diff --git a/internal/mcp/apps.go b/internal/mcp/apps.go
index 4cb10ec..8dc5784 100644
--- a/internal/mcp/apps.go
+++ b/internal/mcp/apps.go
@@ -16,6 +16,9 @@ import (
 //go:embed apps_html/dashboard.html
 var dashboardHTML string
 
+//go:embed apps_html/compliance.html
+var complianceHTML string
+
 //go:embed apps_html/common.js
 var appCommonJS string
 
@@ -67,6 +70,17 @@ var appSpecs = []appSpec{
 			return fetchDashboardData(ctx)
 		},
 	},
+	{
+		Name:                "compliance_view",
+		Description:         "Show a JumpCloud compliance snapshot scoped to audit-friendly metrics: MFA adoption (% enrolled + list of users without MFA), device encryption (% FDE-enabled, segmented by OS, with unencrypted-device drill-down), password-age histogram (<30d / 30-60d / 60-90d / >90d), and admin inventory (per-admin email, role, MFA status, last login). Renders as a 4-card report in MCP App-capable hosts; returns the same data as JSON when rendering isn't supported.",
+		ResourceURI:         "ui://jc/compliance",
+		ResourceName:        "Compliance Snapshot App",
+		ResourceDescription: "Audit-friendly JumpCloud compliance snapshot (MFA, FDE, password age, admins)",
+		HTML:                complianceHTML,
+		Handler: func(ctx context.Context) (any, error) {
+			return fetchComplianceData(ctx)
+		},
+	},
 }
 
 // renderAppHTML returns the app's HTML with the common.js scaffolding injected
diff --git a/internal/mcp/apps_compliance.go b/internal/mcp/apps_compliance.go
new file mode 100644
index 0000000..731908a
--- /dev/null
+++ b/internal/mcp/apps_compliance.go
@@ -0,0 +1,421 @@
+package mcp
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"sort"
+	"sync"
+	"time"
+
+	"github.com/klaassen-consulting/jc/internal/api"
+)
+
+// Compliance-view tuning constants. The "list of offenders" panels are
+// bounded so a large org doesn't push a 50,000-row payload through the
+// iframe; the percentages still aggregate across the full population.
+const (
+	complianceListLimit = 200
+
+	// Password-age histogram thresholds in days. Bucket boundaries are
+	// exclusive upper bounds; the >90 bucket catches anything stale-er
+	// (or any password_date in the future, defensively).
+	complianceAgeLT30 = 30
+	complianceAgeLT60 = 60
+	complianceAgeLT90 = 90
+)
+
+// complianceData is the JSON payload pushed to the compliance.html
+// iframe. Mirrors the structured-per-card pattern from the dashboard
+// and device_view: top-level sections, a Warnings slice for partial
+// failures, and a timestamp the UI can show as "snapshot taken at".
+type complianceData struct {
+	MFA       *complianceMFA      `json:"mfa,omitempty"`
+	FDE       *complianceFDE      `json:"fde,omitempty"`
+	Passwords *compliancePassword `json:"passwords,omitempty"`
+	Admins    *complianceAdmins   `json:"admins,omitempty"`
+	Timestamp string              `json:"timestamp"`
+	Warnings  []string            `json:"warnings,omitempty"`
+}
+
+type complianceMFA struct {
+	Total         int                 `json:"total"`
+	Enrolled      int                 `json:"enrolled"`
+	Percentage    float64             `json:"percentage"`
+	WithoutMFA    []complianceUserRef `json:"without_mfa"`
+	WithoutMFALen int                 `json:"without_mfa_total"` // total before truncation
+}
+
+type complianceUserRef struct {
+	ID       string `json:"id"`
+	Username string `json:"username"`
+	Email    string `json:"email,omitempty"`
+}
+
+type complianceFDE struct {
+	Total       int                   `json:"total"`
+	Encrypted   int                   `json:"encrypted"`
+	Percentage  float64               `json:"percentage"`
+	ByOS        []complianceFDEByOS   `json:"by_os"`
+	Unencrypted []complianceDeviceRef `json:"unencrypted"`
+	// UnencryptedLen lets the UI show "showing N of M" when the list is
+	// truncated. complianceListLimit-bounded.
+	UnencryptedLen int `json:"unencrypted_total"`
+}
+
+type complianceFDEByOS struct {
+	OS         string  `json:"os"`
+	Total      int     `json:"total"`
+	Encrypted  int     `json:"encrypted"`
+	Percentage float64 `json:"percentage"`
+}
+
+type complianceDeviceRef struct {
+	ID       string `json:"id"`
+	Hostname string `json:"hostname,omitempty"`
+	OS       string `json:"os,omitempty"`
+}
+
+type compliancePassword struct {
+	// Total counts users with a usable password_date — users with no
+	// recorded password date are surfaced separately as NoData so the
+	// histogram percentages aren't skewed by missing data.
+	Total   int                        `json:"total"`
+	NoData  int                        `json:"no_data"`
+	Buckets []compliancePasswordBucket `json:"buckets"`
+}
+
+type compliancePasswordBucket struct {
+	// Label is human-readable (e.g. "<30d", "30-60d"). Index follows
+	// the ordering of complianceAgeLT* constants so the UI can render
+	// left-to-right without lookups.
+	Label      string  `json:"label"`
+	Count      int     `json:"count"`
+	Percentage float64 `json:"percentage"`
+}
+
+type complianceAdmins struct {
+	Total int                  `json:"total"`
+	List  []complianceAdminRef `json:"list"`
+}
+
+type complianceAdminRef struct {
+	ID                string `json:"id"`
+	Email             string `json:"email"`
+	RoleName          string `json:"role_name,omitempty"`
+	EnableMultiFactor bool   `json:"enable_multi_factor"`
+	LastLogin         string `json:"last_login,omitempty"`
+}
+
+// fetchComplianceData runs the parallel API calls behind compliance_view
+// and aggregates the result. Same best-effort contract as device_view:
+// a transient sub-fetch failure surfaces as a Warning rather than
+// blocking the whole snapshot.
+func fetchComplianceData(ctx context.Context) (*complianceData, error) {
+	now := nowFunc().UTC()
+	data := &complianceData{Timestamp: now.Format(time.RFC3339)}
+
+	var (
+		mu       sync.Mutex
+		warnings []string
+	)
+	addWarning := func(msg string) {
+		mu.Lock()
+		warnings = append(warnings, msg)
+		mu.Unlock()
+	}
+
+	var wg sync.WaitGroup
+
+	// V1: org users → MFA + password age. One scan, two derived stats.
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		v1, err := newV1ClientFunc()
+		if err != nil {
+			addWarning(fmt.Sprintf("v1 client (users): %v", err))
+			return
+		}
+		result, err := v1.ListAll(ctx, "/systemusers", api.ListOptions{})
+		if err != nil {
+			addWarning(fmt.Sprintf("listing users: %v", err))
+			return
+		}
+		mfa, pwd := aggregateUserCompliance(result.Data, now)
+		mu.Lock()
+		data.MFA = mfa
+		data.Passwords = pwd
+		mu.Unlock()
+	}()
+
+	// V1: devices → FDE coverage segmented by OS, with an unencrypted
+	// drill-down list.
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		v1, err := newV1ClientFunc()
+		if err != nil {
+			addWarning(fmt.Sprintf("v1 client (devices): %v", err))
+			return
+		}
+		result, err := v1.ListAll(ctx, "/systems", api.ListOptions{})
+		if err != nil {
+			addWarning(fmt.Sprintf("listing devices: %v", err))
+			return
+		}
+		fde := aggregateDeviceCompliance(result.Data)
+		mu.Lock()
+		data.FDE = fde
+		mu.Unlock()
+	}()
+
+	// V1: admins live on the V1 /users endpoint (distinct from
+	// /systemusers, which is org members). One snapshot pulls every
+	// admin row — orgs typically have single-digit admins.
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		v1, err := newV1ClientFunc()
+		if err != nil {
+			addWarning(fmt.Sprintf("v1 client (admins): %v", err))
+			return
+		}
+		result, err := v1.ListAll(ctx, "/users", api.ListOptions{})
+		if err != nil {
+			addWarning(fmt.Sprintf("listing admins: %v", err))
+			return
+		}
+		admins := aggregateAdmins(result.Data)
+		mu.Lock()
+		data.Admins = admins
+		mu.Unlock()
+	}()
+
+	wg.Wait()
+
+	if len(warnings) > 0 {
+		data.Warnings = warnings
+	}
+
+	// If every section failed, the snapshot is useless — return an
+	// error so the chokepoint surfaces the failure clearly rather than
+	// shipping an empty card.
+	if data.MFA == nil && data.FDE == nil && data.Admins == nil {
+		return nil, fmt.Errorf("all compliance sub-fetches failed: %v", warnings)
+	}
+
+	return data, nil
+}
+
+// aggregateUserCompliance derives MFA adoption + password-age histogram
+// from a single users list scan. Splitting the two aggregations into
+// separate goroutines would double the V1 page count for no gain.
+func aggregateUserCompliance(data []json.RawMessage, now time.Time) (*complianceMFA, *compliancePassword) {
+	mfa := &complianceMFA{}
+	pwd := &compliancePassword{}
+
+	bucketCounts := [4]int{} // <30, 30-60, 60-90, >90
+
+	for _, raw := range data {
+		var u struct {
+			ID            string `json:"_id"`
+			Username      string `json:"username"`
+			Email         string `json:"email"`
+			Activated     bool   `json:"activated"`
+			Suspended     bool   `json:"suspended"`
+			AccountLocked bool   `json:"account_locked"`
+			TOTPEnabled   bool   `json:"totp_enabled"`
+			MFA           struct {
+				Configured bool `json:"configured"`
+			} `json:"mfa"`
+			PasswordDate string `json:"password_date"`
+		}
+		if err := json.Unmarshal(raw, &u); err != nil {
+			continue
+		}
+
+		// MFA scope: only count active, non-suspended, non-locked users.
+		// A locked user without MFA isn't a compliance concern; an
+		// active one without MFA is.
+		if u.Activated && !u.Suspended && !u.AccountLocked {
+			mfa.Total++
+			if u.TOTPEnabled || u.MFA.Configured {
+				mfa.Enrolled++
+			} else if len(mfa.WithoutMFA) < complianceListLimit {
+				mfa.WithoutMFA = append(mfa.WithoutMFA, complianceUserRef{
+					ID: u.ID, Username: u.Username, Email: u.Email,
+				})
+				mfa.WithoutMFALen++
+			} else {
+				mfa.WithoutMFALen++
+			}
+		}
+
+		// Password age: bucket by days since password_date. Empty or
+		// unparsable dates land in NoData so the histogram only
+		// counts users with real data.
+		if u.PasswordDate == "" {
+			pwd.NoData++
+			continue
+		}
+		t, err := time.Parse(time.RFC3339, u.PasswordDate)
+		if err != nil {
+			// Some orgs store password_date as date-only ("2026-01-01");
+			// try that shape too before giving up.
+			t, err = time.Parse("2006-01-02", u.PasswordDate)
+		}
+		if err != nil {
+			pwd.NoData++
+			continue
+		}
+		days := int(now.Sub(t).Hours() / 24)
+		switch {
+		case days < 0:
+			// Future password_date: clock skew, API timestamp oddity,
+			// or a tenant that records the *expiration* date instead
+			// of the set date. Route to >90d so the anomaly surfaces
+			// in the suspicious bucket rather than inflating the
+			// healthy <30d bucket. Comment on complianceAgeLT* says
+			// the bucket "catches anything stale-er (or any
+			// password_date in the future, defensively)" — this is
+			// the route that delivers on that promise.
+			bucketCounts[3]++
+		case days < complianceAgeLT30:
+			bucketCounts[0]++
+		case days < complianceAgeLT60:
+			bucketCounts[1]++
+		case days < complianceAgeLT90:
+			bucketCounts[2]++
+		default:
+			bucketCounts[3]++
+		}
+		pwd.Total++
+	}
+
+	if mfa.Total > 0 {
+		mfa.Percentage = float64(mfa.Enrolled) / float64(mfa.Total) * 100
+	}
+
+	labels := []string{"<30d", "30-60d", "60-90d", ">90d"}
+	pwd.Buckets = make([]compliancePasswordBucket, len(labels))
+	for i, label := range labels {
+		count := bucketCounts[i]
+		var pct float64
+		if pwd.Total > 0 {
+			pct = float64(count) / float64(pwd.Total) * 100
+		}
+		pwd.Buckets[i] = compliancePasswordBucket{
+			Label: label, Count: count, Percentage: pct,
+		}
+	}
+
+	return mfa, pwd
+}
+
+// aggregateDeviceCompliance derives the FDE coverage stats. Per-OS
+// buckets are surfaced because compliance reviews often need "we have
+// 100 % FDE on Macs but only 60 % on Windows" — a single org-wide
+// percentage hides those gaps.
+func aggregateDeviceCompliance(data []json.RawMessage) *complianceFDE {
+	fde := &complianceFDE{}
+
+	type osStat struct{ total, encrypted int }
+	byOS := make(map[string]*osStat)
+
+	for _, raw := range data {
+		var d struct {
+			ID       string `json:"_id"`
+			Hostname string `json:"hostname"`
+			OS       string `json:"os"`
+			FDE      struct {
+				Active bool `json:"active"`
+			} `json:"fde"`
+		}
+		if err := json.Unmarshal(raw, &d); err != nil {
+			continue
+		}
+		fde.Total++
+
+		osName := d.OS
+		if osName == "" {
+			osName = "Unknown"
+		}
+		stat, ok := byOS[osName]
+		if !ok {
+			stat = &osStat{}
+			byOS[osName] = stat
+		}
+		stat.total++
+
+		if d.FDE.Active {
+			fde.Encrypted++
+			stat.encrypted++
+		} else {
+			if len(fde.Unencrypted) < complianceListLimit {
+				fde.Unencrypted = append(fde.Unencrypted, complianceDeviceRef{
+					ID: d.ID, Hostname: d.Hostname, OS: d.OS,
+				})
+			}
+			fde.UnencryptedLen++
+		}
+	}
+
+	if fde.Total > 0 {
+		fde.Percentage = float64(fde.Encrypted) / float64(fde.Total) * 100
+	}
+
+	// Stable per-OS slice sorted by total desc so the busiest platforms
+	// surface first — that's what an auditor scrolls to.
+	osList := make([]complianceFDEByOS, 0, len(byOS))
+	for name, stat := range byOS {
+		var pct float64
+		if stat.total > 0 {
+			pct = float64(stat.encrypted) / float64(stat.total) * 100
+		}
+		osList = append(osList, complianceFDEByOS{
+			OS: name, Total: stat.total, Encrypted: stat.encrypted, Percentage: pct,
+		})
+	}
+	sort.Slice(osList, func(i, j int) bool {
+		if osList[i].Total != osList[j].Total {
+			return osList[i].Total > osList[j].Total
+		}
+		return osList[i].OS < osList[j].OS
+	})
+	fde.ByOS = osList
+
+	return fde
+}
+
+// aggregateAdmins compiles the admin inventory from the V1 /users
+// response. Orgs typically have single-digit admins; complianceListLimit
+// applies defensively in case an org somehow has hundreds.
+func aggregateAdmins(data []json.RawMessage) *complianceAdmins {
+	admins := &complianceAdmins{Total: len(data)}
+	limit := complianceListLimit
+	if len(data) < limit {
+		limit = len(data)
+	}
+	for i := 0; i < limit; i++ {
+		var a struct {
+			ID                string `json:"_id"`
+			Email             string `json:"email"`
+			RoleName          string `json:"roleName"`
+			EnableMultiFactor bool   `json:"enableMultiFactor"`
+			LastLogin         string `json:"lastLogin"`
+		}
+		if err := json.Unmarshal(data[i], &a); err != nil {
+			continue
+		}
+		admins.List = append(admins.List, complianceAdminRef{
+			ID: a.ID, Email: a.Email, RoleName: a.RoleName,
+			EnableMultiFactor: a.EnableMultiFactor, LastLogin: a.LastLogin,
+		})
+	}
+	// Stable alphabetical sort so an audit run-to-run sees the same
+	// order even when the V1 endpoint shuffles results.
+	sort.Slice(admins.List, func(i, j int) bool {
+		return admins.List[i].Email < admins.List[j].Email
+	})
+	return admins
+}
diff --git a/internal/mcp/apps_compliance_test.go b/internal/mcp/apps_compliance_test.go
new file mode 100644
index 0000000..1b693fd
--- /dev/null
+++ b/internal/mcp/apps_compliance_test.go
@@ -0,0 +1,343 @@
+package mcp
+
+import (
+	"context"
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/modelcontextprotocol/go-sdk/mcp"
+)
+
+// startComplianceServer mounts the three V1 endpoints fetchComplianceData
+// hits (/systemusers, /systems, /users for admins) on a single httptest
+// server with deterministic fixtures.
+func startComplianceServer(t *testing.T, users, devices, admins []map[string]any) *httptest.Server {
+	t.Helper()
+	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		switch r.URL.Path {
+		case "/api/systemusers":
+			_ = json.NewEncoder(w).Encode(map[string]any{
+				"results": users, "totalCount": len(users),
+			})
+		case "/api/systems":
+			_ = json.NewEncoder(w).Encode(map[string]any{
+				"results": devices, "totalCount": len(devices),
+			})
+		case "/api/users":
+			_ = json.NewEncoder(w).Encode(map[string]any{
+				"results": admins, "totalCount": len(admins),
+			})
+		default:
+			w.WriteHeader(404)
+			_ = json.NewEncoder(w).Encode(map[string]string{"path": r.URL.Path})
+		}
+	}))
+}
+
+// passwordDateDaysAgo formats a date `days` ago using the date-only
+// layout — exercises the secondary parse path in aggregateUserCompliance
+// alongside the primary RFC3339 path. We anchor "now" in the tests so
+// the math stays deterministic.
+func passwordDateDaysAgo(now time.Time, days int) string {
+	return now.Add(-time.Duration(days) * 24 * time.Hour).Format("2006-01-02")
+}
+
+func TestAggregateUserCompliance_MFAAndPasswordBuckets(t *testing.T) {
+	now := time.Date(2026, 5, 20, 12, 0, 0, 0, time.UTC)
+	users := []map[string]any{
+		// Active + MFA + 5d password → bucket 0
+		{"_id": "u1", "username": "alice", "email": "a@x.com",
+			"activated": true, "totp_enabled": true,
+			"password_date": passwordDateDaysAgo(now, 5)},
+		// Active + no MFA + 45d password → bucket 1, lands in WithoutMFA
+		{"_id": "u2", "username": "bob", "email": "b@x.com",
+			"activated": true, "totp_enabled": false,
+			"password_date": passwordDateDaysAgo(now, 45)},
+		// Active + MFA via mfa.configured + 75d → bucket 2
+		{"_id": "u3", "username": "carol", "email": "c@x.com",
+			"activated": true, "mfa": map[string]any{"configured": true},
+			"password_date": passwordDateDaysAgo(now, 75)},
+		// Active + no MFA + 120d → bucket 3, second offender
+		{"_id": "u4", "username": "dave", "email": "d@x.com",
+			"activated": true, "totp_enabled": false,
+			"password_date": passwordDateDaysAgo(now, 120)},
+		// Suspended user without MFA → excluded from MFA scope but
+		// still contributes to password buckets (bucket 0).
+		{"_id": "u5", "username": "evan", "email": "e@x.com",
+			"activated": true, "suspended": true, "totp_enabled": false,
+			"password_date": passwordDateDaysAgo(now, 10)},
+		// Locked user without MFA → also excluded from MFA scope.
+		{"_id": "u6", "username": "frank", "email": "f@x.com",
+			"activated": true, "account_locked": true, "totp_enabled": false,
+			"password_date": passwordDateDaysAgo(now, 20)},
+		// Empty password_date → no_data, still counts toward MFA scope.
+		{"_id": "u7", "username": "gina", "email": "g@x.com",
+			"activated": true, "totp_enabled": true},
+	}
+	raws := make([]json.RawMessage, len(users))
+	for i, u := range users {
+		raws[i], _ = json.Marshal(u)
+	}
+
+	mfa, pwd := aggregateUserCompliance(raws, now)
+
+	// MFA scope: 5 active users (u1, u2, u3, u4, u7); u5 suspended, u6
+	// locked — both excluded so an inactive account isn't held against
+	// the org's MFA percentage.
+	if mfa.Total != 5 {
+		t.Errorf("MFA total = %d, want 5 (excludes suspended/locked)", mfa.Total)
+	}
+	if mfa.Enrolled != 3 {
+		t.Errorf("MFA enrolled = %d, want 3 (u1, u3 via mfa.configured, u7)", mfa.Enrolled)
+	}
+	// 3 / 5 = 60 %
+	if mfa.Percentage < 59.9 || mfa.Percentage > 60.1 {
+		t.Errorf("MFA percentage = %.2f, want ~60.0", mfa.Percentage)
+	}
+	// Without MFA: u2 (bob) and u4 (dave). u5/u6 excluded from scope.
+	if len(mfa.WithoutMFA) != 2 {
+		t.Fatalf("WithoutMFA = %+v, want 2 entries (bob, dave)", mfa.WithoutMFA)
+	}
+	// Order follows iteration order of the input slice, which is
+	// deterministic for this test.
+	if mfa.WithoutMFA[0].Username != "bob" || mfa.WithoutMFA[1].Username != "dave" {
+		t.Errorf("WithoutMFA usernames = %+v, want [bob, dave]", mfa.WithoutMFA)
+	}
+	if mfa.WithoutMFALen != 2 {
+		t.Errorf("WithoutMFALen = %d, want 2", mfa.WithoutMFALen)
+	}
+
+	// Password buckets: u1=5d, u5=10d, u6=20d → bucket 0 (3 users);
+	// u2=45d → bucket 1; u3=75d → bucket 2; u4=120d → bucket 3.
+	// u7 → no_data.
+	wantBuckets := []int{3, 1, 1, 1}
+	for i, want := range wantBuckets {
+		if pwd.Buckets[i].Count != want {
+			t.Errorf("bucket[%d] %q count = %d, want %d",
+				i, pwd.Buckets[i].Label, pwd.Buckets[i].Count, want)
+		}
+	}
+	if pwd.NoData != 1 {
+		t.Errorf("NoData = %d, want 1 (u7)", pwd.NoData)
+	}
+	if pwd.Total != 6 {
+		t.Errorf("password Total = %d, want 6 (excludes no_data)", pwd.Total)
+	}
+	if pwd.Buckets[0].Label != "<30d" {
+		t.Errorf("bucket[0].Label = %q, want \"<30d\"", pwd.Buckets[0].Label)
+	}
+}
+
+// Bugbot KLA-405 catch: a password_date in the future (clock skew,
+// tenant emitting expiration date instead of set date, etc.) must NOT
+// inflate the healthy <30d bucket. Route it to >90d instead so the
+// anomaly is visible to the auditor.
+func TestAggregateUserCompliance_FutureDateRoutesToOver90d(t *testing.T) {
+	now := time.Date(2026, 5, 20, 12, 0, 0, 0, time.UTC)
+	users := []map[string]any{
+		// 10 days in the future — clearly anomalous.
+		{"_id": "u1", "username": "alice", "activated": true, "totp_enabled": true,
+			"password_date": now.Add(10 * 24 * time.Hour).Format(time.RFC3339)},
+		// Sanity-check anchor: a real fresh date stays in <30d.
+		{"_id": "u2", "username": "bob", "activated": true, "totp_enabled": true,
+			"password_date": passwordDateDaysAgo(now, 5)},
+	}
+	raws := make([]json.RawMessage, len(users))
+	for i, u := range users {
+		raws[i], _ = json.Marshal(u)
+	}
+
+	_, pwd := aggregateUserCompliance(raws, now)
+
+	if pwd.Buckets[0].Count != 1 {
+		t.Errorf("bucket[<30d].Count = %d, want 1 (only bob); future-dated alice should not land here",
+			pwd.Buckets[0].Count)
+	}
+	if pwd.Buckets[3].Count != 1 {
+		t.Errorf("bucket[>90d].Count = %d, want 1 (alice, future-dated)",
+			pwd.Buckets[3].Count)
+	}
+	if pwd.Total != 2 {
+		t.Errorf("Total = %d, want 2 (both users counted, neither no_data)", pwd.Total)
+	}
+}
+
+func TestAggregateDeviceCompliance_FDEBuckets(t *testing.T) {
+	devices := []map[string]any{
+		{"_id": "d1", "hostname": "mac-1", "os": "Mac OS X", "fde": map[string]any{"active": true}},
+		{"_id": "d2", "hostname": "mac-2", "os": "Mac OS X", "fde": map[string]any{"active": true}},
+		{"_id": "d3", "hostname": "win-1", "os": "Windows", "fde": map[string]any{"active": false}},
+		{"_id": "d4", "hostname": "win-2", "os": "Windows", "fde": map[string]any{"active": true}},
+		{"_id": "d5", "hostname": "linux-1", "os": "", "fde": map[string]any{"active": false}},
+	}
+	raws := make([]json.RawMessage, len(devices))
+	for i, d := range devices {
+		raws[i], _ = json.Marshal(d)
+	}
+
+	fde := aggregateDeviceCompliance(raws)
+
+	if fde.Total != 5 || fde.Encrypted != 3 {
+		t.Errorf("overall = %d/%d, want 3/5", fde.Encrypted, fde.Total)
+	}
+	if fde.Percentage < 59.9 || fde.Percentage > 60.1 {
+		t.Errorf("percentage = %.2f, want 60.0", fde.Percentage)
+	}
+	// ByOS sorted by total desc, then alphabetical. Mac=2 and Win=2
+	// tie on total, so alphabetical: Mac OS X before Windows. Unknown=1
+	// comes after.
+	if len(fde.ByOS) != 3 {
+		t.Fatalf("ByOS = %+v, want 3 entries", fde.ByOS)
+	}
+	if fde.ByOS[0].OS != "Mac OS X" || fde.ByOS[0].Encrypted != 2 {
+		t.Errorf("ByOS[0] = %+v, want Mac OS X 2/2", fde.ByOS[0])
+	}
+	if fde.ByOS[1].OS != "Windows" || fde.ByOS[1].Encrypted != 1 {
+		t.Errorf("ByOS[1] = %+v, want Windows 1/2", fde.ByOS[1])
+	}
+	if fde.ByOS[2].OS != "Unknown" {
+		t.Errorf("ByOS[2] should be Unknown bucket, got %+v", fde.ByOS[2])
+	}
+	// Unencrypted list: d3 + d5
+	if len(fde.Unencrypted) != 2 {
+		t.Errorf("Unencrypted = %+v, want 2 entries", fde.Unencrypted)
+	}
+	if fde.UnencryptedLen != 2 {
+		t.Errorf("UnencryptedLen = %d, want 2", fde.UnencryptedLen)
+	}
+}
+
+func TestAggregateAdmins_SortAndShape(t *testing.T) {
+	admins := []map[string]any{
+		{"_id": "a2", "email": "zane@acme.com", "roleName": "Administrator",
+			"enableMultiFactor": true, "lastLogin": "2026-05-20T10:00:00Z"},
+		{"_id": "a1", "email": "alice@acme.com", "roleName": "Read-Only",
+			"enableMultiFactor": false, "lastLogin": ""},
+	}
+	raws := make([]json.RawMessage, len(admins))
+	for i, a := range admins {
+		raws[i], _ = json.Marshal(a)
+	}
+
+	got := aggregateAdmins(raws)
+	if got.Total != 2 {
+		t.Errorf("total = %d, want 2", got.Total)
+	}
+	// Sorted alphabetically by email.
+	if got.List[0].Email != "alice@acme.com" {
+		t.Errorf("list[0] = %q, want alice@acme.com (alphabetical sort)", got.List[0].Email)
+	}
+	if got.List[1].EnableMultiFactor != true {
+		t.Errorf("list[1].EnableMultiFactor = %v, want true", got.List[1].EnableMultiFactor)
+	}
+}
+
+func TestFetchComplianceData_EndToEnd(t *testing.T) {
+	setupToolTest(t)
+
+	now := time.Date(2026, 5, 20, 12, 0, 0, 0, time.UTC)
+	origNow := nowFunc
+	nowFunc = func() time.Time { return now }
+	t.Cleanup(func() { nowFunc = origNow })
+
+	users := []map[string]any{
+		{"_id": "u1", "username": "alice", "email": "a@x.com",
+			"activated": true, "totp_enabled": true,
+			"password_date": passwordDateDaysAgo(now, 5)},
+		{"_id": "u2", "username": "bob", "email": "b@x.com",
+			"activated": true, "totp_enabled": false,
+			"password_date": passwordDateDaysAgo(now, 100)},
+	}
+	devices := []map[string]any{
+		{"_id": "d1", "hostname": "mac-1", "os": "Mac OS X", "fde": map[string]any{"active": true}},
+		{"_id": "d2", "hostname": "mac-2", "os": "Mac OS X", "fde": map[string]any{"active": false}},
+	}
+	admins := []map[string]any{
+		{"_id": "a1", "email": "admin@acme.com", "roleName": "Administrator",
+			"enableMultiFactor": true, "lastLogin": "2026-05-20T10:00:00Z"},
+	}
+
+	ts := startComplianceServer(t, users, devices, admins)
+	t.Cleanup(ts.Close)
+	overrideV1ClientForTest(t, ts.URL)
+
+	data, err := fetchComplianceData(context.Background())
+	if err != nil {
+		t.Fatalf("fetch: %v", err)
+	}
+
+	if data.MFA == nil || data.FDE == nil || data.Passwords == nil || data.Admins == nil {
+		t.Fatalf("missing sections: %+v", data)
+	}
+	if data.MFA.Total != 2 || data.MFA.Enrolled != 1 {
+		t.Errorf("MFA = %+v, want 2 active / 1 enrolled", data.MFA)
+	}
+	if data.FDE.Total != 2 || data.FDE.Encrypted != 1 {
+		t.Errorf("FDE = %+v, want 2 total / 1 encrypted", data.FDE)
+	}
+	if data.Admins.Total != 1 || data.Admins.List[0].Email != "admin@acme.com" {
+		t.Errorf("admins = %+v", data.Admins)
+	}
+	if data.Timestamp != now.Format(time.RFC3339) {
+		t.Errorf("timestamp = %q, want %q", data.Timestamp, now.Format(time.RFC3339))
+	}
+}
+
+func TestComplianceView_HasUIMetadata(t *testing.T) {
+	setupToolTest(t)
+	cs := connectToolTestServer(t, Options{})
+
+	result, err := cs.ListTools(context.Background(), nil)
+	if err != nil {
+		t.Fatalf("ListTools: %v", err)
+	}
+	var found *mcp.Tool
+	for _, tool := range result.Tools {
+		if tool.Name == "compliance_view" {
+			found = tool
+			break
+		}
+	}
+	if found == nil {
+		t.Fatal("compliance_view tool missing")
+	}
+	meta := map[string]any(found.Meta)
+	ui, ok := meta["ui"].(map[string]any)
+	if !ok {
+		t.Fatalf("expected _meta.ui to be a map, got %T", meta["ui"])
+	}
+	if uri, _ := ui["resourceUri"].(string); uri != "ui://jc/compliance" {
+		t.Errorf("resourceUri = %q, want ui://jc/compliance", uri)
+	}
+}
+
+func TestComplianceViewResource_ServesHTMLWithInjection(t *testing.T) {
+	setupToolTest(t)
+	cs := connectToolTestServer(t, Options{})
+
+	result, err := cs.ReadResource(context.Background(), &mcp.ReadResourceParams{URI: "ui://jc/compliance"})
+	if err != nil {
+		t.Fatalf("ReadResource: %v", err)
+	}
+	if len(result.Contents) == 0 {
+		t.Fatal("empty resource contents")
+	}
+	c := result.Contents[0]
+	if c.MIMEType != mcpAppMIMEType {
+		t.Errorf("MIME = %q, want %q", c.MIMEType, mcpAppMIMEType)
+	}
+	if !strings.Contains(c.Text, "window.jcApp") {
+		t.Error("served HTML missing common.js injection")
+	}
+	if strings.Contains(c.Text, appCommonMarker) {
+		t.Error("served HTML still contains injection marker")
+	}
+	if !strings.Contains(c.Text, "JumpCloud Compliance Snapshot") {
+		t.Error("served HTML missing page title")
+	}
+}
diff --git a/internal/mcp/apps_html/compliance.html b/internal/mcp/apps_html/compliance.html
new file mode 100644
index 0000000..52ced6e
--- /dev/null
+++ b/internal/mcp/apps_html/compliance.html
@@ -0,0 +1,490 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width, initial-scale=1">
+<title>JumpCloud Compliance Snapshot</title>
+<style>
+  :root {
+    --bg: #0f1117;
+    --surface: #1a1d27;
+    --surface-hover: #22263a;
+    --border: #2a2e3d;
+    --text: #e1e4ed;
+    --text-muted: #8b8fa3;
+    --accent: #6366f1;
+    --accent-light: #818cf8;
+    --green: #22c55e;
+    --yellow: #eab308;
+    --red: #ef4444;
+    --blue: #3b82f6;
+    --orange: #f97316;
+    --radius: 10px;
+  }
+  * { margin: 0; padding: 0; box-sizing: border-box; }
+  body {
+    font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif;
+    background: var(--bg); color: var(--text); padding: 20px; line-height: 1.5;
+  }
+
+  header {
+    display: flex; gap: 16px; align-items: center;
+    background: var(--surface); border: 1px solid var(--border);
+    border-radius: var(--radius); padding: 16px; margin-bottom: 16px;
+  }
+  header .icon {
+    width: 48px; height: 48px; border-radius: 12px;
+    background: linear-gradient(135deg, var(--accent), var(--accent-light));
+    display: flex; align-items: center; justify-content: center;
+    color: white; font-weight: 700; font-size: 20px;
+  }
+  header .title { flex: 1; }
+  header h1 { font-size: 18px; font-weight: 600; }
+  header .sub { font-size: 13px; color: var(--text-muted); margin-top: 2px; }
+  .refresh-btn {
+    background: var(--surface); color: var(--text-muted);
+    border: 1px solid var(--border); padding: 6px 14px; border-radius: 6px;
+    cursor: pointer; font-size: 13px;
+  }
+  .refresh-btn:hover { background: var(--surface-hover); color: var(--text); }
+
+  .grid {
+    display: grid; grid-template-columns: 1fr 1fr; gap: 16px;
+  }
+  @media (max-width: 900px) {
+    .grid { grid-template-columns: 1fr; }
+  }
+
+  .card {
+    background: var(--surface); border: 1px solid var(--border);
+    border-radius: var(--radius); padding: 16px;
+  }
+  .card h2 {
+    font-size: 12px; text-transform: uppercase; letter-spacing: 0.5px;
+    color: var(--text-muted); margin-bottom: 12px;
+  }
+
+  .big-number {
+    font-size: 32px; font-weight: 700; line-height: 1;
+  }
+  .big-number .unit {
+    font-size: 16px; color: var(--text-muted); margin-left: 4px;
+    font-weight: 500;
+  }
+  .sub-line {
+    color: var(--text-muted); font-size: 12px; margin-top: 4px;
+  }
+
+  /* Coverage bar with a single percentage + text label. */
+  .bar {
+    background: var(--border); border-radius: 4px; height: 8px;
+    overflow: hidden; margin-top: 10px;
+  }
+  .bar > span { display: block; height: 100%; background: var(--green); }
+  .bar > span.warn { background: var(--yellow); }
+  .bar > span.crit { background: var(--red); }
+
+  /* Histogram of password-age buckets: 4 columns, equal width. */
+  .histogram { display: grid; grid-template-columns: repeat(4, 1fr); gap: 10px; margin-top: 8px; }
+  .histogram .col {
+    text-align: center; border: 1px solid var(--border);
+    border-radius: 8px; padding: 10px 6px;
+  }
+  .histogram .count { font-size: 22px; font-weight: 600; line-height: 1; }
+  .histogram .label { font-size: 11px; color: var(--text-muted); margin-top: 4px;
+    text-transform: uppercase; letter-spacing: 0.4px; }
+
+  table { width: 100%; border-collapse: collapse; font-size: 12px; margin-top: 10px; }
+  th, td {
+    text-align: left; padding: 6px 8px; border-bottom: 1px solid var(--border);
+  }
+  th { color: var(--text-muted); font-weight: 600; font-size: 11px;
+       text-transform: uppercase; letter-spacing: 0.4px; }
+  tr:last-child td { border-bottom: none; }
+  td.mono { font-family: ui-monospace, "SFMono-Regular", Menlo, Consolas, monospace;
+           color: var(--text-muted); font-size: 11px; }
+
+  .truncation-note {
+    color: var(--text-muted); font-size: 11px; margin-top: 6px;
+    font-style: italic;
+  }
+
+  .empty { color: var(--text-muted); font-size: 13px; padding: 8px 0; }
+
+  .badge {
+    display: inline-block; font-size: 10px; padding: 2px 6px; border-radius: 8px;
+    text-transform: uppercase; letter-spacing: 0.4px; font-weight: 600;
+  }
+  .badge.ok    { background: rgba(34,197,94,0.15);  color: var(--green); }
+  .badge.no    { background: rgba(239,68,68,0.15);  color: var(--red); }
+
+  #warnings {
+    display: none;
+    background: rgba(234,179,8,0.1); border: 1px solid var(--yellow);
+    border-radius: var(--radius); padding: 10px 14px; margin-bottom: 16px;
+    color: var(--yellow); font-size: 12px;
+  }
+  #error {
+    display: none;
+    background: rgba(239,68,68,0.1); border: 1px solid var(--red);
+    border-radius: var(--radius); padding: 12px; margin-bottom: 16px;
+    color: var(--red); font-size: 13px;
+  }
+  #loading {
+    display: flex; align-items: center; justify-content: center;
+    height: 200px; color: var(--text-muted); font-size: 14px;
+  }
+  .spinner {
+    width: 18px; height: 18px;
+    border: 2px solid var(--border);
+    border-top-color: var(--accent);
+    border-radius: 50%;
+    animation: spin 0.6s linear infinite;
+    margin-right: 10px;
+  }
+  @keyframes spin { to { transform: rotate(360deg); } }
+</style>
+</head>
+<body>
+  <div id="warnings"></div>
+  <div id="error"></div>
+  <div id="loading"><div class="spinner"></div>Loading compliance snapshot…</div>
+  <div id="content" style="display:none;">
+    <header>
+      <div class="icon">JC</div>
+      <div class="title">
+        <h1>Compliance Snapshot</h1>
+        <div class="sub" id="snapshot-time"></div>
+      </div>
+      <button type="button" class="refresh-btn" id="refresh-btn">Refresh</button>
+    </header>
+
+    <div class="grid">
+      <div class="card">
+        <h2>MFA adoption</h2>
+        <div id="mfa-summary"></div>
+        <div id="mfa-without"></div>
+      </div>
+      <div class="card">
+        <h2>Device encryption (FDE)</h2>
+        <div id="fde-summary"></div>
+        <div id="fde-by-os"></div>
+        <div id="fde-unencrypted"></div>
+      </div>
+      <div class="card">
+        <h2>Password age</h2>
+        <div id="password-summary"></div>
+        <div class="histogram" id="password-histogram"></div>
+      </div>
+      <div class="card">
+        <h2>Admin inventory</h2>
+        <div id="admin-summary"></div>
+        <div id="admin-list"></div>
+      </div>
+    </div>
+  </div>
+
+<!--JC_APP_COMMON-->
+<script>
+(function() {
+  "use strict";
+
+  // Text-content-only DOM builder — same XSS-safe helper used by the
+  // other apps. Setting className/textContent only; unknown attribute
+  // keys are dropped rather than forwarded to setAttribute.
+  function el(tag, attrs, children) {
+    var n = document.createElement(tag);
+    if (attrs) Object.keys(attrs).forEach(function(k){
+      if (k === "className") n.className = String(attrs[k]);
+      else if (k === "textContent") n.textContent = String(attrs[k]);
+    });
+    if (children) children.forEach(function(c){
+      if (c == null) return;
+      if (typeof c === "string") n.appendChild(document.createTextNode(c));
+      else if (c instanceof Node) n.appendChild(c);
+    });
+    return n;
+  }
+
+  function clear(n) { while (n.firstChild) n.removeChild(n.firstChild); }
+
+  function fmtTimestamp(iso) {
+    if (!iso) return "";
+    var d = new Date(iso);
+    if (isNaN(d)) return iso;
+    return d.toISOString().slice(0, 16).replace("T", " ") + "Z";
+  }
+
+  function fmtPct(n) {
+    if (typeof n !== "number" || !isFinite(n)) return "—";
+    if (n >= 99.95) return "100%";
+    return n.toFixed(1) + "%";
+  }
+
+  // Color-codes a coverage bar by where the percentage falls: green is
+  // "compliant," yellow warns, red flags. Symmetric thresholds across
+  // MFA and FDE so the cards read the same way at a glance.
+  function coverageClass(pct) {
+    if (typeof pct !== "number" || !isFinite(pct)) return "crit";
+    if (pct >= 95) return "";
+    if (pct >= 80) return "warn";
+    return "crit";
+  }
+
+  function renderMFA(mfa) {
+    var summary = document.getElementById("mfa-summary");
+    clear(summary);
+    if (!mfa) {
+      summary.appendChild(el("div", { className: "empty",
+        textContent: "MFA data not available." }));
+      return;
+    }
+    var pct = mfa.percentage || 0;
+    summary.appendChild(el("div", { className: "big-number" }, [
+      fmtPct(pct),
+      el("span", { className: "unit",
+        textContent: " " + mfa.enrolled + " / " + mfa.total + " active users" })
+    ]));
+    var bar = el("div", { className: "bar" });
+    var fill = el("span", { className: coverageClass(pct) });
+    fill.style.width = Math.max(0, Math.min(100, pct)) + "%";
+    bar.appendChild(fill);
+    summary.appendChild(bar);
+
+    var without = document.getElementById("mfa-without");
+    clear(without);
+    var list = mfa.without_mfa || [];
+    if (list.length === 0) {
+      without.appendChild(el("div", { className: "empty", textContent: "All active users have MFA enrolled." }));
+      return;
+    }
+    var table = el("table", null, [
+      el("thead", null, [el("tr", null, [
+        el("th", { textContent: "Without MFA" }),
+        el("th", { textContent: "Email" })
+      ])])
+    ]);
+    var tbody = el("tbody");
+    list.forEach(function(u){
+      tbody.appendChild(el("tr", null, [
+        el("td", { textContent: u.username || u.id || "—" }),
+        el("td", { className: "mono", textContent: u.email || "" })
+      ]));
+    });
+    table.appendChild(tbody);
+    without.appendChild(table);
+    var total = mfa.without_mfa_total || list.length;
+    if (total > list.length) {
+      without.appendChild(el("div", { className: "truncation-note",
+        textContent: "Showing " + list.length + " of " + total + "." }));
+    }
+  }
+
+  function renderFDE(fde) {
+    var summary = document.getElementById("fde-summary");
+    clear(summary);
+    if (!fde) {
+      summary.appendChild(el("div", { className: "empty",
+        textContent: "Device encryption data not available." }));
+      return;
+    }
+    var pct = fde.percentage || 0;
+    summary.appendChild(el("div", { className: "big-number" }, [
+      fmtPct(pct),
+      el("span", { className: "unit",
+        textContent: " " + fde.encrypted + " / " + fde.total + " devices encrypted" })
+    ]));
+    var bar = el("div", { className: "bar" });
+    var fill = el("span", { className: coverageClass(pct) });
+    fill.style.width = Math.max(0, Math.min(100, pct)) + "%";
+    bar.appendChild(fill);
+    summary.appendChild(bar);
+
+    var byOSEl = document.getElementById("fde-by-os");
+    clear(byOSEl);
+    var byOS = fde.by_os || [];
+    if (byOS.length === 0) {
+      // single-OS orgs — bar above already captures the picture.
+    } else {
+      var table = el("table", null, [
+        el("thead", null, [el("tr", null, [
+          el("th", { textContent: "OS" }),
+          el("th", { textContent: "Encrypted" }),
+          el("th", { textContent: "Coverage" })
+        ])])
+      ]);
+      var tbody = el("tbody");
+      byOS.forEach(function(o){
+        tbody.appendChild(el("tr", null, [
+          el("td", { textContent: o.os }),
+          el("td", { textContent: o.encrypted + " / " + o.total }),
+          el("td", { textContent: fmtPct(o.percentage || 0) })
+        ]));
+      });
+      table.appendChild(tbody);
+      byOSEl.appendChild(table);
+    }
+
+    var unencEl = document.getElementById("fde-unencrypted");
+    clear(unencEl);
+    var unenc = fde.unencrypted || [];
+    if (unenc.length === 0) return;
+    var head = el("table", null, [
+      el("thead", null, [el("tr", null, [
+        el("th", { textContent: "Unencrypted device" }),
+        el("th", { textContent: "OS" })
+      ])])
+    ]);
+    var tbody2 = el("tbody");
+    unenc.forEach(function(d){
+      tbody2.appendChild(el("tr", null, [
+        el("td", { textContent: d.hostname || d.id || "—" }),
+        el("td", { textContent: d.os || "—" })
+      ]));
+    });
+    head.appendChild(tbody2);
+    unencEl.appendChild(head);
+    var total = fde.unencrypted_total || unenc.length;
+    if (total > unenc.length) {
+      unencEl.appendChild(el("div", { className: "truncation-note",
+        textContent: "Showing " + unenc.length + " of " + total + "." }));
+    }
+  }
+
+  function renderPasswords(pwd) {
+    var summary = document.getElementById("password-summary");
+    clear(summary);
+    if (!pwd) {
+      summary.appendChild(el("div", { className: "empty",
+        textContent: "Password data not available." }));
+      return;
+    }
+    var nodataNote = pwd.no_data > 0
+      ? " · " + pwd.no_data + " without recorded date"
+      : "";
+    summary.appendChild(el("div", { className: "sub-line",
+      textContent: pwd.total + " users with a recorded password date" + nodataNote }));
+
+    var hist = document.getElementById("password-histogram");
+    clear(hist);
+    (pwd.buckets || []).forEach(function(b){
+      hist.appendChild(el("div", { className: "col" }, [
+        el("div", { className: "count", textContent: String(b.count) }),
+        el("div", { className: "label", textContent: b.label })
+      ]));
+    });
+  }
+
+  function renderAdmins(admins) {
+    var summary = document.getElementById("admin-summary");
+    clear(summary);
+    if (!admins) {
+      summary.appendChild(el("div", { className: "empty",
+        textContent: "Admin data not available." }));
+      return;
+    }
+    summary.appendChild(el("div", { className: "big-number" }, [
+      String(admins.total),
+      el("span", { className: "unit", textContent: " admins" })
+    ]));
+
+    var list = document.getElementById("admin-list");
+    clear(list);
+    var rows = admins.list || [];
+    if (rows.length === 0) {
+      list.appendChild(el("div", { className: "empty", textContent: "No admins returned." }));
+      return;
+    }
+    var table = el("table", null, [
+      el("thead", null, [el("tr", null, [
+        el("th", { textContent: "Admin" }),
+        el("th", { textContent: "Role" }),
+        el("th", { textContent: "MFA" }),
+        el("th", { textContent: "Last login" })
+      ])])
+    ]);
+    var tbody = el("tbody");
+    rows.forEach(function(a){
+      var mfaBadge = a.enable_multi_factor
+        ? el("span", { className: "badge ok", textContent: "Yes" })
+        : el("span", { className: "badge no", textContent: "No" });
+      tbody.appendChild(el("tr", null, [
+        el("td", { textContent: a.email || a.id || "—" }),
+        el("td", { textContent: a.role_name || "—" }),
+        el("td", null, [mfaBadge]),
+        el("td", { textContent: a.last_login ? fmtTimestamp(a.last_login) : "—" })
+      ]));
+    });
+    table.appendChild(tbody);
+    list.appendChild(table);
+  }
+
+  function renderAll(data) {
+    document.getElementById("loading").style.display = "none";
+    // #content's CSS has no `display: none` rule (only inline
+    // display:none on the element), so clearing the inline style with
+    // "" works here. #warnings and #error need explicit "block" though
+    // because their CSS rules set display:none.
+    document.getElementById("content").style.display = "";
+    document.getElementById("error").style.display = "none";
+
+    var warn = document.getElementById("warnings");
+    if (data.warnings && data.warnings.length) {
+      warn.textContent = data.warnings.join(" ");
+      warn.style.display = "block";
+    } else {
+      warn.style.display = "none";
+    }
+
+    document.getElementById("snapshot-time").textContent =
+      data.timestamp ? "Snapshot at " + fmtTimestamp(data.timestamp) : "";
+
+    renderMFA(data.mfa);
+    renderFDE(data.fde);
+    renderPasswords(data.passwords);
+    renderAdmins(data.admins);
+  }
+
+  function showError(msg) {
+    document.getElementById("loading").style.display = "none";
+    var e = document.getElementById("error");
+    e.textContent = msg;
+    // CSS has `display: none` on #error; inline "" only removes the
+    // override, leaving the stylesheet rule in effect. Must set an
+    // explicit block. Mirrors the pattern in dashboard.html.
+    e.style.display = "block";
+  }
+
+  function refresh(btn) {
+    if (btn) { btn.disabled = true; btn.textContent = "Loading…"; }
+    jcApp.callTool("compliance_view", {}).then(function(result){
+      try {
+        var data = jcApp.parseToolResult(result);
+        if (data) renderAll(data);
+        else showError("Empty response");
+      } catch (e) { showError(e.message || String(e)); }
+      if (btn) { btn.disabled = false; btn.textContent = "Refresh"; }
+    }).catch(function(err){
+      showError("Failed to load: " + (err.message || String(err)));
+      if (btn) { btn.disabled = false; btn.textContent = "Refresh"; }
+    });
+  }
+
+  jcApp.ready("JumpCloud Compliance Snapshot", "1.0.0");
+
+  var initialized = false;
+  jcApp.onToolResult(function(params) {
+    if (initialized) return;
+    try {
+      var data = jcApp.parseToolResult(params);
+      if (data) { initialized = true; renderAll(data); }
+    } catch (e) { /* swallow — refresh button will recover */ }
+  });
+
+  document.getElementById("refresh-btn").addEventListener("click", function() {
+    refresh(this);
+  });
+})();
+</script>
+</body>
+</html>
diff --git a/internal/mcp/tools_test.go b/internal/mcp/tools_test.go
index 52fc5ab..4ffb96e 100644
--- a/internal/mcp/tools_test.go
+++ b/internal/mcp/tools_test.go
@@ -378,6 +378,7 @@ func TestMCP_ListTools_AllRegistered(t *testing.T) {
 		"insights_view",
 		"user_view",
 		"device_view",
+		"compliance_view",
 	}
 
 	toolNames := make(map[string]bool)
@@ -392,8 +393,8 @@ func TestMCP_ListTools_AllRegistered(t *testing.T) {
 	}
 
 	// Verify exact count — update when adding/removing tools.
-	if len(result.Tools) != 198 {
-		t.Errorf("expected 198 tools, got %d", len(result.Tools))
+	if len(result.Tools) != 199 {
+		t.Errorf("expected 199 tools, got %d", len(result.Tools))
 	}
 }