diff --git a/CLAUDE.md b/CLAUDE.md
index a746c55..c992f6e 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -4,7 +4,7 @@ This file provides guidance to Claude Code (claude.ai/code) when working with co
 
 ## Project Overview
 
-AgentHub is a FastAPI-based AI Agent Management System with MongoDB backend. It provides role-based authentication (admin/user), agent CRUD operations, user management, and a web interface built with Jinja2 templates and Bootstrap 5.
+AgentHub is a FastAPI-based AI Agent Management System with MongoDB backend. It provides three-tier role-based authentication (admin/readonly_admin/user), agent CRUD operations, client verification workflow, email notifications, user management, and a web interface built with Jinja2 templates and Bootstrap 5.
 
 ## Common Development Tasks
 
@@ -33,6 +33,8 @@ Create `.env` file with:
 - `MAILGUN_FROM_EMAIL`: Sender address (default: `AgentHub <noreply@{MAILGUN_DOMAIN}>`)
 - `TOKEN_USAGE_THRESHOLD`: Token count that triggers an alert (default: 100000)
 - `NOTIFICATION_COOLDOWN_HOURS`: Hours between repeat alerts for the same agent (default: 24)
+- `CLIENT_AGENT_NOTIFY_EMAILS`: Comma-separated list of emails for client agent notifications
+- `DAILY_DIGEST_HOUR`: Hour (24h format) to send daily digest (default: 7)
 
 ### Default Login Credentials
 - Admin: `admin@agenthub.com` / `admin123`
@@ -46,22 +48,26 @@ Create `.env` file with:
 - JWT cookie-based authentication system
 - HTML routes for web interface
 - REST API endpoints for agent/user management
-- Role-based access control (admin vs regular user)
+- Three-tier role-based access control (admin / readonly_admin / user)
+- Client verification workflow with email notifications
+- Daily agent digest scheduler (APScheduler)
 - Template rendering with Jinja2
 
 **Key Authentication Functions**:
 - `get_current_user_optional()`: Cookie-based auth for templates
 - `get_current_user_from_cookie()`: Required auth for API endpoints
-- `require_admin()`: Admin-only access control
+- `require_admin()`: Admin-only access control (write operations)
+- `require_admin_or_readonly()`: Admin + readonly_admin access (read-only dashboard views)
 
 ### Data Layer
 
 **models.py**: Pydantic models for:
-- `AiAgent`: Core agent model with comprehensive fields (includes `discipline`, `rating`)
+- `AiAgent`: Core agent model with comprehensive fields (includes `discipline`, `rating`, `client`, `client_name`, `studio_name`)
 - `UsageTimelineEntry`: Daily usage data including `message_count` and `token_count`
-- `UserCreate/UserResponse`: User management models
-- `AiAgentCreate/AiAgentResponse`: API request/response models (includes `total_tokens`, `prompt_tokens`, `completion_tokens`, `discipline`, `rating`, `rating_count`)
-- `AgentCollectorCreate`: Collector API input model (includes `total_tokens`, `prompt_tokens`, `completion_tokens`, `discipline`)
+- `UserCreate/UserResponse`: User management models (includes `role` field: `user`/`admin`/`readonly_admin`)
+- `UserUpdate`: Includes `role` field for three-tier role management
+- `AiAgentCreate/AiAgentResponse`: API request/response models (includes `total_tokens`, `prompt_tokens`, `completion_tokens`, `discipline`, `rating`, `rating_count`, `client`, `client_name`, `studio_name`, `verification_status`, `verified_by`, `verified_date`)
+- `AgentCollectorCreate`: Collector API input model (includes `total_tokens`, `prompt_tokens`, `completion_tokens`, `discipline`, `client`, `client_name`, `studio_name`)
 - `AgentUsageStatsResponse`: Usage statistics response (includes `total_tokens`, `prompt_tokens`, `completion_tokens`)
 
 **crud.py**: Database operations using Motor (async MongoDB driver):
@@ -72,13 +78,17 @@ Create `.env` file with:
 
 **database.py**: MongoDB connection setup with Motor async client
 - Collections: `users`, `agents`, `agent_usage`, `token_notifications`, `agent_ratings`
-- `ensure_indexes()`: Creates compound unique index on `agent_ratings(agent_id, user_id)`
+- `ensure_indexes()`: Creates compound unique index on `agent_ratings(agent_id, user_id)` and index on `verification_status`
 
-**notifications.py**: Optional Mailgun email notification system:
+**notifications.py**: Mailgun email notification system:
 - `is_mailgun_configured()`: Returns False if env vars not set (gracefully disabled)
 - `send_mailgun_email()`: POST to Mailgun HTTP API with 10s timeout
 - `build_threshold_email()`: HTML email template for threshold alerts
 - `check_and_notify_threshold()`: Checks token usage against threshold, enforces cooldown via `token_notifications` collection, sends to admin users
+- `send_client_agent_notification()`: Sends email when client-facing agent is created (to `CLIENT_AGENT_NOTIFY_EMAILS`)
+- `build_client_agent_email()`: HTML email template for client agent notifications
+- `send_daily_agent_digest()`: Queries agents created in last 24 hours, sends summary to all admin users
+- `build_daily_digest_email()`: HTML email template for daily digest
 
 **auth.py**: JWT authentication with:
 - bcrypt password hashing
@@ -96,7 +106,7 @@ Located in `templates/` directory:
 - **agent_management.html**: Agent dashboard with real data
 - **search.html**: Global search functionality
 - **user_management.html**: User management interface
-- **admin/dashboard.html**: Admin statistics and management
+- **admin/dashboard.html**: Admin statistics, management, and verification workflow
 
 ### Static Assets
 
@@ -110,8 +120,13 @@ Located in `templates/` directory:
 
 ### Authentication Flow
 - Cookie-based JWT authentication
-- Role-based access (admin/user permissions)
-- Automatic redirects based on user role
+- Three-tier role-based access: `user`, `admin`, `readonly_admin`
+  - `user`: Standard access, can manage own agents
+  - `admin`: Full access to admin dashboard, all write operations
+  - `readonly_admin`: Can view admin dashboard but all write actions (edit, delete, approve, create) are hidden
+- `role` field on user documents; `is_admin` kept in sync for backward compatibility
+- `require_admin_or_readonly()` dependency for read-only admin endpoints
+- Automatic redirects based on user role (admin/readonly_admin → /admin, user → /agent-management)
 - Secure logout with token cleanup
 
 ### Agent Management
@@ -122,6 +137,32 @@ Located in `templates/` directory:
 - Filtering by status, audit status (Audited / Not Audited), and discipline
 - Admin can view/manage all agents
 
+### Client & Verification System
+- `client` field on agents: `"yes"` or `"no"` (mandatory on registration form)
+- `client_name`: free text, required when client is "yes"
+- `studio_name`: optional free text field
+- Registration form order: Name, Description, Purpose, Client (Yes/No), Client Name (conditional), Studio Name, Tool, then Version/Status/etc.
+- When `client == "yes"`: agent auto-tagged with `verification_status = "needs_verification"`
+- Verification tab on admin dashboard shows pending agents with Approve button
+- `PUT /api/admin/agents/{id}/verify` — admin-only, sets status to "verified" with verifier info
+- `GET /api/admin/agents/pending-verification` — returns agents needing verification
+- Verification badges displayed on agent cards (orange "Needs Verification", green "Verified")
+
+### Client Agent Email Notification
+- When `client == "yes"` on agent creation, sends email via Mailgun to `CLIENT_AGENT_NOTIFY_EMAILS`
+- Subject: "Client Agent Created"
+- Body includes: Agent Name, Description, Purpose, Client Name, Studio Name, Tool, Created By
+- Non-blocking: failure does not break agent creation
+
+### Daily Agent Digest Email
+- Scheduled via APScheduler at configured hour (default 7:00 AM, `DAILY_DIGEST_HOUR` env var)
+- Queries agents created in last 24 hours
+- Sends to all active admin users
+- Body includes: Agent Name, Purpose, Description, Created By (email)
+- Subject: "Agents Created Last 24 Hours"
+- Skips sending if no agents created
+- Can be manually triggered via `POST /api/admin/digest/send` (admin-only)
+
 ### Discipline & Star Rating
 - `discipline` field classifies agents into business categories: Strategy, Creative, Oversight including delivery, Optimization, Back Office including operations, Pencil Agents
 - Required on registration form, optional on edit (to support legacy agents)
@@ -161,6 +202,9 @@ Located in `templates/` directory:
 ### User Management
 - User registration with validation
 - Admin user creation capabilities
+- Three-tier role system: `user`, `admin`, `readonly_admin`
+  - Role dropdown in admin user edit modal (replaces is_admin checkbox)
+  - `role` and `is_admin` fields kept in sync on update
 - Profile management
 - User statistics and administration
 
@@ -182,8 +226,10 @@ Located in `templates/` directory:
 ### Authentication
 - Use cookie-based auth for web interface
 - API endpoints require `get_current_user_from_cookie()` dependency
-- Admin endpoints use `require_admin()` dependency
+- Write endpoints use `require_admin()` dependency
+- Read-only admin endpoints use `require_admin_or_readonly()` dependency
 - Always validate user permissions for data access
+- `readonly_admin` users can view admin dashboard but UI hides all write-action buttons via `admin-write-action` CSS class
 
 ### Template Context
 - Pass `current_user` to all templates for navigation
@@ -213,4 +259,14 @@ Key dependencies from requirements.txt:
 - **pydantic**: Data validation
 - **jinja2**: Template engine
 - **python-multipart**: Form handling
-- **requests**: HTTP client (used for Mailgun API calls)
\ No newline at end of file
+- **requests**: HTTP client (used for Mailgun API calls)
+- **apscheduler**: Task scheduling (daily digest email)
+
+## API Endpoints (New)
+
+### Verification
+- `GET /api/admin/agents/pending-verification` — List agents with verification status (admin + readonly_admin)
+- `PUT /api/admin/agents/{agent_id}/verify` — Approve/verify an agent (admin only)
+
+### Daily Digest
+- `POST /api/admin/digest/send` — Manually trigger the daily agent digest email (admin only)
\ No newline at end of file
diff --git a/PLAN-prompt-audit.md b/PLAN-prompt-audit.md
new file mode 100644
index 0000000..a704119
--- /dev/null
+++ b/PLAN-prompt-audit.md
@@ -0,0 +1,588 @@
+# Agent Tracker: Prompt Audit & Auto-Audit — Implementation Plan
+
+## Context
+
+The admin team needs visibility into what each LibreChat agent's system prompt says and whether it poses business/legal/compliance risks. System prompts will arrive via the agent-sync pipeline (see the agent-sync plan). Agent Tracker needs to: (1) accept and store them, and (2) provide on-demand AI analysis using Google Gemini to classify agents against business category definitions and flag those needing scrutiny.
+
+### Business Category Definitions (used for backend analysis, not visible fields)
+
+- **Cat 1**: Created in the Oliver AI Sandbox, used behind the scenes for experimentation. Needs IT/Compliance consideration for safety.
+- **Cat 1B**: Agents that may incur large cost but aren't Cat 2 or 3.
+- **Cat 2**: Created in Pencil, exposed to clients but not for sale. Needs Legal consideration.
+- **Cat 3**: Created in Pencil, sold to clients or sold via teams using them. Needs Commercial team consideration.
+
+## Architecture
+
+```
+Agent-sync pipeline → POST /agents collector API (now includes system_prompt)
+                              → Stored on agent document
+
+Admin clicks "Run Audit"
+       → Reads stored system_prompt + tools from agent docs
+       → Sends to Google Gemini API for analysis
+       → Stores audit results on agent doc + audit_history collection
+       → Displays in new Prompt Audit tab
+```
+
+- **LLM**: Google Gemini (`gemini-2.5-pro`) via `google-generativeai` SDK
+- **API Key**: Reuses existing `GOOGLE_API_KEY` (same key as the ai_qc project)
+- **Trigger**: On-demand only (admin clicks "Run Audit")
+- **No new DB connections** — prompts come through the existing collector API
+
+## Files to Modify
+
+### 1. MODIFY: `requirements.txt`
+
+Add:
+```
+google-generativeai>=0.3.0
+```
+
+### 2. MODIFY: `database.py` — Add audit_history collection
+
+After line 16 (after `agent_ratings_collection`), add:
+```python
+audit_history_collection = db.get_collection("audit_history")
+```
+
+In `ensure_indexes()`, add:
+```python
+await agents_collection.create_index([("audit_status", 1)])
+await audit_history_collection.create_index([("agent_id", 1), ("audit_date", -1)])
+```
+
+Also update the import in `audit_analyzer.py` to use `audit_history_collection`.
+
+### 3. MODIFY: `models.py` — Add system_prompt + audit models
+
+**Add to `AgentCollectorCreate`** (around line 164, with the other optional fields):
+```python
+system_prompt: Optional[str] = None
+```
+
+**Add to `AiAgentResponse`** (around line 144, after `completion_tokens`):
+```python
+audit_status: Optional[str] = None
+audit_date: Optional[str] = None
+system_prompt: Optional[str] = None
+```
+
+**Add new model after line 210:**
+```python
+class AuditReviewRequest(BaseModel):
+    audit_status: str = Field(..., pattern="^(flagged|reviewed|cleared)$")
+    reviewer_notes: Optional[str] = None
+```
+
+### 4. NEW: `audit_analyzer.py` — Core audit module
+
+New file with two responsibilities: Gemini analysis and result storage.
+
+**A. Gemini API Analysis**
+
+```python
+import os
+import json
+import re
+import asyncio
+from datetime import datetime
+from bson import ObjectId
+
+import google.generativeai as genai
+
+from database import agents_collection, audit_history_collection
+
+
+def is_gemini_configured() -> bool:
+    return bool(os.getenv("GOOGLE_API_KEY"))
+
+
+def _get_model():
+    api_key = os.getenv("GOOGLE_API_KEY")
+    genai.configure(api_key=api_key)
+    model_name = os.getenv("AUDIT_GEMINI_MODEL", "gemini-2.5-pro")
+    return genai.GenerativeModel(model_name)
+```
+
+Key functions:
+
+| Function | Purpose |
+|----------|---------|
+| `is_gemini_configured()` | Checks `GOOGLE_API_KEY` env var |
+| `analyze_single_agent(agent_name, system_prompt, tools, description, model_name, author)` | Builds prompt with category definitions, calls Gemini, parses JSON response |
+| `run_audit_batch(agents, concurrency=3)` | `asyncio.Semaphore` for rate-limit-safe parallel processing |
+| `store_audit_result(agent_id, audit_data)` | `$set` on agent doc + insert into `audit_history` |
+| `get_all_audit_results()` | Query agents with audit fields |
+| `update_audit_review(agent_id, status, notes, reviewer_info)` | Mark as reviewed/cleared |
+
+**Gemini Prompt Design:**
+
+System instruction:
+```
+You are an AI agent compliance analyst. Classify AI agents based on their system prompts
+and tool configurations into risk categories.
+
+Respond ONLY with valid JSON matching this schema:
+{
+  "category": "1" | "1B" | "2" | "3",
+  "category_reasoning": "string",
+  "flags": ["array", "of", "strings"],
+  "summary": "2-3 sentence analysis",
+  "recommendations": "which team(s) should review and why",
+  "risk_level": "low" | "medium" | "high" | "critical"
+}
+
+CATEGORY DEFINITIONS:
+Cat 1 - Internal Sandbox/Experimentation (Oliver AI Sandbox, behind the scenes, needs IT/Compliance)
+Cat 1B - High Cost Internal (may incur large cost, not Cat 2 or 3)
+Cat 2 - Client-Exposed Not Sold (Pencil platform, exposed to clients, needs Legal)
+Cat 3 - Client-Sold (Pencil platform, sold to clients, needs Commercial team)
+
+RISK LEVELS:
+- low: Internal-only, limited capabilities
+- medium: Internal with external tool access or moderate cost
+- high: Client-facing or accesses sensitive data
+- critical: Client-sold or handles financial/legal/PII data
+
+FLAGS TO CONSIDER:
+internal_only, experimental, sandbox, client_facing, pencil_platform,
+revenue_generating, not_for_sale, uses_external_tools, uses_code_interpreter,
+uses_file_search, accesses_sensitive_data, handles_pii, high_cost,
+resource_intensive, legal_review_needed, commercial_review_needed,
+compliance_review_needed, no_instructions
+```
+
+User prompt per agent:
+```
+Analyze this AI agent:
+
+AGENT NAME: {name}
+DESCRIPTION: {description}
+MODEL: {model}
+AUTHOR: {author}
+
+SYSTEM PROMPT / INSTRUCTIONS:
+---
+{system_prompt}
+---
+
+TOOLS: {tools_list}
+TOOL RESOURCES: {tool_resources}
+ACTIONS: {actions}
+```
+
+**Concurrency**: `asyncio.Semaphore(3)` — configurable via `AUDIT_CONCURRENCY` env var. ~50 agents completes in ~50-85 seconds.
+
+**Error handling per agent**: Wrap each call in try/except. On failure, return `{"error": "...", "agent_name": "..."}`. Parse JSON response with regex fallback if needed. All audited agents start with `audit_status = "flagged"`.
+
+### 5. MODIFY: `main.py` — 3 new endpoints + collector update
+
+**A. Update `map_agent_collector_to_internal()`** to pass through `system_prompt`:
+
+Add to the mapping dict:
+```python
+"system_prompt": collector_data.system_prompt,
+```
+
+**B. Update `create_agent_response()`** to include audit fields:
+
+Add to the response construction:
+```python
+audit_status=agent.get("audit_status"),
+audit_date=agent.get("audit_date"),
+system_prompt=agent.get("system_prompt"),
+```
+
+**C. Add 3 new admin-only endpoints** (after the analytics endpoint, ~line 1163):
+
+| Endpoint | Method | Purpose |
+|----------|--------|---------|
+| `POST /api/admin/audit/run` | POST | Reads stored `system_prompt` from agent docs, sends to Gemini. Optional `agent_id` body param for single agent. Returns `{status, total, audited_count, failed_count, skipped_count, results_summary}`. |
+| `GET /api/admin/audit/results` | GET | Returns all agents with audit data + `config_status: {gemini_configured: bool}`. |
+| `PUT /api/admin/audit/{agent_id}/review` | PUT | Admin marks agent as reviewed/cleared with optional `reviewer_notes`. |
+
+Pre-flight check: `POST /api/admin/audit/run` returns 503 if `GOOGLE_API_KEY` not set.
+
+### 6. MODIFY: `templates/admin/dashboard.html` — Add Prompt Audit tab
+
+**A. New tab** (4th tab, after Agents Management):
+```html
+<li class="nav-item">
+  <a class="nav-link" id="audit-tab" data-bs-toggle="tab" href="#audit">
+    <i class="fas fa-shield-alt me-2"></i>Prompt Audit
+    <span class="badge bg-danger ms-1" id="auditFlaggedBadge" style="display:none;">0</span>
+  </a>
+</li>
+```
+
+**B. Tab content layout:**
+```
+Row 1: Header + [Run Audit] button (with spinner loading state)
+Row 2: Summary cards — Audited | Flagged | Reviewed | Cleared | No Prompt
+Row 3: Filters — [Category ▼] [Risk Level ▼] [Status ▼] [Search...]
+Row 4: Results table:
+        Agent Name | Category | Risk Level | Flags | Status | Last Audited | Actions
+Row 5: Agents without prompts notice (collapsible)
+```
+
+**C. Audit Detail Modal:**
+- Agent name + basic info header
+- LLM analysis summary
+- Category badge + reasoning
+- Flags list (as badges)
+- Recommendations text
+- System prompt (collapsible `<pre>` block, can be long)
+- Tools config (collapsible)
+- Review controls: status dropdown (flagged/reviewed/cleared) + notes textarea + Save button
+- Review history trail (who reviewed, when)
+
+**D. JavaScript functions:**
+
+| Function | Purpose |
+|----------|---------|
+| `loadAuditResults()` | `GET /api/admin/audit/results` → populate table + summary cards + flagged badge count |
+| `runAudit(agentId?)` | `POST /api/admin/audit/run` with loading spinner. Disable button during run. On complete, show summary alert + reload results. |
+| `displayAuditResults(agents)` | Render table rows with color-coded badges |
+| `showAuditDetail(agentId)` | Open detail modal with full analysis |
+| `submitAuditReview(agentId)` | `PUT /api/admin/audit/{id}/review` → reload results |
+| `filterAuditResults()` | Client-side filtering by category, risk, status, search text |
+
+Wire up:
+- `DOMContentLoaded` → call `loadAuditResults()` alongside existing `loadAdminData()` and `loadAnalytics()`
+- Refresh button → also call `loadAuditResults()`
+
+**E. CSS additions:**
+```css
+.risk-critical { background-color: #dc3545; color: white; }
+.risk-high { background-color: #fd7e14; color: white; }
+.risk-medium { background-color: #ffc107; color: #212529; }
+.risk-low { background-color: #28a745; color: white; }
+
+.cat-1 { background-color: #28a745; color: white; }
+.cat-1b { background-color: #17a2b8; color: white; }
+.cat-2 { background-color: #6f42c1; color: white; }
+.cat-3 { background-color: #dc3545; color: white; }
+
+.audit-status-flagged { border-left: 4px solid #dc3545; }
+.audit-status-reviewed { border-left: 4px solid #ffc107; }
+.audit-status-cleared { border-left: 4px solid #28a745; }
+```
+
+**F. Config warning:** If `config_status.gemini_configured` is false in the results response, show an info card explaining that `GOOGLE_API_KEY` needs to be set, and hide the Run Audit button.
+
+## Environment Variables
+
+Add to `.env`:
+```
+GOOGLE_API_KEY=AIzaSyDMWN_PAnyU7bPmtWcEKq4LJfiu1KuwUsU
+AUDIT_GEMINI_MODEL=gemini-2.5-pro     # default, configurable
+AUDIT_CONCURRENCY=3                    # concurrent Gemini API calls
+```
+
+## Error Handling
+
+| Scenario | Handling |
+|----------|---------|
+| `GOOGLE_API_KEY` not set | 503 with message; UI shows config warning, hides Run button |
+| Agent has no `system_prompt` | Skip during audit, count as "skipped", show in "No Prompt" card |
+| Gemini API auth failure | Abort batch, return 503 |
+| Gemini rate limit | Retry with backoff; semaphore limits concurrency; mark agent as failed |
+| Prompt too long | Gemini 2.5 Pro has 1M token limit — unlikely to hit; truncate at 900K chars if needed |
+| JSON parse failure from Gemini | Regex extraction fallback `\{[\s\S]*\}`; if fails, store raw text as summary |
+| Partial failures | Continue processing remaining agents; report success/fail/skipped counts |
+
+## Design Decisions
+
+- **Prompts via agent-sync** — no second DB connection needed, reuses existing infrastructure
+- **All audited agents start as "flagged"** — admin must explicitly review/clear each
+- **Synchronous HTTP request** for v1 — admin waits with spinner (~30-120s for full audit)
+- **Gemini 2.5 Pro** — fast, 1M token context window, reuses existing Google API key
+- **Separate from quality_audit_status** — that's a manual human checkbox; this is automated analysis. They coexist.
+- **audit_history_collection** — historical record of each audit run
+
+## Implementation Order
+
+1. `requirements.txt` — add `google-generativeai`
+2. `database.py` — add `audit_history_collection` + indexes
+3. `models.py` — add `system_prompt` to collector model, audit fields to response, `AuditReviewRequest`
+4. `audit_analyzer.py` — new file (Gemini analysis + result storage)
+5. `main.py` — update collector mapping + `create_agent_response()` + add 3 audit endpoints
+6. `templates/admin/dashboard.html` — Prompt Audit tab (HTML, JS, CSS)
+
+## Verification
+
+1. Add `GOOGLE_API_KEY` to `.env`
+2. `pip install -r requirements.txt`
+3. `uvicorn main:app --reload --port 8000`
+4. Login as admin → `/admin` → click "Prompt Audit" tab
+5. Before agent-sync runs: agents show as "No prompt available"
+6. After agent-sync (with instructions included): `system_prompt` appears on agent docs
+7. Click "Run Audit" → spinner → results populate with category/risk/flags badges
+8. Click detail on an agent → see full LLM analysis + raw system prompt
+9. Mark as "Reviewed" with notes → status updates, reviewer trail shows
+10. Refresh → all data persists
+11. Test without `GOOGLE_API_KEY` → config warning shown gracefully
+
+## Files Changed Summary (for deployment)
+
+| File | Change |
+|------|--------|
+| `audit_analyzer.py` | **New file** |
+| `database.py` | Add collection + indexes |
+| `models.py` | Add fields + new model |
+| `main.py` | Update collector mapping + 3 new endpoints |
+| `templates/admin/dashboard.html` | Add Prompt Audit tab |
+| `requirements.txt` | Add `google-generativeai` |
+
+---
+
+# Phase 2: Read-Only Admin, Client Verification & Daily Digest
+
+## 1. Read-Only Admin Role
+
+### Problem
+Currently only two roles exist: `user` and `admin`. There's a need for users who can **view** the admin dashboard but not modify anything.
+
+### Solution
+Add a third role: `readonly_admin`.
+
+**A. Data Model Changes (`models.py`)**
+- Update `UserCreate` and user handling to support `role` values: `user`, `admin`, `readonly_admin`
+
+**B. Auth Changes (`auth.py` / `main.py`)**
+- Add `require_admin_or_readonly()` dependency — allows access to admin dashboard GET routes
+- Existing `require_admin()` stays as-is for write operations (create/update/delete)
+- `readonly_admin` users:
+  - Can access `/admin` dashboard and view all tabs
+  - Cannot run audits, edit agents, edit users, approve verifications, or perform any write action
+  - UI hides action buttons (edit, delete, approve, Run Audit) for readonly users
+
+**C. User Management UI (`templates/admin/dashboard.html`)**
+- In the user edit modal, add a role dropdown: `User` | `Admin` | `Read-Only Admin`
+- Admin can change any user's role (except their own demotion from admin)
+
+**D. API Changes (`main.py`)**
+- `GET /admin` → allow `admin` + `readonly_admin`
+- All `POST/PUT/DELETE` admin endpoints → require `admin` only (no change)
+- `GET /api/admin/*` data endpoints → allow `admin` + `readonly_admin`
+- New endpoint: `PUT /api/users/{user_id}/role` — admin-only, sets role
+
+---
+
+## 2. Client Verification System
+
+### Problem
+Agents created for clients need a verification step before they're considered approved for use.
+
+### Solution
+Add a `verification_status` field to agents and a verification workflow.
+
+**A. Data Model Changes (`models.py`)**
+- Add to `AiAgent` / `AiAgentResponse`:
+  - `client: Optional[str] = None` — `"yes"` or `"no"`
+  - `client_name: Optional[str] = None` — free text, required when `client == "yes"`
+  - `studio_name: Optional[str] = None` — free text, not mandatory
+  - `verification_status: Optional[str] = None` — `"needs_verification"` | `"verified"` | `None`
+  - `verified_by: Optional[str] = None` — user who verified
+  - `verified_date: Optional[str] = None` — when verified
+- Add to `AiAgentCreate`:
+  - `client: str` (mandatory, `"yes"` or `"no"`)
+  - `client_name: Optional[str] = None`
+  - `studio_name: Optional[str] = None`
+- Add to `AgentCollectorCreate`:
+  - `client: Optional[str] = None`
+  - `client_name: Optional[str] = None`
+  - `studio_name: Optional[str] = None`
+
+**B. Registration Form (`templates/agent_register.html`)**
+
+Reorder form fields to:
+1. **Agent Name** (mandatory)
+2. **Description** (stays the same)
+3. **Purpose** (stays the same)
+4. **Client** — dropdown: `Yes` / `No` (mandatory)
+   - 4a. If `Yes` → show a text input for **Client Name** (mandatory when visible)
+5. **Studio Name** — free text (not mandatory)
+6. **Tool** (stays the same)
+7. *...rest of form continues from Version, Status, etc.*
+
+JavaScript: toggle `client_name` field visibility based on `client` dropdown value.
+
+**C. Auto-Tagging Logic**
+- When `client == "yes"` on agent creation → set `verification_status = "needs_verification"`
+- When `client == "no"` or not set → `verification_status` remains `None`
+
+**D. Verification Tab on Admin Dashboard (`templates/admin/dashboard.html`)**
+
+New tab: **Verification** (between Agents Management and Prompt Audit tabs)
+```
+Tab content:
+- Header: "Agents Pending Verification"
+- Table: Agent Name | Client Name | Studio | Created By | Date Created | Status | Action
+- Each row with status "needs_verification" shows an [Approve ✓] button
+- Clicking Approve → calls PUT /api/admin/agents/{id}/verify → status changes to "verified"
+- Verified agents move to a collapsible "Recently Verified" section below
+- Filter: Show All | Needs Verification | Verified
+```
+
+**E. API Endpoints (`main.py`)**
+- `PUT /api/admin/agents/{agent_id}/verify` — admin-only, sets `verification_status = "verified"`, records `verified_by` and `verified_date`
+- `GET /api/admin/agents/pending-verification` — returns agents where `verification_status == "needs_verification"`
+
+**F. Agent Card Display**
+- Show verification badge on agent cards:
+  - `needs_verification` → orange badge: "Needs Verification"
+  - `verified` → green badge: "Verified"
+  - `None` → no badge (non-client agents)
+
+---
+
+## 3. Client Agent Email Notification
+
+### Problem
+When a client-facing agent is created, stakeholders need to be notified immediately.
+
+### Solution
+Trigger an email via Mailgun when `client == "yes"` on agent creation.
+
+**A. Mailgun Configuration (`.env`)**
+```
+MAILGUN_API_KEY=4fccfbb0606b55852d243fc848f0356c-c6620443-faf31917
+MAILGUN_DOMAIN=mg.oliver.solutions
+MAILGUN_FROM_EMAIL=AgentHub <noreply@mg.oliver.solutions>
+CLIENT_AGENT_NOTIFY_EMAILS=EstellevanHeerden@oliver.agency
+```
+
+Note: `CLIENT_AGENT_NOTIFY_EMAILS` is a comma-separated list, making it easy to add recipients later.
+
+**B. Notification Logic (`notifications.py`)**
+
+New function: `send_client_agent_notification(agent_data: dict)`
+- **Trigger**: Called from the agent creation endpoint when `client == "yes"`
+- **Subject**: `Client Agent Created`
+- **Body** (HTML email):
+  ```
+  A new client-facing agent has been created and requires verification.
+
+  Agent Name: {agent_name}
+  Description: {description}
+  Purpose: {purpose}
+  Client: Yes
+  Client Name: {client_name}
+  Studio Name: {studio_name or "N/A"}
+  Tool: {tool}
+  Created By: {user_email}
+
+  Please review this agent in AgentHub.
+  ```
+- **To**: `CLIENT_AGENT_NOTIFY_EMAILS` env var (comma-split)
+- **Non-blocking**: Failure does not break agent creation (try/except, log warning)
+
+**C. Mailgun API Call**
+Uses existing `send_mailgun_email()` pattern from `notifications.py`:
+```
+POST https://api.mailgun.net/v3/mg.oliver.solutions/messages
+Auth: api:{MAILGUN_API_KEY}
+Form data: from, to, subject, html
+```
+
+---
+
+## 4. Daily Agent Digest Email
+
+### Problem
+Admins need a daily summary of all agents created in the last 24 hours for quick scanning.
+
+### Solution
+A scheduled daily email summarising new agents.
+
+**A. New Function (`notifications.py`)**
+
+`send_daily_agent_digest()`
+- **Query**: Find all agents with `created_date` in the last 24 hours
+- **Subject**: `Agents Created Last 24 Hours`
+- **Body** (HTML email, kept short and scannable):
+  ```
+  {count} agent(s) created in the last 24 hours:
+
+  ┌──────────────────────────────────────────────────┐
+  │ 1. Agent Name                                    │
+  │    Purpose: Brief purpose text                   │
+  │    Description: Brief description text           │
+  │    Created by: user@email.com                    │
+  │                                                  │
+  │ 2. Agent Name                                    │
+  │    Purpose: ...                                  │
+  │    Description: ...                              │
+  │    Created by: ...                               │
+  └──────────────────────────────────────────────────┘
+
+  View full details at {AGENTHUB_URL}/admin
+  ```
+- **To**: All active admin users (query `users` collection for `role == "admin"`)
+- **If no agents created**: Skip sending (don't send empty digest)
+
+**B. Scheduling**
+
+Option: Use `apscheduler` (add to `requirements.txt`):
+```python
+from apscheduler.schedulers.asyncio import AsyncIOScheduler
+
+scheduler = AsyncIOScheduler()
+scheduler.add_job(send_daily_agent_digest, 'cron', hour=7, minute=0)  # 7:00 AM daily
+scheduler.start()
+```
+
+Wire into FastAPI `startup` event in `main.py`.
+
+Alternatively, can be triggered via a cron job calling a new admin endpoint:
+- `POST /api/admin/digest/send` — admin-only, manually trigger the digest
+
+**C. Configuration (`.env`)**
+```
+DAILY_DIGEST_HOUR=7          # Hour to send (24h format), default 7
+DAILY_DIGEST_TIMEZONE=UTC    # Timezone, default UTC
+```
+
+---
+
+## Implementation Order (Phase 2)
+
+1. **Models** — Add `client`, `client_name`, `studio_name`, `verification_status`, `verified_by`, `verified_date` fields; update `role` to support `readonly_admin`
+2. **Database** — Add index on `verification_status`
+3. **Auth** — Add `require_admin_or_readonly()` dependency
+4. **Registration Form** — Reorder fields, add Client dropdown with conditional Client Name, add Studio Name
+5. **CRUD/main.py** — Auto-tag verification status on creation, add verification + role endpoints
+6. **Notifications** — Client agent email + daily digest function
+7. **Admin Dashboard** — Verification tab, role dropdown in user edit, readonly UI gating
+8. **Scheduler** — Wire up daily digest (apscheduler or cron endpoint)
+
+## Files Changed Summary (Phase 2)
+
+| File | Change |
+|------|--------|
+| `models.py` | Add client/verification/studio fields, readonly_admin role support |
+| `database.py` | Add index on `verification_status` |
+| `auth.py` | Add `require_admin_or_readonly()` |
+| `crud.py` | Verification queries, daily digest query |
+| `main.py` | Verification endpoints, role endpoint, digest endpoint, auth updates |
+| `notifications.py` | Client agent notification, daily digest email |
+| `templates/agent_register.html` | Reorder form, add Client/Studio fields |
+| `templates/admin/dashboard.html` | Verification tab, role dropdown, readonly gating |
+| `requirements.txt` | Add `apscheduler` (if using scheduler approach) |
+| `.env` | Add `CLIENT_AGENT_NOTIFY_EMAILS`, `DAILY_DIGEST_HOUR`, `DAILY_DIGEST_TIMEZONE` |
+
+## Verification (Phase 2)
+
+1. Create a user with `readonly_admin` role → confirm they can view `/admin` but all action buttons are hidden
+2. Register agent with Client = Yes, Client Name = "Test Client" → confirm `verification_status = "needs_verification"` and email sent to configured address
+3. Register agent with Client = No → confirm no verification tag, no email
+4. Admin dashboard → Verification tab → approve an agent → confirm status changes to "verified" with badge update
+5. Wait for scheduled time (or trigger manually) → confirm daily digest email arrives with correct agent list
+6. Test with no agents created → confirm no email sent
+
+---
+
+## Dependency on Agent-Sync
+
+This plan requires the agent-sync changes to be deployed (removing the `instructions` exclusion and adding `system_prompt` to the payload). Without it, agents will have no `system_prompt` stored and the audit will skip all agents. The audit tab will still load and show the "No Prompt" count gracefully.
diff --git a/crud.py b/crud.py
index 3f3bb8f..4ad31a2 100644
--- a/crud.py
+++ b/crud.py
@@ -218,20 +218,142 @@ async def search_agents(search_term: str, user_id: str = None):
     
     return await agents_collection.find(query).sort("created_at", -1).to_list(length=None)
 
-async def get_agent_stats():
+async def get_agent_stats(discipline_filter: str = None):
     """Get agent statistics"""
-    pipeline = [
-        {
-            "$group": {
-                "_id": "$agent_status",
-                "count": {"$sum": 1}
-            }
+    pipeline = []
+    if discipline_filter:
+        pipeline.append({"$match": {"discipline": discipline_filter}})
+    pipeline.append({
+        "$group": {
+            "_id": "$agent_status",
+            "count": {"$sum": 1}
         }
-    ]
-    
+    })
+
     stats = await agents_collection.aggregate(pipeline).to_list(length=None)
     return {stat["_id"]: stat["count"] for stat in stats}
 
+async def get_analytics_summary(status_filter: str = None, discipline_filter: str = None):
+    """Get aggregated analytics summary across all agents"""
+    match_filter = {}
+    if status_filter:
+        match_filter["agent_status"] = status_filter
+    if discipline_filter:
+        match_filter["discipline"] = discipline_filter
+
+    pipeline = []
+    if match_filter:
+        pipeline.append({"$match": match_filter})
+    pipeline.append({
+        "$group": {
+            "_id": None,
+            "total_messages": {"$sum": {"$ifNull": ["$total_messages", 0]}},
+            "total_tokens": {"$sum": {"$ifNull": ["$total_tokens", 0]}},
+            "prompt_tokens": {"$sum": {"$ifNull": ["$prompt_tokens", 0]}},
+            "completion_tokens": {"$sum": {"$ifNull": ["$completion_tokens", 0]}},
+            "conversation_count": {"$sum": {"$ifNull": ["$conversation_count", 0]}},
+            "unique_users": {"$sum": {"$ifNull": ["$unique_users", 0]}},
+        }
+    })
+    results = await agents_collection.aggregate(pipeline).to_list(length=1)
+    if results:
+        r = results[0]
+        del r["_id"]
+        return r
+    return {
+        "total_messages": 0, "total_tokens": 0, "prompt_tokens": 0,
+        "completion_tokens": 0, "conversation_count": 0, "unique_users": 0,
+    }
+
+async def get_discipline_breakdown(status_filter: str = None):
+    """Group agents by discipline field"""
+    pipeline = []
+    if status_filter:
+        pipeline.append({"$match": {"agent_status": status_filter}})
+    pipeline.append({"$group": {"_id": "$discipline", "count": {"$sum": 1}}})
+    results = await agents_collection.aggregate(pipeline).to_list(length=None)
+    return {(r["_id"] or "Unassigned"): r["count"] for r in results}
+
+async def get_aggregated_usage_timeline(limit_days: int = 90, status_filter: str = None, discipline_filter: str = None):
+    """Aggregate usage_timeline across all agents for system-wide daily totals"""
+    match_filter = {"usage_timeline": {"$exists": True, "$ne": []}}
+    if status_filter:
+        match_filter["agent_status"] = status_filter
+    if discipline_filter:
+        match_filter["discipline"] = discipline_filter
+
+    pipeline = [
+        {"$match": match_filter},
+        {"$unwind": "$usage_timeline"},
+        {
+            "$group": {
+                "_id": "$usage_timeline.date",
+                "message_count": {"$sum": {"$ifNull": ["$usage_timeline.message_count", 0]}},
+                "token_count": {"$sum": {"$ifNull": ["$usage_timeline.token_count", 0]}},
+            }
+        },
+        {"$sort": {"_id": 1}},
+        {"$limit": limit_days},
+    ]
+    results = await agents_collection.aggregate(pipeline).to_list(length=None)
+    return [{"date": r["_id"], "message_count": r["message_count"], "token_count": r["token_count"]} for r in results]
+
+async def get_top_agents(sort_field: str, limit: int = 5, status_filter: str = None, discipline_filter: str = None):
+    """Return top N agents by a given numeric field"""
+    match_filter = {sort_field: {"$exists": True, "$ne": None, "$gt": 0}}
+    if status_filter:
+        match_filter["agent_status"] = status_filter
+    if discipline_filter:
+        match_filter["discipline"] = discipline_filter
+
+    pipeline = [
+        {"$match": match_filter},
+        {"$sort": {sort_field: -1}},
+        {"$limit": limit},
+        {
+            "$project": {
+                "agent_name": 1,
+                "agent_status": 1,
+                "discipline": 1,
+                "total_messages": 1,
+                "total_tokens": 1,
+                "last_used": 1,
+            }
+        },
+    ]
+    results = await agents_collection.aggregate(pipeline).to_list(length=None)
+    for r in results:
+        r["_id"] = str(r["_id"])
+    return results
+
+async def get_recently_active_agents(limit: int = 10, status_filter: str = None, discipline_filter: str = None):
+    """Return recently active agents sorted by last_used"""
+    match_filter = {"last_used": {"$exists": True, "$ne": None}}
+    if status_filter:
+        match_filter["agent_status"] = status_filter
+    if discipline_filter:
+        match_filter["discipline"] = discipline_filter
+
+    pipeline = [
+        {"$match": match_filter},
+        {"$sort": {"last_used": -1}},
+        {"$limit": limit},
+        {
+            "$project": {
+                "agent_name": 1,
+                "agent_status": 1,
+                "discipline": 1,
+                "total_messages": 1,
+                "total_tokens": 1,
+                "last_used": 1,
+            }
+        },
+    ]
+    results = await agents_collection.aggregate(pipeline).to_list(length=None)
+    for r in results:
+        r["_id"] = str(r["_id"])
+    return results
+
 async def update_agent(agent_id: str, update_data: dict, user_id: str = None, admin_user_info: dict = None, last_edited_by: str = None):
     try:
         filter_query = {"_id": ObjectId(agent_id)}
diff --git a/database.py b/database.py
index c802dfb..2ace175 100644
--- a/database.py
+++ b/database.py
@@ -22,6 +22,7 @@ async def ensure_indexes():
             [("agent_id", 1), ("user_id", 1)],
             unique=True
         )
+        await agents_collection.create_index([("verification_status", 1)])
         print("Database indexes ensured successfully")
     except Exception as e:
         print(f"Warning: Failed to create indexes: {e}")
diff --git a/main.py b/main.py
index f7df4c9..5a36cfc 100644
--- a/main.py
+++ b/main.py
@@ -19,6 +19,7 @@ from fastapi import Header
 import csv
 import io
 import json
+import asyncio
 
 load_dotenv()
 
@@ -162,6 +163,14 @@ async def require_admin(current_user: dict = Depends(get_current_user_from_cooki
         raise HTTPException(status_code=403, detail="Admin access required")
     return current_user
 
+async def require_admin_or_readonly(current_user: dict = Depends(get_current_user_from_cookie)):
+    """Require admin or readonly_admin access"""
+    if current_user.get("is_admin"):
+        return current_user
+    if current_user.get("role") == "readonly_admin":
+        return current_user
+    raise HTTPException(status_code=403, detail="Admin access required")
+
 def sanitize_metadata(metadata: dict) -> dict[str, str]:
     """
     Sanitize agent metadata to ensure all values are strings.
@@ -228,6 +237,12 @@ def create_agent_response(agent: dict) -> models.AiAgentResponse:
         discipline=agent.get("discipline"),
         rating=agent.get("rating"),
         rating_count=agent.get("rating_count"),
+        client=agent.get("client"),
+        client_name=agent.get("client_name"),
+        studio_name=agent.get("studio_name"),
+        verification_status=agent.get("verification_status"),
+        verified_by=agent.get("verified_by"),
+        verified_date=agent.get("verified_date"),
         created_by=agent["created_by"],
         # Usage tracking fields
         usage_timeline=agent.get("usage_timeline"),
@@ -290,6 +305,9 @@ def map_agent_collector_to_internal(collector_data: models.AgentCollectorCreate)
         "agent_metadata": collector_data.metadata,
         "url": collector_data.url,
         "discipline": discipline,
+        "client": collector_data.client,
+        "client_name": collector_data.client_name,
+        "studio_name": collector_data.studio_name,
         # Usage tracking fields
         "usage_timeline": usage_timeline,
         "conversation_count": collector_data.conversation_count,
@@ -310,7 +328,8 @@ async def me(current_user: dict = Depends(get_current_user)):
         "email": current_user["email"],
         "full_name": current_user.get("full_name"),
         "is_active": current_user["is_active"],
-        "is_admin": current_user["is_admin"]
+        "is_admin": current_user["is_admin"],
+        "role": current_user.get("role", "admin" if current_user["is_admin"] else "user"),
     }
 
 @app.on_event("startup")
@@ -324,6 +343,23 @@ async def startup_event():
     if count > 0:
         print(f"Pencil Agents migration: updated {count} agent(s)")
 
+    # Start daily digest scheduler
+    try:
+        from apscheduler.schedulers.asyncio import AsyncIOScheduler
+        digest_hour = int(os.getenv("DAILY_DIGEST_HOUR", "7"))
+        scheduler = AsyncIOScheduler()
+        scheduler.add_job(
+            notifications.send_daily_agent_digest,
+            'cron',
+            hour=digest_hour,
+            minute=0,
+            id='daily_agent_digest',
+        )
+        scheduler.start()
+        print(f"Daily digest scheduler started (runs at {digest_hour}:00)")
+    except Exception as e:
+        print(f"Warning: Failed to start daily digest scheduler: {e}")
+
 # HTML Routes
 @app.get("/")
 async def home(request: Request):
@@ -344,7 +380,7 @@ async def home(request: Request):
     current_user = await get_current_user_optional(request)
     if current_user:
         # Redirect logged-in users appropriately
-        if current_user.get("is_admin"):
+        if current_user.get("is_admin") or current_user.get("role") == "readonly_admin":
             return RedirectResponse(url=get_app_url("admin"), status_code=303)
         else:
             return RedirectResponse(url=get_app_url("agent-management"), status_code=303)
@@ -441,9 +477,9 @@ async def login_form(
         # Create token (you can store this in session/cookie in a real app)
         token = auth.create_access_token({"sub": str(user["_id"])})
         
-        # Check if user is admin
-        if user.get("is_admin"):
-            # Admin goes to admin dashboard
+        # Check if user is admin or readonly_admin
+        if user.get("is_admin") or user.get("role") == "readonly_admin":
+            # Admin / readonly_admin goes to admin dashboard
             response = RedirectResponse(url=get_app_url("admin"), status_code=303)
         else:
             # Regular user goes to all agents page
@@ -589,6 +625,9 @@ async def agent_register_form(
     agent_tool: str = Form(...),
     agent_description: str = Form(None),
     agent_purpose: str = Form(None),
+    client: str = Form(...),
+    client_name: str = Form(None),
+    studio_name: str = Form(None),
     agent_version: str = Form(None),
     agent_status: str = Form("Development"),
     agent_location: str = Form(None),
@@ -606,9 +645,15 @@ async def agent_register_form(
         current_user = await get_current_user_optional(request)
         if not current_user:
             return RedirectResponse(url=get_app_url("login"), status_code=303)
-        
+
         user_id = str(current_user["_id"])
-        
+
+        # Validate client_name is provided when client is Yes
+        if client.lower() == "yes" and not client_name:
+            context = get_template_context(request, current_user)
+            context["error"] = "Client Name is required when Client is set to Yes."
+            return templates.TemplateResponse("agent_register.html", context)
+
         # Prepare agent data
         agent_data = {
             "agent_name": agent_name,
@@ -621,8 +666,15 @@ async def agent_register_form(
             "agent_department": agent_department,
             "agent_contact_person": agent_contact_person,
             "discipline": discipline,
+            "client": client.lower(),
+            "studio_name": studio_name,
         }
-        
+
+        # Handle client-specific fields
+        if client.lower() == "yes":
+            agent_data["client_name"] = client_name
+            agent_data["verification_status"] = "needs_verification"
+
         # Process tags, userbase, and capabilities (convert comma-separated to lists)
         if agent_tags:
             agent_data["agent_tags"] = [tag.strip() for tag in agent_tags.split(',') if tag.strip()]
@@ -630,7 +682,7 @@ async def agent_register_form(
             agent_data["agent_userbase"] = [user.strip() for user in agent_userbase.split(',') if user.strip()]
         if agent_capabilities:
             agent_data["agent_capabilities"] = [cap.strip() for cap in agent_capabilities.split(',') if cap.strip()]
-        
+
         # Handle Quality Audit - only admins can set it to True
         if quality_audit_status and current_user.get("is_admin"):
             # Admin is setting quality audit to true
@@ -639,32 +691,43 @@ async def agent_register_form(
             agent_data["quality_audit_updated_by"] = user_id
             agent_data["quality_audit_updated_at"] = datetime.utcnow().isoformat()
             agent_data["quality_audit_updated_by_name"] = current_user.get("full_name", current_user.get("email"))
-            
+
             # Validate Risk Factor when Quality Audit is checked
             if risk_factor is None or not (1 <= risk_factor <= 5):
                 context = get_template_context(request, current_user)
                 context["error"] = "Risk Factor (1-5) is required when Quality Audit is checked."
                 return templates.TemplateResponse("agent_register.html", context)
-            
+
             agent_data["risk_factor"] = risk_factor
         else:
             # Non-admin or quality audit not checked
             agent_data["quality_audit_status"] = False
             agent_data["risk_factor"] = None
-        
+
         # Remove None values
         agent_data = {k: v for k, v in agent_data.items() if v is not None}
-        
+
         # Create agent in database
         created_agent = await crud.create_agent(agent_data, user_id)
-        
+
+        # Send client agent notification if client is Yes (non-blocking)
+        if client.lower() == "yes":
+            try:
+                notification_data = {
+                    **agent_data,
+                    "created_by_email": current_user.get("email", "Unknown"),
+                }
+                notifications.send_client_agent_notification(notification_data)
+            except Exception as notify_err:
+                print(f"Client agent notification failed: {notify_err}")
+
         # Redirect to agent management with success message
         from urllib.parse import quote
         success_msg = quote(f"Agent '{agent_name}' registered successfully!")
         redirect_url = get_app_url(f"agent-management?success={success_msg}")
         print(f"DEBUG: Redirecting to: {redirect_url}")  # Debug line
         return RedirectResponse(
-            url=redirect_url, 
+            url=redirect_url,
             status_code=303
         )
         
@@ -745,7 +808,9 @@ async def agent_management_page(request: Request, view: Optional[str] = Query(No
 @app.get("/admin", response_class=HTMLResponse)
 async def admin_dashboard(request: Request):
     current_user = await get_current_user_optional(request)
-    if not current_user or not current_user.get("is_admin"):
+    if not current_user:
+        return RedirectResponse(url=get_app_url("login"), status_code=303)
+    if not current_user.get("is_admin") and current_user.get("role") != "readonly_admin":
         return RedirectResponse(url=get_app_url("login"), status_code=303)
     
     # Get statistics
@@ -1002,7 +1067,7 @@ async def toggle_admin_view(request: Request, current_user: dict = Depends(get_c
 
 # Admin endpoints
 @app.get("/api/admin/users", response_model=List[models.UserResponse])
-async def get_all_users(current_user: dict = Depends(require_admin)):
+async def get_all_users(current_user: dict = Depends(require_admin_or_readonly)):
 
     users = await crud.get_all_users()
     return [
@@ -1011,6 +1076,7 @@ async def get_all_users(current_user: dict = Depends(require_admin)):
             full_name=user.get("full_name"),
             is_active=user["is_active"],
             is_admin=user["is_admin"],
+            role=user.get("role", "admin" if user.get("is_admin") else "user"),
             auth_provider=user.get("auth_provider", "local")
         ) for user in users
     ]
@@ -1033,6 +1099,7 @@ async def admin_create_user(
             full_name=created_user.get("full_name"),
             is_active=created_user["is_active"],
             is_admin=created_user["is_admin"],
+            role=created_user.get("role", "admin" if created_user["is_admin"] else "user"),
             auth_provider=created_user.get("auth_provider", "local")
         )
     except ValueError as e:
@@ -1047,6 +1114,24 @@ async def update_user(email: str, user_update: models.UserUpdate, current_user:
 
     # Update the user
     update_data = user_update.model_dump(exclude_unset=True)
+
+    # Sync role and is_admin fields
+    if "role" in update_data:
+        role = update_data["role"]
+        if role == "admin":
+            update_data["is_admin"] = True
+        elif role == "readonly_admin":
+            update_data["is_admin"] = False
+        elif role == "user":
+            update_data["is_admin"] = False
+    elif "is_admin" in update_data:
+        if update_data["is_admin"]:
+            update_data["role"] = "admin"
+        else:
+            # Only reset to user if not already readonly_admin
+            if existing_user.get("role") != "readonly_admin":
+                update_data["role"] = "user"
+
     updated_user = await crud.update_user(str(existing_user["_id"]), update_data)
 
     if not updated_user:
@@ -1057,6 +1142,7 @@ async def update_user(email: str, user_update: models.UserUpdate, current_user:
         full_name=updated_user.get("full_name"),
         is_active=updated_user["is_active"],
         is_admin=updated_user["is_admin"],
+        role=updated_user.get("role", "admin" if updated_user["is_admin"] else "user"),
         auth_provider=updated_user.get("auth_provider", "local")
     )
 
@@ -1109,8 +1195,132 @@ async def change_password(
     except ValueError as e:
         raise HTTPException(status_code=400, detail=str(e))
 
+@app.get("/api/admin/agents/pending-verification")
+async def get_pending_verification(current_user: dict = Depends(require_admin_or_readonly)):
+    """Get agents pending verification"""
+    from database import agents_collection as ac
+    cursor = ac.find(
+        {"verification_status": {"$in": ["needs_verification", "verified"]}}
+    ).sort("created_at", -1)
+    agents = await cursor.to_list(length=None)
+    result = []
+    for agent in agents:
+        # Resolve creator email
+        created_by = agent.get("created_by", "")
+        created_by_email = created_by
+        if created_by and created_by != "agent_collector_api":
+            try:
+                from bson import ObjectId
+                creator = await crud.get_user_by_id(created_by)
+                if creator:
+                    created_by_email = creator.get("email", created_by)
+            except Exception:
+                pass
+        result.append({
+            "agent_id": str(agent["_id"]),
+            "agent_name": agent.get("agent_name"),
+            "client_name": agent.get("client_name"),
+            "studio_name": agent.get("studio_name"),
+            "created_by": created_by_email,
+            "created_at": agent["created_at"].isoformat() if agent.get("created_at") else None,
+            "verification_status": agent.get("verification_status"),
+            "verified_by": agent.get("verified_by"),
+            "verified_date": agent.get("verified_date"),
+        })
+    return result
+
+@app.put("/api/admin/agents/{agent_id}/verify")
+async def verify_agent(agent_id: str, current_user: dict = Depends(require_admin)):
+    """Approve/verify an agent (admin only)"""
+    from bson import ObjectId
+    from database import agents_collection as ac
+    agent = await crud.get_agent_by_id(agent_id)
+    if not agent:
+        raise HTTPException(status_code=404, detail="Agent not found")
+
+    result = await ac.update_one(
+        {"_id": ObjectId(agent_id)},
+        {"$set": {
+            "verification_status": "verified",
+            "verified_by": current_user.get("email", str(current_user["_id"])),
+            "verified_date": datetime.utcnow().isoformat(),
+            "updated_at": datetime.utcnow(),
+        }}
+    )
+    if result.modified_count:
+        return {"message": "Agent verified successfully"}
+    raise HTTPException(status_code=500, detail="Failed to verify agent")
+
+@app.post("/api/admin/digest/send")
+async def trigger_daily_digest(current_user: dict = Depends(require_admin)):
+    """Manually trigger the daily agent digest email"""
+    try:
+        await notifications.send_daily_agent_digest()
+        return {"message": "Daily digest sent successfully"}
+    except Exception as e:
+        raise HTTPException(status_code=500, detail=f"Failed to send digest: {str(e)}")
+
+@app.get("/api/admin/analytics")
+async def get_admin_analytics(
+    status: Optional[str] = None,
+    discipline: Optional[str] = None,
+    days: int = 90,
+    current_user: dict = Depends(require_admin_or_readonly),
+):
+    """Get analytics data for admin dashboard"""
+    (
+        summary,
+        status_breakdown,
+        discipline_breakdown,
+        usage_timeline,
+        top_by_messages,
+        top_by_tokens,
+        recently_active,
+        all_users,
+    ) = await asyncio.gather(
+        crud.get_analytics_summary(status_filter=status, discipline_filter=discipline),
+        crud.get_agent_stats(discipline_filter=discipline),
+        crud.get_discipline_breakdown(status_filter=status),
+        crud.get_aggregated_usage_timeline(days, status_filter=status, discipline_filter=discipline),
+        crud.get_top_agents("total_messages", 5, status_filter=status, discipline_filter=discipline),
+        crud.get_top_agents("total_tokens", 5, status_filter=status, discipline_filter=discipline),
+        crud.get_recently_active_agents(10, status_filter=status, discipline_filter=discipline),
+        crud.get_all_users(),
+    )
+
+    # Rating distribution: count agents in each star bucket (1-5)
+    all_agents = await crud.get_all_agents(status_filter=status)
+    filtered_agents = all_agents
+    if discipline:
+        filtered_agents = [a for a in all_agents if a.get("discipline") == discipline]
+    rating_dist = {1: 0, 2: 0, 3: 0, 4: 0, 5: 0}
+    for agent in filtered_agents:
+        r = agent.get("rating")
+        if r is not None:
+            bucket = max(1, min(5, round(r)))
+            rating_dist[bucket] += 1
+
+    total_users = len(all_users)
+    admin_users = sum(1 for u in all_users if u.get("is_admin"))
+    active_users = sum(1 for u in all_users if u.get("is_active"))
+
+    return {
+        "summary": summary,
+        "status_breakdown": status_breakdown,
+        "discipline_breakdown": discipline_breakdown,
+        "usage_timeline": usage_timeline,
+        "top_by_messages": top_by_messages,
+        "top_by_tokens": top_by_tokens,
+        "recently_active": recently_active,
+        "rating_distribution": rating_dist,
+        "total_users": total_users,
+        "admin_users": admin_users,
+        "active_users": active_users,
+        "total_agents": len(filtered_agents),
+    }
+
 @app.get("/api/admin/agents", response_model=List[models.AiAgentResponse])
-async def get_all_agents_admin(current_user: dict = Depends(require_admin)):
+async def get_all_agents_admin(current_user: dict = Depends(require_admin_or_readonly)):
 
     agents = await crud.get_all_agents()
     return [
diff --git a/models.py b/models.py
index b61ea03..4eeb951 100644
--- a/models.py
+++ b/models.py
@@ -53,12 +53,14 @@ class UserResponse(BaseModel):
     full_name: Optional[str] = None
     is_active: bool
     is_admin: bool
+    role: Optional[str] = "user"
     auth_provider: Optional[str] = "local"
 
 class UserUpdate(BaseModel):
     full_name: Optional[str] = None
     is_active: Optional[bool] = None
     is_admin: Optional[bool] = None
+    role: Optional[str] = Field(default=None, pattern="^(user|admin|readonly_admin)$")
 
 class Token(BaseModel):
     access_token: str
@@ -102,6 +104,9 @@ class AiAgentCreate(BaseModel):
     last_edited_by: Optional[str] = None
     discipline: Optional[str] = None
     rating: Optional[float] = Field(default=None, ge=1, le=5)
+    client: Optional[str] = None
+    client_name: Optional[str] = None
+    studio_name: Optional[str] = None
 
 class AiAgentResponse(BaseModel):
     agent_id: str
@@ -130,6 +135,12 @@ class AiAgentResponse(BaseModel):
     discipline: Optional[str] = None
     rating: Optional[float] = None
     rating_count: Optional[int] = None
+    client: Optional[str] = None
+    client_name: Optional[str] = None
+    studio_name: Optional[str] = None
+    verification_status: Optional[str] = None
+    verified_by: Optional[str] = None
+    verified_date: Optional[str] = None
     created_by: str
 
     # Usage tracking fields (new)
@@ -162,6 +173,9 @@ class AgentCollectorCreate(BaseModel):
     metadata: Optional[dict] = None
     url: Optional[str] = None
     discipline: Optional[str] = None
+    client: Optional[str] = None
+    client_name: Optional[str] = None
+    studio_name: Optional[str] = None
 
     # Usage tracking fields (new)
     usage_timeline: Optional[List[UsageTimelineEntry]] = None
diff --git a/notifications.py b/notifications.py
index 3a75c49..75ca028 100644
--- a/notifications.py
+++ b/notifications.py
@@ -1,7 +1,7 @@
 import os
 import requests
 from datetime import datetime, timedelta
-from database import notifications_collection, users_collection
+from database import notifications_collection, users_collection, agents_collection
 
 
 def is_mailgun_configured() -> bool:
@@ -105,3 +105,164 @@ async def check_and_notify_threshold(agent_name: str, total_tokens: int):
         "success": success,
         "sent_at": datetime.utcnow(),
     })
+
+
+def build_client_agent_email(agent_data: dict) -> str:
+    """Build HTML email body for a client agent creation notification."""
+    return f"""
+    <html>
+    <body style="font-family: Arial, sans-serif; max-width: 600px; margin: 0 auto;">
+        <div style="background: linear-gradient(135deg, #6f42c1, #5a32a3); padding: 20px; border-radius: 8px 8px 0 0;">
+            <h2 style="color: white; margin: 0;">Client Agent Created</h2>
+        </div>
+        <div style="padding: 20px; border: 1px solid #e2e8f0; border-top: none; border-radius: 0 0 8px 8px;">
+            <p>A new client-facing agent has been created and requires verification.</p>
+            <table style="width: 100%; border-collapse: collapse; margin: 16px 0;">
+                <tr>
+                    <td style="padding: 8px; font-weight: bold; border-bottom: 1px solid #eee;">Agent Name</td>
+                    <td style="padding: 8px; border-bottom: 1px solid #eee;">{agent_data.get('agent_name', 'N/A')}</td>
+                </tr>
+                <tr>
+                    <td style="padding: 8px; font-weight: bold; border-bottom: 1px solid #eee;">Description</td>
+                    <td style="padding: 8px; border-bottom: 1px solid #eee;">{agent_data.get('agent_description', 'N/A')}</td>
+                </tr>
+                <tr>
+                    <td style="padding: 8px; font-weight: bold; border-bottom: 1px solid #eee;">Purpose</td>
+                    <td style="padding: 8px; border-bottom: 1px solid #eee;">{agent_data.get('agent_purpose', 'N/A')}</td>
+                </tr>
+                <tr>
+                    <td style="padding: 8px; font-weight: bold; border-bottom: 1px solid #eee;">Client</td>
+                    <td style="padding: 8px; border-bottom: 1px solid #eee;">Yes</td>
+                </tr>
+                <tr>
+                    <td style="padding: 8px; font-weight: bold; border-bottom: 1px solid #eee;">Client Name</td>
+                    <td style="padding: 8px; border-bottom: 1px solid #eee;">{agent_data.get('client_name', 'N/A')}</td>
+                </tr>
+                <tr>
+                    <td style="padding: 8px; font-weight: bold; border-bottom: 1px solid #eee;">Studio Name</td>
+                    <td style="padding: 8px; border-bottom: 1px solid #eee;">{agent_data.get('studio_name', 'N/A')}</td>
+                </tr>
+                <tr>
+                    <td style="padding: 8px; font-weight: bold; border-bottom: 1px solid #eee;">Tool</td>
+                    <td style="padding: 8px; border-bottom: 1px solid #eee;">{agent_data.get('agent_tool', 'N/A')}</td>
+                </tr>
+                <tr>
+                    <td style="padding: 8px; font-weight: bold; border-bottom: 1px solid #eee;">Created By</td>
+                    <td style="padding: 8px; border-bottom: 1px solid #eee;">{agent_data.get('created_by_email', 'N/A')}</td>
+                </tr>
+            </table>
+            <p style="color: #666; font-size: 0.9em;">
+                Please review this agent in AgentHub.
+            </p>
+        </div>
+    </body>
+    </html>
+    """
+
+
+def send_client_agent_notification(agent_data: dict):
+    """Send email notification when a client-facing agent is created. Non-blocking."""
+    if not is_mailgun_configured():
+        return
+
+    notify_emails_str = os.getenv("CLIENT_AGENT_NOTIFY_EMAILS", "")
+    if not notify_emails_str:
+        return
+
+    to_emails = [e.strip() for e in notify_emails_str.split(",") if e.strip()]
+    if not to_emails:
+        return
+
+    try:
+        subject = "Client Agent Created"
+        html_body = build_client_agent_email(agent_data)
+        send_mailgun_email(to_emails, subject, html_body)
+    except Exception as e:
+        print(f"Failed to send client agent notification: {e}")
+
+
+def build_daily_digest_email(agents: list) -> str:
+    """Build HTML email body for the daily agent digest."""
+    rows = ""
+    for i, agent in enumerate(agents, 1):
+        rows += f"""
+        <tr style="border-bottom: 1px solid #eee;">
+            <td style="padding: 10px; vertical-align: top; font-weight: bold; color: #333;">{i}.</td>
+            <td style="padding: 10px;">
+                <strong>{agent.get('agent_name', 'N/A')}</strong><br>
+                <span style="color: #555;">Purpose: {agent.get('agent_purpose', 'N/A')}</span><br>
+                <span style="color: #555;">Description: {agent.get('agent_description', 'N/A')}</span><br>
+                <span style="color: #888; font-size: 0.9em;">Created by: {agent.get('created_by_email', 'N/A')}</span>
+            </td>
+        </tr>"""
+
+    return f"""
+    <html>
+    <body style="font-family: Arial, sans-serif; max-width: 600px; margin: 0 auto;">
+        <div style="background: linear-gradient(135deg, #2d6a4f, #40916c); padding: 20px; border-radius: 8px 8px 0 0;">
+            <h2 style="color: white; margin: 0;">Agents Created Last 24 Hours</h2>
+        </div>
+        <div style="padding: 20px; border: 1px solid #e2e8f0; border-top: none; border-radius: 0 0 8px 8px;">
+            <p>{len(agents)} agent(s) created in the last 24 hours:</p>
+            <table style="width: 100%; border-collapse: collapse; margin: 16px 0;">
+                {rows}
+            </table>
+            <p style="color: #666; font-size: 0.9em;">
+                View full details in the AgentHub admin dashboard.
+            </p>
+        </div>
+    </body>
+    </html>
+    """
+
+
+async def send_daily_agent_digest():
+    """Send daily digest of agents created in the last 24 hours to all admins."""
+    if not is_mailgun_configured():
+        print("Daily digest: Mailgun not configured, skipping.")
+        return
+
+    cutoff = datetime.utcnow() - timedelta(hours=24)
+
+    # Find agents created in last 24 hours
+    cursor = agents_collection.find(
+        {"created_at": {"$gte": cutoff}},
+        {"agent_name": 1, "agent_purpose": 1, "agent_description": 1, "created_by": 1}
+    ).sort("created_at", -1)
+    agents = await cursor.to_list(length=None)
+
+    if not agents:
+        print("Daily digest: No agents created in last 24 hours, skipping.")
+        return
+
+    # Resolve creator emails
+    for agent in agents:
+        created_by = agent.get("created_by", "")
+        if created_by == "agent_collector_api":
+            agent["created_by_email"] = "Agent Collector API"
+        else:
+            try:
+                from bson import ObjectId
+                user = await users_collection.find_one({"_id": ObjectId(created_by)}, {"email": 1})
+                agent["created_by_email"] = user["email"] if user else created_by
+            except Exception:
+                agent["created_by_email"] = created_by
+
+    # Get admin emails
+    admin_cursor = users_collection.find(
+        {"is_admin": True, "is_active": True},
+        {"email": 1},
+    )
+    admin_emails = [doc["email"] async for doc in admin_cursor]
+    if not admin_emails:
+        print("Daily digest: No admin emails found, skipping.")
+        return
+
+    subject = "Agents Created Last 24 Hours"
+    html_body = build_daily_digest_email(agents)
+
+    try:
+        success = send_mailgun_email(admin_emails, subject, html_body)
+        print(f"Daily digest: Sent to {len(admin_emails)} admins, success={success}")
+    except Exception as e:
+        print(f"Daily digest: Failed to send: {e}")
diff --git a/requirements.txt b/requirements.txt
index e30cbb8..352fbe5 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -38,3 +38,4 @@ uvicorn==0.35.0
 msal==1.26.0
 itsdangerous==2.2.0
 cryptography==41.0.7
+apscheduler>=3.10.0
diff --git a/templates/admin/dashboard.html b/templates/admin/dashboard.html
index 247f93d..9dfa1a5 100644
--- a/templates/admin/dashboard.html
+++ b/templates/admin/dashboard.html
@@ -25,48 +25,58 @@
   </div>
 
   <!-- Statistics Cards -->
-  <div class="row mb-4">
-    <div class="col-lg-3 col-md-6 mb-3">
-      <div class="stat-card">
-        <div class="stat-icon">
-          <i class="fas fa-users"></i>
-        </div>
+  <div class="row mb-4 align-items-stretch">
+    <div class="col-lg-2 col-md-4 mb-3 d-flex">
+      <div class="stat-card w-100">
+        <div class="stat-icon"><i class="fas fa-users"></i></div>
         <div class="stat-info">
           <h3 id="totalUsers">0</h3>
           <p>Total Users</p>
         </div>
       </div>
     </div>
-    <div class="col-lg-3 col-md-6 mb-3">
-      <div class="stat-card admin-card">
-        <div class="stat-icon">
-          <i class="fas fa-user-shield"></i>
-        </div>
-        <div class="stat-info">
-          <h3 id="adminUsers">0</h3>
-          <p>Admin Users</p>
-        </div>
-      </div>
-    </div>
-    <div class="col-lg-3 col-md-6 mb-3">
-      <div class="stat-card agent-card">
-        <div class="stat-icon">
-          <i class="fas fa-robot"></i>
-        </div>
+    <div class="col-lg-2 col-md-4 mb-3 d-flex">
+      <div class="stat-card agent-card w-100">
+        <div class="stat-icon"><i class="fas fa-robot"></i></div>
         <div class="stat-info">
           <h3 id="totalAgents">0</h3>
           <p>Total Agents</p>
         </div>
       </div>
     </div>
-    <div class="col-lg-3 col-md-6 mb-3">
-      <div class="stat-card active-card">
-        <div class="stat-icon">
-          <i class="fas fa-user-check"></i>
-        </div>
+    <div class="col-lg-2 col-md-4 mb-3 d-flex">
+      <div class="stat-card w-100">
+        <div class="stat-icon"><i class="fas fa-envelope"></i></div>
         <div class="stat-info">
-          <h3 id="activeUsers">0</h3>
-          <p>Active Users</p>
+          <h3 id="totalMessages">0</h3>
+          <p>Total Messages</p>
+        </div>
+      </div>
+    </div>
+    <div class="col-lg-2 col-md-4 mb-3 d-flex">
+      <div class="stat-card w-100">
+        <div class="stat-icon"><i class="fas fa-coins"></i></div>
+        <div class="stat-info">
+          <h3 id="totalTokens">0</h3>
+          <p>Total Tokens</p>
+        </div>
+      </div>
+    </div>
+    <div class="col-lg-2 col-md-4 mb-3 d-flex">
+      <div class="stat-card w-100">
+        <div class="stat-icon"><i class="fas fa-comments"></i></div>
+        <div class="stat-info">
+          <h3 id="totalConversations">0</h3>
+          <p>Conversations</p>
+        </div>
+      </div>
+    </div>
+    <div class="col-lg-2 col-md-4 mb-3 d-flex">
+      <div class="stat-card w-100">
+        <div class="stat-icon"><i class="fas fa-user-friends"></i></div>
+        <div class="stat-info">
+          <h3 id="totalUniqueUsers">0</h3>
+          <p>Agent-User Sessions</p>
         </div>
       </div>
     </div>
@@ -79,7 +89,12 @@
         <div class="card-header bg-white">
           <ul class="nav nav-tabs card-header-tabs" id="adminTabs">
             <li class="nav-item">
-              <a class="nav-link active" id="users-tab" data-bs-toggle="tab" href="#users">
+              <a class="nav-link active" id="analytics-tab" data-bs-toggle="tab" href="#analytics">
+                <i class="fas fa-chart-line me-2"></i>Analytics
+              </a>
+            </li>
+            <li class="nav-item">
+              <a class="nav-link" id="users-tab" data-bs-toggle="tab" href="#users">
                 <i class="fas fa-users me-2"></i>Users Management
               </a>
             </li>
@@ -88,16 +103,169 @@
                 <i class="fas fa-robot me-2"></i>Agents Management
               </a>
             </li>
+            <li class="nav-item">
+              <a class="nav-link" id="verification-tab" data-bs-toggle="tab" href="#verification">
+                <i class="fas fa-check-circle me-2"></i>Verification
+                <span class="badge bg-warning ms-1" id="verificationPendingBadge" style="display:none;">0</span>
+              </a>
+            </li>
           </ul>
         </div>
         <div class="card-body">
           <div class="tab-content" id="adminTabsContent">
+            <!-- Analytics Tab -->
+            <div class="tab-pane fade show active" id="analytics">
+              <!-- Analytics Filter Bar -->
+              <div class="row mb-3">
+                <div class="col-12">
+                  <div class="d-flex flex-wrap align-items-center gap-2 p-3 bg-light rounded">
+                    <span class="fw-semibold text-muted me-1"><i class="fas fa-filter me-1"></i>Filters:</span>
+                    <select id="analyticsStatusFilter" class="form-select form-select-sm" style="width:auto;min-width:150px;">
+                      <option value="">All Statuses</option>
+                      <option value="Active">Active</option>
+                      <option value="Development">Development</option>
+                      <option value="Inactive">Inactive</option>
+                      <option value="Deprecated">Deprecated</option>
+                    </select>
+                    <select id="analyticsDisciplineFilter" class="form-select form-select-sm" style="width:auto;min-width:200px;">
+                      <option value="">All Disciplines</option>
+                      <option value="Strategy">Strategy</option>
+                      <option value="Creative">Creative</option>
+                      <option value="Oversight including delivery">Oversight including delivery</option>
+                      <option value="Optimization">Optimization</option>
+                      <option value="Back Office including operations">Back Office including operations</option>
+                      <option value="Pencil Agents">Pencil Agents</option>
+                    </select>
+                    <select id="analyticsTimeRange" class="form-select form-select-sm" style="width:auto;min-width:140px;">
+                      <option value="30">Last 30 Days</option>
+                      <option value="60">Last 60 Days</option>
+                      <option value="90" selected>Last 90 Days</option>
+                      <option value="180">Last 180 Days</option>
+                    </select>
+                    <button id="analyticsApplyBtn" class="btn btn-sm btn-primary">
+                      <i class="fas fa-check me-1"></i>Apply
+                    </button>
+                  </div>
+                </div>
+              </div>
+
+              <div class="row mb-4">
+                <!-- Usage Over Time Chart -->
+                <div class="col-lg-8 mb-4">
+                  <div class="card h-100 border-0 shadow-sm">
+                    <div class="card-header bg-white"><h6 class="mb-0"><i class="fas fa-chart-area me-2"></i>System Usage Over Time <span id="timeRangeLabel">(Last 90 Days)</span></h6></div>
+                    <div class="card-body">
+                      <div id="usageTimelineEmpty" class="text-center text-muted py-5" style="display:none;">No usage timeline data available</div>
+                      <canvas id="usageTimelineChart"></canvas>
+                    </div>
+                  </div>
+                </div>
+                <!-- Token Breakdown Doughnut -->
+                <div class="col-lg-4 mb-4">
+                  <div class="card h-100 border-0 shadow-sm">
+                    <div class="card-header bg-white"><h6 class="mb-0"><i class="fas fa-coins me-2"></i>Token Breakdown</h6></div>
+                    <div class="card-body d-flex align-items-center justify-content-center">
+                      <div id="tokenBreakdownEmpty" class="text-center text-muted py-5" style="display:none;">No token data available</div>
+                      <canvas id="tokenBreakdownChart"></canvas>
+                    </div>
+                  </div>
+                </div>
+              </div>
+
+              <div class="row mb-4">
+                <!-- Status Breakdown Doughnut -->
+                <div class="col-lg-4 mb-4">
+                  <div class="card h-100 border-0 shadow-sm">
+                    <div class="card-header bg-white"><h6 class="mb-0"><i class="fas fa-signal me-2"></i>Agents by Status</h6></div>
+                    <div class="card-body d-flex align-items-center justify-content-center">
+                      <div id="statusBreakdownEmpty" class="text-center text-muted py-5" style="display:none;">No agent data available</div>
+                      <canvas id="statusBreakdownChart"></canvas>
+                    </div>
+                  </div>
+                </div>
+                <!-- Discipline Breakdown Doughnut -->
+                <div class="col-lg-4 mb-4">
+                  <div class="card h-100 border-0 shadow-sm">
+                    <div class="card-header bg-white"><h6 class="mb-0"><i class="fas fa-layer-group me-2"></i>Agents by Discipline</h6></div>
+                    <div class="card-body d-flex align-items-center justify-content-center">
+                      <div id="disciplineBreakdownEmpty" class="text-center text-muted py-5" style="display:none;">No discipline data available</div>
+                      <canvas id="disciplineBreakdownChart"></canvas>
+                    </div>
+                  </div>
+                </div>
+                <!-- Rating Distribution Bar Chart -->
+                <div class="col-lg-4 mb-4">
+                  <div class="card h-100 border-0 shadow-sm">
+                    <div class="card-header bg-white"><h6 class="mb-0"><i class="fas fa-star me-2"></i>Rating Distribution</h6></div>
+                    <div class="card-body d-flex align-items-center justify-content-center">
+                      <div id="ratingDistEmpty" class="text-center text-muted py-5" style="display:none;">No rating data available</div>
+                      <canvas id="ratingDistChart"></canvas>
+                    </div>
+                  </div>
+                </div>
+              </div>
+
+              <div class="row mb-4">
+                <!-- Top 5 Agents by Messages -->
+                <div class="col-lg-6 mb-4">
+                  <div class="card h-100 border-0 shadow-sm">
+                    <div class="card-header bg-white"><h6 class="mb-0"><i class="fas fa-trophy me-2"></i>Top 5 Agents by Messages</h6></div>
+                    <div class="card-body p-0">
+                      <div class="table-responsive">
+                        <table class="table table-hover mb-0 analytics-table">
+                          <thead><tr><th>#</th><th>Agent</th><th>Status</th><th>Messages</th></tr></thead>
+                          <tbody id="topMessagesTbody">
+                            <tr><td colspan="4" class="text-center text-muted py-3">No data</td></tr>
+                          </tbody>
+                        </table>
+                      </div>
+                    </div>
+                  </div>
+                </div>
+                <!-- Top 5 Agents by Tokens -->
+                <div class="col-lg-6 mb-4">
+                  <div class="card h-100 border-0 shadow-sm">
+                    <div class="card-header bg-white"><h6 class="mb-0"><i class="fas fa-trophy me-2"></i>Top 5 Agents by Tokens</h6></div>
+                    <div class="card-body p-0">
+                      <div class="table-responsive">
+                        <table class="table table-hover mb-0 analytics-table">
+                          <thead><tr><th>#</th><th>Agent</th><th>Status</th><th>Tokens</th></tr></thead>
+                          <tbody id="topTokensTbody">
+                            <tr><td colspan="4" class="text-center text-muted py-3">No data</td></tr>
+                          </tbody>
+                        </table>
+                      </div>
+                    </div>
+                  </div>
+                </div>
+              </div>
+
+              <div class="row mb-4">
+                <!-- Recently Active Agents -->
+                <div class="col-12">
+                  <div class="card border-0 shadow-sm">
+                    <div class="card-header bg-white"><h6 class="mb-0"><i class="fas fa-clock me-2"></i>Recently Active Agents</h6></div>
+                    <div class="card-body p-0">
+                      <div class="table-responsive">
+                        <table class="table table-hover mb-0 analytics-table">
+                          <thead><tr><th>Agent</th><th>Status</th><th>Discipline</th><th>Messages</th><th>Tokens</th><th>Last Used</th></tr></thead>
+                          <tbody id="recentlyActiveTbody">
+                            <tr><td colspan="6" class="text-center text-muted py-3">No recently active agents</td></tr>
+                          </tbody>
+                        </table>
+                      </div>
+                    </div>
+                  </div>
+                </div>
+              </div>
+            </div>
+
             <!-- Users Management Tab -->
-            <div class="tab-pane fade show active" id="users">
+            <div class="tab-pane fade" id="users">
               <div class="d-flex justify-content-between align-items-center mb-3">
                 <h5 class="mb-0">Users Management</h5>
                 <div class="d-flex gap-2">
-                  <button class="btn btn-success" onclick="showCreateUserModal()">
+                  <button class="btn btn-success admin-write-action" onclick="showCreateUserModal()">
                     <i class="fas fa-user-plus me-2"></i>Create User
                   </button>
                   <div class="input-group" style="width: 300px;">
@@ -180,6 +348,45 @@
                 </table>
               </div>
             </div>
+
+            <!-- Verification Tab -->
+            <div class="tab-pane fade" id="verification">
+              <div class="d-flex justify-content-between align-items-center mb-3">
+                <h5 class="mb-0"><i class="fas fa-check-circle me-2"></i>Agent Verification</h5>
+                <div class="d-flex gap-2">
+                  <select id="verificationFilter" class="form-select form-select-sm" style="width:auto;" onchange="filterVerificationAgents()">
+                    <option value="all">All</option>
+                    <option value="needs_verification" selected>Needs Verification</option>
+                    <option value="verified">Verified</option>
+                  </select>
+                </div>
+              </div>
+              <div class="table-responsive">
+                <table class="table table-hover">
+                  <thead>
+                    <tr>
+                      <th>Agent Name</th>
+                      <th>Client Name</th>
+                      <th>Studio</th>
+                      <th>Created By</th>
+                      <th>Date Created</th>
+                      <th>Status</th>
+                      <th>Action</th>
+                    </tr>
+                  </thead>
+                  <tbody id="verificationTableBody">
+                    <tr>
+                      <td colspan="7" class="text-center py-4">
+                        <div class="spinner-border text-primary" role="status">
+                          <span class="visually-hidden">Loading...</span>
+                        </div>
+                      </td>
+                    </tr>
+                  </tbody>
+                </table>
+              </div>
+            </div>
+
           </div>
         </div>
       </div>
@@ -222,13 +429,22 @@
             </div>
           </div>
           <div class="mb-3">
-            <div class="form-check">
+            <div class="form-check" style="display:none;">
               <input class="form-check-input" type="checkbox" id="editUserIsAdmin">
               <label class="form-check-label" for="editUserIsAdmin">
                 User has admin privileges
               </label>
             </div>
           </div>
+          <div class="mb-3">
+            <label for="editUserRole" class="form-label">Role</label>
+            <select class="form-select" id="editUserRole">
+              <option value="user">User</option>
+              <option value="admin">Admin</option>
+              <option value="readonly_admin">Read-Only Admin</option>
+            </select>
+            <div class="form-text">Read-Only Admin can view the admin dashboard but cannot make changes.</div>
+          </div>
           <!-- Password Reset Section (only for local users) -->
           <div class="mb-3" id="passwordResetSection" style="display: none;">
             <hr>
@@ -544,11 +760,11 @@
 .stat-card {
   background: linear-gradient(135deg, #f3ae3e 0%, #f3ae3e 100%);
   border-radius: 16px;
-  padding: 1.5rem;
+  padding: 1.25rem;
   color: white;
   display: flex;
   align-items: center;
-  margin-bottom: 1rem;
+  min-height: 90px;
   box-shadow: 0 4px 15px rgba(0,0,0,0.1);
 }
 
@@ -565,21 +781,31 @@
 }
 
 .stat-icon {
-  font-size: 2.5rem;
-  margin-right: 1rem;
+  font-size: 2rem;
+  margin-right: 0.75rem;
   opacity: 0.8;
+  flex-shrink: 0;
+}
+
+.stat-info {
+  min-width: 0;
 }
 
 .stat-info h3 {
   margin: 0;
-  font-size: 2rem;
+  font-size: 1.5rem;
   font-weight: 700;
+  white-space: nowrap;
+  overflow: hidden;
+  text-overflow: ellipsis;
 }
 
 .stat-info p {
   margin: 0;
   opacity: 0.9;
-  font-size: 0.9rem;
+  font-size: 0.75rem;
+  white-space: normal;
+  line-height: 1.2;
 }
 
 .user-avatar-sm {
@@ -719,17 +945,48 @@
   color: white !important;
 }
 
+.analytics-table th {
+  font-size: 0.8rem;
+  text-transform: uppercase;
+  letter-spacing: 0.05em;
+  padding: 0.75rem 1rem;
+}
+.analytics-table td {
+  padding: 0.6rem 1rem;
+  vertical-align: middle;
+}
+.rank-badge {
+  width: 26px;
+  height: 26px;
+  border-radius: 50%;
+  display: inline-flex;
+  align-items: center;
+  justify-content: center;
+  font-weight: 700;
+  font-size: 0.75rem;
+  color: #fff;
+  background: linear-gradient(135deg, #f3ae3e 0%, #e8983e 100%);
+}
+
 @media (max-width: 768px) {
   .stat-card {
     text-align: center;
     flex-direction: column;
   }
-  
+
   .stat-icon {
     margin-right: 0;
     margin-bottom: 0.5rem;
   }
-  
+
+  .stat-info h3 {
+    font-size: 1.2rem;
+  }
+
+  .stat-info p {
+    font-size: 0.75rem;
+  }
+
   .table-responsive {
     font-size: 0.875rem;
   }
@@ -739,14 +996,24 @@
 <script>
 let allUsers = [];
 let allAgents = [];
+let verificationAgents = [];
+const isReadonlyAdmin = {% if current_user and current_user.get('role') == 'readonly_admin' %}true{% else %}false{% endif %};
+const isFullAdmin = {% if current_user and current_user.get('is_admin') %}true{% else %}false{% endif %};
 
 document.addEventListener('DOMContentLoaded', function() {
   loadAdminData();
+  loadAnalytics();
+  loadVerificationData();
   setupEventListeners();
+
+  // Hide write-action buttons for readonly admins
+  if (isReadonlyAdmin && !isFullAdmin) {
+    document.querySelectorAll('.admin-write-action').forEach(el => el.style.display = 'none');
+  }
 });
 
 function setupEventListeners() {
-  document.getElementById('refreshBtn').addEventListener('click', loadAdminData);
+  document.getElementById('refreshBtn').addEventListener('click', () => { loadAdminData(); loadAnalytics(); loadVerificationData(); });
   document.getElementById('userSearch').addEventListener('input', filterUsers);
   document.getElementById('agentSearch').addEventListener('input', filterAgents);
   document.getElementById('agentStatusFilter').addEventListener('change', filterAgents);
@@ -755,6 +1022,7 @@ function setupEventListeners() {
   document.getElementById('editAgentForm').addEventListener('submit', handleEditAgentSubmit);
   document.getElementById('createUserForm').addEventListener('submit', handleCreateUserSubmit);
   document.getElementById('resetPasswordForm').addEventListener('submit', handleResetPasswordSubmit);
+  document.getElementById('analyticsApplyBtn').addEventListener('click', loadAnalytics);
 }
 
 async function loadAdminData() {
@@ -797,10 +1065,25 @@ async function loadAdminData() {
 }
 
 function updateStatistics() {
-  document.getElementById('totalUsers').textContent = allUsers.length;
-  document.getElementById('adminUsers').textContent = allUsers.filter(u => u.is_admin).length;
-  document.getElementById('totalAgents').textContent = allAgents.length;
-  document.getElementById('activeUsers').textContent = allUsers.filter(u => u.is_active).length;
+  // These two are still fed from the users/agents lists for the management tabs
+  // The stat cards are now primarily updated by loadAnalytics()
+  // Keep this as a fallback for basic counts from the existing load
+}
+
+function updateAnalyticsStats(data) {
+  document.getElementById('totalUsers').textContent = formatNumber(data.total_users || 0);
+  document.getElementById('totalAgents').textContent = formatNumber(data.total_agents || 0);
+  document.getElementById('totalMessages').textContent = formatNumber(data.summary.total_messages || 0);
+  document.getElementById('totalTokens').textContent = formatNumber(data.summary.total_tokens || 0);
+  document.getElementById('totalConversations').textContent = formatNumber(data.summary.conversation_count || 0);
+  document.getElementById('totalUniqueUsers').textContent = formatNumber(data.summary.unique_users || 0);
+}
+
+function formatNumber(n) {
+  if (n >= 1000000000) return (n / 1000000000).toFixed(1) + 'B';
+  if (n >= 1000000) return (n / 1000000).toFixed(1) + 'M';
+  if (n >= 1000) return (n / 1000).toFixed(1) + 'K';
+  return n.toString();
 }
 
 function displayUsers(users) {
@@ -834,9 +1117,12 @@ function displayUsers(users) {
           </span>
         </td>
         <td>
-          <span class="badge ${user.is_admin ? 'bg-danger' : 'bg-primary'}">
-            ${user.is_admin ? 'Admin' : 'User'}
-          </span>
+          ${(() => {
+            const role = user.role || (user.is_admin ? 'admin' : 'user');
+            if (role === 'admin') return '<span class="badge bg-danger">Admin</span>';
+            if (role === 'readonly_admin') return '<span class="badge bg-warning text-dark">Read-Only Admin</span>';
+            return '<span class="badge bg-primary">User</span>';
+          })()}
         </td>
         <td>
           <span class="badge ${user.is_active ? 'bg-success' : 'bg-secondary'}">
@@ -850,10 +1136,10 @@ function displayUsers(users) {
           <button class="btn btn-outline-primary btn-sm me-1" onclick="viewUserDetails('${user.email}')" title="View">
             <i class="fas fa-eye"></i>
           </button>
-          <button class="btn btn-outline-warning btn-sm me-1" onclick="editUser('${user.email}')" title="Edit">
+          <button class="btn btn-outline-warning btn-sm me-1 admin-write-action" onclick="editUser('${user.email}')" title="Edit">
             <i class="fas fa-edit"></i>
           </button>
-          <button class="btn btn-outline-secondary btn-sm" onclick="toggleUserStatus('${user.email}')" title="${user.is_active ? 'Deactivate' : 'Activate'}">
+          <button class="btn btn-outline-secondary btn-sm admin-write-action" onclick="toggleUserStatus('${user.email}')" title="${user.is_active ? 'Deactivate' : 'Activate'}">
             <i class="fas fa-${user.is_active ? 'ban' : 'check'}"></i>
           </button>
         </td>
@@ -881,7 +1167,10 @@ function displayAgents(agents) {
     return `
       <tr>
         <td>
-          <div class="fw-medium">${agent.agent_name}</div>
+          <div class="fw-medium">${agent.agent_name}
+            ${agent.verification_status === 'needs_verification' ? ' <span class="badge bg-warning text-dark" style="font-size:0.65em;">Needs Verification</span>' : ''}
+            ${agent.verification_status === 'verified' ? ' <span class="badge bg-success" style="font-size:0.65em;">Verified</span>' : ''}
+          </div>
           <small class="text-muted">${agent.agent_description || 'No description'}</small>
         </td>
         <td>
@@ -903,10 +1192,10 @@ function displayAgents(agents) {
           <button class="btn btn-outline-primary btn-sm me-1" onclick="viewAgentDetails('${agent.agent_id}')">
             <i class="fas fa-eye"></i>
           </button>
-          <button class="btn btn-outline-warning btn-sm me-1" onclick="editAgentAdmin('${agent.agent_id}')">
+          <button class="btn btn-outline-warning btn-sm me-1 admin-write-action" onclick="editAgentAdmin('${agent.agent_id}')">
             <i class="fas fa-edit"></i>
           </button>
-          <button class="btn btn-outline-danger btn-sm" onclick="deleteAgentAdmin('${agent.agent_id}')">
+          <button class="btn btn-outline-danger btn-sm admin-write-action" onclick="deleteAgentAdmin('${agent.agent_id}')">
             <i class="fas fa-trash"></i>
           </button>
         </td>
@@ -997,12 +1286,16 @@ function editUser(email) {
   const authProvider = user.auth_provider || 'local';
   const isLocalAuth = authProvider === 'local';
 
+  // Determine role from user data
+  const userRole = user.role || (user.is_admin ? 'admin' : 'user');
+
   // Populate the edit form
   document.getElementById('editUserId').value = user.email;
   document.getElementById('editUserEmail').value = user.email;
   document.getElementById('editUserFullName').value = user.full_name || '';
   document.getElementById('editUserIsActive').checked = user.is_active;
   document.getElementById('editUserIsAdmin').checked = user.is_admin;
+  document.getElementById('editUserRole').value = userRole;
   document.getElementById('editUserAuthProvider').value = authProvider;
 
   // Update auth display
@@ -1043,7 +1336,8 @@ async function toggleUserStatus(email) {
       body: JSON.stringify({
         full_name: user.full_name,
         is_active: newStatus,
-        is_admin: user.is_admin
+        is_admin: user.is_admin,
+        role: user.role || (user.is_admin ? 'admin' : 'user')
       })
     });
     
@@ -1124,12 +1418,13 @@ function showError(message) {
 
 async function handleEditUserSubmit(e) {
   e.preventDefault();
-  
+
   const email = document.getElementById('editUserId').value;
   const fullName = document.getElementById('editUserFullName').value;
   const isActive = document.getElementById('editUserIsActive').checked;
-  const isAdmin = document.getElementById('editUserIsAdmin').checked;
-  
+  const role = document.getElementById('editUserRole').value;
+  const isAdmin = (role === 'admin');
+
   try {
     const response = await fetch(`{{ base_path }}/api/admin/users/${encodeURIComponent(email)}`, {
       method: 'PUT',
@@ -1140,7 +1435,8 @@ async function handleEditUserSubmit(e) {
       body: JSON.stringify({
         full_name: fullName,
         is_active: isActive,
-        is_admin: isAdmin
+        is_admin: isAdmin,
+        role: role
       })
     });
     
@@ -1431,6 +1727,363 @@ async function handleResetPasswordSubmit(e) {
   }
 }
 
+// ===================== Analytics =====================
+let analyticsCharts = {};
+
+function destroyChart(key) {
+  if (analyticsCharts[key]) {
+    analyticsCharts[key].destroy();
+    analyticsCharts[key] = null;
+  }
+}
+
+const STATUS_COLORS = {
+  'Active': '#28a745',
+  'Development': '#ffc107',
+  'Inactive': '#dc3545',
+  'Deprecated': '#6c757d'
+};
+
+const DISCIPLINE_COLORS = [
+  '#f3ae3e', '#4e79a7', '#59a14f', '#e15759', '#76b7b2', '#edc949', '#af7aa1'
+];
+
+async function loadAnalytics() {
+  try {
+    const status = document.getElementById('analyticsStatusFilter').value;
+    const discipline = document.getElementById('analyticsDisciplineFilter').value;
+    const days = document.getElementById('analyticsTimeRange').value;
+
+    const params = new URLSearchParams();
+    if (status) params.set('status', status);
+    if (discipline) params.set('discipline', discipline);
+    params.set('days', days);
+
+    const qs = params.toString();
+    const url = '{{ base_path }}/api/admin/analytics' + (qs ? '?' + qs : '');
+    const response = await fetch(url, { credentials: 'include' });
+    if (!response.ok) return;
+    const data = await response.json();
+
+    // Update time range label in chart header
+    const label = document.getElementById('timeRangeLabel');
+    if (label) label.textContent = '(Last ' + days + ' Days)';
+
+    updateAnalyticsStats(data);
+    renderUsageTimeline(data.usage_timeline);
+    renderTokenBreakdown(data.summary.prompt_tokens, data.summary.completion_tokens);
+    renderStatusBreakdown(data.status_breakdown);
+    renderDisciplineBreakdown(data.discipline_breakdown);
+    renderRatingDistribution(data.rating_distribution);
+    renderTopTable('topMessagesTbody', data.top_by_messages, 'total_messages');
+    renderTopTable('topTokensTbody', data.top_by_tokens, 'total_tokens');
+    renderRecentlyActive(data.recently_active);
+  } catch (err) {
+    console.error('Failed to load analytics:', err);
+  }
+}
+
+function renderUsageTimeline(timeline) {
+  destroyChart('usageTimeline');
+  const canvas = document.getElementById('usageTimelineChart');
+  const emptyEl = document.getElementById('usageTimelineEmpty');
+
+  if (!timeline || timeline.length === 0) {
+    canvas.style.display = 'none';
+    emptyEl.style.display = 'block';
+    return;
+  }
+  canvas.style.display = 'block';
+  emptyEl.style.display = 'none';
+
+  const labels = timeline.map(t => t.date);
+  const messages = timeline.map(t => t.message_count);
+  const tokens = timeline.map(t => t.token_count);
+  const hasTokens = tokens.some(v => v > 0);
+
+  const datasets = [{
+    label: 'Messages',
+    data: messages,
+    borderColor: '#4e79a7',
+    backgroundColor: 'rgba(78,121,167,0.1)',
+    fill: true,
+    tension: 0.3,
+    yAxisID: 'y'
+  }];
+
+  const scales = {
+    y: { beginAtZero: true, title: { display: true, text: 'Messages' }, position: 'left' },
+    x: { ticks: { maxTicksLimit: 12 } }
+  };
+
+  if (hasTokens) {
+    datasets.push({
+      label: 'Tokens',
+      data: tokens,
+      borderColor: '#f3ae3e',
+      backgroundColor: 'rgba(243,174,62,0.1)',
+      fill: true,
+      tension: 0.3,
+      yAxisID: 'y1'
+    });
+    scales.y1 = { beginAtZero: true, title: { display: true, text: 'Tokens' }, position: 'right', grid: { drawOnChartArea: false } };
+  }
+
+  analyticsCharts.usageTimeline = new Chart(canvas, {
+    type: 'line',
+    data: { labels, datasets },
+    options: {
+      responsive: true,
+      maintainAspectRatio: true,
+      interaction: { mode: 'index', intersect: false },
+      plugins: { legend: { position: 'top' } },
+      scales
+    }
+  });
+}
+
+function renderTokenBreakdown(prompt, completion) {
+  destroyChart('tokenBreakdown');
+  const canvas = document.getElementById('tokenBreakdownChart');
+  const emptyEl = document.getElementById('tokenBreakdownEmpty');
+
+  if (!prompt && !completion) {
+    canvas.style.display = 'none';
+    emptyEl.style.display = 'block';
+    return;
+  }
+  canvas.style.display = 'block';
+  emptyEl.style.display = 'none';
+
+  analyticsCharts.tokenBreakdown = new Chart(canvas, {
+    type: 'doughnut',
+    data: {
+      labels: ['Prompt (Input)', 'Completion (Output)'],
+      datasets: [{ data: [prompt, completion], backgroundColor: ['#4e79a7', '#f3ae3e'] }]
+    },
+    options: {
+      responsive: true,
+      plugins: { legend: { position: 'bottom' } }
+    }
+  });
+}
+
+function renderStatusBreakdown(statusData) {
+  destroyChart('statusBreakdown');
+  const canvas = document.getElementById('statusBreakdownChart');
+  const emptyEl = document.getElementById('statusBreakdownEmpty');
+
+  const entries = Object.entries(statusData || {}).filter(([, v]) => v > 0);
+  if (entries.length === 0) {
+    canvas.style.display = 'none';
+    emptyEl.style.display = 'block';
+    return;
+  }
+  canvas.style.display = 'block';
+  emptyEl.style.display = 'none';
+
+  analyticsCharts.statusBreakdown = new Chart(canvas, {
+    type: 'doughnut',
+    data: {
+      labels: entries.map(([k]) => k || 'Unknown'),
+      datasets: [{
+        data: entries.map(([, v]) => v),
+        backgroundColor: entries.map(([k]) => STATUS_COLORS[k] || '#adb5bd')
+      }]
+    },
+    options: {
+      responsive: true,
+      plugins: { legend: { position: 'bottom' } }
+    }
+  });
+}
+
+function renderDisciplineBreakdown(disciplineData) {
+  destroyChart('disciplineBreakdown');
+  const canvas = document.getElementById('disciplineBreakdownChart');
+  const emptyEl = document.getElementById('disciplineBreakdownEmpty');
+
+  const entries = Object.entries(disciplineData || {}).filter(([, v]) => v > 0);
+  if (entries.length === 0) {
+    canvas.style.display = 'none';
+    emptyEl.style.display = 'block';
+    return;
+  }
+  canvas.style.display = 'block';
+  emptyEl.style.display = 'none';
+
+  analyticsCharts.disciplineBreakdown = new Chart(canvas, {
+    type: 'doughnut',
+    data: {
+      labels: entries.map(([k]) => k),
+      datasets: [{
+        data: entries.map(([, v]) => v),
+        backgroundColor: entries.map((_, i) => DISCIPLINE_COLORS[i % DISCIPLINE_COLORS.length])
+      }]
+    },
+    options: {
+      responsive: true,
+      plugins: { legend: { position: 'bottom' } }
+    }
+  });
+}
+
+function renderRatingDistribution(ratingData) {
+  destroyChart('ratingDist');
+  const canvas = document.getElementById('ratingDistChart');
+  const emptyEl = document.getElementById('ratingDistEmpty');
+
+  const values = [1, 2, 3, 4, 5].map(k => (ratingData || {})[k] || 0);
+  if (values.every(v => v === 0)) {
+    canvas.style.display = 'none';
+    emptyEl.style.display = 'block';
+    return;
+  }
+  canvas.style.display = 'block';
+  emptyEl.style.display = 'none';
+
+  analyticsCharts.ratingDist = new Chart(canvas, {
+    type: 'bar',
+    data: {
+      labels: ['1 Star', '2 Stars', '3 Stars', '4 Stars', '5 Stars'],
+      datasets: [{
+        label: 'Agents',
+        data: values,
+        backgroundColor: '#f3ae3e',
+        borderRadius: 6
+      }]
+    },
+    options: {
+      responsive: true,
+      plugins: { legend: { display: false } },
+      scales: {
+        y: { beginAtZero: true, ticks: { stepSize: 1 } }
+      }
+    }
+  });
+}
+
+function renderTopTable(tbodyId, agents, field) {
+  const tbody = document.getElementById(tbodyId);
+  if (!agents || agents.length === 0) {
+    tbody.innerHTML = '<tr><td colspan="4" class="text-center text-muted py-3">No data</td></tr>';
+    return;
+  }
+  tbody.innerHTML = agents.map((a, i) => `
+    <tr>
+      <td><span class="rank-badge">${i + 1}</span></td>
+      <td class="fw-medium">${a.agent_name}</td>
+      <td><span class="badge status-${a.agent_status || 'Development'}">${a.agent_status || 'Development'}</span></td>
+      <td class="fw-bold">${formatNumber(a[field] || 0)}</td>
+    </tr>
+  `).join('');
+}
+
+function renderRecentlyActive(agents) {
+  const tbody = document.getElementById('recentlyActiveTbody');
+  if (!agents || agents.length === 0) {
+    tbody.innerHTML = '<tr><td colspan="6" class="text-center text-muted py-3">No recently active agents</td></tr>';
+    return;
+  }
+  tbody.innerHTML = agents.map(a => `
+    <tr>
+      <td class="fw-medium">${a.agent_name}</td>
+      <td><span class="badge status-${a.agent_status || 'Development'}">${a.agent_status || 'Development'}</span></td>
+      <td>${a.discipline || '<span class="text-muted">-</span>'}</td>
+      <td>${formatNumber(a.total_messages || 0)}</td>
+      <td>${formatNumber(a.total_tokens || 0)}</td>
+      <td>${formatDate(a.last_used)}</td>
+    </tr>
+  `).join('');
+}
+
+
+// ===== Verification Tab Functions =====
+
+async function loadVerificationData() {
+  try {
+    const response = await fetch('{{ base_path }}/api/admin/agents/pending-verification', {
+      credentials: 'include'
+    });
+    if (!response.ok) return;
+    verificationAgents = await response.json();
+
+    // Update badge count
+    const pending = verificationAgents.filter(a => a.verification_status === 'needs_verification');
+    const badge = document.getElementById('verificationPendingBadge');
+    if (pending.length > 0) {
+      badge.textContent = pending.length;
+      badge.style.display = 'inline';
+    } else {
+      badge.style.display = 'none';
+    }
+
+    filterVerificationAgents();
+  } catch (error) {
+    console.error('Error loading verification data:', error);
+  }
+}
+
+function filterVerificationAgents() {
+  const filter = document.getElementById('verificationFilter').value;
+  let filtered = verificationAgents;
+  if (filter !== 'all') {
+    filtered = verificationAgents.filter(a => a.verification_status === filter);
+  }
+  displayVerificationAgents(filtered);
+}
+
+function displayVerificationAgents(agents) {
+  const tbody = document.getElementById('verificationTableBody');
+  if (!agents.length) {
+    tbody.innerHTML = '<tr><td colspan="7" class="text-center text-muted py-4">No agents to display</td></tr>';
+    return;
+  }
+
+  tbody.innerHTML = agents.map(agent => {
+    const statusBadge = agent.verification_status === 'verified'
+      ? '<span class="badge bg-success">Verified</span>'
+      : '<span class="badge bg-warning text-dark">Needs Verification</span>';
+
+    const actionBtn = agent.verification_status === 'needs_verification' && !isReadonlyAdmin
+      ? `<button class="btn btn-success btn-sm admin-write-action" onclick="approveAgent('${agent.agent_id}')">
+           <i class="fas fa-check me-1"></i>Approve
+         </button>`
+      : (agent.verified_by ? `<small class="text-muted">by ${agent.verified_by}<br>${formatDate(agent.verified_date)}</small>` : '');
+
+    return `<tr>
+      <td class="fw-medium">${agent.agent_name || 'N/A'}</td>
+      <td>${agent.client_name || 'N/A'}</td>
+      <td>${agent.studio_name || 'N/A'}</td>
+      <td>${agent.created_by || 'N/A'}</td>
+      <td>${formatDate(agent.created_at)}</td>
+      <td>${statusBadge}</td>
+      <td>${actionBtn}</td>
+    </tr>`;
+  }).join('');
+}
+
+async function approveAgent(agentId) {
+  if (!confirm('Are you sure you want to verify this agent?')) return;
+
+  try {
+    const response = await fetch(`{{ base_path }}/api/admin/agents/${agentId}/verify`, {
+      method: 'PUT',
+      credentials: 'include'
+    });
+
+    if (response.ok) {
+      showSuccess('Agent verified successfully');
+      await loadVerificationData();
+      await loadAdminData();
+    } else {
+      const error = await response.json();
+      showError(error.detail || 'Failed to verify agent');
+    }
+  } catch (error) {
+    showError('Failed to verify agent');
+  }
+}
 
 </script>
 {% endblock %}
\ No newline at end of file
diff --git a/templates/agent_register.html b/templates/agent_register.html
index 9d0cf45..02aca6f 100644
--- a/templates/agent_register.html
+++ b/templates/agent_register.html
@@ -27,34 +27,21 @@
               <label for="agentName" class="form-label">
                 <i class="fas fa-tag me-2"></i>Agent Name *
               </label>
-              <input type="text" 
-                     name="agent_name" 
-                     class="form-control form-control-lg" 
-                     id="agentName" 
+              <input type="text"
+                     name="agent_name"
+                     class="form-control form-control-lg"
+                     id="agentName"
                      placeholder="Enter agent name"
                      required>
             </div>
 
-            <div class="mb-4">
-              <label for="agentTool" class="form-label">
-                <i class="fas fa-tools me-2"></i>Tool *
-              </label>
-              <input type="text" 
-                     name="agent_tool" 
-                     class="form-control form-control-lg" 
-                     id="agentTool" 
-                     placeholder="e.g., chat-sandbox (LibreChat), Copilot, Custom"
-                     required>
-              <div class="form-text">The platform or environment where this agent operates</div>
-            </div>
-
             <div class="mb-4">
               <label for="agentDescription" class="form-label">
                 <i class="fas fa-align-left me-2"></i>Description
               </label>
-              <textarea name="agent_description" 
-                       class="form-control" 
-                       id="agentDescription" 
+              <textarea name="agent_description"
+                       class="form-control"
+                       id="agentDescription"
                        rows="3"
                        maxlength="300"
                        placeholder="Describe what this agent does"></textarea>
@@ -65,24 +52,72 @@
               <label for="agentPurpose" class="form-label">
                 <i class="fas fa-bullseye me-2"></i>Purpose
               </label>
-              <input type="text" 
-                     name="agent_purpose" 
-                     class="form-control" 
-                     id="agentPurpose" 
+              <input type="text"
+                     name="agent_purpose"
+                     class="form-control"
+                     id="agentPurpose"
                      maxlength="200"
                      placeholder="What is the main purpose of this agent?">
               <div class="form-text">Maximum 200 characters</div>
             </div>
 
+            <div class="row">
+              <div class="col-md-6 mb-4">
+                <label for="agentClient" class="form-label">
+                  <i class="fas fa-handshake me-2"></i>Client *
+                </label>
+                <select name="client" class="form-select" id="agentClient" required onchange="toggleClientName()">
+                  <option value="">Select</option>
+                  <option value="yes">Yes</option>
+                  <option value="no">No</option>
+                </select>
+                <div class="form-text">Is this agent for a client?</div>
+              </div>
+              <div class="col-md-6 mb-4" id="clientNameSection" style="display: none;">
+                <label for="agentClientName" class="form-label">
+                  <i class="fas fa-building me-2"></i>Client Name *
+                </label>
+                <input type="text"
+                       name="client_name"
+                       class="form-control"
+                       id="agentClientName"
+                       placeholder="Enter client name">
+              </div>
+            </div>
+
+            <div class="mb-4">
+              <label for="agentStudioName" class="form-label">
+                <i class="fas fa-film me-2"></i>Studio Name
+              </label>
+              <input type="text"
+                     name="studio_name"
+                     class="form-control"
+                     id="agentStudioName"
+                     placeholder="Enter studio name (optional)">
+            </div>
+
+            <div class="mb-4">
+              <label for="agentTool" class="form-label">
+                <i class="fas fa-tools me-2"></i>Tool *
+              </label>
+              <input type="text"
+                     name="agent_tool"
+                     class="form-control form-control-lg"
+                     id="agentTool"
+                     placeholder="e.g., chat-sandbox (LibreChat), Copilot, Custom"
+                     required>
+              <div class="form-text">The platform or environment where this agent operates</div>
+            </div>
+
             <div class="row">
               <div class="col-md-6 mb-4">
                 <label for="agentVersion" class="form-label">
                   <i class="fas fa-code-branch me-2"></i>Version
                 </label>
-                <input type="text" 
-                       name="agent_version" 
-                       class="form-control" 
-                       id="agentVersion" 
+                <input type="text"
+                       name="agent_version"
+                       class="form-control"
+                       id="agentVersion"
                        placeholder="e.g., 1.0.0">
               </div>
               <div class="col-md-6 mb-4">
@@ -301,11 +336,26 @@
 // Simple form validation and duplicate submission prevention
 let formSubmitted = false;
 
+function toggleClientName() {
+  const clientSelect = document.getElementById('agentClient');
+  const clientNameSection = document.getElementById('clientNameSection');
+  const clientNameInput = document.getElementById('agentClientName');
+
+  if (clientSelect.value === 'yes') {
+    clientNameSection.style.display = 'block';
+    clientNameInput.required = true;
+  } else {
+    clientNameSection.style.display = 'none';
+    clientNameInput.required = false;
+    clientNameInput.value = '';
+  }
+}
+
 function toggleRiskFactor() {
   const qualityAuditStatus = document.getElementById('qualityAuditStatus');
   const riskFactorSection = document.getElementById('riskFactorSection');
   const riskFactor = document.getElementById('riskFactor');
-  
+
   if (qualityAuditStatus.checked) {
     riskFactorSection.style.display = 'block';
     riskFactor.required = true;
@@ -319,21 +369,37 @@ function toggleRiskFactor() {
 document.getElementById('agentForm').addEventListener('submit', function(e) {
   const agentName = document.getElementById('agentName').value.trim();
   const agentTool = document.getElementById('agentTool').value.trim();
+  const clientSelect = document.getElementById('agentClient');
   const qualityAuditStatus = document.getElementById('qualityAuditStatus');
   const riskFactor = document.getElementById('riskFactor');
-  
+
   if (!agentName) {
     e.preventDefault();
     alert('Agent name is required!');
     return false;
   }
-  
+
   if (!agentTool) {
     e.preventDefault();
     alert('Agent tool is required!');
     return false;
   }
 
+  if (!clientSelect.value) {
+    e.preventDefault();
+    alert('Client selection is required!');
+    return false;
+  }
+
+  if (clientSelect.value === 'yes') {
+    const clientName = document.getElementById('agentClientName').value.trim();
+    if (!clientName) {
+      e.preventDefault();
+      alert('Client Name is required when Client is set to Yes!');
+      return false;
+    }
+  }
+
   const discipline = document.getElementById('agentDiscipline').value;
   if (!discipline) {
     e.preventDefault();
@@ -347,22 +413,22 @@ document.getElementById('agentForm').addEventListener('submit', function(e) {
     alert('Risk Factor is required when Quality Audit is checked!');
     return false;
   }
-  
+
   // Prevent duplicate submissions
   if (formSubmitted) {
     e.preventDefault();
     return false;
   }
-  
+
   formSubmitted = true;
-  
+
   // Disable the submit button to prevent multiple clicks
   const submitBtn = e.target.querySelector('button[type="submit"]');
   if (submitBtn) {
     submitBtn.disabled = true;
     submitBtn.innerHTML = '<i class="fas fa-spinner fa-spin me-2"></i>Registering...';
   }
-  
+
   return true;
 });
 </script>