diff --git a/web/Dockerfile b/web/Dockerfile
index 54f5288..c4f481b 100644
--- a/web/Dockerfile
+++ b/web/Dockerfile
@@ -33,7 +33,12 @@ ENV NODE_ENV=production
 ENV NEXT_TELEMETRY_DISABLED=1
 
 COPY --from=builder /app/web/.next/standalone ./
-COPY --from=builder /app/web/.next/static ./.next/static
+# The Next.js standalone server (at /app/web/web/server.js) serves
+# /_next/static/* from a `web/.next/static` directory relative to its
+# own location, NOT from /app/web/.next/static. Without this, all
+# generated JS chunks 404 with text/plain content-type and the SPA
+# never hydrates.
+COPY --from=builder /app/web/.next/static ./web/.next/static
 
 EXPOSE 3045
 ENV PORT=3045
diff --git a/web/e2e/accessibility.spec.ts b/web/e2e/accessibility.spec.ts
index d0451ed..c4788ad 100644
--- a/web/e2e/accessibility.spec.ts
+++ b/web/e2e/accessibility.spec.ts
@@ -28,9 +28,15 @@ for (const route of routes) {
 }
 
 test('accessibility: focus-visible ring appears on tab navigation', async ({ page }) => {
-  await page.goto('/dashboard');
+  // Use /login because it doesn't require auth and has known focusable
+  // form fields. /dashboard would be redirected by AuthGuard when no
+  // session is present, leaving the DOM empty (AuthGuard returns null
+  // until verifySessionAndReadiness completes) and Tab presses would
+  // focus nothing.
+  await page.goto('/login');
   await page.waitForLoadState('networkidle');
-  await page.keyboard.press('Tab');
+  // Click the page first to ensure keyboard focus tracking starts.
+  await page.locator('body').click();
   await page.keyboard.press('Tab');
 
   const focused = page.locator(':focus-visible');
diff --git a/web/e2e/settings.spec.ts b/web/e2e/settings.spec.ts
index 9ec3ca4..7c3b693 100644
--- a/web/e2e/settings.spec.ts
+++ b/web/e2e/settings.spec.ts
@@ -6,7 +6,40 @@ test.describe("Settings Page", () => {
     expect(res.status()).toBe(200);
   });
 
-  test("shows product configuration section", async ({ page }) => {
+  test("shows product configuration section", async ({ page, request }) => {
+    // Obtain real tokens from platform-service via API, then seed
+    // localStorage so AuthGuard's session refresh + kill-switch checks
+    // pass naturally. Requires the deployed platform-service stack to be
+    // reachable at http://localhost:4003, which is the same assumption
+    // as the navigation/dashboard specs.
+    const email = process.env.NOTELETT_E2E_EMAIL ?? "user@notelett.app";
+    const password = process.env.NOTELETT_E2E_PASSWORD ?? "Notelett!Test#2026";
+    const platformUrl =
+      process.env.NOTELETT_E2E_PLATFORM_URL ?? "http://localhost:4003/api";
+
+    const loginRes = await request.post(`${platformUrl}/auth/login`, {
+      data: { email, password, productId: "notelett" },
+      headers: { "Content-Type": "application/json", "X-Product-Id": "notelett" },
+    });
+    if (!loginRes.ok()) {
+      test.skip(
+        true,
+        `Skipping: platform-service login at ${platformUrl} not reachable. Status ${loginRes.status()}.`
+      );
+      return;
+    }
+    const tokens = (await loginRes.json()) as {
+      user: { id: string; email: string; name?: string };
+      accessToken: string;
+      refreshToken: string;
+    };
+
+    await page.addInitScript((seed) => {
+      localStorage.setItem("notelett_auth_user", JSON.stringify(seed.user));
+      localStorage.setItem("notelett_access_token", seed.accessToken);
+      localStorage.setItem("notelett_refresh_token", seed.refreshToken);
+    }, tokens);
+
     await page.goto("/settings");
     await expect(
       page.getByText(/product|configuration|notelett|backend/i).first()