diff --git a/stacks/terminal/files/devvm/README.md b/stacks/terminal/files/devvm/README.md
new file mode 100644
index 00000000..f4b6073e
--- /dev/null
+++ b/stacks/terminal/files/devvm/README.md
@@ -0,0 +1,67 @@
+# DevVM terminal-multi files
+
+These files configure the multi-session terminal on the DevVM (`10.0.10.10`).
+They install **alongside** the existing `ttyd.service` (port 7681) and
+`ttyd-ro.service` (port 7682) — the existing units are **not** modified.
+
+## Layout
+
+| Source | Destination on DevVM |
+|--------|----------------------|
+| `tmux-attach.sh` | `/usr/local/bin/tmux-attach.sh` (chmod 0755) |
+| `ttyd-multi.service` | `/etc/systemd/system/ttyd-multi.service` |
+| `tmux-api.service` | `/etc/systemd/system/tmux-api.service` |
+| `../index-multi.html` (one level up) | `/usr/local/share/ttyd/index-multi.html` |
+| `../../tmux-api/` binary, built `GOOS=linux GOARCH=amd64` | `/usr/local/bin/tmux-api` (chmod 0755) |
+
+## Apply
+
+From the workstation (`infra/` repo root):
+
+```bash
+DEVVM=10.0.10.10   # SSH config provides the user
+
+# 1. Build the tmux-api binary for linux/amd64
+( cd infra/stacks/terminal/tmux-api && GOOS=linux GOARCH=amd64 go build -o /tmp/tmux-api . )
+
+# 2. HTML page + wrapper script
+scp infra/stacks/terminal/files/index-multi.html $DEVVM:/tmp/index-multi.html
+scp infra/stacks/terminal/files/devvm/tmux-attach.sh $DEVVM:/tmp/tmux-attach.sh
+ssh $DEVVM "sudo install -m 0644 /tmp/index-multi.html /usr/local/share/ttyd/index-multi.html && \
+            sudo install -m 0755 /tmp/tmux-attach.sh    /usr/local/bin/tmux-attach.sh && \
+            rm /tmp/index-multi.html /tmp/tmux-attach.sh"
+
+# 3. tmux-api binary
+scp /tmp/tmux-api $DEVVM:/tmp/tmux-api
+ssh $DEVVM "sudo install -m 0755 /tmp/tmux-api /usr/local/bin/tmux-api && rm /tmp/tmux-api"
+
+# 4. systemd units
+scp infra/stacks/terminal/files/devvm/ttyd-multi.service $DEVVM:/tmp/
+scp infra/stacks/terminal/files/devvm/tmux-api.service   $DEVVM:/tmp/
+ssh $DEVVM "sudo mv /tmp/ttyd-multi.service /etc/systemd/system/ && \
+            sudo mv /tmp/tmux-api.service   /etc/systemd/system/ && \
+            sudo systemctl daemon-reload && \
+            sudo systemctl enable --now ttyd-multi tmux-api"
+
+# 5. Sanity checks
+ssh $DEVVM "systemctl status ttyd-multi tmux-api --no-pager"
+ssh $DEVVM "curl -sf localhost:7684/sessions"
+ssh $DEVVM "curl -sf localhost:7685/ | head -5"
+ssh $DEVVM "systemctl is-active ttyd ttyd-ro"   # existing units untouched
+```
+
+## Notes
+
+- **`User=wizard`** matches the existing `ttyd.service` so the new services
+  share the same tmux server (one socket per Unix user). Sessions created
+  via either `terminal.viktorbarzin.me` or `term.viktorbarzin.me` are
+  cross-visible. This is intentional.
+- **ttyd version** is `1.7.7` on the DevVM — the `-a` flag (allow URL args
+  → argv) requires ≥ 1.7.
+- **Argv flow**: `?arg=foo` on the URL → ttyd appends `foo` as `$1` to
+  `tmux-attach.sh` → the wrapper regex-validates and runs
+  `tmux new-session -A -s "$name"`. ttyd uses argv (never a shell string),
+  so there is no injection path.
+- **No external exposure of 7684/7685** — the DevVM is reachable only from
+  the cluster (`10.0.10.10` is on the internal VLAN). Authentik forward-auth
+  on the ingress is the access gate.
diff --git a/stacks/terminal/files/devvm/tmux-api.service b/stacks/terminal/files/devvm/tmux-api.service
new file mode 100644
index 00000000..b25eeda4
--- /dev/null
+++ b/stacks/terminal/files/devvm/tmux-api.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=tmux-api (port 7684) - REST API for listing and killing tmux sessions
+After=network.target
+
+[Service]
+ExecStart=/usr/local/bin/tmux-api
+Restart=always
+User=wizard
+
+[Install]
+WantedBy=multi-user.target
diff --git a/stacks/terminal/files/devvm/tmux-attach.sh b/stacks/terminal/files/devvm/tmux-attach.sh
new file mode 100644
index 00000000..afd842a3
--- /dev/null
+++ b/stacks/terminal/files/devvm/tmux-attach.sh
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+# Invoked by ttyd-multi.service. ttyd's -a flag forwards ?arg=<value> as $1.
+# Defence-in-depth: ttyd uses argv (never shell strings) and we re-validate
+# here before handing the name to tmux as a quoted argv slot.
+set -euo pipefail
+
+name="${1:-main}"
+if ! [[ "$name" =~ ^[a-zA-Z0-9_-]{1,32}$ ]]; then
+    name=main
+fi
+
+exec tmux new-session -A -s "$name" -c /home/wizard/code
diff --git a/stacks/terminal/files/devvm/ttyd-multi.service b/stacks/terminal/files/devvm/ttyd-multi.service
new file mode 100644
index 00000000..60d3e5d5
--- /dev/null
+++ b/stacks/terminal/files/devvm/ttyd-multi.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=ttyd multi-session (port 7685) - tmux session lobby + per-session attach
+After=network.target
+
+[Service]
+ExecStart=/usr/local/bin/ttyd -W -a -t enableClipboard=true -I /usr/local/share/ttyd/index-multi.html -p 7685 /usr/local/bin/tmux-attach.sh
+Restart=always
+User=wizard
+
+[Install]
+WantedBy=multi-user.target
diff --git a/stacks/terminal/files/index-multi.html b/stacks/terminal/files/index-multi.html
new file mode 100644
index 00000000..712d85ed
--- /dev/null
+++ b/stacks/terminal/files/index-multi.html
@@ -0,0 +1,506 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Terminal</title>
+    <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@xterm/xterm@5.5.0/css/xterm.min.css">
+    <style>
+        html, body { margin: 0; padding: 0; height: 100%; overflow: hidden; background: #000; }
+        #terminal { height: 100%; width: 100%; }
+        .hidden { display: none !important; }
+        #toast {
+            position: fixed; top: 16px; right: 16px; z-index: 9999;
+            background: #1a1a2e; color: #a29bfe; border: 1px solid #333;
+            border-radius: 8px; padding: 10px 18px; font-family: monospace;
+            font-size: 14px; opacity: 0; transition: opacity 0.3s;
+            pointer-events: none; max-width: 500px; word-break: break-all;
+        }
+        #toast.visible { opacity: 1; }
+        #toast.error { color: #e74c3c; border-color: #e74c3c; }
+        #toast.success { color: #2ecc71; border-color: #2ecc71; }
+        #paste-btn {
+            position: fixed; bottom: 24px; right: 24px; z-index: 9999;
+            width: 48px; height: 48px; border-radius: 12px;
+            background: rgba(108, 92, 231, 0.6); border: 1px solid rgba(162, 155, 254, 0.4);
+            color: #eee; font-size: 22px; cursor: pointer;
+            display: flex; align-items: center; justify-content: center;
+            backdrop-filter: blur(8px); -webkit-backdrop-filter: blur(8px);
+            transition: background 0.2s, transform 0.1s;
+            touch-action: manipulation; -webkit-tap-highlight-color: transparent;
+        }
+        #paste-btn:hover { background: rgba(108, 92, 231, 0.85); }
+        #paste-btn:active { transform: scale(0.92); }
+        #img-btn {
+            position: fixed; bottom: 24px; right: 80px; z-index: 9999;
+            width: 48px; height: 48px; border-radius: 12px;
+            background: rgba(108, 92, 231, 0.6); border: 1px solid rgba(162, 155, 254, 0.4);
+            color: #eee; font-size: 22px; cursor: pointer;
+            display: flex; align-items: center; justify-content: center;
+            backdrop-filter: blur(8px); -webkit-backdrop-filter: blur(8px);
+            transition: background 0.2s, transform 0.1s;
+            touch-action: manipulation; -webkit-tap-highlight-color: transparent;
+        }
+        #img-btn:hover { background: rgba(108, 92, 231, 0.85); }
+        #img-btn:active { transform: scale(0.92); }
+        #img-input { display: none; }
+
+        /* Lobby */
+        #lobby {
+            display: none; padding: 32px; height: 100vh; box-sizing: border-box;
+            font-family: 'JetBrains Mono', 'Fira Code', 'Cascadia Code', Menlo, Monaco, 'Courier New', monospace;
+            color: #eee; background: #1a1a2e; overflow-y: auto;
+        }
+        #lobby.visible { display: block; }
+        .lobby-header { font-size: 22px; color: #a29bfe; margin: 0 0 4px 0; }
+        .lobby-sub { color: #888; font-size: 13px; margin: 0 0 24px 0; }
+        .new-row { display: flex; gap: 8px; margin-bottom: 24px; max-width: 640px; }
+        .new-row input {
+            flex: 1; padding: 10px 14px; border-radius: 8px; border: 1px solid #333;
+            background: #0f0f1f; color: #eee; font-family: inherit; font-size: 14px;
+        }
+        .new-row input:focus { outline: none; border-color: #a29bfe; }
+        .new-row button {
+            padding: 10px 18px; border-radius: 8px; border: 1px solid rgba(162, 155, 254, 0.4);
+            background: rgba(108, 92, 231, 0.6); color: #eee; font-family: inherit;
+            font-size: 14px; cursor: pointer;
+        }
+        .new-row button:hover { background: rgba(108, 92, 231, 0.85); }
+        .session-list { display: grid; gap: 12px; max-width: 640px; }
+        .session-card {
+            display: flex; align-items: center; justify-content: space-between;
+            background: #0f0f1f; border: 1px solid #2a2a3f; border-radius: 10px;
+            padding: 14px 18px;
+        }
+        .session-meta { display: flex; flex-direction: column; gap: 4px; min-width: 0; }
+        .session-name { font-size: 16px; font-weight: 600; color: #eee; }
+        .session-detail { font-size: 12px; color: #888; }
+        .session-detail.attached { color: #2ecc71; }
+        .session-actions { display: flex; gap: 8px; }
+        .session-actions button {
+            padding: 8px 14px; border-radius: 6px; border: 1px solid #333;
+            background: #1f1f33; color: #eee; font-family: inherit;
+            font-size: 13px; cursor: pointer;
+        }
+        .session-actions button.open { color: #a29bfe; border-color: rgba(162, 155, 254, 0.4); }
+        .session-actions button.kill { color: #e74c3c; border-color: rgba(231, 76, 60, 0.4); }
+        .session-actions button:hover { filter: brightness(1.3); }
+        .empty { color: #888; font-style: italic; padding: 16px 0; }
+    </style>
+</head>
+<body>
+    <div id="terminal"></div>
+    <div id="lobby">
+        <h1 class="lobby-header">tmux sessions</h1>
+        <p class="lobby-sub">Pick an existing session or create a new one. Sessions persist after you close the tab.</p>
+        <div class="new-row">
+            <input id="new-name" type="text" placeholder="new session name (a-z, 0-9, _, -)" maxlength="32" autocomplete="off">
+            <button id="new-btn">Create &amp; Open</button>
+        </div>
+        <div id="session-list" class="session-list"></div>
+    </div>
+    <div id="toast"></div>
+    <button id="img-btn" title="Upload image">&#128247;</button>
+    <button id="paste-btn" title="Paste from clipboard">&#128203;</button>
+    <input type="file" id="img-input" accept="image/*">
+
+    <script src="https://cdn.jsdelivr.net/npm/@xterm/xterm@5.5.0/lib/xterm.min.js"></script>
+    <script src="https://cdn.jsdelivr.net/npm/@xterm/addon-fit@0.10.0/lib/addon-fit.min.js"></script>
+    <script src="https://cdn.jsdelivr.net/npm/@xterm/addon-web-links@0.11.0/lib/addon-web-links.min.js"></script>
+    <script src="https://cdn.jsdelivr.net/npm/@xterm/addon-webgl@0.18.0/lib/addon-webgl.min.js"></script>
+    <script>
+    (function() {
+        const NAME_RE = /^[a-zA-Z0-9_-]{1,32}$/;
+        const SESSIONS_API = '/api/sessions/sessions';
+        const params = new URLSearchParams(location.search);
+        const rawArg = params.get('arg');
+        const validArg = rawArg && NAME_RE.test(rawArg) ? rawArg : null;
+
+        function showToast(msg, type, duration) {
+            const el = document.getElementById('toast');
+            el.textContent = msg;
+            el.className = 'visible' + (type ? ' ' + type : '');
+            clearTimeout(el._timer);
+            el._timer = setTimeout(() => { el.className = ''; }, duration || 3000);
+        }
+
+        function clearChildren(el) {
+            while (el.firstChild) el.removeChild(el.firstChild);
+        }
+
+        function emptyState(text) {
+            const e = document.createElement('div');
+            e.className = 'empty';
+            e.textContent = text;
+            return e;
+        }
+
+        if (!validArg) {
+            // ============================================================
+            // LOBBY MODE — no valid ?arg=, show session picker
+            // ============================================================
+            document.getElementById('terminal').classList.add('hidden');
+            document.getElementById('paste-btn').classList.add('hidden');
+            document.getElementById('img-btn').classList.add('hidden');
+            document.getElementById('lobby').classList.add('visible');
+            document.title = 'tmux sessions';
+
+            const listEl    = document.getElementById('session-list');
+            const newNameEl = document.getElementById('new-name');
+            const newBtnEl  = document.getElementById('new-btn');
+
+            function relativeTime(epochSec) {
+                if (!epochSec) return '';
+                const diff = Math.floor(Date.now() / 1000) - epochSec;
+                if (diff < 60)    return diff + 's ago';
+                if (diff < 3600)  return Math.floor(diff / 60) + 'm ago';
+                if (diff < 86400) return Math.floor(diff / 3600) + 'h ago';
+                return Math.floor(diff / 86400) + 'd ago';
+            }
+
+            function openSession(name) {
+                if (!NAME_RE.test(name)) { showToast('Invalid name', 'error'); return; }
+                location.search = '?arg=' + encodeURIComponent(name);
+            }
+
+            async function killSession(name) {
+                if (!NAME_RE.test(name)) { showToast('Invalid name', 'error'); return; }
+                if (!confirm('Kill tmux session "' + name + '"? Any running processes inside it will be terminated.')) return;
+                try {
+                    const resp = await fetch(SESSIONS_API + '/' + encodeURIComponent(name), {
+                        method: 'DELETE', credentials: 'same-origin'
+                    });
+                    if (resp.ok) {
+                        showToast('Killed ' + name, 'success');
+                    } else if (resp.status === 404) {
+                        showToast('Session not found', 'error');
+                    } else {
+                        showToast('Kill failed: HTTP ' + resp.status, 'error');
+                    }
+                    renderLobby();
+                } catch (err) {
+                    showToast('Kill error: ' + err.message, 'error');
+                }
+            }
+
+            function renderCard(s) {
+                const card = document.createElement('div');
+                card.className = 'session-card';
+
+                const meta = document.createElement('div');
+                meta.className = 'session-meta';
+                const name = document.createElement('div');
+                name.className = 'session-name';
+                name.textContent = s.name;
+                meta.appendChild(name);
+                const detail = document.createElement('div');
+                detail.className = 'session-detail' + (s.attached > 0 ? ' attached' : '');
+                const attachedText = s.attached > 0 ? (s.attached + ' attached') : 'idle';
+                detail.textContent = attachedText + ' · last activity ' + relativeTime(s.lastActivity);
+                meta.appendChild(detail);
+                card.appendChild(meta);
+
+                const actions = document.createElement('div');
+                actions.className = 'session-actions';
+                const openBtn = document.createElement('button');
+                openBtn.className = 'open';
+                openBtn.textContent = 'Open';
+                openBtn.onclick = () => openSession(s.name);
+                actions.appendChild(openBtn);
+                const killBtn = document.createElement('button');
+                killBtn.className = 'kill';
+                killBtn.textContent = 'Kill';
+                killBtn.onclick = () => killSession(s.name);
+                actions.appendChild(killBtn);
+                card.appendChild(actions);
+
+                return card;
+            }
+
+            async function renderLobby() {
+                try {
+                    const resp = await fetch(SESSIONS_API, { credentials: 'same-origin' });
+                    if (!resp.ok) {
+                        clearChildren(listEl);
+                        listEl.appendChild(emptyState('Failed to load sessions: HTTP ' + resp.status));
+                        return;
+                    }
+                    const sessions = await resp.json();
+                    clearChildren(listEl);
+                    if (sessions.length === 0) {
+                        listEl.appendChild(emptyState('No tmux sessions. Create one above.'));
+                        return;
+                    }
+                    sessions.sort((a, b) => b.lastActivity - a.lastActivity);
+                    for (const s of sessions) listEl.appendChild(renderCard(s));
+                } catch (err) {
+                    clearChildren(listEl);
+                    listEl.appendChild(emptyState('Error: ' + err.message));
+                }
+            }
+
+            newBtnEl.addEventListener('click', () => {
+                const name = newNameEl.value.trim();
+                if (!NAME_RE.test(name)) {
+                    showToast('Name must match ^[a-zA-Z0-9_-]{1,32}$', 'error', 4000);
+                    return;
+                }
+                openSession(name);
+            });
+            newNameEl.addEventListener('keydown', (e) => {
+                if (e.key === 'Enter') newBtnEl.click();
+            });
+
+            renderLobby();
+            setInterval(renderLobby, 5000);
+            return;
+        }
+
+        // ============================================================
+        // TERMINAL MODE — valid ?arg=<session>, attach via ttyd
+        // ============================================================
+
+        // ttyd binary protocol
+        const MSG_OUTPUT    = 0x30; // '0' - terminal output
+        const MSG_SET_PREFS = 0x31; // '1' - JSON preferences
+        const MSG_SET_TITLE = 0x32; // '2' - window title
+        const MSG_INPUT     = '0';  // client → server: input data
+        const MSG_RESIZE    = '1';  // client → server: {columns, rows}
+
+        let ws = null;
+        const textEncoder = new TextEncoder();
+        const textDecoder = new TextDecoder();
+
+        const term = new Terminal({
+            cursorBlink: true,
+            fontFamily: "'JetBrains Mono', 'Fira Code', 'Cascadia Code', Menlo, Monaco, 'Courier New', monospace",
+            fontSize: 15,
+            theme: {
+                background: '#1a1a2e',
+                foreground: '#eee',
+                cursor: '#a29bfe',
+                selectionBackground: 'rgba(162, 155, 254, 0.3)'
+            },
+            allowProposedApi: true
+        });
+
+        const fitAddon = new FitAddon.FitAddon();
+        const webLinksAddon = new WebLinksAddon.WebLinksAddon();
+        term.loadAddon(fitAddon);
+        term.loadAddon(webLinksAddon);
+
+        try {
+            const webglAddon = new WebglAddon.WebglAddon();
+            webglAddon.onContextLoss(() => { webglAddon.dispose(); });
+            term.loadAddon(webglAddon);
+        } catch (e) {
+            console.warn('WebGL addon failed:', e);
+        }
+
+        term.open(document.getElementById('terminal'));
+        fitAddon.fit();
+
+        document.title = 'tmux: ' + validArg;
+
+        function sendInput(data) {
+            if (!ws || ws.readyState !== WebSocket.OPEN) return;
+            const payload = textEncoder.encode(data);
+            const buf = new Uint8Array(payload.length + 1);
+            buf[0] = MSG_INPUT.charCodeAt(0);
+            buf.set(payload, 1);
+            ws.send(buf.buffer);
+        }
+
+        function sendResize() {
+            if (!ws || ws.readyState !== WebSocket.OPEN) return;
+            const json = JSON.stringify({ columns: term.cols, rows: term.rows });
+            const payload = textEncoder.encode(json);
+            const buf = new Uint8Array(payload.length + 1);
+            buf[0] = MSG_RESIZE.charCodeAt(0);
+            buf.set(payload, 1);
+            ws.send(buf.buffer);
+        }
+
+        term.onData(sendInput);
+        term.onBinary((data) => {
+            if (!ws || ws.readyState !== WebSocket.OPEN) return;
+            const bytes = new Uint8Array(data.length + 1);
+            bytes[0] = MSG_INPUT.charCodeAt(0);
+            for (let i = 0; i < data.length; i++) bytes[i + 1] = data.charCodeAt(i);
+            ws.send(bytes.buffer);
+        });
+
+        term.onResize(() => sendResize());
+        window.addEventListener('resize', () => fitAddon.fit());
+
+        term.attachCustomKeyEventHandler((e) => {
+            if ((e.ctrlKey || e.metaKey) && e.key === 'c' && term.hasSelection()) {
+                navigator.clipboard.writeText(term.getSelection());
+                return false;
+            }
+            if ((e.ctrlKey || e.metaKey) && e.key === 'v') {
+                return false; // let browser paste event fire
+            }
+            return true;
+        });
+
+        document.addEventListener('paste', async (e) => {
+            const items = e.clipboardData?.items;
+            if (!items) return;
+
+            for (const item of items) {
+                if (item.type.startsWith('image/')) {
+                    e.preventDefault();
+                    e.stopPropagation();
+
+                    const blob = item.getAsFile();
+                    if (!blob) { showToast('Failed to read image', 'error'); return; }
+
+                    showToast('Uploading image...', '');
+                    try {
+                        const formData = new FormData();
+                        formData.append('image', blob);
+                        const resp = await fetch('/clipboard/upload', { method: 'POST', body: formData });
+                        if (!resp.ok) { showToast('Upload failed: ' + await resp.text(), 'error', 5000); return; }
+                        const { path } = await resp.json();
+                        sendInput(path);
+                        showToast('Pasted: ' + path, 'success', 4000);
+                    } catch (err) {
+                        showToast('Upload error: ' + err.message, 'error', 5000);
+                    }
+                    return;
+                }
+            }
+
+            const text = e.clipboardData.getData('text');
+            if (text) {
+                e.preventDefault();
+                sendInput(text);
+            }
+        }, true);
+
+        document.getElementById('paste-btn').addEventListener('click', async () => {
+            try {
+                if (navigator.clipboard.read) {
+                    const items = await navigator.clipboard.read();
+                    for (const item of items) {
+                        const imageType = item.types.find(t => t.startsWith('image/'));
+                        if (imageType) {
+                            const blob = await item.getType(imageType);
+                            showToast('Uploading image...', '');
+                            const formData = new FormData();
+                            formData.append('image', blob);
+                            const resp = await fetch('/clipboard/upload', { method: 'POST', body: formData });
+                            if (!resp.ok) { showToast('Upload failed: ' + await resp.text(), 'error', 5000); return; }
+                            const { path } = await resp.json();
+                            sendInput(path);
+                            showToast('Pasted: ' + path, 'success', 4000);
+                            return;
+                        }
+                        if (item.types.includes('text/plain')) {
+                            const blob = await item.getType('text/plain');
+                            const text = await blob.text();
+                            if (text) { sendInput(text); return; }
+                        }
+                    }
+                } else {
+                    const text = await navigator.clipboard.readText();
+                    if (text) sendInput(text);
+                }
+            } catch (err) {
+                showToast('Clipboard access denied', 'error', 3000);
+                console.error('Clipboard read failed:', err);
+            }
+            term.focus();
+        });
+
+        document.getElementById('img-btn').addEventListener('click', () => {
+            document.getElementById('img-input').click();
+        });
+        document.getElementById('img-input').addEventListener('change', async (e) => {
+            const file = e.target.files[0];
+            if (!file) return;
+            e.target.value = ''; // reset so same file can be re-selected
+
+            showToast('Uploading image...', '');
+            try {
+                const formData = new FormData();
+                formData.append('image', file);
+                const resp = await fetch('/clipboard/upload', { method: 'POST', body: formData });
+                if (!resp.ok) { showToast('Upload failed: ' + await resp.text(), 'error', 5000); return; }
+                const { path } = await resp.json();
+                sendInput(path);
+                showToast('Pasted: ' + path, 'success', 4000);
+            } catch (err) {
+                showToast('Upload error: ' + err.message, 'error', 5000);
+            }
+            term.focus();
+        });
+
+        function connect() {
+            const proto = location.protocol === 'https:' ? 'wss:' : 'ws:';
+            const argSuffix = '?arg=' + encodeURIComponent(validArg);
+            const base = location.pathname.replace(/\/+$/, '');
+            const wsUrl = proto + '//' + location.host + base + '/ws' + argSuffix;
+
+            fetch(base + '/token' + argSuffix, { credentials: 'same-origin' })
+                .then(r => r.json())
+                .then(tokenData => {
+                    const token = tokenData.token || '';
+                    ws = new WebSocket(wsUrl, ['tty']);
+                    ws.binaryType = 'arraybuffer';
+
+                    ws.onopen = () => {
+                        console.log('Connected to ttyd (session: ' + validArg + ')');
+                        const initMsg = JSON.stringify({
+                            AuthToken: token,
+                            columns: term.cols,
+                            rows: term.rows
+                        });
+                        ws.send(initMsg);
+                    };
+
+                    ws.onmessage = (event) => {
+                        const data = event.data;
+                        if (data instanceof ArrayBuffer) {
+                            const view = new Uint8Array(data);
+                            if (view.length < 1) return;
+                            const msgType = view[0];
+                            const payload = view.slice(1);
+
+                            switch (msgType) {
+                                case MSG_OUTPUT:
+                                    term.write(payload);
+                                    break;
+                                case MSG_SET_PREFS:
+                                    try {
+                                        const prefs = JSON.parse(textDecoder.decode(payload));
+                                        console.log('ttyd prefs:', prefs);
+                                    } catch (e) {}
+                                    break;
+                                case MSG_SET_TITLE:
+                                    document.title = textDecoder.decode(payload);
+                                    break;
+                            }
+                        }
+                    };
+
+                    ws.onclose = () => {
+                        term.write('\r\n\x1b[31mDisconnected. Reconnecting...\x1b[0m\r\n');
+                        setTimeout(connect, 3000);
+                    };
+
+                    ws.onerror = (e) => console.error('WebSocket error:', e);
+                })
+                .catch(err => {
+                    console.error('Token fetch failed:', err);
+                    term.write('\r\n\x1b[31mFailed to connect. Retrying...\x1b[0m\r\n');
+                    setTimeout(connect, 3000);
+                });
+        }
+
+        connect();
+    })();
+    </script>
+</body>
+</html>
diff --git a/stacks/terminal/main.tf b/stacks/terminal/main.tf
index 53f5b9ad..4b7cbd5c 100644
--- a/stacks/terminal/main.tf
+++ b/stacks/terminal/main.tf
@@ -216,3 +216,158 @@ module "ingress_ro" {
     "gethomepage.dev/pod-selector" = ""
   }
 }
+
+# === Multi-session terminal: term.viktorbarzin.me ===
+#
+# Additive lobby UX on a fresh hostname + ports — does not touch the existing
+# terminal.viktorbarzin.me (7681), terminal-ro.viktorbarzin.me (7682) or
+# /clipboard/* (7683) wiring above. DevVM-side units (ttyd-multi.service on
+# port 7685, tmux-api.service on port 7684) ship from
+# files/devvm/ — see files/devvm/README.md.
+
+# Service+Endpoints → ttyd-multi on the DevVM (port 7685).
+resource "kubernetes_service" "terminal_multi" {
+  metadata {
+    name      = "terminal-multi"
+    namespace = kubernetes_namespace.terminal.metadata[0].name
+    labels = {
+      app = "terminal-multi"
+    }
+  }
+
+  spec {
+    port {
+      name        = "http"
+      port        = 80
+      target_port = 7685
+    }
+  }
+}
+
+resource "kubernetes_endpoints" "terminal_multi" {
+  metadata {
+    name      = "terminal-multi"
+    namespace = kubernetes_namespace.terminal.metadata[0].name
+  }
+
+  subset {
+    address {
+      ip = "10.0.10.10"
+    }
+    port {
+      name = "http"
+      port = 7685
+    }
+  }
+}
+
+# Service+Endpoints → tmux-api on the DevVM (port 7684).
+resource "kubernetes_service" "tmux_api" {
+  metadata {
+    name      = "tmux-api"
+    namespace = kubernetes_namespace.terminal.metadata[0].name
+    labels = {
+      app = "tmux-api"
+    }
+  }
+
+  spec {
+    port {
+      name        = "http"
+      port        = 80
+      target_port = 7684
+    }
+  }
+}
+
+resource "kubernetes_endpoints" "tmux_api" {
+  metadata {
+    name      = "tmux-api"
+    namespace = kubernetes_namespace.terminal.metadata[0].name
+  }
+
+  subset {
+    address {
+      ip = "10.0.10.10"
+    }
+    port {
+      name = "http"
+      port = 7684
+    }
+  }
+}
+
+# Public ingress for the lobby + per-session attach.
+# Hostname: term.viktorbarzin.me (via `host = "term"` override).
+module "ingress_multi" {
+  source          = "../../modules/kubernetes/ingress_factory"
+  dns_type        = "proxied"
+  namespace       = kubernetes_namespace.terminal.metadata[0].name
+  name            = "terminal-multi"
+  host            = "term"
+  tls_secret_name = var.tls_secret_name
+  auth            = "required"
+  extra_annotations = {
+    "gethomepage.dev/enabled"      = "true"
+    "gethomepage.dev/name"         = "Terminal (Multi)"
+    "gethomepage.dev/description"  = "Multi-session tmux lobby (ttyd)"
+    "gethomepage.dev/icon"         = "mdi-console"
+    "gethomepage.dev/group"        = "Infrastructure"
+    "gethomepage.dev/pod-selector" = ""
+  }
+}
+
+# IngressRoute: /api/sessions/* on term.viktorbarzin.me → tmux-api service.
+# Path-prefixed routes beat the catch-all module ingress above by
+# specificity, so the lobby HTML reaches tmux-api directly while everything
+# else flows to ttyd-multi.
+resource "kubernetes_manifest" "tmux_api_ingressroute" {
+  manifest = {
+    apiVersion = "traefik.io/v1alpha1"
+    kind       = "IngressRoute"
+    metadata = {
+      name      = "tmux-api"
+      namespace = kubernetes_namespace.terminal.metadata[0].name
+    }
+    spec = {
+      entryPoints = ["websecure"]
+      routes = [{
+        match = "Host(`term.viktorbarzin.me`) && PathPrefix(`/api/sessions/`)"
+        kind  = "Rule"
+        middlewares = [
+          {
+            name      = "authentik-forward-auth"
+            namespace = "traefik"
+          },
+          {
+            name      = "tmux-api-strip-prefix"
+            namespace = kubernetes_namespace.terminal.metadata[0].name
+          }
+        ]
+        services = [{
+          name = "tmux-api"
+          port = 80
+        }]
+      }]
+      tls = {
+        secretName = var.tls_secret_name
+      }
+    }
+  }
+}
+
+resource "kubernetes_manifest" "tmux_api_strip_prefix" {
+  manifest = {
+    apiVersion = "traefik.io/v1alpha1"
+    kind       = "Middleware"
+    metadata = {
+      name      = "tmux-api-strip-prefix"
+      namespace = kubernetes_namespace.terminal.metadata[0].name
+    }
+    spec = {
+      stripPrefix = {
+        prefixes = ["/api/sessions"]
+      }
+    }
+  }
+}
diff --git a/stacks/terminal/tmux-api/go.mod b/stacks/terminal/tmux-api/go.mod
new file mode 100644
index 00000000..94f20b35
--- /dev/null
+++ b/stacks/terminal/tmux-api/go.mod
@@ -0,0 +1,3 @@
+module tmux-api
+
+go 1.21
diff --git a/stacks/terminal/tmux-api/main.go b/stacks/terminal/tmux-api/main.go
new file mode 100644
index 00000000..0a567037
--- /dev/null
+++ b/stacks/terminal/tmux-api/main.go
@@ -0,0 +1,104 @@
+package main
+
+import (
+	"encoding/json"
+	"log"
+	"net/http"
+	"os/exec"
+	"regexp"
+	"strconv"
+	"strings"
+)
+
+const listenAddr = "0.0.0.0:7684"
+
+var sessionNameRe = regexp.MustCompile(`^[a-zA-Z0-9_-]{1,32}$`)
+
+type Session struct {
+	Name         string `json:"name"`
+	Attached     int    `json:"attached"`
+	LastActivity int64  `json:"lastActivity"`
+	Created      int64  `json:"created"`
+}
+
+func main() {
+	http.HandleFunc("/sessions", handleSessions)
+	http.HandleFunc("/sessions/", handleSessionByName)
+	http.HandleFunc("/health", func(w http.ResponseWriter, _ *http.Request) {
+		w.Write([]byte("ok"))
+	})
+
+	log.Printf("tmux-api listening on %s", listenAddr)
+	log.Fatal(http.ListenAndServe(listenAddr, nil))
+}
+
+func handleSessions(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodGet {
+		http.Error(w, "GET only", http.StatusMethodNotAllowed)
+		return
+	}
+
+	out, err := exec.Command(
+		"tmux", "list-sessions", "-F",
+		"#{session_name}|#{session_attached}|#{session_activity}|#{session_created}",
+	).Output()
+
+	w.Header().Set("Content-Type", "application/json")
+
+	// tmux exits non-zero when no server is running or no sessions exist.
+	// Treat both as "empty list" rather than a 500.
+	if err != nil {
+		w.Write([]byte("[]"))
+		return
+	}
+
+	sessions := make([]Session, 0)
+	for _, line := range strings.Split(strings.TrimRight(string(out), "\n"), "\n") {
+		if line == "" {
+			continue
+		}
+		parts := strings.Split(line, "|")
+		if len(parts) != 4 {
+			continue
+		}
+		attached, _ := strconv.Atoi(parts[1])
+		activity, _ := strconv.ParseInt(parts[2], 10, 64)
+		created, _ := strconv.ParseInt(parts[3], 10, 64)
+		sessions = append(sessions, Session{
+			Name:         parts[0],
+			Attached:     attached,
+			LastActivity: activity,
+			Created:      created,
+		})
+	}
+
+	json.NewEncoder(w).Encode(sessions)
+}
+
+func handleSessionByName(w http.ResponseWriter, r *http.Request) {
+	name := strings.TrimPrefix(r.URL.Path, "/sessions/")
+	name = strings.TrimSuffix(name, "/")
+
+	if !sessionNameRe.MatchString(name) {
+		http.Error(w, "invalid session name", http.StatusBadRequest)
+		return
+	}
+
+	if r.Method != http.MethodDelete {
+		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
+	out, err := exec.Command("tmux", "kill-session", "-t", name).CombinedOutput()
+	if err != nil {
+		msg := string(out)
+		if strings.Contains(msg, "can't find session") || strings.Contains(msg, "no server running") {
+			http.Error(w, "session not found", http.StatusNotFound)
+			return
+		}
+		log.Printf("kill-session %s failed: %v: %s", name, err, msg)
+		http.Error(w, "kill-session failed", http.StatusInternalServerError)
+		return
+	}
+	w.WriteHeader(http.StatusNoContent)
+}