diff --git a/CLOUD_SESSION_CRITICAL_FIXES.txt b/CLOUD_SESSION_CRITICAL_FIXES.txt
new file mode 100644
index 0000000..0b391fc
--- /dev/null
+++ b/CLOUD_SESSION_CRITICAL_FIXES.txt
@@ -0,0 +1,82 @@
+Clone https://github.com/dannystocker/navidocs, checkout branch claude/install-run-ssh-01RZPPuRFwrveZKec62363vu (latest build with E2E tests passing), create new branch fix/critical-security-ux, then implement these 8 critical fixes using 8 Haiku agents in parallel (single message with 8 Task tool calls):
+
+SECURITY FIXES (Agents 1-4):
+
+Agent 1 - JWT Secret Enforcement:
+- File: server/services/auth.service.js line 13
+- Change: const JWT_SECRET = process.env.JWT_SECRET || 'your-jwt-secret-here-change-in-production'
+- To: const JWT_SECRET = process.env.JWT_SECRET; if (!JWT_SECRET || JWT_SECRET.length < 32) throw new Error('JWT_SECRET required, min 32 chars');
+- Test: Server should crash on startup without JWT_SECRET
+
+Agent 2 - Document/Image Route Auth:
+- Files: server/routes/documents.js, server/routes/images.js
+- Find all: const userId = req.user?.id || 'test-user-id'
+- Change to: const userId = req.user.userId (and add authenticateToken middleware to routes)
+- Import: import { authenticateToken } from '../middleware/auth.middleware.js'
+- Test: Unauthenticated requests should return 401
+
+Agent 3 - Search/Upload Route Auth:
+- Files: server/routes/search.js, server/routes/upload.js
+- Same pattern: Remove 'test-user-id' fallbacks, add authenticateToken middleware
+- Test: Unauthenticated uploads/searches should return 401
+
+Agent 4 - Stats Route Protection:
+- File: server/routes/stats.js
+- Add: import { authenticateToken, requireSystemAdmin } from '../middleware/auth.middleware.js'
+- Change: router.get('/', async (req, res) => TO router.get('/', authenticateToken, requireSystemAdmin, async (req, res) =>
+- Test: Non-admin requests should return 403
+
+MARINE UX FIXES (Agents 5-8):
+
+Agent 5 - Touch Targets 60px Minimum:
+- Files: client/src/components/TocSidebar.vue, SearchResultsSidebar.vue, TocEntry.vue
+- Find all: width: 20px, width: 32px, width: 40px, height: 20px, height: 32px, height: 40px
+- Change to: min-width: 60px, min-height: 60px, padding: 10px
+- Test: grep -r "width.*px|height.*px" client/src/components/ should show no values under 60px for buttons
+
+Agent 6 - Font Sizes 16px Minimum:
+- Files: client/src/views/SearchView.vue, client/src/components/TocSidebar.vue, SearchResultsSidebar.vue
+- Find all: font-size: 10px, 11px, 12px, 13px, 14px
+- Change to: font-size: 16px minimum
+- Test: grep -r "font-size.*px" client/src/ should show no values under 16px
+
+Agent 7 - ARIA Labels:
+- Scan: grep -r "<button" client/src/ | grep -v "aria-label"
+- Add aria-label to all icon-only buttons
+- Pattern: <button aria-label="Delete item" @click="deleteItem"><TrashIcon aria-hidden="true" /></button>
+- Test: All interactive elements should have descriptive labels
+
+Agent 8 - Image Alt Text:
+- Files: client/src/views/SearchView.vue, client/src/components/FigureZoom.vue
+- Find all: <img :src= without alt attribute
+- Add: :alt="descriptive text"
+- Pattern: <img :src="thumbnail" :alt="title + ' thumbnail'">
+- Test: grep -r "<img" client/src/ | grep -v "alt=" should return 0 results
+
+After all 8 agents complete, run tests:
+- npm audit --production (should be 0 critical/high)
+- npm run build (should succeed)
+- Manual test: Start server without JWT_SECRET (should crash with error)
+- Manual test: Try accessing /api/documents without auth (should 401)
+
+Then commit and push:
+git add .
+git commit -m "Fix 8 critical security and marine UX issues
+
+Security:
+- Enforce JWT_SECRET (no fallback to known default)
+- Require auth on document/image/search/upload/stats routes
+- Remove all test-user-id synthetic user patterns
+
+Marine UX:
+- Increase touch targets to 60px minimum (glove-friendly)
+- Increase fonts to 16px minimum (sunlight-readable)
+- Add ARIA labels to icon-only buttons (accessibility)
+- Add alt text to all images (accessibility)
+
+Source: Codex security review + Gemini UX review
+Blockers: 8 critical issues preventing production deployment
+"
+git push -u origin fix/critical-security-ux
+
+Then report completion with list of files changed and test results.