diff --git a/docs/docs/security/rbac/file-map.md b/docs/docs/security/rbac/file-map.md
index 067a68841c..b5195b64a3 100644
--- a/docs/docs/security/rbac/file-map.md
+++ b/docs/docs/security/rbac/file-map.md
@@ -31,6 +31,7 @@ When you need to change something in the auth path, this table tells you which f
 | Dynamic agents JWT validation & userinfo | `ai_platform_engineering/dynamic_agents/src/dynamic_agents/auth/auth.py` |
 | Dynamic Agents Web UI backend execution proxy auth and UI shell: session/bearer authentication, stable subject and role propagation, `X-User-Context` browser-session fallback when the server-side Keycloak token cache is missing, backend bearer forwarding when available, W3C `traceparent` forwarding, no `OIDC_REQUIRED_DYNAMIC_AGENTS_GROUP`/admin-only UI gate for the Agents page, Conversations tab shown only when OpenFGA admin audit-log access is granted, the Models tab uses the LLM provider credential surface plus the OpenFGA-filtered model list, and conversation-scoped file proxies gated by `dynamic_agent#invoke` | `ui/src/lib/da-proxy.ts`, `ui/src/lib/auth-config.ts`, `ui/src/components/layout/AppHeader.tsx`, `ui/src/app/(app)/dynamic-agents/page.tsx`, `ui/src/app/(app)/dynamic-agents/__tests__/page.test.tsx`, `ui/src/components/dynamic-agents/LLMProvidersTab.tsx`, `ui/src/components/dynamic-agents/__tests__/LLMProvidersTab.test.tsx`, `ui/src/components/layout/__tests__/AppHeader.test.tsx`, `ui/src/app/api/dynamic-agents/conversations/[id]/files/list/route.ts`, `ui/src/app/api/dynamic-agents/conversations/[id]/files/content/route.ts`, `ui/src/lib/__tests__/da-proxy-auth-result.test.ts`, `ui/src/lib/__tests__/auth-config.test.ts` |
 | Dynamic Agents Web UI backend OpenFGA execution, picker, and conversation binding gates: subject-first, email-fallback `can_use agent:<agent_id>` checks for start/invoke/resume/cancel, chat agent selection, subagent selection, and new conversation agent bindings; implicit-owner-or-explicit conversation checks on chat routes; authz trace creation and `openfga_rebac` audit emission | `ui/src/lib/rbac/openfga-agent-authz.ts`, `ui/src/lib/rbac/authz-tracing.ts`, `ui/src/lib/rbac/resource-authz.ts`, `ui/src/lib/rbac/conversation-implicit-authz.ts`, `ui/src/app/api/v1/chat/_conversation-authz.ts`, `ui/src/app/api/dynamic-agents/available/route.ts`, `ui/src/app/api/dynamic-agents/available-subagents/route.ts`, `ui/src/app/api/chat/conversations/route.ts`, `ui/src/lib/rbac/__tests__/resource-authz.test.ts`, `ui/src/lib/rbac/__tests__/openfga-agent-authz.test.ts`, `ui/src/lib/rbac/__tests__/authz-tracing.test.ts`, `ui/src/lib/rbac/__tests__/audit-tracing.test.ts`, `ui/src/app/api/v1/chat/stream/start/route.ts`, `ui/src/app/api/v1/chat/invoke/route.ts`, `ui/src/app/api/v1/chat/stream/resume/route.ts`, `ui/src/app/api/v1/chat/stream/cancel/route.ts`, `ui/src/app/api/v1/chat/__tests__/routes.test.ts`, `ui/src/app/api/dynamic-agents/__tests__/route-rbac.test.ts`, `ui/src/app/api/__tests__/chat-conversations-agent-auth.test.ts` |
+| Chat conversation list sharing metadata — `GET /api/chat/conversations` bounds Mongo candidates, filters through ReBAC, marks `viewer_has_shared_access`, and returns a display-only `access_level` for the sidebar/share-button UX. Direct and team recipients still derive read-only vs edit from `sharing_access` / `sharing.team_permissions`; detail, message, turn, and share routes keep using `requireConversationAccess` for authoritative enforcement. | `ui/src/app/api/chat/conversations/route.ts`, `ui/src/lib/rbac/conversation-implicit-authz.ts`, `ui/src/lib/api-middleware.ts`, `ui/src/components/layout/Sidebar.tsx`, `ui/src/components/chat/ShareButton.tsx`, `ui/src/app/api/__tests__/chat-conversations-client-type.test.ts`, `ui/src/app/api/__tests__/chat-conversations-agent-auth.test.ts`, `ui/src/app/api/__tests__/chat-conversations-remaining-rbac.test.ts`, `ui/e2e/rbac/chat-share-exposed.spec.ts` |
 | Connections & Secrets credential management: feature flag, signed-in-only and `organization:<org>#can_use` page gate, MongoDB envelope store, env/ESO OAuth connector startup bootstrap, browser guardrails for raw retrieval, service-to-service retrieve/exchange APIs with service JWT validation, JWT-`sub` provider-key exchange, future AgentGateway credential injector route, and `secret_ref:provider_connection:<id>#can_use`, browser-safe OAuth profile validators and automatic refresh endpoints that return only redacted provider/refresh metadata, deep-linked user My Secrets/My Connections tabs, user-visible enabled OAuth connector list with Connect/Relink and Check Profile actions, per-user OAuth scope selection at connect time (My Connections "Advanced settings" lets a user narrow within the connector's allowed `scopes`; the connect route accepts `?scopes=`, `startConnection` bounds it via `boundScopes`, and the choice is persisted as `requestedScopes`/`grantedScopes` on `provider_connections` so relink pre-fills it), Dynamic Agents LLM provider credentials saved as OpenFGA-governed credential secrets, OpenFGA-backed global admin secret metadata management with per-secret row-level audit details, deep-linked OAuth connector/admin secret tabs, Dynamic Agents MCP provider credential-ref resolution, and Jira MCP provider-token header consumption | `ui/src/lib/feature-flags/credentials.ts`, `ui/src/lib/credentials/`, `ui/src/lib/seed-config.ts`, `ui/src/app/(app)/credentials/page.tsx`, `ui/src/app/(app)/credentials/__tests__/page.test.tsx`, `ui/src/app/api/credentials/`, `ui/src/app/api/credentials/inject/[provider]/route.ts`, `ui/src/app/api/credentials/inject/[provider]/__tests__/route.test.ts`, `ui/src/app/api/credentials/connections/[connection_id]/profile/route.ts`, `ui/src/app/api/credentials/connections/[connection_id]/profile/__tests__/route.test.ts`, `ui/src/app/api/credentials/connections/[connection_id]/refresh/route.ts`, `ui/src/app/api/credentials/connections/[connection_id]/refresh/__tests__/route.test.ts`, `ui/src/app/api/admin/credentials/secrets/route.ts`, `ui/src/app/api/admin/credentials/secrets/[secret_id]/route.ts`, `ui/src/app/api/admin/credentials/oauth-connectors/route.ts`, `ui/src/app/api/admin/credentials/oauth-connectors/[connector_id]/route.ts`, `ui/src/app/api/admin/credentials/audit/route.ts`, `ui/src/components/credentials/`, `ui/src/components/dynamic-agents/LLMProvidersTab.tsx`, `docker-compose.dev.yaml`, `docker-compose.yaml`, `charts/ai-platform-engineering/charts/caipe-ui/values.yaml`, `charts/ai-platform-engineering/values.yaml`, `ai_platform_engineering/dynamic_agents/src/dynamic_agents/services/credential_exchange.py`, `ai_platform_engineering/dynamic_agents/src/dynamic_agents/services/mcp_client.py`, `ai_platform_engineering/dynamic_agents/src/dynamic_agents/models.py`, `ai_platform_engineering/agents/jira/mcp/mcp_jira/api/client.py`, `ai_platform_engineering/agents/jira/mcp/tests/test_client.py` |
 | Remaining OpenFGA cutovers for conversations, skills, workflow runs, MCP servers, and RAG tools: shared/search/trash conversation candidate filtering, conversation share/pin/archive/restore resource checks, skill nested route/import authorization, workflow-run parent-config checks, self-service `mcp_server` owner/team tuples, and concrete RAG `tool` checks | `ui/src/app/api/chat/shared/route.ts`, `ui/src/app/api/chat/search/route.ts`, `ui/src/app/api/chat/conversations/trash/route.ts`, `ui/src/app/api/chat/conversations/[id]/share/route.ts`, `ui/src/app/api/chat/conversations/[id]/pin/route.ts`, `ui/src/app/api/chat/conversations/[id]/archive/route.ts`, `ui/src/app/api/chat/conversations/[id]/restore/route.ts`, `ui/src/app/api/__tests__/chat-conversations-remaining-rbac.test.ts`, `ui/src/lib/agent-skill-visibility.ts`, `ui/src/app/api/skills/configs/route.ts`, `ui/src/app/api/skills/configs/import-zip/route.ts`, `ui/src/app/api/skills/configs/[id]/revisions/route.ts`, `ui/src/app/api/skills/configs/[id]/revisions/[revisionId]/route.ts`, `ui/src/app/api/skills/configs/[id]/revisions/[revisionId]/restore/route.ts`, `ui/src/app/api/skills/configs/[id]/export/route.ts`, `ui/src/app/api/skills/configs/[id]/clone/route.ts`, `ui/src/app/api/__tests__/agent-skill-subroutes-rbac.test.ts`, `ui/src/app/api/skills/configs/__tests__/route-rbac.test.ts`, `ui/src/app/api/skills/configs/import-zip/__tests__/route.test.ts`, `ui/src/app/api/workflow-runs/route.ts`, `ui/src/app/api/workflow-runs/[id]/resume/route.ts`, `ui/src/app/api/workflow-runs/[id]/cancel/route.ts`, `ui/src/app/api/__tests__/workflow-runs-rbac.test.ts`, `ui/src/app/api/mcp-servers/route.ts`, `ui/src/lib/rbac/openfga-owned-resources.ts`, `ui/src/app/api/__tests__/mcp-servers-rbac.test.ts`, `ui/src/app/api/rag/tools/route.ts`, `ui/src/app/api/rag/tools/[toolId]/route.ts` |
 | Web UI message/metadata persistence — forwards cookie-session or first-party bearer access tokens to the backend and uses implicit-owner-or-explicit conversation read/write checks, including Slack OBO thread metadata updates | `ui/src/app/api/chat/conversations/[id]/messages/route.ts`, `ui/src/app/api/chat/conversations/[id]/metadata/route.ts`, `ui/src/app/api/__tests__/chat-conversation-metadata-auth.test.ts`, `ui/src/app/api/__tests__/owner-id-denormalization.test.ts` |
diff --git a/ui/e2e/rbac/_helpers.ts b/ui/e2e/rbac/_helpers.ts
index 45cf44e9dd..0d0216a892 100644
--- a/ui/e2e/rbac/_helpers.ts
+++ b/ui/e2e/rbac/_helpers.ts
@@ -22,21 +22,40 @@ type TestCredentials = {
 type ChatBootMocksOptions = {
   conversationId?: string;
   ownerEmail?: string;
+  title?: string;
   /** When true (default), GET /api/chat/conversations returns the fixture conversation. */
   seedExistingConversation?: boolean;
   /** Artificial delay for the conversation list GET (simulates Sidebar + /chat racing). */
   conversationListDelayMs?: number;
   /** When set, seeds an agent participant on the conversation fixture. */
   agentId?: string;
+  sharing?: {
+    is_public?: boolean;
+    public_permission?: "view" | "comment";
+    shared_with?: string[];
+    shared_with_teams?: string[];
+    team_permissions?: Record<string, "view" | "comment">;
+    share_link_enabled?: boolean;
+  };
+  viewerHasSharedAccess?: boolean;
+  accessLevel?: "owner" | "shared" | "shared_readonly" | "admin_audit";
   onConversationListRequest?: (url: URL) => void;
   onConversationCreate?: () => void;
 };
 
-function chatConversationFixture(id: string, ownerEmail: string, agentId?: string) {
+function chatConversationFixture(
+  id: string,
+  ownerEmail: string,
+  agentId?: string,
+  options: Pick<
+    ChatBootMocksOptions,
+    "accessLevel" | "sharing" | "title" | "viewerHasSharedAccess"
+  > = {},
+) {
   const now = new Date().toISOString();
   return {
     _id: id,
-    title: "RBAC E2E Conversation",
+    title: options.title ?? "RBAC E2E Conversation",
     client_type: "webui",
     owner_id: ownerEmail,
     participants: agentId ? [{ type: "agent", id: agentId }] : [],
@@ -48,7 +67,10 @@ function chatConversationFixture(id: string, ownerEmail: string, agentId?: strin
       shared_with: [],
       shared_with_teams: [],
       share_link_enabled: false,
+      ...options.sharing,
     },
+    viewer_has_shared_access: options.viewerHasSharedAccess,
+    access_level: options.accessLevel,
     tags: [],
     is_archived: false,
     is_pinned: false,
@@ -63,19 +85,81 @@ export async function installChatBootMocks(
 ): Promise<void> {
   const conversationId = options.conversationId ?? "rbac-e2e-conversation";
   const ownerEmail = options.ownerEmail ?? env.user.email;
-  const conversation = chatConversationFixture(conversationId, ownerEmail, options.agentId);
+  const conversation = chatConversationFixture(conversationId, ownerEmail, options.agentId, {
+    accessLevel: options.accessLevel,
+    sharing: options.sharing,
+    title: options.title,
+    viewerHasSharedAccess: options.viewerHasSharedAccess,
+  });
   const seedExistingConversation = options.seedExistingConversation !== false;
   const conversationListDelayMs = options.conversationListDelayMs ?? 0;
   let created = seedExistingConversation;
+  const directSharePermission = options.accessLevel === "shared_readonly" ? "view" : "comment";
 
   await page.route("**/api/admin/platform-config", async (route) => {
     await route.fulfill({
       status: 200,
       contentType: "application/json",
-      body: JSON.stringify({ success: true, data: { default_agent_id: null } }),
+      body: JSON.stringify({
+        success: true,
+        data: {
+          default_agent_id: options.agentId ?? null,
+          release_notes: { enabled: false },
+        },
+      }),
     });
   });
 
+  if (options.agentId) {
+    const agent = {
+      _id: options.agentId,
+      name: "RBAC E2E Agent",
+      description: "Mocked dynamic agent for chat browser regressions",
+      enabled: true,
+      skills: [],
+      ui: {},
+    };
+
+    await page.route("**/api/dynamic-agents**", async (route) => {
+      const request = route.request();
+      const requestUrl = new URL(request.url());
+      const method = request.method();
+      const path = requestUrl.pathname;
+
+      if (path === "/api/dynamic-agents/available" && method === "GET") {
+        await route.fulfill({
+          status: 200,
+          contentType: "application/json",
+          body: JSON.stringify({ success: true, data: [agent] }),
+        });
+        return;
+      }
+
+      if (path === `/api/dynamic-agents/agents/${options.agentId}` && method === "GET") {
+        await route.fulfill({
+          status: 200,
+          contentType: "application/json",
+          body: JSON.stringify({ success: true, data: agent }),
+        });
+        return;
+      }
+
+      if (path === "/api/dynamic-agents" && method === "GET") {
+        await route.fulfill({
+          status: 200,
+          contentType: "application/json",
+          body: JSON.stringify({
+            success: true,
+            data: { items: [agent], total: 1, page: 1, page_size: 20 },
+          }),
+        });
+        return;
+      }
+
+      await route.continue();
+    });
+  }
+
   await page.route("**/api/chat/conversations**", async (route) => {
     const request = route.request();
     const requestUrl = new URL(request.url());
@@ -128,6 +212,27 @@ export async function installChatBootMocks(
       return;
     }
 
+    if (path === `/api/chat/conversations/${conversationId}/share` && method === "GET") {
+      await route.fulfill({
+        status: 200,
+        contentType: "application/json",
+        body: JSON.stringify({
+          success: true,
+          data: {
+            sharing: conversation.sharing,
+            access_list: (conversation.sharing.shared_with ?? []).map((email: string) => ({
+              conversation_id: conversationId,
+              granted_by: ownerEmail,
+              granted_to: email,
+              permission: directSharePermission,
+              granted_at: new Date().toISOString(),
+            })),
+          },
+        }),
+      });
+      return;
+    }
+
     if (
       (path === `/api/chat/conversations/${conversationId}/turns` ||
         path === `/api/chat/conversations/${conversationId}/messages`) &&
diff --git a/ui/e2e/rbac/chat-navigation-regression.spec.ts b/ui/e2e/rbac/chat-navigation-regression.spec.ts
index 80ccc1773d..b49fb24b6f 100644
--- a/ui/e2e/rbac/chat-navigation-regression.spec.ts
+++ b/ui/e2e/rbac/chat-navigation-regression.spec.ts
@@ -14,6 +14,8 @@ const CHAT_MEMBER_SESSION = {
   email: "member@caipe.local",
   subject: "playwright-chat-member-sub",
 };
+const CHAT_AGENT_ID = "agent-rbac-e2e";
+const SHARED_OWNER_EMAIL = "owner@caipe.local";
 
 function minimalSessionEnv() {
   return {
@@ -30,7 +32,10 @@ async function bootChatSession(
 ) {
   test.skip(!process.env.NEXTAUTH_SECRET, "NEXTAUTH_SECRET required for chat navigation SSR.");
   const env = minimalSessionEnv();
-  await installChatBootMocks(page, env, options);
+  await installChatBootMocks(page, env, {
+    agentId: CHAT_AGENT_ID,
+    ...options,
+  });
   await installTestSession(page, env, {
     email: CHAT_MEMBER_SESSION.email,
     subject: CHAT_MEMBER_SESSION.subject,
@@ -68,6 +73,87 @@ test.describe("mocked RBAC e2e — chat navigation regression", () => {
     expect(createCallCount).toBe(0);
   });
 
+  test("copies the link for read-only shared conversation recipients", async ({
+    context,
+    page,
+  }) => {
+    const conversationId = "rbac-shared-recipient-conv";
+    const conversationTitle = "Readonly Shared Recipient Sidebar Chat";
+    const sharedByText = `Shared by ${SHARED_OWNER_EMAIL}`;
+    const env = await bootChatSession(page, {
+      accessLevel: "shared_readonly",
+      conversationId,
+      ownerEmail: SHARED_OWNER_EMAIL,
+      sharing: { shared_with: [CHAT_MEMBER_SESSION.email] },
+      title: conversationTitle,
+      viewerHasSharedAccess: true,
+    });
+
+    await context.grantPermissions(["clipboard-read", "clipboard-write"], {
+      origin: env.baseUrl,
+    });
+
+    await page.goto(`/chat/${conversationId}`, { waitUntil: "domcontentloaded" });
+    await dismissReleaseUpgradeDialog(page);
+
+    const sidebarConversationTitle = page.getByTitle(conversationTitle);
+    await expect(sidebarConversationTitle).toBeVisible();
+
+    const recipientShareButton = page.getByRole("button", { name: sharedByText });
+    await expect(recipientShareButton).toBeVisible();
+    await recipientShareButton.hover({ force: true });
+
+    await expect(page.getByText(sharedByText)).toBeVisible();
+    await expect(page.getByText("Click to copy link")).toBeVisible();
+
+    await recipientShareButton.click({ force: true });
+    await expect(page.getByText("Link copied")).toBeVisible();
+    await expect(page.getByRole("dialog", { name: /shared conversation/i })).toHaveCount(0);
+
+    const copiedUrl = await page.evaluate(() => navigator.clipboard.readText());
+    expect(copiedUrl).toBe(`${env.baseUrl}/chat/${conversationId}`);
+  });
+
+  test("opens sharing details for edit-mode shared conversation recipients", async ({
+    page,
+  }) => {
+    const conversationId = "rbac-edit-shared-recipient-conv";
+    const conversationTitle = "Edit Shared Recipient Sidebar Chat";
+    const sharedByText = `Shared by ${SHARED_OWNER_EMAIL}`;
+    const env = await bootChatSession(page, {
+      accessLevel: "shared",
+      conversationId,
+      ownerEmail: SHARED_OWNER_EMAIL,
+      sharing: { shared_with: [CHAT_MEMBER_SESSION.email] },
+      title: conversationTitle,
+      viewerHasSharedAccess: true,
+    });
+
+    await page.goto(`/chat/${conversationId}`, { waitUntil: "domcontentloaded" });
+    await dismissReleaseUpgradeDialog(page);
+
+    const sidebarConversationTitle = page.getByTitle(conversationTitle);
+    await expect(sidebarConversationTitle).toBeVisible();
+
+    const recipientShareButton = page.getByRole("button", { name: sharedByText });
+    await expect(recipientShareButton).toBeVisible();
+    await recipientShareButton.hover({ force: true });
+
+    await expect(page.getByText(sharedByText)).toBeVisible();
+    await expect(page.getByText("Click to copy link")).toHaveCount(0);
+
+    await recipientShareButton.click({ force: true });
+    const dialog = page.getByRole("dialog", { name: "Shared Conversation" });
+    await expect(dialog).toBeVisible();
+    await expect(dialog.getByText("Shared by")).toBeVisible();
+    await expect(dialog.getByText(SHARED_OWNER_EMAIL)).toBeVisible();
+    await expect(dialog.getByText("Share Link")).toBeVisible();
+    await expect(dialog.locator('input[readonly]').first()).toHaveValue(`${env.baseUrl}/chat/${conversationId}`);
+    await expect(dialog.getByText("Can edit")).toBeVisible();
+    await expect(dialog.getByPlaceholder("Search by email or team name...")).toHaveCount(0);
+    await expect(dialog.getByRole("switch", { name: "Share with everyone" })).toHaveCount(0);
+  });
+
   test("waits for a slow conversation list fetch instead of creating a duplicate chat", async ({
     page,
   }) => {
diff --git a/ui/e2e/rbac/chat-share-exposed.spec.ts b/ui/e2e/rbac/chat-share-exposed.spec.ts
index 53dec6f2bf..d49554b371 100644
--- a/ui/e2e/rbac/chat-share-exposed.spec.ts
+++ b/ui/e2e/rbac/chat-share-exposed.spec.ts
@@ -14,13 +14,15 @@
  *   - Private conversations that should never be shared are not displayed
  *   - API requests are made with correct scoping parameters
  *   - Empty states render per tab when there are no matching conversations
+ *   - Related list/search/trash endpoints do not expose unshared private chats
+ *   - The grant API rejects conversation discovery grants to everyone
  *
  * All API calls are mocked so no live backend is required.
  * Enable with: RUN_RBAC_REGRESSION=1 npx playwright test --config=playwright.rbac.config.ts
  */
 
-import { expect, test } from "@playwright/test";
-import { fulfillJson, installMockedRbacApp, mockedRbacEnabled } from "./_mocked-rbac";
+import { expect, test, type Page } from "@playwright/test";
+import { fulfillJson, installMockedRbacApp, mockedRbacEnabled, postJson } from "./_mocked-rbac";
 
 // ─── Fixtures ────────────────────────────────────────────────────────────────
 
@@ -58,7 +60,27 @@ function makeConversation(
   };
 }
 
-function paginatedResponse(items: ReturnType<typeof makeConversation>[]) {
+type ConversationFixture = ReturnType<typeof makeConversation>;
+
+type ApiResult<T = unknown> = {
+  status: number;
+  body: T;
+};
+
+type ConversationListBody = {
+  success?: boolean;
+  data?: {
+    items?: ConversationFixture[];
+  };
+};
+
+type GrantRequestBody = {
+  resource?: { type?: string; id?: string };
+  grantee?: { type?: string; id?: string };
+  capability?: string;
+};
+
+function paginatedResponse(items: ConversationFixture[]) {
   return {
     success: true,
     data: { items, total: items.length, page: 1, page_size: 20 },
@@ -68,15 +90,52 @@ function paginatedResponse(items: ReturnType<typeof makeConversation>[]) {
 // ─── Helpers ─────────────────────────────────────────────────────────────────
 
 type SharedApiOptions = {
-  items?: ReturnType<typeof makeConversation>[];
+  items?: ConversationFixture[];
+  conversationItems?: ConversationFixture[];
+  searchItems?: ConversationFixture[];
+  trashItems?: ConversationFixture[];
   onRequest?: (url: URL) => void;
+  onConversationRequest?: (url: URL) => void;
+  onSearchRequest?: (url: URL) => void;
+  onTrashRequest?: (url: URL) => void;
 };
 
+async function fetchJson<T = unknown>(page: Page, path: string, init?: RequestInit): Promise<ApiResult<T>> {
+  return page.evaluate(
+    async ({ path: requestPath, init: requestInit }) => {
+      const response = await fetch(requestPath, requestInit);
+      let body: unknown = null;
+      try {
+        body = await response.json();
+      } catch {
+        body = await response.text();
+      }
+      return { status: response.status, body };
+    },
+    { path, init },
+  ) as Promise<ApiResult<T>>;
+}
+
+async function postJsonFromPage<T = unknown>(
+  page: Page,
+  path: string,
+  body: unknown,
+): Promise<ApiResult<T>> {
+  return fetchJson<T>(page, path, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify(body),
+  });
+}
+
 async function installHomePageMocks(
   page: Parameters<typeof installMockedRbacApp>[0],
   options: SharedApiOptions = {},
 ) {
   const sharedItems = options.items ?? [];
+  const conversationItems = options.conversationItems ?? [];
+  const searchItems = options.searchItems ?? [];
+  const trashItems = options.trashItems ?? [];
 
   // Force MongoDB storage mode so the SharedConversations section renders.
   // The server injects __APP_CONFIG__ via an inline <script> in <head> based
@@ -118,7 +177,38 @@ async function installHomePageMocks(
           return true;
         }
         if (path === "/api/chat/conversations" && method === "GET") {
-          await fulfillJson(route, paginatedResponse([]));
+          options.onConversationRequest?.(new URL(route.request().url()));
+          await fulfillJson(route, paginatedResponse(conversationItems));
+          return true;
+        }
+        if (path === "/api/chat/search" && method === "GET") {
+          options.onSearchRequest?.(new URL(route.request().url()));
+          await fulfillJson(route, paginatedResponse(searchItems));
+          return true;
+        }
+        if (path === "/api/chat/conversations/trash" && method === "GET") {
+          options.onTrashRequest?.(new URL(route.request().url()));
+          await fulfillJson(route, paginatedResponse(trashItems));
+          return true;
+        }
+        if (path === "/api/authz/v1/grants" && method === "POST") {
+          const body = await postJson(route) as GrantRequestBody | null;
+          if (
+            body?.resource?.type === "conversation" &&
+            body?.grantee?.type === "everyone" &&
+            body.capability === "discover"
+          ) {
+            await fulfillJson(
+              route,
+              {
+                error: "everyone grants are limited to low-risk resource capabilities",
+                code: "INVALID_REQUEST",
+              },
+              400,
+            );
+            return true;
+          }
+          await fulfillJson(route, { success: true });
           return true;
         }
         if (path === "/api/users/me/stats") {
@@ -261,6 +351,95 @@ test.describe("issue #1979 — shared conversations exposure regression", () =>
     await expect(page.getByText(ownConv.title)).not.toBeVisible();
   });
 
+  // ── Private visibility regression — normal list/search/trash ─────────────
+
+  test("recent chats only render scoped conversation candidates", async ({ page }) => {
+    const ownedConv = makeConversation("conv-owned", "Owned Private Conversation", {}, CALLER_EMAIL);
+    const teamCandidate = makeConversation("conv-team-candidate", "Team Candidate Conversation", {
+      shared_with_teams: ["team-visible"],
+    });
+    const unsharedPrivate = makeConversation("conv-unshared-private", "Unshared Private Conversation");
+    let conversationApiCallCount = 0;
+
+    // assisted-by Codex Codex-sonnet-4-6
+    // Route-level tests verify the Mongo candidate query; this covers the browser contract it feeds.
+    await installHomePageMocks(page, {
+      conversationItems: [ownedConv, teamCandidate],
+      onConversationRequest: () => {
+        conversationApiCallCount++;
+      },
+    });
+
+    await page.goto("/", { waitUntil: "domcontentloaded" });
+
+    await expect(page.getByTestId("recent-chats")).toBeVisible({ timeout: 10_000 });
+    await expect(page.getByText(ownedConv.title)).toBeVisible();
+    await expect(page.getByText(teamCandidate.title)).toBeVisible();
+    await expect(page.getByText(unsharedPrivate.title)).not.toBeVisible();
+    await expect.poll(() => conversationApiCallCount).toBeGreaterThan(0);
+  });
+
+  test("search and trash APIs do not return unshared private conversations", async ({ page }) => {
+    const publicConv = makeConversation("conv-public-search", "Public Search Result", {
+      is_public: true,
+    });
+    const ownedTrash = makeConversation("conv-owned-trash", "Owned Trash Result", {}, CALLER_EMAIL);
+    const unsharedPrivate = makeConversation("conv-private-search", "Private Search Result");
+    let searchRequest: URL | null = null;
+    let trashRequest: URL | null = null;
+
+    await installHomePageMocks(page, {
+      searchItems: [publicConv],
+      trashItems: [ownedTrash],
+      onSearchRequest: (url) => {
+        searchRequest = url;
+      },
+      onTrashRequest: (url) => {
+        trashRequest = url;
+      },
+    });
+
+    await page.goto("/", { waitUntil: "domcontentloaded" });
+
+    const search = await fetchJson<ConversationListBody>(
+      page,
+      "/api/chat/search?q=Private%20Search&page_size=20",
+    );
+    const searchTitles = search.body.data?.items?.map((item) => item.title) ?? [];
+
+    expect(search.status, JSON.stringify(search.body)).toBe(200);
+    expect(searchTitles).toContain(publicConv.title);
+    expect(searchTitles).not.toContain(unsharedPrivate.title);
+    expect(searchRequest?.searchParams.get("q")).toBe("Private Search");
+
+    const trash = await fetchJson<ConversationListBody>(page, "/api/chat/conversations/trash?page_size=20");
+    const trashTitles = trash.body.data?.items?.map((item) => item.title) ?? [];
+
+    expect(trash.status, JSON.stringify(trash.body)).toBe(200);
+    expect(trashTitles).toContain(ownedTrash.title);
+    expect(trashTitles).not.toContain(unsharedPrivate.title);
+    expect(trashRequest?.searchParams.get("page_size")).toBe("20");
+  });
+
+  test("rejects conversation discover grants to everyone", async ({ page }) => {
+    await installHomePageMocks(page);
+    await page.goto("/", { waitUntil: "domcontentloaded" });
+
+    const result = await postJsonFromPage<{ error?: string; code?: string }>(
+      page,
+      "/api/authz/v1/grants",
+      {
+        resource: { type: "conversation", id: "conv-unshared-private" },
+        grantee: { type: "everyone" },
+        capability: "discover",
+      },
+    );
+
+    expect(result.status, JSON.stringify(result.body)).toBe(400);
+    expect(result.body.code).toBe("INVALID_REQUEST");
+    expect(result.body.error).toContain("everyone grants are limited");
+  });
+
   // ── Tab filtering ─────────────────────────────────────────────────────────
 
   test("Shared with me tab is active by default", async ({ page }) => {
diff --git a/ui/src/app/(app)/chat/[uuid]/__tests__/page.test.tsx b/ui/src/app/(app)/chat/[uuid]/__tests__/page.test.tsx
index 2d678f529f..0ea76ba784 100644
--- a/ui/src/app/(app)/chat/[uuid]/__tests__/page.test.tsx
+++ b/ui/src/app/(app)/chat/[uuid]/__tests__/page.test.tsx
@@ -748,6 +748,48 @@ describe("ChatContainer", () => {
     expect(addedConv.title).toBe("From MongoDB");
   });
 
+  it("preserves sharing metadata when a shared conversation is opened directly", async () => {
+    // assisted-by Codex Codex-sonnet-4-6
+    // Direct URL loads bypass the list route, so this metadata must survive the detail fetch.
+    const sharing = {
+      is_public: false,
+      shared_with: [],
+      shared_with_teams: [],
+      share_link_enabled: true,
+    };
+    const findAddedConversation = () =>
+      mockConversations.find((conversation) => conversation.id === mockUuid) as
+        | { owner_id?: string; sharing?: typeof sharing; accessLevel?: string }
+        | undefined;
+
+    render(<ChatContainer />);
+
+    resolveGetConversation({
+      _id: mockUuid,
+      title: "Direct Shared Conversation",
+      owner_id: "owner@example.com",
+      created_at: new Date().toISOString(),
+      updated_at: new Date().toISOString(),
+      participants: [{ type: "agent", id: "agent-1" }],
+      sharing,
+      access_level: "shared_readonly",
+    });
+
+    await waitFor(() => {
+      expect(findAddedConversation()).toBeDefined();
+    });
+
+    await waitFor(() => {
+      expect(mockLoadMessagesFromServer).toHaveBeenCalledWith(mockUuid);
+    });
+    resolveLoadMessages();
+
+    const addedConv = findAddedConversation();
+    expect(addedConv?.owner_id).toBe("owner@example.com");
+    expect(addedConv?.accessLevel).toBe("shared_readonly");
+    expect(addedConv?.sharing).toEqual(sharing);
+  });
+
   it("adds fallback conversation to store when MongoDB returns 404", async () => {
     // eslint-disable-next-line @typescript-eslint/no-require-imports
     const { useChatStore } = require("@/store/chat-store");
diff --git a/ui/src/app/api/__tests__/admin-audit-access.test.ts b/ui/src/app/api/__tests__/admin-audit-access.test.ts
index 1c4865601a..6dee5d7eed 100644
--- a/ui/src/app/api/__tests__/admin-audit-access.test.ts
+++ b/ui/src/app/api/__tests__/admin-audit-access.test.ts
@@ -130,6 +130,58 @@ describe('requireConversationAccess — admin audit', () => {
     expect(result.conversation).toEqual(conv);
   });
 
+  it('returns access_level owner for case-insensitive owner email matches', async () => {
+    const conv = {
+      _id: CONV_ID,
+      owner_id: 'Owner@Example.com',
+      title: 'Test',
+      sharing: { shared_with: ['owner@example.com'], shared_with_teams: [] },
+    };
+    const convsCol = createMockCollection();
+    convsCol.findOne.mockResolvedValue(conv);
+    mockCollections['conversations'] = convsCol;
+
+    const sharingAccessCol = createMockCollection();
+    sharingAccessCol.findOne.mockResolvedValue({ permission: 'view' });
+    mockCollections['sharing_access'] = sharingAccessCol;
+
+    const result = await requireConversationAccess(
+      CONV_ID,
+      'owner@example.com',
+      mockGetCollection
+    );
+
+    expect(result.access_level).toBe('owner');
+    expect(sharingAccessCol.findOne).not.toHaveBeenCalled();
+  });
+
+  it('returns access_level owner when owner_subject matches the session subject', async () => {
+    const conv = {
+      _id: CONV_ID,
+      owner_id: 'legacy-owner@example.com',
+      owner_subject: 'owner-subject',
+      title: 'Test',
+      sharing: { shared_with: ['viewer@example.com'], shared_with_teams: [] },
+    };
+    const convsCol = createMockCollection();
+    convsCol.findOne.mockResolvedValue(conv);
+    mockCollections['conversations'] = convsCol;
+
+    const sharingAccessCol = createMockCollection();
+    sharingAccessCol.findOne.mockResolvedValue({ permission: 'view' });
+    mockCollections['sharing_access'] = sharingAccessCol;
+
+    const result = await requireConversationAccess(
+      CONV_ID,
+      'viewer@example.com',
+      mockGetCollection,
+      { sub: 'owner-subject' }
+    );
+
+    expect(result.access_level).toBe('owner');
+    expect(sharingAccessCol.findOne).not.toHaveBeenCalled();
+  });
+
   it('returns access_level shared when user is in shared_with', async () => {
     const conv = {
       _id: CONV_ID,
diff --git a/ui/src/app/api/__tests__/chat-conversations-agent-auth.test.ts b/ui/src/app/api/__tests__/chat-conversations-agent-auth.test.ts
index 5a9a2eb911..12f1dec4cb 100644
--- a/ui/src/app/api/__tests__/chat-conversations-agent-auth.test.ts
+++ b/ui/src/app/api/__tests__/chat-conversations-agent-auth.test.ts
@@ -56,6 +56,19 @@ jest.mock("@/lib/mongodb", () => ({
 }));
 
 jest.mock("@/lib/rbac/conversation-implicit-authz", () => ({
+  annotateConversationsWithViewerSharing: (_session: unknown, userEmail: string, items: Array<{ owner_id?: string }>) =>
+    items.map((item) => ({
+      ...item,
+      viewer_has_shared_access: item.owner_id?.toLowerCase() !== userEmail.toLowerCase(),
+    })),
+  conversationVisibilityCandidateQuery: (userEmail: string) => ({
+    $or: [
+      { owner_id: userEmail },
+      { "sharing.is_public": true },
+      { "sharing.shared_with": userEmail },
+      { "sharing.shared_with_teams.0": { $exists: true } },
+    ],
+  }),
   filterConversationsByImplicitOrExplicitPermission: (...args: unknown[]) =>
     mockFilterConversationsByImplicitOrExplicitPermission(...args),
 }));
@@ -87,7 +100,7 @@ describe("POST /api/chat/conversations agent authorization", () => {
     );
   });
 
-  it("lists candidate conversations without legacy team prefiltering before OpenFGA filtering", async () => {
+  it("lists bounded conversation candidates before OpenFGA filtering", async () => {
     const candidate = {
       _id: "conv-openfga-only",
       title: "OpenFGA Only",
@@ -109,8 +122,17 @@ describe("POST /api/chat/conversations agent authorization", () => {
     expect(response.status).toBe(200);
     expect(mockGetUserTeamIds).not.toHaveBeenCalled();
     expect(countDocuments).toHaveBeenCalledWith(
-      expect.not.objectContaining({
-        $or: expect.any(Array),
+      expect.objectContaining({
+        $and: expect.arrayContaining([
+          {
+            $or: [
+              { owner_id: "alice@example.com" },
+              { "sharing.is_public": true },
+              { "sharing.shared_with": "alice@example.com" },
+              { "sharing.shared_with_teams.0": { $exists: true } },
+            ],
+          },
+        ]),
       }),
     );
     expect(mockFilterConversationsByImplicitOrExplicitPermission).toHaveBeenCalledWith(
diff --git a/ui/src/app/api/__tests__/chat-conversations-client-type.test.ts b/ui/src/app/api/__tests__/chat-conversations-client-type.test.ts
index 25b55285ae..2917e4ec7c 100644
--- a/ui/src/app/api/__tests__/chat-conversations-client-type.test.ts
+++ b/ui/src/app/api/__tests__/chat-conversations-client-type.test.ts
@@ -19,6 +19,11 @@ jest.mock('@/lib/config', () => ({
   getConfig: (key: string) => key === 'ssoEnabled',
 }));
 
+jest.mock('@/lib/authz', () => ({
+  authorize: jest.fn().mockResolvedValue({ decision: 'DENY' }),
+  authorizeMany: jest.fn().mockResolvedValue(new Map()),
+}));
+
 const mockCollections: Record<string, any> = {};
 const mockGetCollection = jest.fn((name: string) => {
   if (!mockCollections[name]) {
@@ -65,12 +70,18 @@ function userSession(email = 'user@example.com') {
 
 function resetMocks() {
   mockGetServerSession.mockReset();
+  authorizeMany.mockReset();
+  authorizeMany.mockResolvedValue(new Map());
   mockGetCollection.mockClear();
   Object.keys(mockCollections).forEach((key) => delete mockCollections[key]);
 }
 
 import { GET } from '../chat/conversations/route';
 
+const { authorizeMany } = jest.requireMock('@/lib/authz') as {
+  authorizeMany: jest.Mock;
+};
+
 describe('GET /api/chat/conversations — client_type filtering', () => {
   beforeEach(resetMocks);
 
@@ -156,6 +167,75 @@ describe('GET /api/chat/conversations — client_type filtering', () => {
     });
   });
 
+  it('marks shared recipient rows in the conversations list response', async () => {
+    mockGetServerSession.mockResolvedValue({
+      ...userSession('viewer@example.com'),
+      sub: 'viewer-sub',
+    });
+    authorizeMany.mockResolvedValue(new Map([
+      ['shared-recipient-conv', { decision: 'ALLOW' }],
+    ]));
+
+    const conversationsCol = createMockCollection();
+    conversationsCol.countDocuments.mockResolvedValue(2);
+    conversationsCol.find.mockReturnValue({
+      sort: jest.fn().mockReturnValue({
+        skip: jest.fn().mockReturnValue({
+          limit: jest.fn().mockReturnValue({
+            toArray: jest.fn().mockResolvedValue([
+              {
+                _id: 'owned-conv',
+                title: 'Owned conversation',
+                owner_id: 'viewer@example.com',
+                created_at: new Date(),
+                updated_at: new Date(),
+                metadata: { total_messages: 0 },
+                sharing: { is_public: false, shared_with: [], shared_with_teams: [], share_link_enabled: false },
+                tags: [],
+                is_archived: false,
+                is_pinned: false,
+              },
+              {
+                _id: 'shared-recipient-conv',
+                title: 'Shared recipient conversation',
+                owner_id: 'owner@example.com',
+                created_at: new Date(),
+                updated_at: new Date(),
+                metadata: { total_messages: 0 },
+                sharing: {
+                  is_public: false,
+                  shared_with: ['viewer@example.com'],
+                  shared_with_teams: [],
+                  share_link_enabled: false,
+                },
+                tags: [],
+                is_archived: false,
+                is_pinned: false,
+              },
+            ]),
+          }),
+        }),
+      }),
+    });
+    mockCollections['conversations'] = conversationsCol;
+
+    const req = makeRequest('/api/chat/conversations?page_size=100');
+    const res = await GET(req);
+    const body = await res.json();
+
+    expect(res.status).toBe(200);
+    expect(body.data.items).toEqual(expect.arrayContaining([
+      expect.objectContaining({
+        _id: 'owned-conv',
+        viewer_has_shared_access: false,
+      }),
+      expect.objectContaining({
+        _id: 'shared-recipient-conv',
+        viewer_has_shared_access: true,
+      }),
+    ]));
+  });
+
   it('enriches conversation agent participants with display names', async () => {
     mockGetServerSession.mockResolvedValue(userSession());
 
diff --git a/ui/src/app/api/__tests__/chat-conversations-remaining-rbac.test.ts b/ui/src/app/api/__tests__/chat-conversations-remaining-rbac.test.ts
index 216dd33075..ed8963f8f3 100644
--- a/ui/src/app/api/__tests__/chat-conversations-remaining-rbac.test.ts
+++ b/ui/src/app/api/__tests__/chat-conversations-remaining-rbac.test.ts
@@ -28,6 +28,7 @@ jest.mock("@/lib/api-middleware", () => {
   const session = { sub: "alice-sub", role: "user" };
   return {
     ApiError,
+    getAuthFromBearerOrSession: async () => ({ user, session }),
     getPaginationParams: () => ({ page: 1, pageSize: 20, skip: 0 }),
     getUserTeamIds: (...args: unknown[]) => mockGetUserTeamIds(...args),
     paginatedResponse: (items: unknown[], total: number, page: number, pageSize: number) =>
@@ -55,6 +56,19 @@ jest.mock("@/lib/api-middleware", () => {
 });
 
 jest.mock("@/lib/rbac/conversation-implicit-authz", () => ({
+  annotateConversationsWithViewerSharing: (_session: unknown, userEmail: string, items: Array<{ owner_id?: string }>) =>
+    items.map((item) => ({
+      ...item,
+      viewer_has_shared_access: item.owner_id?.toLowerCase() !== userEmail.toLowerCase(),
+    })),
+  conversationVisibilityCandidateQuery: (userEmail: string) => ({
+    $or: [
+      { owner_id: userEmail },
+      { "sharing.is_public": true },
+      { "sharing.shared_with": userEmail },
+      { "sharing.shared_with_teams.0": { $exists: true } },
+    ],
+  }),
   filterConversationsByImplicitOrExplicitPermission: (...args: unknown[]) =>
     mockFilterConversationsByImplicitOrExplicitPermission(...args),
   requireConversationResourcePermission: (...args: unknown[]) =>
@@ -138,7 +152,39 @@ describe("remaining conversation routes use OpenFGA instead of legacy owner/team
     );
   });
 
-  it("search conversations applies text filters before OpenFGA without owner/shared prefilters", async () => {
+  it("conversation list prefilters owned and sharing-configured candidates before OpenFGA authorization", async () => {
+    const candidate = conversation({ owner_id: "alice@example.com" });
+    const conversations = collectionWithItems([candidate]);
+    mockGetCollection.mockImplementation(async (name: string) => {
+      if (name === "conversations") return conversations;
+      return collectionWithItems([]);
+    });
+    const { GET } = await import("../chat/conversations/route");
+
+    const response = await GET(request("/api/chat/conversations"));
+
+    expect(response.status).toBe(200);
+    const mongoQuery = conversations.find.mock.calls[0][0];
+    expect(mongoQuery.$and).toEqual(
+      expect.arrayContaining([
+        {
+          $or: [
+            { owner_id: "alice@example.com" },
+            { "sharing.is_public": true },
+            { "sharing.shared_with": "alice@example.com" },
+            { "sharing.shared_with_teams.0": { $exists: true } },
+          ],
+        },
+      ]),
+    );
+    expect(mockFilterConversationsByImplicitOrExplicitPermission).toHaveBeenCalledWith(
+      expect.objectContaining({ sub: "alice-sub" }),
+      "alice@example.com",
+      [candidate],
+    );
+  });
+
+  it("search conversations applies candidate and text filters before OpenFGA", async () => {
     const candidate = conversation({ title: "needle" });
     const conversations = collectionWithItems([candidate]);
     mockGetCollection.mockResolvedValue(conversations);
@@ -148,12 +194,16 @@ describe("remaining conversation routes use OpenFGA instead of legacy owner/team
 
     expect(response.status).toBe(200);
     const mongoQuery = conversations.find.mock.calls[0][0];
-    expect(mongoQuery).not.toHaveProperty("$or", [
-      { owner_id: "alice@example.com" },
-      { "sharing.shared_with": "alice@example.com" },
-    ]);
     expect(mongoQuery.$and).toEqual(
       expect.arrayContaining([
+        {
+          $or: [
+            { owner_id: "alice@example.com" },
+            { "sharing.is_public": true },
+            { "sharing.shared_with": "alice@example.com" },
+            { "sharing.shared_with_teams.0": { $exists: true } },
+          ],
+        },
         expect.objectContaining({
           $or: expect.arrayContaining([expect.objectContaining({ title: expect.any(Object) })]),
         }),
@@ -166,7 +216,7 @@ describe("remaining conversation routes use OpenFGA instead of legacy owner/team
     );
   });
 
-  it("trash listing is filtered by OpenFGA instead of owner_id", async () => {
+  it("trash listing is bounded to owned and sharing-configured candidates before OpenFGA", async () => {
     const deleted = conversation({ deleted_at: new Date() });
     const conversations = collectionWithItems([deleted]);
     mockGetCollection.mockImplementation(async (name: string) => {
@@ -179,7 +229,19 @@ describe("remaining conversation routes use OpenFGA instead of legacy owner/team
 
     expect(response.status).toBe(200);
     const listQuery = conversations.find.mock.calls[1][0];
-    expect(listQuery).not.toHaveProperty("owner_id");
+    expect(listQuery.$and).toEqual(
+      expect.arrayContaining([
+        { deleted_at: { $exists: true, $ne: null } },
+        {
+          $or: [
+            { owner_id: "alice@example.com" },
+            { "sharing.is_public": true },
+            { "sharing.shared_with": "alice@example.com" },
+            { "sharing.shared_with_teams.0": { $exists: true } },
+          ],
+        },
+      ]),
+    );
     expect(mockFilterConversationsByImplicitOrExplicitPermission).toHaveBeenCalledWith(
       expect.objectContaining({ sub: "alice-sub" }),
       "alice@example.com",
diff --git a/ui/src/app/api/__tests__/chat-conversations-sa-grant.test.ts b/ui/src/app/api/__tests__/chat-conversations-sa-grant.test.ts
index 42e7d8ef5e..027f94ab56 100644
--- a/ui/src/app/api/__tests__/chat-conversations-sa-grant.test.ts
+++ b/ui/src/app/api/__tests__/chat-conversations-sa-grant.test.ts
@@ -64,6 +64,14 @@ jest.mock("@/lib/mongodb", () => ({
 }));
 
 jest.mock("@/lib/rbac/conversation-implicit-authz", () => ({
+  conversationVisibilityCandidateQuery: (userEmail: string) => ({
+    $or: [
+      { owner_id: userEmail },
+      { "sharing.is_public": true },
+      { "sharing.shared_with": userEmail },
+      { "sharing.shared_with_teams.0": { $exists: true } },
+    ],
+  }),
   filterConversationsByImplicitOrExplicitPermission: (...args: unknown[]) =>
     mockFilterConversationsByImplicitOrExplicitPermission(...args),
 }));
diff --git a/ui/src/app/api/__tests__/chat-sharing-public.test.ts b/ui/src/app/api/__tests__/chat-sharing-public.test.ts
index 22303a1f99..afbee585d6 100644
--- a/ui/src/app/api/__tests__/chat-sharing-public.test.ts
+++ b/ui/src/app/api/__tests__/chat-sharing-public.test.ts
@@ -539,12 +539,7 @@ describe('GET /api/chat/conversations — public conversations', () => {
     GET = mod.GET;
   });
 
-  // Spec 098-enterprise-rbac removed the per-user `$or` (owner_id /
-  // sharing.shared_with / sharing.is_public) from
-  // `/api/chat/conversations`. Visibility is now decided by the ReBAC
-  // post-filter (`filterConversationsByImplicitOrExplicitPermission`),
-  // so the Mongo query no longer references legacy sharing fields.
-  it('does NOT include legacy is_public/sharing predicates in the Mongo query', async () => {
+  it('prefilters owned and explicitly shared/public candidates before ReBAC', async () => {
     mockGetServerSession.mockResolvedValue(userSession(VIEWER_EMAIL));
 
     const teamsCol = createMockCollection();
@@ -563,9 +558,16 @@ describe('GET /api/chat/conversations — public conversations', () => {
     await GET(req);
 
     const findCall = convsCol.find.mock.calls[0][0];
-    const serialized = JSON.stringify(findCall);
-    expect(serialized).not.toContain('sharing.is_public');
-    expect(serialized).not.toContain('sharing.shared_with');
+    expect(findCall.$and).toEqual(expect.arrayContaining([
+      {
+        $or: [
+          { owner_id: VIEWER_EMAIL },
+          { 'sharing.is_public': true },
+          { 'sharing.shared_with': VIEWER_EMAIL },
+          { 'sharing.shared_with_teams.0': { $exists: true } },
+        ],
+      },
+    ]));
   });
 
   it('keeps a stable $and query regardless of caller identity', async () => {
@@ -588,7 +590,14 @@ describe('GET /api/chat/conversations — public conversations', () => {
 
     const findCall = convsCol.find.mock.calls[0][0];
     expect(findCall.$and).toBeDefined();
-    expect(JSON.stringify(findCall)).not.toContain('sharing.is_public');
+    expect(findCall.$and).toEqual(expect.arrayContaining([
+      expect.objectContaining({
+        $or: expect.arrayContaining([
+          { 'sharing.is_public': true },
+          { 'sharing.shared_with': VIEWER_EMAIL },
+        ]),
+      }),
+    ]));
   });
 });
 
diff --git a/ui/src/app/api/__tests__/chat-sharing-readonly.test.ts b/ui/src/app/api/__tests__/chat-sharing-readonly.test.ts
index e07ddfbb7f..1ef4a22187 100644
--- a/ui/src/app/api/__tests__/chat-sharing-readonly.test.ts
+++ b/ui/src/app/api/__tests__/chat-sharing-readonly.test.ts
@@ -64,8 +64,10 @@ const mockCheckOpenFgaTuple = jest.fn().mockImplementation(async (tuple: { relat
   const allowed = new Set(['can_read', 'can_discover', 'can_write', 'can_use', 'can_chat']);
   return { allowed: allowed.has(tuple?.relation ?? '') };
 });
+const mockWriteOpenFgaTuples = jest.fn().mockResolvedValue({ enabled: true, writes: 0, deletes: 0 });
 jest.mock('@/lib/rbac/openfga', () => ({
   checkOpenFgaTuple: (...args: unknown[]) => mockCheckOpenFgaTuple(...args),
+  writeOpenFgaTuples: (...args: unknown[]) => mockWriteOpenFgaTuples(...args),
 }));
 
 jest.mock('@/lib/rbac/resource-authz', () => ({
@@ -686,4 +688,53 @@ describe('POST /api/chat/conversations/[id]/share — permission storage', () =>
     const updateCall = convsCol.updateOne.mock.calls[0][1];
     expect(updateCall.$set['sharing.team_permissions']).toEqual({ [teamIdStr]: 'view' });
   });
+
+  it('stores canonical team slugs and writes team conversation grants', async () => {
+    const teamObjId = new ObjectId();
+    const teamIdStr = teamObjId.toHexString();
+
+    const conv = makeConversation({
+      sharing: { shared_with: [], shared_with_teams: [] },
+    });
+
+    const convsCol = createMockCollection();
+    convsCol.findOne
+      .mockResolvedValueOnce(conv)
+      .mockResolvedValue({ ...conv });
+    mockCollections['conversations'] = convsCol;
+
+    const teamsCol = createMockCollection();
+    teamsCol.findOne.mockResolvedValue({ _id: teamObjId, slug: 'platform', name: 'Platform' });
+    mockCollections['teams'] = teamsCol;
+
+    mockGetServerSession.mockResolvedValue({
+      user: { email: OWNER_EMAIL, name: 'Owner' },
+      sub: 'owner-sub',
+    });
+
+    const { POST } = await import('@/app/api/chat/conversations/[id]/share/route');
+
+    const req = new NextRequest(`http://localhost/api/chat/conversations/${TEST_CONV_ID}/share`, {
+      method: 'POST',
+      body: JSON.stringify({
+        team_ids: [teamIdStr],
+        permission: 'comment',
+      }),
+      headers: { 'Content-Type': 'application/json' },
+    });
+
+    const res = await POST(req, { params: Promise.resolve({ id: conv._id }) });
+
+    expect(res.status).toBe(200);
+    const updateCall = convsCol.updateOne.mock.calls[0][1];
+    expect(updateCall.$set['sharing.shared_with_teams']).toEqual(['platform']);
+    expect(updateCall.$set['sharing.team_permissions']).toEqual({ platform: 'comment' });
+    expect(mockWriteOpenFgaTuples).toHaveBeenCalledWith({
+      writes: expect.arrayContaining([
+        { user: 'team:platform#member', relation: 'reader', object: `conversation:${conv._id}` },
+        { user: 'team:platform#member', relation: 'writer', object: `conversation:${conv._id}` },
+      ]),
+      deletes: [],
+    });
+  });
 });
diff --git a/ui/src/app/api/__tests__/chat-sharing-teams.test.ts b/ui/src/app/api/__tests__/chat-sharing-teams.test.ts
index 47935ef353..f944607500 100644
--- a/ui/src/app/api/__tests__/chat-sharing-teams.test.ts
+++ b/ui/src/app/api/__tests__/chat-sharing-teams.test.ts
@@ -180,7 +180,43 @@ describe('getUserTeamIds', () => {
     const result = await getUserTeamIds(MEMBER_EMAIL);
 
     expect(result).toEqual([TEAM_ID_1.toString(), TEAM_ID_2.toString()]);
-    expect(teamsCol.find).toHaveBeenCalledWith({ 'members.user_id': MEMBER_EMAIL });
+    expect(teamsCol.find).toHaveBeenCalledWith({
+      $or: [{ 'members.user_id': MEMBER_EMAIL }],
+    });
+  });
+
+  it('returns canonical team ids and slugs from team_membership_sources', async () => {
+    const sourcesCol = createMockCollection();
+    sourcesCol.find.mockReturnValue({
+      project: jest.fn().mockReturnValue({
+        toArray: jest.fn().mockResolvedValue([
+          { team_id: TEAM_ID_1.toString(), team_slug: 'platform' },
+          { team_id: TEAM_ID_2.toString(), team_slug: 'sre' },
+        ]),
+      }),
+    });
+    mockCollections['team_membership_sources'] = sourcesCol;
+
+    const teamsCol = createMockCollection();
+    teamsCol.find.mockReturnValue({
+      project: jest.fn().mockReturnValue({
+        toArray: jest.fn().mockResolvedValue([]),
+      }),
+    });
+    mockCollections['teams'] = teamsCol;
+
+    const result = await getUserTeamIds(MEMBER_EMAIL);
+
+    expect(result).toEqual([
+      TEAM_ID_1.toString(),
+      'platform',
+      TEAM_ID_2.toString(),
+      'sre',
+    ]);
+    expect(sourcesCol.find).toHaveBeenCalledWith({
+      status: 'active',
+      user_email: MEMBER_EMAIL,
+    });
   });
 
   it('returns empty array when user has no teams', async () => {
@@ -276,6 +312,34 @@ describe('requireConversationAccess — team-based access', () => {
     expect(result.access_level).toBe('shared');
   });
 
+  it('grants access when user belongs to a canonically shared team slug', async () => {
+    const conv = makeConversation({
+      sharing: {
+        shared_with: [],
+        shared_with_teams: ['platform'],
+      },
+    });
+    const convsCol = createMockCollection();
+    convsCol.findOne.mockResolvedValue(conv);
+    mockCollections['conversations'] = convsCol;
+
+    const sourcesCol = createMockCollection();
+    sourcesCol.find.mockReturnValue({
+      project: jest.fn().mockReturnValue({
+        toArray: jest.fn().mockResolvedValue([
+          { team_id: TEAM_ID_1.toString(), team_slug: 'platform' },
+        ]),
+      }),
+    });
+    mockCollections['team_membership_sources'] = sourcesCol;
+
+    const result = await requireConversationAccess(conv._id, MEMBER_EMAIL, mockGetCollection);
+
+    expect(result).toBeDefined();
+    expect(result.conversation._id).toBe(conv._id);
+    expect(result.access_level).toBe('shared');
+  });
+
   it('denies access when user does not belong to any shared team', async () => {
     const conv = makeConversation({
       sharing: {
@@ -433,14 +497,7 @@ describe('GET /api/chat/conversations — team sharing', () => {
     GET = mod.GET;
   });
 
-  // Spec 098-enterprise-rbac moved team-share visibility out of the Mongo
-  // query and into a ReBAC post-filter. The route now fetches non-deleted
-  // candidates and lets `filterConversationsByImplicitOrExplicitPermission`
-  // decide visibility, so the legacy `$or` over `sharing.shared_with_*` is
-  // intentionally gone. These tests now assert the new contract: the query
-  // no longer leaks legacy sharing predicates regardless of the caller's
-  // team memberships.
-  it('does NOT include legacy shared_with_teams predicates in the Mongo query', async () => {
+  it('prefilters owned and sharing-configured candidates before ReBAC', async () => {
     mockGetServerSession.mockResolvedValue(userSession(MEMBER_EMAIL));
 
     const teamsCol = createMockCollection();
@@ -459,12 +516,19 @@ describe('GET /api/chat/conversations — team sharing', () => {
     await GET(req);
 
     const findCall = convsCol.find.mock.calls[0][0];
-    const serialized = JSON.stringify(findCall);
-    expect(serialized).not.toContain('shared_with_teams');
-    expect(serialized).not.toContain('shared_with');
+    expect(findCall.$and).toEqual(expect.arrayContaining([
+      {
+        $or: [
+          { owner_id: MEMBER_EMAIL },
+          { 'sharing.is_public': true },
+          { 'sharing.shared_with': MEMBER_EMAIL },
+          { 'sharing.shared_with_teams.0': { $exists: true } },
+        ],
+      },
+    ]));
   });
 
-  it('does NOT include legacy shared_with predicates when user has no teams', async () => {
+  it('uses the same bounded candidate shape when user has no teams', async () => {
     mockGetServerSession.mockResolvedValue(userSession(NON_MEMBER_EMAIL));
 
     const teamsCol = createMockCollection();
@@ -483,7 +547,16 @@ describe('GET /api/chat/conversations — team sharing', () => {
     await GET(req);
 
     const findCall = convsCol.find.mock.calls[0][0];
-    expect(JSON.stringify(findCall)).not.toContain('shared_with');
+    expect(findCall.$and).toEqual(expect.arrayContaining([
+      expect.objectContaining({
+        $or: [
+          { owner_id: NON_MEMBER_EMAIL },
+          { 'sharing.is_public': true },
+          { 'sharing.shared_with': NON_MEMBER_EMAIL },
+          { 'sharing.shared_with_teams.0': { $exists: true } },
+        ],
+      }),
+    ]));
   });
 
   it('does not branch query shape on the number of teams (ReBAC does the filtering)', async () => {
@@ -508,7 +581,13 @@ describe('GET /api/chat/conversations — team sharing', () => {
     await GET(req);
 
     const findCall = convsCol.find.mock.calls[0][0];
-    expect(JSON.stringify(findCall)).not.toContain('shared_with_teams');
+    expect(findCall.$and).toEqual(expect.arrayContaining([
+      expect.objectContaining({
+        $or: expect.arrayContaining([
+          { 'sharing.shared_with_teams.0': { $exists: true } },
+        ]),
+      }),
+    ]));
   });
 
   it('still excludes soft-deleted conversations', async () => {
diff --git a/ui/src/app/api/chat/conversations/[id]/share/route.ts b/ui/src/app/api/chat/conversations/[id]/share/route.ts
index daf8b018f3..1ef3ef5619 100644
--- a/ui/src/app/api/chat/conversations/[id]/share/route.ts
+++ b/ui/src/app/api/chat/conversations/[id]/share/route.ts
@@ -4,6 +4,7 @@
 
 import {
 ApiError,
+requireConversationAccess,
 successResponse,
 validateEmail,
 validateUUID,
@@ -12,10 +13,110 @@ withErrorHandler
 } from '@/lib/api-middleware';
 import { getCollection } from '@/lib/mongodb';
 import { requireConversationResourcePermission } from '@/lib/rbac/conversation-implicit-authz';
+import { writeOpenFgaTuples, type OpenFgaTupleKey } from '@/lib/rbac/openfga';
 import type { Conversation,ShareConversationRequest,SharingAccess } from '@/types/mongodb';
 import { ObjectId } from 'mongodb';
 import { NextRequest } from 'next/server';
 
+type SharePermission = 'view' | 'comment';
+
+interface TeamShareDocument {
+  _id?: unknown;
+  slug?: string;
+  name?: string;
+}
+
+interface ResolvedTeamShare {
+  shareRef: string;
+  subjectRef: string;
+  aliases: string[];
+}
+
+function uniqueStrings(values: string[]): string[] {
+  return Array.from(new Set(values.map((value) => value.trim()).filter(Boolean)));
+}
+
+function teamLookupFilter(teamRef: string): Record<string, unknown> {
+  const clauses: Record<string, unknown>[] = [
+    { slug: teamRef },
+    { _id: teamRef },
+  ];
+  if (ObjectId.isValid(teamRef)) {
+    clauses.push({ _id: new ObjectId(teamRef) });
+  }
+  return { $or: clauses };
+}
+
+async function resolveTeamShares(teamRefs: string[]): Promise<ResolvedTeamShare[]> {
+  const teams = await getCollection<TeamShareDocument>('teams');
+  const resolved: ResolvedTeamShare[] = [];
+
+  for (const rawRef of uniqueStrings(teamRefs)) {
+    const team = await teams.findOne(teamLookupFilter(rawRef));
+    if (!team) {
+      throw new ApiError(`Team not found: ${rawRef}`, 404);
+    }
+
+    const id = team._id !== undefined && team._id !== null ? String(team._id) : rawRef;
+    const slug = typeof team.slug === 'string' ? team.slug.trim() : '';
+    // assisted-by Codex Codex-sonnet-4-6
+    // Store canonical slugs for new team shares, while accepting legacy Mongo _id refs.
+    const shareRef = slug || id;
+
+    resolved.push({
+      shareRef,
+      subjectRef: slug || id,
+      aliases: uniqueStrings([rawRef, id, slug]),
+    });
+  }
+
+  return resolved;
+}
+
+function canonicalizeSharedTeamRefs(existingRefs: string[], resolvedTeams: ResolvedTeamShare[]): string[] {
+  const next: string[] = [];
+  for (const existingRef of existingRefs) {
+    const ref = String(existingRef).trim();
+    if (!ref) continue;
+    const resolved = resolvedTeams.find((team) => team.aliases.includes(ref));
+    next.push(resolved?.shareRef ?? ref);
+  }
+  next.push(...resolvedTeams.map((team) => team.shareRef));
+  return uniqueStrings(next);
+}
+
+function mergeTeamPermissions(
+  existing: Record<string, SharePermission> | undefined,
+  resolvedTeams: ResolvedTeamShare[],
+  permission: SharePermission,
+): Record<string, SharePermission> {
+  const next: Record<string, SharePermission> = {};
+  for (const [ref, value] of Object.entries(existing || {})) {
+    const resolved = resolvedTeams.find((team) => team.aliases.includes(ref));
+    next[resolved?.shareRef ?? ref] = value;
+  }
+  for (const team of resolvedTeams) {
+    next[team.shareRef] = permission;
+  }
+  return next;
+}
+
+function teamConversationGrantTuples(
+  conversationId: string,
+  resolvedTeams: ResolvedTeamShare[],
+  permission: SharePermission,
+): OpenFgaTupleKey[] {
+  const tuples: OpenFgaTupleKey[] = [];
+  for (const team of resolvedTeams) {
+    const user = `team:${team.subjectRef}#member`;
+    tuples.push({ user, relation: 'reader', object: `conversation:${conversationId}` });
+    if (permission === 'comment') {
+      tuples.push({ user, relation: 'writer', object: `conversation:${conversationId}` });
+    }
+  }
+  return tuples;
+}
+
 // GET /api/chat/conversations/[id]/share
 export const GET = withErrorHandler(async (
   request: NextRequest,
@@ -29,14 +130,12 @@ export const GET = withErrorHandler(async (
       throw new ApiError('Invalid conversation ID format', 400);
     }
 
-    const conversations = await getCollection<Conversation>('conversations');
-    const conversation = await conversations.findOne({ _id: conversationId });
-
-    if (!conversation) {
-      throw new ApiError('Conversation not found', 404);
-    }
-
-    await requireConversationResourcePermission(session, user.email, conversation, 'share');
+    const { conversation } = await requireConversationAccess(
+      conversationId,
+      user.email,
+      getCollection,
+      session,
+    );
 
     const sharingAccess = await getCollection<SharingAccess>('sharing_access');
     const accessList = await sharingAccess
@@ -78,6 +177,9 @@ export const POST = withErrorHandler(async (
     if ((hasUsers || hasTeams) && !body.permission) {
       throw new ApiError('permission is required when sharing with users or teams', 400);
     }
+    if (body.permission && !['view', 'comment'].includes(body.permission)) {
+      throw new ApiError('permission must be "view" or "comment"', 400);
+    }
 
     const conversations = await getCollection<Conversation>('conversations');
     const conversation = await conversations.findOne({ _id: conversationId });
@@ -126,18 +228,8 @@ export const POST = withErrorHandler(async (
 
     // Handle team sharing
     if (body.team_ids && body.team_ids.length > 0) {
-      // Validate team IDs exist
-      const teams = await getCollection('teams');
-      for (const teamId of body.team_ids) {
-        // Convert string teamId to ObjectId for MongoDB query
-        if (!ObjectId.isValid(teamId)) {
-          throw new ApiError(`Invalid team ID format: ${teamId}`, 400);
-        }
-        const team = await teams.findOne({ _id: new ObjectId(teamId) });
-        if (!team) {
-          throw new ApiError(`Team not found: ${teamId}`, 404);
-        }
-      }
+      const resolvedTeams = await resolveTeamShares(body.team_ids);
+      const permission = body.permission as SharePermission;
 
       // Initialize sharing object if it doesn't exist
       if (!conversation.sharing) {
@@ -146,15 +238,23 @@ export const POST = withErrorHandler(async (
 
       // Update conversation shared_with_teams
       const existingSharedWithTeams = conversation.sharing?.shared_with_teams || [];
-      update['sharing.shared_with_teams'] = [...new Set([...existingSharedWithTeams, ...body.team_ids])];
+      update['sharing.shared_with_teams'] = canonicalizeSharedTeamRefs(existingSharedWithTeams, resolvedTeams);
 
       // Store per-team permission
-      const existingTeamPerms = conversation.sharing?.team_permissions || {};
-      const newTeamPerms = { ...existingTeamPerms };
-      for (const teamId of body.team_ids) {
-        newTeamPerms[teamId] = body.permission;
+      update['sharing.team_permissions'] = mergeTeamPermissions(
+        conversation.sharing?.team_permissions,
+        resolvedTeams,
+        permission,
+      );
+
+      const grantTuples = teamConversationGrantTuples(conversationId, resolvedTeams, permission);
+      if (grantTuples.length > 0) {
+        try {
+          await writeOpenFgaTuples({ writes: grantTuples, deletes: [] });
+        } catch (err) {
+          console.warn('[chat/share] Team conversation grant write failed (best-effort):', err);
+        }
       }
-      update['sharing.team_permissions'] = newTeamPerms;
     }
 
     if (body.is_public !== undefined) {
diff --git a/ui/src/app/api/chat/conversations/route.ts b/ui/src/app/api/chat/conversations/route.ts
index 97e8f812fb..435c2e9e1c 100644
--- a/ui/src/app/api/chat/conversations/route.ts
+++ b/ui/src/app/api/chat/conversations/route.ts
@@ -2,36 +2,131 @@
 // POST /api/chat/conversations - Create new conversation (or return existing via upsert)
 
 import {
-getAuthFromBearerOrSession,
-getPaginationParams,
-paginatedResponse,
-successResponse,
-validateRequired,
-withErrorHandler,
+  getAuthFromBearerOrSession,
+  getPaginationParams,
+  getUserTeamIds,
+  paginatedResponse,
+  successResponse,
+  validateRequired,
+  withErrorHandler,
 } from '@/lib/api-middleware';
-import { getCollection,isMongoDBConfigured } from '@/lib/mongodb';
-import { filterConversationsByImplicitOrExplicitPermission } from '@/lib/rbac/conversation-implicit-authz';
+import type { ConversationAccessLevel } from '@/lib/api-middleware';
+import { getCollection, isMongoDBConfigured } from '@/lib/mongodb';
+import {
+  annotateConversationsWithViewerSharing,
+  conversationVisibilityCandidateQuery,
+  filterConversationsByImplicitOrExplicitPermission,
+} from '@/lib/rbac/conversation-implicit-authz';
 import { requireAgentUsePermission } from '@/lib/rbac/openfga-agent-authz';
 import { writeOpenFgaTuples } from '@/lib/rbac/openfga';
 import { buildParticipants } from '@/types/a2a';
-import type { ClientType,Conversation,CreateConversationRequest } from '@/types/mongodb';
+import type { ClientType, Conversation, CreateConversationRequest } from '@/types/mongodb';
 import { VALID_CLIENT_TYPES } from '@/types/mongodb';
-import { NextRequest,NextResponse } from 'next/server';
+import { NextRequest, NextResponse } from 'next/server';
 import { v4 as uuidv4 } from 'uuid';
 import packageJson from '../../../../../package.json';
 
-type ConversationWithAgentDisplay = Conversation & {
+type ConversationWithAgentDisplay<T extends Conversation = Conversation> = T & {
   agent_id?: string;
   agent_name?: string;
 };
 
+function normalizeIdentity(value: unknown): string {
+  return typeof value === 'string' ? value.trim().toLowerCase() : '';
+}
+
+function permissionToAccessLevel(permission: unknown): ConversationAccessLevel {
+  return permission === 'view' ? 'shared_readonly' : 'shared';
+}
+
+function isListConversationOwner(
+  conversation: Pick<Conversation, 'owner_id' | 'owner_subject'>,
+  userEmail: string,
+  session?: { sub?: unknown },
+): boolean {
+  const subject = typeof session?.sub === 'string' ? session.sub.trim() : '';
+  if (subject && conversation.owner_subject === subject) return true;
+  return Boolean(
+    normalizeIdentity(userEmail) &&
+    normalizeIdentity(conversation.owner_id) === normalizeIdentity(userEmail),
+  );
+}
+
+async function getDirectSharePermission(
+  conversationId: string,
+  userEmail: string,
+): Promise<'view' | 'comment' | undefined> {
+  try {
+    const sharingAccess = await getCollection<{ permission?: 'view' | 'comment' }>('sharing_access');
+    const normalizedEmail = normalizeIdentity(userEmail);
+    const identities = Array.from(new Set([userEmail, normalizedEmail].filter(Boolean)));
+    const accessRecord = await sharingAccess.findOne({
+      conversation_id: conversationId,
+      granted_to: { $in: identities },
+      revoked_at: null,
+    });
+    return accessRecord?.permission;
+  } catch {
+    return undefined;
+  }
+}
+
+async function getTeamSharePermission(
+  conversation: Conversation,
+  userEmail: string,
+): Promise<'view' | 'comment' | undefined> {
+  const sharedTeams = conversation.sharing?.shared_with_teams;
+  if (!sharedTeams?.length) return undefined;
+
+  try {
+    const userTeamIds = await getUserTeamIds(userEmail);
+    const matchedTeamId = sharedTeams.find((teamId) => userTeamIds.includes(teamId));
+    if (!matchedTeamId) return undefined;
+    return conversation.sharing?.team_permissions?.[matchedTeamId] ?? 'comment';
+  } catch {
+    return undefined;
+  }
+}
+
+async function resolveListConversationAccessLevel(
+  conversation: Conversation,
+  userEmail: string,
+  session?: { role?: unknown; sub?: unknown },
+): Promise<ConversationAccessLevel> {
+  // assisted-by Codex Codex-sonnet-4-6
+  // The list already passed ReBAC filtering; derive display-level access without refetching the row.
+  if (isListConversationOwner(conversation, userEmail, session)) return 'owner';
+
+  if (conversation.sharing?.is_public) {
+    return permissionToAccessLevel(conversation.sharing.public_permission ?? 'view');
+  }
+
+  const normalizedEmail = normalizeIdentity(userEmail);
+  const directShareMatch = conversation.sharing?.shared_with?.some(
+    (email) => normalizeIdentity(email) === normalizedEmail,
+  );
+  if (directShareMatch) {
+    const permission = await getDirectSharePermission(conversation._id, userEmail);
+    return permissionToAccessLevel(permission ?? 'comment');
+  }
+
+  const teamPermission = await getTeamSharePermission(conversation, userEmail);
+  if (teamPermission) {
+    return permissionToAccessLevel(teamPermission);
+  }
+
+  if (session?.role === 'admin') return 'admin_audit';
+
+  return 'shared';
+}
+
 function getConversationAgentId(conversation: Conversation): string | undefined {
   return conversation.participants?.find((participant) => participant.type === 'agent')?.id;
 }
 
-async function enrichConversationAgentNames(
-  items: Conversation[],
-): Promise<ConversationWithAgentDisplay[]> {
+async function enrichConversationAgentNames<T extends Conversation>(
+  items: T[],
+): Promise<ConversationWithAgentDisplay<T>[]> {
   const agentIds = Array.from(
     new Set(items.map(getConversationAgentId).filter((id): id is string => Boolean(id))),
   );
@@ -94,11 +189,12 @@ export const GET = withErrorHandler(async (request: NextRequest) => {
 
   const conversations = await getCollection<Conversation>('conversations');
 
-  // Fetch non-deleted candidates and let the ReBAC filter decide visibility.
-  // Legacy sharing fields are still stored for migration, but no longer prefilter reads.
+  // Fetch only owned or sharing-configured candidates; ReBAC remains the final
+  // visibility check for team shares and explicit conversation grants.
   const query: any = {
     $and: [
       { $or: [{ deleted_at: null }, { deleted_at: { $exists: false } }] },
+      conversationVisibilityCandidateQuery(user.email),
     ],
   };
 
@@ -138,9 +234,16 @@ export const GET = withErrorHandler(async (request: NextRequest) => {
     .toArray();
 
   const visibleItems = await filterConversationsByImplicitOrExplicitPermission(session, user.email, items);
+  const visibleItemsWithViewerFlags = annotateConversationsWithViewerSharing(session, user.email, visibleItems);
+  const visibleItemsWithAccessLevel = await Promise.all(
+    visibleItemsWithViewerFlags.map(async (conversation) => {
+      const access_level = await resolveListConversationAccessLevel(conversation, user.email, session);
+      return { ...conversation, access_level };
+    }),
+  );
 
   return paginatedResponse(
-    await enrichConversationAgentNames(visibleItems),
+    await enrichConversationAgentNames(visibleItemsWithAccessLevel),
     visibleItems.length < items.length ? visibleItems.length : total,
     page,
     pageSize
diff --git a/ui/src/app/api/chat/conversations/trash/route.ts b/ui/src/app/api/chat/conversations/trash/route.ts
index 28a5c93d27..bd3ba80d7e 100644
--- a/ui/src/app/api/chat/conversations/trash/route.ts
+++ b/ui/src/app/api/chat/conversations/trash/route.ts
@@ -8,7 +8,10 @@ withAuth,
 withErrorHandler,
 } from '@/lib/api-middleware';
 import { getCollection,isMongoDBConfigured } from '@/lib/mongodb';
-import { filterConversationsByImplicitOrExplicitPermission } from '@/lib/rbac/conversation-implicit-authz';
+import {
+  conversationVisibilityCandidateQuery,
+  filterConversationsByImplicitOrExplicitPermission,
+} from '@/lib/rbac/conversation-implicit-authz';
 import type { Conversation } from '@/types/mongodb';
 import { NextRequest,NextResponse } from 'next/server';
 import { deleteConversationsPermanently } from '../delete-permanently';
@@ -50,8 +53,11 @@ export const GET = withErrorHandler(async (request: NextRequest) => {
 
     // Query for soft-deleted conversation candidates, then filter by ReBAC.
     const query = {
-      source: { $ne: 'slack' } as any,
-      deleted_at: { $exists: true, $ne: null },
+      $and: [
+        { source: { $ne: 'slack' } as any },
+        { deleted_at: { $exists: true, $ne: null } },
+        conversationVisibilityCandidateQuery(user.email),
+      ],
     };
 
     const total = await conversations.countDocuments(query);
diff --git a/ui/src/app/api/chat/search/route.ts b/ui/src/app/api/chat/search/route.ts
index ec437585ac..aa8039b403 100644
--- a/ui/src/app/api/chat/search/route.ts
+++ b/ui/src/app/api/chat/search/route.ts
@@ -7,7 +7,10 @@ withAuth,
 withErrorHandler,
 } from '@/lib/api-middleware';
 import { getCollection } from '@/lib/mongodb';
-import { filterConversationsByImplicitOrExplicitPermission } from '@/lib/rbac/conversation-implicit-authz';
+import {
+  conversationVisibilityCandidateQuery,
+  filterConversationsByImplicitOrExplicitPermission,
+} from '@/lib/rbac/conversation-implicit-authz';
 import type { Conversation } from '@/types/mongodb';
 import { NextRequest } from 'next/server';
 
@@ -23,8 +26,8 @@ export const GET = withErrorHandler(async (request: NextRequest) => {
 
     const conversations = await getCollection<Conversation>('conversations');
 
-    // Build search query from content filters only; OpenFGA filters access below.
-    const searchQuery: any = {};
+    // Build search query from content filters and privacy-safe conversation candidates.
+    const searchQuery: any = { $and: [conversationVisibilityCandidateQuery(user.email)] };
 
     // Add text search if query provided
     if (query) {
diff --git a/ui/src/components/chat/ChatContainer.tsx b/ui/src/components/chat/ChatContainer.tsx
index 2f455dcc5f..880efcb976 100644
--- a/ui/src/components/chat/ChatContainer.tsx
+++ b/ui/src/components/chat/ChatContainer.tsx
@@ -6,7 +6,7 @@ import { apiClient } from "@/lib/api-client";
 import { getConfig } from "@/lib/config";
 import { getStorageMode } from "@/lib/storage-config";
 import { useChatStore } from "@/store/chat-store";
-import type { Conversation as LocalConversation } from "@/types/a2a";
+import type { Conversation as LocalConversation, ConversationAccessLevel } from "@/types/a2a";
 import { getAgentId,isDynamicAgentConversation } from "@/types/a2a";
 import type { DynamicAgentConfig } from "@/types/dynamic-agent";
 import type { Conversation } from "@/types/mongodb";
@@ -73,7 +73,7 @@ export function ChatContainer() {
   const existingHasMessages = !!(existingConv?.messages && existingConv.messages.length > 0);
 
   const [conversation, setConversation] = useState<Conversation | LocalConversation | null>(existingConv || null);
-  const [accessLevel, setAccessLevel] = useState<string | null>(null);
+  const [accessLevel, setAccessLevel] = useState<ConversationAccessLevel | null>(existingConv?.accessLevel ?? null);
   const [fetchInProgress, setFetchInProgress] = useState(
     storageMode === 'mongodb' && !existingHasMessages
   );
@@ -125,7 +125,9 @@ export function ChatContainer() {
         setActiveConversation(uuid);
 
         // Derive access level from store data
-        if (localConv.owner_id && session?.user?.email && localConv.owner_id !== session.user.email) {
+        if (localConv.accessLevel) {
+          setAccessLevel(localConv.accessLevel);
+        } else if (localConv.owner_id && session?.user?.email && localConv.owner_id !== session.user.email) {
           if (localConv.sharing?.is_public) {
             setAccessLevel('shared_readonly');
           } else if (localConv.sharing?.shared_with?.includes(session.user.email) ||
@@ -169,9 +171,9 @@ export function ChatContainer() {
         if (storageMode === 'mongodb') {
           console.log("[ChatContainer] Loading from MongoDB...");
           try {
-            const conv = await apiClient.getConversation(uuid);
-            if ((conv as any).access_level) {
-              setAccessLevel((conv as any).access_level);
+            const conv = await apiClient.getConversation(uuid) as Conversation & { access_level?: ConversationAccessLevel };
+            if (conv.access_level) {
+              setAccessLevel(conv.access_level);
             }
             const localConv: LocalConversation = {
               id: conv._id,
@@ -181,6 +183,11 @@ export function ChatContainer() {
               messages: [],
               streamEvents: [],
               participants: conv.participants || [],
+              // assisted-by Codex Codex-sonnet-4-6
+              // Direct-open shared chats may skip the list route; keep share metadata for sidebar badges.
+              owner_id: conv.owner_id,
+              accessLevel: conv.access_level,
+              sharing: conv.sharing,
             };
 
             useChatStore.setState((state) => ({
diff --git a/ui/src/components/chat/DynamicAgentTimeline.tsx b/ui/src/components/chat/DynamicAgentTimeline.tsx
index caeec4e5e5..8210c78f66 100644
--- a/ui/src/components/chat/DynamicAgentTimeline.tsx
+++ b/ui/src/components/chat/DynamicAgentTimeline.tsx
@@ -202,11 +202,14 @@ export function AgentTimeline({
 
   // Determine if turn has ended (not streaming and has final answer)
   const turnEnded = !isStreaming && finalAnswer !== null;
+  const hasWarningsOrErrors = segments.some(s => s.type === "warning" || s.type === "error");
 
-  // Machinery sections collapse after streaming ends (or start collapsed if already ended)
-  const [machineryExpanded, setMachineryExpanded] = useState(!turnEnded);
+  // assisted-by Codex Codex-sonnet-4-6
+  // Collapse completed machinery, but keep warning/error details visible until the user collapses them.
+  const [machineryExpanded, setMachineryExpanded] = useState(!turnEnded || hasWarningsOrErrors);
   const prevStreamingRef = useRef(isStreaming);
   const prevFinalAnswerRef = useRef(finalAnswer);
+  const prevHadWarningsOrErrorsRef = useRef(hasWarningsOrErrors);
   // Track whether this turn transitioned from streaming → final.
   // When true, skip the reveal animation since content was already visible.
   // State (not ref) so the JSX can read it without a react-hooks/refs violation.
@@ -225,25 +228,30 @@ export function AgentTimeline({
       prevPendingHitlRef.current = pendingHitl;
       return;
     }
+    if (hasWarningsOrErrors && !prevHadWarningsOrErrorsRef.current) {
+      // eslint-disable-next-line react-hooks/set-state-in-effect -- intentional: surface new warnings/errors instead of hiding them behind the summary row
+      setMachineryExpanded(true);
+    }
     // Collapse when HITL input is resolved (pendingHitl went true → false)
-    if (prevPendingHitlRef.current) {
+    if (prevPendingHitlRef.current && !hasWarningsOrErrors) {
       // eslint-disable-next-line react-hooks/set-state-in-effect
       setMachineryExpanded(false);
     }
     // Collapse when streaming ends
     if (prevStreamingRef.current && !isStreaming) {
       // eslint-disable-next-line react-hooks/set-state-in-effect -- intentional: collapse when streaming ends and mark streaming-complete for animation
-      setMachineryExpanded(false);
+      setMachineryExpanded(hasWarningsOrErrors);
       setWasStreaming(true);
     }
     // Also collapse when final answer first appears AND streaming has stopped
-    if (!prevFinalAnswerRef.current && finalAnswer && !isStreaming) {
+    if (!prevFinalAnswerRef.current && finalAnswer && !isStreaming && !hasWarningsOrErrors) {
       setMachineryExpanded(false);
     }
     prevStreamingRef.current = isStreaming;
     prevFinalAnswerRef.current = finalAnswer;
+    prevHadWarningsOrErrorsRef.current = hasWarningsOrErrors;
     prevPendingHitlRef.current = pendingHitl;
-  }, [isStreaming, finalAnswer, pendingHitl]);
+  }, [isStreaming, finalAnswer, pendingHitl, hasWarningsOrErrors]);
 
   // Group consecutive tools for compact rendering
   const groupedSegments = groupConsecutiveTools(segments);
@@ -254,8 +262,6 @@ export function AgentTimeline({
   const warningCount = segments.filter(s => s.type === "warning").length;
   const errorCount = segments.filter(s => s.type === "error").length;
 
-  const hasWarningsOrErrors = warningCount > 0 || errorCount > 0;
-
   // Determine if tasks/files sections will actually be shown
   const showTasksSection = tasks.length > 0 && hasTodoToolsInSegments(segments) && (isStreaming || tasks.some(t => t.status !== "completed"));
   const showFilesSection = files.length > 0 && hasFileToolsInSegments(segments);
@@ -1117,6 +1123,8 @@ function TimelineSummary({
 
   return (
     <button
+      type="button"
+      aria-expanded={expanded}
       onClick={onToggle}
       className={cn(
         "w-full flex items-center gap-2 px-3 py-2 rounded-lg text-xs",
diff --git a/ui/src/components/chat/ShareButton.tsx b/ui/src/components/chat/ShareButton.tsx
index d9e07c2d4d..f3134bac3b 100644
--- a/ui/src/components/chat/ShareButton.tsx
+++ b/ui/src/components/chat/ShareButton.tsx
@@ -7,7 +7,8 @@ TooltipContent,
 TooltipProvider,
 TooltipTrigger,
 } from "@/components/ui/tooltip";
-import { Share2 } from "lucide-react";
+import type { Conversation } from "@/types/a2a";
+import { Check, Globe, Users2 } from "lucide-react";
 import React,{ useState } from "react";
 import { ShareDialog } from "./ShareDialog";
 
@@ -15,21 +16,29 @@ interface ShareButtonProps {
   conversationId: string;
   conversationTitle?: string;
   isOwner?: boolean;
+  isSharedWithViewer?: boolean;
+  sharedBy?: string;
+  sharing?: Conversation["sharing"];
+  accessLevel?: Conversation["accessLevel"];
 }
 
 export function ShareButton({ 
   conversationId, 
   conversationTitle = "Conversation",
-  isOwner = true
+  isOwner = true,
+  isSharedWithViewer = false,
+  sharedBy,
+  sharing,
+  accessLevel,
 }: ShareButtonProps) {
   const [showDialog, setShowDialog] = useState(false);
   const [copied, setCopied] = useState(false);
 
   const handleQuickCopy = async (e: React.MouseEvent) => {
     e.stopPropagation();
-    
+
     const shareUrl = `${window.location.origin}/chat/${conversationId}`;
-    
+
     try {
       await navigator.clipboard.writeText(shareUrl);
       setCopied(true);
@@ -44,36 +53,65 @@ export function ShareButton({
     setShowDialog(true);
   };
 
+  const sharedByText = sharedBy?.trim() ? `Shared by ${sharedBy.trim()}` : "Shared conversation";
+  const shouldShowButton = isOwner || isSharedWithViewer;
+  const shouldOpenDialog = isOwner || accessLevel === "shared";
+  const hasSharingConfig = Boolean(
+    sharing?.is_public ||
+    (sharing?.shared_with?.length ?? 0) > 0 ||
+    (sharing?.shared_with_teams?.length ?? 0) > 0 ||
+    sharing?.share_link_enabled
+  );
+  const Icon = sharing?.is_public ? Globe : Users2;
+  const iconClassName = sharing?.is_public
+    ? "h-3 w-3 text-green-500"
+    : isOwner || isSharedWithViewer || hasSharingConfig
+      ? "h-3 w-3 text-blue-500"
+      : "h-3 w-3";
+
   return (
     <>
       <TooltipProvider>
-        {/* Single share button that opens dialog */}
-        {isOwner && (
+        {shouldShowButton && (
           <Tooltip>
             <TooltipTrigger asChild>
               <Button
                 variant="ghost"
                 size="icon"
-                onClick={handleOpenDialog}
+                onClick={shouldOpenDialog ? handleOpenDialog : handleQuickCopy}
                 className="h-6 w-6"
+                aria-label={isOwner ? "Share conversation" : sharedByText}
               >
-                <Share2 className="h-3 w-3" />
+                {copied ? <Check className="h-3 w-3" /> : <Icon className={iconClassName} />}
               </Button>
             </TooltipTrigger>
             <TooltipContent side="left">
-              <p>Share</p>
+              {isOwner ? (
+                <p>Share</p>
+              ) : (
+                <>
+                  {/* assisted-by Codex Codex-sonnet-4-6 */}
+                  <p>{copied ? "Link copied" : sharedByText}</p>
+                  {!copied && !shouldOpenDialog && (
+                    <p className="text-xs text-muted-foreground">Click to copy link</p>
+                  )}
+                </>
+              )}
             </TooltipContent>
           </Tooltip>
         )}
       </TooltipProvider>
 
       {/* Share dialog */}
-      {isOwner && (
+      {shouldShowButton && shouldOpenDialog && (
         <ShareDialog
           conversationId={conversationId}
           conversationTitle={conversationTitle}
           open={showDialog}
           onOpenChange={setShowDialog}
+          canManageSharing={isOwner}
+          sharedBy={sharedBy}
+          initialSharing={sharing}
         />
       )}
     </>
diff --git a/ui/src/components/chat/ShareDialog.tsx b/ui/src/components/chat/ShareDialog.tsx
index d39b9b4386..a1d0627b58 100644
--- a/ui/src/components/chat/ShareDialog.tsx
+++ b/ui/src/components/chat/ShareDialog.tsx
@@ -9,12 +9,46 @@ import { useEffect,useState } from "react";
 import { createPortal } from "react-dom";
 
 type SharePermission = 'view' | 'comment';
+const TEAM_SHARE_SEARCH_ENDPOINT = '/api/dynamic-agents/teams';
+
+type SharingSnapshot = {
+  is_public?: boolean;
+  public_permission?: SharePermission;
+  shared_with?: string[];
+  shared_with_teams?: string[];
+  team_permissions?: Record<string, SharePermission>;
+  share_link_enabled?: boolean;
+};
 
 interface ShareDialogProps {
   conversationId: string;
   conversationTitle: string;
   open: boolean;
   onOpenChange: (open: boolean) => void;
+  canManageSharing?: boolean;
+  sharedBy?: string;
+  initialSharing?: SharingSnapshot;
+}
+
+function teamShareRef(team: Team): string {
+  return team.slug?.trim() || String(team._id);
+}
+
+function teamAliases(team: Team): string[] {
+  return Array.from(new Set([team.slug, team._id].map((value) => String(value || '').trim()).filter(Boolean)));
+}
+
+function isTeamAlreadyShared(team: Team, sharedTeamRefs: string[]): boolean {
+  const sharedRefs = new Set(sharedTeamRefs.map((value) => String(value).trim()).filter(Boolean));
+  return teamAliases(team).some((alias) => sharedRefs.has(alias));
+}
+
+async function fetchShareableTeams(): Promise<Team[]> {
+  const teamsResponse = await fetch(TEAM_SHARE_SEARCH_ENDPOINT);
+  if (!teamsResponse.ok) return [];
+  const teamsData = await teamsResponse.json();
+  if (Array.isArray(teamsData.data)) return teamsData.data;
+  return teamsData.data?.teams || [];
 }
 
 export function ShareDialog({
@@ -22,6 +56,9 @@ export function ShareDialog({
   conversationTitle,
   open,
   onOpenChange,
+  canManageSharing = true,
+  sharedBy,
+  initialSharing,
 }: ShareDialogProps) {
   const updateConversationSharing = useChatStore((state) => state.updateConversationSharing);
   const [searchInput, setSearchInput] = useState("");
@@ -43,13 +80,25 @@ export function ShareDialog({
   const [publicPermission, setPublicPermission] = useState<SharePermission>('comment');
 
   const shareUrl = `${typeof window !== 'undefined' ? window.location.origin : ''}/chat/${conversationId}`;
+  const sharedByLabel = sharedBy?.trim();
+
+  const applySharingSnapshot = (sharing?: SharingSnapshot) => {
+    setSharedWith(sharing?.shared_with || []);
+    const teamIds = sharing?.shared_with_teams || [];
+    setSharedWithTeams(teamIds);
+    setIsPublic(sharing?.is_public || false);
+    setTeamPermissions(sharing?.team_permissions || {});
+    setPublicPermission(sharing?.public_permission || 'comment');
+    setUserPermissions({});
+  };
 
   // Load current sharing info
   useEffect(() => {
     if (open) {
+      applySharingSnapshot(initialSharing);
       loadSharingInfo();
     }
-  }, [open, conversationId]);
+  }, [open, conversationId, canManageSharing]);
 
   const loadSharingInfo = async () => {
     try {
@@ -92,18 +141,16 @@ export function ShareDialog({
         // Load team names for display
         if (teamIds.length > 0) {
           try {
-            const teamsResponse = await fetch('/api/admin/teams');
-            if (teamsResponse.ok) {
-              const teamsData = await teamsResponse.json();
-              const allTeams = teamsData.data?.teams || [];
-              const namesMap: Record<string, string> = {};
-              allTeams.forEach((team: Team) => {
-                if (teamIds.includes(team._id)) {
-                  namesMap[team._id] = team.name;
+            const allTeams = await fetchShareableTeams();
+            const namesMap: Record<string, string> = {};
+            allTeams.forEach((team: Team) => {
+              for (const alias of teamAliases(team)) {
+                if (teamIds.includes(alias)) {
+                  namesMap[alias] = team.name;
                 }
-              });
-              setTeamNames(namesMap);
-            }
+              }
+            });
+            setTeamNames(namesMap);
           } catch (err) {
             console.error("Failed to load team names:", err);
           }
@@ -132,6 +179,13 @@ export function ShareDialog({
   // Search users and teams as they type
   useEffect(() => {
     const searchPeopleAndTeams = async () => {
+      if (!canManageSharing) {
+        setUserResults([]);
+        setTeamResults([]);
+        setNoResults(false);
+        return;
+      }
+
       if (searchInput.length < 2) {
         setUserResults([]);
         setTeamResults([]);
@@ -149,37 +203,22 @@ export function ShareDialog({
 
         // Search teams (may require admin access - handle gracefully)
         try {
-          const teamsResponse = await fetch('/api/admin/teams');
-          if (teamsResponse.ok) {
-            const teamsData = await teamsResponse.json();
-            const allTeams = teamsData.data?.teams || [];
-            // Filter teams by name/description matching search input
-            const searchLower = searchInput.toLowerCase();
-            const matchingTeams = allTeams.filter((team: Team) => {
-              const nameMatch = team.name.toLowerCase().includes(searchLower);
-              const descMatch = team.description?.toLowerCase().includes(searchLower);
-              const notAlreadyShared = !sharedWithTeams.includes(team._id);
-              return (nameMatch || descMatch) && notAlreadyShared;
-            });
-            setTeamResults(matchingTeams);
-            
-            // Show no results message if both are empty
-            if (filteredUsers.length === 0 && matchingTeams.length === 0 && searchInput.length >= 2) {
-              setNoResults(true);
-            }
-          } else if (teamsResponse.status === 403) {
-            // Admin access required - teams search not available
-            setTeamResults([]);
-            // Still check user results
-            if (filteredUsers.length === 0 && searchInput.length >= 2) {
-              setNoResults(true);
-            }
-          } else {
-            // Other error - still check user results
-            setTeamResults([]);
-            if (filteredUsers.length === 0 && searchInput.length >= 2) {
-              setNoResults(true);
-            }
+          const allTeams = await fetchShareableTeams();
+          // assisted-by Codex Codex-sonnet-4-6
+          // Team chat sharing uses the member-visible team endpoint, not the admin grid API.
+          const searchLower = searchInput.toLowerCase();
+          const matchingTeams = allTeams.filter((team: Team) => {
+            const nameMatch = team.name.toLowerCase().includes(searchLower);
+            const slugMatch = team.slug?.toLowerCase().includes(searchLower);
+            const descMatch = team.description?.toLowerCase().includes(searchLower);
+            const notAlreadyShared = !isTeamAlreadyShared(team, sharedWithTeams);
+            return (nameMatch || slugMatch || descMatch) && notAlreadyShared;
+          });
+          setTeamResults(matchingTeams);
+
+          // Show no results message if both are empty
+          if (filteredUsers.length === 0 && matchingTeams.length === 0 && searchInput.length >= 2) {
+            setNoResults(true);
           }
         } catch (teamErr) {
           console.error("Team search failed:", teamErr);
@@ -201,9 +240,10 @@ export function ShareDialog({
 
     const timer = setTimeout(searchPeopleAndTeams, 300);
     return () => clearTimeout(timer);
-  }, [searchInput, sharedWith, sharedWithTeams]);
+  }, [searchInput, sharedWith, sharedWithTeams, canManageSharing]);
 
   const handleShareUser = async (email: string) => {
+    if (!canManageSharing) return;
     setLoading(true);
     try {
       const updatedConversation = await apiClient.shareConversation(conversationId, {
@@ -244,6 +284,7 @@ export function ShareDialog({
   };
 
   const handleShareTeam = async (teamId: string) => {
+    if (!canManageSharing) return;
     setLoading(true);
     try {
       // Update conversation to include team in shared_with_teams
@@ -300,6 +341,7 @@ export function ShareDialog({
 
   // Handle sharing by email directly (for users not yet in system)
   const handleShareByEmail = async () => {
+    if (!canManageSharing) return;
     // Simple email validation
     const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
     if (!emailRegex.test(searchInput)) {
@@ -324,6 +366,7 @@ export function ShareDialog({
     target: { email?: string; team_id?: string },
     newPermission: SharePermission
   ) => {
+    if (!canManageSharing) return;
     try {
       const response = await fetch(`/api/chat/conversations/${conversationId}/share`, {
         method: 'PATCH',
@@ -343,6 +386,7 @@ export function ShareDialog({
   };
 
   const handlePublicPermissionChange = async (newPermission: SharePermission) => {
+    if (!canManageSharing) return;
     try {
       const response = await fetch(`/api/chat/conversations/${conversationId}/share`, {
         method: 'POST',
@@ -358,6 +402,7 @@ export function ShareDialog({
   };
 
   const handleTogglePublic = async () => {
+    if (!canManageSharing) return;
     setTogglingPublic(true);
     const newPublicState = !isPublic;
     try {
@@ -414,12 +459,17 @@ export function ShareDialog({
     >
       <div 
         className="bg-background rounded-lg shadow-xl w-full max-w-md p-6 mx-auto my-auto"
+        role="dialog"
+        aria-modal="true"
+        aria-labelledby="share-dialog-title"
         onClick={(e) => e.stopPropagation()} // Prevent closing when clicking inside dialog
       >
         {/* Header */}
         <div className="flex items-start justify-between mb-4">
           <div>
-            <h2 className="text-lg font-semibold">Share Conversation</h2>
+            <h2 id="share-dialog-title" className="text-lg font-semibold">
+              {canManageSharing ? 'Share Conversation' : 'Shared Conversation'}
+            </h2>
             <p className="text-sm text-muted-foreground mt-1">
               {conversationTitle}
             </p>
@@ -462,6 +512,13 @@ export function ShareDialog({
           </div>
         ) : (
           <>
+            {!canManageSharing && sharedByLabel && (
+              <div className="mb-4 rounded-md border bg-muted/40 px-3 py-2">
+                <div className="text-xs text-muted-foreground">Shared by</div>
+                <div className="text-sm font-medium truncate">{sharedByLabel}</div>
+              </div>
+            )}
+
             {/* Copy link section */}
         <div className="mb-6">
           <label className="text-sm font-medium mb-2 block">Share Link</label>
@@ -492,6 +549,7 @@ export function ShareDialog({
         </div>
 
         {/* Share with everyone toggle */}
+        {canManageSharing && (
         <div className="mb-6">
           <div className="flex items-center justify-between p-3 border rounded-md">
             <div className="flex items-center gap-3">
@@ -530,8 +588,10 @@ export function ShareDialog({
             </button>
           </div>
         </div>
+        )}
 
         {/* Add people and teams section */}
+        {canManageSharing && (
         <div className="mb-6">
           <label className="text-sm font-medium mb-2 block">
             People, Teams
@@ -588,8 +648,8 @@ export function ShareDialog({
                     <div className="text-xs font-medium text-muted-foreground px-2 py-1">Teams</div>
                     {teamResults.map((team) => (
                       <button
-                        key={team._id}
-                        onClick={() => handleShareTeam(team._id)}
+                        key={teamShareRef(team)}
+                        onClick={() => handleShareTeam(teamShareRef(team))}
                         disabled={loading}
                         className="w-full px-3 py-2 text-left hover:bg-muted flex items-center gap-2 text-sm rounded-md"
                       >
@@ -642,6 +702,7 @@ export function ShareDialog({
             )}
           </div>
         </div>
+        )}
 
         {/* People and Teams with access */}
         {(sharedWith.length > 0 || sharedWithTeams.length > 0 || isPublic) && (
@@ -662,14 +723,20 @@ export function ShareDialog({
                       <div className="text-xs text-muted-foreground">All organization members</div>
                     </div>
                   </div>
-                  <select
-                    value={publicPermission}
-                    onChange={(e) => handlePublicPermissionChange(e.target.value as SharePermission)}
-                    className="text-xs bg-transparent border border-green-500/30 rounded px-1.5 py-1 text-muted-foreground hover:text-foreground cursor-pointer focus:outline-none focus:ring-1 focus:ring-primary/50"
-                  >
-                    <option value="view">Can view</option>
-                    <option value="comment">Can edit</option>
-                  </select>
+                  {canManageSharing ? (
+                    <select
+                      value={publicPermission}
+                      onChange={(e) => handlePublicPermissionChange(e.target.value as SharePermission)}
+                      className="text-xs bg-transparent border border-green-500/30 rounded px-1.5 py-1 text-muted-foreground hover:text-foreground cursor-pointer focus:outline-none focus:ring-1 focus:ring-primary/50"
+                    >
+                      <option value="view">Can view</option>
+                      <option value="comment">Can edit</option>
+                    </select>
+                  ) : (
+                    <span className="text-xs text-muted-foreground">
+                      {publicPermission === 'comment' ? 'Can edit' : 'Can view'}
+                    </span>
+                  )}
                 </div>
               )}
               {/* People */}
@@ -684,6 +751,7 @@ export function ShareDialog({
                     </div>
                     <div className="text-sm truncate">{email}</div>
                   </div>
+                  {canManageSharing ? (
                   <div className="flex items-center gap-1.5 shrink-0">
                     <select
                       value={userPermissions[email] || 'view'}
@@ -703,6 +771,11 @@ export function ShareDialog({
                       <Trash2 className="h-4 w-4" />
                     </button>
                   </div>
+                  ) : (
+                    <span className="text-xs text-muted-foreground shrink-0">
+                      {(userPermissions[email] || 'view') === 'comment' ? 'Can edit' : 'Can view'}
+                    </span>
+                  )}
                 </div>
               ))}
               {/* Teams */}
@@ -719,6 +792,7 @@ export function ShareDialog({
                       {teamNames[teamId] || `Team: ${teamId}`}
                     </div>
                   </div>
+                  {canManageSharing ? (
                   <div className="flex items-center gap-1.5 shrink-0">
                     <select
                       value={teamPermissions[teamId] || 'view'}
@@ -738,6 +812,11 @@ export function ShareDialog({
                       <Trash2 className="h-4 w-4" />
                     </button>
                   </div>
+                  ) : (
+                    <span className="text-xs text-muted-foreground shrink-0">
+                      {(teamPermissions[teamId] || 'view') === 'comment' ? 'Can edit' : 'Can view'}
+                    </span>
+                  )}
                 </div>
               ))}
             </div>
diff --git a/ui/src/components/chat/__tests__/DynamicAgentTimeline.test.tsx b/ui/src/components/chat/__tests__/DynamicAgentTimeline.test.tsx
new file mode 100644
index 0000000000..fbe44adb8b
--- /dev/null
+++ b/ui/src/components/chat/__tests__/DynamicAgentTimeline.test.tsx
@@ -0,0 +1,69 @@
+// assisted-by Codex Codex-sonnet-4-6
+
+import { fireEvent, render, screen, waitFor } from "@testing-library/react";
+
+import { AgentTimeline } from "../DynamicAgentTimeline";
+import type { TimelineData } from "@/types/dynamic-agent-timeline";
+
+jest.mock("@/components/shared/timeline", () => ({
+  CollapsibleSection: ({ children }: { children: React.ReactNode }) => <section>{children}</section>,
+  MarkdownRenderer: ({ content }: { content: string }) => <div>{content}</div>,
+  TaskList: () => null,
+}));
+
+jest.mock("@/components/dynamic-agents/AgentAvatar", () => ({
+  AgentAvatar: () => <span data-testid="agent-avatar" />,
+}));
+
+jest.mock("@/components/dynamic-agents/FileTree", () => ({
+  FileTree: () => null,
+}));
+
+jest.mock("../WorkflowRunCard", () => ({
+  WorkflowRunCard: () => null,
+}));
+
+function renderTimeline(data: TimelineData) {
+  return render(
+    <AgentTimeline
+      data={data}
+      files={[]}
+      tasks={[]}
+      isLatestMessage={true}
+    />,
+  );
+}
+
+describe("AgentTimeline", () => {
+  it("keeps completed turns with warnings expanded until the user collapses them", async () => {
+    const data: TimelineData = {
+      isStreaming: false,
+      hasTools: true,
+      finalAnswer: "Ready now.",
+      segments: [
+        {
+          type: "warning",
+          id: "warning-1",
+          message: "MCP server is starting up and not ready yet.",
+        },
+        {
+          type: "status",
+          id: "status-1",
+          status: "done",
+        },
+      ],
+    };
+
+    renderTimeline(data);
+
+    const toggle = screen.getByRole("button", { name: /view execution details/i });
+    expect(toggle).toHaveAttribute("aria-expanded", "true");
+    expect(screen.getByText(/MCP server is starting up/i)).toBeInTheDocument();
+
+    fireEvent.click(toggle);
+
+    await waitFor(() => {
+      expect(toggle).toHaveAttribute("aria-expanded", "false");
+    });
+  });
+});
diff --git a/ui/src/components/chat/__tests__/ShareButton.test.tsx b/ui/src/components/chat/__tests__/ShareButton.test.tsx
new file mode 100644
index 0000000000..921f33dd6a
--- /dev/null
+++ b/ui/src/components/chat/__tests__/ShareButton.test.tsx
@@ -0,0 +1,111 @@
+import React from 'react'
+import { fireEvent, render, screen, waitFor } from '@testing-library/react'
+
+const mockShareDialog = jest.fn(() => null)
+
+jest.mock('@/components/ui/button', () => ({
+  Button: ({ children, ...props }: any) => <button {...props}>{children}</button>,
+}))
+
+jest.mock('@/components/ui/tooltip', () => ({
+  Tooltip: ({ children }: any) => <>{children}</>,
+  TooltipContent: ({ children }: any) => <>{children}</>,
+  TooltipProvider: ({ children }: any) => <>{children}</>,
+  TooltipTrigger: ({ children }: any) => <>{children}</>,
+}))
+
+jest.mock('lucide-react', () => ({
+  Check: (props: any) => <span data-testid="icon-check" {...props} />,
+  Globe: (props: any) => <span data-testid="icon-globe" {...props} />,
+  Users2: (props: any) => <span data-testid="icon-users2" {...props} />,
+}))
+
+jest.mock('../ShareDialog', () => ({
+  ShareDialog: (props: any) => {
+    mockShareDialog(props)
+    return props.open ? <div data-testid="share-dialog" /> : null
+  },
+}))
+
+import { ShareButton } from '../ShareButton'
+
+describe('ShareButton', () => {
+  const writeText = jest.fn().mockResolvedValue(undefined)
+
+  beforeEach(() => {
+    jest.clearAllMocks()
+    Object.defineProperty(navigator, 'clipboard', {
+      configurable: true,
+      value: { writeText },
+    })
+  })
+
+  it('copies the link for read-only shared recipients', async () => {
+    render(
+      <ShareButton
+        conversationId="conv-recipient"
+        conversationTitle="Recipient Chat"
+        isOwner={false}
+        isSharedWithViewer
+        sharedBy="owner@test.com"
+        accessLevel="shared_readonly"
+      />,
+    )
+
+    expect(screen.getByRole('button', { name: 'Shared by owner@test.com' })).toBeInTheDocument()
+    expect(screen.getByText('Shared by owner@test.com')).toBeInTheDocument()
+    expect(screen.getByText('Click to copy link')).toBeInTheDocument()
+    expect(screen.getByTestId('icon-users2')).toBeInTheDocument()
+
+    fireEvent.click(screen.getByRole('button', { name: 'Shared by owner@test.com' }))
+
+    await waitFor(() => {
+      expect(writeText).toHaveBeenCalledWith(`${window.location.origin}/chat/conv-recipient`)
+    })
+    expect(screen.queryByTestId('share-dialog')).not.toBeInTheDocument()
+    expect(mockShareDialog).not.toHaveBeenCalled()
+  })
+
+  it('opens sharing details for edit-mode shared recipients', async () => {
+    render(
+      <ShareButton
+        conversationId="conv-edit-recipient"
+        conversationTitle="Editable Recipient Chat"
+        isOwner={false}
+        isSharedWithViewer
+        sharedBy="owner@test.com"
+        accessLevel="shared"
+      />,
+    )
+
+    expect(screen.getByRole('button', { name: 'Shared by owner@test.com' })).toBeInTheDocument()
+    expect(screen.getByText('Shared by owner@test.com')).toBeInTheDocument()
+    expect(screen.queryByText('Click to copy link')).not.toBeInTheDocument()
+    expect(screen.getByTestId('icon-users2')).toBeInTheDocument()
+
+    fireEvent.click(screen.getByRole('button', { name: 'Shared by owner@test.com' }))
+
+    await waitFor(() => expect(screen.getByTestId('share-dialog')).toBeInTheDocument())
+    expect(writeText).not.toHaveBeenCalled()
+    expect(mockShareDialog).toHaveBeenLastCalledWith(expect.objectContaining({
+      canManageSharing: false,
+      open: true,
+      sharedBy: 'owner@test.com',
+    }))
+  })
+
+  it('opens the share dialog for owners', () => {
+    render(
+      <ShareButton
+        conversationId="conv-owner"
+        conversationTitle="Owner Chat"
+        isOwner
+      />,
+    )
+
+    fireEvent.click(screen.getByRole('button', { name: 'Share conversation' }))
+
+    expect(screen.getByTestId('share-dialog')).toBeInTheDocument()
+    expect(screen.getByTestId('icon-users2')).toBeInTheDocument()
+  })
+})
diff --git a/ui/src/components/chat/__tests__/ShareDialogPermissions.test.tsx b/ui/src/components/chat/__tests__/ShareDialogPermissions.test.tsx
new file mode 100644
index 0000000000..fa52cb23cb
--- /dev/null
+++ b/ui/src/components/chat/__tests__/ShareDialogPermissions.test.tsx
@@ -0,0 +1,74 @@
+// assisted-by Codex Codex-sonnet-4-6
+
+import { render, screen, waitFor } from '@testing-library/react'
+
+const mockUpdateConversationSharing = jest.fn()
+
+jest.mock('@/store/chat-store', () => ({
+  useChatStore: (selector: any) => selector({
+    updateConversationSharing: mockUpdateConversationSharing,
+  }),
+}))
+
+jest.mock('@/lib/api-client', () => ({
+  apiClient: {
+    searchUsers: jest.fn().mockResolvedValue([]),
+    shareConversation: jest.fn(),
+  },
+}))
+
+import { ShareDialog } from '../ShareDialog'
+
+describe('ShareDialog permissions', () => {
+  beforeEach(() => {
+    jest.clearAllMocks()
+  })
+
+  it('shows direct edit permission in the shared-recipient details modal', async () => {
+    ;(global.fetch as jest.Mock).mockResolvedValue({
+      ok: true,
+      status: 200,
+      json: async () => ({
+        data: {
+          sharing: {
+            is_public: false,
+            shared_with: ['recipient@example.com'],
+            shared_with_teams: [],
+            share_link_enabled: false,
+          },
+          access_list: [
+            {
+              granted_to: 'recipient@example.com',
+              permission: 'comment',
+            },
+          ],
+        },
+      }),
+    })
+
+    render(
+      <ShareDialog
+        conversationId="conv-123"
+        conversationTitle="Shared edit chat"
+        open
+        onOpenChange={jest.fn()}
+        canManageSharing={false}
+        sharedBy="owner@example.com"
+        initialSharing={{
+          is_public: false,
+          shared_with: ['recipient@example.com'],
+          shared_with_teams: [],
+          share_link_enabled: false,
+        }}
+      />
+    )
+
+    await waitFor(() => {
+      expect(screen.getByText('recipient@example.com')).toBeInTheDocument()
+      expect(screen.getByText('Can edit')).toBeInTheDocument()
+    })
+
+    expect(screen.getByText('Shared by')).toBeInTheDocument()
+    expect(screen.queryByPlaceholderText('Search by email or team name...')).not.toBeInTheDocument()
+  })
+})
diff --git a/ui/src/components/chat/__tests__/ShareDialogPublicToggle.test.tsx b/ui/src/components/chat/__tests__/ShareDialogPublicToggle.test.tsx
index 42ebfbcf80..840aa6b05c 100644
--- a/ui/src/components/chat/__tests__/ShareDialogPublicToggle.test.tsx
+++ b/ui/src/components/chat/__tests__/ShareDialogPublicToggle.test.tsx
@@ -282,4 +282,86 @@ describe('ShareDialog — Share with everyone toggle', () => {
     consoleSpy.mockRestore()
     alertSpy.mockRestore()
   })
+
+  it('shares with teams from the member-visible team endpoint', async () => {
+    let sharing = {
+      is_public: false,
+      shared_with: [],
+      shared_with_teams: [] as string[],
+      share_link_enabled: false,
+    }
+
+    ;(global.fetch as jest.Mock).mockImplementation((url: string, opts?: any) => {
+      if (url.includes('/api/dynamic-agents/teams')) {
+        return Promise.resolve({
+          ok: true,
+          status: 200,
+          json: async () => ({
+            success: true,
+            data: [
+              {
+                _id: 'team-1',
+                slug: 'platform',
+                name: 'Platform Team',
+                description: 'Core platform',
+              },
+            ],
+          }),
+        })
+      }
+      if (url.includes('/share') && (!opts || opts.method !== 'POST')) {
+        return Promise.resolve({
+          ok: true,
+          status: 200,
+          json: async () => ({
+            data: { sharing },
+          }),
+        })
+      }
+      if (url.includes('/share') && opts?.method === 'POST') {
+        sharing = {
+          ...sharing,
+          shared_with_teams: ['platform'],
+        }
+        return Promise.resolve({
+          ok: true,
+          status: 200,
+          json: async () => ({ data: { sharing } }),
+        })
+      }
+      return Promise.resolve({ ok: true, status: 200, json: async () => ({}) })
+    })
+
+    render(<ShareDialog {...defaultProps} />)
+
+    await waitFor(() => {
+      expect(screen.getByPlaceholderText('Search by email or team name...')).toBeInTheDocument()
+    })
+
+    fireEvent.change(screen.getByPlaceholderText('Search by email or team name...'), {
+      target: { value: 'plat' },
+    })
+
+    await waitFor(() => {
+      expect(screen.getByText('Platform Team')).toBeInTheDocument()
+    })
+
+    fireEvent.click(screen.getByText('Platform Team'))
+
+    await waitFor(() => {
+      const postCalls = (global.fetch as jest.Mock).mock.calls.filter(
+        ([url, opts]: [string, any]) => url.includes('/share') && opts?.method === 'POST'
+      )
+      expect(postCalls.length).toBeGreaterThan(0)
+      const body = JSON.parse(postCalls[0][1].body)
+      expect(body.team_ids).toEqual(['platform'])
+    })
+
+    expect((global.fetch as jest.Mock).mock.calls.some(([url]: [string]) =>
+      url.includes('/api/dynamic-agents/teams')
+    )).toBe(true)
+    expect((global.fetch as jest.Mock).mock.calls.some(([url]: [string]) =>
+      url.includes('/api/admin/teams')
+    )).toBe(false)
+  })
 })
diff --git a/ui/src/components/layout/Sidebar.tsx b/ui/src/components/layout/Sidebar.tsx
index 2dc8452af0..3af6c2bdfe 100644
--- a/ui/src/components/layout/Sidebar.tsx
+++ b/ui/src/components/layout/Sidebar.tsx
@@ -23,7 +23,6 @@ ArchiveRestore,
 ChevronLeft,
 ChevronRight,
 Database,
-Globe,
 HardDrive,
 History,
 MessageCircleQuestion,
@@ -34,8 +33,7 @@ RefreshCw,
 Shield,
 Sparkles,
 TrendingUp,
-Users,
-Users2
+Users
 } from "lucide-react";
 import { useSession } from "next-auth/react";
 import { useRouter } from "next/navigation";
@@ -355,13 +353,33 @@ export function Sidebar({ activeTab, onTabChange, collapsed, onCollapse, onUseCa
             <div className="px-2 space-y-1 pb-4">
               <AnimatePresence mode="popLayout">
                 {conversations.map((conv, index) => {
-                  // Check if conversation is shared
-                  const isShared = conv.sharing && (
-                    conv.sharing.is_public ||
-                    (conv.sharing.shared_with && conv.sharing.shared_with.length > 0) ||
-                    (conv.sharing.shared_with_teams && conv.sharing.shared_with_teams.length > 0) ||
-                    conv.sharing.share_link_enabled
+                  const currentUserEmail = session?.user?.email?.trim().toLowerCase();
+                  const ownerEmail = conv.owner_id?.trim().toLowerCase();
+                  const viewerIsKnownOwner =
+                    conv.accessLevel === "owner" ||
+                    Boolean(ownerEmail && currentUserEmail && ownerEmail === currentUserEmail);
+                  const hasSharingConfig = Boolean(
+                    conv.sharing?.is_public ||
+                    (conv.sharing?.shared_with?.length ?? 0) > 0 ||
+                    (conv.sharing?.shared_with_teams?.length ?? 0) > 0 ||
+                    conv.sharing?.share_link_enabled
                   );
+                  const sharedByKnownDifferentOwner = Boolean(
+                    ownerEmail &&
+                    currentUserEmail &&
+                    ownerEmail !== currentUserEmail &&
+                    hasSharingConfig
+                  );
+                  // assisted-by Codex Codex-sonnet-4-6
+                  // The badge is viewer-facing, so prefer the server's per-viewer sharing signal.
+                  const isSharedWithViewer = !viewerIsKnownOwner && (
+                    conv.isSharedWithViewer === true ||
+                    conv.accessLevel === "shared" ||
+                    conv.accessLevel === "shared_readonly" ||
+                    sharedByKnownDifferentOwner
+                  );
+                  const sharedByLabel = conv.owner_id?.trim();
+                  const canManageSharing = viewerIsKnownOwner || (!ownerEmail && !isSharedWithViewer);
 
                   const isLive = isConversationStreaming(conv.id);
                   const isInputRequired = !isLive && isConversationInputRequired(conv.id);
@@ -387,7 +405,7 @@ export function Sidebar({ activeTab, onTabChange, collapsed, onCollapse, onUseCa
                               ? "bg-blue-500/5 border border-blue-500/25"
                               : activeConversationId === conv.id
                                 ? "bg-primary/10 border border-primary/30"
-                                : isShared
+                                : isSharedWithViewer
                                   ? "hover:bg-muted/50 border border-blue-500/20"
                                   : "hover:bg-muted/50 border border-transparent"
                       )}
@@ -452,26 +470,6 @@ export function Sidebar({ activeTab, onTabChange, collapsed, onCollapse, onUseCa
                             <p className="text-sm font-medium truncate flex-1" title={conv.title}>
                               {truncateText(conv.title, sidebarWidth > 350 ? 40 : sidebarWidth > 320 ? 25 : 20)}
                             </p>
-                            {isShared && (
-                              <TooltipProvider>
-                                <Tooltip>
-                                  <TooltipTrigger asChild>
-                                    {conv.sharing?.is_public ? (
-                                      <Globe className="h-3 w-3 text-green-500 shrink-0" />
-                                    ) : (
-                                      <Users2 className="h-3 w-3 text-blue-500 shrink-0" />
-                                    )}
-                                  </TooltipTrigger>
-                                  <TooltipContent side="right">
-                                    <p className="text-xs">
-                                      {conv.sharing?.is_public
-                                        ? 'Shared with everyone'
-                                        : 'Shared conversation'}
-                                    </p>
-                                  </TooltipContent>
-                                </Tooltip>
-                              </TooltipProvider>
-                            )}
                           </div>
                           <p className={cn(
                             "text-xs truncate",
@@ -498,11 +496,22 @@ export function Sidebar({ activeTab, onTabChange, collapsed, onCollapse, onUseCa
                         </div>
 
                         <div className="flex items-center gap-0.5 shrink-0">
-                          <div className="opacity-0 group-hover:opacity-100 transition-opacity">
+                          <div
+                            className={cn(
+                              "transition-opacity",
+                              activeConversationId === conv.id || hasSharingConfig || isSharedWithViewer
+                                ? "opacity-100"
+                                : "opacity-0 group-hover:opacity-100",
+                            )}
+                          >
                             <ShareButton
                               conversationId={conv.id}
                               conversationTitle={conv.title}
-                              isOwner={!conv.owner_id || conv.owner_id === session?.user?.email}
+                              isOwner={canManageSharing}
+                              isSharedWithViewer={isSharedWithViewer}
+                              sharedBy={sharedByLabel}
+                              sharing={conv.sharing}
+                              accessLevel={conv.accessLevel}
                             />
                           </div>
                           <TooltipProvider delayDuration={200}>
diff --git a/ui/src/components/layout/__tests__/Sidebar.test.tsx b/ui/src/components/layout/__tests__/Sidebar.test.tsx
index 092e061fc7..6669726cf8 100644
--- a/ui/src/components/layout/__tests__/Sidebar.test.tsx
+++ b/ui/src/components/layout/__tests__/Sidebar.test.tsx
@@ -96,6 +96,7 @@ jest.mock('lucide-react', () => ({
   Sparkles: (props: any) => <span data-testid="icon-sparkles" {...props} />,
   Zap: (props: any) => <span data-testid="icon-zap" {...props} />,
   Database: (props: any) => <span data-testid="icon-database" {...props} />,
+  Globe: (props: React.ComponentProps<'span'>) => <span data-testid="icon-globe" {...props} />,
   HardDrive: (props: any) => <span data-testid="icon-hard-drive" {...props} />,
   Users2: (props: any) => <span data-testid="icon-users2" {...props} />,
   Shield: (props: any) => <span data-testid="icon-shield" {...props} />,
@@ -143,7 +144,31 @@ jest.mock('@/components/chat/RecycleBinDialog', () => ({
 }))
 
 jest.mock('@/components/chat/ShareButton', () => ({
-  ShareButton: () => null,
+  ShareButton: ({ isOwner, isSharedWithViewer, sharedBy, sharing }: any) => {
+    const hasSharingConfig = Boolean(
+      sharing?.is_public ||
+      (sharing?.shared_with?.length ?? 0) > 0 ||
+      (sharing?.shared_with_teams?.length ?? 0) > 0 ||
+      sharing?.share_link_enabled
+    )
+
+    return isOwner || isSharedWithViewer ? (
+      <button
+        data-testid="share-button"
+        data-owner={String(Boolean(isOwner))}
+        data-shared-viewer={String(Boolean(isSharedWithViewer))}
+        data-shared-by={sharedBy || ''}
+      >
+        {sharing?.is_public ? (
+          <span data-testid="icon-globe" />
+        ) : (isOwner || isSharedWithViewer || hasSharingConfig) ? (
+          <span data-testid="icon-users2" />
+        ) : null}
+        Share
+        {isSharedWithViewer && sharedBy ? <span>Shared by {sharedBy}</span> : null}
+      </button>
+    ) : null
+  },
 }))
 
 // NewChatButton is exercised by its own test suite; stub it here so the
@@ -388,6 +413,109 @@ describe('Sidebar — Live Status Indicator', () => {
       expect(screen.queryByText('Live')).not.toBeInTheDocument()
       expect(screen.queryByText('New response')).not.toBeInTheDocument()
     })
+
+    it('shows a shared badge for link-shared conversations', () => {
+      mockConversations = [
+        makeConv('conv-shared-link', 'Shared Link Chat', {
+          owner_id: 'owner@test.com',
+          // assisted-by Codex Codex-sonnet-4-6
+          // Link-shared direct URLs should still render the non-public shared badge.
+          sharing: {
+            is_public: false,
+            shared_with: [],
+            shared_with_teams: [],
+            share_link_enabled: true,
+          },
+        }),
+      ]
+
+      render(<Sidebar {...defaultProps} />)
+
+      expect(screen.getByText('Shared Link Chat')).toBeInTheDocument()
+      expect(screen.getByTestId('icon-users2')).toBeInTheDocument()
+      expect(screen.queryByTestId('icon-globe')).not.toBeInTheDocument()
+    })
+
+    it('shows a shared badge for recipient access even without sharing arrays', () => {
+      mockConversations = [
+        makeConv('conv-recipient', 'Recipient Chat', {
+          owner_id: 'owner@test.com',
+          accessLevel: 'shared_readonly',
+        }),
+      ]
+
+      render(<Sidebar {...defaultProps} />)
+
+      expect(screen.getByText('Recipient Chat')).toBeInTheDocument()
+      expect(screen.getByTestId('icon-users2')).toBeInTheDocument()
+      expect(screen.getByText('Shared by owner@test.com')).toBeInTheDocument()
+      expect(screen.getByTestId('share-button')).toHaveAttribute('data-owner', 'false')
+      expect(screen.getByTestId('share-button')).toHaveAttribute('data-shared-viewer', 'true')
+      expect(screen.getByTestId('share-button')).toHaveAttribute('data-shared-by', 'owner@test.com')
+    })
+
+    it('shows a shared badge from the server viewer flag without owner metadata', () => {
+      mockConversations = [
+        makeConv('conv-flagged-recipient', 'Flagged Recipient Chat', {
+          isSharedWithViewer: true,
+          sharing: {
+            is_public: false,
+            shared_with: [],
+            shared_with_teams: [],
+            share_link_enabled: false,
+          },
+        }),
+      ]
+
+      render(<Sidebar {...defaultProps} />)
+
+      expect(screen.getByText('Flagged Recipient Chat')).toBeInTheDocument()
+      expect(screen.getByTestId('icon-users2')).toBeInTheDocument()
+      expect(screen.queryByTestId('icon-globe')).not.toBeInTheDocument()
+      expect(screen.getByTestId('share-button')).toHaveAttribute('data-owner', 'false')
+      expect(screen.getByTestId('share-button')).toHaveAttribute('data-shared-viewer', 'true')
+    })
+
+    it('shows the shared action icon to the owner without marking them as a recipient', () => {
+      mockConversations = [
+        makeConv('conv-owner-shared', 'Owner Shared Chat', {
+          owner_id: 'test@test.com',
+          sharing: {
+            is_public: false,
+            shared_with: ['teammate@test.com'],
+            shared_with_teams: [],
+            share_link_enabled: false,
+          },
+        }),
+      ]
+
+      render(<Sidebar {...defaultProps} />)
+
+      expect(screen.getByText('Owner Shared Chat')).toBeInTheDocument()
+      expect(screen.getByTestId('icon-users2')).toBeInTheDocument()
+      expect(screen.queryByTestId('icon-globe')).not.toBeInTheDocument()
+      expect(screen.getByTestId('share-button')).toHaveAttribute('data-owner', 'true')
+      expect(screen.getByTestId('share-button')).toHaveAttribute('data-shared-viewer', 'false')
+    })
+
+    it('shows a globe badge for public conversations', () => {
+      mockConversations = [
+        makeConv('conv-public', 'Public Chat', {
+          owner_id: 'owner@test.com',
+          sharing: {
+            is_public: true,
+            shared_with: [],
+            shared_with_teams: [],
+            share_link_enabled: false,
+          },
+        }),
+      ]
+
+      render(<Sidebar {...defaultProps} />)
+
+      expect(screen.getByText('Public Chat')).toBeInTheDocument()
+      expect(screen.getByTestId('icon-globe')).toBeInTheDocument()
+    })
   })
 
   // --------------------------------------------------------------------------
diff --git a/ui/src/lib/api-middleware.ts b/ui/src/lib/api-middleware.ts
index 3fd839ca3a..46a49a2683 100644
--- a/ui/src/lib/api-middleware.ts
+++ b/ui/src/lib/api-middleware.ts
@@ -7,10 +7,12 @@ import { authOptions, isBootstrapAdmin } from '@/lib/auth-config';
 import { getConfig } from '@/lib/config';
 import { getCollection } from '@/lib/mongodb';
 import type { User } from '@/types/mongodb';
+import type { TeamMembershipSource } from '@/types/identity-group-sync';
 import { validateBearerJWT, validateLocalSkillsJWT } from '@/lib/jwt-validation';
 import { ApiError } from '@/lib/api-error';
 import type { AuthFailureAction, AuthFailureReason } from '@/lib/auth-error';
 import { CredentialError } from '@/lib/credentials/errors';
+import { getRbacCollection } from '@/lib/rbac/mongo-collections';
 import {
   getDevAnonymousSession,
   getDevAnonymousUser,
@@ -1194,19 +1196,55 @@ export function requireOwnership(ownerId: string, userId: string) {
 
 /**
  * Resolve all team IDs that a user belongs to.
- * Looks up the teams collection for teams where the user is a member.
+ * Uses canonical team_membership_sources and falls back to legacy teams.members[].
  */
 export async function getUserTeamIds(userEmail: string): Promise<string[]> {
+  const refs = new Set<string>();
+  const normalizedEmail = userEmail.trim().toLowerCase();
+  if (!normalizedEmail) return [];
+
+  try {
+    // assisted-by Codex Codex-sonnet-4-6
+    // Chat team shares must follow the canonical membership store, not stale embedded team members.
+    const sources = await getRbacCollection<TeamMembershipSource>('teamMembershipSources');
+    const rows = await sources
+      .find({ status: 'active', user_email: normalizedEmail })
+      .project({ team_id: 1, team_slug: 1 })
+      .toArray();
+
+    for (const row of rows) {
+      if (typeof row.team_id === 'string' && row.team_id.trim()) {
+        refs.add(row.team_id.trim());
+      }
+      if (typeof row.team_slug === 'string' && row.team_slug.trim()) {
+        refs.add(row.team_slug.trim());
+      }
+    }
+  } catch {
+    // Fall through to the legacy embedded-members lookup below.
+  }
+
   try {
     const teams = await getCollection('teams');
+    const emailClauses = Array.from(new Set([userEmail.trim(), normalizedEmail].filter(Boolean)));
     const userTeams = await teams
-      .find({ 'members.user_id': userEmail })
-      .project({ _id: 1 })
+      .find({ $or: emailClauses.map((email) => ({ 'members.user_id': email })) })
+      .project({ _id: 1, slug: 1 })
       .toArray();
-    return userTeams.map((t: any) => t._id.toString());
+
+    for (const team of userTeams) {
+      if (team?._id !== undefined && team?._id !== null) {
+        refs.add(team._id.toString());
+      }
+      if (typeof team?.slug === 'string' && team.slug.trim()) {
+        refs.add(team.slug.trim());
+      }
+    }
   } catch {
-    return [];
+    // Ignore legacy lookup failures; sharing should fail closed for non-matches.
   }
+
+  return Array.from(refs);
 }
 
 export type ConversationAccessLevel = 'owner' | 'shared' | 'shared_readonly' | 'admin_audit';
@@ -1216,6 +1254,24 @@ interface ConversationAccessResult {
   access_level: ConversationAccessLevel;
 }
 
+function normalizedIdentity(value: unknown): string {
+  return typeof value === 'string' ? value.trim().toLowerCase() : '';
+}
+
+function sessionSubject(session: { sub?: unknown } | undefined): string {
+  return typeof session?.sub === 'string' ? session.sub.trim() : '';
+}
+
+function isConversationOwnerForAccess(
+  conversation: { owner_id?: unknown; owner_subject?: unknown },
+  userId: string,
+  session?: { sub?: unknown },
+): boolean {
+  const subject = sessionSubject(session);
+  if (subject && conversation.owner_subject === subject) return true;
+  return Boolean(normalizedIdentity(userId) && normalizedIdentity(conversation.owner_id) === normalizedIdentity(userId));
+}
+
 /**
  * Check if user has access to a conversation (owner, shared with directly,
  * shared with one of their teams, via sharing_access records, or admin audit).
@@ -1227,7 +1283,7 @@ export async function requireConversationAccess(
   conversationId: string,
   userId: string,
   getCollectionFn: (name: string) => Promise<any>,
-  session?: { role?: string }
+  session?: { role?: string; sub?: string }
 ): Promise<ConversationAccessResult> {
   const conversations = await getCollectionFn('conversations');
   const conversation = await conversations.findOne({ _id: conversationId });
@@ -1236,8 +1292,10 @@ export async function requireConversationAccess(
     throw new ApiError('Conversation not found', 404, 'NOT_FOUND');
   }
 
-  // Check if user is owner
-  if (conversation.owner_id === userId) {
+  // Check if user is owner. Newer conversations may carry owner_subject; older
+  // records rely on owner_id email and should be compared case-insensitively.
+  // assisted-by Codex Codex-sonnet-4-6
+  if (isConversationOwnerForAccess(conversation, userId, session)) {
     return { conversation, access_level: 'owner' };
   }
 
@@ -1253,11 +1311,15 @@ export async function requireConversationAccess(
   }
 
   // Check if conversation is shared with user directly
-  if (conversation.sharing?.shared_with?.includes(userId)) {
+  const normalizedUserId = normalizedIdentity(userId);
+  const directShareMatch = conversation.sharing?.shared_with?.some(
+    (email: unknown) => normalizedIdentity(email) === normalizedUserId,
+  );
+  if (directShareMatch) {
     const sharingAccess = await getCollectionFn('sharing_access');
     const accessRecord = await sharingAccess.findOne({
       conversation_id: conversationId,
-      granted_to: userId,
+      granted_to: { $in: [userId, normalizedUserId] },
       revoked_at: null,
     });
     // Default to 'comment' (full access) for backward compatibility with
diff --git a/ui/src/lib/authz/__tests__/http.test.ts b/ui/src/lib/authz/__tests__/http.test.ts
index 3adeb6f3ad..b3eebcc2c4 100644
--- a/ui/src/lib/authz/__tests__/http.test.ts
+++ b/ui/src/lib/authz/__tests__/http.test.ts
@@ -203,6 +203,16 @@ describe("grant parsing", () => {
     ).toThrow(HttpAuthzError);
   });
 
+  it("parseGrantIntent blocks everyone grants for conversation discovery", () => {
+    expect(() =>
+      parseGrantIntent({
+        resource: { type: "conversation", id: "conv-1" },
+        grantee: { type: "everyone" },
+        capability: "discover",
+      }),
+    ).toThrow(HttpAuthzError);
+  });
+
   it("parseGrantIntent allows everyone use grants for global workflow agent access", () => {
     expect(parseGrantIntent({ resource: { type: "agent", id: "pe" }, grantee: { type: "everyone" }, capability: "use" })).toEqual({
       resource: { type: "agent", id: "pe" },
diff --git a/ui/src/lib/authz/http.ts b/ui/src/lib/authz/http.ts
index 9e5819ebe5..1db584fd56 100644
--- a/ui/src/lib/authz/http.ts
+++ b/ui/src/lib/authz/http.ts
@@ -46,7 +46,6 @@ const PUBLIC_GRANTABLE_EVERYONE_RESOURCE_ACTIONS: ReadonlySet<string> = new Set(
   "agent:discover",
   "agent:use",
   "audit_log:discover",
-  "conversation:discover",
   "data_source:discover",
   "document:discover",
   "external_group:discover",
diff --git a/ui/src/lib/rbac/__tests__/conversation-implicit-authz.test.ts b/ui/src/lib/rbac/__tests__/conversation-implicit-authz.test.ts
index fded157e6d..fd76406a95 100644
--- a/ui/src/lib/rbac/__tests__/conversation-implicit-authz.test.ts
+++ b/ui/src/lib/rbac/__tests__/conversation-implicit-authz.test.ts
@@ -1,4 +1,6 @@
 import {
+  annotateConversationsWithViewerSharing,
+  conversationVisibilityCandidateQuery,
   filterConversationsByImplicitOrExplicitPermission,
   isImplicitConversationOwner,
   requireConversationResourcePermission,
@@ -21,6 +23,17 @@ describe("conversation implicit authorization", () => {
     jest.clearAllMocks();
   });
 
+  it("builds a bounded candidate query for owned and explicitly shared conversations", () => {
+    expect(conversationVisibilityCandidateQuery("alice@example.com")).toEqual({
+      $or: [
+        { owner_id: "alice@example.com" },
+        { "sharing.is_public": true },
+        { "sharing.shared_with": "alice@example.com" },
+        { "sharing.shared_with_teams.0": { $exists: true } },
+      ],
+    });
+  });
+
   it("treats owner_subject and legacy owner_id as implicit ownership", () => {
     expect(
       isImplicitConversationOwner(
@@ -65,6 +78,32 @@ describe("conversation implicit authorization", () => {
     );
   });
 
+  it("annotates viewer sharing for non-owned visible rows", () => {
+    type ViewerFlagRow = {
+      _id: string;
+      owner_id?: string;
+      owner_subject?: string;
+    };
+
+    const rows = annotateConversationsWithViewerSharing<ViewerFlagRow>(
+      { sub: "alice-sub" },
+      "alice@example.com",
+      [
+        { _id: "owned-sub", owner_id: "other@example.com", owner_subject: "alice-sub" },
+        { _id: "owned-email", owner_id: "alice@example.com", owner_subject: undefined },
+        { _id: "shared-no-owner", owner_id: undefined, owner_subject: undefined },
+        { _id: "shared-known-owner", owner_id: "bob@example.com", owner_subject: undefined },
+      ],
+    );
+
+    expect(rows.map((row) => [row._id, row.viewer_has_shared_access])).toEqual([
+      ["owned-sub", false],
+      ["owned-email", false],
+      ["shared-no-owner", true],
+      ["shared-known-owner", true],
+    ]);
+  });
+
   it("requires OpenFGA only when caller is not the implicit owner", async () => {
     await requireConversationResourcePermission(
       { sub: "alice-sub" },
diff --git a/ui/src/lib/rbac/conversation-implicit-authz.ts b/ui/src/lib/rbac/conversation-implicit-authz.ts
index b8c72b869d..7e335c6b11 100644
--- a/ui/src/lib/rbac/conversation-implicit-authz.ts
+++ b/ui/src/lib/rbac/conversation-implicit-authz.ts
@@ -15,6 +15,20 @@ function normalizeEmail(email: string | undefined): string {
   return email?.trim().toLowerCase() ?? "";
 }
 
+export function conversationVisibilityCandidateQuery(userEmail: string): { $or: Record<string, unknown>[] } {
+  const email = userEmail.trim();
+  return {
+    $or: [
+      { owner_id: email },
+      { "sharing.is_public": true },
+      { "sharing.shared_with": email },
+      // assisted-by Codex Codex-sonnet-4-6
+      // Team membership is still decided by ReBAC; this only bounds the Mongo candidate set.
+      { "sharing.shared_with_teams.0": { $exists: true } },
+    ],
+  };
+}
+
 export function isImplicitConversationOwner(
   session: ResourceAuthzSession,
   userEmail: string,
@@ -25,6 +39,25 @@ export function isImplicitConversationOwner(
   return Boolean(normalizeEmail(userEmail) && normalizeEmail(conversation.owner_id) === normalizeEmail(userEmail));
 }
 
+export interface ConversationViewerSharingFlag {
+  viewer_has_shared_access: boolean;
+}
+
+export function annotateConversationsWithViewerSharing<
+  T extends Pick<Conversation, "owner_id" | "owner_subject">,
+>(
+  session: ResourceAuthzSession,
+  userEmail: string,
+  conversations: T[],
+): Array<T & ConversationViewerSharingFlag> {
+  return conversations.map((conversation) => ({
+    ...conversation,
+    // assisted-by Codex Codex-sonnet-4-6
+    // Sidebar needs an explicit recipient signal even when owner metadata is absent client-side.
+    viewer_has_shared_access: !isImplicitConversationOwner(session, userEmail, conversation),
+  }));
+}
+
 export async function requireConversationResourcePermission(
   session: ResourceAuthzSession,
   userEmail: string,
diff --git a/ui/src/store/__tests__/chat-store.test.ts b/ui/src/store/__tests__/chat-store.test.ts
index d1237d970e..26d527e5c8 100644
--- a/ui/src/store/__tests__/chat-store.test.ts
+++ b/ui/src/store/__tests__/chat-store.test.ts
@@ -1037,6 +1037,31 @@ describe('chat-store', () => {
       expect(newConv!.messages).toHaveLength(0);
     });
 
+    it('maps the server viewer sharing flag into local conversations', async () => {
+      useChatStore.setState({ conversations: [] });
+
+      mockApiClient.getConversations.mockResolvedValue({
+        items: [
+          {
+            _id: 'shared-recipient',
+            title: 'Shared Recipient',
+            created_at: new Date().toISOString(),
+            updated_at: new Date().toISOString(),
+            viewer_has_shared_access: true,
+          },
+        ],
+        total: 1,
+        page: 1,
+        page_size: 100,
+        has_more: false,
+      });
+
+      await useChatStore.getState().loadConversationsFromServer();
+
+      const sharedConv = useChatStore.getState().conversations.find(c => c.id === 'shared-recipient');
+      expect(sharedConv!.isSharedWithViewer).toBe(true);
+    });
+
     it('does not preserve non-active non-streaming local-only conversations', async () => {
       // Conversations that are neither active nor streaming should be removed
       // when not present in the server response (FR-004).
diff --git a/ui/src/store/chat-store.ts b/ui/src/store/chat-store.ts
index 22919685c8..b1d5360828 100644
--- a/ui/src/store/chat-store.ts
+++ b/ui/src/store/chat-store.ts
@@ -758,6 +758,8 @@ const storeImplementation = (set: any, get: any) => ({
               streamEvents: (isStreaming || hasLoadedMessages || isActive) && localConv ? (localConv.streamEvents || []) : [],
               participants: conv.participants || [],
               owner_id: conv.owner_id,
+              accessLevel: conv.access_level,
+              isSharedWithViewer: conv.viewer_has_shared_access,
               sharing: conv.sharing,
             };
           });
diff --git a/ui/src/types/a2a.ts b/ui/src/types/a2a.ts
index 1d7ecbbc29..4c4e090814 100644
--- a/ui/src/types/a2a.ts
+++ b/ui/src/types/a2a.ts
@@ -8,6 +8,7 @@ import type { Participant } from "@/types/mongodb";
 
 // Turn status for Dynamic Agents (shown in timeline)
 export type TurnStatus = "done" | "interrupted" | "waiting_for_input";
+export type ConversationAccessLevel = "owner" | "shared" | "shared_readonly" | "admin_audit";
 
 // Chat conversation types
 export interface Conversation {
@@ -22,11 +23,18 @@ export interface Conversation {
   participants: Participant[];
   /** Owner email (only for MongoDB conversations) */
   owner_id?: string;
+  /** Current viewer access level returned by the conversation detail API. */
+  accessLevel?: ConversationAccessLevel;
+  /** Server list says the current viewer sees this row through sharing. */
+  // assisted-by Codex Codex-sonnet-4-6
+  isSharedWithViewer?: boolean;
   /** Sharing information (optional, only for MongoDB conversations) */
   sharing?: {
     is_public?: boolean;
+    public_permission?: "view" | "comment";
     shared_with?: string[];
     shared_with_teams?: string[];
+    team_permissions?: Record<string, "view" | "comment">;
     share_link_enabled?: boolean;
   };
 }
diff --git a/ui/src/types/mongodb.ts b/ui/src/types/mongodb.ts
index 44286e6d39..61dca1e264 100644
--- a/ui/src/types/mongodb.ts
+++ b/ui/src/types/mongodb.ts
@@ -89,6 +89,12 @@ export interface Conversation {
     share_link_enabled: boolean;
     share_link_expires?: Date;
   };
+  // assisted-by Codex Codex-sonnet-4-6
+  // Response-only: current viewer reached this conversation through sharing, not ownership.
+  viewer_has_shared_access?: boolean;
+  // assisted-by Codex Codex-sonnet-4-6
+  // Response-only: current viewer's effective access level for UI affordances.
+  access_level?: 'owner' | 'shared' | 'shared_readonly' | 'admin_audit';
   tags: string[];
   is_archived: boolean;
   is_pinned: boolean;