diff --git a/internal/cli/config.go b/internal/cli/config.go
index 0a8c0041c..f2de8ef5e 100644
--- a/internal/cli/config.go
+++ b/internal/cli/config.go
@@ -127,6 +127,7 @@ func MustStartComponents(mainCtx context.Context, cfg *config.Config) {
 		}
 		if webS != nil {
 			xrayS.RegisterRoutes(webS.APIGroup())
+			webS.SetXrayStatus(xrayS)
 		}
 		if err := xrayS.Start(mainCtx); err != nil {
 			cliLogger.Fatalf("Start XrayServer meet err=%v", err)
diff --git a/internal/cli/update.go b/internal/cli/update.go
index 9e77a6a27..1388e4321 100644
--- a/internal/cli/update.go
+++ b/internal/cli/update.go
@@ -2,296 +2,28 @@ package cli
 
 import (
 	"context"
-	"encoding/json"
-	"fmt"
-	"io"
-	"net/http"
-	"os"
-	"os/exec"
-	"path/filepath"
-	"runtime"
-	"strings"
 	"time"
 
 	"github.com/Ehco1996/ehco/internal/constant"
+	"github.com/Ehco1996/ehco/internal/updater"
 	cli "github.com/urfave/cli/v2"
-	"golang.org/x/mod/semver"
 )
 
-const (
-	githubLatestReleaseAPI = "https://api.github.com/repos/Ehco1996/ehco/releases/latest"
-	githubReleasesAPI      = "https://api.github.com/repos/Ehco1996/ehco/releases?per_page=30"
-	systemdServiceName     = "ehco"
-
-	channelAuto    = "auto"
-	channelStable  = "stable"
-	channelNightly = "nightly"
-
-	nightlyTagSuffix = "-next"
-)
-
-type ghAsset struct {
-	Name               string `json:"name"`
-	BrowserDownloadURL string `json:"browser_download_url"`
-}
-
-type ghRelease struct {
-	TagName     string    `json:"tag_name"`
-	Prerelease  bool      `json:"prerelease"`
-	Draft       bool      `json:"draft"`
-	PublishedAt time.Time `json:"published_at"`
-	Assets      []ghAsset `json:"assets"`
-}
-
 var UpdateCMD = &cli.Command{
 	Name:  "update",
 	Usage: "update ehco to the latest GitHub release and restart the systemd service",
 	Flags: []cli.Flag{
-		&cli.BoolFlag{
-			Name:  "force",
-			Usage: "force update even if already at the latest version, or to allow downgrade / channel switch",
-		},
-		&cli.BoolFlag{
-			Name:  "no-restart",
-			Usage: "skip systemctl restart after replacing the binary",
-		},
-		&cli.StringFlag{
-			Name:  "channel",
-			Value: channelAuto,
-			Usage: "release channel to track: auto (match current build), stable, or nightly",
-		},
+		&cli.BoolFlag{Name: "force", Usage: "allow downgrade or channel switch"},
+		&cli.BoolFlag{Name: "no-restart", Usage: "skip systemctl restart after replacing the binary"},
+		&cli.StringFlag{Name: "channel", Value: updater.ChannelAuto, Usage: "auto | stable | nightly"},
+	},
+	Action: func(c *cli.Context) error {
+		ctx, cancel := context.WithTimeout(c.Context, 5*time.Minute)
+		defer cancel()
+		return updater.Apply(ctx, updater.ApplyOptions{
+			Channel: c.String("channel"),
+			Force:   c.Bool("force"),
+			Restart: !c.Bool("no-restart"),
+		}, constant.Version, cliLogger, nil)
 	},
-	Action: runUpdate,
-}
-
-func runUpdate(c *cli.Context) error {
-	ctx, cancel := context.WithTimeout(c.Context, 5*time.Minute)
-	defer cancel()
-
-	channel, err := resolveChannel(c.String("channel"), constant.Version)
-	if err != nil {
-		return err
-	}
-
-	rel, err := fetchTargetRelease(ctx, channel)
-	if err != nil {
-		return fmt.Errorf("fetch %s release: %w", channel, err)
-	}
-	latest := strings.TrimPrefix(rel.TagName, "v")
-	cliLogger.Infof("channel=%s current version=%s latest version=%s", channel, constant.Version, latest)
-
-	force := c.Bool("force")
-	if !force {
-		if latest == constant.Version {
-			cliLogger.Info("already up to date, nothing to do")
-			return nil
-		}
-		if cmp := compareVersions(latest, constant.Version); cmp < 0 {
-			return fmt.Errorf("refusing to downgrade from %s to %s; rerun with --force to override",
-				constant.Version, latest)
-		}
-	}
-
-	asset, err := pickReleaseAsset(rel.Assets)
-	if err != nil {
-		return err
-	}
-
-	binPath, err := resolveBinaryPath()
-	if err != nil {
-		return fmt.Errorf("resolve current binary path: %w", err)
-	}
-	tmpPath := binPath + ".new"
-	cliLogger.Infof("downloading %s -> %s", asset.BrowserDownloadURL, tmpPath)
-	if err := downloadFile(ctx, asset.BrowserDownloadURL, tmpPath); err != nil {
-		_ = os.Remove(tmpPath)
-		return fmt.Errorf("download asset: %w", err)
-	}
-	if err := os.Chmod(tmpPath, 0o755); err != nil {
-		_ = os.Remove(tmpPath)
-		return fmt.Errorf("chmod new binary: %w", err)
-	}
-	// rename(2) over a running ELF on linux is safe: the kernel keeps the
-	// old inode alive for the existing process, while new invocations
-	// (including the post-restart service) resolve to the new file.
-	if err := os.Rename(tmpPath, binPath); err != nil {
-		_ = os.Remove(tmpPath)
-		return fmt.Errorf("replace binary at %s: %w", binPath, err)
-	}
-	cliLogger.Infof("binary at %s updated to version %s", binPath, latest)
-
-	if c.Bool("no-restart") {
-		cliLogger.Info("skipping systemd restart (--no-restart); restart ehco manually to pick up the new binary")
-		return nil
-	}
-	return restartSystemdService()
-}
-
-func resolveChannel(flagVal, currentVersion string) (string, error) {
-	switch flagVal {
-	case channelStable, channelNightly:
-		return flagVal, nil
-	case channelAuto, "":
-		if isNightlyVersion(currentVersion) {
-			return channelNightly, nil
-		}
-		return channelStable, nil
-	default:
-		return "", fmt.Errorf("invalid --channel %q (want one of auto, stable, nightly)", flagVal)
-	}
-}
-
-func isNightlyVersion(v string) bool {
-	// goreleaser injects bare versions like "1.1.7-next" or "1.1.6"; both
-	// stable and nightly builds skip the leading "v". A nightly is anything
-	// carrying a prerelease suffix (currently "-next"), but we use a generic
-	// "contains a dash" check so future suffixes (e.g. "-rc.1") still work.
-	return strings.Contains(v, "-")
-}
-
-func fetchTargetRelease(ctx context.Context, channel string) (*ghRelease, error) {
-	switch channel {
-	case channelStable:
-		return fetchLatestStableRelease(ctx)
-	case channelNightly:
-		return fetchLatestNightlyRelease(ctx)
-	default:
-		return nil, fmt.Errorf("unknown channel %q", channel)
-	}
-}
-
-func fetchLatestStableRelease(ctx context.Context) (*ghRelease, error) {
-	var rel ghRelease
-	if err := getJSON(ctx, githubLatestReleaseAPI, &rel); err != nil {
-		return nil, err
-	}
-	if rel.TagName == "" {
-		return nil, fmt.Errorf("empty tag name in github response")
-	}
-	return &rel, nil
-}
-
-func fetchLatestNightlyRelease(ctx context.Context) (*ghRelease, error) {
-	// /releases/latest excludes prereleases by design, so list recent
-	// releases and pick the freshest nightly ourselves.
-	var all []ghRelease
-	if err := getJSON(ctx, githubReleasesAPI, &all); err != nil {
-		return nil, err
-	}
-	var best *ghRelease
-	for i := range all {
-		r := &all[i]
-		if r.Draft || !r.Prerelease {
-			continue
-		}
-		if !strings.HasSuffix(r.TagName, nightlyTagSuffix) {
-			continue
-		}
-		if best == nil || r.PublishedAt.After(best.PublishedAt) {
-			best = r
-		}
-	}
-	if best == nil {
-		return nil, fmt.Errorf("no nightly release found (looking for tags ending in %q)", nightlyTagSuffix)
-	}
-	return best, nil
-}
-
-func getJSON(ctx context.Context, url string, out any) error {
-	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
-	if err != nil {
-		return err
-	}
-	req.Header.Set("Accept", "application/vnd.github+json")
-	resp, err := http.DefaultClient.Do(req)
-	if err != nil {
-		return err
-	}
-	defer resp.Body.Close()
-	if resp.StatusCode != http.StatusOK {
-		body, _ := io.ReadAll(io.LimitReader(resp.Body, 512))
-		return fmt.Errorf("github api %s: %s", resp.Status, strings.TrimSpace(string(body)))
-	}
-	return json.NewDecoder(resp.Body).Decode(out)
-}
-
-// compareVersions returns -1/0/1 like semver.Compare. Inputs may have or
-// omit the leading "v"; unparseable inputs fall back to string compare so a
-// malformed version never crashes the updater (it just disables the
-// downgrade guard for that case, which --force handles).
-func compareVersions(a, b string) int {
-	va, vb := ensureV(a), ensureV(b)
-	if semver.IsValid(va) && semver.IsValid(vb) {
-		return semver.Compare(va, vb)
-	}
-	return strings.Compare(a, b)
-}
-
-func ensureV(s string) string {
-	if strings.HasPrefix(s, "v") {
-		return s
-	}
-	return "v" + s
-}
-
-func pickReleaseAsset(assets []ghAsset) (*ghAsset, error) {
-	if runtime.GOOS != "linux" {
-		return nil, fmt.Errorf("update only supports linux releases, current os=%s", runtime.GOOS)
-	}
-	want := fmt.Sprintf("ehco_linux_%s", runtime.GOARCH)
-	for i := range assets {
-		if assets[i].Name == want {
-			return &assets[i], nil
-		}
-	}
-	return nil, fmt.Errorf("no release asset matches %s", want)
-}
-
-func resolveBinaryPath() (string, error) {
-	p, err := os.Executable()
-	if err != nil {
-		return "", err
-	}
-	resolved, err := filepath.EvalSymlinks(p)
-	if err != nil {
-		return "", err
-	}
-	return resolved, nil
-}
-
-func downloadFile(ctx context.Context, url, dst string) error {
-	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
-	if err != nil {
-		return err
-	}
-	resp, err := http.DefaultClient.Do(req)
-	if err != nil {
-		return err
-	}
-	defer resp.Body.Close()
-	if resp.StatusCode != http.StatusOK {
-		return fmt.Errorf("download returned %s", resp.Status)
-	}
-	f, err := os.OpenFile(dst, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o755)
-	if err != nil {
-		return err
-	}
-	if _, err := io.Copy(f, resp.Body); err != nil {
-		_ = f.Close()
-		return err
-	}
-	return f.Close()
-}
-
-func restartSystemdService() error {
-	if _, err := exec.LookPath("systemctl"); err != nil {
-		cliLogger.Warn("systemctl not found on PATH; please restart ehco manually")
-		return nil
-	}
-	unit := systemdServiceName + ".service"
-	cliLogger.Infof("restarting %s via systemctl", unit)
-	cmd := exec.Command("systemctl", "restart", unit)
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-	return cmd.Run()
 }
diff --git a/internal/cmgr/cmgr.go b/internal/cmgr/cmgr.go
index 6e3b79561..126e87475 100644
--- a/internal/cmgr/cmgr.go
+++ b/internal/cmgr/cmgr.go
@@ -39,8 +39,8 @@ type Cmgr interface {
 	Start(ctx context.Context, errCH chan error)
 
 	// Metrics related
-	QueryNodeMetrics(ctx context.Context, req *ms.QueryNodeMetricsReq, refresh bool) (*ms.QueryNodeMetricsResp, error)
-	QueryRuleMetrics(ctx context.Context, req *ms.QueryRuleMetricsReq, refresh bool) (*ms.QueryRuleMetricsResp, error)
+	QueryNodeMetrics(ctx context.Context, req *ms.QueryNodeMetricsReq) (*ms.QueryNodeMetricsResp, error)
+	QueryRuleMetrics(ctx context.Context, req *ms.QueryRuleMetricsReq) (*ms.QueryRuleMetricsResp, error)
 }
 
 type cmgrImpl struct {
@@ -184,53 +184,49 @@ func (cm *cmgrImpl) GetActiveConnectCntByRelayLabel(label string) int {
 	return len(cm.activeConnectionsMap[label])
 }
 
+// metricsSampleInterval is the cadence at which we read /metrics/ and
+// persist a row to the local store, so the dashboard's Node page has
+// sub-minute resolution. SyncInterval (default 60s) controls the coarser
+// control-plane push only.
+const metricsSampleInterval = 5 * time.Second
+
 func (cm *cmgrImpl) Start(ctx context.Context, errCH chan error) {
-	cm.l.Infof("Start Cmgr sync interval=%d", cm.cfg.SyncInterval)
-	ticker := time.NewTicker(time.Second * time.Duration(cm.cfg.SyncInterval))
+	cm.l.Infof("Start Cmgr sync interval=%d sample interval=%s", cm.cfg.SyncInterval, metricsSampleInterval)
+	syncEvery := int(time.Duration(cm.cfg.SyncInterval)*time.Second/metricsSampleInterval) - 1
+	if syncEvery < 1 {
+		syncEvery = 1
+	}
+	ticker := time.NewTicker(metricsSampleInterval)
 	defer ticker.Stop()
+	tick := 0
 	for {
 		select {
 		case <-ctx.Done():
 			cm.l.Info("sync stop")
 			return
 		case <-ticker.C:
+			cm.sampleMetrics(ctx)
+			tick++
+			if tick%syncEvery != 0 {
+				continue
+			}
 			// Tolerate transient sync failures: retryablehttp already does
 			// internal backoff; on final error we just log and wait for the
 			// next tick. The traffic stats accumulated for this interval are
 			// dropped on the floor.
 			// TODO: persist unsent stats locally so they can be retried on
 			// later ticks instead of being lost when the upstream is down.
-			if err := cm.syncOnce(ctx); err != nil {
-				cm.l.Errorf("sync failed, will retry on next tick in %ds: %s", cm.cfg.SyncInterval, err)
+			if err := cm.pushStats(ctx); err != nil {
+				cm.l.Errorf("sync failed, will retry next tick in %ds: %s", cm.cfg.SyncInterval, err)
 			}
 		}
 	}
 }
 
-func (cm *cmgrImpl) QueryNodeMetrics(ctx context.Context, req *ms.QueryNodeMetricsReq, refresh bool) (*ms.QueryNodeMetricsResp, error) {
-	if refresh {
-		nm, _, err := cm.mr.ReadOnce(ctx)
-		if err != nil {
-			return nil, err
-		}
-		if err := cm.ms.AddNodeMetric(ctx, nm); err != nil {
-			return nil, err
-		}
-	}
+func (cm *cmgrImpl) QueryNodeMetrics(ctx context.Context, req *ms.QueryNodeMetricsReq) (*ms.QueryNodeMetricsResp, error) {
 	return cm.ms.QueryNodeMetric(ctx, req)
 }
 
-func (cm *cmgrImpl) QueryRuleMetrics(ctx context.Context, req *ms.QueryRuleMetricsReq, refresh bool) (*ms.QueryRuleMetricsResp, error) {
-	if refresh {
-		_, rm, err := cm.mr.ReadOnce(ctx)
-		if err != nil {
-			return nil, err
-		}
-		for _, m := range rm {
-			if err := cm.ms.AddRuleMetric(ctx, m); err != nil {
-				return nil, err
-			}
-		}
-	}
+func (cm *cmgrImpl) QueryRuleMetrics(ctx context.Context, req *ms.QueryRuleMetricsReq) (*ms.QueryRuleMetricsResp, error) {
 	return cm.ms.QueryRuleMetric(ctx, req)
 }
diff --git a/internal/cmgr/ms/handler.go b/internal/cmgr/ms/handler.go
index f591ef819..c2cb9358a 100644
--- a/internal/cmgr/ms/handler.go
+++ b/internal/cmgr/ms/handler.go
@@ -2,6 +2,7 @@ package ms
 
 import (
 	"context"
+	"database/sql"
 
 	"github.com/Ehco1996/ehco/pkg/metric_reader"
 )
@@ -20,6 +21,10 @@ type QueryNodeMetricsReq struct {
 	StartTimestamp int64
 	EndTimestamp   int64
 	Num            int64
+	// Step buckets samples into N-second windows when > 1, averaging
+	// every gauge field per bucket. Lets the SPA pull 7d/30d windows
+	// without dragging back hundreds of thousands of raw points.
+	Step int64
 }
 
 type QueryNodeMetricsResp struct {
@@ -47,6 +52,11 @@ type QueryRuleMetricsReq struct {
 	StartTimestamp int64
 	EndTimestamp   int64
 	Num            int64
+	// Step keeps the last sample per (label, remote) within each
+	// N-second bucket. Counter-style fields (transmit bytes) keep
+	// monotonic semantics so the SPA's delta-on-consecutive-points
+	// trend math still works after bucketing.
+	Step int64
 }
 
 type QueryRuleMetricsResp struct {
@@ -94,13 +104,33 @@ func (ms *MetricsStore) AddRuleMetric(ctx context.Context, rm *metric_reader.Rul
 }
 
 func (ms *MetricsStore) QueryNodeMetric(ctx context.Context, req *QueryNodeMetricsReq) (*QueryNodeMetricsResp, error) {
-	rows, err := ms.db.QueryContext(ctx, `
-	SELECT timestamp, cpu_usage, memory_usage, disk_usage, network_in, network_out
-	FROM node_metrics
-	WHERE timestamp >= ? AND timestamp <= ?
-	ORDER BY timestamp DESC
-	LIMIT ?
-`, req.StartTimestamp, req.EndTimestamp, req.Num)
+	var (
+		rows *sql.Rows
+		err  error
+	)
+	if req.Step > 1 {
+		// Floor each timestamp to a step-second bucket and average every
+		// gauge field. Cheaper than rolling a separate downsample table
+		// for the windows we care about (≤30d).
+		rows, err = ms.db.QueryContext(ctx, `
+		SELECT (timestamp/?)*? AS bucket_ts,
+		       AVG(cpu_usage), AVG(memory_usage), AVG(disk_usage),
+		       AVG(network_in), AVG(network_out)
+		FROM node_metrics
+		WHERE timestamp >= ? AND timestamp <= ?
+		GROUP BY bucket_ts
+		ORDER BY bucket_ts DESC
+		LIMIT ?
+	`, req.Step, req.Step, req.StartTimestamp, req.EndTimestamp, req.Num)
+	} else {
+		rows, err = ms.db.QueryContext(ctx, `
+		SELECT timestamp, cpu_usage, memory_usage, disk_usage, network_in, network_out
+		FROM node_metrics
+		WHERE timestamp >= ? AND timestamp <= ?
+		ORDER BY timestamp DESC
+		LIMIT ?
+	`, req.StartTimestamp, req.EndTimestamp, req.Num)
+	}
 	if err != nil {
 		return nil, err
 	}
@@ -119,29 +149,37 @@ func (ms *MetricsStore) QueryNodeMetric(ctx context.Context, req *QueryNodeMetri
 }
 
 func (ms *MetricsStore) QueryRuleMetric(ctx context.Context, req *QueryRuleMetricsReq) (*QueryRuleMetricsResp, error) {
-	query := `
-        SELECT timestamp, label, remote, ping_latency,
-               tcp_connection_count, tcp_handshake_duration, tcp_network_transmit_bytes,
-               udp_connection_count, udp_handshake_duration, udp_network_transmit_bytes
-        FROM rule_metrics
-        WHERE timestamp >= ? AND timestamp <= ?
-    `
-	args := []interface{}{req.StartTimestamp, req.EndTimestamp}
-
+	// Bucketed mode keeps the last sample per (label, remote) inside each
+	// step-second window. The bytes columns are monotonic counters, so
+	// last-of-bucket preserves the deltas the SPA computes — averaging
+	// would smear the curve.
+	const cols = `timestamp, label, remote, ping_latency,
+        tcp_connection_count, tcp_handshake_duration, tcp_network_transmit_bytes,
+        udp_connection_count, udp_handshake_duration, udp_network_transmit_bytes`
+
+	whereSQL := "WHERE timestamp >= ? AND timestamp <= ?"
+	whereArgs := []interface{}{req.StartTimestamp, req.EndTimestamp}
 	if req.RuleLabel != "" {
-		query += " AND label = ?"
-		args = append(args, req.RuleLabel)
+		whereSQL += " AND label = ?"
+		whereArgs = append(whereArgs, req.RuleLabel)
 	}
 	if req.Remote != "" {
-		query += " AND remote = ?"
-		args = append(args, req.Remote)
+		whereSQL += " AND remote = ?"
+		whereArgs = append(whereArgs, req.Remote)
 	}
 
-	query += `
-        ORDER BY timestamp DESC
-        LIMIT ?
-    `
-	args = append(args, req.Num)
+	var query string
+	var args []interface{}
+	if req.Step > 1 {
+		query = "SELECT " + cols + " FROM rule_metrics WHERE rowid IN (" +
+			"SELECT MAX(rowid) FROM rule_metrics " + whereSQL +
+			" GROUP BY (timestamp/?), label, remote) ORDER BY timestamp DESC LIMIT ?"
+		args = append(append([]interface{}{}, whereArgs...), req.Step, req.Num)
+	} else {
+		query = "SELECT " + cols + " FROM rule_metrics " + whereSQL +
+			" ORDER BY timestamp DESC LIMIT ?"
+		args = append(whereArgs, req.Num)
+	}
 
 	rows, err := ms.db.Query(query, args...)
 	if err != nil {
diff --git a/internal/cmgr/syncer.go b/internal/cmgr/syncer.go
index a82987f29..a4c459243 100644
--- a/internal/cmgr/syncer.go
+++ b/internal/cmgr/syncer.go
@@ -24,15 +24,34 @@ type VersionInfo struct {
 	ShortCommit string `json:"short_commit"`
 }
 
-type syncReq struct {
-	Version VersionInfo               `json:"version"`
-	Node    metric_reader.NodeMetrics `json:"node"`
-	Stats   []StatsPerRule            `json:"stats"`
+// sampleMetrics reads /metrics/ once and persists node + per-rule rows
+// to the local store. Cheap; called on every fast tick so the dashboard
+// has sub-minute resolution regardless of whether control-plane sync is
+// configured.
+func (cm *cmgrImpl) sampleMetrics(ctx context.Context) {
+	if !cm.cfg.NeedMetrics() {
+		return
+	}
+	nm, rmm, err := cm.mr.ReadOnce(ctx)
+	if err != nil {
+		cm.l.Debugf("metrics sample failed: %v", err)
+		return
+	}
+	if err := cm.ms.AddNodeMetric(ctx, nm); err != nil {
+		cm.l.Errorf("persist node metric: %v", err)
+	}
+	for _, rm := range rmm {
+		if err := cm.ms.AddRuleMetric(ctx, rm); err != nil {
+			cm.l.Errorf("persist rule metric: %v", err)
+		}
+	}
 }
 
-func (cm *cmgrImpl) syncOnce(ctx context.Context) error {
+// pushStats drains closedConnectionsMap and POSTs accumulated traffic
+// stats to the control plane. Called at SyncInterval cadence (default
+// 60s); a tighter cadence would just spam the control plane.
+func (cm *cmgrImpl) pushStats(ctx context.Context) error {
 	cm.l.Infof("sync once total closed connections: %d", cm.countClosedConnection())
-	// todo: opt lock
 	cm.lock.Lock()
 
 	shortCommit := constant.GitRevision
@@ -45,26 +64,15 @@ func (cm *cmgrImpl) syncOnce(ctx context.Context) error {
 	}
 
 	if cm.cfg.NeedMetrics() {
-		nm, rmm, err := cm.mr.ReadOnce(ctx)
-		if err != nil {
-			cm.l.Errorf("read metrics failed: %v", err)
+		if nm, _, err := cm.mr.ReadOnce(ctx); err != nil {
+			cm.l.Errorf("read metrics for sync: %v", err)
 		} else {
 			req.Node = *nm
-			if err := cm.ms.AddNodeMetric(ctx, nm); err != nil {
-				cm.l.Errorf("add metrics to store failed: %v", err)
-			}
-			for _, rm := range rmm {
-				if err := cm.ms.AddRuleMetric(ctx, rm); err != nil {
-					cm.l.Errorf("add rule metrics to store failed: %v", err)
-				}
-			}
 		}
 	}
 
 	for label, conns := range cm.closedConnectionsMap {
-		s := StatsPerRule{
-			RelayLabel: label,
-		}
+		s := StatsPerRule{RelayLabel: label}
 		var totalLatency int64
 		for _, c := range conns {
 			s.ConnectionCnt++
@@ -80,11 +88,16 @@ func (cm *cmgrImpl) syncOnce(ctx context.Context) error {
 	cm.closedConnectionsMap = make(map[string][]conn.RelayConn)
 	cm.lock.Unlock()
 
-	if cm.cfg.NeedSync() {
-		cm.l.Debug("syncing data to server", zap.Any("data", req))
-		return myhttp.PostJSONWithRetry(cm.cfg.SyncURL, &req)
-	} else {
-		cm.l.Debugf("remove %d closed connections", len(req.Stats))
+	if !cm.cfg.NeedSync() {
+		cm.l.Debugf("removed %d closed connections", len(req.Stats))
+		return nil
 	}
-	return nil
+	cm.l.Debug("syncing data to server", zap.Any("data", req))
+	return myhttp.PostJSONWithRetry(cm.cfg.SyncURL, &req)
+}
+
+type syncReq struct {
+	Version VersionInfo               `json:"version"`
+	Node    metric_reader.NodeMetrics `json:"node"`
+	Stats   []StatsPerRule            `json:"stats"`
 }
diff --git a/internal/glue/interface.go b/internal/glue/interface.go
index 011cdfbfe..1ad3d99f3 100644
--- a/internal/glue/interface.go
+++ b/internal/glue/interface.go
@@ -12,3 +12,21 @@ type HealthChecker interface {
 	// get relay by ID and check the connection health
 	HealthCheck(ctx context.Context, RelayID string) (int64, error)
 }
+
+// XrayStatus is the slice of XrayServer the web admin needs for its
+// aggregate /overview endpoint. Defined here so web/ doesn't need to
+// import pkg/xray.
+type XrayStatus interface {
+	// Snapshot returns instantaneous counters scraped from the user
+	// pool and conn tracker. Cheap — no DB hits.
+	Snapshot() XraySnapshot
+}
+
+type XraySnapshot struct {
+	Conns         int   `json:"conns"`
+	Users         int   `json:"users"`
+	EnabledUsers  int   `json:"enabled_users"`
+	RunningUsers  int   `json:"running_users"`
+	UploadTotal   int64 `json:"upload_total"`
+	DownloadTotal int64 `json:"download_total"`
+}
diff --git a/internal/metrics/log_level.go b/internal/metrics/log_level.go
new file mode 100644
index 000000000..a9bdc2f26
--- /dev/null
+++ b/internal/metrics/log_level.go
@@ -0,0 +1,21 @@
+package metrics
+
+import (
+	"log/slog"
+	"strings"
+)
+
+func zapLevelToSlogLevel(zapLevel string) slog.Level {
+	switch strings.ToLower(zapLevel) {
+	case "debug":
+		return slog.LevelDebug
+	case "info":
+		return slog.LevelInfo
+	case "warn", "warning":
+		return slog.LevelWarn
+	case "error":
+		return slog.LevelError
+	default:
+		return slog.LevelInfo
+	}
+}
diff --git a/internal/metrics/node_darwin.go b/internal/metrics/node_darwin.go
index d4914d01f..c7bd1ee66 100644
--- a/internal/metrics/node_darwin.go
+++ b/internal/metrics/node_darwin.go
@@ -3,12 +3,34 @@
 package metrics
 
 import (
+	"fmt"
+	"log/slog"
+	"os"
+
 	"github.com/Ehco1996/ehco/internal/config"
+	"github.com/alecthomas/kingpin/v2"
+	"github.com/prometheus/client_golang/prometheus"
+	"github.com/prometheus/node_exporter/collector"
 )
 
-// RegisterNodeExporterMetrics is a no-op on Darwin/macOS
-// node_exporter has compatibility issues on macOS, so we disable it
+// `thermal` collector logs an ERROR per scrape on most Macs with
+// "no CPU power status has been recorded". Disable it via kingpin so
+// logs stay quiet. Kept separate from node_linux.go because Linux
+// doesn't have the collector and shouldn't carry the flag noise.
 func RegisterNodeExporterMetrics(cfg *config.Config) error {
-	// node_exporter is not supported on macOS, skip registration
+	logger := slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{
+		Level: zapLevelToSlogLevel(cfg.LogLeveL),
+	}))
+
+	if _, err := kingpin.CommandLine.Parse([]string{
+		"--no-collector.thermal",
+	}); err != nil {
+		return err
+	}
+	nc, err := collector.NewNodeCollector(logger)
+	if err != nil {
+		return fmt.Errorf("couldn't create collector: %w", err)
+	}
+	prometheus.MustRegister(nc)
 	return nil
 }
diff --git a/internal/metrics/node_linux.go b/internal/metrics/node_linux.go
index 72a306f20..ec9960511 100644
--- a/internal/metrics/node_linux.go
+++ b/internal/metrics/node_linux.go
@@ -6,7 +6,6 @@ import (
 	"fmt"
 	"log/slog"
 	"os"
-	"strings"
 
 	"github.com/Ehco1996/ehco/internal/config"
 	"github.com/alecthomas/kingpin/v2"
@@ -14,22 +13,6 @@ import (
 	"github.com/prometheus/node_exporter/collector"
 )
 
-// zapLevelToSlogLevel converts zap log level string to slog.Level
-func zapLevelToSlogLevel(zapLevel string) slog.Level {
-	switch strings.ToLower(zapLevel) {
-	case "debug":
-		return slog.LevelDebug
-	case "info":
-		return slog.LevelInfo
-	case "warn", "warning":
-		return slog.LevelWarn
-	case "error":
-		return slog.LevelError
-	default:
-		return slog.LevelInfo
-	}
-}
-
 func RegisterNodeExporterMetrics(cfg *config.Config) error {
 	slogLevel := zapLevelToSlogLevel(cfg.LogLeveL)
 	logger := slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{
diff --git a/internal/updater/updater.go b/internal/updater/updater.go
new file mode 100644
index 000000000..e48222e73
--- /dev/null
+++ b/internal/updater/updater.go
@@ -0,0 +1,320 @@
+// Package updater self-updates the ehco binary from GitHub releases.
+// Used by both `ehco update` (CLI) and the dashboard's /api/v1/update/*
+// endpoints.
+package updater
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"runtime"
+	"strings"
+	"time"
+
+	"go.uber.org/zap"
+	"golang.org/x/mod/semver"
+)
+
+const (
+	ChannelAuto    = "auto"
+	ChannelStable  = "stable"
+	ChannelNightly = "nightly"
+
+	releasesAPI        = "https://api.github.com/repos/Ehco1996/ehco/releases"
+	systemdServiceName = "ehco"
+)
+
+// State is the phase of an Apply run; consumed by the web UI.
+type State string
+
+const (
+	StateChecking    State = "checking"
+	StateDownloading State = "downloading"
+	StateInstalling  State = "installing"
+	StateRestarting  State = "restarting"
+	StateDone        State = "done"
+	StateFailed      State = "failed"
+)
+
+// CheckResult describes a release relative to the running binary.
+type CheckResult struct {
+	Channel         string    `json:"channel"`
+	CurrentVersion  string    `json:"current_version"`
+	LatestVersion   string    `json:"latest_version"`
+	LatestTag       string    `json:"latest_tag"`
+	ReleaseName     string    `json:"release_name"`
+	ReleaseBody     string    `json:"release_body"`
+	ReleaseURL      string    `json:"release_url"`
+	PublishedAt     time.Time `json:"published_at"`
+	UpdateAvailable bool      `json:"update_available"`
+	AssetName       string    `json:"asset_name"`
+	AssetURL        string    `json:"asset_url"`
+}
+
+// ApplyOptions doubles as the JSON body of POST /api/v1/update/apply.
+type ApplyOptions struct {
+	Channel string `json:"channel"`
+	Force   bool   `json:"force"`
+	Restart bool   `json:"restart"`
+}
+
+type ghAsset struct {
+	Name               string `json:"name"`
+	BrowserDownloadURL string `json:"browser_download_url"`
+}
+
+type ghRelease struct {
+	TagName     string    `json:"tag_name"`
+	Name        string    `json:"name"`
+	Body        string    `json:"body"`
+	Prerelease  bool      `json:"prerelease"`
+	Draft       bool      `json:"draft"`
+	PublishedAt time.Time `json:"published_at"`
+	HTMLURL     string    `json:"html_url"`
+	Assets      []ghAsset `json:"assets"`
+}
+
+// Check resolves channel against currentVersion and queries GitHub.
+func Check(ctx context.Context, channel, currentVersion string) (*CheckResult, error) {
+	resolved, rel, err := pickRelease(ctx, channel, currentVersion)
+	if err != nil {
+		return nil, err
+	}
+	latest := strings.TrimPrefix(rel.TagName, "v")
+	res := &CheckResult{
+		Channel:        resolved,
+		CurrentVersion: currentVersion,
+		LatestVersion:  latest,
+		LatestTag:      rel.TagName,
+		ReleaseName:    rel.Name,
+		ReleaseBody:    rel.Body,
+		ReleaseURL:     rel.HTMLURL,
+		PublishedAt:    rel.PublishedAt,
+	}
+	res.UpdateAvailable = latest != currentVersion && compareVersions(latest, currentVersion) > 0
+	if a := pickAsset(rel.Assets); a != nil {
+		res.AssetName = a.Name
+		res.AssetURL = a.BrowserDownloadURL
+	}
+	return res, nil
+}
+
+// Apply downloads + swaps + (optionally) restarts. Each phase is reported
+// to onState so the dashboard can render progress; CLI passes nil.
+func Apply(ctx context.Context, opts ApplyOptions, currentVersion string, log *zap.SugaredLogger, onState func(State)) error {
+	emit := func(s State) {
+		if onState != nil {
+			onState(s)
+		}
+	}
+
+	emit(StateChecking)
+	resolved, rel, err := pickRelease(ctx, opts.Channel, currentVersion)
+	if err != nil {
+		return err
+	}
+	latest := strings.TrimPrefix(rel.TagName, "v")
+	log.Infof("channel=%s current=%s latest=%s", resolved, currentVersion, latest)
+
+	if !opts.Force {
+		if latest == currentVersion {
+			log.Info("already up to date")
+			emit(StateDone)
+			return nil
+		}
+		if compareVersions(latest, currentVersion) < 0 {
+			return fmt.Errorf("refusing to downgrade %s -> %s; use force", currentVersion, latest)
+		}
+	}
+
+	asset := pickAsset(rel.Assets)
+	if asset == nil {
+		return fmt.Errorf("no release asset for %s/%s", runtime.GOOS, runtime.GOARCH)
+	}
+
+	binPath, err := os.Executable()
+	if err != nil {
+		return fmt.Errorf("locate binary: %w", err)
+	}
+	if binPath, err = filepath.EvalSymlinks(binPath); err != nil {
+		return fmt.Errorf("resolve binary symlink: %w", err)
+	}
+	tmpPath := binPath + ".new"
+
+	emit(StateDownloading)
+	log.Infof("downloading %s -> %s", asset.BrowserDownloadURL, tmpPath)
+	if err := download(ctx, asset.BrowserDownloadURL, tmpPath); err != nil {
+		_ = os.Remove(tmpPath)
+		return fmt.Errorf("download: %w", err)
+	}
+
+	emit(StateInstalling)
+	// rename(2) over a running ELF on linux is safe: the kernel keeps the
+	// old inode alive for the running process while new invocations
+	// resolve to the new file.
+	if err := os.Chmod(tmpPath, 0o755); err != nil {
+		_ = os.Remove(tmpPath)
+		return fmt.Errorf("chmod: %w", err)
+	}
+	if err := os.Rename(tmpPath, binPath); err != nil {
+		_ = os.Remove(tmpPath)
+		return fmt.Errorf("replace %s: %w", binPath, err)
+	}
+	log.Infof("installed %s at %s", latest, binPath)
+
+	if !opts.Restart {
+		log.Info("skipping restart; restart manually to pick up the new binary")
+		emit(StateDone)
+		return nil
+	}
+	emit(StateRestarting)
+	if err := restartSystemd(log); err != nil {
+		return err
+	}
+	emit(StateDone)
+	return nil
+}
+
+func pickRelease(ctx context.Context, channel, currentVersion string) (string, *ghRelease, error) {
+	resolved, err := resolveChannel(channel, currentVersion)
+	if err != nil {
+		return "", nil, err
+	}
+	rel, err := fetchLatest(ctx, resolved)
+	if err != nil {
+		return "", nil, fmt.Errorf("fetch %s: %w", resolved, err)
+	}
+	return resolved, rel, nil
+}
+
+func resolveChannel(flag, currentVersion string) (string, error) {
+	switch flag {
+	case ChannelStable, ChannelNightly:
+		return flag, nil
+	case ChannelAuto, "":
+		// goreleaser injects "1.1.7-next" for nightlies, "1.1.7" for
+		// stable. semver.Prerelease handles "+build" and "-rc.1" too.
+		if semver.Prerelease("v"+currentVersion) != "" {
+			return ChannelNightly, nil
+		}
+		return ChannelStable, nil
+	default:
+		return "", fmt.Errorf("invalid channel %q (auto|stable|nightly)", flag)
+	}
+}
+
+func fetchLatest(ctx context.Context, channel string) (*ghRelease, error) {
+	if channel == ChannelStable {
+		// /releases/latest excludes prereleases, perfect for stable.
+		var rel ghRelease
+		if err := getJSON(ctx, releasesAPI+"/latest", &rel); err != nil {
+			return nil, err
+		}
+		if rel.TagName == "" {
+			return nil, fmt.Errorf("empty tag in github response")
+		}
+		return &rel, nil
+	}
+	// Nightly: list releases and pick the freshest prerelease.
+	var all []ghRelease
+	if err := getJSON(ctx, releasesAPI+"?per_page=30", &all); err != nil {
+		return nil, err
+	}
+	var best *ghRelease
+	for i := range all {
+		r := &all[i]
+		if r.Draft || !r.Prerelease {
+			continue
+		}
+		if best == nil || r.PublishedAt.After(best.PublishedAt) {
+			best = r
+		}
+	}
+	if best == nil {
+		return nil, fmt.Errorf("no nightly release found")
+	}
+	return best, nil
+}
+
+func getJSON(ctx context.Context, url string, out any) error {
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
+	if err != nil {
+		return err
+	}
+	req.Header.Set("Accept", "application/vnd.github+json")
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		body, _ := io.ReadAll(io.LimitReader(resp.Body, 512))
+		return fmt.Errorf("github %s: %s", resp.Status, strings.TrimSpace(string(body)))
+	}
+	return json.NewDecoder(resp.Body).Decode(out)
+}
+
+// compareVersions returns -1/0/1 like semver.Compare. Falls back to
+// string compare for unparseable versions so a malformed constant.Version
+// never crashes the updater (--force still works).
+func compareVersions(a, b string) int {
+	va, vb := "v"+strings.TrimPrefix(a, "v"), "v"+strings.TrimPrefix(b, "v")
+	if semver.IsValid(va) && semver.IsValid(vb) {
+		return semver.Compare(va, vb)
+	}
+	return strings.Compare(a, b)
+}
+
+func pickAsset(assets []ghAsset) *ghAsset {
+	if runtime.GOOS != "linux" {
+		return nil
+	}
+	want := fmt.Sprintf("ehco_linux_%s", runtime.GOARCH)
+	for i := range assets {
+		if assets[i].Name == want {
+			return &assets[i]
+		}
+	}
+	return nil
+}
+
+func download(ctx context.Context, url, dst string) error {
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
+	if err != nil {
+		return err
+	}
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		return fmt.Errorf("download %s", resp.Status)
+	}
+	f, err := os.OpenFile(dst, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o755)
+	if err != nil {
+		return err
+	}
+	if _, err := io.Copy(f, resp.Body); err != nil {
+		_ = f.Close()
+		return err
+	}
+	return f.Close()
+}
+
+func restartSystemd(log *zap.SugaredLogger) error {
+	if _, err := exec.LookPath("systemctl"); err != nil {
+		log.Warn("systemctl not found; restart ehco manually")
+		return nil
+	}
+	log.Infof("restarting %s.service via systemctl", systemdServiceName)
+	cmd := exec.Command("systemctl", "restart", systemdServiceName+".service")
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	return cmd.Run()
+}
diff --git a/internal/updater/updater_test.go b/internal/updater/updater_test.go
new file mode 100644
index 000000000..0af3dd06b
--- /dev/null
+++ b/internal/updater/updater_test.go
@@ -0,0 +1,46 @@
+package updater
+
+import "testing"
+
+func TestResolveChannel(t *testing.T) {
+	cases := []struct {
+		flag, current, want string
+		wantErr             bool
+	}{
+		{"stable", "1.1.7-next", "stable", false},
+		{"nightly", "1.1.6", "nightly", false},
+		{"auto", "1.1.7-next", "nightly", false},
+		{"auto", "1.1.6", "stable", false},
+		{"", "1.1.6", "stable", false},
+		{"bogus", "1.1.6", "", true},
+	}
+	for _, c := range cases {
+		got, err := resolveChannel(c.flag, c.current)
+		if (err != nil) != c.wantErr {
+			t.Errorf("resolveChannel(%q,%q) err=%v wantErr=%v", c.flag, c.current, err, c.wantErr)
+			continue
+		}
+		if got != c.want {
+			t.Errorf("resolveChannel(%q,%q) = %q want %q", c.flag, c.current, got, c.want)
+		}
+	}
+}
+
+func TestCompareVersions(t *testing.T) {
+	cases := []struct {
+		a, b string
+		want int
+	}{
+		{"1.1.6", "1.1.7", -1},
+		{"1.1.7", "1.1.6", 1},
+		{"1.1.6", "1.1.6", 0},
+		{"v1.1.6", "1.1.6", 0},
+		{"1.1.7-next", "1.1.7", -1}, // semver: prerelease < release
+		{"1.1.7", "1.1.7-next", 1},
+	}
+	for _, c := range cases {
+		if got := compareVersions(c.a, c.b); got != c.want {
+			t.Errorf("compareVersions(%q,%q)=%d want %d", c.a, c.b, got, c.want)
+		}
+	}
+}
diff --git a/internal/web/handler_api.go b/internal/web/handler_api.go
index 71a4c3dda..6ab487006 100644
--- a/internal/web/handler_api.go
+++ b/internal/web/handler_api.go
@@ -8,6 +8,7 @@ import (
 	"time"
 
 	"github.com/Ehco1996/ehco/internal/cmgr/ms"
+	"github.com/Ehco1996/ehco/internal/glue"
 	"github.com/labstack/echo/v4"
 )
 
@@ -19,7 +20,8 @@ const (
 type queryParams struct {
 	startTS int64
 	endTS   int64
-	refresh bool
+	latest  bool
+	step    int64
 }
 
 func parseQueryParams(c echo.Context) (*queryParams, error) {
@@ -27,7 +29,6 @@ func parseQueryParams(c echo.Context) (*queryParams, error) {
 	params := &queryParams{
 		startTS: now - defaultTimeRange,
 		endTS:   now,
-		refresh: false,
 	}
 
 	if start, err := parseTimestamp(c.QueryParam("start_ts")); err == nil {
@@ -38,8 +39,12 @@ func parseQueryParams(c echo.Context) (*queryParams, error) {
 		params.endTS = end
 	}
 
-	if refresh, err := strconv.ParseBool(c.QueryParam("latest")); err == nil {
-		params.refresh = refresh
+	if latest, err := strconv.ParseBool(c.QueryParam("latest")); err == nil {
+		params.latest = latest
+	}
+
+	if step, err := strconv.ParseInt(c.QueryParam("step"), 10, 64); err == nil && step > 0 {
+		params.step = step
 	}
 
 	if params.startTS >= params.endTS {
@@ -61,11 +66,11 @@ func (s *Server) GetNodeMetrics(c echo.Context) error {
 	if err != nil {
 		return echo.NewHTTPError(http.StatusBadRequest, err.Error())
 	}
-	req := &ms.QueryNodeMetricsReq{StartTimestamp: params.startTS, EndTimestamp: params.endTS, Num: -1}
-	if params.refresh {
+	req := &ms.QueryNodeMetricsReq{StartTimestamp: params.startTS, EndTimestamp: params.endTS, Num: -1, Step: params.step}
+	if params.latest {
 		req.Num = 1
 	}
-	metrics, err := s.connMgr.QueryNodeMetrics(c.Request().Context(), req, params.refresh)
+	metrics, err := s.connMgr.QueryNodeMetrics(c.Request().Context(), req)
 	if err != nil {
 		return echo.NewHTTPError(http.StatusInternalServerError, err.Error())
 	}
@@ -81,14 +86,15 @@ func (s *Server) GetRuleMetrics(c echo.Context) error {
 		StartTimestamp: params.startTS,
 		EndTimestamp:   params.endTS,
 		Num:            -1,
+		Step:           params.step,
 		RuleLabel:      c.QueryParam("label"),
 		Remote:         c.QueryParam("remote"),
 	}
-	if params.refresh {
+	if params.latest {
 		req.Num = 1
 	}
 
-	metrics, err := s.connMgr.QueryRuleMetrics(c.Request().Context(), req, params.refresh)
+	metrics, err := s.connMgr.QueryRuleMetrics(c.Request().Context(), req)
 	if err != nil {
 		return echo.NewHTTPError(http.StatusInternalServerError, err.Error())
 	}
@@ -135,6 +141,44 @@ func (s *Server) HandleReload(c echo.Context) error {
 	return nil
 }
 
+// OverviewResp bundles everything the SPA's home page polls — saves
+// the front-end the 3 parallel fetches it would otherwise need on
+// every refresh tick. Fields stay nil/zero when their subsystem is
+// disabled (xray-less deployments, no host sampler yet).
+type OverviewResp struct {
+	Xray  *glue.XraySnapshot `json:"xray,omitempty"`
+	Host  *ms.NodeMetrics    `json:"host,omitempty"`
+	Rules int                `json:"rules"`
+}
+
+func (s *Server) Overview(c echo.Context) error {
+	out := OverviewResp{}
+
+	if s.cfg != nil {
+		out.Rules = len(s.cfg.RelayConfigs)
+	}
+
+	if p := s.xrayStatus.Load(); p != nil && *p != nil {
+		snap := (*p).Snapshot()
+		out.Xray = &snap
+	}
+
+	if s.connMgr != nil {
+		now := time.Now()
+		req := &ms.QueryNodeMetricsReq{
+			StartTimestamp: now.Add(-5 * time.Minute).Unix(),
+			EndTimestamp:   now.Unix(),
+			Num:            1,
+		}
+		if resp, err := s.connMgr.QueryNodeMetrics(c.Request().Context(), req); err == nil && len(resp.Data) > 0 {
+			h := resp.Data[0]
+			out.Host = &h
+		}
+	}
+
+	return c.JSON(http.StatusOK, out)
+}
+
 func (s *Server) HandleHealthCheck(c echo.Context) error {
 	relayLabel := c.QueryParam("relay_label")
 	if relayLabel == "" {
diff --git a/internal/web/handler_update.go b/internal/web/handler_update.go
new file mode 100644
index 000000000..19b211862
--- /dev/null
+++ b/internal/web/handler_update.go
@@ -0,0 +1,130 @@
+package web
+
+import (
+	"context"
+	"net/http"
+	"runtime"
+	"time"
+
+	"github.com/Ehco1996/ehco/internal/constant"
+	"github.com/Ehco1996/ehco/internal/updater"
+	"github.com/labstack/echo/v4"
+)
+
+const updateApplyTimeout = 5 * time.Minute
+
+type VersionInfo struct {
+	Version     string    `json:"version"`
+	GitBranch   string    `json:"git_branch"`
+	GitRevision string    `json:"git_revision"`
+	BuildTime   string    `json:"build_time"`
+	StartTime   time.Time `json:"start_time"`
+	GoOS        string    `json:"go_os"`
+	GoArch      string    `json:"go_arch"`
+}
+
+// JobStatus is the in-memory record of the most-recent update attempt.
+// Process-local on purpose: after a successful restart the new process
+// boots with no record, the SPA reloads /version and sees the new build.
+type JobStatus struct {
+	State     updater.State `json:"state"`
+	Channel   string        `json:"channel"`
+	From      string        `json:"from"`
+	To        string        `json:"to"`
+	StartedAt time.Time     `json:"started_at"`
+	Error     string        `json:"error,omitempty"`
+}
+
+func (s *Server) Version(c echo.Context) error {
+	return c.JSON(http.StatusOK, VersionInfo{
+		Version:     constant.Version,
+		GitBranch:   constant.GitBranch,
+		GitRevision: constant.GitRevision,
+		BuildTime:   constant.BuildTime,
+		StartTime:   constant.StartTime,
+		GoOS:        runtime.GOOS,
+		GoArch:      runtime.GOARCH,
+	})
+}
+
+func (s *Server) UpdateCheck(c echo.Context) error {
+	channel := c.QueryParam("channel")
+	if channel == "" {
+		channel = updater.ChannelAuto
+	}
+	ctx, cancel := context.WithTimeout(c.Request().Context(), 30*time.Second)
+	defer cancel()
+	res, err := updater.Check(ctx, channel, constant.Version)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusBadGateway, err.Error())
+	}
+	return c.JSON(http.StatusOK, res)
+}
+
+func (s *Server) UpdateApply(c echo.Context) error {
+	if runtime.GOOS != "linux" {
+		return echo.NewHTTPError(http.StatusBadRequest,
+			"self-update only supported on linux; current platform is "+runtime.GOOS)
+	}
+	var opts updater.ApplyOptions
+	if err := c.Bind(&opts); err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, err.Error())
+	}
+	if opts.Channel == "" {
+		opts.Channel = updater.ChannelAuto
+	}
+
+	prev := s.updateJob.Load()
+	if prev != nil && isInProgress(prev.State) {
+		return echo.NewHTTPError(http.StatusConflict, "another update is already running")
+	}
+
+	job := &JobStatus{
+		State:     updater.StateChecking,
+		Channel:   opts.Channel,
+		From:      constant.Version,
+		StartedAt: time.Now().UTC(),
+	}
+	s.updateJob.Store(job)
+	s.l.Infof("update apply requested channel=%s force=%v restart=%v", opts.Channel, opts.Force, opts.Restart)
+
+	// Detached context: closing the browser shouldn't abort an in-flight swap.
+	go s.runUpdate(opts, job)
+	return c.JSON(http.StatusAccepted, map[string]string{"state": string(updater.StateChecking)})
+}
+
+func (s *Server) runUpdate(opts updater.ApplyOptions, job *JobStatus) {
+	ctx, cancel := context.WithTimeout(context.Background(), updateApplyTimeout)
+	defer cancel()
+
+	onState := func(st updater.State) {
+		// Copy-on-write so /status readers always see a consistent snapshot.
+		next := *job
+		next.State = st
+		s.updateJob.Store(&next)
+		*job = next
+	}
+
+	if err := updater.Apply(ctx, opts, constant.Version, s.l, onState); err != nil {
+		next := *job
+		next.State = updater.StateFailed
+		next.Error = err.Error()
+		s.updateJob.Store(&next)
+		s.l.Errorf("update failed: %v", err)
+	}
+}
+
+func (s *Server) UpdateStatus(c echo.Context) error {
+	if j := s.updateJob.Load(); j != nil {
+		return c.JSON(http.StatusOK, j)
+	}
+	return c.JSON(http.StatusOK, map[string]string{"state": "idle"})
+}
+
+func isInProgress(s updater.State) bool {
+	switch s {
+	case updater.StateChecking, updater.StateDownloading, updater.StateInstalling, updater.StateRestarting:
+		return true
+	}
+	return false
+}
diff --git a/internal/web/server.go b/internal/web/server.go
index ec5b6c2a1..c747f2b92 100644
--- a/internal/web/server.go
+++ b/internal/web/server.go
@@ -5,6 +5,7 @@ import (
 	"net"
 	"net/http"
 	_ "net/http/pprof"
+	"sync/atomic"
 
 	"github.com/labstack/echo/v4"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
@@ -31,7 +32,22 @@ type Server struct {
 	cfg  *config.Config
 	auth *authenticator
 
-	connMgr cmgr.Cmgr
+	connMgr   cmgr.Cmgr
+	updateJob atomic.Pointer[JobStatus]
+
+	// xrayStatus is wired post-construction by cli boot once the
+	// XrayServer exists. Always read via Load() — may be nil when
+	// xray sync is disabled. Atomic pointer keeps it lock-free.
+	xrayStatus atomic.Pointer[glue.XrayStatus]
+}
+
+// SetXrayStatus is called by cli boot once the XrayServer is
+// constructed. The /overview handler picks it up via Load().
+func (s *Server) SetXrayStatus(p glue.XrayStatus) {
+	if p == nil {
+		return
+	}
+	s.xrayStatus.Store(&p)
 }
 
 func NewServer(
@@ -110,6 +126,11 @@ func setupRoutes(s *Server) {
 	api.GET("/health_check/", s.HandleHealthCheck)
 	api.GET("/node_metrics/", s.GetNodeMetrics)
 	api.GET("/rule_metrics/", s.GetRuleMetrics)
+	api.GET("/overview", s.Overview)
+	api.GET("/version", s.Version)
+	api.GET("/update/check", s.UpdateCheck)
+	api.POST("/update/apply", s.UpdateApply)
+	api.GET("/update/status", s.UpdateStatus)
 
 	e.GET("/ws/logs", s.handleWebSocketLogs)
 
diff --git a/internal/web/webui/src/App.tsx b/internal/web/webui/src/App.tsx
index 3444815d7..bd5e8d43d 100644
--- a/internal/web/webui/src/App.tsx
+++ b/internal/web/webui/src/App.tsx
@@ -1,9 +1,9 @@
 import { Show, onMount } from "solid-js";
-import { HashRouter, Route } from "@solidjs/router";
+import { HashRouter, Route, Navigate } from "@solidjs/router";
 import { authState, probeAuth } from "./store/auth";
 import LoginGate from "./components/LoginGate";
 import Layout from "./components/Layout";
-import Overview from "./pages/Overview";
+import Home from "./pages/Home";
 import Rules from "./pages/Rules";
 import XrayConns from "./pages/XrayConns";
 import XrayUsers from "./pages/XrayUsers";
@@ -24,13 +24,18 @@ export default function App() {
     >
       <Show when={authState() === "ok"} fallback={<LoginGate />}>
         <HashRouter root={Layout}>
-          <Route path="/" component={Overview} />
+          <Route path="/" component={Home} />
+          <Route path="/users" component={XrayUsers} />
+          <Route path="/conns" component={XrayConns} />
           <Route path="/rules" component={Rules} />
-          <Route path="/xray/conns" component={XrayConns} />
-          <Route path="/xray/users" component={XrayUsers} />
           <Route path="/logs" component={Logs} />
           <Route path="/settings" component={Settings} />
-          <Route path="*" component={Overview} />
+          {/* Legacy paths kept so bookmarks survive the IA shuffle. */}
+          <Route path="/xray/users" component={() => <Navigate href="/users" />} />
+          <Route path="/xray/conns" component={() => <Navigate href="/conns" />} />
+          <Route path="/node" component={() => <Navigate href="/" />} />
+          <Route path="/updates" component={() => <Navigate href="/settings" />} />
+          <Route path="*" component={() => <Navigate href="/" />} />
         </HashRouter>
       </Show>
     </Show>
diff --git a/internal/web/webui/src/api/client.ts b/internal/web/webui/src/api/client.ts
index 2819b79b6..cd1fd8efb 100644
--- a/internal/web/webui/src/api/client.ts
+++ b/internal/web/webui/src/api/client.ts
@@ -34,6 +34,11 @@ import type {
   HealthCheckResp,
   QueryNodeMetricsResp,
   QueryRuleMetricsResp,
+  VersionInfo,
+  UpdateCheck,
+  UpdateStatus,
+  UpdateApplyOptions,
+  OverviewResp,
 } from "./types";
 
 export const api = {
@@ -44,11 +49,12 @@ export const api = {
     request<HealthCheckResp>(
       `/api/v1/health_check/?relay_label=${encodeURIComponent(label)}`,
     ),
-  nodeMetrics: (params: { start_ts?: number; end_ts?: number; latest?: boolean }) => {
+  nodeMetrics: (params: { start_ts?: number; end_ts?: number; latest?: boolean; step?: number }) => {
     const q = new URLSearchParams();
     if (params.start_ts != null) q.set("start_ts", String(params.start_ts));
     if (params.end_ts != null) q.set("end_ts", String(params.end_ts));
     if (params.latest) q.set("latest", "true");
+    if (params.step && params.step > 1) q.set("step", String(params.step));
     return request<QueryNodeMetricsResp>(`/api/v1/node_metrics/?${q.toString()}`);
   },
   ruleMetrics: (params: {
@@ -57,6 +63,7 @@ export const api = {
     start_ts?: number;
     end_ts?: number;
     latest?: boolean;
+    step?: number;
   }) => {
     const q = new URLSearchParams();
     for (const [k, v] of Object.entries(params)) {
@@ -64,6 +71,7 @@ export const api = {
     }
     return request<QueryRuleMetricsResp>(`/api/v1/rule_metrics/?${q.toString()}`);
   },
+  overview: () => request<OverviewResp>("/api/v1/overview"),
   xrayConns: (userId?: number) => {
     const q = userId ? `?user=${userId}` : "";
     return request<XrayConn[]>(`/api/v1/xray/conns${q}`);
@@ -78,6 +86,16 @@ export const api = {
       { method: "DELETE" },
     ),
   xrayUsers: () => request<XrayUser[]>("/api/v1/xray/users"),
+  version: () => request<VersionInfo>("/api/v1/version"),
+  updateCheck: (channel: string) =>
+    request<UpdateCheck>(`/api/v1/update/check?channel=${encodeURIComponent(channel)}`),
+  updateApply: (opts: UpdateApplyOptions) =>
+    request<{ state: string }>("/api/v1/update/apply", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify(opts),
+    }),
+  updateStatus: () => request<UpdateStatus>("/api/v1/update/status"),
 };
 
 export function wsURL(path: string): string {
diff --git a/internal/web/webui/src/api/types.ts b/internal/web/webui/src/api/types.ts
index 9c8014b7d..baf3f3f23 100644
--- a/internal/web/webui/src/api/types.ts
+++ b/internal/web/webui/src/api/types.ts
@@ -30,8 +30,23 @@ export interface NodeMetric {
   cpu_usage: number;
   memory_usage: number;
   disk_usage: number;
-  network_in: number;
-  network_out: number;
+  network_in: number;  // bytes/sec
+  network_out: number; // bytes/sec
+}
+
+export interface XraySnapshot {
+  conns: number;
+  users: number;
+  enabled_users: number;
+  running_users: number;
+  upload_total: number;
+  download_total: number;
+}
+
+export interface OverviewResp {
+  xray?: XraySnapshot;
+  host?: NodeMetric;
+  rules: number;
 }
 
 export interface QueryNodeMetricsResp {
@@ -98,6 +113,54 @@ export interface EhcoConfig {
   [k: string]: unknown;
 }
 
+export interface VersionInfo {
+  version: string;
+  git_branch: string;
+  git_revision: string;
+  build_time: string;
+  start_time: string; // RFC3339
+  go_os: string;
+  go_arch: string;
+}
+
+export interface UpdateCheck {
+  channel: string;
+  current_version: string;
+  latest_version: string;
+  latest_tag: string;
+  release_name: string;
+  release_body: string;
+  release_url: string;
+  published_at: string; // RFC3339
+  update_available: boolean;
+  asset_name: string;
+  asset_url: string;
+}
+
+export type UpdateState =
+  | "idle"
+  | "checking"
+  | "downloading"
+  | "installing"
+  | "restarting"
+  | "done"
+  | "failed";
+
+export interface UpdateStatus {
+  state: UpdateState;
+  channel?: string;
+  from?: string;
+  to?: string;
+  started_at?: string;
+  error?: string;
+}
+
+export interface UpdateApplyOptions {
+  channel: string;
+  force: boolean;
+  restart: boolean;
+}
+
 export interface LogFrame {
   level: string;
   ts?: string;
diff --git a/internal/web/webui/src/components/Layout.tsx b/internal/web/webui/src/components/Layout.tsx
index a93e77953..457a61ca0 100644
--- a/internal/web/webui/src/components/Layout.tsx
+++ b/internal/web/webui/src/components/Layout.tsx
@@ -1,7 +1,7 @@
 import { JSX, createSignal, Show } from "solid-js";
 import { A } from "@solidjs/router";
 import {
-  LayoutDashboard,
+  Activity,
   ServerCog,
   Users,
   Cable,
@@ -22,30 +22,33 @@ const authConfigured = () => authInfo().auth_required;
 interface NavItem {
   href: string;
   label: string;
-  icon: typeof LayoutDashboard;
+  icon: typeof Activity;
   end?: boolean;
 }
 
-const liveNav: NavItem[] = [
-  { href: "/", label: "Overview", icon: LayoutDashboard, end: true },
-  { href: "/xray/users", label: "Users", icon: Users },
-  { href: "/xray/conns", label: "Conns", icon: Cable },
-  { href: "/logs", label: "Logs", icon: ScrollText },
-];
-
-const configNav: NavItem[] = [
+// Single flat nav. Home subsumes the old standalone Node page; Settings
+// owns the Updates flow as an embedded section.
+const nav: NavItem[] = [
+  { href: "/", label: "Home", icon: Activity, end: true },
+  { href: "/users", label: "Users", icon: Users },
+  { href: "/conns", label: "Conns", icon: Cable },
   { href: "/rules", label: "Rules", icon: ServerCog },
+  { href: "/logs", label: "Logs", icon: ScrollText },
   { href: "/settings", label: "Settings", icon: Settings },
 ];
 
 // Mobile bottom-bar — five items max for usable touch targets.
+// Settings is shoved into "More" sheet to keep tap targets honest.
 const primaryMobile: NavItem[] = [
-  { href: "/", label: "Overview", icon: LayoutDashboard, end: true },
-  { href: "/xray/users", label: "Users", icon: Users },
-  { href: "/xray/conns", label: "Conns", icon: Cable },
+  { href: "/", label: "Home", icon: Activity, end: true },
+  { href: "/users", label: "Users", icon: Users },
+  { href: "/conns", label: "Conns", icon: Cable },
   { href: "/logs", label: "Logs", icon: ScrollText },
 ];
-const moreMobile: NavItem[] = configNav;
+const moreMobile: NavItem[] = [
+  { href: "/rules", label: "Rules", icon: ServerCog },
+  { href: "/settings", label: "Settings", icon: Settings },
+];
 
 export default function Layout(props: { children?: JSX.Element }) {
   const [moreOpen, setMoreOpen] = createSignal(false);
@@ -53,11 +56,12 @@ export default function Layout(props: { children?: JSX.Element }) {
   return (
     <div class="flex h-full flex-col md:flex-row">
       {/* ===== Desktop sidebar ===== */}
-      <aside class="hidden w-56 shrink-0 flex-col border-r border-zinc-200 bg-white px-3 py-4 md:flex dark:border-zinc-800 dark:bg-zinc-900">
+      <aside class="hidden w-52 shrink-0 flex-col border-r border-zinc-200 bg-white px-2 py-4 md:flex dark:border-zinc-800 dark:bg-zinc-900">
         <Brand />
-        <nav class="mt-6 flex flex-1 flex-col gap-4">
-          <NavGroup label="Live" items={liveNav} />
-          <NavGroup label="Config" items={configNav} />
+        <nav class="mt-6 flex flex-1 flex-col gap-0.5">
+          {nav.map((l) => (
+            <NavLink {...l} />
+          ))}
         </nav>
         <div class="mt-3 flex flex-col gap-0.5 border-t border-zinc-200 pt-3 dark:border-zinc-800">
           <NavButton onClick={toggleTheme} icon={theme() === "dark" ? Sun : Moon}>
@@ -127,7 +131,7 @@ export default function Layout(props: { children?: JSX.Element }) {
               ))}
               <Show when={authConfigured()}>
                 <button
-                  class="flex flex-col items-center justify-center gap-1 rounded-xl border border-zinc-200 p-3 text-xs font-medium text-rose-600 hover:bg-rose-50 dark:border-zinc-800 dark:text-rose-400 dark:hover:bg-rose-950/40"
+                  class="flex flex-col items-center justify-center gap-1 rounded-md border border-zinc-200 p-3 text-xs font-medium text-rose-600 hover:bg-rose-50 dark:border-zinc-800 dark:text-rose-400 dark:hover:bg-rose-950/40"
                   onClick={() => {
                     setMoreOpen(false);
                     signOut();
@@ -145,27 +149,18 @@ export default function Layout(props: { children?: JSX.Element }) {
   );
 }
 
-function NavGroup(props: { label: string; items: NavItem[] }) {
-  return (
-    <div class="flex flex-col gap-0.5">
-      <div class="px-3 pb-1 text-[10px] font-semibold uppercase tracking-wider text-zinc-400">
-        {props.label}
-      </div>
-      {props.items.map((l) => (
-        <NavLink {...l} />
-      ))}
-    </div>
-  );
-}
-
 function Brand(props: { compact?: boolean }) {
   return (
-    <div class="flex items-center gap-2.5">
-      <Logo size={props.compact ? 28 : 32} />
+    <div class="flex items-center gap-2.5 px-2">
+      <Logo size={props.compact ? 26 : 28} />
       <div class="leading-tight">
-        <div class="text-sm font-semibold">ehco</div>
+        <div class="text-[13px] font-semibold tracking-tight">
+          ehco<span class="caret-blink ml-0.5 inline-block h-3 w-1.5 -translate-y-[1px] bg-emerald-500 align-middle" />
+        </div>
         {!props.compact && (
-          <div class="text-[11px] text-zinc-500">admin</div>
+          <div class="text-[10px] uppercase tracking-[0.18em] text-zinc-500">
+            admin
+          </div>
         )}
       </div>
     </div>
@@ -178,27 +173,27 @@ function NavLink(props: NavItem) {
     <A
       href={props.href}
       end={props.end}
-      class="flex items-center gap-2.5 rounded-md px-3 py-1.5 text-sm text-zinc-600 hover:bg-zinc-100 dark:text-zinc-400 dark:hover:bg-zinc-800"
-      activeClass="!bg-emerald-50 !text-emerald-700 dark:!bg-emerald-500/10 dark:!text-emerald-400"
+      class="flex items-center gap-2.5 rounded-md px-3 py-1.5 text-[13px] text-zinc-600 hover:bg-zinc-100 dark:text-zinc-400 dark:hover:bg-zinc-800"
+      activeClass="!bg-emerald-500/10 !text-emerald-700 dark:!text-emerald-400"
     >
-      <Icon size={16} />
-      {props.label}
+      <Icon size={15} />
+      <span>{props.label}</span>
     </A>
   );
 }
 
 function NavButton(props: {
   onClick: () => void;
-  icon: typeof LayoutDashboard;
+  icon: typeof Activity;
   children: JSX.Element;
 }) {
   const Icon = props.icon;
   return (
     <button
       onClick={props.onClick}
-      class="flex items-center gap-2.5 rounded-md px-3 py-1.5 text-left text-sm text-zinc-600 hover:bg-zinc-100 dark:text-zinc-400 dark:hover:bg-zinc-800"
+      class="flex items-center gap-2.5 rounded-md px-3 py-1.5 text-left text-[13px] text-zinc-600 hover:bg-zinc-100 dark:text-zinc-400 dark:hover:bg-zinc-800"
     >
-      <Icon size={16} />
+      <Icon size={15} />
       {props.children}
     </button>
   );
@@ -225,7 +220,7 @@ function SheetTile(props: NavItem & { onClose: () => void }) {
     <A
       href={props.href}
       onClick={() => props.onClose()}
-      class="flex flex-col items-center justify-center gap-1 rounded-xl border border-zinc-200 p-3 text-xs font-medium text-zinc-700 hover:bg-zinc-50 dark:border-zinc-800 dark:text-zinc-300 dark:hover:bg-zinc-800"
+      class="flex flex-col items-center justify-center gap-1 rounded-md border border-zinc-200 p-3 text-xs font-medium text-zinc-700 hover:bg-zinc-50 dark:border-zinc-800 dark:text-zinc-300 dark:hover:bg-zinc-800"
       activeClass="!border-emerald-500/50 !text-emerald-700 dark:!text-emerald-400"
     >
       <Icon size={20} />
diff --git a/internal/web/webui/src/index.css b/internal/web/webui/src/index.css
index a12f1b985..86f4882b9 100644
--- a/internal/web/webui/src/index.css
+++ b/internal/web/webui/src/index.css
@@ -1,38 +1,42 @@
+@import url("https://fonts.googleapis.com/css2?family=JetBrains+Mono:wght@400;500;600;700&display=swap");
 @import "tailwindcss";
 @import "uplot/dist/uPlot.min.css";
 
 /* ---------- Design tokens ----------
- * Single source of truth for colour, type, motion. Light + dark are
- * expressed via Tailwind utilities for component code; CSS vars are
- * here only for things referenced by raw CSS (uPlot, scrollbars,
- * focus rings).
+ * Operator's-terminal direction: a single mono typeface drives every
+ * surface. Hierarchy comes from weight + size, not from sans/mono
+ * mixing. One signal colour (emerald) on a tight zinc palette.
  * ----------------------------------- */
 
 @theme {
-  --font-sans: "Inter", ui-sans-serif, system-ui, -apple-system, "Segoe UI",
-    Roboto, "Helvetica Neue", Arial, sans-serif;
-  --font-mono: ui-monospace, "SF Mono", Menlo, Consolas, "Liberation Mono",
-    monospace;
+  --font-sans: "JetBrains Mono", ui-monospace, "SF Mono", Menlo, Consolas,
+    "Liberation Mono", monospace;
+  --font-mono: "JetBrains Mono", ui-monospace, "SF Mono", Menlo, Consolas,
+    "Liberation Mono", monospace;
 }
 
 :root {
   --accent: oklch(0.62 0.15 160);
+  --accent-strong: oklch(0.55 0.16 160);
   --ring: oklch(0.62 0.15 160 / 0.45);
-  --surface: oklch(0.99 0 0);
+  --surface: oklch(0.985 0 0);
   --surface-2: oklch(1 0 0);
+  --surface-sunk: oklch(0.965 0 0);
   --border: oklch(0.92 0 0);
-  --border-strong: oklch(0.88 0 0);
-  --text: oklch(0.2 0 0);
-  --text-muted: oklch(0.55 0 0);
+  --border-strong: oklch(0.86 0 0);
+  --text: oklch(0.18 0 0);
+  --text-muted: oklch(0.5 0 0);
 }
 
 .dark {
   --accent: oklch(0.78 0.16 160);
+  --accent-strong: oklch(0.84 0.18 160);
   --ring: oklch(0.78 0.16 160 / 0.45);
-  --surface: oklch(0.16 0 0);
-  --surface-2: oklch(0.20 0 0);
+  --surface: oklch(0.145 0 0);
+  --surface-2: oklch(0.185 0 0);
+  --surface-sunk: oklch(0.115 0 0);
   --border: oklch(0.27 0 0);
-  --border-strong: oklch(0.32 0 0);
+  --border-strong: oklch(0.34 0 0);
   --text: oklch(0.95 0 0);
   --text-muted: oklch(0.6 0 0);
 }
@@ -47,26 +51,24 @@ html {
 
 body {
   font-family: var(--font-sans);
-  font-size: 14px;
-  line-height: 1.5;
+  font-size: 13px;
+  line-height: 1.55;
+  letter-spacing: -0.005em;
   background: var(--surface);
   color: var(--text);
+  font-variant-numeric: tabular-nums;
   -webkit-font-smoothing: antialiased;
   text-rendering: optimizeLegibility;
 }
 
-/* Numbers always align — applied broadly so columns of bytes line up. */
 table, .font-mono, .tabular {
   font-variant-numeric: tabular-nums;
 }
 
-/* Single canonical focus ring used everywhere. Tailwind's default ring
- * gets in the way; we hide focus when the user used the mouse and only
- * show it for keyboard nav. */
 :where(button, a, input, select, textarea, [tabindex]):focus-visible {
   outline: 2px solid var(--ring);
   outline-offset: 2px;
-  border-radius: 6px;
+  border-radius: 4px;
 }
 
 /* ---------- uPlot dark mode patch ---------- */
@@ -105,6 +107,14 @@ table, .font-mono, .tabular {
 }
 .pulse-dot { animation: pulse-dot 1.6s ease-in-out infinite; }
 
+/* ---------- Caret blink for terminal-style brand ---------- */
+
+@keyframes caret-blink {
+  0%, 49% { opacity: 1; }
+  50%, 100% { opacity: 0; }
+}
+.caret-blink { animation: caret-blink 1.1s step-end infinite; }
+
 /* ---------- Safe-area for mobile bottom tab bar ---------- */
 
 .safe-bottom {
diff --git a/internal/web/webui/src/pages/Home.tsx b/internal/web/webui/src/pages/Home.tsx
new file mode 100644
index 000000000..d5b661433
--- /dev/null
+++ b/internal/web/webui/src/pages/Home.tsx
@@ -0,0 +1,341 @@
+import { JSX, createEffect, createMemo, createResource, createSignal, For, Show } from "solid-js";
+import { useNavigate } from "@solidjs/router";
+import { Cable, Users as UsersIcon, ArrowRight, Activity } from "lucide-solid";
+import PageHeader from "../ui/PageHeader";
+import { Card, CardHeader } from "../ui/Card";
+import { Pill } from "../ui/Pill";
+import Sparkline from "../ui/Sparkline";
+import EmptyState from "../ui/EmptyState";
+import Chart from "../ui/Chart";
+import Segmented from "../ui/Segmented";
+import RefreshPicker from "../ui/RefreshPicker";
+import { api } from "../api/client";
+import { bytes, bytesShort, pct, rate, relTime, pickStep } from "../util/format";
+import { ipKind, ipKindLabel, ipKindTone } from "../util/ip";
+import { usePolling } from "../util/polling";
+import { recordUserSnapshot, userSamples } from "../store/userTrafficHistory";
+import type { XrayUser } from "../api/types";
+
+const TOP_N = 8;
+
+const WINDOWS = [
+  { value: 5 * 60, label: "5m" },
+  { value: 60 * 60, label: "1h" },
+  { value: 6 * 60 * 60, label: "6h" },
+  { value: 24 * 60 * 60, label: "24h" },
+  { value: 7 * 24 * 60 * 60, label: "7d" },
+  { value: 30 * 24 * 60 * 60, label: "30d" },
+] as const;
+
+interface ScoredUser {
+  user: XrayUser;
+  recent: number;
+}
+
+export default function Home() {
+  const nav = useNavigate();
+  const [windowSec, setWindowSec] = createSignal<number>(WINDOWS[1].value);
+
+  const [overview, { refetch: rcOverview }] = createResource(() => api.overview());
+  const [users, { refetch: rcUsers }] = createResource(() => api.xrayUsers());
+  const [conns, { refetch: rcConns }] = createResource(() => api.xrayConns());
+  const [history, { refetch: rcHistory }] = createResource(
+    windowSec,
+    async (sec) => {
+      const end = Math.floor(Date.now() / 1000);
+      return api.nodeMetrics({
+        start_ts: end - sec,
+        end_ts: end,
+        step: pickStep(sec),
+      });
+    },
+  );
+
+  const poll = usePolling(
+    () => {
+      rcOverview();
+      rcUsers();
+      rcConns();
+      rcHistory();
+    },
+    { defaultSec: 15 },
+  );
+
+  createEffect(() => {
+    const u = users();
+    if (u) recordUserSnapshot(u);
+  });
+
+  const allConns = () => conns() ?? [];
+  // Charts want ascending time; the API returns DESC for LIMIT semantics.
+  const series = createMemo(() =>
+    [...(history()?.data ?? [])].sort((a, b) => a.timestamp - b.timestamp),
+  );
+  const xs = createMemo(() => series().map((d) => d.timestamp));
+
+  const xray = () => overview()?.xray;
+  const host = () => overview()?.host;
+
+  const topUsers = createMemo<ScoredUser[]>(() => {
+    const list = (users() ?? []).map<ScoredUser>((u) => ({
+      user: u,
+      recent: userSamples(u.user_id).reduce((a, b) => a + b, 0),
+    }));
+    list.sort((a, b) => {
+      if (b.recent !== a.recent) return b.recent - a.recent;
+      const aTotal = a.user.upload_total + a.user.download_total;
+      const bTotal = b.user.upload_total + b.user.download_total;
+      return bTotal - aTotal;
+    });
+    return list.slice(0, TOP_N);
+  });
+
+  const recentConns = createMemo(() =>
+    allConns()
+      .slice()
+      .sort((a, b) => (a.since < b.since ? 1 : -1))
+      .slice(0, TOP_N),
+  );
+
+  return (
+    <>
+      <PageHeader
+        title="status"
+        subtitle="live state of this relay box"
+        actions={
+          <>
+            <Segmented
+              options={WINDOWS.map((w) => ({ value: w.value, label: w.label }))}
+              value={windowSec()}
+              onChange={setWindowSec}
+              size="sm"
+            />
+            <RefreshPicker handle={poll} />
+          </>
+        }
+      />
+
+      <ThroughputAnchor
+        rateIn={host()?.network_in ?? 0}
+        rateOut={host()?.network_out ?? 0}
+        conns={xray()?.conns ?? allConns().length}
+        users={xray()?.running_users ?? 0}
+        rules={overview()?.rules ?? 0}
+        cpu={host()?.cpu_usage}
+        mem={host()?.memory_usage}
+      />
+
+      <ChartCard
+        class="mt-3"
+        title="throughput"
+        subtitle="host network rate (in / out)"
+        right={
+          <span class="font-mono text-[11px] text-zinc-500">
+            {series().length} pts · step{" "}
+            {pickStep(windowSec()) === 0 ? "raw" : `${pickStep(windowSec())}s`}
+          </span>
+        }
+      >
+        <Show
+          when={series().length > 1}
+          fallback={
+            <div class="px-4 py-8 text-center text-xs text-zinc-500">
+              <Activity size={20} class="mx-auto mb-2" />
+              collecting samples…
+            </div>
+          }
+        >
+          <Chart
+            height={180}
+            timestamps={xs()}
+            series={[
+              { label: "in", stroke: "#10b981", values: series().map((d) => d.network_in) },
+              { label: "out", stroke: "#f97316", values: series().map((d) => d.network_out) },
+            ]}
+            yFormat={(v) => `${bytesShort(v)}/s`}
+          />
+        </Show>
+      </ChartCard>
+
+      <div class="mt-3 grid grid-cols-1 gap-3 lg:grid-cols-2">
+        <Card padded={false}>
+          <ListHeader title="top users" subtitle="by recent throughput · last 5m" linkTo="/users" />
+          <Show
+            when={topUsers().length}
+            fallback={<EmptyState icon={<UsersIcon size={24} />} title="No users registered" />}
+          >
+            <ul class="divide-y divide-zinc-100 dark:divide-zinc-800/70">
+              <For each={topUsers()}>
+                {({ user, recent }) => (
+                  <li
+                    class="flex cursor-pointer items-center gap-3 px-4 py-2 hover:bg-emerald-500/5"
+                    onClick={() => nav(`/conns?user=${user.user_id}`)}
+                  >
+                    <span class="w-12 shrink-0 font-mono text-[13px]">{user.user_id}</span>
+                    <Pill tone={user.running ? "ok" : "neutral"} dot pulse={user.running}>
+                      {user.protocol || "—"}
+                    </Pill>
+                    <span class="ml-auto hidden text-emerald-600 sm:block dark:text-emerald-400">
+                      <Sparkline values={userSamples(user.user_id)} width={80} height={20} />
+                    </span>
+                    <span class="w-20 shrink-0 text-right font-mono text-[11px] tabular-nums text-zinc-500">
+                      {recent > 0 ? bytes(recent) : "—"}
+                    </span>
+                    <span class="w-10 shrink-0 text-right font-mono text-[11px] tabular-nums text-zinc-500">
+                      {user.tcp_conn_count}c
+                    </span>
+                  </li>
+                )}
+              </For>
+            </ul>
+          </Show>
+        </Card>
+
+        <Card padded={false}>
+          <ListHeader title="recent conns" subtitle="newest first" linkTo="/conns" />
+          <Show
+            when={recentConns().length}
+            fallback={<EmptyState icon={<Cable size={24} />} title="No live connections" />}
+          >
+            <ul class="divide-y divide-zinc-100 dark:divide-zinc-800/70">
+              <For each={recentConns()}>
+                {(c) => (
+                  <li
+                    class="flex cursor-pointer items-center gap-2 px-4 py-2 hover:bg-emerald-500/5"
+                    onClick={() => nav(`/conns?user=${c.user_id}`)}
+                  >
+                    <Pill tone={c.network === "tcp" ? "info" : "accent"}>{c.network}</Pill>
+                    <span class="w-10 shrink-0 font-mono text-[13px]">{c.user_id}</span>
+                    <Pill tone={ipKindTone[ipKind(c.source_ip)]}>{ipKindLabel[ipKind(c.source_ip)]}</Pill>
+                    <span class="min-w-0 flex-1 truncate font-mono text-[11px]">{c.target}</span>
+                    <span class="shrink-0 text-[11px] text-zinc-500">{relTime(c.since)}</span>
+                  </li>
+                )}
+              </For>
+            </ul>
+          </Show>
+        </Card>
+      </div>
+
+      <Show when={series().length > 1}>
+        <div class="mt-3 grid grid-cols-1 gap-3 lg:grid-cols-2">
+          <ChartCard title="cpu / memory">
+            <Chart
+              height={150}
+              timestamps={xs()}
+              series={[
+                { label: "cpu", stroke: "#10b981", values: series().map((d) => d.cpu_usage) },
+                { label: "mem", stroke: "#6366f1", values: series().map((d) => d.memory_usage) },
+              ]}
+              yFormat={(v) => pct(v)}
+            />
+          </ChartCard>
+          <ChartCard title="disk">
+            <Chart
+              height={150}
+              timestamps={xs()}
+              series={[
+                { label: "disk", stroke: "#f59e0b", values: series().map((d) => d.disk_usage) },
+              ]}
+              yFormat={(v) => pct(v)}
+            />
+          </ChartCard>
+        </div>
+      </Show>
+    </>
+  );
+}
+
+function ChartCard(props: {
+  title: string;
+  subtitle?: string;
+  right?: JSX.Element;
+  class?: string;
+  children: JSX.Element;
+}) {
+  return (
+    <Card padded={false} class={props.class}>
+      <div class="flex items-center justify-between gap-3 border-b border-zinc-200 px-4 py-2.5 dark:border-zinc-800">
+        <CardHeader title={props.title} subtitle={props.subtitle} />
+        {props.right}
+      </div>
+      <div class="px-2 py-3">{props.children}</div>
+    </Card>
+  );
+}
+
+function ListHeader(props: { title: string; subtitle: string; linkTo: string }) {
+  const nav = useNavigate();
+  return (
+    <div class="flex items-center justify-between gap-3 border-b border-zinc-200 px-4 py-2.5 dark:border-zinc-800">
+      <CardHeader title={props.title} subtitle={props.subtitle} />
+      <button
+        class="inline-flex items-center gap-1 text-xs text-emerald-700 hover:underline dark:text-emerald-400"
+        onClick={() => nav(props.linkTo)}
+      >
+        all <ArrowRight size={12} />
+      </button>
+    </div>
+  );
+}
+
+function ThroughputAnchor(props: {
+  rateIn: number;
+  rateOut: number;
+  conns: number;
+  users: number;
+  rules: number;
+  cpu?: number;
+  mem?: number;
+}) {
+  return (
+    <div class="grid grid-cols-1 gap-3 sm:grid-cols-2">
+      <Card padded={false}>
+        <div class="px-5 py-4">
+          <div class="text-[10px] font-semibold uppercase tracking-[0.18em] text-zinc-500">
+            now · rate
+          </div>
+          <div class="mt-1 flex items-baseline gap-5">
+            <div>
+              <span class="text-emerald-500 dark:text-emerald-400">↓</span>
+              <span class="ml-1 font-mono text-[28px] font-semibold tabular-nums tracking-tight sm:text-[32px]">
+                {rate(props.rateIn)}
+              </span>
+            </div>
+            <div>
+              <span class="text-orange-500">↑</span>
+              <span class="ml-1 font-mono text-[28px] font-semibold tabular-nums tracking-tight sm:text-[32px]">
+                {rate(props.rateOut)}
+              </span>
+            </div>
+          </div>
+          <div class="mt-1 text-[11px] text-zinc-500">host nic · 5s sample</div>
+        </div>
+      </Card>
+      <Card padded={false}>
+        <div class="grid grid-cols-2 divide-x divide-zinc-200 sm:grid-cols-4 dark:divide-zinc-800">
+          <Stat label="conns" value={props.conns} />
+          <Stat label="users" value={props.users} hint="running" />
+          <Stat label="cpu" value={props.cpu != null ? pct(props.cpu) : "—"} />
+          <Stat label="mem" value={props.mem != null ? pct(props.mem) : "—"} />
+        </div>
+      </Card>
+    </div>
+  );
+}
+
+function Stat(props: { label: string; value: string | number; hint?: string }) {
+  return (
+    <div class="px-4 py-4 sm:py-3.5">
+      <div class="text-[10px] font-semibold uppercase tracking-[0.16em] text-zinc-500">
+        {props.label}
+        {props.hint && (
+          <span class="ml-1 normal-case tracking-normal text-zinc-400">· {props.hint}</span>
+        )}
+      </div>
+      <div class="mt-1 font-mono text-[18px] font-semibold tabular-nums tracking-tight">
+        {props.value}
+      </div>
+    </div>
+  );
+}
diff --git a/internal/web/webui/src/pages/Logs.tsx b/internal/web/webui/src/pages/Logs.tsx
index 88a8ac50c..f202d2f9e 100644
--- a/internal/web/webui/src/pages/Logs.tsx
+++ b/internal/web/webui/src/pages/Logs.tsx
@@ -93,8 +93,8 @@ export default function Logs() {
   return (
     <>
       <PageHeader
-        title="Logs"
-        subtitle="Live tail of the in-process zap logger via /ws/logs."
+        title="logs"
+        subtitle="live tail of the in-process zap logger via /ws/logs"
         actions={
           <>
             <Show when={errorCount() > 0}>
@@ -178,7 +178,7 @@ export default function Logs() {
 
       <div
         ref={pane}
-        class="scroll-pretty h-[calc(100vh-280px)] min-h-[300px] overflow-y-auto rounded-xl border border-zinc-200 bg-zinc-50 p-2 font-mono text-[11px] leading-relaxed sm:text-xs md:h-[calc(100vh-260px)] dark:border-zinc-800 dark:bg-zinc-950"
+        class="scroll-pretty h-[calc(100vh-280px)] min-h-[300px] overflow-y-auto rounded-md border border-zinc-200 bg-zinc-50 p-1 font-mono text-[11px] leading-relaxed sm:text-[12px] md:h-[calc(100vh-260px)] dark:border-zinc-800 dark:bg-zinc-950"
       >
         <Show
           when={filtered().length}
@@ -199,9 +199,14 @@ export default function Logs() {
           }
         >
           <For each={filtered()}>
-            {(l) => (
-              <div class="flex gap-2 px-1.5 py-0.5 hover:bg-white dark:hover:bg-zinc-900">
-                <span class="hidden shrink-0 text-zinc-500 sm:inline">
+            {(l, i) => (
+              <div
+                class={
+                  "flex gap-2 px-1.5 py-0.5 hover:bg-white dark:hover:bg-zinc-900 " +
+                  (i() % 2 === 1 ? "bg-zinc-100/40 dark:bg-zinc-900/40" : "")
+                }
+              >
+                <span class="hidden shrink-0 tabular-nums text-zinc-500 sm:inline">
                   {(l.ts ?? "").replace(/T/, " ").slice(0, 19)}
                 </span>
                 <span class="w-12 shrink-0">
diff --git a/internal/web/webui/src/pages/Overview.tsx b/internal/web/webui/src/pages/Overview.tsx
deleted file mode 100644
index 5c6bf33e3..000000000
--- a/internal/web/webui/src/pages/Overview.tsx
+++ /dev/null
@@ -1,340 +0,0 @@
-import { createEffect, createMemo, createResource, createSignal, For, onCleanup, Show } from "solid-js";
-import { useNavigate } from "@solidjs/router";
-import {
-  Cable,
-  Users as UsersIcon,
-  ServerCog,
-  ArrowDownUp,
-  ArrowRight,
-  Activity,
-} from "lucide-solid";
-import PageHeader from "../ui/PageHeader";
-import KpiCard from "../ui/KpiCard";
-import { Card, CardHeader } from "../ui/Card";
-import { Pill } from "../ui/Pill";
-import Sparkline from "../ui/Sparkline";
-import EmptyState from "../ui/EmptyState";
-import Chart from "../ui/Chart";
-import Segmented from "../ui/Segmented";
-import RefreshPicker from "../ui/RefreshPicker";
-import { api } from "../api/client";
-import { bytes, pct, relTime } from "../util/format";
-import { ipKind, ipKindLabel, ipKindTone } from "../util/ip";
-import { usePolling } from "../util/polling";
-import { recordUserSnapshot, userSamples } from "../store/userTrafficHistory";
-import type { XrayUser } from "../api/types";
-
-const TOP_N = 8;
-
-const HOST_WINDOWS = [
-  { value: 5 * 60, label: "5m" },
-  { value: 60 * 60, label: "1h" },
-  { value: 6 * 60 * 60, label: "6h" },
-  { value: 24 * 60 * 60, label: "24h" },
-] as const;
-
-export default function Overview() {
-  const nav = useNavigate();
-  const [config] = createResource(() => api.config());
-  const [conns, { refetch: rcConns }] = createResource(() => api.xrayConns());
-  const [users, { refetch: rcUsers }] = createResource(() => api.xrayUsers());
-  const [hostLatest, { refetch: rcHost }] = createResource(() =>
-    api.nodeMetrics({ latest: true }),
-  );
-
-  const [hostWindow, setHostWindow] = createSignal<number>(HOST_WINDOWS[1].value);
-  const [hostHistory, { refetch: rcHostHistory }] = createResource(
-    hostWindow,
-    async (sec) => {
-      const end = Math.floor(Date.now() / 1000);
-      return api.nodeMetrics({ start_ts: end - sec, end_ts: end });
-    },
-  );
-
-  const poll = usePolling(
-    () => {
-      rcConns();
-      rcUsers();
-      rcHost();
-      rcHostHistory();
-    },
-    { defaultSec: 15 },
-  );
-  void poll; // ensure timer is armed; onCleanup is wired inside the hook
-
-  // Feed throughput samples so the Top Users sparkline has signal.
-  createEffect(() => {
-    const u = users();
-    if (u) recordUserSnapshot(u);
-  });
-  onCleanup(() => {});
-
-  const allUsers = () => users() ?? [];
-  const allConns = () => conns() ?? [];
-  const latestHost = () => hostLatest()?.data?.[hostLatest()!.data.length - 1];
-  const hostSeries = () => hostHistory()?.data ?? [];
-
-  const totalUp = () => allUsers().reduce((a, u) => a + u.upload_total, 0);
-  const totalDown = () => allUsers().reduce((a, u) => a + u.download_total, 0);
-  const ruleCount = () =>
-    Array.isArray(config()?.relay_configs) ? config()!.relay_configs!.length : 0;
-
-  const activeUsers = () =>
-    allUsers().filter((u) => userSamples(u.user_id).some((v) => v > 0)).length;
-
-  const topUsers = createMemo<XrayUser[]>(() => {
-    const recentBytes = (u: XrayUser) =>
-      userSamples(u.user_id).reduce((a, b) => a + b, 0);
-    return allUsers()
-      .slice()
-      .sort((a, b) => {
-        const ra = recentBytes(a);
-        const rb = recentBytes(b);
-        if (rb !== ra) return rb - ra;
-        return b.upload_total + b.download_total - (a.upload_total + a.download_total);
-      })
-      .slice(0, TOP_N);
-  });
-
-  const recentConns = createMemo(() =>
-    allConns()
-      .slice()
-      .sort((a, b) => (a.since < b.since ? 1 : -1))
-      .slice(0, TOP_N),
-  );
-
-  return (
-    <>
-      <PageHeader
-        title="Overview"
-        subtitle="What's flowing right now."
-        actions={<RefreshPicker handle={poll} />}
-      />
-
-      <div class="grid grid-cols-2 gap-3 sm:gap-4 lg:grid-cols-4">
-        <KpiCard
-          label="Active conns"
-          icon={<Cable size={14} />}
-          value={allConns().length}
-          hint={`${activeUsers()} users w/ traffic`}
-        />
-        <KpiCard
-          label="Known users"
-          icon={<UsersIcon size={14} />}
-          value={allUsers().length}
-          hint={`${allUsers().filter((u) => u.enable).length} enabled`}
-        />
-        <KpiCard
-          label="Relay rules"
-          icon={<ServerCog size={14} />}
-          value={ruleCount()}
-          hint={
-            config()
-              ? `:${config()!.web_port} · ${config()!.log_level ?? "info"}`
-              : ""
-          }
-        />
-        <KpiCard
-          label="Total xfer"
-          icon={<ArrowDownUp size={14} />}
-          value={bytes(totalUp() + totalDown())}
-          hint={
-            <span class="font-mono">
-              ↑ {bytes(totalUp())} · ↓ {bytes(totalDown())}
-            </span>
-          }
-        />
-      </div>
-
-      <div class="mt-4 grid grid-cols-1 gap-3 lg:grid-cols-2">
-        <Card padded={false}>
-          <div class="flex items-center justify-between gap-3 px-4 py-3 sm:px-5">
-            <CardHeader title="Top users · last 5m" subtitle="By recent throughput" />
-            <button
-              class="inline-flex items-center gap-1 text-xs text-emerald-700 hover:underline dark:text-emerald-400"
-              onClick={() => nav("/xray/users")}
-            >
-              all users <ArrowRight size={12} />
-            </button>
-          </div>
-          <Show
-            when={topUsers().length}
-            fallback={
-              <EmptyState
-                icon={<UsersIcon size={24} />}
-                title="No users registered"
-              />
-            }
-          >
-            <ul class="divide-y divide-zinc-100 dark:divide-zinc-800/70">
-              <For each={topUsers()}>
-                {(u) => {
-                  const samples = () => userSamples(u.user_id);
-                  const recentSum = () => samples().reduce((a, b) => a + b, 0);
-                  return (
-                    <li
-                      class="flex cursor-pointer items-center gap-3 px-4 py-2.5 hover:bg-emerald-50/40 sm:px-5 dark:hover:bg-emerald-500/5"
-                      onClick={() => nav(`/xray/conns?user=${u.user_id}`)}
-                    >
-                      <span class="w-12 shrink-0 font-mono text-sm">
-                        {u.user_id}
-                      </span>
-                      <Pill tone={u.running ? "ok" : "neutral"} dot pulse={u.running}>
-                        {u.protocol || "—"}
-                      </Pill>
-                      <span class="ml-auto hidden text-emerald-600 sm:block dark:text-emerald-400">
-                        <Sparkline values={samples()} width={80} height={20} />
-                      </span>
-                      <span class="w-20 shrink-0 text-right font-mono text-xs tabular-nums text-zinc-500">
-                        {recentSum() > 0 ? bytes(recentSum()) : "—"}
-                      </span>
-                      <span class="w-10 shrink-0 text-right font-mono text-xs tabular-nums text-zinc-500">
-                        {u.tcp_conn_count}c
-                      </span>
-                    </li>
-                  );
-                }}
-              </For>
-            </ul>
-          </Show>
-        </Card>
-
-        <Card padded={false}>
-          <div class="flex items-center justify-between gap-3 px-4 py-3 sm:px-5">
-            <CardHeader title="Recent connections" subtitle="Newest first" />
-            <button
-              class="inline-flex items-center gap-1 text-xs text-emerald-700 hover:underline dark:text-emerald-400"
-              onClick={() => nav("/xray/conns")}
-            >
-              all conns <ArrowRight size={12} />
-            </button>
-          </div>
-          <Show
-            when={recentConns().length}
-            fallback={
-              <EmptyState
-                icon={<Cable size={24} />}
-                title="No live connections"
-              />
-            }
-          >
-            <ul class="divide-y divide-zinc-100 dark:divide-zinc-800/70">
-              <For each={recentConns()}>
-                {(c) => (
-                  <li
-                    class="flex cursor-pointer items-center gap-2 px-4 py-2 hover:bg-emerald-50/40 sm:px-5 dark:hover:bg-emerald-500/5"
-                    onClick={() => nav(`/xray/conns?user=${c.user_id}`)}
-                  >
-                    <Pill tone={c.network === "tcp" ? "info" : "accent"}>
-                      {c.network}
-                    </Pill>
-                    <span class="w-12 shrink-0 font-mono text-sm">
-                      {c.user_id}
-                    </span>
-                    <Pill tone={ipKindTone[ipKind(c.source_ip)]}>
-                      {ipKindLabel[ipKind(c.source_ip)]}
-                    </Pill>
-                    <span class="min-w-0 flex-1 truncate font-mono text-xs">
-                      {c.target}
-                    </span>
-                    <span class="shrink-0 text-xs text-zinc-500">
-                      {relTime(c.since)}
-                    </span>
-                  </li>
-                )}
-              </For>
-            </ul>
-          </Show>
-        </Card>
-      </div>
-
-      <Show
-        when={latestHost()}
-        fallback={
-          <div class="mt-4 flex items-center gap-2 rounded-xl border border-zinc-200 bg-zinc-50 px-4 py-2 text-xs text-zinc-500 dark:border-zinc-800 dark:bg-zinc-950">
-            <Activity size={13} /> Host metrics not reporting yet.
-          </div>
-        }
-      >
-        <Card class="mt-4" padded={false}>
-          <div class="flex flex-wrap items-center justify-between gap-3 border-b border-zinc-200 px-4 py-3 sm:px-5 dark:border-zinc-800">
-            <CardHeader title="Host" subtitle="System resource utilisation" />
-            <Segmented
-              options={HOST_WINDOWS.map((w) => ({ value: w.value, label: w.label }))}
-              value={hostWindow()}
-              onChange={setHostWindow}
-              size="sm"
-            />
-          </div>
-          <div class="grid grid-cols-2 gap-3 px-4 pt-4 sm:grid-cols-4 sm:px-5">
-            <HostStat label="CPU" value={pct(latestHost()!.cpu_usage)} />
-            <HostStat label="Memory" value={pct(latestHost()!.memory_usage)} />
-            <HostStat label="Net in" value={bytes(latestHost()!.network_in)} />
-            <HostStat label="Net out" value={bytes(latestHost()!.network_out)} />
-          </div>
-          <Show when={hostSeries().length > 1}>
-            <div class="grid grid-cols-1 gap-3 px-4 pb-4 pt-3 sm:px-5 sm:pb-5 lg:grid-cols-2">
-              <div class="rounded-lg border border-zinc-200 p-3 dark:border-zinc-800">
-                <div class="mb-2 text-[11px] font-semibold uppercase tracking-wider text-zinc-500">
-                  CPU & Memory
-                </div>
-                <Chart
-                  height={160}
-                  timestamps={hostSeries().map((d) => d.timestamp)}
-                  series={[
-                    {
-                      label: "CPU %",
-                      stroke: "#10b981",
-                      values: hostSeries().map((d) => d.cpu_usage),
-                    },
-                    {
-                      label: "Memory %",
-                      stroke: "#6366f1",
-                      values: hostSeries().map((d) => d.memory_usage),
-                    },
-                  ]}
-                  yFormat={(v) => pct(v)}
-                />
-              </div>
-              <div class="rounded-lg border border-zinc-200 p-3 dark:border-zinc-800">
-                <div class="mb-2 text-[11px] font-semibold uppercase tracking-wider text-zinc-500">
-                  Network
-                </div>
-                <Chart
-                  height={160}
-                  timestamps={hostSeries().map((d) => d.timestamp)}
-                  series={[
-                    {
-                      label: "in",
-                      stroke: "#0ea5e9",
-                      values: hostSeries().map((d) => d.network_in),
-                    },
-                    {
-                      label: "out",
-                      stroke: "#f97316",
-                      values: hostSeries().map((d) => d.network_out),
-                    },
-                  ]}
-                  yFormat={(v) => bytes(v)}
-                />
-              </div>
-            </div>
-          </Show>
-        </Card>
-      </Show>
-    </>
-  );
-}
-
-function HostStat(props: { label: string; value: string }) {
-  return (
-    <div>
-      <div class="text-[11px] font-medium uppercase tracking-wider text-zinc-500">
-        {props.label}
-      </div>
-      <div class="mt-1 font-mono text-lg font-semibold tabular-nums">
-        {props.value}
-      </div>
-    </div>
-  );
-}
diff --git a/internal/web/webui/src/pages/Rules.tsx b/internal/web/webui/src/pages/Rules.tsx
index 5d83b9693..eff745648 100644
--- a/internal/web/webui/src/pages/Rules.tsx
+++ b/internal/web/webui/src/pages/Rules.tsx
@@ -5,12 +5,19 @@ import Button from "../ui/Button";
 import { Pill } from "../ui/Pill";
 import EmptyState from "../ui/EmptyState";
 import Sparkline from "../ui/Sparkline";
+import Segmented from "../ui/Segmented";
 import DataTable, { Column } from "../ui/DataTable";
 import { api, ApiError } from "../api/client";
-import { bytes } from "../util/format";
+import { bytes, pickStep } from "../util/format";
 import type { RelayConfig, RuleMetric } from "../api/types";
 
-const HISTORY_SECONDS = 60 * 60;
+const HISTORY_WINDOWS = [
+  { value: 60 * 60, label: "1h" },
+  { value: 6 * 60 * 60, label: "6h" },
+  { value: 24 * 60 * 60, label: "24h" },
+  { value: 7 * 24 * 60 * 60, label: "7d" },
+  { value: 30 * 24 * 60 * 60, label: "30d" },
+] as const;
 
 interface HCResult {
   state: "running" | "ok" | "err";
@@ -29,9 +36,14 @@ export default function Rules() {
   const [latest, { refetch: rcLatest }] = createResource(() =>
     api.ruleMetrics({ latest: true }),
   );
-  const [history, { refetch: rcHistory }] = createResource(async () => {
+  const [historyWindow, setHistoryWindow] = createSignal<number>(HISTORY_WINDOWS[0].value);
+  const [history, { refetch: rcHistory }] = createResource(historyWindow, async (sec) => {
     const end = Math.floor(Date.now() / 1000);
-    return api.ruleMetrics({ start_ts: end - HISTORY_SECONDS, end_ts: end });
+    return api.ruleMetrics({
+      start_ts: end - sec,
+      end_ts: end,
+      step: pickStep(sec),
+    });
   });
   const [hc, setHc] = createSignal<Record<string, HCResult>>({});
 
@@ -148,7 +160,7 @@ export default function Rules() {
     },
     {
       key: "trend",
-      header: "1h trend",
+      header: `${HISTORY_WINDOWS.find((w) => w.value === historyWindow())?.label ?? ""} trend`,
       cell: (r) => (
         <span class="text-emerald-600 dark:text-emerald-400">
           <Sparkline values={r.series} width={90} height={22} />
@@ -233,16 +245,24 @@ export default function Rules() {
   return (
     <>
       <PageHeader
-        title="Relay Rules"
-        subtitle="Static rules with the last hour of throughput per remote."
+        title="rules"
+        subtitle="static relay rules with throughput per remote"
         actions={
-          <Button
-            size="sm"
-            leadingIcon={<RefreshCcw size={13} />}
-            onClick={refreshAll}
-          >
-            Refresh
-          </Button>
+          <>
+            <Segmented
+              options={HISTORY_WINDOWS.map((w) => ({ value: w.value, label: w.label }))}
+              value={historyWindow()}
+              onChange={setHistoryWindow}
+              size="sm"
+            />
+            <Button
+              size="sm"
+              leadingIcon={<RefreshCcw size={13} />}
+              onClick={refreshAll}
+            >
+              Refresh
+            </Button>
+          </>
         }
       />
 
diff --git a/internal/web/webui/src/pages/Settings.tsx b/internal/web/webui/src/pages/Settings.tsx
index cdc3c506c..1119b8456 100644
--- a/internal/web/webui/src/pages/Settings.tsx
+++ b/internal/web/webui/src/pages/Settings.tsx
@@ -8,6 +8,7 @@ import DescList from "../ui/DescList";
 import { api } from "../api/client";
 import { authInfo } from "../store/auth";
 import { theme, toggleTheme } from "../store/theme";
+import UpdatesPanel from "./UpdatesPanel";
 
 export default function Settings() {
   const [config] = createResource(() => api.config());
@@ -48,14 +49,14 @@ export default function Settings() {
   return (
     <>
       <PageHeader
-        title="Settings"
-        subtitle="Local UI preferences, runtime config, admin actions."
+        title="settings"
+        subtitle="local ui preferences · runtime config · admin actions"
       />
 
       <div class="grid gap-3 lg:grid-cols-2">
         <Show when={config()}>
           <Card>
-            <CardHeader title="Runtime configuration" subtitle="Read-only snapshot" />
+            <CardHeader title="runtime configuration" subtitle="read-only snapshot" />
             <DescList
               items={[
                 ["log level", String(config()!.log_level ?? "—")],
@@ -75,8 +76,8 @@ export default function Settings() {
 
           <Card>
             <CardHeader
-              title="Sync endpoint"
-              subtitle="Where ehco POSTs traffic stats"
+              title="sync endpoint"
+              subtitle="where ehco POSTs traffic stats"
               right={
                 <button
                   class="inline-flex items-center gap-1 text-xs text-zinc-500 hover:text-emerald-600 dark:hover:text-emerald-400"
@@ -96,8 +97,8 @@ export default function Settings() {
 
         <Card>
           <CardHeader
-            title="Reload configuration"
-            subtitle="Re-fetch from upstream"
+            title="reload configuration"
+            subtitle="re-fetch from upstream"
           />
           <p class="mb-3 text-sm text-zinc-500">
             A listener change reloads xray and drops active conns.
@@ -119,7 +120,7 @@ export default function Settings() {
         </Card>
 
         <Card>
-          <CardHeader title="Theme" subtitle="Light / dark mode override" />
+          <CardHeader title="theme" subtitle="light / dark mode override" />
           <div class="flex items-center gap-3">
             <Pill tone="neutral">{theme()}</Pill>
             <Button leadingIcon={<Palette size={13} />} onClick={toggleTheme}>
@@ -128,15 +129,20 @@ export default function Settings() {
           </div>
         </Card>
 
+        <div class="lg:col-span-2">
+          <UpdatesPanel />
+        </div>
+
         <Card class="lg:col-span-2">
           <CardHeader
-            title="API surface"
-            subtitle="Endpoints the UI consumes"
+            title="api surface"
+            subtitle="endpoints the ui consumes"
           />
           <ul class="grid grid-cols-1 gap-y-1 font-mono text-xs text-zinc-600 sm:grid-cols-2 dark:text-zinc-400">
             <Endpoint method="GET" path="/api/v1/config/" />
             <Endpoint method="POST" path="/api/v1/config/reload/" />
             <Endpoint method="GET" path="/api/v1/health_check/" />
+            <Endpoint method="GET" path="/api/v1/overview" />
             <Endpoint method="GET" path="/api/v1/node_metrics/" />
             <Endpoint method="GET" path="/api/v1/rule_metrics/" />
             <Endpoint method="GET" path="/api/v1/xray/conns" />
diff --git a/internal/web/webui/src/pages/UpdatesPanel.tsx b/internal/web/webui/src/pages/UpdatesPanel.tsx
new file mode 100644
index 000000000..cbae12f91
--- /dev/null
+++ b/internal/web/webui/src/pages/UpdatesPanel.tsx
@@ -0,0 +1,323 @@
+import { createResource, createSignal, For, onCleanup, Show } from "solid-js";
+import { Download, RefreshCw, CircleCheck, CircleAlert } from "lucide-solid";
+import { Card, CardHeader } from "../ui/Card";
+import Button from "../ui/Button";
+import { Pill } from "../ui/Pill";
+import Segmented from "../ui/Segmented";
+import DescList from "../ui/DescList";
+import { api, ApiError } from "../api/client";
+import { relTime } from "../util/format";
+import type {
+  UpdateCheck,
+  UpdateState,
+  UpdateStatus,
+  VersionInfo,
+} from "../api/types";
+
+type Channel = "auto" | "stable" | "nightly";
+
+const STEPS: UpdateState[] = [
+  "checking",
+  "downloading",
+  "installing",
+  "restarting",
+  "done",
+];
+const cap = (s: string) => s[0].toUpperCase() + s.slice(1);
+
+export default function UpdatesPanel() {
+  const [version, { refetch: rcVersion }] = createResource<VersionInfo>(() =>
+    api.version(),
+  );
+  const [channel, setChannel] = createSignal<Channel>("auto");
+  const [checking, setChecking] = createSignal(false);
+  const [check, setCheck] = createSignal<UpdateCheck | null>(null);
+  const [checkErr, setCheckErr] = createSignal("");
+  const [status, setStatus] = createSignal<UpdateStatus | null>(null);
+  const [applyErr, setApplyErr] = createSignal("");
+
+  let timer: number | null = null;
+  const stopTimer = () => {
+    if (timer != null) {
+      window.clearInterval(timer);
+      timer = null;
+    }
+  };
+  onCleanup(stopTimer);
+
+  // Single polling loop: while a job is in progress, hit /update/status.
+  // Once state==restarting the relay may go down mid-poll; we then probe
+  // /version and stop when the running version differs from the one we
+  // started from (i.e. the new binary booted).
+  const tick = async () => {
+    const before = status()?.from;
+    try {
+      const s = await api.updateStatus();
+      if (s.state !== "idle") {
+        setStatus(s);
+        if (s.state === "done" || s.state === "failed") {
+          stopTimer();
+          rcVersion();
+          return;
+        }
+      } else if (status()?.state === "restarting") {
+        // New process booted; status reset to idle. Probe /version to
+        // confirm and land on done.
+        const v = await api.version();
+        if (before && v.version !== before) {
+          setStatus({ ...(status() as UpdateStatus), state: "done" });
+          rcVersion();
+          stopTimer();
+        }
+      }
+    } catch {
+      // Relay is restarting — keep polling, the new process will answer.
+    }
+  };
+
+  const startPolling = () => {
+    if (timer != null) return;
+    timer = window.setInterval(tick, 1500) as unknown as number;
+  };
+
+  // Hydrate any in-flight job on mount so a refresh during update doesn't
+  // lose the indicator.
+  api.updateStatus().then((s) => {
+    if (s.state !== "idle") {
+      setStatus(s);
+      if (s.state !== "done" && s.state !== "failed") startPolling();
+    }
+  }).catch(() => {});
+
+  const runCheck = async () => {
+    setChecking(true);
+    setCheckErr("");
+    try {
+      setCheck(await api.updateCheck(channel()));
+    } catch (e) {
+      setCheckErr(e instanceof ApiError ? e.message : String(e));
+    } finally {
+      setChecking(false);
+    }
+  };
+
+  const applyUpdate = async () => {
+    const c = check();
+    if (!c) return;
+    if (!confirm(
+      `Update to ${c.latest_version}? This replaces the running binary and restarts ehco. Active connections will drop.`,
+    )) return;
+    setApplyErr("");
+    try {
+      await api.updateApply({ channel: channel(), force: false, restart: true });
+      setStatus({
+        state: "checking",
+        channel: channel(),
+        from: version()?.version ?? "",
+        to: c.latest_version,
+        started_at: new Date().toISOString(),
+      });
+      startPolling();
+    } catch (e) {
+      setApplyErr(e instanceof ApiError ? e.message : String(e));
+    }
+  };
+
+  const inProgress = () => {
+    const s = status()?.state;
+    return s === "checking" || s === "downloading" || s === "installing" || s === "restarting";
+  };
+  const isNightly = () => version()?.version.includes("-") ?? false;
+  const linuxOnly = () => version()?.go_os === "linux";
+
+  return (
+    <>
+      <div class="mb-3 flex items-center justify-between">
+        <div>
+          <h2 class="text-[12px] font-semibold uppercase tracking-[0.14em] text-zinc-500">
+            updates
+          </h2>
+          <p class="mt-0.5 text-[11px] text-zinc-500">
+            check for new ehco builds and apply them in place
+          </p>
+        </div>
+        <Pill tone={isNightly() ? "warn" : "info"}>
+          {isNightly() ? "nightly build" : "stable build"}
+        </Pill>
+      </div>
+
+      <Card>
+        <CardHeader title="current build" subtitle="reported by this binary" />
+        <DescList
+          items={[
+            ["Version", version()?.version ?? "—"],
+            ["Branch", version()?.git_branch || "—"],
+            ["Commit", (version()?.git_revision ?? "").slice(0, 7) || "—"],
+            ["Built", version()?.build_time || "—"],
+            ["Started", version()?.start_time ? relTime(version()!.start_time) : "—"],
+            ["Platform", version() ? `${version()!.go_os}/${version()!.go_arch}` : "—"],
+          ]}
+        />
+        <Show when={version() && !linuxOnly()}>
+          <div class="mt-3 rounded-md border border-amber-200 bg-amber-50 p-2 text-xs text-amber-800 dark:border-amber-900/40 dark:bg-amber-950/30 dark:text-amber-300">
+            Self-update is only supported on linux. On {version()!.go_os} you'll need to rebuild from source.
+          </div>
+        </Show>
+      </Card>
+
+      <Card class="mt-4">
+        <div class="flex flex-wrap items-center gap-3">
+          <CardHeader title="check for updates" subtitle="github releases (Ehco1996/ehco)" />
+          <div class="ml-auto flex items-center gap-2">
+            <Segmented<Channel>
+              options={[
+                { value: "auto", label: "Auto" },
+                { value: "stable", label: "Stable" },
+                { value: "nightly", label: "Nightly" },
+              ]}
+              value={channel()}
+              onChange={setChannel}
+              size="sm"
+            />
+            <Button
+              size="sm"
+              variant="primary"
+              loading={checking()}
+              leadingIcon={<RefreshCw size={13} />}
+              onClick={runCheck}
+            >
+              Check
+            </Button>
+          </div>
+        </div>
+
+        <Show when={checkErr()}>
+          <div class="mt-3 rounded-md border border-rose-200 bg-rose-50 p-2 text-xs text-rose-700 dark:border-rose-900/50 dark:bg-rose-950/30 dark:text-rose-400">
+            {checkErr()}
+          </div>
+        </Show>
+
+        <Show when={check()}>
+          {(c) => (
+            <div class="mt-4">
+              <Show
+                when={c().update_available}
+                fallback={
+                  <div class="flex items-center gap-2 rounded-md border border-emerald-200 bg-emerald-50 p-3 text-sm text-emerald-800 dark:border-emerald-900/40 dark:bg-emerald-950/30 dark:text-emerald-300">
+                    <CircleCheck size={15} />
+                    <span>
+                      Up to date — already on{" "}
+                      <span class="font-mono">{c().current_version}</span>{" "}
+                      ({c().channel} channel).
+                    </span>
+                  </div>
+                }
+              >
+                <div class="rounded-md border border-amber-200 bg-amber-50 p-3 dark:border-amber-900/40 dark:bg-amber-950/30">
+                  <div class="flex flex-wrap items-center gap-2 text-sm text-amber-900 dark:text-amber-200">
+                    <CircleAlert size={15} />
+                    <span>
+                      New version available:{" "}
+                      <span class="font-mono">{c().latest_version}</span>
+                    </span>
+                    <span class="text-xs text-amber-700 dark:text-amber-400">
+                      published {relTime(c().published_at)}
+                    </span>
+                    <a
+                      href={c().release_url}
+                      target="_blank"
+                      rel="noreferrer"
+                      class="ml-auto text-xs underline"
+                    >
+                      release notes
+                    </a>
+                  </div>
+                  <Show when={c().release_body}>
+                    <pre class="scroll-pretty mt-2 max-h-40 overflow-y-auto whitespace-pre-wrap break-words text-xs text-amber-900/80 dark:text-amber-200/80">
+                      {c().release_body}
+                    </pre>
+                  </Show>
+                  <div class="mt-3 flex items-center gap-2">
+                    <Button
+                      variant="primary"
+                      size="sm"
+                      leadingIcon={<Download size={13} />}
+                      disabled={!linuxOnly() || inProgress()}
+                      onClick={applyUpdate}
+                    >
+                      Update now
+                    </Button>
+                    <span class="text-xs text-amber-800/70 dark:text-amber-300/70">
+                      Asset: <span class="font-mono">{c().asset_name || "n/a"}</span>
+                    </span>
+                  </div>
+                </div>
+              </Show>
+            </div>
+          )}
+        </Show>
+      </Card>
+
+      <Show when={status() && status()!.state !== "idle"}>
+        <Card class="mt-4">
+          <CardHeader
+            title="update progress"
+            subtitle={status()!.from ? `${status()!.from} → ${status()!.to || "?"}` : undefined}
+          />
+          <Show when={applyErr()}>
+            <div class="mb-2 rounded-md border border-rose-200 bg-rose-50 p-2 text-xs text-rose-700 dark:border-rose-900/50 dark:bg-rose-950/30 dark:text-rose-400">
+              {applyErr()}
+            </div>
+          </Show>
+          <StepIndicator state={status()!.state} />
+          <Show when={status()!.state === "restarting"}>
+            <div class="mt-3 text-xs text-zinc-500">
+              Waiting for the relay to come back online…
+            </div>
+          </Show>
+          <Show when={status()!.error}>
+            <div class="mt-3 rounded-md border border-rose-200 bg-rose-50 p-2 text-xs text-rose-700 dark:border-rose-900/50 dark:bg-rose-950/30 dark:text-rose-400">
+              {status()!.error}
+            </div>
+          </Show>
+        </Card>
+      </Show>
+    </>
+  );
+}
+
+function StepIndicator(props: { state: UpdateState }) {
+  const cur = () => STEPS.indexOf(props.state);
+  return (
+    <div class="flex flex-wrap items-center gap-2 text-xs">
+      <For each={STEPS}>
+        {(label, i) => {
+          const done = () => cur() > i();
+          const active = () => cur() === i();
+          return (
+            <>
+              <Show when={i() > 0}>
+                <span class={done() ? "h-px w-6 bg-emerald-400" : "h-px w-6 bg-zinc-300 dark:bg-zinc-700"} />
+              </Show>
+              <span
+                class={
+                  done() || active()
+                    ? "inline-flex items-center gap-1 rounded-full border border-emerald-300 bg-emerald-50 px-2 py-0.5 font-medium text-emerald-800 dark:border-emerald-700/60 dark:bg-emerald-950/40 dark:text-emerald-300"
+                    : "inline-flex items-center gap-1 rounded-full border border-zinc-200 px-2 py-0.5 text-zinc-500 dark:border-zinc-800"
+                }
+              >
+                <span
+                  class={
+                    "h-1.5 w-1.5 rounded-full " +
+                    (active() ? "animate-pulse bg-emerald-500" : done() ? "bg-emerald-500" : "bg-zinc-400")
+                  }
+                />
+                {cap(label)}
+              </span>
+            </>
+          );
+        }}
+      </For>
+    </div>
+  );
+}
diff --git a/internal/web/webui/src/pages/XrayConns.tsx b/internal/web/webui/src/pages/XrayConns.tsx
index 6fe06219a..3af66df97 100644
--- a/internal/web/webui/src/pages/XrayConns.tsx
+++ b/internal/web/webui/src/pages/XrayConns.tsx
@@ -161,17 +161,19 @@ export default function XrayConns() {
       align: "right",
       width: "70px",
       cell: (c) => (
-        <Button
-          variant="danger"
-          size="sm"
-          disabled={busy() === c.id}
-          onClick={(e) => {
-            e.stopPropagation();
-            killOne(c.id);
-          }}
-        >
-          kill
-        </Button>
+        <span class="opacity-0 transition-opacity group-hover:opacity-100 focus-within:opacity-100">
+          <Button
+            variant="danger"
+            size="sm"
+            disabled={busy() === c.id}
+            onClick={(e) => {
+              e.stopPropagation();
+              killOne(c.id);
+            }}
+          >
+            kill
+          </Button>
+        </span>
       ),
     },
   ];
@@ -179,8 +181,8 @@ export default function XrayConns() {
   return (
     <>
       <PageHeader
-        title="Xray Connections"
-        subtitle="Live conns from the in-process xray outbound."
+        title="connections"
+        subtitle="live conns from the in-process xray outbound"
         actions={<RefreshPicker handle={poll} />}
       />
 
@@ -243,7 +245,7 @@ export default function XrayConns() {
           <Show
             when={groupedRows()!.length}
             fallback={
-              <div class="rounded-xl border border-zinc-200 bg-white p-6 dark:border-zinc-800 dark:bg-zinc-900">
+              <div class="rounded-md border border-zinc-200 bg-white p-6 dark:border-zinc-800 dark:bg-zinc-900">
                 <EmptyState
                   icon={<Cable size={28} />}
                   title="No connections match"
@@ -254,7 +256,7 @@ export default function XrayConns() {
             <div class="flex flex-col gap-3">
               <For each={groupedRows()!}>
                 {(g) => (
-                  <div class="rounded-xl border border-zinc-200 bg-white dark:border-zinc-800 dark:bg-zinc-900">
+                  <div class="rounded-md border border-zinc-200 bg-white dark:border-zinc-800 dark:bg-zinc-900">
                     <div class="flex items-center justify-between gap-3 border-b border-zinc-200 px-4 py-2 dark:border-zinc-800">
                       <div class="flex items-center gap-2">
                         <span class="text-[10px] font-semibold uppercase tracking-wider text-zinc-500">
@@ -267,9 +269,16 @@ export default function XrayConns() {
                         <Button
                           variant="danger"
                           size="sm"
-                          onClick={() => {
+                          disabled={busy() === "user"}
+                          onClick={async () => {
                             if (!confirm(`Kill all ${g.conns.length} conns for user_id=${g.key}?`)) return;
-                            api.killUser(Number(g.key)).then(() => refetch());
+                            setBusy("user");
+                            try {
+                              await api.killUser(Number(g.key));
+                              await refetch();
+                            } finally {
+                              setBusy(null);
+                            }
                           }}
                         >
                           kill user
diff --git a/internal/web/webui/src/pages/XrayUsers.tsx b/internal/web/webui/src/pages/XrayUsers.tsx
index 0e00f39ab..6e49aa50b 100644
--- a/internal/web/webui/src/pages/XrayUsers.tsx
+++ b/internal/web/webui/src/pages/XrayUsers.tsx
@@ -176,7 +176,7 @@ export default function XrayUsers() {
           size="sm"
           onClick={(e) => {
             e.stopPropagation();
-            nav(`/xray/conns?user=${u.user_id}`);
+            nav(`/conns?user=${u.user_id}`);
           }}
         >
           conns <ArrowRight size={13} />
@@ -188,8 +188,8 @@ export default function XrayUsers() {
   return (
     <>
       <PageHeader
-        title="Xray Users"
-        subtitle="Cumulative byte counters since process boot. Reset on restart."
+        title="users"
+        subtitle="cumulative byte counters since process boot · reset on restart"
         actions={<RefreshPicker handle={poll} />}
       />
 
@@ -222,7 +222,7 @@ export default function XrayUsers() {
         rowKey={(u) => u.user_id}
         pageSize={50}
         defaultSort={{ key: "down", dir: "desc" }}
-        onRowClick={(u) => nav(`/xray/conns?user=${u.user_id}`)}
+        onRowClick={(u) => nav(`/conns?user=${u.user_id}`)}
         empty={
           <EmptyState
             icon={<UsersIcon size={28} />}
diff --git a/internal/web/webui/src/ui/Card.tsx b/internal/web/webui/src/ui/Card.tsx
index fafb7c715..190d02037 100644
--- a/internal/web/webui/src/ui/Card.tsx
+++ b/internal/web/webui/src/ui/Card.tsx
@@ -8,7 +8,7 @@ export function Card(props: {
   const padded = props.padded ?? true;
   return (
     <div
-      class={`rounded-xl border border-zinc-200 bg-white dark:border-zinc-800 dark:bg-zinc-900 ${padded ? "p-4 sm:p-5" : ""} ${props.class ?? ""}`}
+      class={`rounded-md border border-zinc-200 bg-white dark:border-zinc-800 dark:bg-zinc-900 ${padded ? "p-4 sm:p-5" : ""} ${props.class ?? ""}`}
     >
       {props.children}
     </div>
@@ -23,11 +23,13 @@ export function CardHeader(props: {
   return (
     <div class="mb-3 flex items-baseline justify-between gap-3">
       <div class="min-w-0">
-        <h3 class="truncate text-sm font-semibold tracking-tight">
+        <h3 class="truncate text-[12px] font-semibold uppercase tracking-[0.12em]">
           {props.title}
         </h3>
         {props.subtitle && (
-          <p class="mt-0.5 truncate text-xs text-zinc-500">{props.subtitle}</p>
+          <p class="mt-0.5 truncate text-[11px] normal-case tracking-normal text-zinc-500">
+            {props.subtitle}
+          </p>
         )}
       </div>
       {props.right && (
diff --git a/internal/web/webui/src/ui/DataTable.tsx b/internal/web/webui/src/ui/DataTable.tsx
index 2700a8c80..d1cd6aabe 100644
--- a/internal/web/webui/src/ui/DataTable.tsx
+++ b/internal/web/webui/src/ui/DataTable.tsx
@@ -86,10 +86,10 @@ export default function DataTable<T>(props: Props<T>) {
   const padY = () => (density() === "compact" ? "py-1.5" : "py-2.5");
 
   return (
-    <div class="rounded-xl border border-zinc-200 bg-white dark:border-zinc-800 dark:bg-zinc-900">
+    <div class="rounded-md border border-zinc-200 bg-white dark:border-zinc-800 dark:bg-zinc-900">
       <div class="scroll-pretty overflow-x-auto">
-        <table class="w-full text-left text-sm">
-          <thead class="bg-zinc-50/80 text-[11px] font-semibold uppercase tracking-wider text-zinc-500 dark:bg-zinc-900/50">
+        <table class="w-full text-left text-[13px]">
+          <thead class="bg-zinc-50/80 text-[10px] font-semibold uppercase tracking-[0.14em] text-zinc-500 dark:bg-zinc-900/50">
             <tr>
               <For each={props.columns}>
                 {(c) => (
diff --git a/internal/web/webui/src/ui/KpiCard.tsx b/internal/web/webui/src/ui/KpiCard.tsx
index b84a5f175..3b2789c9c 100644
--- a/internal/web/webui/src/ui/KpiCard.tsx
+++ b/internal/web/webui/src/ui/KpiCard.tsx
@@ -7,16 +7,16 @@ export default function KpiCard(props: {
   icon?: JSX.Element;
 }) {
   return (
-    <div class="rounded-xl border border-zinc-200 bg-white p-3 sm:p-4 dark:border-zinc-800 dark:bg-zinc-900">
-      <div class="flex items-center justify-between text-[11px] font-medium uppercase tracking-wider text-zinc-500">
+    <div class="rounded-md border border-zinc-200 bg-white p-3 sm:p-4 dark:border-zinc-800 dark:bg-zinc-900">
+      <div class="flex items-center justify-between text-[10px] font-semibold uppercase tracking-[0.16em] text-zinc-500">
         <span>{props.label}</span>
         {props.icon && <span class="text-zinc-400">{props.icon}</span>}
       </div>
-      <div class="mt-2 font-mono text-xl font-semibold tracking-tight sm:text-2xl">
+      <div class="mt-2 font-mono text-[20px] font-semibold tabular-nums tracking-tight sm:text-[24px]">
         {props.value}
       </div>
       {props.hint && (
-        <div class="mt-1 truncate text-xs text-zinc-500">{props.hint}</div>
+        <div class="mt-1 truncate text-[11px] text-zinc-500">{props.hint}</div>
       )}
     </div>
   );
diff --git a/internal/web/webui/src/ui/PageHeader.tsx b/internal/web/webui/src/ui/PageHeader.tsx
index 5452f9d67..7b0850e88 100644
--- a/internal/web/webui/src/ui/PageHeader.tsx
+++ b/internal/web/webui/src/ui/PageHeader.tsx
@@ -6,13 +6,14 @@ export default function PageHeader(props: {
   actions?: JSX.Element;
 }) {
   return (
-    <div class="mb-5 flex flex-col gap-3 border-b border-zinc-200 pb-4 sm:mb-6 sm:flex-row sm:items-end sm:justify-between sm:gap-4 dark:border-zinc-800">
+    <div class="mb-4 flex flex-col gap-3 border-b border-zinc-200 pb-3 sm:mb-5 sm:flex-row sm:items-end sm:justify-between sm:gap-4 dark:border-zinc-800">
       <div class="min-w-0">
-        <h1 class="text-xl font-semibold tracking-tight sm:text-2xl">
+        <h1 class="text-[18px] font-semibold tracking-tight sm:text-[20px]">
+          <span class="text-emerald-600 dark:text-emerald-400">{">"}</span>{" "}
           {props.title}
         </h1>
         {props.subtitle && (
-          <p class="mt-1 text-sm text-zinc-500">{props.subtitle}</p>
+          <p class="mt-1 text-[12px] text-zinc-500">{props.subtitle}</p>
         )}
       </div>
       {props.actions && (
diff --git a/internal/web/webui/src/util/format.ts b/internal/web/webui/src/util/format.ts
index 6bccbbd4c..fa95fb9f5 100644
--- a/internal/web/webui/src/util/format.ts
+++ b/internal/web/webui/src/util/format.ts
@@ -24,3 +24,35 @@ export function pct(n: number | undefined): string {
   if (n == null || !Number.isFinite(n)) return "—";
   return `${n.toFixed(1)}%`;
 }
+
+// rate formats a bytes-per-second number as a compact "12.4 MB/s".
+export function rate(bps: number | undefined | null): string {
+  if (!bps || bps < 0) return "0 B/s";
+  return `${bytes(bps)}/s`;
+}
+
+// bytesShort is like bytes() but with single-letter units and no space:
+// "12M", "1.4G", "830K". Used in chart y-axes where label width is tight.
+export function bytesShort(n: number | undefined | null): string {
+  if (!n || n < 0) return "0";
+  const u = ["", "K", "M", "G", "T", "P"];
+  let i = 0;
+  let v = n;
+  while (v >= 1024 && i < u.length - 1) {
+    v /= 1024;
+    i++;
+  }
+  return `${v.toFixed(v >= 100 || i === 0 ? 0 : v >= 10 ? 0 : 1)}${u[i]}`;
+}
+
+// pickStep returns a server-side bucket size (in seconds) for a given
+// time window. Aim is ≤ ~360 points per chart, regardless of window —
+// keeps payload small and uPlot snappy at 30d zoom levels.
+export function pickStep(windowSec: number): number {
+  if (windowSec <= 5 * 60) return 0;        // ≤5m: raw 5s samples
+  if (windowSec <= 60 * 60) return 30;      // 1h: 30s
+  if (windowSec <= 6 * 60 * 60) return 120; // 6h: 2m
+  if (windowSec <= 24 * 60 * 60) return 600; // 24h: 10m
+  if (windowSec <= 7 * 24 * 60 * 60) return 3600;     // 7d: 1h
+  return 4 * 3600;                                     // 30d: 4h
+}
diff --git a/pkg/xray/admin_api.go b/pkg/xray/admin_api.go
index 4413180a8..564e54f19 100644
--- a/pkg/xray/admin_api.go
+++ b/pkg/xray/admin_api.go
@@ -6,9 +6,36 @@ import (
 	"strconv"
 	"sync/atomic"
 
+	"github.com/Ehco1996/ehco/internal/glue"
 	"github.com/labstack/echo/v4"
 )
 
+// Snapshot satisfies glue.XrayStatus — read by the web admin's
+// /api/v1/overview aggregate. Locks each subsystem briefly; safe to
+// call from any goroutine.
+func (xs *XrayServer) Snapshot() glue.XraySnapshot {
+	snap := glue.XraySnapshot{}
+	if xs.tracker != nil {
+		snap.Conns = xs.tracker.Count()
+	}
+	if xs.up == nil {
+		return snap
+	}
+	users := xs.up.GetAllUsers()
+	snap.Users = len(users)
+	for _, u := range users {
+		if u.Enable {
+			snap.EnabledUsers++
+		}
+		if u.running {
+			snap.RunningUsers++
+		}
+		snap.UploadTotal += atomic.LoadInt64(&u.UploadTotal)
+		snap.DownloadTotal += atomic.LoadInt64(&u.DownloadTotal)
+	}
+	return snap
+}
+
 // RegisterRoutes mounts the xray management endpoints onto the given echo group.
 // Authentication is provided by the surrounding web server's middleware.
 //
diff --git a/pkg/xray/conn_tracker.go b/pkg/xray/conn_tracker.go
index bbc658f5d..e7b37b53a 100644
--- a/pkg/xray/conn_tracker.go
+++ b/pkg/xray/conn_tracker.go
@@ -217,6 +217,13 @@ func (t *connTracker) List(userID int) []ConnInfo {
 	return out
 }
 
+// Count returns the total number of live conns across all users.
+func (t *connTracker) Count() int {
+	t.mu.RLock()
+	defer t.mu.RUnlock()
+	return len(t.entries)
+}
+
 // CountTCPByUser returns how many live TCP conns the user currently has.
 // Used by the traffic sync to populate UserTraffic.TcpCount.
 func (t *connTracker) CountTCPByUser(userID int) int {