diff --git a/application/single_app/admin_settings_int_utils.py b/application/single_app/admin_settings_int_utils.py
new file mode 100644
index 00000000..70e41b5e
--- /dev/null
+++ b/application/single_app/admin_settings_int_utils.py
@@ -0,0 +1,38 @@
+# admin_settings_int_utils.py
+
+
+def safe_int_with_source(raw_value, fallback_value, hard_default=0):
+    """
+    Safely parse an integer value using raw input, fallback, then hard default.
+
+    Args:
+        raw_value (object): Primary value to parse.
+        fallback_value (object): Secondary value to parse when raw parsing fails.
+        hard_default (int): Final integer default when both values are invalid.
+
+    Returns:
+        tuple[int, str]: Parsed integer and parse source (`raw`, `fallback`, `hard_default`).
+    """
+    try:
+        return int(raw_value), "raw"
+    except (TypeError, ValueError):
+        try:
+            return int(fallback_value), "fallback"
+        except (TypeError, ValueError):
+            return int(hard_default), "hard_default"
+
+
+def safe_int(raw_value, fallback_value, hard_default=0):
+    """
+    Safely parse an integer using raw input, fallback, then hard default.
+
+    Args:
+        raw_value (object): Primary value to parse.
+        fallback_value (object): Secondary value to parse when raw parsing fails.
+        hard_default (int): Final integer default when both values are invalid.
+
+    Returns:
+        int: Parsed integer value.
+    """
+    parsed_value, _ = safe_int_with_source(raw_value, fallback_value, hard_default)
+    return parsed_value
diff --git a/application/single_app/app.py b/application/single_app/app.py
index 2fba1631..9f62fbe6 100644
--- a/application/single_app/app.py
+++ b/application/single_app/app.py
@@ -425,10 +425,212 @@ def check_retention_policy():
     # Unified session setup
     configure_sessions(settings)
 
+
+def get_idle_timeout_settings(settings=None):
+    """
+    Resolve and normalize idle timeout settings used for warning and logout enforcement.
+
+    Args:
+        settings (dict, optional): Settings dictionary to use. If None, uses request-scoped settings.
+
+    Returns:
+        tuple[int, int]: A tuple of (idle_timeout_minutes, idle_warning_minutes)
+                         after parsing, fallback handling, and boundary normalization.
+
+    Raises:
+        None: Invalid values are handled via fallback defaults and warning logs.
+    """
+    if settings is None:
+        settings = get_request_settings()
+
+    timeout_raw = settings.get('idle_timeout_minutes', 30)
+    warning_raw = settings.get('idle_warning_minutes', 28)
+
+    try:
+        timeout_minutes = int(timeout_raw)
+    except (TypeError, ValueError):
+        timeout_minutes = 30
+        log_event(
+            "Invalid idle timeout value detected; using default.",
+            extra={
+                "setting": "idle_timeout_minutes",
+                "raw_value": str(timeout_raw),
+                "fallback_value": 30
+            },
+            level=logging.WARNING
+        )
+
+    try:
+        warning_minutes = int(warning_raw)
+    except (TypeError, ValueError):
+        warning_minutes = 28
+        log_event(
+            "Invalid idle warning value detected; using default.",
+            extra={
+                "setting": "idle_warning_minutes",
+                "raw_value": str(warning_raw),
+                "fallback_value": 28
+            },
+            level=logging.WARNING
+        )
+
+    normalized_timeout = max(1, timeout_minutes)
+    if normalized_timeout != timeout_minutes:
+        log_event(
+            "Idle timeout value normalized to minimum allowed value.",
+            extra={
+                "setting": "idle_timeout_minutes",
+                "original_value": timeout_minutes,
+                "normalized_value": normalized_timeout
+            },
+            level=logging.WARNING
+        )
+    timeout_minutes = normalized_timeout
+
+    normalized_warning = max(0, warning_minutes)
+    if normalized_warning != warning_minutes:
+        log_event(
+            "Idle warning value normalized to minimum allowed value.",
+            extra={
+                "setting": "idle_warning_minutes",
+                "original_value": warning_minutes,
+                "normalized_value": normalized_warning
+            },
+            level=logging.WARNING
+        )
+    warning_minutes = normalized_warning
+
+    if warning_minutes >= timeout_minutes:
+        previous_warning_minutes = warning_minutes
+        warning_minutes = max(0, timeout_minutes - 1)
+        log_event(
+            "Idle warning value adjusted to remain below idle timeout.",
+            extra={
+                "idle_timeout_minutes": timeout_minutes,
+                "original_idle_warning_minutes": previous_warning_minutes,
+                "adjusted_idle_warning_minutes": warning_minutes
+            },
+            level=logging.WARNING
+        )
+
+    return timeout_minutes, warning_minutes
+
+
+def is_idle_timeout_enabled(settings=None):
+    """
+    Determine whether idle-timeout enforcement is enabled.
+
+    Args:
+        settings (dict, optional): Settings dictionary to use. If None, uses request-scoped settings.
+
+    Returns:
+        bool: True when idle-timeout enforcement should run; otherwise False.
+
+    Raises:
+        None: Unexpected values are coerced to boolean-compatible behavior.
+    """
+    if settings is None:
+        settings = get_request_settings()
+
+    enabled_raw = settings.get('enable_idle_timeout', True)
+
+    if isinstance(enabled_raw, str):
+        return enabled_raw.strip().lower() in ('1', 'true', 'yes', 'on')
+
+    return bool(enabled_raw)
+
+
+settings_source_counters = {}
+settings_source_counters_lock = threading.Lock()
+
+
+def record_request_settings_source(source):
+    """
+    Record and log the source used to resolve request settings.
+
+    Args:
+        source (str): Settings source label (for example: cache, cosmos_fallback, cosmos_forced).
+
+    Returns:
+        None: Updates in-memory counters and request context diagnostics.
+
+    Raises:
+        None: Counter updates and diagnostics are handled internally.
+    """
+    normalized_source = source or 'unknown'
+    with settings_source_counters_lock:
+        settings_source_counters[normalized_source] = settings_source_counters.get(normalized_source, 0) + 1
+        cache_hits = settings_source_counters.get('cache', 0)
+        cosmos_fallback_hits = settings_source_counters.get('cosmos_fallback', 0)
+        cosmos_forced_hits = settings_source_counters.get('cosmos_forced', 0)
+        unknown_hits = settings_source_counters.get('unknown', 0)
+
+    g.request_settings_source = normalized_source
+    debug_print(
+        f"[SETTINGS SOURCE] path={request.path} source={normalized_source}",
+        category="SETTINGS",
+        cache_hits=cache_hits,
+        cosmos_fallback_hits=cosmos_fallback_hits,
+        cosmos_forced_hits=cosmos_forced_hits,
+        unknown_hits=unknown_hits
+    )
+
+    if normalized_source != 'cache':
+        log_event(
+            "Request settings source is non-cache.",
+            extra={
+                "path": request.path,
+                "settings_source": normalized_source,
+                "cache_hits": cache_hits,
+                "cosmos_fallback_hits": cosmos_fallback_hits,
+                "cosmos_forced_hits": cosmos_forced_hits,
+                "unknown_hits": unknown_hits
+            },
+            level=logging.INFO
+        )
+
+
+def get_request_settings():
+    """
+    Get request-scoped settings, resolving and caching them when needed.
+
+    Args:
+        None
+
+    Returns:
+        dict: Request settings dictionary cached on Flask `g` for the current request.
+
+    Raises:
+        None: Unexpected resolver response shapes are logged and handled with safe fallbacks.
+    """
+    request_settings = getattr(g, 'request_settings', None)
+    if request_settings is None:
+        settings_result = get_settings(include_source=True)
+        if isinstance(settings_result, tuple) and len(settings_result) == 2:
+            request_settings, settings_source = settings_result
+        else:
+            request_settings = settings_result
+            settings_source = 'unknown'
+            log_event(
+                "Unexpected settings response shape in get_request_settings.",
+                extra={
+                    "path": request.path,
+                    "response_type": type(settings_result).__name__
+                },
+                level=logging.WARNING
+            )
+
+        request_settings = request_settings or {}
+        g.request_settings = request_settings
+        record_request_settings_source(settings_source)
+    return request_settings
+
 @app.context_processor
 def inject_settings():
-    settings = get_settings()
+    settings = get_request_settings()
     public_settings = sanitize_settings_for_user(settings)
+    idle_timeout_enabled = is_idle_timeout_enabled(settings)
+    idle_timeout_minutes, idle_warning_minutes = get_idle_timeout_settings(settings)
     # Inject per-user settings if logged in
     user_settings = {}
     try:
@@ -440,7 +642,13 @@ def inject_settings():
         print(f"Error injecting user settings: {e}")
         log_event(f"Error injecting user settings: {e}", level=logging.ERROR)
         user_settings = {}
-    return dict(app_settings=public_settings, user_settings=user_settings)
+    return dict(
+        app_settings=public_settings,
+        user_settings=user_settings,
+        idle_timeout_enabled=idle_timeout_enabled,
+        idle_timeout_minutes=idle_timeout_minutes,
+        idle_warning_minutes=idle_warning_minutes
+    )
 
 @app.template_filter('to_datetime')
 def to_datetime_filter(value):
@@ -464,6 +672,148 @@ def reload_kernel_if_needed():
         """
         setattr(builtins, "kernel_reload_needed", False)
 
+IDLE_TIMEOUT_EXEMPT_PATHS = {
+    '/login',
+    '/logout',
+    '/logout/local',
+    '/getAToken',
+    '/getATokenApi',
+    '/robots933456.txt',
+    '/favicon.ico'
+}
+
+IDLE_TIMEOUT_EXEMPT_PREFIXES = (
+    '/static/',
+    '/health',
+    '/api/health'
+)
+
+def _is_idle_timeout_exempt(path):
+    """
+    Check whether a request path is exempt from idle-timeout processing.
+
+    Args:
+        path (str): Request path to evaluate.
+
+    Returns:
+        bool: True if the path is exempt from idle-timeout checks; otherwise False.
+
+    Raises:
+        None
+    """
+    if path in IDLE_TIMEOUT_EXEMPT_PATHS:
+        return True
+    return any(path.startswith(prefix) for prefix in IDLE_TIMEOUT_EXEMPT_PREFIXES)
+
+
+@app.before_request
+def load_request_settings_cache():
+    """
+    Preload request-scoped settings for authenticated, non-exempt requests.
+
+    Args:
+        None
+
+    Returns:
+        None: Always returns None to continue Flask request processing.
+
+    Raises:
+        None: Unexpected settings resolver shapes are logged and converted to safe fallbacks.
+    """
+    g.request_settings = None
+    g.request_settings_source = None
+
+    if request.method == 'OPTIONS' or _is_idle_timeout_exempt(request.path):
+        return None
+
+    if 'user' not in session:
+        return None
+
+    settings_result = get_settings(include_source=True)
+    if isinstance(settings_result, tuple) and len(settings_result) == 2:
+        request_settings, settings_source = settings_result
+    else:
+        request_settings = settings_result
+        settings_source = 'unknown'
+        log_event(
+            "Unexpected settings response shape in load_request_settings_cache.",
+            extra={
+                "path": request.path,
+                "response_type": type(settings_result).__name__
+            },
+            level=logging.WARNING
+        )
+
+    g.request_settings = request_settings or {}
+    record_request_settings_source(settings_source)
+    return None
+
+@app.before_request
+def enforce_idle_session_timeout():
+    """
+    Enforce server-side idle session timeout for authenticated requests.
+
+    Args:
+        None
+
+    Returns:
+        Response | None: A redirect/401 response when timeout is exceeded; otherwise None.
+
+    Raises:
+        None: Runtime issues in timeout evaluation are logged and request processing continues safely.
+    """
+    if 'user' not in session:
+        return None
+
+    if request.method == 'OPTIONS' or _is_idle_timeout_exempt(request.path):
+        return None
+
+    now_epoch = int(time.time())
+    request_settings = get_request_settings()
+    if not is_idle_timeout_enabled(request_settings):
+        session['last_activity_epoch'] = now_epoch
+        session.modified = True
+        return None
+
+    idle_timeout_minutes, _ = get_idle_timeout_settings(request_settings)
+    last_activity_epoch = session.get('last_activity_epoch')
+    has_valid_last_activity_epoch = False
+
+    if last_activity_epoch is not None:
+        try:
+            parsed_last_activity_epoch = int(float(last_activity_epoch))
+            has_valid_last_activity_epoch = True
+            idle_seconds = now_epoch - parsed_last_activity_epoch
+            if idle_seconds >= (idle_timeout_minutes * 60):
+                user_id = session.get('user', {}).get('oid') or session.get('user', {}).get('sub')
+                session.clear()
+
+                log_event(
+                    f"Session expired due to {idle_timeout_minutes} minute inactivity timeout for user {user_id or 'unknown'}.",
+                    level=logging.INFO
+                )
+
+                if request.path.startswith('/api/'):
+                    return jsonify({
+                        'error': 'Session expired',
+                        'message': 'Your session expired due to inactivity. Please sign in again.',
+                        'requires_reauth': True
+                    }), 401
+
+                return redirect(url_for('local_logout'))
+        except Exception as e:
+            log_event(f"Idle timeout evaluation failed: {e}", level=logging.WARNING)
+
+    if request.path.startswith('/api/'):
+        if not has_valid_last_activity_epoch:
+            session['last_activity_epoch'] = now_epoch
+            session.modified = True
+        return None
+
+    session['last_activity_epoch'] = now_epoch
+    session.modified = True
+    return None
+
 @app.after_request
 def add_security_headers(response):
     """
@@ -556,6 +906,30 @@ def serve_js_modules(filename):
 def acceptable_use_policy():
     return render_template('acceptable_use_policy.html')
 
+@app.route('/api/session/heartbeat', methods=['POST'])
+@swagger_route(security=get_auth_security())
+@login_required
+def session_heartbeat():
+    """
+    Refresh the authenticated session activity timestamp used by idle-timeout enforcement.
+
+    Args:
+        None
+
+    Returns:
+        tuple[Response, int]: JSON response containing refresh confirmation and timeout metadata.
+
+    Raises:
+        None
+    """
+    session['last_activity_epoch'] = int(time.time())
+    session.modified = True
+    idle_timeout_minutes, _ = get_idle_timeout_settings(get_request_settings())
+    return jsonify({
+        'message': 'Session refreshed',
+        'idle_timeout_minutes': idle_timeout_minutes
+    }), 200
+
 @app.route('/api/semantic-kernel/plugins')
 @swagger_route(security=get_auth_security())
 def list_semantic_kernel_plugins():
diff --git a/application/single_app/config.py b/application/single_app/config.py
index 2280b761..d7820228 100644
--- a/application/single_app/config.py
+++ b/application/single_app/config.py
@@ -94,7 +94,7 @@
 EXECUTOR_TYPE = 'thread'
 EXECUTOR_MAX_WORKERS = 30
 SESSION_TYPE = 'filesystem'
-VERSION = "0.239.011"
+VERSION = "0.239.012"
 
 SECRET_KEY = os.getenv('SECRET_KEY', 'dev-secret-key-change-in-production')
 
@@ -562,7 +562,7 @@ def ensure_custom_favicon_file_exists(app, settings):
     except (base64.binascii.Error, TypeError, OSError) as ex: # Catch specific errors
         print(f"Failed to write/overwrite {favicon_filename}: {ex}")
     except Exception as ex: # Catch any other unexpected errors
-         print(f"Unexpected error during favicon file write for {favicon_filename}: {ex}")
+        print(f"Unexpected error during favicon file write for {favicon_filename}: {ex}")
 
 def initialize_clients(settings):
     """
diff --git a/application/single_app/functions_settings.py b/application/single_app/functions_settings.py
index 89367065..c8d97a47 100644
--- a/application/single_app/functions_settings.py
+++ b/application/single_app/functions_settings.py
@@ -4,8 +4,9 @@
 from functions_appinsights import log_event
 import app_settings_cache
 import inspect
+import copy
 
-def get_settings(use_cosmos=False):
+def get_settings(use_cosmos=False, include_source=False):
     import secrets
     default_settings = {
         # External health check
@@ -259,6 +260,9 @@ def get_settings(use_cosmos=False):
         # Other
         'max_file_size_mb': 150,
         'conversation_history_limit': 10,
+        'enable_idle_timeout': True,
+        'idle_timeout_minutes': 30,
+        'idle_warning_minutes': 28,
         'default_system_prompt': '',
         # Access denied message shown on the home page for signed-in users who lack required roles.
         # Default is hard-coded; admins can override via Admin Settings (persisted in Cosmos DB).
@@ -326,6 +330,11 @@ def get_settings(use_cosmos=False):
         'default_retention_document_public': 'none',
     }
 
+    def _format_result(settings_payload, source):
+        if include_source:
+            return settings_payload, source
+        return settings_payload
+
     try:
         # Attempt to read the existing doc
         if use_cosmos:
@@ -333,17 +342,35 @@ def get_settings(use_cosmos=False):
                 item="app_settings",
                 partition_key="app_settings"
             )
+            settings_source = "cosmos_forced"
+            log_event(
+                "App settings loaded from Cosmos DB (forced).",
+                extra={
+                    "settings_source": settings_source,
+                    "use_cosmos": True
+                },
+                level=logging.INFO
+            )
         else:
             settings_item = None
+            settings_source = "cache"
 
             cache_accessor = getattr(app_settings_cache, "get_settings_cache", None)
             if callable(cache_accessor):
                 try:
                     settings_item = cache_accessor()
-                except Exception:
+                except Exception as cache_error:
                     settings_item = None
+                    log_event(
+                        "Error reading app settings from cache accessor.",
+                        extra={
+                            "error": str(cache_error)
+                        },
+                        level=logging.WARNING
+                    )
 
             if not settings_item:
+                settings_source = "cosmos_fallback"
                 settings_item = cosmos_settings_container.read_item(
                     item="app_settings",
                     partition_key="app_settings"
@@ -361,33 +388,75 @@ def get_settings(use_cosmos=False):
                         "Warning: Failed to get settings from cache, read from Cosmos DB instead. "
                         f"Called from {caller_file}:{caller_line} in {caller_func}()."
                     )
+                    log_event(
+                        "App settings cache miss. Falling back to Cosmos DB.",
+                        extra={
+                            "settings_source": settings_source,
+                            "caller_file": caller_file,
+                            "caller_line": caller_line,
+                            "caller_func": caller_func
+                        },
+                        level=logging.WARNING
+                    )
                 else:
                     print(
                         "Warning: Failed to get settings from cache, "
                         "read from Cosmos DB instead. (no caller frame)"
                     )
+                    log_event(
+                        "App settings cache miss. Falling back to Cosmos DB (no caller frame).",
+                        extra={
+                            "settings_source": settings_source
+                        },
+                        level=logging.WARNING
+                    )
         #print("Successfully retrieved settings from Cosmos DB.")
 
+        original_settings_item = copy.deepcopy(settings_item)
+
         # Merge default_settings in, to fill in any missing or nested keys
         merged = deep_merge_dicts(default_settings, settings_item)
 
         # If merging added anything new, upsert back to Cosmos so future reads remain up to date
-        if merged != settings_item:
+        if merged != original_settings_item:
             cosmos_settings_container.upsert_item(merged)
             print("App Settings had missing keys and was updated in Cosmos DB.")
-            return merged
+            log_event(
+                "App settings missing keys were merged and persisted to Cosmos DB.",
+                extra={
+                    "settings_source": settings_source
+                },
+                level=logging.INFO
+            )
+            return _format_result(merged, settings_source)
         else:
             # If merged is unchanged, no new keys needed
-            return merged
+            return _format_result(merged, settings_source)
 
     except CosmosResourceNotFoundError:
         cosmos_settings_container.create_item(body=default_settings)
         print("Default settings created in Cosmos and returned.")
-        return default_settings
+        log_event(
+            "App settings document not found. Default settings created in Cosmos DB.",
+            extra={
+                "settings_source": "cosmos_default_created"
+            },
+            level=logging.WARNING
+        )
+        return _format_result(default_settings, "cosmos_default_created")
 
     except Exception as e:
         print(f"Error retrieving settings: {str(e)}")
-        return None
+        log_event(
+            "Error retrieving app settings.",
+            extra={
+                "error": str(e),
+                "use_cosmos": use_cosmos
+            },
+            level=logging.ERROR,
+            exceptionTraceback=True
+        )
+        return _format_result(None, "error")
 
 def update_settings(new_settings):
     try:
diff --git a/application/single_app/route_frontend_admin_settings.py b/application/single_app/route_frontend_admin_settings.py
index 2fc5abc8..70805a7f 100644
--- a/application/single_app/route_frontend_admin_settings.py
+++ b/application/single_app/route_frontend_admin_settings.py
@@ -8,6 +8,7 @@
 from functions_logging import *
 from swagger_wrapper import swagger_route, get_auth_security
 from datetime import datetime, timedelta
+from admin_settings_int_utils import safe_int_with_source
 
 def allowed_file(filename, allowed_extensions):
     return '.' in filename and \
@@ -288,10 +289,58 @@ def admin_settings():
             form_data = request.form # Use a variable for easier access
             user_id = get_current_user_id()
 
+            def parse_admin_int(raw_value, fallback_value, field_name="unknown", hard_default=0):
+                """
+                Parse an admin form value to an integer with structured fallback diagnostics.
+
+                Args:
+                    raw_value (object): The submitted form value to parse.
+                    fallback_value (object): The fallback value to parse when input conversion fails.
+                    field_name (str): The admin settings field name being parsed.
+                    hard_default (int): Final integer default when both input and fallback are invalid.
+
+                Returns:
+                    int: A valid integer derived from input, fallback, or hard default.
+                Raises:
+                    None.
+                """
+                parsed_value, parse_source = safe_int_with_source(raw_value, fallback_value, hard_default)
+
+                if parse_source == "hard_default":
+                    log_event(
+                        "Invalid admin settings integer input and fallback detected; using hard default value.",
+                        extra={
+                            "field": field_name,
+                            "raw_value": str(raw_value),
+                            "fallback_value": str(fallback_value),
+                            "hard_default": hard_default,
+                            "user_id": user_id
+                        },
+                        level=logging.WARNING
+                    )
+                elif parse_source == "fallback":
+                    log_event(
+                        "Invalid admin settings integer input detected; using fallback value.",
+                        extra={
+                            "field": field_name,
+                            "raw_value": str(raw_value),
+                            "fallback_value": str(fallback_value),
+                            "user_id": user_id
+                        },
+                        level=logging.WARNING
+                    )
+
+                return parsed_value
+
             # --- Fetch all other form data as before ---
             app_title = form_data.get('app_title', 'AI Chat Application')
             max_file_size_mb = int(form_data.get('max_file_size_mb', 16))
             conversation_history_limit = int(form_data.get('conversation_history_limit', 10))
+            enable_idle_timeout = form_data.get('enable_idle_timeout') == 'on'
+            idle_timeout_minutes = max(1, parse_admin_int(form_data.get('idle_timeout_minutes'), settings.get('idle_timeout_minutes', 30), 'idle_timeout_minutes', 30))
+            idle_warning_minutes = max(0, parse_admin_int(form_data.get('idle_warning_minutes'), settings.get('idle_warning_minutes', 28), 'idle_warning_minutes', 28))
+            if idle_warning_minutes >= idle_timeout_minutes:
+                idle_warning_minutes = max(0, idle_timeout_minutes - 1)
             # ... (fetch all other fields using form_data.get) ...
             enable_video_file_support = form_data.get('enable_video_file_support') == 'on'
             enable_audio_file_support = form_data.get('enable_audio_file_support') == 'on'
@@ -868,6 +917,9 @@ def is_valid_url(url):
                 # Other
                 'max_file_size_mb': max_file_size_mb,
                 'conversation_history_limit': conversation_history_limit,
+                'enable_idle_timeout': enable_idle_timeout,
+                'idle_timeout_minutes': idle_timeout_minutes,
+                'idle_warning_minutes': idle_warning_minutes,
                 'default_system_prompt': form_data.get('default_system_prompt', '').strip(),
                 'access_denied_message': form_data.get('access_denied_message', settings.get('access_denied_message', '')).strip(),
 
diff --git a/application/single_app/route_frontend_authentication.py b/application/single_app/route_frontend_authentication.py
index 022ecf84..a60f7734 100644
--- a/application/single_app/route_frontend_authentication.py
+++ b/application/single_app/route_frontend_authentication.py
@@ -35,6 +35,7 @@ def login():
         # Clear potentially stale cache/user info before starting new login
         session.pop("user", None)
         session.pop("token_cache", None)
+        session.pop("last_activity_epoch", None)
 
         # Use helper to build app (cache not strictly needed here, but consistent)
         msal_app = _build_msal_app()
@@ -121,6 +122,7 @@ def authorized():
         debug_print(f" [claims] User claims: {result.get('id_token_claims', {})}")
 
         session["user"] = result.get("id_token_claims")
+        session["last_activity_epoch"] = int(time.time())
 
         # --- CRITICAL: Save the entire cache (contains tokens) to session ---
         _save_cache(msal_app.token_cache)
@@ -207,6 +209,39 @@ def authorized_api():
 
         return jsonify(result, 200)
 
+    @app.route('/logout/local')
+    @swagger_route(security=get_auth_security())
+    def local_logout():
+        """
+        Clear the local Flask session and redirect to the configured home destination.
+
+        Args:
+            None.
+
+        Returns:
+            Response: A redirect response to the local or Front Door home URL.
+        Raises:
+            None.
+        """
+        session.clear()
+
+        from functions_settings import get_settings
+        settings = get_settings()
+
+        if settings.get('enable_front_door', False):
+            front_door_url = settings.get('front_door_url')
+            if front_door_url:
+                home_url, _ = build_front_door_urls(front_door_url)
+                logout_uri = home_url
+            elif HOME_REDIRECT_URL:
+                logout_uri = HOME_REDIRECT_URL
+            else:
+                logout_uri = url_for('index', _external=True, _scheme='https')
+        else:
+            logout_uri = url_for('index', _external=True, _scheme='https')
+
+        return redirect(logout_uri)
+
     @app.route('/logout')
     @swagger_route(security=get_auth_security())
     def logout():
diff --git a/application/single_app/static/css/chats.css b/application/single_app/static/css/chats.css
index f672b28f..c7f30dfe 100644
--- a/application/single_app/static/css/chats.css
+++ b/application/single_app/static/css/chats.css
@@ -1046,7 +1046,7 @@ a.citation-link:hover {
 .message-content {
   display: flex;
   align-items: flex-end;
-  overflow: auto; /* Preserving higher level visible property while allowing response message scroll if needed */
+  overflow: auto; /* Make message content scrollable when it overflows while minimizing effects elsewhere. */
 }
 
 .message-content.flex-row-reverse {
diff --git a/application/single_app/static/js/admin/admin_settings.js b/application/single_app/static/js/admin/admin_settings.js
index c6bdec36..7cc02735 100644
--- a/application/single_app/static/js/admin/admin_settings.js
+++ b/application/single_app/static/js/admin/admin_settings.js
@@ -1538,6 +1538,16 @@ function setupToggles() {
         });
     }
 
+    const enableIdleTimeoutToggle = document.getElementById('enable_idle_timeout');
+    const idleTimeoutSettingsDiv = document.getElementById('idle_timeout_settings');
+    if (enableIdleTimeoutToggle && idleTimeoutSettingsDiv) {
+        idleTimeoutSettingsDiv.classList.toggle('d-none', !enableIdleTimeoutToggle.checked);
+        enableIdleTimeoutToggle.addEventListener('change', function () {
+            idleTimeoutSettingsDiv.classList.toggle('d-none', !this.checked);
+            markFormAsModified();
+        });
+    }
+
     const enableEnhancedCitation = document.getElementById('enable_enhanced_citations');
     if (enableEnhancedCitation) {
         toggleEnhancedCitation(enableEnhancedCitation.checked);
diff --git a/application/single_app/static/js/idle-logout-warning.js b/application/single_app/static/js/idle-logout-warning.js
new file mode 100644
index 00000000..bc5e804b
--- /dev/null
+++ b/application/single_app/static/js/idle-logout-warning.js
@@ -0,0 +1,233 @@
+// idle-logout-warning.js
+
+(function () {
+    'use strict';
+
+    const defaultConfig = {
+        enabled: false,
+        timeoutMinutes: 30,
+        warningMinutes: 28,
+        heartbeatUrl: '/api/session/heartbeat',
+        localLogoutUrl: '/logout/local',
+        fullSsoLogoutUrl: '/logout',
+        logoutUrl: '/logout'
+    };
+
+    const mergedConfig = Object.assign({}, defaultConfig, window.idleLogoutConfig || {});
+
+    if (!mergedConfig.enabled) {
+        return;
+    }
+
+    document.addEventListener('DOMContentLoaded', function () {
+        if (typeof bootstrap === 'undefined' || !bootstrap.Modal) {
+            return;
+        }
+
+        const warningModalElement = document.getElementById('idleTimeoutWarningModal');
+        const countdownElement = document.getElementById('idleTimeoutCountdown');
+        const staySignedInButton = document.getElementById('idleStaySignedInButton');
+        const logoutNowButton = document.getElementById('idleLogoutNowButton');
+
+        if (!warningModalElement || !countdownElement || !staySignedInButton || !logoutNowButton) {
+            return;
+        }
+
+        const timeoutMinutes = Number(mergedConfig.timeoutMinutes);
+        const warningMinutes = Number(mergedConfig.warningMinutes);
+
+        if (!Number.isFinite(timeoutMinutes) || timeoutMinutes <= 0) {
+            return;
+        }
+
+        if (!Number.isFinite(warningMinutes) || warningMinutes < 0 || warningMinutes >= timeoutMinutes) {
+            return;
+        }
+
+        const timeoutMs = timeoutMinutes * 60 * 1000;
+        const warningMs = warningMinutes * 60 * 1000;
+        const warningModal = bootstrap.Modal.getOrCreateInstance(warningModalElement);
+
+        let warningTimer = null;
+        let logoutTimer = null;
+        let countdownInterval = null;
+        let logoutDeadlineMs = null;
+        let isRefreshingSession = false;
+        let lastActivityResetAt = 0;
+        let lastServerHeartbeatAt = 0;
+
+        const HEARTBEAT_MIN_INTERVAL_MS = Math.min(60000, timeoutMs / 2);
+
+        const activityEvents = [
+            'mousedown',
+            'mousemove',
+            'keydown',
+            'scroll',
+            'touchstart',
+            'click'
+        ];
+
+        function clearTimers() {
+            if (warningTimer) {
+                clearTimeout(warningTimer);
+                warningTimer = null;
+            }
+
+            if (logoutTimer) {
+                clearTimeout(logoutTimer);
+                logoutTimer = null;
+            }
+        }
+
+        function stopCountdown() {
+            if (countdownInterval) {
+                clearInterval(countdownInterval);
+                countdownInterval = null;
+            }
+        }
+
+        function updateCountdown() {
+            if (!logoutDeadlineMs) {
+                return;
+            }
+
+            const remainingMs = Math.max(0, logoutDeadlineMs - Date.now());
+            const remainingSeconds = Math.ceil(remainingMs / 1000);
+            countdownElement.textContent = String(remainingSeconds);
+        }
+
+        function startCountdown() {
+            stopCountdown();
+            updateCountdown();
+            countdownInterval = setInterval(updateCountdown, 1000);
+        }
+
+        function hideWarningModal() {
+            if (warningModalElement.classList.contains('show')) {
+                warningModal.hide();
+            }
+            stopCountdown();
+        }
+
+        function logoutNow() {
+            clearTimers();
+            stopCountdown();
+            const logoutTarget = mergedConfig.localLogoutUrl || mergedConfig.fullSsoLogoutUrl || mergedConfig.logoutUrl;
+            window.location.href = logoutTarget;
+        }
+
+        function scheduleIdleTimers() {
+            clearTimers();
+            logoutDeadlineMs = Date.now() + timeoutMs;
+
+            warningTimer = setTimeout(function () {
+                warningModal.show();
+                startCountdown();
+            }, warningMs);
+
+            logoutTimer = setTimeout(logoutNow, timeoutMs);
+        }
+
+        async function refreshServerSession(forceLogoutOnFailure, userInitiated) {
+            if (isRefreshingSession) {
+                return;
+            }
+
+            isRefreshingSession = true;
+            if (userInitiated) {
+                staySignedInButton.disabled = true;
+            }
+
+            try {
+                const response = await fetch(mergedConfig.heartbeatUrl, {
+                    method: 'POST',
+                    credentials: 'same-origin',
+                    headers: {
+                        'Content-Type': 'application/json',
+                        'X-Requested-With': 'XMLHttpRequest'
+                    },
+                    body: '{}'
+                });
+
+                if (!response.ok) {
+                    let requiresReauth = response.status === 401 || response.status === 403;
+
+                    if (!requiresReauth) {
+                        try {
+                            const responseBody = await response.clone().json();
+                            requiresReauth = Boolean(responseBody && responseBody.requires_reauth);
+                        } catch (_parseError) {
+                            requiresReauth = false;
+                        }
+                    }
+
+                    if (forceLogoutOnFailure || requiresReauth) {
+                        logoutNow();
+                    }
+                    return;
+                }
+
+                lastServerHeartbeatAt = Date.now();
+
+                if (userInitiated) {
+                    hideWarningModal();
+                    scheduleIdleTimers();
+                }
+            } catch (error) {
+                console.error('Session heartbeat failed:', error);
+                if (forceLogoutOnFailure) {
+                    logoutNow();
+                }
+            } finally {
+                isRefreshingSession = false;
+                if (userInitiated) {
+                    staySignedInButton.disabled = false;
+                }
+            }
+        }
+
+        staySignedInButton.addEventListener('click', function () {
+            refreshServerSession(true, true);
+        });
+
+        logoutNowButton.addEventListener('click', function () {
+            logoutNow();
+        });
+
+        warningModalElement.addEventListener('hidden.bs.modal', function () {
+            stopCountdown();
+        });
+
+        activityEvents.forEach(function (eventName) {
+            document.addEventListener(eventName, handleUserActivity);
+        });
+
+        document.addEventListener('visibilitychange', function () {
+            if (!document.hidden) {
+                handleUserActivity();
+            }
+        });
+
+        scheduleIdleTimers();
+
+        function handleUserActivity() {
+            const now = Date.now();
+
+            if (now - lastActivityResetAt < 1000) {
+                return;
+            }
+
+            lastActivityResetAt = now;
+
+            if (warningModalElement.classList.contains('show')) {
+                hideWarningModal();
+            }
+
+            scheduleIdleTimers();
+
+            if ((now - lastServerHeartbeatAt) >= HEARTBEAT_MIN_INTERVAL_MS) {
+                refreshServerSession(false, false);
+            }
+        }
+    });
+})();
diff --git a/application/single_app/templates/admin_settings.html b/application/single_app/templates/admin_settings.html
index e9ff7d18..c649049a 100644
--- a/application/single_app/templates/admin_settings.html
+++ b/application/single_app/templates/admin_settings.html
@@ -1423,6 +1423,42 @@ <h5>
                         <input type="number" class="form-control" id="conversation_history_limit"
                             name="conversation_history_limit" value="{{ settings.conversation_history_limit }}">
                     </div>
+                    <div class="form-check form-switch mb-3">
+                        <input
+                            type="checkbox"
+                            class="form-check-input"
+                            id="enable_idle_timeout"
+                            name="enable_idle_timeout"
+                            {% if settings.enable_idle_timeout is not defined or settings.enable_idle_timeout %}checked{% endif %}>
+                        <label class="form-check-label ms-2" for="enable_idle_timeout">
+                            Enable Idle Session Timeout and Warning
+                        </label>
+                        <i class="bi bi-info-circle ms-2" data-bs-toggle="tooltip" title="When enabled, inactive users receive a warning and are automatically logged out after the configured timeout."></i>
+                    </div>
+                    <div id="idle_timeout_settings" class="{% if settings.enable_idle_timeout is defined and not settings.enable_idle_timeout %}d-none{% endif %}">
+                        <div class="mb-3">
+                            <label for="idle_timeout_minutes" class="form-label">Idle Logout Timeout (Minutes)</label>
+                            <input
+                                type="number"
+                                class="form-control"
+                                id="idle_timeout_minutes"
+                                name="idle_timeout_minutes"
+                                min="1"
+                                value="{{ settings.idle_timeout_minutes | default(30) }}">
+                            <small class="form-text text-muted">Users are logged out locally after this many minutes of inactivity.</small>
+                        </div>
+                        <div class="mb-3">
+                            <label for="idle_warning_minutes" class="form-label">Idle Warning Time (Minutes)</label>
+                            <input
+                                type="number"
+                                class="form-control"
+                                id="idle_warning_minutes"
+                                name="idle_warning_minutes"
+                                min="0"
+                                value="{{ settings.idle_warning_minutes | default(28) }}">
+                            <small class="form-text text-muted">Show the warning modal after this many minutes of inactivity. (Countdown starts from this time)</small>
+                        </div>
+                    </div>
                     <div class="mb-3">
                         <label for="default_system_prompt" class="form-label">Default System Prompt</label>
                         <textarea class="form-control" id="default_system_prompt" name="default_system_prompt"
diff --git a/application/single_app/templates/base.html b/application/single_app/templates/base.html
index fa8d060f..f9e0983a 100644
--- a/application/single_app/templates/base.html
+++ b/application/single_app/templates/base.html
@@ -351,12 +351,47 @@
   <script src="{{ url_for('static', filename='js/profile-image.js') }}"></script>
   <!-- Notifications JavaScript (for badge polling on all pages) -->
   <script src="{{ url_for('static', filename='js/notifications.js') }}"></script>
+  {% if session.get('user') %}
+  <script>
+    window.idleLogoutConfig = {
+      enabled: {{ idle_timeout_enabled | default(true) | tojson }},
+      timeoutMinutes: {{ idle_timeout_minutes | default(30) | int }},
+      warningMinutes: {{ idle_warning_minutes | default(28) | int }},
+      heartbeatUrl: "{{ url_for('session_heartbeat') }}",
+      localLogoutUrl: "{{ url_for('local_logout') }}",
+      fullSsoLogoutUrl: "{{ url_for('logout') }}"
+    };
+  </script>
+  <script src="{{ url_for('static', filename='js/idle-logout-warning.js') }}"></script>
+  {% endif %}
   <!-- User Agreement JavaScript (for file upload prompts) -->
   {% if app_settings.enable_user_agreement %}
   <script src="{{ url_for('static', filename='js/user-agreement.js') }}"></script>
   {% endif %}
   {% block scripts %}{% endblock %}
 
+  {% if session.get('user') %}
+  <div class="modal fade" id="idleTimeoutWarningModal" tabindex="-1" aria-labelledby="idleTimeoutWarningModalLabel" aria-hidden="true" data-bs-backdrop="static" data-bs-keyboard="false">
+    <div class="modal-dialog modal-dialog-centered">
+      <div class="modal-content">
+        <div class="modal-header bg-primary text-white">
+          <h5 class="modal-title" id="idleTimeoutWarningModalLabel">
+            <i class="bi bi-clock me-2"></i>Session Expiring Soon
+          </h5>
+        </div>
+        <div class="modal-body">
+          <p class="mb-2">You've been inactive for a while.</p>
+          <p class="mb-0">You will be signed out in <strong><span id="idleTimeoutCountdown">60</span> seconds</strong> unless you continue your session.</p>
+        </div>
+        <div class="modal-footer">
+          <button type="button" class="btn btn-outline-secondary" id="idleLogoutNowButton">Logout now</button>
+          <button type="button" class="btn btn-primary" id="idleStaySignedInButton">Stay signed in</button>
+        </div>
+      </div>
+    </div>
+  </div>
+  {% endif %}
+
   <!-- User Agreement Upload Modal (shown before file uploads when enabled) -->
   {% if app_settings.enable_user_agreement %}
   <div class="modal fade" id="userAgreementUploadModal" tabindex="-1" aria-labelledby="userAgreementUploadModalLabel" aria-hidden="true">
diff --git a/docs/explanation/fixes/v0.239.012/ADMIN_SETTINGS_SAFE_INT_FALLBACK_FIX.md b/docs/explanation/fixes/v0.239.012/ADMIN_SETTINGS_SAFE_INT_FALLBACK_FIX.md
new file mode 100644
index 00000000..f57e0b45
--- /dev/null
+++ b/docs/explanation/fixes/v0.239.012/ADMIN_SETTINGS_SAFE_INT_FALLBACK_FIX.md
@@ -0,0 +1,49 @@
+# ADMIN SETTINGS SAFE INT FALLBACK FIX
+
+## Overview
+
+- **Issue**: Admin settings save flow could throw a `TypeError` when `safe_int()` returned a non-integer fallback value.
+- **Root Cause**: `safe_int()` returned `fallback_value` as-is after parse failure; if persisted fallback values were malformed (for example strings that cannot be converted), subsequent `max(1, ...)` / `max(0, ...)` operations could fail.
+- **Fixed/Implemented in version: `0.239.012`**
+- **Related version update**: `application/single_app/config.py` updated to `VERSION = "0.239.012"`.
+
+## Technical Details
+
+### Files Modified
+
+- `application/single_app/route_frontend_admin_settings.py`
+- `application/single_app/admin_settings_int_utils.py`
+- `application/single_app/config.py`
+- `functional_tests/test_admin_settings_safe_int_fallback_fix.py`
+- `functional_tests/test_idle_logout_timeout.py`
+- `functional_tests/test_settings_deep_merge_persistence_fix.py`
+
+### Code Changes Summary
+
+- Extracted integer parsing into module-level helper functions (`safe_int`, `safe_int_with_source`) in `admin_settings_int_utils.py`.
+- Updated admin settings route to use the extracted helper while preserving existing fallback and hard-default `log_event` diagnostics.
+- Kept idle-timeout call sites using explicit hard defaults (`30` and `28`).
+
+### Testing Approach
+
+- Refactored `functional_tests/test_admin_settings_safe_int_fallback_fix.py` to behavior-level helper tests (malformed raw and fallback values) plus AST route wiring validation.
+- Kept existing functional tests version-aligned with release version.
+
+### Impact Analysis
+
+- Prevents runtime `TypeError` in admin settings save flow for malformed persisted fallback values.
+- Improves resiliency of idle-timeout configuration handling without changing intended behavior for valid values.
+
+## Validation
+
+### Before
+
+- Invalid form input could cause `safe_int()` to return non-int fallback values, potentially raising `TypeError` in `max()`.
+
+### After
+
+- `safe_int()` always returns a valid integer from raw input, parsed fallback, or hard default.
+
+### Test Result
+
+- Verified by running `py -3 functional_tests/test_admin_settings_safe_int_fallback_fix.py`.
diff --git a/docs/explanation/fixes/v0.239.012/IDLE_HEARTBEAT_INTERVAL_FIX.md b/docs/explanation/fixes/v0.239.012/IDLE_HEARTBEAT_INTERVAL_FIX.md
new file mode 100644
index 00000000..68f52386
--- /dev/null
+++ b/docs/explanation/fixes/v0.239.012/IDLE_HEARTBEAT_INTERVAL_FIX.md
@@ -0,0 +1,35 @@
+# IDLE HEARTBEAT INTERVAL FIX
+
+## Header Information
+
+- **Fix Title**: Idle heartbeat timing alignment for short timeout configurations
+- **Issue Description**: The client initialized `lastServerHeartbeatAt` with `Date.now()` and used a fixed 60-second heartbeat minimum interval. With `timeoutMinutes = 1`, active users could miss a heartbeat before server-side timeout and be logged out unexpectedly.
+- **Root Cause Analysis**: Heartbeat throttling was static and did not account for short configured timeout windows, delaying the first heartbeat too long for aggressive timeout settings.
+- **Version Implemented**: **0.239.012**
+- **Related Config Update**: `application/single_app/config.py` updated to `VERSION = "0.239.012"`.
+
+## Technical Details
+
+- **Files Modified**:
+  - `application/single_app/static/js/idle-logout-warning.js`
+  - `functional_tests/test_idle_logout_timeout.py`
+  - `application/single_app/config.py`
+- **Code Changes Summary**:
+  - Set `lastServerHeartbeatAt` to `0` so first user activity can trigger an immediate heartbeat.
+  - Replaced fixed heartbeat interval with dynamic interval: `Math.min(60000, timeoutMs / 2)`.
+  - Added functional test markers to assert both initialization and dynamic heartbeat interval logic.
+- **Testing Approach**:
+  - Extended `functional_tests/test_idle_logout_timeout.py` JavaScript wiring assertions.
+- **Impact Analysis**:
+  - Prevents active users from timing out in short (1-minute) idle-timeout configurations due to delayed client heartbeat.
+  - Preserves lower heartbeat frequency for normal/larger timeout configurations.
+
+## Validation
+
+- **Test Results**:
+  - Functional idle-timeout test includes marker checks for dynamic heartbeat timing logic.
+- **Before/After Comparison**:
+  - **Before**: First heartbeat could be delayed up to 60 seconds regardless of timeout size.
+  - **After**: First heartbeat is eligible on first activity, and recurring heartbeat interval scales with timeout.
+- **User Experience Improvements**:
+  - More reliable stay-signed-in behavior during active interaction when short idle timeout settings are configured.
diff --git a/docs/explanation/fixes/v0.239.012/IDLE_HEARTBEAT_REAUTH_HANDLING_FIX.md b/docs/explanation/fixes/v0.239.012/IDLE_HEARTBEAT_REAUTH_HANDLING_FIX.md
new file mode 100644
index 00000000..b7719726
--- /dev/null
+++ b/docs/explanation/fixes/v0.239.012/IDLE_HEARTBEAT_REAUTH_HANDLING_FIX.md
@@ -0,0 +1,35 @@
+# IDLE HEARTBEAT REAUTH HANDLING FIX
+
+## Header Information
+
+- **Fix Title**: Background heartbeat reauth synchronization
+- **Issue Description**: Background heartbeat requests that returned non-OK responses (such as `401` after server-side idle expiry) could return without redirecting, leaving the UI active while the backend session was already cleared.
+- **Root Cause Analysis**: `refreshServerSession()` only forced logout for non-OK responses when `forceLogoutOnFailure` was `true` (user-initiated path), but the background path used `false` and silently returned.
+- **Version Implemented**: **0.239.012**
+- **Related Config Update**: `application/single_app/config.py` updated to `VERSION = "0.239.012"`.
+
+## Technical Details
+
+- **Files Modified**:
+  - `application/single_app/static/js/idle-logout-warning.js`
+  - `functional_tests/test_idle_logout_timeout.py`
+  - `application/single_app/config.py`
+- **Code Changes Summary**:
+  - Added hard-logout handling for heartbeat responses with HTTP `401`/`403` even in background heartbeat mode.
+  - Added fallback parsing of non-OK JSON payloads to check `requires_reauth` and trigger logout accordingly.
+  - Kept existing behavior where transient non-auth failures still avoid forced logout for background heartbeats.
+- **Testing Approach**:
+  - Extended `functional_tests/test_idle_logout_timeout.py` JavaScript marker assertions for status-based and payload-based reauth handling.
+- **Impact Analysis**:
+  - Prevents client/server auth-state divergence after backend session expiration.
+  - Reduces false “still signed in” UI state when the server has already invalidated the session.
+
+## Validation
+
+- **Test Results**:
+  - Idle-timeout functional test validates the new reauth marker logic in heartbeat handling.
+- **Before/After Comparison**:
+  - **Before**: Non-user-initiated heartbeats could silently ignore server reauth responses.
+  - **After**: Background heartbeats force logout on auth-failure signals (`401`, `403`, or `requires_reauth`).
+- **User Experience Improvements**:
+  - Consistent logout behavior when session expiration is detected during background activity monitoring.
diff --git a/docs/explanation/fixes/v0.239.012/IDLE_SESSION_API_ACTIVITY_SEED_FIX.md b/docs/explanation/fixes/v0.239.012/IDLE_SESSION_API_ACTIVITY_SEED_FIX.md
new file mode 100644
index 00000000..68055a95
--- /dev/null
+++ b/docs/explanation/fixes/v0.239.012/IDLE_SESSION_API_ACTIVITY_SEED_FIX.md
@@ -0,0 +1,36 @@
+# IDLE SESSION API ACTIVITY SEED FIX
+
+## Header Information
+
+- **Fix Title**: Idle timeout API activity timestamp seeding
+- **Issue Description**: `enforce_idle_session_timeout()` returned early for `/api/...` requests without updating `session['last_activity_epoch']`. If an authenticated session did not already have that key, idle-timeout tracking could fail to start for API-only traffic.
+- **Root Cause Analysis**: API-path early return happened before timestamp update logic, and the function only updated `last_activity_epoch` for non-API requests (or when idle-timeout was disabled).
+- **Version Implemented**: **0.239.012**
+- **Related Config Update**: `application/single_app/config.py` updated to `VERSION = "0.239.012"`.
+
+## Technical Details
+
+- **Files Modified**:
+  - `application/single_app/app.py`
+  - `functional_tests/test_idle_logout_timeout.py`
+  - `application/single_app/config.py`
+- **Code Changes Summary**:
+  - Added `has_valid_last_activity_epoch` tracking in `enforce_idle_session_timeout()`.
+  - For API requests, seed `session['last_activity_epoch']` only when the existing value is missing or invalid, then return.
+  - Kept existing behavior where non-API requests refresh activity timestamp normally.
+  - Added AST regression assertion to ensure API-path timestamp seeding remains wired.
+- **Testing Approach**:
+  - Functional AST wiring checks in `functional_tests/test_idle_logout_timeout.py` now assert API-path `last_activity_epoch` assignment logic.
+- **Impact Analysis**:
+  - Eliminates idle-timeout bypass risk for authenticated API-only sessions lacking initial activity timestamp.
+  - Avoids changing existing design where every API request does not automatically extend active session lifetime.
+
+## Validation
+
+- **Test Results**:
+  - Updated idle-timeout functional test validates the API-path timestamp seeding wiring.
+- **Before/After Comparison**:
+  - **Before**: API requests could return without ever initializing `last_activity_epoch`.
+  - **After**: API requests initialize `last_activity_epoch` when missing/invalid, enabling consistent timeout enforcement.
+- **User Experience Improvements**:
+  - Idle-timeout behavior is consistent for users interacting mainly through API traffic while preserving expected session-expiry behavior.
diff --git a/docs/explanation/fixes/v0.239.012/SETTINGS_DEEP_MERGE_PERSISTENCE_FIX.md b/docs/explanation/fixes/v0.239.012/SETTINGS_DEEP_MERGE_PERSISTENCE_FIX.md
new file mode 100644
index 00000000..9557036d
--- /dev/null
+++ b/docs/explanation/fixes/v0.239.012/SETTINGS_DEEP_MERGE_PERSISTENCE_FIX.md
@@ -0,0 +1,52 @@
+# SETTINGS DEEP MERGE PERSISTENCE FIX
+
+## Overview
+
+- **Issue**: App settings default-key merge changes were not being persisted back to Cosmos DB.
+- **Root Cause**: `deep_merge_dicts(default_settings, settings_item)` mutates `settings_item` in place, and `get_settings()` compared `merged` against the same mutated object, so `merged != settings_item` evaluated false.
+- **Fixed/Implemented in version: `0.239.012`**
+- **Related version update**: `application/single_app/config.py` updated to `VERSION = "0.239.012"`.
+
+## Technical Details
+
+### Files Modified
+
+- `application/single_app/functions_settings.py`
+- `application/single_app/config.py`
+- `functional_tests/test_settings_deep_merge_persistence_fix.py`
+
+### Code Changes Summary
+
+- Added `import copy` in `functions_settings.py`.
+- Captured a pre-merge snapshot with `original_settings_item = copy.deepcopy(settings_item)`.
+- Updated change detection to compare `merged` against `original_settings_item`.
+- Preserved existing merge behavior and upsert/logging flow.
+
+### Testing Approach
+
+- Added functional regression test: `functional_tests/test_settings_deep_merge_persistence_fix.py`.
+- Test validates marker-based wiring for:
+  - deep-copy snapshot creation,
+  - comparison against pre-merge state,
+  - Cosmos upsert path availability,
+  - version alignment in `config.py`.
+
+### Impact Analysis
+
+- Restores intended persistence behavior for newly introduced default settings keys.
+- Reduces risk of drift between in-memory merged settings and persisted Cosmos settings.
+- Maintains compatibility with existing callers and return shapes.
+
+## Validation
+
+### Before
+
+- Missing default keys could be merged in memory but not persisted, because the change check compared a mutated object to itself.
+
+### After
+
+- Missing default keys trigger the upsert path and persistence logging because merge output is compared against a deep-copied pre-merge snapshot.
+
+### Test Result
+
+- Verified by running `py -3 functional_tests/test_settings_deep_merge_persistence_fix.py`.
diff --git a/docs/explanation/release_notes.md b/docs/explanation/release_notes.md
index 634eb3af..37c3c7cc 100644
--- a/docs/explanation/release_notes.md
+++ b/docs/explanation/release_notes.md
@@ -2,6 +2,27 @@
 
 # Feature Release
 
+### **(v0.239.012)**
+
+#### New Features
+
+*   **Idle Session Timeout Feature**
+    *   Added a new idle timer that automatically clears the user session after a configurable set time and redirects to the main chat login page.
+    *   Added a frontend idle warning modal that pops up after a configurable set time, but disappears if the user moves the mouse over the chat window or interacts with the app in any way.
+    *   Default values are used if the idle logout and warning values are not set. 
+    *   Idle logout and idle warning values are validated and auto-fixed as needed.
+    *   Added a new admin switch to enable or disable idle session timeout and warning behavior.
+    *   Timeout and warning inputs are grouped under a toggleable section in General > System Settings.
+    *   (Ref: `application/single_app/templates/admin_settings.html`, `application/single_app/static/js/admin/admin_settings.js`, `application/single_app/route_frontend_admin_settings.py`, `application/single_app/functions_settings.py`, `application/single_app/app.py`, `application/single_app/templates/base.html`, `application/single_app/static/js/idle-logout-warning.js`, `application/single_app/config.py`, `functional_tests/test_idle_logout_timeout.py`, `application/single_app/route_frontend_authentication.py`)
+
+#### Bug Fixes
+
+*   **Settings Default Merge Persistence Fix**
+    *   Fixed app settings merge detection in `get_settings()` where `deep_merge_dicts()` mutates the existing settings object in place, causing change detection to always evaluate as unchanged.
+    *   Added pre-merge snapshot comparison with `copy.deepcopy()` so missing default keys correctly trigger `upsert_item()` and are persisted back to Cosmos DB.
+    *   Added a functional regression test to validate the merge detection and persistence markers.
+    *   (Ref: `application/single_app/functions_settings.py`, `application/single_app/config.py`, `functional_tests/test_settings_deep_merge_persistence_fix.py`)
+    
 ### **(v0.239.007)**
 
 #### New Features
@@ -76,6 +97,7 @@
     *   Ensures Python package installation works reliably in environments requiring custom certificate trust and pip configuration.
     *   (Ref: Docker customization, CA cert setup, `pip.conf` handling)
     
+
 ### **(v0.239.001)**
 
 #### New Features
@@ -1101,8 +1123,6 @@
     *   **Benefits**: Improved workspace identification, consistent with Group scope naming pattern, better navigation between workspace scopes.
     *   (Ref: `chat-documents.js`, scope label updates, dynamic workspace display)
 
-=======
-
 ##### User Interface and Content Rendering Fixes
 
 *   **Unicode Table Rendering Fix**
diff --git a/functional_tests/test_admin_settings_safe_int_fallback_fix.py b/functional_tests/test_admin_settings_safe_int_fallback_fix.py
new file mode 100644
index 00000000..9638f3ec
--- /dev/null
+++ b/functional_tests/test_admin_settings_safe_int_fallback_fix.py
@@ -0,0 +1,195 @@
+#!/usr/bin/env python3
+"""
+Functional test for admin safe_int fallback hardening.
+Version: 0.239.012
+Implemented in: 0.239.012
+
+This test ensures admin settings integer parsing always returns ints,
+including when persisted fallback values are malformed.
+"""
+
+import ast
+import os
+import sys
+import traceback
+
+ROOT_DIR = os.path.join(os.path.dirname(os.path.abspath(__file__)), "..")
+APP_DIR = os.path.join(ROOT_DIR, "application", "single_app")
+
+if APP_DIR not in sys.path:
+    sys.path.append(APP_DIR)
+
+from admin_settings_int_utils import safe_int, safe_int_with_source
+
+
+def _read_file(*path_parts):
+    file_path = os.path.join(
+        ROOT_DIR,
+        *path_parts
+    )
+    with open(file_path, "r", encoding="utf-8") as file_handle:
+        return file_handle.read()
+
+
+def _parse_python_file(*path_parts):
+    """Read and parse a Python source file into AST."""
+    source = _read_file(*path_parts)
+    return source, ast.parse(source)
+
+
+def _find_top_level_function(module_tree, function_name):
+    """Find a top-level function definition by name."""
+    for node in module_tree.body:
+        if isinstance(node, ast.FunctionDef) and node.name == function_name:
+            return node
+    return None
+
+
+def _find_nested_function(parent_function, function_name):
+    """Find a nested function definition by name in a parent function body."""
+    for node in parent_function.body:
+        if isinstance(node, ast.FunctionDef) and node.name == function_name:
+            return node
+    return None
+
+
+def test_safe_int_behavior_with_malformed_values():
+    """Validate helper behavior for raw, fallback, and hard-default parsing paths."""
+    print("🔍 Testing admin safe_int helper behavior...")
+
+    behavior_cases = [
+        ("42", "30", 0, 42),
+        ("abc", "30", 0, 30),
+        (None, "28", 0, 28),
+        ("bad", "still_bad", 17, 17),
+        ("-5", "10", 3, -5)
+    ]
+
+    for raw_value, fallback_value, hard_default, expected in behavior_cases:
+        parsed_value = safe_int(raw_value, fallback_value, hard_default)
+        assert isinstance(parsed_value, int), (
+            f"safe_int should always return int; got {type(parsed_value).__name__} "
+            f"for raw={raw_value}, fallback={fallback_value}, hard_default={hard_default}"
+        )
+        assert parsed_value == expected, (
+            f"Unexpected safe_int result for raw={raw_value}, fallback={fallback_value}, hard_default={hard_default}. "
+            f"Expected {expected}, got {parsed_value}"
+        )
+
+    parsed_value, parse_source = safe_int_with_source("9", "30", 0)
+    assert parsed_value == 9 and parse_source == "raw", "Expected raw parse source for valid raw input"
+
+    parsed_value, parse_source = safe_int_with_source("bad", "30", 0)
+    assert parsed_value == 30 and parse_source == "fallback", "Expected fallback parse source when raw input is invalid"
+
+    parsed_value, parse_source = safe_int_with_source("bad", "still_bad", 11)
+    assert parsed_value == 11 and parse_source == "hard_default", "Expected hard_default parse source when raw and fallback are invalid"
+
+    print("✅ Admin safe_int helper behavior is valid")
+
+
+def test_route_wiring_uses_module_safe_int_helper():
+    """Validate admin settings route uses extracted module helper for integer parsing."""
+    print("🔍 Testing admin route wiring for extracted safe_int helper...")
+
+    _, route_tree = _parse_python_file("application", "single_app", "route_frontend_admin_settings.py")
+
+    has_helper_import = any(
+        isinstance(node, ast.ImportFrom)
+        and node.module == "admin_settings_int_utils"
+        and any(alias.name == "safe_int_with_source" for alias in node.names)
+        for node in route_tree.body
+    )
+    assert has_helper_import, "Missing 'from admin_settings_int_utils import safe_int_with_source' import"
+
+    register_route_def = _find_top_level_function(route_tree, "register_route_frontend_admin_settings")
+    assert register_route_def is not None, "Missing register_route_frontend_admin_settings function"
+
+    admin_settings_def = _find_nested_function(register_route_def, "admin_settings")
+    assert admin_settings_def is not None, "Missing nested admin_settings route function"
+
+    has_legacy_nested_safe_int = any(
+        isinstance(node, ast.FunctionDef) and node.name == "safe_int"
+        for node in ast.walk(admin_settings_def)
+    )
+    assert not has_legacy_nested_safe_int, "Legacy nested safe_int function should be removed after extraction"
+
+    has_parse_admin_int = any(
+        isinstance(node, ast.FunctionDef) and node.name == "parse_admin_int"
+        for node in ast.walk(admin_settings_def)
+    )
+    assert has_parse_admin_int, "Missing parse_admin_int wrapper for route logging and helper usage"
+
+    has_safe_int_with_source_call = any(
+        isinstance(node, ast.Call)
+        and isinstance(node.func, ast.Name)
+        and node.func.id == "safe_int_with_source"
+        for node in ast.walk(admin_settings_def)
+    )
+    assert has_safe_int_with_source_call, "Missing safe_int_with_source helper call in admin settings route"
+
+    parse_admin_int_calls = [
+        node for node in ast.walk(admin_settings_def)
+        if isinstance(node, ast.Call)
+        and isinstance(node.func, ast.Name)
+        and node.func.id == "parse_admin_int"
+    ]
+    assert len(parse_admin_int_calls) >= 2, "Expected parse_admin_int usage for idle timeout and warning fields"
+
+    print("✅ Admin route wiring for extracted safe_int helper is present")
+
+
+def test_version_alignment_for_safe_int_fix():
+    """Validate config version aligns with safe_int fix release."""
+    print("🔍 Testing version alignment for safe_int fallback fix...")
+
+    config_content = _read_file("application", "single_app", "config.py")
+
+    required_markers = [
+        "VERSION = \"0.239.012\""
+    ]
+
+    missing_markers = [marker for marker in required_markers if marker not in config_content]
+    assert not missing_markers, f"Missing config markers: {missing_markers}"
+
+    print("✅ Safe_int fix release version markers are aligned")
+
+
+def main():
+    """Run all safe_int fallback hardening functional checks."""
+    print("🧪 Running Admin Safe Int Fallback Functional Tests...\n")
+
+    tests = [
+        test_safe_int_behavior_with_malformed_values,
+        test_route_wiring_uses_module_safe_int_helper,
+        test_version_alignment_for_safe_int_fix
+    ]
+
+    results = []
+    for test in tests:
+        print(f"\n🧪 Running {test.__name__}...")
+        try:
+            test()
+            results.append(True)
+        except AssertionError as error:
+            print(f"❌ {test.__name__} failed: {error}")
+            results.append(False)
+        except Exception as error:
+            print(f"❌ {test.__name__} error: {error}")
+            traceback.print_exc()
+            results.append(False)
+
+    success = all(results)
+    print(f"\n📊 Results: {sum(results)}/{len(results)} tests passed")
+
+    if success:
+        print("✅ All admin safe_int fallback functional tests passed!")
+    else:
+        print("❌ Some admin safe_int fallback functional tests failed.")
+
+    return success
+
+
+if __name__ == "__main__":
+    test_success = main()
+    sys.exit(0 if test_success else 1)
diff --git a/functional_tests/test_idle_logout_timeout.py b/functional_tests/test_idle_logout_timeout.py
new file mode 100644
index 00000000..11756009
--- /dev/null
+++ b/functional_tests/test_idle_logout_timeout.py
@@ -0,0 +1,429 @@
+#!/usr/bin/env python3
+"""
+Functional test for idle session auto-logout.
+Version: 0.239.012
+Implemented in: 0.239.012
+
+This test ensures that server-side idle timeout enforcement and
+client-side warning/logout wiring are present and sourced from admin settings.
+"""
+
+import os
+import sys
+import ast
+import traceback
+
+sys.path.append(os.path.dirname(os.path.abspath(__file__)))
+
+
+def _read_file(*path_parts):
+    file_path = os.path.join(
+        os.path.dirname(os.path.abspath(__file__)),
+        "..",
+        *path_parts
+    )
+    with open(file_path, 'r', encoding='utf-8') as file_handle:
+        return file_handle.read()
+
+
+def _parse_python_file(*path_parts):
+    """Read and parse a Python source file into AST."""
+    source = _read_file(*path_parts)
+    return source, ast.parse(source)
+
+
+def _find_top_level_function(module_tree, function_name):
+    """Find a top-level function definition by name."""
+    for node in module_tree.body:
+        if isinstance(node, ast.FunctionDef) and node.name == function_name:
+            return node
+    return None
+
+
+def _find_nested_function(parent_function, function_name):
+    """Find a nested function definition by name in a parent function body."""
+    for node in parent_function.body:
+        if isinstance(node, ast.FunctionDef) and node.name == function_name:
+            return node
+    return None
+
+
+def test_server_idle_timeout_wiring():
+    """Validate idle-timeout and heartbeat backend wiring exists."""
+    print("🔍 Testing server-side idle-timeout wiring...")
+
+    _, app_tree = _parse_python_file("application", "single_app", "app.py")
+    config_content = _read_file("application", "single_app", "config.py")
+    _, auth_tree = _parse_python_file("application", "single_app", "route_frontend_authentication.py")
+
+    required_app_functions = [
+        "get_idle_timeout_settings",
+        "is_idle_timeout_enabled",
+        "record_request_settings_source",
+        "get_request_settings",
+        "load_request_settings_cache",
+        "enforce_idle_session_timeout",
+        "session_heartbeat"
+    ]
+    missing_app_functions = [
+        function_name for function_name in required_app_functions
+        if _find_top_level_function(app_tree, function_name) is None
+    ]
+    assert not missing_app_functions, f"Missing backend functions in app.py: {missing_app_functions}"
+
+    has_settings_source_counter_dict = any(
+        isinstance(node, ast.Assign)
+        and any(isinstance(target, ast.Name) and target.id == "settings_source_counters" for target in node.targets)
+        and isinstance(node.value, ast.Dict)
+        and len(node.value.keys) == 0
+        for node in app_tree.body
+    )
+    assert has_settings_source_counter_dict, "Missing settings_source_counters = {} assignment"
+
+    idle_settings_def = _find_top_level_function(app_tree, "get_idle_timeout_settings")
+    has_idle_timeout_default_get = False
+    has_idle_warning_default_get = False
+    for node in ast.walk(idle_settings_def):
+        if (
+            isinstance(node, ast.Call)
+            and isinstance(node.func, ast.Attribute)
+            and isinstance(node.func.value, ast.Name)
+            and node.func.value.id == "settings"
+            and node.func.attr == "get"
+            and len(node.args) >= 2
+            and isinstance(node.args[0], ast.Constant)
+            and isinstance(node.args[1], ast.Constant)
+        ):
+            if node.args[0].value == "idle_timeout_minutes" and node.args[1].value == 30:
+                has_idle_timeout_default_get = True
+            if node.args[0].value == "idle_warning_minutes" and node.args[1].value == 28:
+                has_idle_warning_default_get = True
+
+    assert has_idle_timeout_default_get, "Missing settings.get('idle_timeout_minutes', 30) in get_idle_timeout_settings"
+    assert has_idle_warning_default_get, "Missing settings.get('idle_warning_minutes', 28) in get_idle_timeout_settings"
+
+    has_include_source_get_settings = False
+    has_record_settings_source_call = False
+    for node in ast.walk(app_tree):
+        if (
+            isinstance(node, ast.Call)
+            and isinstance(node.func, ast.Name)
+            and node.func.id == "get_settings"
+            and any(
+                isinstance(keyword, ast.keyword)
+                and keyword.arg == "include_source"
+                and isinstance(keyword.value, ast.Constant)
+                and keyword.value.value is True
+                for keyword in node.keywords
+            )
+        ):
+            has_include_source_get_settings = True
+
+        if (
+            isinstance(node, ast.Call)
+            and isinstance(node.func, ast.Name)
+            and node.func.id == "record_request_settings_source"
+            and len(node.args) == 1
+            and isinstance(node.args[0], ast.Name)
+            and node.args[0].id == "settings_source"
+        ):
+            has_record_settings_source_call = True
+
+    assert has_include_source_get_settings, "Missing get_settings(include_source=True) wiring in app.py"
+    assert has_record_settings_source_call, "Missing record_request_settings_source(settings_source) wiring in app.py"
+
+    has_idle_timeout_exempt_logout_local = False
+    for node in app_tree.body:
+        if isinstance(node, ast.Assign) and any(
+            isinstance(target, ast.Name) and target.id == "IDLE_TIMEOUT_EXEMPT_PATHS"
+            for target in node.targets
+        ):
+            if isinstance(node.value, ast.Set):
+                has_idle_timeout_exempt_logout_local = any(
+                    isinstance(element, ast.Constant) and element.value == "/logout/local"
+                    for element in node.value.elts
+                )
+
+    assert has_idle_timeout_exempt_logout_local, "Missing '/logout/local' in IDLE_TIMEOUT_EXEMPT_PATHS"
+
+    enforce_idle_timeout_def = _find_top_level_function(app_tree, "enforce_idle_session_timeout")
+    has_is_idle_timeout_enabled_guard = False
+    has_local_logout_redirect = False
+    for node in ast.walk(enforce_idle_timeout_def):
+        if isinstance(node, ast.If):
+            test_node = node.test
+            if (
+                isinstance(test_node, ast.UnaryOp)
+                and isinstance(test_node.op, ast.Not)
+                and isinstance(test_node.operand, ast.Call)
+                and isinstance(test_node.operand.func, ast.Name)
+                and test_node.operand.func.id == "is_idle_timeout_enabled"
+                and len(test_node.operand.args) == 1
+                and isinstance(test_node.operand.args[0], ast.Name)
+                and test_node.operand.args[0].id == "request_settings"
+            ):
+                has_is_idle_timeout_enabled_guard = True
+
+        if (
+            isinstance(node, ast.Call)
+            and isinstance(node.func, ast.Name)
+            and node.func.id == "redirect"
+            and len(node.args) == 1
+            and isinstance(node.args[0], ast.Call)
+            and isinstance(node.args[0].func, ast.Name)
+            and node.args[0].func.id == "url_for"
+            and len(node.args[0].args) == 1
+            and isinstance(node.args[0].args[0], ast.Constant)
+            and node.args[0].args[0].value == "local_logout"
+        ):
+            has_local_logout_redirect = True
+
+    has_api_activity_seed_assignment = False
+    for node in ast.walk(enforce_idle_timeout_def):
+        if not isinstance(node, ast.If):
+            continue
+
+        test_node = node.test
+        is_api_path_check = (
+            isinstance(test_node, ast.Call)
+            and isinstance(test_node.func, ast.Attribute)
+            and isinstance(test_node.func.value, ast.Attribute)
+            and isinstance(test_node.func.value.value, ast.Name)
+            and test_node.func.value.value.id == "request"
+            and test_node.func.value.attr == "path"
+            and test_node.func.attr == "startswith"
+            and len(test_node.args) == 1
+            and isinstance(test_node.args[0], ast.Constant)
+            and test_node.args[0].value == "/api/"
+        )
+        if not is_api_path_check:
+            continue
+
+        has_seed_assign_in_api_block = any(
+            isinstance(inner_node, ast.Assign)
+            and len(inner_node.targets) == 1
+            and isinstance(inner_node.targets[0], ast.Subscript)
+            and isinstance(inner_node.targets[0].value, ast.Name)
+            and inner_node.targets[0].value.id == "session"
+            and isinstance(inner_node.targets[0].slice, ast.Constant)
+            and inner_node.targets[0].slice.value == "last_activity_epoch"
+            and isinstance(inner_node.value, ast.Name)
+            and inner_node.value.id == "now_epoch"
+            for inner_node in ast.walk(node)
+        )
+        if has_seed_assign_in_api_block:
+            has_api_activity_seed_assignment = True
+            break
+
+    assert has_is_idle_timeout_enabled_guard, "Missing 'if not is_idle_timeout_enabled(request_settings)' guard"
+    assert has_local_logout_redirect, "Missing redirect(url_for('local_logout')) in enforce_idle_session_timeout"
+    assert has_api_activity_seed_assignment, "Missing API-path last_activity_epoch seeding in enforce_idle_session_timeout"
+
+    session_heartbeat_def = _find_top_level_function(app_tree, "session_heartbeat")
+    has_heartbeat_refresh_call = False
+    for node in ast.walk(session_heartbeat_def):
+        if (
+            isinstance(node, ast.Call)
+            and isinstance(node.func, ast.Name)
+            and node.func.id == "get_idle_timeout_settings"
+            and len(node.args) == 1
+            and isinstance(node.args[0], ast.Call)
+            and isinstance(node.args[0].func, ast.Name)
+            and node.args[0].func.id == "get_request_settings"
+        ):
+            has_heartbeat_refresh_call = True
+    assert has_heartbeat_refresh_call, "Missing get_idle_timeout_settings(get_request_settings()) in session_heartbeat"
+
+    required_config_markers = [
+        "VERSION = \"0.239.012\""
+    ]
+
+    missing_config_markers = [marker for marker in required_config_markers if marker not in config_content]
+    assert not missing_config_markers, f"Missing config markers: {missing_config_markers}"
+
+    auth_register_def = _find_top_level_function(auth_tree, "register_route_frontend_authentication")
+    assert auth_register_def is not None, "Missing register_route_frontend_authentication function"
+
+    login_def = _find_nested_function(auth_register_def, "login")
+    authorized_def = _find_nested_function(auth_register_def, "authorized")
+    assert login_def is not None, "Missing login route function in authentication route"
+    assert authorized_def is not None, "Missing authorized route function in authentication route"
+
+    has_last_activity_pop = False
+    for node in ast.walk(login_def):
+        if (
+            isinstance(node, ast.Call)
+            and isinstance(node.func, ast.Attribute)
+            and isinstance(node.func.value, ast.Name)
+            and node.func.value.id == "session"
+            and node.func.attr == "pop"
+            and len(node.args) >= 1
+            and isinstance(node.args[0], ast.Constant)
+            and node.args[0].value == "last_activity_epoch"
+        ):
+            has_last_activity_pop = True
+    assert has_last_activity_pop, "Missing session.pop('last_activity_epoch', ...) in login flow"
+
+    has_last_activity_assignment = False
+    for node in ast.walk(authorized_def):
+        if isinstance(node, ast.Assign) and len(node.targets) == 1:
+            target = node.targets[0]
+            if (
+                isinstance(target, ast.Subscript)
+                and isinstance(target.value, ast.Name)
+                and target.value.id == "session"
+                and isinstance(target.slice, ast.Constant)
+                and target.slice.value == "last_activity_epoch"
+                and isinstance(node.value, ast.Call)
+                and isinstance(node.value.func, ast.Name)
+                and node.value.func.id == "int"
+                and len(node.value.args) == 1
+                and isinstance(node.value.args[0], ast.Call)
+                and isinstance(node.value.args[0].func, ast.Attribute)
+                and isinstance(node.value.args[0].func.value, ast.Name)
+                and node.value.args[0].func.value.id == "time"
+                and node.value.args[0].func.attr == "time"
+            ):
+                has_last_activity_assignment = True
+    assert has_last_activity_assignment, "Missing session['last_activity_epoch'] = int(time.time()) in authorized flow"
+
+    print("✅ Server-side idle-timeout wiring is present")
+
+
+def test_base_template_warning_modal_wiring():
+    """Validate warning modal and JS config are wired in base template."""
+    print("🔍 Testing base template warning modal wiring...")
+
+    base_html_content = _read_file("application", "single_app", "templates", "base.html")
+
+    required_markers = [
+        "window.idleLogoutConfig",
+        "idleTimeoutWarningModal",
+        "idleTimeoutCountdown",
+        "idleStaySignedInButton",
+        "idleLogoutNowButton",
+        "js/idle-logout-warning.js",
+        "localLogoutUrl",
+        "fullSsoLogoutUrl",
+        "enabled: {{ idle_timeout_enabled | default(true) | tojson }}",
+        "session_heartbeat"
+    ]
+
+    missing_markers = [marker for marker in required_markers if marker not in base_html_content]
+    assert not missing_markers, f"Missing base template markers: {missing_markers}"
+
+    print("✅ Base template warning modal wiring is present")
+
+
+def test_idle_warning_javascript_wiring():
+    """Validate client-side warning and heartbeat logic markers exist."""
+    print("🔍 Testing idle warning JavaScript wiring...")
+
+    js_content = _read_file("application", "single_app", "static", "js", "idle-logout-warning.js")
+
+    required_markers = [
+        "heartbeatUrl",
+        "localLogoutUrl",
+        "fullSsoLogoutUrl",
+        "warningMinutes",
+        "logoutNow",
+        "scheduleIdleTimers",
+        "idleTimeoutWarningModal",
+        "idleStaySignedInButton",
+        "let lastServerHeartbeatAt = 0",
+        "const HEARTBEAT_MIN_INTERVAL_MS = Math.min(60000, timeoutMs / 2)",
+        "response.status === 401 || response.status === 403",
+        "const responseBody = await response.clone().json()",
+        "responseBody && responseBody.requires_reauth",
+        "fetch(mergedConfig.heartbeatUrl",
+        "const logoutTarget = mergedConfig.localLogoutUrl || mergedConfig.fullSsoLogoutUrl || mergedConfig.logoutUrl",
+        "window.location.href = logoutTarget"
+    ]
+
+    missing_markers = [marker for marker in required_markers if marker not in js_content]
+    assert not missing_markers, f"Missing JavaScript markers: {missing_markers}"
+
+    print("✅ Client-side idle warning/logout wiring is present")
+
+
+def test_admin_idle_settings_wiring():
+    """Validate admin settings and Cosmos defaults for idle timeout are wired."""
+    print("🔍 Testing admin idle settings wiring...")
+
+    settings_content = _read_file("application", "single_app", "functions_settings.py")
+    admin_route_content = _read_file("application", "single_app", "route_frontend_admin_settings.py")
+    admin_template_content = _read_file("application", "single_app", "templates", "admin_settings.html")
+
+    required_settings_markers = [
+        "'enable_idle_timeout': True",
+        "'idle_timeout_minutes': 30",
+        "'idle_warning_minutes': 28"
+    ]
+    missing_settings_markers = [marker for marker in required_settings_markers if marker not in settings_content]
+    assert not missing_settings_markers, f"Missing settings default markers: {missing_settings_markers}"
+
+    required_route_markers = [
+        "form_data.get('enable_idle_timeout')",
+        "form_data.get('idle_timeout_minutes')",
+        "form_data.get('idle_warning_minutes')",
+        "'enable_idle_timeout': enable_idle_timeout",
+        "'idle_timeout_minutes': idle_timeout_minutes",
+        "'idle_warning_minutes': idle_warning_minutes"
+    ]
+    missing_route_markers = [marker for marker in required_route_markers if marker not in admin_route_content]
+    assert not missing_route_markers, f"Missing admin route markers: {missing_route_markers}"
+
+    required_template_markers = [
+        "id=\"enable_idle_timeout\"",
+        "name=\"enable_idle_timeout\"",
+        "id=\"idle_timeout_settings\"",
+        "id=\"idle_timeout_minutes\"",
+        "name=\"idle_timeout_minutes\"",
+        "id=\"idle_warning_minutes\"",
+        "name=\"idle_warning_minutes\""
+    ]
+    missing_template_markers = [marker for marker in required_template_markers if marker not in admin_template_content]
+    assert not missing_template_markers, f"Missing admin template markers: {missing_template_markers}"
+
+    print("✅ Admin idle settings wiring is present")
+
+
+def main():
+    """Run all idle-timeout functional checks."""
+    print("🧪 Running Idle Timeout Functional Tests...\n")
+
+    tests = [
+        test_server_idle_timeout_wiring,
+        test_base_template_warning_modal_wiring,
+        test_idle_warning_javascript_wiring,
+        test_admin_idle_settings_wiring
+    ]
+
+    results = []
+    for test in tests:
+        print(f"\n🧪 Running {test.__name__}...")
+        try:
+            test()
+            results.append(True)
+        except AssertionError as error:
+            print(f"❌ {test.__name__} failed: {error}")
+            results.append(False)
+        except Exception as error:
+            print(f"❌ {test.__name__} error: {error}")
+            traceback.print_exc()
+            results.append(False)
+
+    success = all(results)
+    print(f"\n📊 Results: {sum(results)}/{len(results)} tests passed")
+
+    if success:
+        print("✅ All idle-timeout functional tests passed!")
+    else:
+        print("❌ Some idle-timeout functional tests failed.")
+
+    return success
+
+
+if __name__ == "__main__":
+    test_success = main()
+    sys.exit(0 if test_success else 1)
diff --git a/functional_tests/test_settings_deep_merge_persistence_fix.py b/functional_tests/test_settings_deep_merge_persistence_fix.py
new file mode 100644
index 00000000..7a2c93f8
--- /dev/null
+++ b/functional_tests/test_settings_deep_merge_persistence_fix.py
@@ -0,0 +1,254 @@
+#!/usr/bin/env python3
+"""
+Functional test for settings deep-merge persistence fix.
+Version: 0.239.012
+Implemented in: 0.239.012
+
+This test ensures merge persistence logic is validated using AST structure checks
+and controlled runtime behavior validation for deep_merge_dicts.
+"""
+
+import ast
+import os
+import sys
+import traceback
+
+sys.path.append(os.path.dirname(os.path.abspath(__file__)))
+
+
+def _read_file(*path_parts):
+    file_path = os.path.join(
+        os.path.dirname(os.path.abspath(__file__)),
+        "..",
+        *path_parts
+    )
+    with open(file_path, "r", encoding="utf-8") as file_handle:
+        return file_handle.read()
+
+
+def _load_functions_settings_ast():
+    """Load and parse functions_settings.py into an AST tree."""
+    settings_content = _read_file("application", "single_app", "functions_settings.py")
+    return settings_content, ast.parse(settings_content)
+
+
+def _find_top_level_function(module_tree, function_name):
+    """Find a top-level function definition by name."""
+    for node in module_tree.body:
+        if isinstance(node, ast.FunctionDef) and node.name == function_name:
+            return node
+    return None
+
+
+def test_get_settings_merge_detection_ast_wiring():
+    """Validate get_settings merge persistence logic through AST structure checks."""
+    print("🔍 Testing get_settings merge persistence AST wiring...")
+
+    _, module_tree = _load_functions_settings_ast()
+
+    has_copy_import = any(
+        isinstance(node, ast.Import) and any(alias.name == "copy" for alias in node.names)
+        for node in module_tree.body
+    )
+    assert has_copy_import, "Missing 'import copy' in functions_settings.py"
+
+    get_settings_def = _find_top_level_function(module_tree, "get_settings")
+    assert get_settings_def is not None, "Missing get_settings function in functions_settings.py"
+
+    has_snapshot_assignment = False
+    has_merged_assignment = False
+    merge_comparison_if = None
+
+    for node in ast.walk(get_settings_def):
+        if isinstance(node, ast.Assign):
+            for target in node.targets:
+                if isinstance(target, ast.Name) and target.id == "original_settings_item":
+                    if (
+                        isinstance(node.value, ast.Call)
+                        and isinstance(node.value.func, ast.Attribute)
+                        and isinstance(node.value.func.value, ast.Name)
+                        and node.value.func.value.id == "copy"
+                        and node.value.func.attr == "deepcopy"
+                        and len(node.value.args) == 1
+                        and isinstance(node.value.args[0], ast.Name)
+                        and node.value.args[0].id == "settings_item"
+                    ):
+                        has_snapshot_assignment = True
+
+                if isinstance(target, ast.Name) and target.id == "merged":
+                    if (
+                        isinstance(node.value, ast.Call)
+                        and isinstance(node.value.func, ast.Name)
+                        and node.value.func.id == "deep_merge_dicts"
+                        and len(node.value.args) == 2
+                        and isinstance(node.value.args[0], ast.Name)
+                        and node.value.args[0].id == "default_settings"
+                        and isinstance(node.value.args[1], ast.Name)
+                        and node.value.args[1].id == "settings_item"
+                    ):
+                        has_merged_assignment = True
+
+        if isinstance(node, ast.If) and isinstance(node.test, ast.Compare):
+            compare_node = node.test
+            if (
+                isinstance(compare_node.left, ast.Name)
+                and compare_node.left.id == "merged"
+                and len(compare_node.ops) == 1
+                and isinstance(compare_node.ops[0], ast.NotEq)
+                and len(compare_node.comparators) == 1
+                and isinstance(compare_node.comparators[0], ast.Name)
+                and compare_node.comparators[0].id == "original_settings_item"
+            ):
+                merge_comparison_if = node
+
+    assert has_snapshot_assignment, "Missing original_settings_item copy.deepcopy(settings_item) assignment"
+    assert has_merged_assignment, "Missing merged = deep_merge_dicts(default_settings, settings_item) assignment"
+    assert merge_comparison_if is not None, "Missing if merged != original_settings_item comparison"
+
+    has_upsert_in_branch = False
+    has_log_event_in_branch = False
+
+    for node in ast.walk(merge_comparison_if):
+        if (
+            isinstance(node, ast.Call)
+            and isinstance(node.func, ast.Attribute)
+            and isinstance(node.func.value, ast.Name)
+            and node.func.value.id == "cosmos_settings_container"
+            and node.func.attr == "upsert_item"
+            and len(node.args) == 1
+            and isinstance(node.args[0], ast.Name)
+            and node.args[0].id == "merged"
+        ):
+            has_upsert_in_branch = True
+
+        if (
+            isinstance(node, ast.Call)
+            and isinstance(node.func, ast.Name)
+            and node.func.id == "log_event"
+            and node.args
+            and isinstance(node.args[0], ast.Constant)
+            and isinstance(node.args[0].value, str)
+            and "missing keys were merged and persisted to Cosmos DB" in node.args[0].value
+        ):
+            has_log_event_in_branch = True
+
+    assert has_upsert_in_branch, "Missing cosmos_settings_container.upsert_item(merged) in merge-detected branch"
+    assert has_log_event_in_branch, "Missing merge persistence log_event message in merge-detected branch"
+
+    print("✅ Get_settings merge persistence AST wiring is present")
+
+
+def test_deep_merge_dicts_ast_behavior_wiring():
+    """Validate deep_merge_dicts merge behavior through AST structure checks."""
+    print("🔍 Testing deep_merge_dicts AST behavior wiring...")
+
+    _, module_tree = _load_functions_settings_ast()
+    deep_merge_def = _find_top_level_function(module_tree, "deep_merge_dicts")
+    assert deep_merge_def is not None, "Missing deep_merge_dicts function in functions_settings.py"
+
+    has_not_in_guard = False
+    has_missing_key_assignment = False
+    has_recursive_merge_call = False
+    returns_existing_dict = False
+
+    for node in ast.walk(deep_merge_def):
+        if isinstance(node, ast.Compare):
+            if (
+                isinstance(node.left, ast.Name)
+                and node.left.id == "k"
+                and len(node.ops) == 1
+                and isinstance(node.ops[0], ast.NotIn)
+                and len(node.comparators) == 1
+                and isinstance(node.comparators[0], ast.Name)
+                and node.comparators[0].id == "existing_dict"
+            ):
+                has_not_in_guard = True
+
+        if isinstance(node, ast.Assign) and len(node.targets) == 1:
+            target = node.targets[0]
+            if (
+                isinstance(target, ast.Subscript)
+                and isinstance(target.value, ast.Name)
+                and target.value.id == "existing_dict"
+                and isinstance(node.value, ast.Name)
+                and node.value.id == "default_val"
+            ):
+                has_missing_key_assignment = True
+
+        if (
+            isinstance(node, ast.Call)
+            and isinstance(node.func, ast.Name)
+            and node.func.id == "deep_merge_dicts"
+            and len(node.args) == 2
+            and isinstance(node.args[0], ast.Name)
+            and node.args[0].id == "default_val"
+            and isinstance(node.args[1], ast.Name)
+            and node.args[1].id == "existing_val"
+        ):
+            has_recursive_merge_call = True
+
+        if isinstance(node, ast.Return):
+            if isinstance(node.value, ast.Name) and node.value.id == "existing_dict":
+                returns_existing_dict = True
+
+    assert has_not_in_guard, "Missing 'if k not in existing_dict' guard in deep_merge_dicts"
+    assert has_missing_key_assignment, "Missing existing_dict[k] = default_val assignment in deep_merge_dicts"
+    assert has_recursive_merge_call, "Missing recursive deep_merge_dicts(default_val, existing_val) call"
+    assert returns_existing_dict, "Missing return existing_dict in deep_merge_dicts"
+
+    print("✅ deep_merge_dicts AST behavior wiring is present")
+
+def test_version_alignment_for_fix_release():
+    """Validate config version reflects this fix release."""
+    print("🔍 Testing fix release version alignment...")
+
+    config_content = _read_file("application", "single_app", "config.py")
+
+    required_markers = [
+        "VERSION = \"0.239.012\""
+    ]
+
+    missing_markers = [marker for marker in required_markers if marker not in config_content]
+    assert not missing_markers, f"Missing config markers: {missing_markers}"
+
+    print("✅ Fix release version markers are aligned")
+
+
+def main():
+    """Run all functional checks for deep-merge persistence fix."""
+    print("🧪 Running Settings Deep Merge Persistence Functional Tests...\n")
+
+    tests = [
+        test_get_settings_merge_detection_ast_wiring,
+        test_deep_merge_dicts_ast_behavior_wiring,
+        test_version_alignment_for_fix_release
+    ]
+
+    results = []
+    for test in tests:
+        print(f"\n🧪 Running {test.__name__}...")
+        try:
+            test()
+            results.append(True)
+        except AssertionError as error:
+            print(f"❌ {test.__name__} failed: {error}")
+            results.append(False)
+        except Exception as error:
+            print(f"❌ {test.__name__} error: {error}")
+            traceback.print_exc()
+            results.append(False)
+
+    success = all(results)
+    print(f"\n📊 Results: {sum(results)}/{len(results)} tests passed")
+
+    if success:
+        print("✅ All deep-merge persistence functional tests passed!")
+    else:
+        print("❌ Some deep-merge persistence functional tests failed.")
+
+    return success
+
+
+if __name__ == "__main__":
+    test_success = main()
+    sys.exit(0 if test_success else 1)