
+++ b/internal/usage/insights_basic_test.go
@@ -9,11 +9,6 @@ import (
 	"github.com/focusd-so/focusd/internal/usage"
 )
 
-// timePtr returns a pointer to the given time.
-func timePtr(t time.Time) *time.Time { return &t }
-
-func terminationModePtr(mode usage.TerminationMode) *usage.TerminationMode { return &mode }
-
 func TestGetUsageList_NoFilters(t *testing.T) {
 	service, db := setUpService(t)
 
@@ -69,7 +64,7 @@ func TestGetUsageList_StartedAtFilter(t *testing.T) {
 	// Filter: startedAt >= 12:00 → should return usages at 14:00 and 18:00
 	startedAt := time.Date(2025, 6, 15, 12, 0, 0, 0, time.UTC)
 	result, err := service.GetUsageList(usage.GetUsageListOptions{
-		StartedAt: timePtr(startedAt),
+		StartedAt: withPtr(startedAt),
 	})
 	require.NoError(t, err)
 	require.Len(t, result, 2, "only usages starting at or after 12:00 should be returned")
@@ -106,7 +101,7 @@ func TestGetUsageList_EndedAtFilter(t *testing.T) {
 	// Filter: endedAt <= 11:00 → should return u0 (ends 08:30) and u1 (ends 10:45)
 	endedAt := time.Date(2025, 6, 15, 11, 0, 0, 0, time.UTC)
 	result, err := service.GetUsageList(usage.GetUsageListOptions{
-		EndedAt: timePtr(endedAt),
+		EndedAt: withPtr(endedAt),
 	})
 	require.NoError(t, err)
 	require.Len(t, result, 2, "only usages ending at or before 11:00 should be returned")
@@ -146,8 +141,8 @@ func TestGetUsageList_StartedAtAndEndedAtCombined(t *testing.T) {
 	endedAt := time.Date(2025, 6, 15, 15, 0, 0, 0, time.UTC)
 
 	result, err := service.GetUsageList(usage.GetUsageListOptions{
-		StartedAt: timePtr(startedAt),
-		EndedAt:   timePtr(endedAt),
+		StartedAt: withPtr(startedAt),
+		EndedAt:   withPtr(endedAt),
 	})
 	require.NoError(t, err)
 	require.Len(t, result, 2, "only usages within the [09:00, 15:00] window should be returned")
@@ -175,7 +170,7 @@ func TestGetUsageList_StartedAtExactBoundary(t *testing.T) {
 
 	// startedAt filter equals the exact start time → should include the usage (>=)
 	result, err := service.GetUsageList(usage.GetUsageListOptions{
-		StartedAt: timePtr(startAt),
+		StartedAt: withPtr(startAt),
 	})
 	require.NoError(t, err)
 	require.Len(t, result, 1, "usage starting at exact boundary should be included (>=)")
@@ -201,7 +196,7 @@ func TestGetUsageList_EndedAtExactBoundary(t *testing.T) {
 
 	// endedAt filter equals the exact end time → should include the usage (<=)
 	result, err := service.GetUsageList(usage.GetUsageListOptions{
-		EndedAt: timePtr(endAt),
+		EndedAt: withPtr(endAt),
 	})
 	require.NoError(t, err)
 	require.Len(t, result, 1, "usage ending at exact boundary should be included (<=)")
@@ -320,7 +315,7 @@ func TestGetUsageList_DateFilter(t *testing.T) {
 	// Filter by day1 only
 	filterDate := time.Date(2025, 6, 15, 0, 0, 0, 0, time.UTC)
 	result, err := service.GetUsageList(usage.GetUsageListOptions{
-		Date: timePtr(filterDate),
+		Date: withPtr(filterDate),
 	})
 	require.NoError(t, err)
 	require.Len(t, result, 1, "only usages on 2025-06-15 should be returned")
@@ -346,7 +341,7 @@ func TestGetUsageList_DateFilterNoMatches(t *testing.T) {
 	// Filter by a date with no usages
 	noMatchDate := time.Date(2025, 7, 1, 0, 0, 0, 0, time.UTC)
 	result, err := service.GetUsageList(usage.GetUsageListOptions{
-		Date: timePtr(noMatchDate),
+		Date: withPtr(noMatchDate),
 	})
 	require.NoError(t, err)
 	require.Len(t, result, 0, "no usages should match a date with no data")
@@ -380,16 +375,16 @@ func TestGetUsageList_PaginationPageAndPageSize(t *testing.T) {
 		PageSize: &pageSize,
 	})
 	require.NoError(t, err)
-	require.Len(t, result, 5, "PageSize sets offset only, not limit — all remaining rows from offset 0 returned")
+	require.Len(t, result, 2, "Page 0 should return 2 items")
 
-	// Page 1, size 2 → offset=2, skips first 2 (DESC order: returns index 2, 1, 0)
+	// Page 1, size 2 → offset=2, skips first 2 (DESC order: returns index 2, 1)
 	page = 1
 	result, err = service.GetUsageList(usage.GetUsageListOptions{
 		Page:     &page,
 		PageSize: &pageSize,
 	})
 	require.NoError(t, err)
-	require.Len(t, result, 3, "page 1 with pageSize 2 should skip 2 and return remaining 3")
+	require.Len(t, result, 2, "page 1 with pageSize 2 should skip 2 and return next 2")
 
 	// Page 2, size 2 → offset=4, skips first 4 (returns index 0 only)
 	page = 2
@@ -478,8 +473,8 @@ func TestGetUsageList_DateCombinedWithStartedAtAndEndedAt(t *testing.T) {
 	// → only u1 (14:00) should match; u0 is before 10:00 and other-day is excluded by Date
 	startedAt := time.Date(2025, 6, 15, 10, 0, 0, 0, time.UTC)
 	result, err := service.GetUsageList(usage.GetUsageListOptions{
-		Date:      timePtr(day),
-		StartedAt: timePtr(startedAt),
+		Date:      withPtr(day),
+		StartedAt: withPtr(startedAt),
 	})
 	require.NoError(t, err)
 	require.Len(t, result, 1)
@@ -521,8 +516,8 @@ func TestGetUsageList_NoMatchesWithNarrowWindow(t *testing.T) {
 	endedAt := time.Date(2025, 6, 15, 13, 0, 0, 0, time.UTC)
 
 	result, err := service.GetUsageList(usage.GetUsageListOptions{
-		StartedAt: timePtr(startedAt),
-		EndedAt:   timePtr(endedAt),
+		StartedAt: withPtr(startedAt),
+		EndedAt:   withPtr(endedAt),
 	})
 	require.NoError(t, err)
 	require.Len(t, result, 0, "no usages should match a narrow window with no data")
@@ -541,7 +536,6 @@ func TestGetUsageList_TerminationModeFilter(t *testing.T) {
 		usage.TerminationModeNone,
 		usage.TerminationModeBlock,
 		usage.TerminationModeAllow,
-		usage.TerminationModePaused,
 	}
 	dur := 1800
 	for i := range starts {
@@ -558,7 +552,7 @@ func TestGetUsageList_TerminationModeFilter(t *testing.T) {
 	}
 
 	result, err := service.GetUsageList(usage.GetUsageListOptions{
-		TerminationMode: terminationModePtr(usage.TerminationModeBlock),
+		TerminationMode: withPtr(usage.TerminationModeBlock),
 	})
 	require.NoError(t, err)
 	require.Len(t, result, 1, "only blocked items should be returned")
@@ -583,7 +577,7 @@ func TestGetUsageList_TerminationModeFilterNoMatches(t *testing.T) {
 	require.NoError(t, db.Create(&u).Error)
 
 	result, err := service.GetUsageList(usage.GetUsageListOptions{
-		TerminationMode: terminationModePtr(usage.TerminationModeBlock),
+		TerminationMode: withPtr(usage.TerminationModeBlock),
 	})
 	require.NoError(t, err)
 	require.Len(t, result, 0, "no rows should match an unused termination mode")
@@ -619,9 +613,9 @@ func TestGetUsageList_TerminationModeFilterCombinedWithDateRange(t *testing.T) {
 	startedAt := time.Date(2025, 6, 15, 9, 0, 0, 0, time.UTC)
 	endedAt := time.Date(2025, 6, 15, 16, 0, 0, 0, time.UTC)
 	result, err := service.GetUsageList(usage.GetUsageListOptions{
-		StartedAt:       timePtr(startedAt),
-		EndedAt:         timePtr(endedAt),
-		TerminationMode: terminationModePtr(usage.TerminationModeBlock),
+		StartedAt:       withPtr(startedAt),
+		EndedAt:         withPtr(endedAt),
+		TerminationMode: withPtr(usage.TerminationModeBlock),
 	})
 	require.NoError(t, err)
 	require.Len(t, result, 1, "combined filters should return only the matching intersection")
diff --git a/internal/usage/insights_daily_summary.go b/internal/usage/insights_daily_summary.go
index b8df449..ec11cb2 100644
--- a/internal/usage/insights_daily_summary.go
+++ b/internal/usage/insights_daily_summary.go
@@ -10,10 +10,14 @@ import (
 	"strings"
 	"time"
 
-	"google.golang.org/genai"
-
 	apiv1 "github.com/focusd-so/focusd/gen/api/v1"
 	"github.com/focusd-so/focusd/internal/identity"
+	"github.com/focusd-so/focusd/internal/settings"
+	"github.com/tmc/langchaingo/llms"
+	"github.com/tmc/langchaingo/llms/anthropic"
+	"github.com/tmc/langchaingo/llms/googleai"
+	"github.com/tmc/langchaingo/llms/openai"
+	"google.golang.org/api/option"
 )
 
 const (
@@ -51,7 +55,7 @@ OUTPUT (strict JSON, no markdown fences):
 }`
 
 func (s *Service) GenerateLLMDailySummaryIfNeeded(ctx context.Context) error {
-	if s.genaiClient == nil {
+	if !dailySummaryLLMConfigured() {
 		return nil
 	}
 
@@ -123,8 +127,12 @@ func (s *Service) generateDailySummaryForDate(ctx context.Context, date time.Tim
 
 	slog.Info("daily summary generated", "date", dateStr, "headline", summary.Headline)
 
-	if s.onLLMDailySummaryReady != nil && summary.DayVibe != "insufficient-data" {
-		s.onLLMDailySummaryReady(summary)
+	if summary.DayVibe != "insufficient-data" {
+		s.eventsMu.RLock()
+		for _, fn := range s.onLLMDailySummaryReady {
+			fn(summary)
+		}
+		s.eventsMu.RUnlock()
 	}
 
 	return nil
@@ -145,7 +153,7 @@ func (s *Service) computeLLMDaySummaryInput(date time.Time) (LLMDaySummaryInput,
 	var (
 		productiveSecs  int
 		distractiveSecs int
-		contextSwitches int            // productive↔distracting transitions
+		contextSwitches int // productive↔distracting transitions
 		prevClass       Classification
 
 		appProductiveSecs  = make(map[string]int)
@@ -155,7 +163,7 @@ func (s *Service) computeLLMDaySummaryInput(date time.Time) (LLMDaySummaryInput,
 		hourProductiveSecs = make(map[int]int)
 		hourDistractSecs   = make(map[int]int)
 
-		deep    deepWorkTracker      // emits sessions ≥ 25 min
+		deep    deepWorkTracker // emits sessions ≥ 25 min
 		focus   focusStretchTracker
 		cascade cascadeTracker
 	)
@@ -251,7 +259,7 @@ func (s *Service) generateLLMDailySummary(ctx context.Context, input LLMDaySumma
 		return LLMDailySummary{}, fmt.Errorf("failed to marshal input: %w", err)
 	}
 
-	text, err := s.generateDailySummaryWithGemini(ctx, llmDailySummaryPrompt, string(inputJSON))
+	text, err := generateDailySummary(ctx, llmDailySummaryPrompt, string(inputJSON))
 	if err != nil {
 		return LLMDailySummary{}, err
 	}
@@ -273,50 +281,154 @@ func (s *Service) generateLLMDailySummary(ctx context.Context, input LLMDaySumma
 	}, nil
 }
 
-func (s *Service) generateDailySummaryWithGemini(ctx context.Context, systemPrompt, input string) (string, error) {
-	if s.genaiClient == nil {
-		return "", errors.New("genai client not configured")
+func dailySummaryLLMConfigured() bool {
+	switch settings.GetConfig().ClassificationLLMProvider {
+	case settings.LLMProviderGoogle, settings.LLMProviderOpenAI, settings.LLMProviderAnthropic, settings.LLMProviderGroq:
+		return true
+	default:
+		return false
 	}
+}
 
-	// Use a more capable model for summaries since this runs once per day
-	models := map[apiv1.DeviceHandshakeResponse_AccountTier]string{
-		apiv1.DeviceHandshakeResponse_ACCOUNT_TIER_UNSPECIFIED: "gemini-2.5-flash",
-		apiv1.DeviceHandshakeResponse_ACCOUNT_TIER_FREE:        "gemini-2.5-flash",
-		apiv1.DeviceHandshakeResponse_ACCOUNT_TIER_TRIAL:       "gemini-2.5-flash",
-		apiv1.DeviceHandshakeResponse_ACCOUNT_TIER_PLUS:        "gemini-2.5-flash",
-		apiv1.DeviceHandshakeResponse_ACCOUNT_TIER_PRO:         "gemini-2.5-flash",
+func generateDailySummary(ctx context.Context, systemPrompt, input string) (string, error) {
+	switch settings.GetConfig().ClassificationLLMProvider {
+	case settings.LLMProviderGoogle:
+		return generateDailySummaryWithGemini(ctx, systemPrompt, input)
+	case settings.LLMProviderOpenAI:
+		return generateDailySummaryWithOpenAI(ctx, systemPrompt, input)
+	case settings.LLMProviderAnthropic:
+		return generateDailySummaryWithAnthropic(ctx, systemPrompt, input)
+	case settings.LLMProviderGroq:
+		return generateDailySummaryWithGrok(ctx, systemPrompt, input)
+	default:
+		return "", errors.New("unsupported LLM provider")
 	}
+}
 
+func selectDailySummaryModel(models map[apiv1.DeviceHandshakeResponse_AccountTier]string) string {
 	tier := identity.GetAccountTier()
-	model, ok := models[tier]
-	if !ok {
-		model = "gemini-2.5-flash"
-	}
-
-	resp, err := s.genaiClient.Models.GenerateContent(ctx, model, []*genai.Content{
-		{
-			Role: "user",
-			Parts: []*genai.Part{
-				genai.NewPartFromText(input),
-			},
-		},
-	}, &genai.GenerateContentConfig{
-		SystemInstruction: &genai.Content{
-			Parts: []*genai.Part{
-				genai.NewPartFromText(systemPrompt),
-			},
-		},
+	if model, ok := models[tier]; ok {
+		return model
+	}
+
+	slog.Warn("unsupported account tier for daily summary model, using free tier model", "tier", tier)
+
+	if model, ok := models[apiv1.DeviceHandshakeResponse_ACCOUNT_TIER_FREE]; ok {
+		return model
+	}
+
+	return models[apiv1.DeviceHandshakeResponse_ACCOUNT_TIER_UNSPECIFIED]
+}
+
+func generateDailySummaryWithGemini(ctx context.Context, systemPrompt, input string) (string, error) {
+	// Use the strongest current non-reasoning Gemini model.
+	models := map[apiv1.DeviceHandshakeResponse_AccountTier]string{
+		apiv1.DeviceHandshakeResponse_ACCOUNT_TIER_UNSPECIFIED: "gemini-2.5-flash-lite",
+		apiv1.DeviceHandshakeResponse_ACCOUNT_TIER_FREE:        "gemini-2.5-flash-lite",
+		apiv1.DeviceHandshakeResponse_ACCOUNT_TIER_TRIAL:       "gemini-2.5-flash-lite",
+		apiv1.DeviceHandshakeResponse_ACCOUNT_TIER_PLUS:        "gemini-2.5-flash-lite",
+		apiv1.DeviceHandshakeResponse_ACCOUNT_TIER_PRO:         "gemini-2.5-flash-lite",
+	}
+
+	withGoogleAIEndpoint := func(endpoint string) googleai.Option {
+		return func(opts *googleai.Options) {
+			opts.ClientOptions = append(opts.ClientOptions, option.WithEndpoint(endpoint))
+		}
+	}
+
+	model, err := googleai.New(ctx,
+		googleai.WithDefaultModel(selectDailySummaryModel(models)),
+		googleai.WithHTTPClient(newSignedLLMHTTPClient()),
+		withGoogleAIEndpoint(settings.APIBaseURL()+"/api/v1/gemini"),
+	)
+	if err != nil {
+		return "", err
+	}
+
+	return generateDailySummaryWithLLM(ctx, model, systemPrompt, input)
+}
+
+func generateDailySummaryWithOpenAI(ctx context.Context, systemPrompt, input string) (string, error) {
+	models := map[apiv1.DeviceHandshakeResponse_AccountTier]string{
+		apiv1.DeviceHandshakeResponse_ACCOUNT_TIER_UNSPECIFIED: "gpt-4.1",
+		apiv1.DeviceHandshakeResponse_ACCOUNT_TIER_FREE:        "gpt-4.1",
+		apiv1.DeviceHandshakeResponse_ACCOUNT_TIER_TRIAL:       "gpt-4.1",
+		apiv1.DeviceHandshakeResponse_ACCOUNT_TIER_PLUS:        "gpt-4.1",
+		apiv1.DeviceHandshakeResponse_ACCOUNT_TIER_PRO:         "gpt-4.1",
+	}
+
+	model, err := openai.New(
+		openai.WithModel(selectDailySummaryModel(models)),
+		openai.WithToken("stubbed"),
+		openai.WithHTTPClient(newSignedLLMHTTPClient()),
+		openai.WithBaseURL(settings.APIBaseURL()+"/api/v1/openai/v1"),
+	)
+	if err != nil {
+		return "", err
+	}
+
+	return generateDailySummaryWithLLM(ctx, model, systemPrompt, input)
+}
+
+func generateDailySummaryWithAnthropic(ctx context.Context, systemPrompt, input string) (string, error) {
+	models := map[apiv1.DeviceHandshakeResponse_AccountTier]string{
+		apiv1.DeviceHandshakeResponse_ACCOUNT_TIER_UNSPECIFIED: "claude-sonnet-4-5",
+		apiv1.DeviceHandshakeResponse_ACCOUNT_TIER_FREE:        "claude-sonnet-4-5",
+		apiv1.DeviceHandshakeResponse_ACCOUNT_TIER_TRIAL:       "claude-sonnet-4-5",
+		apiv1.DeviceHandshakeResponse_ACCOUNT_TIER_PLUS:        "claude-sonnet-4-5",
+		apiv1.DeviceHandshakeResponse_ACCOUNT_TIER_PRO:         "claude-sonnet-4-5",
+	}
+
+	model, err := anthropic.New(
+		anthropic.WithModel(selectDailySummaryModel(models)),
+		anthropic.WithToken("stubbed"),
+		anthropic.WithHTTPClient(newSignedLLMHTTPClient()),
+		anthropic.WithBaseURL(settings.APIBaseURL()+"/api/v1/anthropic/v1"),
+	)
+	if err != nil {
+		return "", err
+	}
+
+	return generateDailySummaryWithLLM(ctx, model, systemPrompt, input)
+}
+
+func generateDailySummaryWithGrok(ctx context.Context, systemPrompt, input string) (string, error) {
+	models := map[apiv1.DeviceHandshakeResponse_AccountTier]string{
+		apiv1.DeviceHandshakeResponse_ACCOUNT_TIER_UNSPECIFIED: "grok-4.20-beta-latest-non-reasoning",
+		apiv1.DeviceHandshakeResponse_ACCOUNT_TIER_FREE:        "grok-4.20-beta-latest-non-reasoning",
+		apiv1.DeviceHandshakeResponse_ACCOUNT_TIER_TRIAL:       "grok-4.20-beta-latest-non-reasoning",
+		apiv1.DeviceHandshakeResponse_ACCOUNT_TIER_PLUS:        "grok-4.20-beta-latest-non-reasoning",
+		apiv1.DeviceHandshakeResponse_ACCOUNT_TIER_PRO:         "grok-4.20-beta-latest-non-reasoning",
+	}
+
+	model, err := openai.New(
+		openai.WithModel(selectDailySummaryModel(models)),
+		openai.WithToken("stubbed"),
+		openai.WithHTTPClient(newSignedLLMHTTPClient()),
+		openai.WithBaseURL(settings.APIBaseURL()+"/api/v1/grok/v1"),
+	)
+	if err != nil {
+		return "", err
+	}
+
+	return generateDailySummaryWithLLM(ctx, model, systemPrompt, input)
+}
+
+func generateDailySummaryWithLLM(ctx context.Context, model llms.Model, systemPrompt, input string) (string, error) {
+	resp, err := model.GenerateContent(ctx, []llms.MessageContent{
+		llms.TextParts(llms.ChatMessageTypeSystem, systemPrompt),
+		llms.TextParts(llms.ChatMessageTypeHuman, input),
 	})
 	if err != nil {
-		return "", fmt.Errorf("gemini call failed: %w", err)
+		return "", err
 	}
 
-	if len(resp.Candidates) == 0 || len(resp.Candidates[0].Content.Parts) == 0 {
-		return "", errors.New("empty response from Gemini")
+	if len(resp.Choices) == 0 {
+		return "", errors.New("empty response from LLM")
 	}
 
-	text := resp.Candidates[0].Content.Parts[0].Text
-	text = strings.NewReplacer("```json", "", "`", "").Replace(text)
+	text := resp.Choices[0].Content
+	text = strings.NewReplacer("```json", "", "```", "", "`", "").Replace(text)
 
 	return text, nil
 }
diff --git a/internal/usage/protection.go b/internal/usage/protection.go
index 82b6605..7779d72 100644
--- a/internal/usage/protection.go
+++ b/internal/usage/protection.go
@@ -3,7 +3,7 @@ package usage
 import (
 	"context"
 	"fmt"
-	"log/slog"
+	"strings"
 	"time"
 
 	"gorm.io/gorm"
@@ -55,9 +55,11 @@ func (s *Service) PauseProtection(durationSeconds int, reason string) (Protectio
 		return ProtectionPause{}, err
 	}
 
-	if s.onProtectionPaused != nil {
-		s.onProtectionPaused(protectionPause)
+	s.eventsMu.RLock()
+	for _, fn := range s.onProtectionPaused {
+		fn(protectionPause)
 	}
+	s.eventsMu.RUnlock()
 
 	return protectionPause, nil
 }
@@ -99,9 +101,11 @@ func (s *Service) ResumeProtection(reason string) (ProtectionPause, error) {
 		return ProtectionPause{}, err
 	}
 
-	if s.onProtectionResumed != nil {
-		s.onProtectionResumed(protectionPause)
+	s.eventsMu.RLock()
+	for _, fn := range s.onProtectionResumed {
+		fn(protectionPause)
 	}
+	s.eventsMu.RUnlock()
 
 	return protectionPause, nil
 }
@@ -167,21 +171,32 @@ func (s *Service) GetPauseHistory(days int) ([]ProtectionPause, error) {
 //
 // Side effects:
 //   - Creates a ProtectionWhitelist record in the database with expiration timestamp
-func (s *Service) Whitelist(appname string, hostname string, duration time.Duration) error {
-	if duration < 5*time.Minute {
-		return fmt.Errorf("duration must be at least 5 minutes")
+func (s *Service) Whitelist(appname string, url string, duration time.Duration) error {
+	if duration <= 0 {
+		return nil
 	}
 
 	now := time.Now().Unix()
 	expiresAt := now + int64(duration.Seconds())
 
-	if duration == 0 {
-		duration = time.Hour
+	var hostname string
+	if normalized, err := parseURLNormalized(url); err == nil && normalized != nil {
+		hostname = normalized.Hostname()
+	} else if url != "" {
+		hostname = strings.ToLower(strings.TrimSpace(url))
+		hostname = strings.TrimSuffix(hostname, ".")
+		hostname = strings.TrimPrefix(hostname, "www.")
 	}
 
-	// delete any existing whitelist entries for the bundle ID and hostname
-	if err := s.db.Where("app_name = ? AND hostname = ?", appname, hostname).Delete(&ProtectionWhitelist{}).Error; err != nil {
-		return err
+	// delete any existing whitelist entries for the app and hostname
+	if hostname == "" {
+		if err := s.db.Where("app_name = ? AND (hostname IS NULL OR hostname = '')", appname).Delete(&ProtectionWhitelist{}).Error; err != nil {
+			return err
+		}
+	} else {
+		if err := s.db.Where("hostname = ?", hostname).Delete(&ProtectionWhitelist{}).Error; err != nil {
+			return err
+		}
 	}
 
 	whitelist := ProtectionWhitelist{
@@ -271,7 +286,7 @@ func (s *Service) CalculateTerminationMode(ctx context.Context, appUsage *Applic
 
 	if protectionPause.ID > 0 {
 		return TerminationDecision{
-			Mode:      TerminationModePaused,
+			Mode:      TerminationModeAllow,
 			Reasoning: "focus protection has been paused by the user",
 			Source:    TerminationModeSourcePaused,
 		}, nil
@@ -279,7 +294,15 @@ func (s *Service) CalculateTerminationMode(ctx context.Context, appUsage *Applic
 
 	// get all whitelist entries for the bundle ID and hostname
 	var whitelist ProtectionWhitelist
-	if err := s.db.Where("app_name = ? AND expires_at > ?", appUsage.Application.Name, time.Now().Unix()).Limit(1).First(&whitelist).Error; err != nil {
+	hostname := fromPtr(appUsage.Application.Hostname)
+	query := s.db.Where("expires_at > ?", time.Now().Unix())
+	if hostname == "" {
+		query = query.Where("app_name = ? AND (hostname IS NULL OR hostname = '')", appUsage.Application.Name)
+	} else {
+		query = query.Where("(hostname = ? OR hostname = ?)", hostname, "www."+hostname)
+	}
+
+	if err := query.Limit(1).First(&whitelist).Error; err != nil {
 		if err != gorm.ErrRecordNotFound {
 			return TerminationDecision{}, err
 		}
@@ -301,27 +324,16 @@ func (s *Service) CalculateTerminationMode(ctx context.Context, appUsage *Applic
 }
 
 func (s *Service) calculateTerminationModeWithCustomRules(_ context.Context, appUsage *ApplicationUsage) (TerminationDecision, error) {
-	if s.settingsService == nil {
-		slog.Warn("settings service is nil, skipping custom rules termination mode calculation")
-
-		return TerminationDecision{}, nil
-	}
-
 	sandboxCtx := createSandboxContext(appUsage.Application.Name, appUsage.BrowserURL)
 	sandboxCtx.Classification = string(appUsage.Classification)
 
-	// Get the latest custom rules code
-	customRules, err := s.settingsService.GetLatest(settings.SettingsKeyCustomRules)
-	if err != nil {
-		return TerminationDecision{}, err
-	}
-
-	if customRules == nil || customRules.Value == "" {
+	customRules := settings.GetCustomRulesJS()
+	if customRules == "" {
 		return TerminationDecision{Mode: TerminationModeNone}, nil
 	}
 
 	// Create a new sandbox with the custom rules code
-	sb, err := newSandbox(customRules.Value)
+	sb, err := newSandbox(customRules)
 	if err != nil {
 		return TerminationDecision{}, err
 	}
diff --git a/internal/usage/protection_test.go b/internal/usage/protection_test.go
index df8bbab..f88b936 100644
--- a/internal/usage/protection_test.go
+++ b/internal/usage/protection_test.go
@@ -5,11 +5,11 @@ import (
 	"testing"
 	"time"
 
+	"github.com/spf13/viper"
 	"github.com/stretchr/testify/require"
 	"gorm.io/driver/sqlite"
 	"gorm.io/gorm"
 
-	"github.com/focusd-so/focusd/internal/settings"
 	"github.com/focusd-so/focusd/internal/usage"
 )
 
@@ -79,23 +79,23 @@ func TestProtection_PauseProtectionEventsFired(t *testing.T) {
 		onProtectionResumedCalled = false
 	)
 
-	service, _ := setUpService(
-		t,
-		usage.WithProtectionPaused(func(pause usage.ProtectionPause) {
-			onProtectionPausedCalled = true
-			require.NotEqual(t, int64(0), pause.ResumedAt)
-			// this will still be initial requested duration
-			require.Equal(t, 10, pause.ActualDurationSeconds)
-			require.Equal(t, "protection paused for 10s expired", pause.ResumedReason)
-		}),
-		usage.WithProtectionResumed(func(pause usage.ProtectionPause) {
-			onProtectionResumedCalled = true
-			require.NotEqual(t, int64(0), pause.ResumedAt)
-			// this is the actual duration calculated after the resume
-			require.Equal(t, 3, pause.ActualDurationSeconds)
-			require.Equal(t, "just because", pause.ResumedReason)
-		}),
-	)
+	service, _ := setUpService(t)
+
+	service.OnProtectionPause(func(pause usage.ProtectionPause) {
+		onProtectionPausedCalled = true
+		require.NotEqual(t, int64(0), pause.ResumedAt)
+		// this will still be initial requested duration
+		require.Equal(t, 10, pause.ActualDurationSeconds)
+		require.Equal(t, "protection paused for 10s expired", pause.ResumedReason)
+	})
+
+	service.OnProtectionResumed(func(pause usage.ProtectionPause) {
+		onProtectionResumedCalled = true
+		require.NotEqual(t, int64(0), pause.ResumedAt)
+		// this is the actual duration calculated after the resume
+		require.Equal(t, 3, pause.ActualDurationSeconds)
+		require.Equal(t, "just because", pause.ResumedReason)
+	})
 
 	_, err := service.PauseProtection(10, "test")
 
@@ -163,7 +163,8 @@ func TestProtection_Whitelist_CreatesEntry(t *testing.T) {
 	require.NoError(t, err)
 
 	require.Equal(t, "/usr/bin/app", entry.AppName)
-	require.Equal(t, "example.com", entry.Hostname)
+	require.NotNil(t, entry.Hostname)
+	require.Equal(t, "example.com", *entry.Hostname)
 	require.InDelta(t, time.Now().Add(30*time.Minute).Unix(), entry.ExpiresAt, 5)
 }
 
@@ -184,10 +185,24 @@ func TestProtection_Whitelist_ReplacesExistingEntry(t *testing.T) {
 
 	require.Len(t, entries, 1)
 	require.Equal(t, "/usr/bin/app", entries[0].AppName)
-	require.Equal(t, "example.com", entries[0].Hostname)
+	require.NotNil(t, entries[0].Hostname)
+	require.Equal(t, "example.com", *entries[0].Hostname)
 	require.InDelta(t, time.Now().Add(1*time.Hour).Unix(), entries[0].ExpiresAt, 5)
 }
 
+func TestProtection_Whitelist_NormalizesWWW(t *testing.T) {
+	service, db := setUpService(t)
+
+	err := service.Whitelist("Google Chrome", "www.youtube.com", 30*time.Minute)
+	require.NoError(t, err)
+
+	var entry usage.ProtectionWhitelist
+	err = db.First(&entry).Error
+	require.NoError(t, err)
+	require.NotNil(t, entry.Hostname)
+	require.Equal(t, "youtube.com", *entry.Hostname)
+}
+
 func TestProtection_Whitelist_ZeroDurationBug(t *testing.T) {
 	service, _ := setUpService(t)
 
@@ -269,19 +284,11 @@ func TestProtection_RemoveWhitelist_NonExistentID(t *testing.T) {
 func setUpServiceWithSettings(t *testing.T, customRules string) (*usage.Service, *gorm.DB) {
 	t.Helper()
 
-	db, _ := gorm.Open(sqlite.Open(":memory:"), &gorm.Config{})
+	db, _ := gorm.Open(sqlite.Open(memoryDSN(t)), &gorm.Config{})
 
-	settingsService, err := settings.NewService(db, "test")
-	require.NoError(t, err)
+	viper.SetDefault("custom_rules_js", []string{customRules})
 
-	err = settingsService.Save(settings.SettingsKeyCustomRules, customRules)
-	require.NoError(t, err)
-
-	service, err := usage.NewService(
-		context.Background(),
-		db,
-		usage.WithSettingsService(settingsService),
-	)
+	service, err := usage.NewService(context.Background(), db)
 	require.NoError(t, err)
 
 	return service, db
@@ -424,7 +431,7 @@ func TestProtection_CalculateTerminationMode_ProtectionPaused(t *testing.T) {
 		Application:    usage.Application{Name: "YouTube"},
 	})
 	require.NoError(t, err)
-	require.Equal(t, usage.TerminationModePaused, decision.Mode)
+	require.Equal(t, usage.TerminationModeAllow, decision.Mode)
 	require.Equal(t, usage.TerminationModeSourcePaused, decision.Source)
 	require.Equal(t, "focus protection has been paused by the user", decision.Reasoning)
 }
@@ -436,10 +443,9 @@ func TestProtection_AllowedByWhitelist(t *testing.T) {
 		err := service.Whitelist("/usr/bin/app", "", 30*time.Minute)
 		require.NoError(t, err)
 
-		emptyHostname := ""
 		decision, err := service.CalculateTerminationMode(context.Background(), &usage.ApplicationUsage{
 			Classification: usage.ClassificationDistracting,
-			Application:    usage.Application{Hostname: &emptyHostname},
+			Application:    usage.Application{Name: "/usr/bin/app"},
 		})
 		require.NoError(t, err)
 		require.Equal(t, usage.TerminationModeAllow, decision.Mode)
@@ -456,11 +462,58 @@ func TestProtection_AllowedByWhitelist(t *testing.T) {
 		hostname := "example.com"
 		decision, err := service.CalculateTerminationMode(context.Background(), &usage.ApplicationUsage{
 			Classification: usage.ClassificationDistracting,
-			Application:    usage.Application{Hostname: &hostname},
+			Application:    usage.Application{Name: "/usr/bin/app", Hostname: &hostname},
 		})
 		require.NoError(t, err)
 		require.Equal(t, usage.TerminationModeAllow, decision.Mode)
 		require.Equal(t, usage.TerminationModeSourceWhitelist, decision.Source)
 		require.Equal(t, "temporarily allowed usage by user", decision.Reasoning)
 	})
+
+	t.Run("does not allow other hostnames in same browser", func(t *testing.T) {
+		service, _ := setUpService(t)
+
+		err := service.Whitelist("Google Chrome", "www.amazon.com", 30*time.Minute)
+		require.NoError(t, err)
+
+		youtube := "youtube.com"
+		decision, err := service.CalculateTerminationMode(context.Background(), &usage.ApplicationUsage{
+			Classification: usage.ClassificationDistracting,
+			Application:    usage.Application{Name: "Google Chrome", Hostname: &youtube},
+		})
+		require.NoError(t, err)
+		require.Equal(t, usage.TerminationModeBlock, decision.Mode)
+		require.Equal(t, usage.TerminationModeSourceApplication, decision.Source)
+	})
+
+	t.Run("strips www when evaluating whitelist", func(t *testing.T) {
+		service, _ := setUpService(t)
+
+		err := service.Whitelist("Google Chrome", "www.youtube.com", 30*time.Minute)
+		require.NoError(t, err)
+
+		hostname := "youtube.com"
+		decision, err := service.CalculateTerminationMode(context.Background(), &usage.ApplicationUsage{
+			Classification: usage.ClassificationDistracting,
+			Application:    usage.Application{Name: "Google Chrome", Hostname: &hostname},
+		})
+		require.NoError(t, err)
+		require.Equal(t, usage.TerminationModeAllow, decision.Mode)
+		require.Equal(t, usage.TerminationModeSourceWhitelist, decision.Source)
+	})
+
+	t.Run("subdomains remain distinct", func(t *testing.T) {
+		service, _ := setUpService(t)
+
+		err := service.Whitelist("Google Chrome", "mail.google.com", 30*time.Minute)
+		require.NoError(t, err)
+
+		drive := "drive.google.com"
+		decision, err := service.CalculateTerminationMode(context.Background(), &usage.ApplicationUsage{
+			Classification: usage.ClassificationDistracting,
+			Application:    usage.Application{Name: "Google Chrome", Hostname: &drive},
+		})
+		require.NoError(t, err)
+		require.Equal(t, usage.TerminationModeBlock, decision.Mode)
+	})
 }
diff --git a/internal/usage/sandbox.go b/internal/usage/sandbox.go
index 251ede2..543a734 100644
--- a/internal/usage/sandbox.go
+++ b/internal/usage/sandbox.go
@@ -24,26 +24,6 @@ type terminationDecision struct {
 	TerminationReasoning string `json:"terminationReasoning"`
 }
 
-// sandboxContext provides context for the current rule execution including usage data and helper functions
-type sandboxContext struct {
-	// Input data
-	AppName string `json:"appName"`
-
-	Hostname       string `json:"hostname"`
-	Path           string `json:"path"`
-	Domain         string `json:"domain"`
-	URL            string `json:"url"`
-	Classification string `json:"classification"`
-
-	// Helper pre-computed values
-	MinutesSinceLastBlock     *int `json:"minutesSinceLastBlock"`
-	MinutesUsedSinceLastBlock *int `json:"minutesUsedSinceLastBlock"`
-
-	// Helper functions
-	Now                 func(loc *time.Location) time.Time                                    `json:"-"`
-	MinutesUsedInPeriod func(bundleID, hostname string, durationMinutes int64) (int64, error) `json:"-"`
-}
-
 // sandbox executes user-defined JavaScript rules using V8
 type sandbox struct {
 	isolate *v8.Isolate
diff --git a/internal/usage/sandbox_context.go b/internal/usage/sandbox_context.go
new file mode 100644
index 0000000..c163367
--- /dev/null
+++ b/internal/usage/sandbox_context.go
@@ -0,0 +1,91 @@
+package usage
+
+import (
+	"time"
+
+	"golang.org/x/net/publicsuffix"
+)
+
+// sandboxContext provides context for the current rule execution including usage data and helper functions
+type sandboxContext struct {
+	// Input data
+	AppName string `json:"appName"`
+	Title   string `json:"title"`
+
+	Hostname       string `json:"hostname"`
+	Path           string `json:"path"`
+	Domain         string `json:"domain"`
+	URL            string `json:"url"`
+	Classification string `json:"classification"`
+
+	// Helper pre-computed values
+	MinutesSinceLastBlock     *int `json:"minutesSinceLastBlock"`
+	MinutesUsedSinceLastBlock *int `json:"minutesUsedSinceLastBlock"`
+
+	// Helper functions
+	Now                 func(loc *time.Location) time.Time                                    `json:"-"`
+	MinutesUsedInPeriod func(bundleID, hostname string, durationMinutes int64) (int64, error) `json:"-"`
+}
+
+type sandboxContextOption func(*sandboxContext)
+
+func WithAppNameContext(appName string) sandboxContextOption {
+	return func(ctx *sandboxContext) {
+		ctx.AppName = appName
+	}
+}
+
+func WithWindowTitleContext(title string) sandboxContextOption {
+	return func(ctx *sandboxContext) {
+		ctx.Title = title
+	}
+}
+
+func WithBrowserURLContext(url string) sandboxContextOption {
+	return func(ctx *sandboxContext) {
+		ctx.URL = url
+
+		u, err := parseURLNormalized(url)
+		if err == nil {
+			ctx.Hostname = u.Hostname()
+			ctx.Path = u.Path
+			ctx.Domain, _ = publicsuffix.EffectiveTLDPlusOne(u.Hostname())
+		}
+	}
+}
+
+func WithNowContext(now time.Time) sandboxContextOption {
+	return func(ctx *sandboxContext) {
+		ctx.Now = func(loc *time.Location) time.Time {
+			return now.In(loc)
+		}
+	}
+}
+
+func WithMinutesUsedInPeriodContext(minutesUsedInPeriod func(bundleID, hostname string, durationMinutes int64) (int64, error)) sandboxContextOption {
+	return func(ctx *sandboxContext) {
+		ctx.MinutesUsedInPeriod = minutesUsedInPeriod
+	}
+}
+
+func WithMinutesSinceLastBlockContext(minutesSinceLastBlock int) sandboxContextOption {
+	return func(ctx *sandboxContext) {
+		ctx.MinutesSinceLastBlock = &minutesSinceLastBlock
+	}
+}
+
+func WithMinutesUsedSinceLastBlockContext(minutesUsedSinceLastBlock int) sandboxContextOption {
+	return func(ctx *sandboxContext) {
+		ctx.MinutesUsedSinceLastBlock = &minutesUsedSinceLastBlock
+	}
+}
+
+func NewSandboxContext(opts ...sandboxContextOption) sandboxContext {
+	ctx := sandboxContext{}
+
+	for _, opt := range opts {
+		opt(&ctx)
+	}
+
+	return ctx
+}
diff --git a/internal/usage/service.go b/internal/usage/service.go
index e12d955..7421385 100644
--- a/internal/usage/service.go
+++ b/internal/usage/service.go
@@ -7,33 +7,25 @@ import (
 	"sync"
 	"time"
 
-	"google.golang.org/genai"
 	"gorm.io/gorm"
-
-	"github.com/focusd-so/focusd/internal/settings"
 )
 
 type Service struct {
 	// external services and dependencies
-	db          *gorm.DB
-	genaiClient *genai.Client
-
-	// internal services and dependencies
-	settingsService *settings.Service
+	db *gorm.DB
 
 	appBlocker func(appName, title, reason string, tags []string, browserURL *string)
 
 	// events
-	onProtectionPaused     func(pause ProtectionPause)
-	onProtectionResumed    func(pause ProtectionPause)
-	onLLMDailySummaryReady func(summary LLMDailySummary)
+	eventsMu               sync.RWMutex
+	onProtectionPaused     []func(pause ProtectionPause)
+	onProtectionResumed    []func(pause ProtectionPause)
+	onLLMDailySummaryReady []func(summary LLMDailySummary)
+	onUsageUpdated         []func(usage *ApplicationUsage)
 
 	// mu serializes title change processing to prevent race conditions
 	// when multiple events fire concurrently
 	mu sync.Mutex
-
-	// channel to receive usage updates
-	UsageUpdates chan *ApplicationUsage
 }
 
 func NewService(ctx context.Context, db *gorm.DB, options ...Option) (*Service, error) {
@@ -49,10 +41,7 @@ func NewService(ctx context.Context, db *gorm.DB, options ...Option) (*Service,
 		return nil, fmt.Errorf("failed to migrate usage tables: %w", err)
 	}
 
-	service := &Service{
-		db:           db,
-		UsageUpdates: make(chan *ApplicationUsage, 10), // buffer of 10 to prevent blocking
-	}
+	service := &Service{db: db}
 
 	for _, option := range options {
 		option(service)
diff --git a/internal/usage/service_events.go b/internal/usage/service_events.go
new file mode 100644
index 0000000..3c589c4
--- /dev/null
+++ b/internal/usage/service_events.go
@@ -0,0 +1,29 @@
+package usage
+
+// OnUsageUpdated subscribes a callback to the usage updated event.
+func (s *Service) OnUsageUpdated(fn func(usage *ApplicationUsage)) {
+	s.eventsMu.Lock()
+	defer s.eventsMu.Unlock()
+	s.onUsageUpdated = append(s.onUsageUpdated, fn)
+}
+
+// OnLLMDailySummaryReady subscribes a callback to the daily summary ready event.
+func (s *Service) OnLLMDailySummaryReady(fn func(summary LLMDailySummary)) {
+	s.eventsMu.Lock()
+	defer s.eventsMu.Unlock()
+	s.onLLMDailySummaryReady = append(s.onLLMDailySummaryReady, fn)
+}
+
+// OnProtectionPause subscribes a callback to the protection paused event.
+func (s *Service) OnProtectionPause(fn func(pause ProtectionPause)) {
+	s.eventsMu.Lock()
+	defer s.eventsMu.Unlock()
+	s.onProtectionPaused = append(s.onProtectionPaused, fn)
+}
+
+// OnProtectionResumed subscribes a callback to the protection resumed event.
+func (s *Service) OnProtectionResumed(fn func(pause ProtectionPause)) {
+	s.eventsMu.Lock()
+	defer s.eventsMu.Unlock()
+	s.onProtectionResumed = append(s.onProtectionResumed, fn)
+}
diff --git a/internal/usage/service_option.go b/internal/usage/service_option.go
index bd01b49..93ee565 100644
--- a/internal/usage/service_option.go
+++ b/internal/usage/service_option.go
@@ -1,54 +1,4 @@
 package usage
 
-import (
-	"google.golang.org/genai"
-
-	"github.com/focusd-so/focusd/internal/settings"
-)
-
 // Option is a function that configures a Service.
 type Option func(*Service)
-
-// WithAppBlocker configures the Service with a function to call when an application is blocked.
-func WithAppBlocker(appBlocker func(appName, title, reason string, tags []string, browserURL *string)) Option {
-	return func(s *Service) {
-		s.appBlocker = appBlocker
-	}
-}
-
-// WithSettingsService configures the Service with a SettingsService interface
-// to allow accessing settings from the database.
-func WithSettingsService(settingsService *settings.Service) Option {
-	return func(s *Service) {
-		s.settingsService = settingsService
-	}
-}
-
-// WithGenaiClient configures the Service with a GenaiClient interface
-// to allow using the Genai client.
-func WithGenaiClient(genaiClient *genai.Client) Option {
-	return func(s *Service) {
-		s.genaiClient = genaiClient
-	}
-}
-
-// WithProtectionPaused configures the Service with a function to call when protection is paused.
-func WithProtectionPaused(onProtectionPaused func(pause ProtectionPause)) Option {
-	return func(s *Service) {
-		s.onProtectionPaused = onProtectionPaused
-	}
-}
-
-// WithProtectionResumed configures the Service with a function to call when protection is resumed.
-func WithProtectionResumed(onProtectionResumed func(pause ProtectionPause)) Option {
-	return func(s *Service) {
-		s.onProtectionResumed = onProtectionResumed
-	}
-}
-
-// WithLLMDailySummaryReady configures the Service with a function to call when a daily LLM summary is generated.
-func WithLLMDailySummaryReady(fn func(summary LLMDailySummary)) Option {
-	return func(s *Service) {
-		s.onLLMDailySummaryReady = fn
-	}
-}
diff --git a/internal/usage/service_usage.go b/internal/usage/service_usage.go
index 5395358..0398841 100644
--- a/internal/usage/service_usage.go
+++ b/internal/usage/service_usage.go
@@ -19,200 +19,141 @@ import (
 )
 
 // IdleChanged is called when the idle state of the user changes (e.g. user starts or stops using the computer)
-func (s *Service) IdleChanged(ctx context.Context, isIdle bool) error {
+// When idle changes one of the following can happen:
+//   - if user has been idle and idle triggers again, keep the current idle usage open to ensure idempotency
+//   - if user has not been idle and idle triggers, close the current application usage and open a new idle usage
+//   - if user has been idle and idle stops, no direct usage change is performed here; the next TitleChanged event closes idle
+func (s *Service) IdleChanged(ctx context.Context, isIdle bool) (*ApplicationUsage, error) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 
 	if isIdle {
-		// close only non-idle application usage (leave any existing idle usage open)
-		var currentUsage ApplicationUsage
-		err := s.db.Preload("Application").
-			Joins("LEFT JOIN application ON application.id = application_usage.application_id").
-			Where("application_usage.ended_at IS NULL AND (application.name IS NULL OR application.name != ?)", IdleApplicationName).
-			Limit(1).Order("application_usage.started_at DESC").
-			First(&currentUsage).Error
-		if err != nil && err != gorm.ErrRecordNotFound {
-			return fmt.Errorf("failed to find current application usage: %w", err)
-		}
-		if currentUsage.ID > 0 {
-			if err := s.closeApplicationUsage(&currentUsage); err != nil {
-				return fmt.Errorf("failed to close current application usage: %w", err)
-			}
-		}
-
-		// check if there is already an open idle usage
-		var existingIdleUsage ApplicationUsage
-		err = s.db.Joins("Application").
-			Where("application.name = ? AND application_usage.ended_at IS NULL", IdleApplicationName).
-			Limit(1).Order("application_usage.started_at DESC").
-			First(&existingIdleUsage).Error
-		if err != nil && err != gorm.ErrRecordNotFound {
-			return fmt.Errorf("failed to find current idle usage: %w", err)
-		}
-
-		// if there is an open idle usage, let it continue
-		if existingIdleUsage.ID > 0 {
-			return nil
-		}
-
-		// get or create the Idle application
-		var idleApp Application
-		if err := s.db.Where("name = ?", IdleApplicationName).First(&idleApp).Error; err != nil {
-			if err == gorm.ErrRecordNotFound {
-				idleApp = Application{Name: IdleApplicationName}
-				if err := s.db.Create(&idleApp).Error; err != nil {
-					return fmt.Errorf("failed to create idle application: %w", err)
-				}
-			} else {
-				return fmt.Errorf("failed to find idle application: %w", err)
-			}
-		}
-
-		// create a new idle usage
-		idleUsage := &ApplicationUsage{
-			ApplicationID:   idleApp.ID,
-			StartedAt:       time.Now().Unix(),
-			Classification:  ClassificationNone,
-			TerminationMode: TerminationModeNone,
-			WindowTitle:     IdleApplicationName,
-			ExecutablePath:  "idle",
-		}
-		if err := s.db.Create(idleUsage).Error; err != nil {
-			return fmt.Errorf("failed to create idle usage: %w", err)
+		application, err := s.getOrCreateApplication(ctx, IdleApplicationName, "", nil, nil, nil)
+		if err != nil {
+			return nil, fmt.Errorf("failed to get or create application: %w", err)
 		}
 
-	} else {
-		// close the current idle usage
-		if err := s.closeCurrentIdleUsage(); err != nil {
-			return fmt.Errorf("failed to close current idle usage: %w", err)
-		}
+		return s.usageChanged(ctx, application.NewUsage("", nil))
 	}
 
-	return nil
+	return nil, nil
 }
 
 // TitleChanged is called when the title of the current application changes,
 // whether it's a new application or the same application title has changed
-func (s *Service) TitleChanged(ctx context.Context, executablePath, windowTitle, appName, icon string, bundleID, url, appCategory *string) error {
+func (s *Service) TitleChanged(ctx context.Context, executablePath, windowTitle, appName, icon string, bundleID, browserURL, appCategory *string) (*ApplicationUsage, error) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 
-	// check if the current application is the same
-	currentApplicationUsage, err := s.getCurrentApplicationUsage()
-	if err != nil {
-		return fmt.Errorf("failed to find current application usage: %w", err)
+	var normalizedBrowserURL *string
+	if browserURL != nil {
+		parsed, _ := parseURLNormalized(fromPtr(browserURL))
+		normalizedBrowserURL = withPtr(parsed.String())
 	}
 
-	// if the current application is the same, let it continue
-	if currentApplicationUsage != nil && currentApplicationUsage.Same(windowTitle, appName, bundleID, url) {
-		return nil
+	application, err := s.getOrCreateApplication(ctx, appName, icon, bundleID, normalizedBrowserURL, appCategory)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get or create application: %w", err)
 	}
 
-	// if new application usage is detected close the current application usage before creating a new one
-	if err := s.closeApplicationUsage(currentApplicationUsage); err != nil {
-		return fmt.Errorf("failed to close current application usage: %w", err)
-	}
+	usage, err := s.usageChanged(ctx, application.NewUsage(windowTitle, normalizedBrowserURL))
+
+	return usage, err
+}
 
-	application, err := s.getOrCreateApplication(ctx, appName, icon, bundleID, url, appCategory)
+func (s *Service) usageChanged(ctx context.Context, usage ApplicationUsage) (*ApplicationUsage, error) {
+	currentApplicationUsage, err := s.getCurrentApplicationUsage()
 	if err != nil {
-		return fmt.Errorf("failed to get or create application: %w", err)
+		return nil, fmt.Errorf("failed to find current application usage: %w", err)
 	}
 
-	applicationUsage := ApplicationUsage{
-		ExecutablePath: executablePath,
-		WindowTitle:    windowTitle,
-		BrowserURL:     url,
-		StartedAt:      time.Now().Unix(),
-
-		Application: application,
-	}
+	// if the current application and new application usage are the same,
+	// no additional action, let the current application usage continue
+	if currentApplicationUsage.Same(usage) {
+		usage = currentApplicationUsage
+	} else {
+		// if new application usage is detected close the current application usage before creating a new one
+		if err := s.closeApplicationUsage(&currentApplicationUsage); err != nil {
+			return nil, fmt.Errorf("failed to close current application usage: %w", err)
+		}
 
-	if s.UsageUpdates != nil {
-		s.UsageUpdates <- &applicationUsage
+		if err := s.saveApplicationUsage(&usage); err != nil {
+			return nil, fmt.Errorf("failed to save application usage: %w", err)
+		}
 	}
 
-	// save the application usage
-	if err := s.db.Save(&applicationUsage).Error; err != nil {
-		return fmt.Errorf("failed to save application usage: %w", err)
+	if usage.Application.Name == IdleApplicationName {
+		return &usage, nil
 	}
 
-	classification, err := s.classifyApplicationUsage(ctx, &applicationUsage)
+	classification, err := s.classifyApplicationUsage(ctx, &usage)
 	if err != nil {
 		errMsg := err.Error()
-		applicationUsage.ClassificationError = &errMsg
-		applicationUsage.Classification = ClassificationNone
+		usage.ClassificationError = &errMsg
+		usage.Classification = ClassificationNone
 	} else if classification != nil {
-		applicationUsage.Classification = classification.Classification
-		applicationUsage.ClassificationSource = &classification.ClassificationSource
-		applicationUsage.ClassificationReasoning = &classification.Reasoning
-		applicationUsage.ClassificationConfidence = &classification.ConfidenceScore
+		usage.Classification = classification.Classification
+		usage.ClassificationSource = &classification.ClassificationSource
+		usage.ClassificationReasoning = &classification.Reasoning
+		usage.ClassificationConfidence = &classification.ConfidenceScore
 
-		if classification.DetectedProject != "" {
-			applicationUsage.DetectedProject = &classification.DetectedProject
-		}
-		if classification.DetectedCommunicationChannel != "" {
-			applicationUsage.DetectedCommunicationChannel = &classification.DetectedCommunicationChannel
-		}
-		applicationUsage.Tags = make([]ApplicationUsageTags, len(classification.Tags))
+		classification.DetectedProject = fromPtr(usage.DetectedProject)
+		classification.DetectedCommunicationChannel = fromPtr(usage.DetectedCommunicationChannel)
+
+		usage.Tags = make([]ApplicationUsageTags, len(classification.Tags))
 		for i, tag := range classification.Tags {
-			applicationUsage.Tags[i] = ApplicationUsageTags{
+			usage.Tags[i] = ApplicationUsageTags{
 				Tag: tag,
 			}
 		}
 
-		if classification.SandboxContext != "" {
-			applicationUsage.SandboxContext = &classification.SandboxContext
-		}
-		if classification.SandboxResponse != nil {
-			applicationUsage.SandboxResponse = classification.SandboxResponse
-		}
-		if classification.SandboxLogs != "" {
-			applicationUsage.SandboxLogs = &classification.SandboxLogs
-		}
+		usage.SandboxContext = withPtr(classification.SandboxContext)
+		usage.SandboxResponse = classification.SandboxResponse
+		usage.SandboxLogs = withPtr(classification.SandboxLogs)
 	}
 
 	// calculate termination mode.
-	terminationMode, err := s.CalculateTerminationMode(ctx, &applicationUsage)
+	terminationMode, err := s.CalculateTerminationMode(ctx, &usage)
 	if err != nil {
 		termErr := err.Error()
-		applicationUsage.TerminationMode = TerminationModeNone
-		applicationUsage.TerminationError = &termErr
+		usage.TerminationMode = TerminationModeNone
+		usage.TerminationError = &termErr
 	}
 
-	applicationUsage.TerminationMode = terminationMode.Mode
+	usage.TerminationMode = terminationMode.Mode
+	usage.TerminationReasoning = withPtr(terminationMode.Reasoning)
+	usage.TerminationSource = withPtr(terminationMode.Source)
 
-	if terminationMode.Reasoning != "" {
-		applicationUsage.TerminationReasoning = &terminationMode.Reasoning
-	}
-	if terminationMode.Source != "" {
-		applicationUsage.TerminationSource = &terminationMode.Source
-	}
-
-	if err := s.db.Save(&applicationUsage).Error; err != nil {
-		return fmt.Errorf("failed to save application usage: %w", err)
+	if err := s.db.Save(&usage).Error; err != nil {
+		return nil, fmt.Errorf("failed to save application usage: %w", err)
 	}
 
-	if applicationUsage.TerminationMode == TerminationModeBlock {
-		termReason := ""
-		if applicationUsage.ClassificationReasoning != nil {
-			termReason = *applicationUsage.ClassificationReasoning
+	if usage.TerminationMode == TerminationModeBlock {
+		if err := s.closeApplicationUsage(&usage); err != nil {
+			return nil, fmt.Errorf("failed to close application usage: %w", err)
 		}
+	}
 
-		tags := ApplicationTagsSlice(applicationUsage.Tags).Tags()
+	return &usage, s.saveApplicationUsage(&usage)
+}
 
-		s.appBlocker(applicationUsage.Application.Name, applicationUsage.WindowTitle, termReason, tags, applicationUsage.BrowserURL)
+func (s *Service) saveApplicationUsage(applicationUsage *ApplicationUsage) error {
+	if err := s.db.Save(applicationUsage).Error; err != nil {
+		return fmt.Errorf("failed to save application usage: %w", err)
 	}
 
-	if s.UsageUpdates != nil {
-		s.UsageUpdates <- &applicationUsage
+	s.eventsMu.RLock()
+	for _, fn := range s.onUsageUpdated {
+		fn(applicationUsage)
 	}
+	s.eventsMu.RUnlock()
 
 	return nil
 }
 
 func (s *Service) classifyApplicationUsage(ctx context.Context, applicationUsage *ApplicationUsage) (*ClassificationResponse, error) {
 	// Do sandbox classification first, eg user defined custom rules
-	customRulesResp, err := s.ClassifyCustomRules(ctx, applicationUsage.Application.Name, applicationUsage.BrowserURL, nil)
+	customRulesResp, err := s.ClassifyCustomRules(ctx, WithAppNameContext(applicationUsage.Application.Name), WithWindowTitleContext(applicationUsage.WindowTitle), WithBrowserURLContext(fromPtr(applicationUsage.BrowserURL)))
 	if err != nil {
 		return nil, fmt.Errorf("failed to classify application usage with custom rules: %w", err)
 	}
@@ -258,79 +199,53 @@ func (s *Service) classifyApplicationUsage(ctx context.Context, applicationUsage
 
 // getOrCreateApplication retrieves an existing application from the database or creates a new one.
 //
-// This function handles two distinct types of applications:
-//
-// 1. Web Applications (when rawURL is provided):
-//   - Parses the URL to extract the hostname (e.g., "www.example.com")
-//   - Looks up the application by hostname in the database
-//   - If not found, creates a new Application record with the hostname
-//   - Extracts the effective domain (TLD+1) using public suffix list
-//     (e.g., "example.com" from "sub.example.com")
-//   - Fetches the favicon from Google's favicon service if icon is not already set
-//   - Saves and returns the application
-//
-// 2. Native Applications (when rawURL is nil):
-//   - Looks up the application by executable path in the database
-//   - If not found, creates a new Application record with the executable path
-//   - Uses the provided icon directly (typically from the OS)
-//   - Saves and returns the application
+// The lookup identity is unified for both web and native applications:
+//   - name + normalized hostname when rawURL resolves to a hostname
+//   - name + hostname IS NULL for native applications
 //
-// Parameters:
-//   - ctx: Context for cancellation and timeout control (used for favicon fetching)
-//   - name: Display name of the application (e.g., "Safari", "Google Chrome")
-//   - icon: Base64-encoded icon data for native apps (ignored for web apps)
-//   - bundleID: Optional macOS bundle identifier (e.g., "com.apple.Safari")
-//   - rawURL: Optional URL for web applications; if nil, treated as native app
+// For web applications, hostname and effective domain (TLD+1) are stored and a favicon
+// is fetched when no icon is currently stored. For native applications, no hostname is set.
 //
-// Returns:
-//   - Application: The found or newly created application record
-//   - error: Any error encountered during database operations or favicon fetching
+// Icon resolution order:
+//   - keep existing stored icon when present
+//   - for web apps, fallback to fetched favicon
+//   - otherwise use provided icon
 func (s *Service) getOrCreateApplication(ctx context.Context, name, icon string, bundleID, rawURL, appCategory *string) (Application, error) {
-	// Handle web applications (browser tabs with URLs)
+	var application Application
+	var hostname *string
 
-	rawURLValue := fromPtr(rawURL)
+	if rawURL != nil {
+		u, _ := parseURLNormalized(*rawURL)
 
-	if rawURLValue != "" {
-		// Extract hostname from the URL (e.g., "www.google.com" from "https://www.google.com/search?q=...")
-		u, err := url.Parse(rawURLValue)
-		if err != nil {
-			slog.Warn("failed to parse URL", "error", err)
-		}
-
-		hostname := u.Hostname()
+		hostname = withPtr(u.Hostname())
+	}
 
-		// Attempt to find an existing application record by hostname.
-		// Web apps are uniquely identified by hostname, so all tabs from the same
-		// site (e.g., multiple Google tabs) share the same Application record.
-		var (
-			application Application
-			query       = s.db.Where("(hostname = ? OR hostname IS NULL) AND name = ?", hostname, name)
-		)
+	query := s.db.Where("name = ?", name)
+	if hostname != nil {
+		query = query.Where("hostname = ?", *hostname)
+	} else {
+		query = query.Where("hostname IS NULL")
+	}
 
-		if err := query.First(&application).Error; err != nil {
-			slog.Warn("failed to find application by hostname", "error", err)
-		}
+	if err := query.First(&application).Error; err != nil {
+		slog.Warn("failed to find application by identity", "error", err)
+	}
 
-		// If no existing application found, create a new one with the provided metadata
-		if application.ID == 0 {
-			application = Application{Name: name, BundleID: bundleID}
-		}
+	if application.ID == 0 {
+		application = Application{Name: name, BundleID: bundleID}
+	}
 
-		if hostname != "" {
-			application.Hostname = &hostname
+	if hostname != nil {
+		application.Hostname = hostname
 
-			// Extract the effective domain (TLD+1) if not already set.
-			// This normalizes subdomains: "mail.google.com" and "docs.google.com" both become "google.com".
-			// Useful for grouping related sites and aggregating usage statistics.
-			domain, _ := publicsuffix.EffectiveTLDPlusOne(hostname)
-			if domain != "" {
-				application.Domain = &domain
-			}
+		// This normalizes subdomains: "mail.google.com" and "docs.google.com" both become "google.com".
+		domain, _ := publicsuffix.EffectiveTLDPlusOne(*hostname)
+		if domain != "" {
+			application.Domain = &domain
 		}
 
-		// Fetch favicon if icon is empty or very small (old 16x16 ICO format, typically <500 chars base64)
 		if application.Icon == nil {
-			appIcon, err := fetchFavicon(ctx, fmt.Sprintf("https://%s", hostname))
+			appIcon, err := fetchFavicon(ctx, fmt.Sprintf("https://%s", *hostname))
 			if err != nil {
 				slog.Warn("failed to fetch app icon", "error", err)
 			}
@@ -339,42 +254,14 @@ func (s *Service) getOrCreateApplication(ctx context.Context, name, icon string,
 				application.Icon = &appIcon
 			}
 		}
-
-		application.AppCategory = appCategory
-
-		if err := s.db.Save(&application).Error; err != nil {
-			return Application{}, fmt.Errorf("failed to create application: %w", err)
-		}
-
-		return application, nil
-	}
-
-	// Handle native applications (non-browser apps identified by executable path)
-	// Native apps are uniquely identified by their executable path on disk.
-	var application Application
-	if err := s.db.Where("name = ?", name).First(&application).Error; err != nil {
-		slog.Warn("failed to find application by executable path", "error", err)
-	}
-
-	// If no existing application found, create a new one with the provided metadata.
-	// For native apps, the icon is provided by the OS (e.g., from the app bundle).
-	if application.ID == 0 {
-		application = Application{
-			Name:     name,
-			BundleID: bundleID,
-		}
 	}
 
-	slog.Info("application icon", "icon", application.Icon)
-
-	if application.Icon == nil && icon != "" {
-		// Update the icon for existing apps that don't have one yet
+	if fromPtr(application.Icon) == "" && icon != "" {
 		application.Icon = &icon
 	}
 
 	application.AppCategory = appCategory
 
-	// Persist the application (creates new or updates existing)
 	if err := s.db.Save(&application).Error; err != nil {
 		return Application{}, fmt.Errorf("failed to create application: %w", err)
 	}
@@ -382,28 +269,31 @@ func (s *Service) getOrCreateApplication(ctx context.Context, name, icon string,
 	return application, nil
 }
 
-func (s *Service) getCurrentApplicationUsage() (*ApplicationUsage, error) {
+func (s *Service) getCurrentApplicationUsage() (ApplicationUsage, error) {
 	var application ApplicationUsage
 
 	if err := s.db.Preload("Application").Preload("Tags").Where("ended_at IS NULL").Limit(1).Order("started_at DESC").First(&application).Error; err != nil {
 		if err != gorm.ErrRecordNotFound {
-			return nil, fmt.Errorf("failed to find current application usage: %w", err)
+			return ApplicationUsage{}, fmt.Errorf("failed to find current application usage: %w", err)
 		}
 	}
 
 	if application.ID == 0 {
-		return nil, nil
+		return ApplicationUsage{}, nil
 	}
 
-	return &application, nil
+	return application, nil
 }
 
 func (s *Service) closeApplicationUsage(app *ApplicationUsage) error {
-	if app == nil || app.EndedAt != nil {
+	if app.ID == 0 {
+		return nil
+	}
+
+	if app.EndedAt != nil {
 		return nil
 	}
 
-	// update the application with the ended_at
 	endedAt := time.Now().Unix()
 	durationSeconds := int(endedAt - app.StartedAt)
 
@@ -414,29 +304,15 @@ func (s *Service) closeApplicationUsage(app *ApplicationUsage) error {
 		return fmt.Errorf("failed to update application usage: %w", err)
 	}
 
-	if s.UsageUpdates != nil {
-		s.UsageUpdates <- app
+	s.eventsMu.RLock()
+	for _, fn := range s.onUsageUpdated {
+		fn(app)
 	}
+	s.eventsMu.RUnlock()
 
 	return nil
 }
 
-func (s *Service) closeCurrentIdleUsage() error {
-	var idleUsage ApplicationUsage
-	err := s.db.Joins("Application").
-		Where("application.name = ? AND application_usage.ended_at IS NULL", IdleApplicationName).
-		Limit(1).Order("application_usage.started_at DESC").
-		First(&idleUsage).Error
-	if err != nil {
-		if err == gorm.ErrRecordNotFound {
-			return nil // Nothing to close
-		}
-		return fmt.Errorf("failed to find current idle usage: %w", err)
-	}
-
-	return s.closeApplicationUsage(&idleUsage)
-}
-
 func fetchFavicon(ctx context.Context, rawURL string) (string, error) {
 	const googleFaviconURL = "https://www.google.com/s2/favicons?sz=64&domain="
 
diff --git a/internal/usage/service_usage_test.go b/internal/usage/service_usage_test.go
index a6a84bd..6f4b32f 100644
--- a/internal/usage/service_usage_test.go
+++ b/internal/usage/service_usage_test.go
@@ -3,22 +3,25 @@ package usage_test
 import (
 	"context"
 	"fmt"
-	"io"
-	"net/http"
-	"strings"
+	urlpkg "net/url"
 	"testing"
 	"time"
 
 	"github.com/stretchr/testify/require"
-	"google.golang.org/genai"
 	"gorm.io/driver/sqlite"
 	"gorm.io/gorm"
 
 	"github.com/focusd-so/focusd/internal/usage"
 )
 
+func memoryDSN(t *testing.T) string {
+	t.Helper()
+
+	return fmt.Sprintf("file:%s?mode=memory&cache=shared&_busy_timeout=5000", urlpkg.QueryEscape(t.Name()))
+}
+
 func setUpService(t *testing.T, options ...usage.Option) (*usage.Service, *gorm.DB) {
-	db, _ := gorm.Open(sqlite.Open(":memory:"), &gorm.Config{})
+	db, _ := gorm.Open(sqlite.Open(memoryDSN(t)), &gorm.Config{})
 
 	ctx, cancel := context.WithCancel(context.Background())
 	t.Cleanup(cancel)
@@ -29,278 +32,240 @@ func setUpService(t *testing.T, options ...usage.Option) (*usage.Service, *gorm.
 	return service, db
 }
 
-func TestService_WhenEnterIdle_ContinueCurrentIdlePeriod(t *testing.T) {
-	service, db := setUpService(t)
-
-	// create the Idle application
-	idleApp := usage.Application{Name: usage.IdleApplicationName}
-	require.NoError(t, db.Create(&idleApp).Error)
-
-	// create an open idle usage
-	idleUsage := usage.ApplicationUsage{
-		ApplicationID:   idleApp.ID,
-		StartedAt:       time.Now().Unix(),
-		Classification:  usage.ClassificationNone,
-		TerminationMode: usage.TerminationModeNone,
-		WindowTitle:     usage.IdleApplicationName,
-		ExecutablePath:  "idle",
-	}
-	require.NoError(t, db.Create(&idleUsage).Error)
-
-	// wait 3 seconds
-	time.Sleep(3 * time.Second)
-
-	// enter idle
-	err := service.IdleChanged(context.Background(), true)
-	require.NoError(t, err, "failed to enter idle")
-
-	// read the idle usage — it should still be open
-	var readIdleUsage usage.ApplicationUsage
-	require.NoError(t, db.Where("id = ?", idleUsage.ID).First(&readIdleUsage).Error)
-
-	require.NotEqual(t, int64(0), readIdleUsage.StartedAt)
-	require.Equal(t, readIdleUsage.ID, idleUsage.ID)
-	require.Nil(t, readIdleUsage.EndedAt)
-	require.Nil(t, readIdleUsage.DurationSeconds)
+func TestService_TransitionsBetweenIdleAndApplicationUsage(t *testing.T) {
+	h := newUsageHarness(t)
+
+	h.
+		EnterIdle().
+		AssertLastUsage(
+			assertUsageOpened(t),
+			assertUsageApplicationName(t, usage.IdleApplicationName),
+			assertUsageClassification(t, usage.ClassificationNone),
+		).
+		AssertUpdateEventsCount(1).
+		AssertUsagesCount(1).
+		Await(1 * time.Second).
+		EnterIdle().
+		AssertUpdateEventsCount(1).
+		AssertUsagesCount(1)
+
+	h.
+		EnterIdle().
+		TitleChanged("Chrome", "Github", withPtr("https://github.com")).
+		AssertLastUsage(
+			assertUsageOpened(t),
+			assertUsageApplicationName(t, "Chrome"),
+			assertUsageHostname(t, "github.com"),
+			assertUsageClassification(t, usage.ClassificationProductive),
+		).
+		AssertPreviousUsage(assertUsageClosed(t)).
+		AssertUpdateEventsCount(4).
+		AssertUsagesCount(2)
+
+	h.
+		Await(3 * time.Second).
+		EnterIdle().
+		AssertLastUsage(assertUsageOpened(t)).
+		AssertPreviousUsage(assertUsageClosed(t)).
+		AssertUpdateEventsCount(6).
+		AssertUsagesCount(3)
 }
 
-func TestService_WhenEnterIdle_CreateNewIdlePeriod(t *testing.T) {
-	service, db := setUpService(t)
-
-	// create the Idle application
-	idleApp := usage.Application{Name: usage.IdleApplicationName}
-	require.NoError(t, db.Create(&idleApp).Error)
-
-	now := time.Now().Unix()
-	expectedDurationSeconds := 3
-
-	// create a closed idle usage
-	closedIdleUsage := usage.ApplicationUsage{
-		ApplicationID:   idleApp.ID,
-		StartedAt:       time.Now().Unix(),
-		EndedAt:         &now,
-		DurationSeconds: &expectedDurationSeconds,
-		Classification:  usage.ClassificationNone,
-		TerminationMode: usage.TerminationModeNone,
-		WindowTitle:     usage.IdleApplicationName,
-		ExecutablePath:  "idle",
-	}
-	require.NoError(t, db.Create(&closedIdleUsage).Error)
-
-	// enter idle
-	err := service.IdleChanged(context.Background(), true)
-	require.NoError(t, err, "failed to enter idle")
-
-	// read the new idle usage
-	var readIdleUsage usage.ApplicationUsage
-	require.NoError(t, db.Joins("Application").
-		Where("application.name = ? AND application_usage.ended_at IS NULL", usage.IdleApplicationName).
-		Limit(1).Order("application_usage.started_at DESC").
-		First(&readIdleUsage).Error)
-
-	require.NotEqual(t, int64(0), readIdleUsage.StartedAt)
-	require.NotEqual(t, readIdleUsage.ID, closedIdleUsage.ID)
-	require.Nil(t, readIdleUsage.EndedAt)
-	require.Nil(t, readIdleUsage.DurationSeconds)
-}
-
-func TestService_WhenExitIdle_CloseCurrentIdlePeriod(t *testing.T) {
-	service, db := setUpService(t)
-
-	// create the Idle application
-	idleApp := usage.Application{Name: usage.IdleApplicationName}
-	require.NoError(t, db.Create(&idleApp).Error)
-
-	// create an open idle usage
-	idleUsage := usage.ApplicationUsage{
-		ApplicationID:   idleApp.ID,
-		StartedAt:       time.Now().Unix(),
-		Classification:  usage.ClassificationNone,
-		TerminationMode: usage.TerminationModeNone,
-		WindowTitle:     usage.IdleApplicationName,
-		ExecutablePath:  "idle",
-	}
-	require.NoError(t, db.Create(&idleUsage).Error)
-
-	// wait 3 seconds
-	time.Sleep(3 * time.Second)
-
-	// exit idle
-	err := service.IdleChanged(context.Background(), false)
-	require.NoError(t, err, "failed to exit idle")
-
-	// read the idle usage
-	var readIdleUsage usage.ApplicationUsage
-	require.NoError(t, db.Where("id = ?", idleUsage.ID).First(&readIdleUsage).Error)
-
-	require.NotEqual(t, int64(0), readIdleUsage.StartedAt)
-	require.NotNil(t, readIdleUsage.EndedAt)
-	require.NotNil(t, readIdleUsage.DurationSeconds)
-	require.Equal(t, 3, *readIdleUsage.DurationSeconds)
-}
-
-func TestService_CloseCurrentApplicationUsageWhenEnterIdle(t *testing.T) {
-	service, db := setUpService(t)
-
-	// create a new application usage
-	applicationUsage := usage.ApplicationUsage{
-		StartedAt:       time.Now().Unix(),
-		EndedAt:         nil,
-		DurationSeconds: nil,
-	}
-	if err := db.Create(&applicationUsage).Error; err != nil {
-		t.Fatalf("failed to create application usage: %v", err)
-	}
-
-	// wait 3 seconds
-	time.Sleep(3 * time.Second)
-
-	err := service.IdleChanged(context.Background(), true)
-	require.NoError(t, err, "failed to enter idle")
-
-	// read the application usage
-	var readApplicationUsage usage.ApplicationUsage
-	if err := db.Where("id = ?", applicationUsage.ID).First(&readApplicationUsage).Error; err != nil {
-		t.Fatalf("failed to find application usage: %v", err)
-	}
-
-	require.NotEqual(t, 0, readApplicationUsage.StartedAt)
-	require.NotEqual(t, 0, readApplicationUsage.EndedAt)
-	require.NotNil(t, readApplicationUsage.DurationSeconds)
-	require.Equal(t, 3, *readApplicationUsage.DurationSeconds)
-}
-
-func TestService_TitleChanged_WhenSameApplication_ContinueCurrentApplicationUsage(t *testing.T) {
-	service, db := setUpService(t)
-
-	ctx := context.Background()
-
-	// create a new application usage
-	applicationUsage := usage.ApplicationUsage{
-		StartedAt:   time.Now().Unix(),
-		WindowTitle: "Slack",
-		Application: usage.Application{Name: "Slack"},
-	}
-	if err := db.Create(&applicationUsage).Error; err != nil {
-		t.Fatalf("failed to create application usage: %v", err)
-	}
-
-	// change the title of the current application
-	err := service.TitleChanged(ctx, "/Applications/Slack.app/Contents/MacOS/Slack", "Slack", "Slack", "", nil, nil, nil)
-	require.NoError(t, err, "failed to change title")
-
-	// read the application usage
-	var readApplicationUsage usage.ApplicationUsage
-	if err := db.Where("id = ?", applicationUsage.ID).First(&readApplicationUsage).Error; err != nil {
-		t.Fatalf("failed to find application usage: %v", err)
-	}
-
-	require.NotEqual(t, 0, readApplicationUsage.StartedAt)
-	require.Nil(t, readApplicationUsage.EndedAt)
-	require.Nil(t, readApplicationUsage.DurationSeconds)
-}
-
-func TestService_TitleChanged_WhenDifferentApplication_CloseCurrentApplicationUsage(t *testing.T) {
-	service, db := setUpService(t)
-
-	ctx := context.Background()
-
-	// create a new application usage
-	applicationUsage := usage.ApplicationUsage{
-		StartedAt:   time.Now().Unix(),
-		WindowTitle: "Slack",
-		Application: usage.Application{Name: "Slack"},
-	}
-	if err := db.Create(&applicationUsage).Error; err != nil {
-		t.Fatalf("failed to create application usage: %v", err)
-	}
-
-	// change the title of the current application
-	err := service.TitleChanged(ctx, "com.apple.Safari", "Safari", "New Tab", "", nil, nil, nil)
-	require.NoError(t, err, "failed to change title")
-
-	// read the application usage
-	var readApplicationUsage usage.ApplicationUsage
-	if err := db.Where("id = ?", applicationUsage.ID).First(&readApplicationUsage).Error; err != nil {
-		t.Fatalf("failed to find application usage: %v", err)
-	}
-
-	require.NotNil(t, readApplicationUsage.EndedAt)
-}
-
-func TestService_TitleChanged_ClassificationErrorStored(t *testing.T) {
-	// setup a service with a mock settings service that returns invalid custom rules to trigger a classification error
-	usageService, db := setUpServiceWithSettings(t, "invalid custom rules")
-
-	err := usageService.TitleChanged(context.Background(), "com.apple.Safari", "Safari", "New Tab", "", nil, nil, nil)
-	require.Nil(t, err)
-
-	var readApplicationUsage usage.ApplicationUsage
-	if err := db.Where("id = ?", 1).First(&readApplicationUsage).Error; err != nil {
-		t.Fatalf("failed to find application usage: %v", err)
-	}
-
-	require.NotNil(t, readApplicationUsage.ClassificationError)
-	require.Contains(t, *readApplicationUsage.ClassificationError, "failed to classify application usage with custom rules")
-}
-
-// roundTripFunc is an adapter to allow the use of ordinary functions as http.RoundTripper.
-type roundTripFunc func(*http.Request) (*http.Response, error)
-
-func (f roundTripFunc) RoundTrip(r *http.Request) (*http.Response, error) {
-	return f(r)
-}
-
-func TestService_TitleChanged_PropogateClassificationFromLLM(t *testing.T) {
-	// Classification response that the mocked LLM returns.
-	// Note: "classification_source" is intentionally omitted here because the real
-	// LLM prompt does not ask for it. The backend (classifyWithGemini) must set it
-	// explicitly to ClassificationSourceCloudLLM after unmarshalling.
-	classificationJSON := `{"classification":"productive","reasoning":"Productive work communication","confidence_score":0.95,"tags":["work","communication"]}`
-
-	// Wrap in a valid Gemini API response envelope (candidates[].content.parts[].text)
-	geminiResponse := fmt.Sprintf(`{"candidates":[{"content":{"parts":[{"text":%q}],"role":"model"}}]}`, classificationJSON)
-
-	genaiClient, err := genai.NewClient(context.Background(), &genai.ClientConfig{
-		APIKey:  "test-key",
-		Backend: genai.BackendGeminiAPI,
-		HTTPClient: &http.Client{
-			Transport: roundTripFunc(func(req *http.Request) (*http.Response, error) {
-				return &http.Response{
-					StatusCode: 200,
-					Body:       io.NopCloser(strings.NewReader(geminiResponse)),
-					Header:     http.Header{"Content-Type": []string{"application/json"}},
-				}, nil
-			}),
-		},
-	})
-	require.NoError(t, err, "failed to create genai client")
-
-	service, db := setUpService(t, usage.WithGenaiClient(genaiClient))
-
-	url := "https://example.com/docs"
-	err = service.TitleChanged(context.Background(),
-		"/Applications/Safari.app/Contents/MacOS/Safari",
-		"Safari",
-		"Example Docs",
-		"",
-		nil,
-		&url,
-		nil,
-	)
-	require.NoError(t, err, "failed to change title")
-
-	// Read the application usage and verify classification was propagated from LLM
-	var readApplicationUsage usage.ApplicationUsage
-	require.NoError(t, db.Preload("Tags").Where("ended_at IS NULL").First(&readApplicationUsage).Error)
-
-	require.Equal(t, usage.ClassificationProductive, readApplicationUsage.Classification)
-	require.Equal(t, usage.ClassificationSourceCloudLLMGemini, readApplicationUsage.ClassificationSource)
-	require.Equal(t, "Productive work communication", readApplicationUsage.ClassificationReasoning)
-	require.Equal(t, float32(0.95), readApplicationUsage.ClassificationConfidence)
-
-	// Verify tags were propagated
-	require.Len(t, readApplicationUsage.Tags, 2)
-	require.Equal(t, "work", readApplicationUsage.Tags[0].Tag)
-	require.Equal(t, "communication", readApplicationUsage.Tags[1].Tag)
+func TestService_ProtectionPauseAndWhitelisting(t *testing.T) {
+	h := newUsageHarness(t)
+
+	// user opens amazon, gets blocked by obviously classifier since it's a distraction
+	h.
+		TitleChanged("Chrome", "Amazon", withPtr("https://www.amazon.com")).
+		AssertLastUsage(
+			assertUsageClosed(t),
+			assertUsageApplicationName(t, "Chrome"),
+			assertUsageHostname(t, "amazon.com"),
+			assertUsageClassification(t, usage.ClassificationDistracting),
+			assertTerminationMode(t, usage.TerminationModeBlock),
+			assertTerminationModeSource(t, usage.TerminationModeSourceApplication),
+		).
+		AssertUpdateEventsCount(2)
+
+	// user pauses all protection and opens amazon and linkedin, should not be blocked
+	h.
+		ResetUsageEvents().
+		Pause(5, "test").
+		TitleChanged("Chrome", "Amazon", withPtr("https://www.amazon.com")).
+		AssertLastUsage(
+			assertUsageApplicationName(t, "Chrome"),
+			assertUsageHostname(t, "amazon.com"),
+			assertUsageClassification(t, usage.ClassificationDistracting),
+			assertTerminationMode(t, usage.TerminationModeAllow),
+			assertTerminationModeSource(t, usage.TerminationModeSourcePaused),
+		).
+		AssertUpdateEventsCount(2).
+		TitleChanged("Chrome", "Linkedin", withPtr("https://www.linkedin.com")).
+		AssertLastUsage(
+			assertUsageApplicationName(t, "Chrome"),
+			assertUsageHostname(t, "linkedin.com"),
+			assertUsageClassification(t, usage.ClassificationDistracting),
+			assertTerminationMode(t, usage.TerminationModeAllow),
+			assertTerminationModeSource(t, usage.TerminationModeSourcePaused),
+		).
+		AssertUpdateEventsCount(5)
+
+	// pause duration has collapsed, so user gets blocked again
+	h.
+		ResetUsageEvents().
+		Await(6*time.Second).
+		TitleChanged("Chrome", "Amazon", withPtr("https://www.amazon.com")).
+		AssertPreviousUsage(assertUsageClosed(t)).
+		AssertLastUsage(
+			assertUsageApplicationName(t, "Chrome"),
+			assertUsageHostname(t, "amazon.com"),
+			assertUsageClassification(t, usage.ClassificationDistracting),
+			assertTerminationMode(t, usage.TerminationModeBlock),
+			assertTerminationModeSource(t, usage.TerminationModeSourceApplication),
+		).
+		AssertUpdateEventsCount(3)
+
+	// user whitelists amazon and opens it again, should not be blocked, linkedin is still blocked
+	h.
+		Whitelist("Chrome", "https://www.amazon.com", 3*time.Second).
+		TitleChanged("Chrome", "Amazon", withPtr("https://amazon.com")).
+		AssertLastUsage(
+			assertUsageHostname(t, "amazon.com"),
+			assertUsageClassification(t, usage.ClassificationDistracting),
+			assertTerminationMode(t, usage.TerminationModeAllow),
+			assertTerminationModeSource(t, usage.TerminationModeSourceWhitelist),
+		).
+		TitleChanged("Chrome", "Linkedin", withPtr("https://www.linkedin.com")).
+		AssertPreviousUsage(assertUsageClosed(t)).
+		AssertLastUsage(
+			assertUsageHostname(t, "linkedin.com"),
+			assertUsageClassification(t, usage.ClassificationDistracting),
+			assertTerminationMode(t, usage.TerminationModeBlock),
+			assertTerminationModeSource(t, usage.TerminationModeSourceApplication),
+		).
+		Await(time.Second*4).
+		TitleChanged("Chrome", "Amazon", withPtr("https://www.amazon.com")).
+		AssertLastUsage(
+			assertUsageHostname(t, "amazon.com"),
+			assertUsageClassification(t, usage.ClassificationDistracting),
+			assertTerminationMode(t, usage.TerminationModeBlock),
+			assertTerminationModeSource(t, usage.TerminationModeSourceApplication),
+		)
+
+	// 2. Manual Pause Resumption
+	h.
+		Pause(10, "test early resume").
+		TitleChanged("Chrome", "Amazon", withPtr("https://www.amazon.com")).
+		AssertLastUsage(
+			assertTerminationMode(t, usage.TerminationModeAllow),
+			assertTerminationModeSource(t, usage.TerminationModeSourcePaused),
+		).
+		Await(time.Second).
+		Resume("user clicked resume").
+		TitleChanged("Chrome", "Amazon", withPtr("https://www.amazon.com")).
+		AssertLastUsage(
+			assertTerminationMode(t, usage.TerminationModeBlock),
+			assertTerminationModeSource(t, usage.TerminationModeSourceApplication),
+		)
+
+	// 3. Whitelist Overwriting / Extension
+	h.
+		Whitelist("Chrome", "https://www.amazon.com", 2*time.Second).
+		Await(time.Second).
+		Whitelist("Chrome", "https://www.amazon.com", 4*time.Hour).
+		Await(time.Second*3).
+		TitleChanged("Chrome", "Amazon", withPtr("https://www.amazon.com")).
+		AssertLastUsage(
+			assertTerminationMode(t, usage.TerminationModeAllow),
+			assertTerminationModeSource(t, usage.TerminationModeSourceWhitelist),
+		)
+
+	// 4. Cross-Browser Whitelist
+	h.
+		TitleChanged("Safari", "Amazon", withPtr("https://www.amazon.com")).
+		AssertLastUsage(
+			assertUsageApplicationName(t, "Safari"),
+			assertTerminationMode(t, usage.TerminationModeAllow),
+			assertTerminationModeSource(t, usage.TerminationModeSourceWhitelist),
+		)
+
+	// 5. Manual Whitelist Removal
+	h.
+		RemoveActiveWhitelists().
+		TitleChanged("Chrome", "Amazon", withPtr("https://www.amazon.com")).
+		AssertLastUsage(
+			assertTerminationMode(t, usage.TerminationModeBlock),
+			assertTerminationModeSource(t, usage.TerminationModeSourceApplication),
+		)
+
+	// 6. Pause Expiry While Whitelist Is Still Active
+	h.
+		Await(250*time.Millisecond).
+		ResetUsageEvents().
+		Pause(3, "pause shorter than whitelist").
+		Whitelist("Chrome", "https://www.amazon.com", 7*time.Second).
+		TitleChanged("Chrome", "Amazon", withPtr("https://www.amazon.com")).
+		AssertLastUsage(
+			assertTerminationMode(t, usage.TerminationModeAllow),
+			assertTerminationModeSource(t, usage.TerminationModeSourcePaused),
+		).
+		Await(4*time.Second).
+		TitleChanged("Chrome", "Amazon", withPtr("https://www.amazon.com")).
+		AssertLastUsage(
+			assertTerminationMode(t, usage.TerminationModeAllow),
+			assertTerminationModeSource(t, usage.TerminationModeSourceWhitelist),
+		)
+
+	// 7. Whitelist Expiry While Pause Is Still Active
+	h.
+		ResetUsageEvents().
+		Pause(8, "pause longer than whitelist").
+		Whitelist("Chrome", "https://www.amazon.com", 2*time.Second).
+		Await(3*time.Second).
+		TitleChanged("Chrome", "Amazon", withPtr("https://www.amazon.com")).
+		AssertLastUsage(
+			assertTerminationMode(t, usage.TerminationModeAllow),
+			assertTerminationModeSource(t, usage.TerminationModeSourcePaused),
+		).
+		Await(6*time.Second).
+		TitleChanged("Chrome", "Amazon", withPtr("https://www.amazon.com")).
+		AssertLastUsage(
+			assertTerminationMode(t, usage.TerminationModeBlock),
+			assertTerminationModeSource(t, usage.TerminationModeSourceApplication),
+		)
+
+	// 8. Manual Resume Does Not Clear Active Whitelist
+	h.
+		Await(250*time.Millisecond).
+		ResetUsageEvents().
+		Whitelist("Chrome", "https://www.amazon.com", 10*time.Second).
+		Pause(10, "manual resume should preserve whitelist").
+		Resume("user resumed protection manually").
+		TitleChanged("Chrome", "Amazon", withPtr("https://www.amazon.com")).
+		AssertLastUsage(
+			assertTerminationMode(t, usage.TerminationModeAllow),
+			assertTerminationModeSource(t, usage.TerminationModeSourceWhitelist),
+		).
+		TitleChanged("Chrome", "Linkedin", withPtr("https://www.linkedin.com")).
+		AssertLastUsage(
+			assertTerminationMode(t, usage.TerminationModeBlock),
+			assertTerminationModeSource(t, usage.TerminationModeSourceApplication),
+		)
+
+	// 9. Quick-Allow Input Shape Parity (hostname vs full URL)
+	h.
+		Await(250*time.Millisecond).
+		ResetUsageEvents().
+		RemoveActiveWhitelists().
+		Whitelist("Chrome", "amazon.com", 6*time.Second).
+		TitleChanged("Chrome", "Amazon", withPtr("https://www.amazon.com")).
+		AssertLastUsage(
+			assertTerminationMode(t, usage.TerminationModeAllow),
+			assertTerminationModeSource(t, usage.TerminationModeSourceWhitelist),
+		).
+		TitleChanged("Chrome", "Amazon", withPtr("https://amazon.com")).
+		AssertLastUsage(
+			assertTerminationMode(t, usage.TerminationModeAllow),
+			assertTerminationModeSource(t, usage.TerminationModeSourceWhitelist),
+		)
 }
diff --git a/internal/usage/types_db.go b/internal/usage/types_db.go
index d69f5f9..e638598 100644
--- a/internal/usage/types_db.go
+++ b/internal/usage/types_db.go
@@ -7,6 +7,11 @@
 
 package usage
 
+import (
+	"net/url"
+	"time"
+)
+
 type (
 	ExecutionLogType string
 )
@@ -27,9 +32,10 @@ type Application struct {
 	Name string `json:"name" gorm:"uniqueIndex:idx_name_hostname_id;not null"`
 
 	// optional fields
-	Icon     *string `json:"icon"` // either app icon or favicon if host is present
-	Hostname *string `json:"hostname" gorm:"uniqueIndex:idx_name_hostname_id"`
-	Domain   *string `json:"domain"`
+	Icon           *string `json:"icon"` // either app icon or favicon if host is present
+	Hostname       *string `json:"hostname" gorm:"uniqueIndex:idx_name_hostname_id"`
+	Domain         *string `json:"domain"`
+	ExecutablePath string  `json:"executable_path"`
 
 	// darwin only
 	BundleID    *string `json:"bundle_id"`
@@ -40,6 +46,25 @@ func (a Application) TableName() string {
 	return "application"
 }
 
+func (a Application) NewUsage(windowTitle string, browserURL *string) ApplicationUsage {
+	return ApplicationUsage{
+		ApplicationID:   a.ID,
+		Application:     a,
+		StartedAt:       time.Now().Unix(),
+		Classification:  ClassificationNone,
+		TerminationMode: TerminationModeNone,
+		WindowTitle:     windowTitle,
+		BrowserURL:      browserURL,
+	}
+}
+
+func NewIdleApplication() Application {
+	return Application{
+		Name:           IdleApplicationName,
+		ExecutablePath: "com.system.idle",
+	}
+}
+
 type ApplicationUsage struct {
 	// mandatory fields
 	ID              int64           `json:"id" gorm:"primaryKey;autoIncrement;not null"`
@@ -47,7 +72,6 @@ type ApplicationUsage struct {
 	StartedAt       int64           `json:"started_at" gorm:"not null"`
 	Classification  Classification  `json:"classification" gorm:"index:idx_classification"`
 	TerminationMode TerminationMode `json:"termination_mode" gorm:"not null"`
-	ExecutablePath  string          `json:"executable_path" gorm:"not null"`
 
 	// optional fields
 	BrowserURL      *string `json:"browser_url" gorm:"type:text"`
@@ -107,36 +131,25 @@ func (a *ApplicationUsage) GetDetectedProject() string {
 }
 
 // Same returns true if the application usage is the same as the given application usage
-//
-// Application usage is considered the same if:
-//   - The url is not nil and the url is the same
-//   - The application name and title are the same,
-//     eg. Slack + general discussion != Slack + funny memes
-func (a *ApplicationUsage) Same(windowTitle, appName string, bundleID, url *string) bool {
-	// Consistently handle nil vs empty string for URL comparison
-	aURL := a.BrowserURL
-	if aURL != nil && *aURL == "" {
-		aURL = nil
-	}
-	newURL := url
-	if newURL != nil && *newURL == "" {
-		newURL = nil
-	}
-
-	if aURL != nil && newURL != nil && *aURL == *newURL {
+func (a ApplicationUsage) Same(a1 ApplicationUsage) bool {
+	if a.ID != 0 && a1.ID != 0 && a.ID == a1.ID {
 		return true
 	}
 
-	// If one is nil and the other isn't, they are different (e.g. switching between tabs and native app)
-	if (aURL == nil) != (newURL == nil) {
-		return false
-	}
+	return a.String() == a1.String()
+}
 
-	if appName == a.Application.Name && windowTitle == a.WindowTitle {
-		return true
+func (a *ApplicationUsage) String() string {
+	if a.Application.Name == IdleApplicationName {
+		return IdleApplicationName
 	}
 
-	return false
+	vals := url.Values{}
+	vals.Set("app", a.Application.Name)
+	vals.Set("title", a.WindowTitle)
+	vals.Set("url", fromPtr(a.BrowserURL))
+
+	return vals.Encode()
 }
 
 type ApplicationUsageTags struct {
@@ -145,6 +158,10 @@ type ApplicationUsageTags struct {
 	UsageID int64  `json:"usage_id" gorm:"index:idx_usage_id"`
 }
 
+func (a *ApplicationUsageTags) TableName() string {
+	return "application_usage_tag"
+}
+
 type ProtectionWhitelist struct {
 	ID int64 `gorm:"primaryKey;autoIncrement" json:"id"`
 	// ExpiresAt should be pre-calculated and set to the time when the whitelist expires
@@ -182,3 +199,7 @@ type SandboxExecutionLog struct {
 	Error      *string `json:"error" gorm:"type:text;nullable"`
 	Type       string  `json:"type" gorm:"index:idx_type"`
 }
+
+func (s *SandboxExecutionLog) TableName() string {
+	return "sandbox_execution_log"
+}
diff --git a/internal/usage/types_usage.go b/internal/usage/types_usage.go
index ccc23eb..2cc6d74 100644
--- a/internal/usage/types_usage.go
+++ b/internal/usage/types_usage.go
@@ -8,20 +8,22 @@ type (
 )
 
 const (
-	TerminationModeNone   TerminationMode = "none"
-	TerminationModeBlock  TerminationMode = "block"
-	TerminationModePaused TerminationMode = "paused"
-	TerminationModeAllow  TerminationMode = "allow"
+	TerminationModeNone  TerminationMode = "none"
+	TerminationModeBlock TerminationMode = "block"
+	TerminationModeAllow TerminationMode = "allow"
 
 	TerminationModeSourceApplication TerminationModeSource = "application"
 	TerminationModeSourceCustomRules TerminationModeSource = "custom_rules"
 	TerminationModeSourceWhitelist   TerminationModeSource = "whitelist"
 	TerminationModeSourcePaused      TerminationModeSource = "paused"
 
-	ClassificationSourceUserSet        ClassificationSource = "user_set"
-	ClassificationSourceObviously      ClassificationSource = "obviously"
-	ClassificationSourceCustomRules    ClassificationSource = "custom_rules"
-	ClassificationSourceCloudLLMGemini ClassificationSource = "llm_gemini"
+	ClassificationSourceUserSet           ClassificationSource = "user_set"
+	ClassificationSourceObviously         ClassificationSource = "obviously"
+	ClassificationSourceCustomRules       ClassificationSource = "custom_rules"
+	ClassificationSourceCloudLLMGemini    ClassificationSource = "llm_gemini"
+	ClassificationSourceCloudLLMOpenAI    ClassificationSource = "llm_openai"
+	ClassificationSourceCloudLLMGroq      ClassificationSource = "llm_grok"
+	ClassificationSourceCloudLLMAnthropic ClassificationSource = "llm_anthropic"
 
 	IdleApplicationName = "Idle"
 
@@ -43,20 +45,20 @@ type TerminationDecision struct {
 }
 
 type ClassificationResponse struct {
-	Classification               Classification       `json:"classification"`
-	ClassificationSource         ClassificationSource `json:"classification_source"`
-	Reasoning                    string               `json:"reasoning"`
-	ConfidenceScore              float32              `json:"confidence_score"`
+	Classification       Classification       `json:"classification"`
+	ClassificationSource ClassificationSource `json:"classification_source"`
+	Reasoning            string               `json:"reasoning"`
+	ConfidenceScore      float32              `json:"confidence_score"`
 	// DetectedProject is inferred by the LLM from the window title or channel name.
 	// For coding apps (VS Code, Xcode, etc.), it extracts the workspace/project name from the title format.
 	// For communication apps (Slack), it extracts the project/team context if strongly implied by the channel name.
 	DetectedProject string `json:"detected_project"`
-	
+
 	// DetectedCommunicationChannel is inferred by the LLM from the window title for communication apps.
 	// E.g., for Slack it extracts "engineering" from "Slack | #engineering | Acme Corp".
 	// This is only populated when the "communication" tag is assigned.
 	DetectedCommunicationChannel string `json:"detected_communication_channel"`
-	
+
 	Tags []string `json:"tags"`
 
 	SandboxContext  string  `json:"sandbox_context"`
diff --git a/internal/usage/utils.go b/internal/usage/utils.go
index 50d1472..251cbd8 100644
--- a/internal/usage/utils.go
+++ b/internal/usage/utils.go
@@ -15,16 +15,19 @@ import (
 	"golang.org/x/net/publicsuffix"
 )
 
-func parseURL(browserURL string) (hostname, path string) {
-	u, err := url.Parse(browserURL)
+func parseURLNormalized(browserURL string) (*url.URL, error) {
+	u, err := url.ParseRequestURI(browserURL)
 	if err != nil {
-		return "", ""
+		return nil, err
 	}
 
-	hostname = strings.TrimPrefix(strings.ToLower(u.Hostname()), "www.")
-	path = u.Path
+	hostname := strings.ToLower(strings.TrimSpace(u.Hostname()))
+	hostname = strings.TrimSuffix(hostname, ".")
+	hostname = strings.TrimPrefix(hostname, "www.")
 
-	return hostname, path
+	u.Host = hostname
+
+	return u, nil
 }
 
 type MetaData struct {
@@ -119,10 +122,12 @@ func createSandboxContext(appName string, url *string) sandboxContext {
 	if url != nil {
 		sandboxCtx.URL = *url
 
-		hostname, path := parseURL(*url)
-		sandboxCtx.Hostname = hostname
-		sandboxCtx.Path = path
-		sandboxCtx.Domain, _ = publicsuffix.EffectiveTLDPlusOne(hostname)
+		u, err := parseURLNormalized(*url)
+		if err == nil {
+			sandboxCtx.Hostname = u.Hostname()
+			sandboxCtx.Path = u.Path
+			sandboxCtx.Domain, _ = publicsuffix.EffectiveTLDPlusOne(u.Hostname())
+		}
 	}
 
 	return sandboxCtx
diff --git a/main.go b/main.go
index 81cedf6..bd320e4 100644
--- a/main.go
+++ b/main.go
@@ -20,7 +20,6 @@ import (
 	_ "github.com/tursodatabase/libsql-client-go/libsql"
 	"github.com/wailsapp/wails/v3/pkg/application"
 	"github.com/wailsapp/wails/v3/pkg/events"
-	"google.golang.org/genai"
 	"gopkg.in/natefinch/lumberjack.v2"
 	"gorm.io/driver/sqlite"
 	"gorm.io/gorm"
@@ -54,7 +53,7 @@ func init() {
 	// Register a custom event whose associated data type is string.
 	// This is not required, but the binding generator will pick up registered events
 	// and provide a strongly typed JS/TS API for them.
-	application.RegisterEvent[usage.ApplicationUsage]("usage:update")
+	application.RegisterEvent[*usage.ApplicationUsage]("usage:update")
 	application.RegisterEvent[usage.ProtectionPause]("protection:status")
 	application.RegisterEvent[usage.LLMDailySummary]("daily-summary:ready")
 	application.RegisterEvent[any]("authctx:updated")
@@ -64,6 +63,16 @@ func init() {
 // and starts a goroutine that emits a time-based event every second. It subsequently runs the application and
 // logs any error that might occur.
 func main() {
+	userdir, err := os.UserHomeDir()
+	if err != nil {
+		log.Fatalf("failed to get user home directory: %v", err)
+	}
+
+	configDir := filepath.Join(userdir, ".focusd")
+	if err := os.MkdirAll(configDir, 0700); err != nil {
+		log.Fatalf("failed to create config directory: %v", err)
+	}
+
 	// Configure logging
 	logCloser, err := setupLogging()
 	if err != nil {
@@ -88,97 +97,24 @@ func main() {
 		log.Fatal("failed to setup web server: %w", err)
 	}
 
-	settingsService, err := settings.NewService(db, Version)
+	settingsService, err := settings.NewService(configDir)
 	if err != nil {
 		log.Fatal("failed to create settings service: %w", err)
 	}
 
-	// Resolve the API base URL based on build type.
-	apiBaseURL := "http://localhost:8089"
-	if isProductionBuild {
-		apiBaseURL = "https://api.focusd.so"
-	}
-
 	// This client is used to perform the handshake and get the token. It is not authenticated.
 	// It should only be used to perform the handshake and get the token.
-	apiUntrustedClient := api.NewClient(apiBaseURL)
+	apiUntrustedClient := api.NewClient(settings.APIBaseURL())
 
 	if err := identity.ScheduleHandshake(ctx, apiUntrustedClient); err != nil {
 		slog.Error("failed to schedule handshake", "error", err)
 	}
 
-	apiAuthenticatedClient := api.NewClient(apiBaseURL, api.NewSigningInterceptor())
+	apiAuthenticatedClient := api.NewClient(settings.APIBaseURL(), api.NewSigningInterceptor())
 
 	identityService := identity.NewService(apiAuthenticatedClient)
 
-	genaiClient, err := genai.NewClient(ctx, &genai.ClientConfig{
-		HTTPOptions: genai.HTTPOptions{
-			BaseURL: apiBaseURL + "/api/v1/gemini",
-		},
-		HTTPClient: &http.Client{
-			Transport: api.NewSigningRoundTripper(nil),
-		},
-		Backend: genai.BackendGeminiAPI,
-		// Since this is required to create the client, we are stubbing it for now.
-		// All the request will be going through api.focusd.so proxy.
-		APIKey: "stubbed",
-	})
-	if err != nil {
-		slog.Error("failed to create genai client", "error", err)
-	}
-
-	var wailsAppPtr *application.App
-
-	usageService, err := usage.NewService(
-		ctx, db,
-		usage.WithProtectionPaused(func(pause usage.ProtectionPause) {
-			slog.Info("protection has been paused", "reason", pause.Reason)
-			if wailsAppPtr != nil {
-				wailsAppPtr.Event.Emit("protection:status", pause)
-			}
-		}),
-		usage.WithProtectionResumed(func(pause usage.ProtectionPause) {
-			slog.Info("protection has been resumed", "reason", pause.Reason)
-			if wailsAppPtr != nil {
-				wailsAppPtr.Event.Emit("protection:status", pause)
-			}
-		}),
-		usage.WithAppBlocker(func(appName, title, reason string, tags []string, browserURL *string) {
-			client := extension.HasClient(appName)
-
-			// if an extension has been connected to handle app, they should take care of blocking the app
-			if client {
-				return
-			}
-
-			if browserURL != nil {
-				slog.Info("browser url provided, blocking url", "url", *browserURL)
-				if err := native.BlockURL(*browserURL, title, reason, tags, appName); err != nil {
-					slog.Error("failed to block URL", "url", *browserURL, "error", err)
-
-					return
-				}
-			}
-
-			slog.Info("no browser url provided, blocking app", "appName", appName)
-			if err := native.BlockApp(appName, title, reason, tags); err != nil {
-				slog.Error("failed to block app", "appName", appName, "error", err)
-
-				return
-			}
-		}),
-		usage.WithGenaiClient(genaiClient),
-		usage.WithSettingsService(settingsService),
-		usage.WithLLMDailySummaryReady(func(summary usage.LLMDailySummary) {
-			slog.Info("daily LLM summary ready", "date", summary.Date, "headline", summary.Headline)
-			if wailsAppPtr != nil {
-				wailsAppPtr.Event.Emit("daily-summary:ready", summary)
-			}
-			exec.Command("osascript", "-e",
-				fmt.Sprintf(`display notification "%s" with title "Focusd" subtitle "Daily Summary"`,
-					summary.Headline)).Run()
-		}),
-	)
+	usageService, err := usage.NewService(ctx, db)
 	if err != nil {
 		log.Fatal("failed to create usage service: %w", err)
 	}
@@ -208,7 +144,7 @@ func main() {
 			category = &event.AppCategory
 		}
 
-		err := usageService.TitleChanged(
+		appUsage, err := usageService.TitleChanged(
 			ctx,
 			event.ExecutablePath,
 			event.Title,
@@ -221,10 +157,34 @@ func main() {
 		if err != nil {
 			slog.Error("failed to handle title change", "error", err)
 		}
+
+		if appUsage.TerminationMode == usage.TerminationModeBlock {
+			tags := usage.ApplicationTagsSlice(appUsage.Tags).Tags()
+			reasoning := ""
+			if appUsage.ClassificationReasoning != nil {
+				reasoning = *appUsage.ClassificationReasoning
+			}
+
+			if url != nil {
+				slog.Info("browser url provided, blocking url", "url", *url)
+				if err := native.BlockURL(*url, event.Title, reasoning, tags, event.AppName); err != nil {
+					slog.Error("failed to block URL", "url", *url, "error", err)
+
+					return
+				}
+			}
+
+			if err := native.BlockApp(event.AppName, event.Title, reasoning, tags); err != nil {
+				slog.Error("failed to block app", "appName", event.AppName, "error", err)
+
+				return
+			}
+		}
+
 	})
 
 	var updaterService *updater.Service
-	if isProductionBuild {
+	if settings.IsProductionBuild() {
 		updaterService = updater.NewService(Version, "focusd-so", "focusd", AppleTeamID)
 	}
 
@@ -254,22 +214,30 @@ func main() {
 		},
 	})
 
-	wailsApp.OnShutdown(cancel)
+	usageService.OnProtectionPause(func(pause usage.ProtectionPause) {
+		wailsApp.Event.Emit("protection:status", pause)
+	})
 
-	wailsAppPtr = wailsApp
+	usageService.OnProtectionResumed(func(pause usage.ProtectionPause) {
+		wailsApp.Event.Emit("protection:status", pause)
+	})
 
-	go func() {
-		for {
-			select {
-			case <-ctx.Done():
-				return
-			case usage := <-usageService.UsageUpdates:
-				if wailsAppPtr != nil {
-					wailsAppPtr.Event.Emit("usage:update", *usage)
-				}
-			}
+	usageService.OnLLMDailySummaryReady(func(summary usage.LLMDailySummary) {
+		wailsApp.Event.Emit("daily-summary:ready", summary)
+
+		// TODO: use proper system api to send a notification
+		exec.Command("osascript", "-e",
+			fmt.Sprintf(`display notification "%s" with title "Focusd" subtitle "Daily Summary"`,
+				summary.Headline)).Run()
+	})
+
+	wailsApp.OnShutdown(cancel)
+
+	usageService.OnUsageUpdated(func(appUsage *usage.ApplicationUsage) {
+		if appUsage != nil {
+			wailsApp.Event.Emit("usage:update", appUsage)
 		}
-	}()
+	})
 
 	native.OnIdleChange(func(idleSeconds float64) {
 		usageService.IdleChanged(ctx, idleSeconds > 120)
@@ -391,11 +359,11 @@ func setupLogging() (io.Closer, error) {
 	if _, err := os.Stat("go.mod"); err == nil {
 		logPath = logName
 	} else {
-		configDir, err := os.UserConfigDir()
+		configDir, err := os.UserHomeDir()
 		if err != nil {
 			return nil, fmt.Errorf("failed to get user config dir: %w", err)
 		}
-		appDir := filepath.Join(configDir, "focusd")
+		appDir := filepath.Join(configDir, ".focusd")
 		if err := os.MkdirAll(appDir, 0755); err != nil {
 			return nil, fmt.Errorf("failed to create app config dir: %w", err)
 		}